pyFF > 2.0.0 doesn't appear to check metadata signatures

[alanbuxey]

trafficstars

pyFF does not appear to be using the certificates to check the Metadata signature. When an XRD file is used in batch mode with incorrect certificate the metadata is still ingested, pipelines continue and entries consumed/exported etc.

When rolling back to 2.0.0 the configuration is indeed detected to be wrong and signatures fail, metadata not processed.

Code Version

2.1.2 and 2.1.1, or newer

Expected Behavior

when running with the XRD example file, the certificates should be used to verify the collected Metadata

Current Behavior

The Metadata is collected and worked on with no signature check being performed

Possible Solution

Added a debug log to the utils.py (line 267) to check if we 'have' a key

def check_signature(t: ElementTree, key: Optional[str], only_one_signature: bool = False) -> ElementTree:
    if key is None:
        log.debug("We dont have a key")

and that got printed out after MD was collected - so looks like the parser isn't parsing the x509 sections correctly.

Steps to Reproduce

• take the examples/links.xrd file (and re-enable the InCommon section),
• then swap the 2 certificate sections around - so the InCommon cert is used for SWAMID and SWAMID cert is used for InCommon,
• then run pyFF in batch mode with that XRD file