From f7f6aef8605b9874ed121d88195d2f6dac5f702e Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Sun, 21 Jul 2019 01:18:18 +0200
Subject: [PATCH 1/2] Disabled weak algorithms following Kantara SAML V2.0 Implementation Profile for Federation Interoperability

---
 src/saml2/algsupport.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/saml2/algsupport.py b/src/saml2/algsupport.py
index 5134c0391..b7ae8c0c4 100644
--- a/src/saml2/algsupport.py
+++ b/src/saml2/algsupport.py
@@ -6,7 +6,7 @@ __author__ = 'roland'
 DIGEST_METHODS = {
- "hmac-md5": 'http://www.w3.org/2001/04/xmldsig-more#md5', # test framework only!
+ #"hmac-md5": 'http://www.w3.org/2001/04/xmldsig-more#md5', # test framework only!
 "hmac-sha1": 'http://www.w3.org/2000/09/xmldsig#sha1',
 "hmac-sha224": 'http://www.w3.org/2001/04/xmldsig-more#sha224',
 "hmac-sha256": 'http://www.w3.org/2001/04/xmlenc#sha256',
@@ -16,7 +16,7 @@
 }
 SIGNING_METHODS = {
- "rsa-md5": 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5',
+ #"rsa-md5": 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5',
 "rsa-ripemd160": 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160',
 "rsa-sha1": 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
 "rsa-sha224": 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224',

From 4f8a4f3a6939561fd3f63088bf3de1af0eaf434d Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Thu, 1 Aug 2019 13:58:10 +0200
Subject: [PATCH 2/2] Disabled xmlsec algs as configurable configuration paramenter

---
 src/saml2/algsupport.py | 4 ++--
 src/saml2/config.py | 2 ++
 src/saml2/metadata.py | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/saml2/algsupport.py b/src/saml2/algsupport.py
index b7ae8c0c4..5134c0391 100644
--- a/src/saml2/algsupport.py
+++ b/src/saml2/algsupport.py
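Review bot: The md5 entries are commented out in place rather than deleted, in both the `DIGEST_METHODS` hunk and the `SIGNING_METHODS` hunk, so the dict literals keep dead text that a later edit can silently re-enable — which is exactly what PATCH 2/2 does by reverting both hunks. If the intent is to drop MD5, delete the two lines and leave a short comment such as `# md5 digest/signature methods intentionally omitted (Kantara SAML V2.0 Implementation Profile for Federation Interoperability)`; if the intent is the configurable list of PATCH 2/2, squash this patch into it so the series does not carry a change and its own reversal. The subject cites the Kantara profile; as far as I recall that profile also deprecates SHA-1, yet `hmac-sha1` and `rsa-sha1` on the context lines stay enabled — worth confirming against the profile text before describing the tables as compliant.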
@@ -6,7 +6,7 @@ __author__ = 'roland'
 DIGEST_METHODS = {
- #"hmac-md5": 'http://www.w3.org/2001/04/xmldsig-more#md5', # test framework only!
+ "hmac-md5": 'http://www.w3.org/2001/04/xmldsig-more#md5', # test framework only!
 "hmac-sha1": 'http://www.w3.org/2000/09/xmldsig#sha1',
 "hmac-sha224": 'http://www.w3.org/2001/04/xmldsig-more#sha224',
 "hmac-sha256": 'http://www.w3.org/2001/04/xmlenc#sha256',
@@ -16,7 +16,7 @@
 }
 SIGNING_METHODS = {
- #"rsa-md5": 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5',
+ "rsa-md5": 'http://www.w3.org/2001/04/xmldsig-more#rsa-md5',
 "rsa-ripemd160": 'http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160',
 "rsa-sha1": 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
 "rsa-sha224": 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224',
diff --git a/src/saml2/config.py b/src/saml2/config.py
index 9b7debcb4..6e2d747c7 100644
--- a/src/saml2/config.py
+++ b/src/saml2/config.py
@@ -30,6 +30,7 @@ COMMON_ARGS = [
 "debug",
 "entityid",
+ "xmlsec_disabled_algs",
 "xmlsec_binary",
 "key_file",
 "cert_file",
@@ -189,6 +190,7 @@ class Config(object):
 def __init__(self, homedir="."):
 self._homedir = homedir
 self.entityid = None
+ self.xmlsec_disabled_algs = []
 self.xmlsec_binary = None
 self.xmlsec_path = []
 self.debug = False
diff --git a/src/saml2/metadata.py b/src/saml2/metadata.py
index 5c465032b..b092dfd37 100644
--- a/src/saml2/metadata.py
+++ b/src/saml2/metadata.py
@@ -735,6 +735,8 @@ def entity_descriptor(confd):
 _add_attr_to_entity_attributes(entd.extensions, attr)
 for item in algorithm_support_in_metadata(confd.xmlsec_binary):
+ if item.algorithm in getattr(confd, 'xmlsec_disabled_algs'):
+ continue
 if not entd.extensions:
 entd.extensions = md.Extensions()
 entd.extensions.add_extension_element(item)
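Review bot: `self.xmlsec_disabled_algs = []` in the `Config.__init__` hunk ships undocumented: nothing says what the entries are, and because metadata.py compares them with `item.algorithm`, a deployer who writes the short keys used in algsupport (`"rsa-md5"`) will filter nothing and get no error. Add a comment on the new line, e.g. `# algorithm identifiers, in the same form as item.algorithm in metadata.entity_descriptor, to leave out of the advertised metadata; empty = advertise everything xmlsec supports`. The empty default, combined with this patch's algsupport.py hunks restoring `hmac-md5`/`rsa-md5`, means a default configuration advertises MD5 again, so the series' net effect is opt-in only; if the profile named in PATCH 1/2's subject is the goal, consider seeding the default with the MD5 identifiers, or at least state in the configuration docs that deployers must set this key. The `COMMON_ARGS` addition in the earlier hunk of this file presumably makes the key loadable from a config file — confirm the loader actually copies it onto the instance, since metadata.py reads the attribute without a default.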
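Review bot: `getattr(confd, 'xmlsec_disabled_algs')` has no default, so it behaves exactly like `confd.xmlsec_disabled_algs` and raises `AttributeError` for any config object that lacks the new attribute; either give it a default and hoist it above the loop, `disabled = getattr(confd, 'xmlsec_disabled_algs', [])` then `if item.algorithm in disabled:` inside, or use plain attribute access and drop the `getattr`. Hoisting also stops re-reading the attribute on every iteration. Say explicitly, in a comment above the `for`, that this filter only changes what the entity's metadata advertises: the `DIGEST_METHODS`/`SIGNING_METHODS` tables restored in this patch's algsupport.py hunks still list the weak algorithms, so, as far as this series shows, signature verification is not restricted by the new setting. `entity_descriptor` starts before this hunk and continues after it.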