[WiP] Disable weak xmlsec algorithms

[peppelinux]

This PR aims to implement a blacklist parameter for xml algs, as discussed here:

• Limit available DigestMethods and SigningMethods #421
• https://github.com/IdentityPython/pysaml2/pull/626/files

Confguration parameter can be declared as follow:

SAML_IDP_CONFIG = {
    'debug' : True,
    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin/xmlsec1']),
    'xmlsec_disabled_algs': ('http://www.w3.org/2001/04/xmldsig-more#md5',
                             'http://www.w3.org/2001/04/xmldsig-more#rsa-md5'),
    ...

All Submissions:

• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you added an explanation of what problem you are trying to solve with this PR?
• Have you added information on what your changes do and why you chose this as your solution?
• Have you written new tests for your changes?
• Does your submission pass tests?
• This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

[c00kiemon5ter]

Digest and signing are different operations. We should not mix them together. This should be configured separately for the two.

[c00kiemon5ter]

The metadata is just declaring something. We should prohibit actually using the algos when they are going to be used to sign docs or create digests.

[peppelinux]

Digest and signing are different operations. We should not mix them together. This should be configured separately for the two.

I understand but they are xmlsec's algs, so we could handle them in a unique parameter. This will simplify user's approach.. but somethings sounds to me that this solution won't like to you :)
It can be done both ways, just discuss it together first.

The metadata is just declaring something. We should prohibit actually using the algos when they are going to be used to sign docs or create digests.

I agree and this is just a basic implementation to start from. I saw how xmlsec is used in pysaml and I think that it would be better to handle this new born parameter together with the upcoming (?) xmlsec-handler refactor. Have you already choose a xmlsec API handler? This would be the point to start from, coupling in it this PR

[peppelinux]

I'd also put some reference here as personal notes:

• sigver.CryptoBackendXmlSec1.init, actually do not handle config directly but takes **kwargs;
• sigver.security_context, get configuration as paramenters. In it calls sigver.security_context that initialize sigver.CryptoBackendXmlSec1
• entity.Entity.sign get sign_alg and digest_alg as arguments (validate these in relation to blacklist)
• entity.Entity().sec = security_context(self.config)

Also:
sigver.SecurityContext().metadata handles metadata...

[peppelinux]

pyXMLsecurity is an alternative to xmlsec1, just need to have an example

https://github.com/IdentityPython/pyXMLSecurity

it only have signing features and no crypto:
https://github.com/IdentityPython/pyXMLSecurity/blob/master/src/xmlsec/crypto.py