authorRoland Hedberg <roland.hedberg@adm.umu.se>2014-12-15 15:11:26 +0100
committerRoland Hedberg <roland.hedberg@adm.umu.se>2014-12-15 15:11:26 +0100
commit6787ce4dd58a5ce41141e389d9dd08ded39e2c4f (patch)
treed9da12031595c37598f500113272922fd3584d82
parentb3a7db984065056b94048e7282173d2f4d0c6641 (diff)
downloadpysaml2-6787ce4dd58a5ce41141e389d9dd08ded39e2c4f.tar.gz
Looks at the Popen returncode.
-rw-r--r--src/saml2/entity.py1
-rw-r--r--src/saml2/sigver.py11
-rw-r--r--tests/test_40_sigver.py42
3 files changed, 46 insertions, 8 deletions
diff --git a/src/saml2/entity.py b/src/saml2/entity.py
index 2b62c591..707d5015 100644
--- a/src/saml2/entity.py
+++ b/src/saml2/entity.py
@@ -543,6 +543,7 @@ class Entity(HTTPBase):
if to_sign:
signed_instance_factory(response, self.sec, to_sign)
else:
+ # default is to sign the whole response if anything
sign_class = [(class_name(response), response.id)]
return signed_instance_factory(response, self.sec,
sign_class)
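Review bot: The comment added to the else branch is ambiguous — "if anything" does not say which condition it describes; the branch runs when `to_sign` is empty, so `# nothing specific requested: sign the whole response` states it directly. The enclosing method starts and ends outside the hunk. Separately, the `if to_sign:` branch discards the return value of `signed_instance_factory` while the else branch returns it; unless that helper mutates `response` in place, the signed result is lost on that path, which is worth confirming against the rest of the method.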
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
index d7b30d29..0ac1f032 100644
--- a/src/saml2/sigver.py
+++ b/src/saml2/sigver.py
@@ -847,8 +847,8 @@ class CryptoBackendXmlSec1(CryptoBackend):
com_list.extend(["--node-id", node_id])
try:
- (stdout, stderr, signed_statement) = \
- self._run_xmlsec(com_list, [fil], validate_output=False)
+ (stdout, stderr, signed_statement) = self._run_xmlsec(
+ com_list, [fil], validate_output=False)
# this doesn't work if --store-signatures are used
if stdout == "":
if signed_statement:
@@ -924,12 +924,17 @@ class CryptoBackendXmlSec1(CryptoBackend):
p_out = pof.stdout.read()
p_err = pof.stderr.read()
+
+ if pof.returncode is not None and pof.returncode < 0:
+ logger.error(LOG_LINE % (p_out, p_err))
+ raise XmlsecError("%d:%s" % (pof.returncode, p_err))
+
try:
if validate_output:
parse_xmlsec_output(p_err)
except XmlsecError, exc:
logger.error(LOG_LINE_2 % (p_out, p_err, exc))
- raise exception("%s" % (exc,))
+ raise
ntf.seek(0)
return p_out, p_err, ntf.read()
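Review bot: The new returncode check will usually not see a value: `Popen.returncode` is only populated by `poll()`, `wait()` or `communicate()`, and reading `pof.stdout`/`pof.stderr` to EOF does not set it, so unless the process is waited for somewhere outside the hunk the attribute is still `None` here and the branch never runs. The condition also tests `< 0`, which on POSIX only matches termination by a signal; an xmlsec1 that exits with an ordinary non-zero status (a missing key file, for instance) is not caught by it. Suggest `pof.wait()` after the two reads and `if pof.returncode != 0:`; if non-zero exits are deliberately left to `parse_xmlsec_output`, the `wait()` is still needed for the check to mean anything. Reading stdout to EOF before stderr can also block if xmlsec1 fills the stderr pipe first, which `communicate()` avoids, though that predates this change. The enclosing method begins before the hunk.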
diff --git a/tests/test_40_sigver.py b/tests/test_40_sigver.py
index cf5acfa7..c0d12813 100644
--- a/tests/test_40_sigver.py
+++ b/tests/test_40_sigver.py
@@ -1,7 +1,7 @@
#!/usr/bin/env python
import base64
-from saml2.sigver import pre_encryption_part, make_temp
+from saml2.sigver import pre_encryption_part, make_temp, XmlsecError
from saml2.mdstore import MetadataStore
from saml2.saml import assertion_from_string, EncryptedAssertion
from saml2.samlp import response_from_string
@@ -438,7 +438,8 @@ def test_xbox():
)
sigass = sec.sign_statement(assertion, class_name(assertion),
- key_file=full_path("test.key"), node_id=assertion.id)
+ key_file=full_path("test.key"),
+ node_id=assertion.id)
_ass0 = saml.assertion_from_string(sigass)
@@ -471,7 +472,38 @@ def test_xbox():
print assertions
+def test_xmlsec_err():
+ conf = config.SPConfig()
+ conf.load_file("server_conf")
+ md = MetadataStore([saml, samlp], None, conf)
+ md.load("local", full_path("idp_example.xml"))
+
+ conf.metadata = md
+ conf.only_use_keys_in_metadata = False
+ sec = sigver.security_context(conf)
+
+ assertion = factory(
+ saml.Assertion, version="2.0", id="11111",
+ issue_instant="2009-10-30T13:20:28Z",
+ signature=sigver.pre_signature_part("11111", sec.my_cert, 1),
+ attribute_statement=do_attribute_statement(
+ {("", "", "surName"): ("Foo", ""),
+ ("", "", "givenName"): ("Bar", ""), })
+ )
+
+ try:
+ sec.sign_statement(assertion, class_name(assertion),
+ key_file=full_path("tes.key"),
+ node_id=assertion.id)
+ except XmlsecError as err: # should throw an exception
+ pass
+ else:
+ assert False
+
+
if __name__ == "__main__":
- t = TestSecurity()
- t.setup_class()
- t.test_non_verify_2()
+ # t = TestSecurity()
+ # t.setup_class()
+ # t.test_non_verify_2()
+
+ test_xbox()
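Review bot: `test_xmlsec_err` only checks that some `XmlsecError` escapes `sign_statement`; with a key file that does not exist the error can come from more than one place, so the test does not show which failure path it exercises, and the bound `err` is never used. Assert on the text of `err` so the test pins the failure it expects, or, if this file already uses pytest (its imports are outside the hunk), replace the try/except/else with `with pytest.raises(XmlsecError) as excinfo:` and check `excinfo.value`. The `__main__` block keeps three commented-out lines; delete them rather than leaving dead code, and note that it now calls `test_xbox()` rather than the new test, so running the file directly does not exercise `test_xmlsec_err`.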