commit 7e16242ef24d7d7589a1224de2730dc728fcd083
Author: CentOS Sources
Date: Tue Nov 8 01:41:23 2022 -0500
import lasso-2.6.0-13.el8
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..23845a6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/lasso-2.6.0.tar.gz
diff --git a/.lasso.metadata b/.lasso.metadata
new file mode 100644
index 0000000..2e170e3
--- /dev/null
+++ b/.lasso.metadata
@@ -0,0 +1 @@
+c48e1d6626e6563163146063cbf65ffef52bac1b SOURCES/lasso-2.6.0.tar.gz
diff --git a/SOURCES/0005-tests-use-self-generated-certificate-to-sign-federat.patch b/SOURCES/0005-tests-use-self-generated-certificate-to-sign-federat.patch
new file mode 100644
index 0000000..e53d685
--- /dev/null
+++ b/SOURCES/0005-tests-use-self-generated-certificate-to-sign-federat.patch
@@ -0,0 +1,382 @@ +From 12a3f6c10ee3d5f321a751cf6c4cb7f63313582e Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 13 Jun 2019 13:03:04 +0200 +Subject: [PATCH] tests: use self-generated certificate to sign federation + metadata file (#33823) + +--- + tests/basic_tests.c | 13 +--- + tests/data/lasso.crt | 23 +++++++ + tests/data/lasso.csr | 15 ++++ + tests/data/lasso.key | 27 ++++++++ + .../metadata/metadata-federation-renater.crt | 15 ---- + tests/data/metadata/renater-metadata.xml | 69 +++++++++++-------- + tests/data/rootCA.crt | 32 +++++++++ + tests/data/rootCA.key | 51 ++++++++++++++ + tests/data/rootCA.srl | 1 + + 9 files changed, 192 insertions(+), 54 deletions(-) + create mode 100644 tests/data/lasso.crt + create mode 100644 tests/data/lasso.csr + create mode 100644 tests/data/lasso.key + delete mode 100644 tests/data/metadata/metadata-federation-renater.crt + create mode 100644 tests/data/rootCA.crt + create mode 100644 tests/data/rootCA.key + create mode 100644 tests/data/rootCA.srl + +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index c08cab69..84999a17 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -1983,24 +1983,13 @@ START_TEST(test13_test_lasso_server_load_metadata) + block_lasso_logs; + check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP, + TESTSDATADIR "/metadata/renater-metadata.xml", +- TESTSDATADIR "/metadata/metadata-federation-renater.crt", ++ TESTSDATADIR "/rootCA.crt", + &blacklisted_1, &loaded_entity_ids, + LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT)); + unblock_lasso_logs; + check_equals(g_hash_table_size(server->providers), 110); + check_equals(g_list_length(loaded_entity_ids), 110); + +-#if 0 +- /* UK federation file are too big to distribute (and I don't even known if it's right to do +- * it, disable this test for now ) */ +- check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP, +- TESTSDATADIR "/ukfederation-metadata.xml", +- TESTSDATADIR "/ukfederation.pem", +- 
&blacklisted_1, &loaded_entity_ids, +- LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT)); +- check_equals(g_list_length(loaded_entity_ids), 283); +- check_equals(g_hash_table_size(server->providers), 393); +-#endif + lasso_release_list_of_strings(loaded_entity_ids); + + lasso_release_gobject(server); +diff --git a/tests/data/lasso.crt b/tests/data/lasso.crt +new file mode 100644 +index 00000000..568a0b9c +--- /dev/null ++++ b/tests/data/lasso.crt +@@ -0,0 +1,23 @@ ++-----BEGIN CERTIFICATE----- ++MIID6zCCAdMCFALT+lN2uLJWF7p2xOo65/5KwxixMA0GCSqGSIb3DQEBCwUAMEUx ++CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl ++cm5ldCBXaWRnaXRzIFB0eSBMdGQwIBcNMTkwNjExMDc0NTU2WhgPMjI5MzAzMjUw ++NzQ1NTZaMB0xCzAJBgNVBAYTAkZSMQ4wDAYDVQQDDAVMYXNzbzCCASIwDQYJKoZI ++hvcNAQEBBQADggEPADCCAQoCggEBAOIS/WATGMJsv7OvgrjpYmAW3RmojVp4cHi0 ++17HelWVZ5adX3zSljecmpb1UQcBNzEDb15tOnNO708O94fFLWiWRfjYWa1QYOLkZ ++6kHAR2yJTkhBNQl326K6BnJkWoCsErkXa1608+6+rXR+9KchB/lLSY3Dqh8L6N7s ++qE+xyD1Z8HM3mHs9CM4crIpCPaZ80/yNfBPqPA2Zv4uIBrwSF32rPnh1ciJuIKQg ++jnCQOaKC2j+VsytgthriI0PVRzC7WPAJReQa65N/i721jG6rPecwVcCS9G6cmG+s ++pq6GERUe7nFVdNZ5sRzNsGuDpEdmeCS1pCPtW2hufm8vqvtw9ZkCAwEAATANBgkq ++hkiG9w0BAQsFAAOCAgEAfbHk+QNvLYDNlqwwlu5+88/3CcEx+s1voXOBTxgyIAR2 ++NVKkO7dAW5me51jPPZhy+xC4i+AAeLW5JGwirM5LDgU+9P02JBsZ4OoZI3pBAZ5m ++GrmxrMm6q+9mJ+6bMHolfBNN6hoaWeJiknvc1Id7o0Dh4PbdV7r6ISuXisDb/1je ++tmzxoFuXhmDwwHMTG7eUORVFEgS8V5NNKMv16BeWNDohJVP6icxwoi5JswUl+vfO ++rvIwx2GAJ2EQAbSZv5ADFQ4/vxeopULgLnblc3BwVG4RTT7plNgT2iXP8YwmEGKb ++JDHRVFUo1tX6EKkBUI9AgETrdUnLq6XxP11JmrqNL9oOHw+hGb5vT1wyn6FFxZo2 ++BVgfqdiGbjcs1bTKeQAZKuhaW90oV6+yYD6WtWn/LfHnftAJivALkmUk+XaSqqbO ++FxuyRsz9C/yq0azr6IkCWhGwBYoLvf2CrvovSYpPXefeQ+1yXNDW7bvfAQfOO9xk ++SqQi4cYJw9hNqTk2f61x6UX/o8wKVhXEHyaCr9lVLNpCK0Uy07f3zkubx1mW5PST ++ITSnD8sPD7iMyGOJa5tQJ8W5u2NJT6qo52Jubgc8PapkOoYyEhUaTQEb8RN6D3oD ++xc8cCKn4HUtpkJKgxYhQDtsomJp2RK7lzjVPXAlFUmld88WgqdJwp9GSvMEktA0= ++-----END CERTIFICATE----- +diff --git a/tests/data/lasso.csr b/tests/data/lasso.csr +new file mode 
100644 +index 00000000..c450e1b4 +--- /dev/null ++++ b/tests/data/lasso.csr +@@ -0,0 +1,15 @@ ++-----BEGIN CERTIFICATE REQUEST----- ++MIICYjCCAUoCAQAwHTELMAkGA1UEBhMCRlIxDjAMBgNVBAMMBUxhc3NvMIIBIjAN ++BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4hL9YBMYwmy/s6+CuOliYBbdGaiN ++WnhweLTXsd6VZVnlp1ffNKWN5yalvVRBwE3MQNvXm06c07vTw73h8UtaJZF+NhZr ++VBg4uRnqQcBHbIlOSEE1CXfboroGcmRagKwSuRdrXrTz7r6tdH70pyEH+UtJjcOq ++Hwvo3uyoT7HIPVnwczeYez0IzhysikI9pnzT/I18E+o8DZm/i4gGvBIXfas+eHVy ++Im4gpCCOcJA5ooLaP5WzK2C2GuIjQ9VHMLtY8AlF5Brrk3+LvbWMbqs95zBVwJL0 ++bpyYb6ymroYRFR7ucVV01nmxHM2wa4OkR2Z4JLWkI+1baG5+by+q+3D1mQIDAQAB ++oAAwDQYJKoZIhvcNAQELBQADggEBAJcoM7bn2yEElJjpX8mYuawWwlNdLOCyIPCc ++tr6b61CmVDVntWw61fExrg+n1b5uOVuUAEaYNutw6nypzrfvr4wjGKxbl/jTSJCM ++WHLl0/+IGQgr41SbRaySA1Y1hdJEd1ummH07sd7FfQNN/T/zLGaM0CI2/yj89VRk ++BJwiSwbFp1zqntoITQPjo/vpWAqahqNpSKR+C5l1f870wVI2wPg89McRw35EACdx ++Pys8g15+3eKBRTD24eOSWDAL4iDz1jh8ejwtuPjZCQRgg7pkV7uK9Qq4XbStW8AR ++JftZ9BBmUOkpdTY0ml6uNojI5u3J/A8KL0UHeiOGLzEy6l64qjE= ++-----END CERTIFICATE REQUEST----- +diff --git a/tests/data/lasso.key b/tests/data/lasso.key +new file mode 100644 +index 00000000..d6ee4142 +--- /dev/null ++++ b/tests/data/lasso.key +@@ -0,0 +1,27 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpAIBAAKCAQEA4hL9YBMYwmy/s6+CuOliYBbdGaiNWnhweLTXsd6VZVnlp1ff ++NKWN5yalvVRBwE3MQNvXm06c07vTw73h8UtaJZF+NhZrVBg4uRnqQcBHbIlOSEE1 ++CXfboroGcmRagKwSuRdrXrTz7r6tdH70pyEH+UtJjcOqHwvo3uyoT7HIPVnwczeY ++ez0IzhysikI9pnzT/I18E+o8DZm/i4gGvBIXfas+eHVyIm4gpCCOcJA5ooLaP5Wz ++K2C2GuIjQ9VHMLtY8AlF5Brrk3+LvbWMbqs95zBVwJL0bpyYb6ymroYRFR7ucVV0 ++1nmxHM2wa4OkR2Z4JLWkI+1baG5+by+q+3D1mQIDAQABAoIBAClNONcFhh93CKrG ++JMatdJiDdM9MOM7PdBTJTSKkvHxwqQEij5epqzwQlnT5YK3GSMuMnl40RXh1NyHq ++nc2ca5KzevBctiz949cFQgPTIflVOGUA7LSXHhwjiiv544LgbOc9vRLnUi1Kzpua ++2g1yfmdv9rcciQb1AQ1BBRrSKvfyD410KojJXwunYx32hrHdnhPwC3xyg6BEMpq9 ++PtcnTvFY/iDeyzYLwAwJb2xdTCpg7okd1KthtohS740Y0uS+UVaEDK7xOIj+CNIq ++ii+j0fv5N5fjke8TdUszLWkDYQQ9BTJWFOjJ72FZs9J8pk7RlNhnt6tEoZ6866+w 
++nprmJwUCgYEA9VWT0FswnSnm+lkRP7vc/SJYTg6zD2BrGOKEo58L8TObb242G+Fs ++JteMvdVm14GublmqXZv6Md5x5iVh3kRlu+8dbM5WnBNpwt6mGZPK7if5K/X1qiJg ++BeroAX/KuVjSHBYVDFfHqPQg146RFcj/q7aCsqc+aMwgdUZ8OlBjRf8CgYEA6+cP ++GG9VOlXWZ2RzSBoKrvxJgSQRpgVXeJAr1BWZ+pJVGIft3zSbeJ30nsUuob61UDVH ++g6HzjOUQWHyK4wq2gyK3kOw/Aii6z4REXDVMVq3OgqaE4Fw+MH31ci8JILU415ZY ++DQGo++E87tbSgp32gqou7Aj7Y4Sfvx+V/da4NGcCgYAv+tGSsRLb2cMLePnPnh0F ++AH+GnIdWXYP0dPB903ARdwdSDprUbwyouAUVZzPat8j2WeDgt82BjUB3Qx5Vysie ++rY/ypJP5qC5J5yNS4z2PwA+SEmM+J8Thw2QmTujFwOIujf8Fz/EDUONPZNlpCks+ ++OM5sxBqHgkxiwysueGRB3wKBgQCWwXDaMrwKrbR5Gq65kzrknQH0b7J/oMZHnAsG ++XE+s3DtZk/SmQh5hNMCRfn3Qi+mfOo1bR/I3RmPtyJmRgtUkdNlO2kth+9l2qJZv ++PvhsJGLnB7e/EfQEVVq3/+sbZfTPgZr/pOHzJfwkvlCFfKF+23dlDFBrRuQ35d2a ++/M93XQKBgQCmAatw/7+z/CS6HinOW7W4k77eQ4wHb8XwzTl8T/5mf6KzejDUuEpZ ++hi4ZMAZqNywiJo7UOu6APVzRU7qF6Dbg4eIZWtIocMhp19kUArAPz7NcrghXsTIZ ++UdBWeG3kgUa5Q6d/D2OpWHK9S8LRdUL4/H0WZoqDOoDpJwKpljevyg== ++-----END RSA PRIVATE KEY----- +diff --git a/tests/data/metadata/metadata-federation-renater.crt b/tests/data/metadata/metadata-federation-renater.crt +deleted file mode 100644 +index b6117441..00000000 +--- a/tests/data/metadata/metadata-federation-renater.crt ++++ /dev/null +@@ -1,15 +0,0 @@ +------BEGIN CERTIFICATE----- +-MIICZTCCAc6gAwIBAgIEScn+qTANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJG +-UjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNhdCBkZSBzaWdu +-YXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9uIEVkdWNhdGlv +-bi1SZWNoZXJjaGUwHhcNMDkwMzI1MDk1MTM3WhcNMTkwMzIzMDk1MTM3WjB3MQsw +-CQYDVQQGEwJGUjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNh +-dCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9u +-IEVkdWNhdGlvbi1SZWNoZXJjaGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB +-AJBXcLIguokGiytYSOrgmU6fN+1DXK4eaquvFGMaswuhcRPD4tXtSs8CGxPP8/VF +-Mpcry04lfPA3mpwDis47hsvmLqGJVmfSuvkDsPx+I325h4WqGzEV8kfttkJSi8D0 +-QLKk9wseA+BHzoBpU6e5uWmGqfWJgbZlcUuYKCIE2nL/AgMBAAEwDQYJKoZIhvcN +-AQEFBQADgYEAT0rUS5GTtqW9a0pAv0PjieSS6bW3KG3Mtn0jC1dmav6X9fbhhmFL 
+-1XSC9WnCU2UD3986EWWYKhN2INHghHE/fQGveVwdcVSSt601OpAsUF18tx0vHqkf +-Shcj7mteq59Gv4hOE8U1Urd/pSRaIO3G42X6/L/AlXeDkicfGZHhq7Q= +------END CERTIFICATE----- +diff --git a/tests/data/metadata/renater-metadata.xml b/tests/data/metadata/renater-metadata.xml +index 868f9259..70517100 100644 +--- a/tests/data/metadata/renater-metadata.xml ++++ b/tests/data/metadata/renater-metadata.xml +@@ -1,4 +1,5 @@ +- ++ ++ + + + +@@ -11,36 +12,50 @@ + AIDrFyG3G6IpXdapls2LeP2Awt8= + + +- +-Mb7C8CsvA6UNnLN+LHCoOG7+c1CYQtUMm+o3p31niDfRcDcCDtuZ521FGM6p6ki6fS8HlncK0Q+h +-7rpXNeD2dY12FU94vI5wfF6m89pRs6QYE4O13HPDDZvhRZY+BX4+fqg6tsRz8NRaFS/xvxSzzPzO +-dsOrE6R2/QhrcaF1PnA= +- ++a47ZynaE+fXQFr2QkjjNsPoWhG0Lbed36MZ2/1jNygD2Ck3zYNSBxFTNI0bhZSi+ ++sYefYhnYDqpz785/90Ym3hVL+olMZ8z7NLlkeDKCScNCi1436j/W4voR0jez3BkA ++IrMW2p4eUtSwfTHRazMtRacQrwTk3JAbShXuWU7fVnRI4t8oa8t43rf2hz+rRG8F ++SizMOyyHMak13jaVCmX5qoaO4OWmqs2GhXsx8hRfzJ8o6w417InTLWcuIRNw1/zm ++6O6H1as6nmKv34SppCiwdGrTpT6i3/zB3j9Hw7iyuvTF5bbaF+7MMsW/pjw5VOF8 ++lmNqhsCFdu+JsaTFBIB2Fg== + + + + +-kFdwsiC6iQaLK1hI6uCZTp837UNcrh5qq68UYxqzC6FxE8Pi1e1KzwIbE8/z9UUylyvLTiV88Dea +-nAOKzjuGy+YuoYlWZ9K6+QOw/H4jfbmHhaobMRXyR+22QlKLwPRAsqT3Cx4D4EfOgGlTp7m5aYap +-9YmBtmVxS5goIgTacv8= ++4hL9YBMYwmy/s6+CuOliYBbdGaiNWnhweLTXsd6VZVnlp1ffNKWN5yalvVRBwE3M ++QNvXm06c07vTw73h8UtaJZF+NhZrVBg4uRnqQcBHbIlOSEE1CXfboroGcmRagKwS ++uRdrXrTz7r6tdH70pyEH+UtJjcOqHwvo3uyoT7HIPVnwczeYez0IzhysikI9pnzT ++/I18E+o8DZm/i4gGvBIXfas+eHVyIm4gpCCOcJA5ooLaP5WzK2C2GuIjQ9VHMLtY ++8AlF5Brrk3+LvbWMbqs95zBVwJL0bpyYb6ymroYRFR7ucVV01nmxHM2wa4OkR2Z4 ++JLWkI+1baG5+by+q+3D1mQ== + +-AQAB ++ ++AQAB ++ + + + +- +-MIICZTCCAc6gAwIBAgIEScn+qTANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJGUjEQMA4GA1UE +-ChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNhdCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9u +-bmVlcyBkZSBsYSBmZWRlcmF0aW9uIEVkdWNhdGlvbi1SZWNoZXJjaGUwHhcNMDkwMzI1MDk1MTM3 +-WhcNMTkwMzIzMDk1MTM3WjB3MQswCQYDVQQGEwJGUjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UE +-AxNNQ2VydGlmaWNhdCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0 
+-aW9uIEVkdWNhdGlvbi1SZWNoZXJjaGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJBXcLIg +-uokGiytYSOrgmU6fN+1DXK4eaquvFGMaswuhcRPD4tXtSs8CGxPP8/VFMpcry04lfPA3mpwDis47 +-hsvmLqGJVmfSuvkDsPx+I325h4WqGzEV8kfttkJSi8D0QLKk9wseA+BHzoBpU6e5uWmGqfWJgbZl +-cUuYKCIE2nL/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAT0rUS5GTtqW9a0pAv0PjieSS6bW3KG3M +-tn0jC1dmav6X9fbhhmFL1XSC9WnCU2UD3986EWWYKhN2INHghHE/fQGveVwdcVSSt601OpAsUF18 +-tx0vHqkfShcj7mteq59Gv4hOE8U1Urd/pSRaIO3G42X6/L/AlXeDkicfGZHhq7Q= +- ++MIID6zCCAdMCFALT+lN2uLJWF7p2xOo65/5KwxixMA0GCSqGSIb3DQEBCwUAMEUx ++CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl ++cm5ldCBXaWRnaXRzIFB0eSBMdGQwIBcNMTkwNjExMDc0NTU2WhgPMjI5MzAzMjUw ++NzQ1NTZaMB0xCzAJBgNVBAYTAkZSMQ4wDAYDVQQDDAVMYXNzbzCCASIwDQYJKoZI ++hvcNAQEBBQADggEPADCCAQoCggEBAOIS/WATGMJsv7OvgrjpYmAW3RmojVp4cHi0 ++17HelWVZ5adX3zSljecmpb1UQcBNzEDb15tOnNO708O94fFLWiWRfjYWa1QYOLkZ ++6kHAR2yJTkhBNQl326K6BnJkWoCsErkXa1608+6+rXR+9KchB/lLSY3Dqh8L6N7s ++qE+xyD1Z8HM3mHs9CM4crIpCPaZ80/yNfBPqPA2Zv4uIBrwSF32rPnh1ciJuIKQg ++jnCQOaKC2j+VsytgthriI0PVRzC7WPAJReQa65N/i721jG6rPecwVcCS9G6cmG+s ++pq6GERUe7nFVdNZ5sRzNsGuDpEdmeCS1pCPtW2hufm8vqvtw9ZkCAwEAATANBgkq ++hkiG9w0BAQsFAAOCAgEAfbHk+QNvLYDNlqwwlu5+88/3CcEx+s1voXOBTxgyIAR2 ++NVKkO7dAW5me51jPPZhy+xC4i+AAeLW5JGwirM5LDgU+9P02JBsZ4OoZI3pBAZ5m ++GrmxrMm6q+9mJ+6bMHolfBNN6hoaWeJiknvc1Id7o0Dh4PbdV7r6ISuXisDb/1je ++tmzxoFuXhmDwwHMTG7eUORVFEgS8V5NNKMv16BeWNDohJVP6icxwoi5JswUl+vfO ++rvIwx2GAJ2EQAbSZv5ADFQ4/vxeopULgLnblc3BwVG4RTT7plNgT2iXP8YwmEGKb ++JDHRVFUo1tX6EKkBUI9AgETrdUnLq6XxP11JmrqNL9oOHw+hGb5vT1wyn6FFxZo2 ++BVgfqdiGbjcs1bTKeQAZKuhaW90oV6+yYD6WtWn/LfHnftAJivALkmUk+XaSqqbO ++FxuyRsz9C/yq0azr6IkCWhGwBYoLvf2CrvovSYpPXefeQ+1yXNDW7bvfAQfOO9xk ++SqQi4cYJw9hNqTk2f61x6UX/o8wKVhXEHyaCr9lVLNpCK0Uy07f3zkubx1mW5PST ++ITSnD8sPD7iMyGOJa5tQJ8W5u2NJT6qo52Jubgc8PapkOoYyEhUaTQEb8RN6D3oD ++xc8cCKn4HUtpkJKgxYhQDtsomJp2RK7lzjVPXAlFUmld88WgqdJwp9GSvMEktA0= + + + +@@ -1277,7 +1292,7 @@ Ugr24VE4pUTqq2xGSOazVN0EKSqULXvM9ZHupGDCJmRH4P3H/X4w8Cq5Y6c0pDtJ + + + +- ++ + + + +@@ -8584,7 
+8599,7 @@ f6ou5oRTltOZOUJfXI1XMhAUNnU7zQvrFeoGrRzGv3zq8AieXbRyWhXY1Eo1mPpS + $Id: renater.xml,v 1.4 2011/03/30 13:23:00 rdc Exp $ + generated at Wed Mar 30 14:18:20 2011 + by %Id: shib-config,v 1.6 2010/09/10 15:10:15 pmh Exp % +- --> ++ --> + + + +@@ -15545,7 +15560,7 @@ oZQx + + + +- ++ + + + +@@ -30065,4 +30080,4 @@ ihb/MX5UR6g83EMmqZsFt57ANEORMNQywxFa4Q== + + + +- +\ No newline at end of file ++ +diff --git a/tests/data/rootCA.crt b/tests/data/rootCA.crt +new file mode 100644 +index 00000000..a31c99a2 +--- /dev/null ++++ b/tests/data/rootCA.crt +@@ -0,0 +1,32 @@ ++-----BEGIN CERTIFICATE----- ++MIIFbTCCA1WgAwIBAgIUJD9pAmQfrAv6NLPnweO4XUdIbzkwDQYJKoZIhvcNAQEL ++BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM ++GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0xOTA2MTEwNzQzNTVaGA8yMjkz ++MDMyNTA3NDM1NVowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx ++ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBAJuPnHwxmpRquFkFok4VkO39j5NT2a8+Wfp8zYnh ++qLt3CG3oDyFftWyF97NJYoxDPbio2fVYJiBKutDOMYPsJfrd4SoqcDOGOAdfkNl9 ++SEhCnzrzlOj6ZcDoNTG0IvKh+NzLgfpU1wggyLW2ZXwvwf8hNGW9YR1i8XY5TSmt ++0z9Dawsg2QAyYjoemUeDOVWEFWISmXySC2osXGANcOaaFMEv1Ryj5HWHzcCVZZ0g ++UBG9iDZqewDvPg+SRvC2k16coeRjsSstHzVqBxOWpp5Oium39K8jXV6jG+JkFn49 ++C2RBldpajbPhvHKOdtJeID20njgmfCRZB/KfQGPPf8xXk4wBTxPU9L8wKy370unZ ++P4WD1vq35KfPsiUdlavzqYkOkI20iWIZO6853oSPlJ4zmBVNXP8VhQm0h2VovNH+ ++Zde4vaPtQXPwwNbCvBItu5m1uaigPgRycBJV8M0gdliAICfCMeSwQDrhkX6ck17n ++uBpxBTCn9GEFN/+7miNH/roH03NHU3vciqTAi1MrDA3jfOZkYBC/Cd5AmsMc6NTO ++Xc57mFwuZ+BmQI6w1ddL5e+5Y/DA57VexfTdG+/TpS+D9oBJUmaczkAG+27YKs8f ++mJKoTSPULjXK8pwwcBMk8HuS5bt6fBBmqbJb8bwXceEHCBg7WCYNmXy5lXwUUwAh ++NDwDAgMBAAGjUzBRMB0GA1UdDgQWBBRWppx3mP/hCh9ZLKZfwGBeg1wiPjAfBgNV ++HSMEGDAWgBRWppx3mP/hCh9ZLKZfwGBeg1wiPjAPBgNVHRMBAf8EBTADAQH/MA0G ++CSqGSIb3DQEBCwUAA4ICAQAWfNrX65UUI55f0A8svSIUVy8c7YjX8P70xMWq7Cpe ++tRPo8C98JCr8MtUaAx6VFx4sjHyCPmEIIf+u7aDxRhrxpqAQAQl5me8OxqwmOxKu 
++I7WeRrjAvOux52xfjqtm36fx9SUDu94ox5LdG+NNtG29AbLZeAs4pe4qVqH1GQb9 ++fw3lvxwKV+AovpVZ7eXyscfSvKWi4rgzVJl27me/rgLZsVYJ2gAjTI77vGN1G0ro ++q2iaTvEALHlzhKepVg1IAJAGJLSZegcK3zwWOqZzkL77De6Z3+zbxwNopcy/CGEs ++9v9gDyL1LeAJ3o/dehvPiqMWogTVO6X77sNIiiu41sdaWSTiFllmyO+hQqS69R68 ++NOe+uAP1+taLhD16kp7XHS0MIXEPaQbEgrXtqb163oMJSAaok3xXNyRJ7ZNMS4CT ++0QJE15PpnbRYoQOf4QrrsDmpl2ybU7MR9uOj64qVSvUtBcq1w7ljPStbkN7F7OOU ++pepVvNaWe820kgQ/l9tu1WY9D7PFGP6iWY4AwdxcpWwlJnIr104X3PQ0Y5/msYVs ++zEnqaNiEOnbmTZUvn5jJOwh8DWUo+LffRQx/PoZlhZ/L/L3RtpGUV2E+E5Gzqs7W ++gey9iG11CVcvK/wdCj0zhW/XpesQuwinIMawGS6G92igHo+AFjJoGaGiw3jYdep8 ++CA== ++-----END CERTIFICATE----- +diff --git a/tests/data/rootCA.key b/tests/data/rootCA.key +new file mode 100644 +index 00000000..6b39fb45 +--- /dev/null ++++ b/tests/data/rootCA.key +@@ -0,0 +1,51 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIJJwIBAAKCAgEAm4+cfDGalGq4WQWiThWQ7f2Pk1PZrz5Z+nzNieGou3cIbegP ++IV+1bIX3s0lijEM9uKjZ9VgmIEq60M4xg+wl+t3hKipwM4Y4B1+Q2X1ISEKfOvOU ++6PplwOg1MbQi8qH43MuB+lTXCCDItbZlfC/B/yE0Zb1hHWLxdjlNKa3TP0NrCyDZ ++ADJiOh6ZR4M5VYQVYhKZfJILaixcYA1w5poUwS/VHKPkdYfNwJVlnSBQEb2INmp7 ++AO8+D5JG8LaTXpyh5GOxKy0fNWoHE5amnk6K6bf0ryNdXqMb4mQWfj0LZEGV2lqN ++s+G8co520l4gPbSeOCZ8JFkH8p9AY89/zFeTjAFPE9T0vzArLfvS6dk/hYPW+rfk ++p8+yJR2Vq/OpiQ6QjbSJYhk7rznehI+UnjOYFU1c/xWFCbSHZWi80f5l17i9o+1B ++c/DA1sK8Ei27mbW5qKA+BHJwElXwzSB2WIAgJ8Ix5LBAOuGRfpyTXue4GnEFMKf0 ++YQU3/7uaI0f+ugfTc0dTe9yKpMCLUysMDeN85mRgEL8J3kCawxzo1M5dznuYXC5n ++4GZAjrDV10vl77lj8MDntV7F9N0b79OlL4P2gElSZpzOQAb7btgqzx+YkqhNI9Qu ++NcrynDBwEyTwe5Llu3p8EGapslvxvBdx4QcIGDtYJg2ZfLmVfBRTACE0PAMCAwEA ++AQKCAgBPPweu1O40cXFcGFyofqAIPUWo/exFM/ROgMmMViLI7UikBLXAgKtBj7Wx ++5c6IObD1oz71l2REyw0EViYvWFu4wtNz0Y67EML2Lp7xzLrH5PiM5Y2UagrwDNsc ++aPHsvMq0YA/k4NdyUpEs0LA+ZW3kdJvmwGT6vW7YlTRT6TNWZRfg4WjqisAzb2cS ++YS0R/WmPPn5mUVfzTIn6fJ5pO1EbYSylnHBD11zfoLvVIaLohq8fWXsz7Kym7hOp ++iLjmV9C5MngM0L23Tj4womxa9RQbIBVMKy3jiiAoYmh7AsoM1sRqKftKCdMgYKbz ++X/P4u0xmumQ/eANue+YncoteI7cLrjps1RUeodmRgxLt0KHbTW4X35Fd6yI+Nxts 
++13aA6J/WusELQYigBXG3cHOfxfOMkqjdVozReF+QzsAJFXQwV4lQhsdlkVjnMWB9 ++iotUVj9X8SWHktBnCHmuyuQoyJIxwM6cBLv1bJCpdiGcJJrtPgTwI3ybjVDlsVpE ++A2EaWiH2UDnzmI2OXy2BaOmLoYzV3kYLhd1zG2q2rLDd70kzOHJJmTOp8xFzZVOA ++74IbdWb6J3C6o7F8IFK+1strw6ADDINEyg+zoIbNUGVyvGI90Xak+7k8KgGWSplw ++318k0xyh6hu9HU/wWHE2WObjIWKnzDHnt917dJkyMazyC2x3wQKCAQEAy4gAWJNM ++/mVa4sr2NLUNPQpVfxhSF/jhxdD3b5Z5A/PD+spUcF1WZSpBj8BmNOWilJ2pBMkv ++Yp7o2s4MbLIFx1HMgVI/cTo1/kk8hvCBdX9n1Dum3dRNTaxBUaZNDdBZ61b4an/V ++lrK20Tx3RY23qInoOUsBFENF+UJUAkujXH3tBv5d//yfX9z75sesQl/HKVr1UAI6 ++I7a76sO+0bCnDAxooIQH0sLzmWa9JliiFd8gWeY7Yd+/jCw4toptkgtXUUm1dFLL ++8s7Eah+P0ORZ17+eBWub/4gOzbgfOh4EKNU/lLI9r2L6RH0F9C3Symm6mu7EBpEC ++SzDyHnYqzpAh8wKCAQEAw6nSmp+HBz7AhW+tEiXt1KjvCRgslVMGQ/UTFbU8TqLd ++rECn5wKO45EHV4at6jazJUhwIBVty39duiOmmEWOtpCxX3OgdM11s8/LACXv4/B4 ++pWHqzhJgrwISOLLoxEoM+A3odXoEw95phOy7seBkVxJ6Idq3obpZli0ilDHfFT2R ++B+kANrCI5D9d43XdoEBaS6EWvd0TrIbkrfwWrQtbmGuXsmj/ZpOntPixUaZO+go1 ++P0eDrUZlRcfVWBGNRiEHiGr0InOWrK93OtjoGB3SjtnQkRP5JJSN/2QOCw7LvmZj ++GA/KdQxef0Rh5cKLd3LBzwTzGwl+4MMME+WL0M3xsQKCAQAg8bKco7sismUzsIaJ ++oYSzDKkqGVWwa6ifzGNAvKp56UsfnQBt7628UkqqagohJcpbI+nnzGjPHcmzIQcB ++0Q7+ZE8l35pFSZbTwib58JQD4Mt9nuozndmlaOxpuvFd+wuS/FDZbDe2XNcapx7n ++Mzk3HptoKqvSC9GXtxTCClw27GshZqrwdIOXkL11bXyEgdxK5V4vxSyD+2APb//D ++EUT4vklxMe3SP5wOiIK1YkNaJvOlmY6jGQR4O/AyG9YAfbV0gunMGlrIwo8oXlN5 ++DH0+XtXFKtXlVrCOu+7SCWnC8kGIYBF8AhlgXJxKGeC0wshhq6QvK+mjIhkOtTHY ++nZvhAoIBAHbQBKcIAAKSRG3CpqHCjmz4OE6Zc1kplUBm7TPdXcWSeHFEwbAxiXr+ ++cirgCXOTy6z0E8InwQg1S0DgrSUB9+s8abjAicrjiHmr0GVCpC0RtPEYSHDiD/u1 ++kkMDwPyQytdF+sZ7VbFquUCSUFdvHv8QpUExgxieBBCBT+IVdpV7UTowboTHJhkT ++sXuR8waAjVQneZvJR00YjHxp+4sQvooLq44W3B/5wXjPGz2tc3+5+yN11au+d3is ++JAzae6L+I4jfCWhyMCikVA5T8HvUgCtmcJPoQP3Jh4BxzWVBks8HdV0DGbmBzVAS ++wi+2tuHNuYpwQv9EANuTFR5v4TrmE8ECggEAMXp5rfHt2hKLtkIwqYE7C8IVGQ9q ++BcjKAJSuDYkyBpfSp9uxkiyvnND5tEj0uOcMCVZlntSIxWx+HXFu5rL0Ax5ZmSal ++uoWpwDXbKYgHF9zlGXqYulsODqZC0cjJpUogXFC0B4pRDUVzuZXO9ACuS5azXYqh 
++G6Rw0O6rDTHVgkmazJtxreO8v4NpfIbBbFfQgU5xeHdS6ky9LqG+yUKJ5FWkGWcU ++SqpZX3yxXM4q/cA1KBN31K3V2xvjVPcEwzkZDGDbLg33DASVF7RV/WYymhDuxE+w ++vHDz9Q7dk4pTzCdNiQgomBSjOkLDKWuOvaInQwYWJgavpPGWr31hDyi5Kw== ++-----END RSA PRIVATE KEY----- +diff --git a/tests/data/rootCA.srl b/tests/data/rootCA.srl +new file mode 100644 +index 00000000..8c619f27 +--- /dev/null ++++ b/tests/data/rootCA.srl +@@ -0,0 +1 @@ ++02D3FA5376B8B25617BA76C4EA3AE7FE4AC318B1 +-- +2.20.1 + diff --git a/SOURCES/0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch b/SOURCES/0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch new file mode 100644 index 0000000..0a3c750 --- /dev/null +++ b/SOURCES/0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch 
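Review bot: The rewritten test13_test_lasso_server_load_metadata still covers only the positive path — it asserts that 110 providers load when the metadata is verified against tests/data/rootCA.crt, but never asserts that the same file is rejected when verified against a non-matching certificate (a second lasso_server_load_metadata call with a different certificate asserted to return a non-zero rc would do), so a regression that silently stops enforcing the metadata signature would pass unnoticed. The hunk also commits two RSA private keys (tests/data/lasso.key, tests/data/rootCA.key) plus a CSR and serial file; they are fixtures, but nothing in the test marks them as such and secret scanners will flag them, so a note at the call site such as `/* rootCA.crt and the lasso.* files under tests/data are throw-away test-only key material */` would make the intent explicit. The encoded validity of both new certificates appears to run to year 2293 (worth confirming), which avoids the expiry that seems to have retired the Renater certificate this replaces but is acceptable only because they are test fixtures. START_TEST(test13_test_lasso_server_load_metadata) begins before the hunk.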
@@ -0,0 +1,329 @@ +From 642182bdf49c9c93a86b093ad7335c8a7a5ae8cc Mon Sep 17 00:00:00 2001 +From: John Dennis +Date: Wed, 9 Jan 2019 17:23:09 -0500 +Subject: [PATCH] Fix ECP signature not found error when only assertion is + signed (#26828) + +With a SAML Authn Response either the message or the assertion +contained in the response message or both can be signed. Most IdP's +sign the message. This fixes a bug when processing an ECP authn +response when only the assertion is signed. + +lasso_saml20_profile_process_soap_response_with_headers() performs a +signature check on the SAML message. A signature can also appear on +the assertion which is checked by +lasso_saml20_login_process_response_status_and_assertion() The problem +occurred when the message was not signed and +lasso_saml20_profile_process_soap_response_with_headers() returned +LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not +actually an error because we haven't checked the signature on the +assertion yet. We were returning the first +LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent +signature check in +lasso_saml20_login_process_response_status_and_assertion() succeeded. + +The ECP unit tests were enhanced to cover these cases. + +The enhanced unit test revealed a problem in two switch statements +operating on the return value of +lasso_profile_get_signature_verify_hint() which were missing a case +statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused +an abort due to an unknown enumeration value. 
+ +Fixes Bug: 26828 +License: MIT +Signed-off-by: John Dennis +--- + lasso/saml-2.0/login.c | 29 ++++++++---- + lasso/saml-2.0/profile.c | 2 + + tests/login_tests_saml2.c | 97 +++++++++++++++++++++++++++++---------- + 3 files changed, 95 insertions(+), 33 deletions(-) + +diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c +index 028ffb31..91ff302d 100644 +--- a/lasso/saml-2.0/login.c ++++ b/lasso/saml-2.0/login.c +@@ -1107,18 +1107,31 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg) + { + LassoSoapHeader *header = NULL; + LassoProfile *profile; +- int rc1, rc2; ++ int rc; + + lasso_null_param(msg); + + profile = LASSO_PROFILE(login); + +- rc1 = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header); ++ /* ++ * lasso_saml20_profile_process_soap_response_with_headers() ++ * performs a signature check on the SAML message. A signature ++ * can also appear on the assertion which is checked by ++ * lasso_saml20_login_process_response_status_and_assertion() ++ * (below). Therefore if the error is SIGNATURE_NOT_FOUND we ++ * proceed because ++ * lasso_saml20_login_process_response_status_and_assertion() ++ * will test the signature on the assertion. ++ */ ++ rc = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header); ++ if (rc != 0 && rc != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { ++ return rc; ++ } + + /* + * If the SOAP message contained a header check for the optional +- * paos:Response and ecp:RelayState elements, if they exist extract their +- * values into the profile. ++ * paos:Response and ecp:RelayState elements, if they exist extract their ++ * values into the profile. 
+ */ + if (header) { + GList *i = NULL; +@@ -1142,12 +1155,8 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg) + lasso_release_gobject(header); + } + +- rc2 = lasso_saml20_login_process_response_status_and_assertion(login); +- if (rc1) { +- return rc1; +- } +- return rc2; +- ++ rc = lasso_saml20_login_process_response_status_and_assertion(login); ++ return rc; + } + + /** +diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c +index 8171e79e..22a4e08c 100644 +--- a/lasso/saml-2.0/profile.c ++++ b/lasso/saml-2.0/profile.c +@@ -398,6 +398,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char + + switch (lasso_profile_get_signature_verify_hint(profile)) { + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: ++ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE: + rc = profile->signature_status; + break; + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: +@@ -1559,6 +1560,7 @@ lasso_saml20_profile_process_soap_response_with_headers(LassoProfile *profile, + remote_provider, response_msg, "ID", LASSO_MESSAGE_FORMAT_SOAP); + switch (lasso_profile_get_signature_verify_hint(profile)) { + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: ++ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE: + rc = profile->signature_status; + break; + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: +diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c +index 54c7fb63..e331c07a 100644 +--- a/tests/login_tests_saml2.c ++++ b/tests/login_tests_saml2.c +@@ -1090,42 +1090,42 @@ START_TEST(test08_test_authnrequest_flags) + make_context(sp_context, "sp5-saml2", "", LASSO_PROVIDER_ROLE_IDP, "idp5-saml2", "") + + block_lasso_logs; +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .use_assertion_consumer_service_idx = 1, + .assertion_consumer_service_idx = 0, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, 
sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPost", + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPost", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_POST, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnArtifact", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT, + .stop_after_build_assertion = 1, + }); +- sso_initiated_by_sp2(idp_context, sp_context, +- (SsoSettings) { ++ sso_initiated_by_sp2(idp_context, sp_context, ++ (SsoSettings) { + .assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact", + .protocol_binding = LASSO_SAML2_METADATA_BINDING_POST, + .stop_after_build_assertion = 1, +@@ -1278,7 +1278,9 @@ static void validate_idp_list(LassoEcp *ecp, EcpIdpListVariant ecpIDPListVariant + check_str_equals((char*)g_list_nth(ecp->known_idp_entity_ids_supporting_ecp, 0)->data, "http://idp5/metadata"); + } + +-void test_ecp(EcpIdpListVariant ecpIDPListVariant) ++void test_ecp(EcpIdpListVariant 
ecpIDPListVariant, ++ LassoProfileSignatureHint signature_hint, ++ LassoProfileSignatureVerifyHint signature_verify_hint) + { + char *serviceProviderContextDump = NULL, *identityProviderContextDump = NULL; + LassoServer *spContext = NULL, *ecpContext=NULL, *idpContext = NULL; +@@ -1286,7 +1288,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + LassoEcp *ecp = NULL; + LassoSamlp2AuthnRequest *request = NULL; + gboolean is_passive = FALSE; +- char *provider_name = NULL; ++ char *provider_name = NULL; + char *relayState = NULL; + char *messageID = NULL; + char *extracted_messageID = NULL; +@@ -1296,7 +1298,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + char *ecpPaosResponseMsg = NULL; + char *spLoginDump = NULL; + LassoSaml2Assertion *assertion; +- LassoSamlp2IDPList *idp_list = NULL; ++ LassoSamlp2IDPList *idp_list = NULL; + + /* + * SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP +@@ -1322,6 +1324,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + spContext = lasso_server_new_from_dump(serviceProviderContextDump); + spLoginContext = lasso_login_new(spContext); + check_not_null(spLoginContext); ++ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint); ++ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint); + + check_good_rc(lasso_login_init_authn_request(spLoginContext, "http://idp5/metadata", + LASSO_HTTP_METHOD_PAOS)); +@@ -1419,6 +1423,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + idpContext = lasso_server_new_from_dump(identityProviderContextDump); + idpLoginContext = lasso_login_new(idpContext); + check_not_null(idpLoginContext); ++ lasso_profile_set_signature_hint(LASSO_PROFILE(idpLoginContext), signature_hint); ++ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(idpLoginContext), signature_verify_hint); + + /* Parse the ecpSoapRequestMsg */ + check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext, ecpSoapRequestMsg)); 
+@@ -1465,7 +1471,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + check_str_equals(ecp->relaystate, relayState); + check_str_equals(ecp->issuer->content, "http://sp5/metadata"); + check_str_equals(ecp->provider_name, provider_name); +- check_equals(ecp->is_passive, is_passive); ++ check_equals(ecp->is_passive, is_passive); + + /* Validate ECP IdP list info */ + validate_idp_list(ecp, ecpIDPListVariant, idp_list); +@@ -1480,6 +1486,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + spContext = lasso_server_new_from_dump(serviceProviderContextDump); + spLoginContext = lasso_login_new(spContext); + check_not_null(spLoginContext); ++ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint); ++ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint); + + /* Parse the ecpPaosResponseMsg */ + check_good_rc(lasso_login_process_paos_response_msg(spLoginContext, ecpPaosResponseMsg)); +@@ -1515,19 +1523,61 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant) + + START_TEST(test09_ecp) + { +- test_ecp(ECP_IDP_LIST_NONE); ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); + } + END_TEST + + START_TEST(test10_ecp) + { +- test_ecp(ECP_IDP_LIST_ECP); ++ test_ecp(ECP_IDP_LIST_ECP, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); + } + END_TEST + + START_TEST(test11_ecp) + { +- test_ecp(ECP_IDP_LIST_BOGUS); ++ test_ecp(ECP_IDP_LIST_BOGUS, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); ++} ++END_TEST ++ ++START_TEST(test12_ecp) ++{ ++ /* Maybe Sign */ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_MAYBE, ++ 
LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE); ++ ++ /* Force Sign */ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORCE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORCE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE); ++ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORCE, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE); ++ ++ /* Forbid Sign */ ++ test_ecp(ECP_IDP_LIST_NONE, ++ LASSO_PROFILE_SIGNATURE_HINT_FORBID, ++ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE); ++ + } + END_TEST + +@@ -1538,7 +1588,7 @@ void check_digest_method(G_GNUC_UNUSED LassoLogin *idp_login_context, LassoLogin + lasso_release_string(dump) + } + +-START_TEST(test12_sso_sp_with_rsa_sha256_signatures) ++START_TEST(test13_sso_sp_with_rsa_sha256_signatures) + { + LassoServer *idp_context = NULL; + LassoServer *sp_context = NULL; +@@ -1595,7 +1645,8 @@ login_saml2_suite() + tcase_add_test(tc_ecp, test09_ecp); + tcase_add_test(tc_ecp, test10_ecp); + tcase_add_test(tc_ecp, test11_ecp); +- tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures); ++ tcase_add_test(tc_ecp, test12_ecp); ++ tcase_add_test(tc_spLogin, test13_sso_sp_with_rsa_sha256_signatures); + return s; + } + +-- +2.20.1 + diff --git a/SOURCES/0007-PAOS-Do-not-populate-Destination-attribute.patch b/SOURCES/0007-PAOS-Do-not-populate-Destination-attribute.patch new file mode 100644 index 0000000..63eead1 --- /dev/null +++ b/SOURCES/0007-PAOS-Do-not-populate-Destination-attribute.patch 
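Review bot: The new early return in lasso_saml20_login_process_paos_response_msg makes an unsigned SOAP message acceptable whenever the later assertion check succeeds, but every added test12_ecp case only exercises a successful flow through check_good_rc; there is no case where neither the message nor the assertion is signed under LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE asserting that lasso_login_process_paos_response_msg returns LASSO_DS_ERROR_SIGNATURE_NOT_FOUND, which is the regression this change most needs to guard. The added `return rc;` also skips the `lasso_release_gobject(header)` path the old code always reached — if lasso_saml20_profile_process_soap_response_with_headers can populate header before failing (not visible here), that is a leak on the error path. In both profile.c switch statements the new FORCE case shares the MAYBE branch (`rc = profile->signature_status;`), so the two hints are indistinguishable at these call sites; a one-line comment saying where FORCE is actually enforced (presumably where signature_status is computed) would save the next reader the same check. The signature of lasso_saml20_login_process_paos_response_msg sits outside the hunk; only its body from `{` is shown.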
@@ -0,0 +1,99 @@ +From 1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56 Mon Sep 17 00:00:00 2001 +From: Dmitrii Shcherbakov +Date: Fri, 28 Jun 2019 02:36:19 +0300 +Subject: [PATCH] PAOS: Do not populate "Destination" attribute + +When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso +populates an AuthnRequest with the "Destination" attribute set to +AssertionConsumerURL of an SP - this leads to IdP-side errors because +the destination attribute in the request does not match the IdP URL. + +The "Destination" attribute is mandatory only for HTTP Redirect and HTTP +Post bindings when AuthRequests are signed per saml-bindings-2.0-os +(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to +avoid setting that optional attribute because an ECP decides which IdP +to use, not the SP. + +Fixes Bug: 34409 +License: MIT +Signed-off-by: Dmitrii Shcherbakov +--- + lasso/saml-2.0/login.c | 18 +++++++++--------- + lasso/saml-2.0/profile.c | 10 +++++++++- + 2 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c +index 6e8f7553..0d4bb1da 100644 +--- a/lasso/saml-2.0/login.c ++++ b/lasso/saml-2.0/login.c +@@ -222,7 +222,7 @@ _lasso_login_must_verify_signature(LassoProfile *profile) { + gint + lasso_saml20_login_build_authn_request_msg(LassoLogin *login) + { +- char *url = NULL; ++ char *assertionConsumerServiceURL = NULL; + gboolean must_sign = TRUE; + LassoProfile *profile; + LassoSamlp2AuthnRequest *authn_request; +@@ -247,29 +247,29 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login) + } + + if (login->http_method == LASSO_HTTP_METHOD_PAOS) { +- + /* + * PAOS is special, the url passed to build_request is the + * AssertionConsumerServiceURL of this SP, not the +- * destination. ++ * destination IdP URL. This is done to fill paos:responseConsumerURL ++ * appropriately down the line in build_request_msg. ++ * See https://dev.entrouvert.org/issues/34409 for more information. 
+ */ + if (authn_request->AssertionConsumerServiceURL) { +- url = authn_request->AssertionConsumerServiceURL; ++ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL; + if (!lasso_saml20_provider_check_assertion_consumer_service_url( +- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) { ++ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) { + rc = LASSO_PROFILE_ERROR_INVALID_REQUEST; + goto cleanup; + } + } else { +- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding( ++ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding( + LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS); +- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url); ++ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL); + } + } + +- + lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService", +- login->http_method, url)); ++ login->http_method, assertionConsumerServiceURL)); + + cleanup: + return rc; +diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c +index 22a4e08c..85f535ae 100644 +--- a/lasso/saml-2.0/profile.c ++++ b/lasso/saml-2.0/profile.c +@@ -968,7 +968,15 @@ lasso_saml20_profile_build_request_msg(LassoProfile *profile, const char *servic + made_url = url = get_url(provider, service, http_method_to_binding(method)); + } + +- if (url) { ++ ++ // Usage of the Destination attribute on a request is mandated only ++ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests ++ // and is marked as optional in the XSD schema otherwise. ++ // PAOS is a special case because an SP does not select an IdP - ECP does ++ // it instead. Therefore, this attribute needs to be left unpopulated. 
++ if (method == LASSO_HTTP_METHOD_PAOS) { ++ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination); ++ } else if (url) { + lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination, + url); + } else { +-- +2.20.1 + diff --git a/SOURCES/0008-Fix-signature-checking-on-unsigned-response-with-mul.patch b/SOURCES/0008-Fix-signature-checking-on-unsigned-response-with-mul.patch new file mode 100644 index 0000000..18773f8 --- /dev/null +++ b/SOURCES/0008-Fix-signature-checking-on-unsigned-response-with-mul.patch 
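Review bot: The new `if (method == LASSO_HTTP_METHOD_PAOS)` branch in `lasso_saml20_profile_build_request_msg` is tested before `else if (url)`, so a PAOS request arriving with a NULL `url` no longer falls into the final `else` (cut off at the end of the hunk, presumably the missing-URL error) and carries on with no AssertionConsumerServiceURL at all. The login.c side makes that reachable: its `else` branch assigns whatever `lasso_saml20_provider_get_assertion_consumer_service_url_by_binding` returns without a NULL check, unlike the `if` branch that validates a caller-supplied URL with `lasso_saml20_provider_check_assertion_consumer_service_url`. Suggest `} else if (method == LASSO_HTTP_METHOD_PAOS && url) {` in profile.c, or in login.c `goto_cleanup_if_fail_with_rc(assertionConsumerServiceURL, LASSO_PROFILE_ERROR_INVALID_REQUEST);` right after the lookup, so an SP whose metadata has no PAOS endpoint fails loudly. Both `lasso_saml20_login_build_authn_request_msg` and `lasso_saml20_profile_build_request_msg` continue outside the hunk.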
@@ -0,0 +1,183 @@ +From ea7e5efe9741e1b1787a58af16cb15b40c23be5a Mon Sep 17 00:00:00 2001 +From: Benjamin Dauvergne +Date: Mon, 8 Mar 2021 11:33:26 +0100 +Subject: [PATCH] Fix signature checking on unsigned response with multiple + assertions + +CVE-2021-28091 : when AuthnResponse messages are not signed (which is +permitted by the specifiation), all assertion's signatures should be +checked, but currently after the first signed assertion is checked all +following assertions are accepted without checking their signature, and +the last one is considered the main assertion. + +This patch : +* check signatures from all assertions if the message is not signed, +* refuse messages with assertion from different issuers than the one on + the message, to prevent assertion bundling event if they are signed. +--- + lasso/saml-2.0/login.c | 102 +++++++++++++++++++++++++++++------------ + 1 file changed, 73 insertions(+), 29 deletions(-) + +diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c +index 0d4bb1da1..cf62c1cc9 100644 +--- a/lasso/saml-2.0/login.c ++++ b/lasso/saml-2.0/login.c +@@ -1257,7 +1257,11 @@ lasso_saml20_login_check_assertion_signature(LassoLogin *login, + original_node = lasso_node_get_original_xmlnode(LASSO_NODE(assertion)); + goto_cleanup_if_fail_with_rc(original_node, LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE); + +- rc = profile->signature_status = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL); ++ /* Shouldn't set the profile->signature_status here as we're only ++ * checking the assertion signature. ++ * Instead, we'll set the status after all the assertions are iterated. 
++ */ ++ rc = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL); + + #define log_verify_assertion_signature_error(msg) \ + message(G_LOG_LEVEL_WARNING, "Could not verify signature of assertion" \ +@@ -1282,18 +1286,6 @@ cleanup: + return rc; + } + +-static gboolean +-_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id) +-{ +- if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id) +- return FALSE; +- +- if (! assertion->Issuer || ! assertion->Issuer->content) +- return FALSE; +- +- return lasso_strisequal(assertion->Issuer->content,provider_id); +-} +- + static gint + _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response) + { +@@ -1358,11 +1350,23 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa + return 0; + } + ++/* Verify that an assertion comes from a designated Issuer */ ++static gboolean ++_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id) ++{ ++ if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id) ++ return FALSE; ++ if (! assertion->Issuer || ! 
assertion->Issuer->content) ++ return FALSE; ++ return lasso_strisequal(assertion->Issuer->content,provider_id); ++} ++ + static gint + lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login) + { + LassoSamlp2StatusResponse *response; + LassoSamlp2Response *samlp2_response = NULL; ++ LassoSaml2Assertion *last_assertion = NULL; + LassoProfile *profile; + char *status_value; + lasso_error_t rc = 0; +@@ -1404,34 +1408,62 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login) + + /* Decrypt all EncryptedAssertions */ + _lasso_saml20_login_decrypt_assertion(login, samlp2_response); +- /* traverse all assertions */ +- goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL, +- LASSO_PROFILE_ERROR_MISSING_ASSERTION); + ++ /* Check there is at least one assertion */ ++ goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL, LASSO_PROFILE_ERROR_MISSING_ASSERTION); ++ ++ /* In case of verify_hint as 'FORCE', if there's no response signature, ++ * we reject. ++ * In case of 'MAYBE', if response signature is present and valid, or ++ * not present, then we proceed with checking assertion signature(s). ++ * In any case, if there's a response signature and it's not valid, ++ * we reject. ++ */ + verify_hint = lasso_profile_get_signature_verify_hint(profile); ++ if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { ++ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { ++ goto_cleanup_with_rc(profile->signature_status); ++ } ++ } else if (profile->signature_status != 0) { ++ goto_cleanup_with_rc(profile->signature_status); ++ } + + lasso_foreach_full_begin(LassoSaml2Assertion*, assertion, it, samlp2_response->Assertion); + LassoSaml2Subject *subject = NULL; + +- lasso_assign_gobject (login->private_data->saml2_assertion, assertion); ++ /* All Assertions MUST come from the same issuer as the Response. */ ++ if (! 
_lasso_check_assertion_issuer(assertion, profile->remote_providerID)) { ++ goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_ISSUER); ++ } + +- /* If signature has already been verified on the message, and assertion has the same +- * issuer as the message, the assertion is covered. So no need to verify a second +- * time */ +- if (profile->signature_status != 0 +- || ! _lasso_check_assertion_issuer(assertion, +- profile->remote_providerID) +- || verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { ++ if (profile->signature_status != 0) { ++ /* When response signature is not present */ ++ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) { ++ assertion_signature_status = ++ lasso_saml20_login_check_assertion_signature(login, assertion); ++ if (assertion_signature_status) { ++ goto_cleanup_with_rc(assertion_signature_status); ++ } ++ } ++ } else { ++ /* response signature is present and valid */ + assertion_signature_status = lasso_saml20_login_check_assertion_signature(login, +- assertion); +- /* If signature validation fails, it is the return code for this function */ ++ assertion); + if (assertion_signature_status) { +- rc = LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE; ++ /* assertion signature is not valid or not present */ ++ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { ++ /* In case of FORCE, we reject right away */ ++ goto_cleanup_with_rc(assertion_signature_status); ++ } else if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) { ++ /* In case of MAYBE, if assertion signature is present and invalid, then we reject */ ++ if (assertion_signature_status != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { ++ goto_cleanup_with_rc(assertion_signature_status); ++ } ++ } + } + } +- + lasso_extract_node_or_fail(subject, assertion->Subject, SAML2_SUBJECT, +- LASSO_PROFILE_ERROR_MISSING_SUBJECT); ++ LASSO_PROFILE_ERROR_MISSING_SUBJECT); + + /* Verify Subject->SubjectConfirmationData->InResponseTo */ + if 
(login->private_data->request_id) { +@@ -1446,8 +1478,20 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login) + /** Handle nameid */ + lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile, + &subject->NameID, &subject->EncryptedID)); ++ ++ last_assertion = assertion; + lasso_foreach_full_end(); + ++ /* set the profile signature status only after all the signatures are ++ * verified. ++ */ ++ profile->signature_status = rc; ++ ++ /* set the default assertion to the last one */ ++ if (last_assertion) { ++ lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion); ++ } ++ + switch (verify_hint) { + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE: + case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: +-- +2.26.3 + diff --git a/SOURCES/0009-lasso_saml20_login_process_response_status_and_asser.patch b/SOURCES/0009-lasso_saml20_login_process_response_status_and_asser.patch new file mode 100644 index 0000000..df5a09f --- /dev/null +++ b/SOURCES/0009-lasso_saml20_login_process_response_status_and_asser.patch 
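Review bot: After the assertion loop, `profile->signature_status = rc;` unconditionally stores 0 on success, so with the IGNORE verify hint and an unsigned response (status `LASSO_DS_ERROR_SIGNATURE_NOT_FOUND` on entry, no assertion signature checked in the loop because only the MAYBE case calls `lasso_saml20_login_check_assertion_signature` there) the profile ends up reporting a verified signature although nothing was verified; a caller that consults `signature_status` after an IGNORE-hint login would be misled. Suggest overwriting the status only when a check actually ran: `if (verify_hint != LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE) profile->signature_status = rc;` — under MAYBE with an unsigned response every assertion signature has been verified by that point, so clearing it to 0 there is correct. Separately, in the "response signature is present and valid" branch an assertion signature failure other than NOT_FOUND is silently accepted under IGNORE while an invalid response signature is rejected before the loop for every hint; a one-line comment saying that asymmetry is intended would save the next reader from reopening it. `lasso_saml20_login_process_response_status_and_assertion` continues past the hunk (the `switch (verify_hint)` and the cleanup label).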
@@ -0,0 +1,38 @@ +diff -up lasso-2.5.1/lasso/saml-2.0/login.c.coverity lasso-2.5.1/lasso/saml-2.0/login.c +--- lasso-2.5.1/lasso/saml-2.0/login.c.coverity 2021-07-27 10:23:31.976845852 +0200 ++++ lasso-2.5.1/lasso/saml-2.0/login.c 2021-07-27 10:23:55.358913123 +0200 +@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_stat + char *status_value; + lasso_error_t rc = 0; + lasso_error_t assertion_signature_status = 0; +- LassoProfileSignatureVerifyHint verify_hint; ++ LassoProfileSignatureVerifyHint verify_hint = LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST; + + profile = &login->parent; + lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE, +@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_stat + lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion); + } + +- switch (verify_hint) { +- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE: +- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: +- break; +- case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: +- /* ignore signature errors */ +- if (rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) { +- rc = 0; +- } +- break; +- default: +- g_assert(0); +- } + cleanup: ++ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE && ++ rc == LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE) { ++ profile->signature_status = rc; ++ rc = 0; ++ } + return rc; + } + diff --git a/SOURCES/build-scripts-py3-compatible.patch b/SOURCES/build-scripts-py3-compatible.patch new file mode 100644 index 0000000..563ce43 --- /dev/null +++ b/SOURCES/build-scripts-py3-compatible.patch 
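Review bot: The replacement under `cleanup:` only downgrades `LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE` to success for the IGNORE hint, but the rejection paths earlier in this function (added by the preceding patch) exit with the raw codes from `profile->signature_status` and `assertion_signature_status`, so whether an IGNORE-hint login actually tolerates a signature failure depends on which code `lasso_saml20_login_check_assertion_signature` returns — and the removed switch's `/* ignore signature errors */` was the only statement of the intended contract, and it is now gone. Suggest documenting it at the new condition: `/* IGNORE hint: an unverifiable signature is recorded in signature_status but does not fail the login; an invalid signature on a signed response is still rejected above. */`. Note also that initializing `verify_hint` to `LASSO_PROFILE_SIGNATURE_VERIFY_HINT_LAST` silently drops the old `default: g_assert(0)` guard against an out-of-range hint. `lasso_saml20_login_process_response_status_and_assertion` starts before the first hunk and its early-exit paths are outside this view.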
@@ -0,0 +1,255 @@ +commit d526669810e0dc0a454260d5081fc96e16fc9e13 +Author: John Dennis +Date: Mon Jun 25 16:26:24 2018 -0400 + + Make Python scripts compatible with both Py2 and Py3 + + During the build if the Python3 interpreter is used a number of + scripts will fail because they were never ported from Py2 to Py3. In + general we want Python code to be compatible with both Py2 and + Py3. This patch brings the scripts up to date with Py3 but retains + backwards compatibility with Py2 (specifically Py 2.7, the last Py2 + release). + + Examples of the required changes are: + + * Replace use of the built-in function file() with open(). file() + does not exist in Py3, open works in both Py2 and Py3. The code was + also modified to use a file context manager (e.g. with open(xxx) as + f:). This assures open files are properly closed when the code block + using the file goes out of scope. This is a standard modern Python + idiom. + + * Replace all use of the print keyword with the six.print_() + function, which itself is an emulation of Py3's print function. Py3 + no longer has a print keyword, only a print() function. + + * The dict methods .keys(), .values(), .items() no longer return a + list in Py3, instead they return a "view" object which is an + iterator whose result is an unordered set. The most notable + consequence is you cannot index the result of these functions like + your could in Py2 (e.g. dict.keys()[0] will raise a run time + exception). + + * Replace use of StringIO.StringIO and cStringIO with + six.StringIO. Py3 no longer has cStringIO and the six variant + handles the correct import. + + * Py3 no longer allows the "except xxx, variable" syntax, where + variable appering after the comma is assigned the exception object, + you must use the "as" keyword to perform the variable assignment + (e.g. execpt xxx as variable) + + Note: the modifications in this patch are the minimum necessary to get + the build to run with the Py3 interpreter. 
There are numerous other + Python scripts in the repo which need Py3 porting as well but because + they are not invoked during a build they will be updated in a + subsequent patch. + + License: MIT + 
Signed-off-by: John Dennis + +diff --git a/bindings/python/examples/get_attributes_from_assertion.py b/bindings/python/examples/get_attributes_from_assertion.py +index 44ceb9e5..8f37a337 100644 +--- a/bindings/python/examples/get_attributes_from_assertion.py ++++ b/bindings/python/examples/get_attributes_from_assertion.py +@@ -1,8 +1,10 @@ + # Example SP Python code to get attributes from an assertion + ++from six import print_ ++ + for attribute in assertion.attributeStatement[0].attribute: + if attribute.name == lasso.SAML2_ATTRIBUTE_NAME_EPR: + continue +- print 'attribute : ' + attribute.name ++ print_('attribute : ' + attribute.name) + for value in attribute.attributeValue: +- print ' value : ' + value.any[0].content ++ print_(' value : ' + value.any[0].content) +diff --git a/bindings/python/tests/binding_tests.py b/bindings/python/tests/binding_tests.py +index 6d8e0dfa..54c3635f 100755 +--- a/bindings/python/tests/binding_tests.py ++++ b/bindings/python/tests/binding_tests.py +@@ -311,8 +311,8 @@ class BindingTestCase(unittest.TestCase): + ''' + node = lasso.Node.newFromXmlNode(content) + assert 'next_url' in node.any[1] +- assert 'huhu' in node.attributes.keys()[0] +- assert node.attributes.values()[0] == 'xxx' ++ assert '{https://www.entrouvert.com/}huhu' in node.attributes.keys() ++ assert 'xxx' in node.attributes.values() + node.any = ('coin',) + node.attributes = {'michou': 'zozo'} + assert 'coin' in node.dump() +diff --git a/bindings/python/tests/idwsf2_tests.py b/bindings/python/tests/idwsf2_tests.py +index 6f80c53d..4e47a4a1 100755 +--- a/bindings/python/tests/idwsf2_tests.py ++++ b/bindings/python/tests/idwsf2_tests.py +@@ -27,7 +27,7 @@ + import os + import unittest + import sys +-from StringIO import StringIO ++from six import StringIO + import logging + + logging.basicConfig() +@@ -310,11 +310,11 @@ class MetadataTestCase(IdWsf2TestCase): + self.failUnless(idp_disco.request.svcMD[0].svcMDID is None) + try: + idp_disco.checkSecurityMechanism() +- 
except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + try: + idp_disco.validateRequest() +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + self.failUnless(idp_disco.response is not None) + self.failUnlessEqual(len(idp_disco.metadatas), 1) +@@ -391,16 +391,16 @@ class MetadataTestCase(IdWsf2TestCase): + self.failUnless(idp_disco is not None) + try: + idp_disco.processRequestMsg(wsp_disco.msgBody) +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + self.failUnless(idp_disco.request is not None) + try: + idp_disco.checkSecurityMechanism() +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + try: + idp_disco.failRequest(lasso.IDWSF2_DISCOVERY_STATUS_CODE_FAILED, lasso.IDWSF2_DISCOVERY_STATUS_CODE_FORBIDDEN) +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + self.failUnless(idp_disco.response is not None) + self.failUnless(idp_disco.response.status is not None) +@@ -415,7 +415,7 @@ class MetadataTestCase(IdWsf2TestCase): + wsp_disco.processResponseMsg(idp_disco.msgBody) + except lasso.Idwsf2DiscoveryForbiddenError: + pass +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + + def test03(self): +@@ -475,7 +475,7 @@ class MetadataTestCase(IdWsf2TestCase): + self.failUnless(soap_envelope.getMessageId() is not None) + try: + idp_disco.checkSecurityMechanism() +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + # redirect + interactionUrl = spInteractionUrl +@@ -488,7 +488,7 @@ class MetadataTestCase(IdWsf2TestCase): + self.failUnless(response.detail.any[0].redirectURL.startswith(interactionUrl + '?transactionID=')) + try: + idp_disco.buildResponseMsg() +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + self.failUnless(idp_disco.msgBody is not None) + +@@ -500,7 +500,7 @@ class MetadataTestCase(IdWsf2TestCase): + wsp_disco.processResponseMsg(idp_disco.msgBody) + except lasso.WsfprofileRedirectRequestError: + pass +- except 
lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + response_envelope = wsp_disco.getSoapEnvelopeResponse() + self.failUnless(response_envelope.sb2GetRedirectRequestUrl().startswith(interactionUrl + '?transactionID=')) +@@ -527,11 +527,11 @@ class MetadataTestCase(IdWsf2TestCase): + self.failUnless(idp_disco.request.svcMD[0].svcMDID is None) + try: + idp_disco.checkSecurityMechanism() +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + try: + idp_disco.validateRequest() +- except lasso.Error, e: ++ except lasso.Error as e: + self.fail(e) + self.failUnless(idp_disco.response is not None) + self.failUnlessEqual(len(idp_disco.metadatas), 1) +diff --git a/lasso/build_strerror.py b/lasso/build_strerror.py +index fca59628..908638d5 100644 +--- a/lasso/build_strerror.py ++++ b/lasso/build_strerror.py +@@ -1,42 +1,42 @@ + #! /usr/bin/env python + +-from cStringIO import StringIO + import glob + import re + import sys + import os ++from six import print_, StringIO + + srcdir = sys.argv[1] + +-hlines = file('%s/errors.h' % srcdir,'r').readlines() + messages = dict() + description = '' + +-for line in hlines: +- m = re.match(r'^ \* LASSO.*ERROR', line) +- if m: +- description = '' +- continue +- m = re.match(r'^ \* (.*[^:])$', line) +- if m: +- description += m.group(1) +- m = re.match(r'#define (LASSO_\w*ERROR\w+)', line) +- if m and description: +- description = re.sub(r'[ \n]+', ' ', description).strip() +- messages[m.group(1)] = description +- description = '' +- else: +- m = re.match(r'#define (LASSO_\w*ERROR\w+)',line) ++with open('%s/errors.h' % srcdir,'r') as f: ++ for line in f: ++ m = re.match(r'^ \* LASSO.*ERROR', line) + if m: +- messages[m.group(1)] = m.group(1) ++ description = '' ++ continue ++ m = re.match(r'^ \* (.*[^:])$', line) ++ if m: ++ description += m.group(1) ++ m = re.match(r'#define (LASSO_\w*ERROR\w+)', line) ++ if m and description: ++ description = re.sub(r'[ \n]+', ' ', description).strip() ++ messages[m.group(1)] = 
description ++ description = '' ++ else: ++ m = re.match(r'#define (LASSO_\w*ERROR\w+)',line) ++ if m: ++ messages[m.group(1)] = m.group(1) + +-clines = file('%s/errors.c.in' % srcdir,'r').readlines() +-for line in clines: +- if '@ERROR_CASES@' in line: +- keys = messages.keys() +- keys.sort() +- for k in keys: +- print """ case %s: +- return "%s";""" % (k,messages[k].rstrip('\n')) +- else: +- print line, ++with open('%s/errors.c.in' % srcdir,'r') as f: ++ for line in f: ++ if '@ERROR_CASES@' in line: ++ keys = sorted(messages.keys()) ++ for k in keys: ++ print_(' case %s:\n' ++ ' return "%s";' % ++ (k,messages[k].rstrip('\n'))) ++ else: ++ print_(line, end="") diff --git a/SOURCES/duplicate-python-LogoutTestCase.patch b/SOURCES/duplicate-python-LogoutTestCase.patch new file mode 100644 index 0000000..2adea00 --- /dev/null +++ b/SOURCES/duplicate-python-LogoutTestCase.patch @@ -0,0 +1,83 @@ +commit 623d785f957acc9eccb47a9a3f88e5e167a370b6 +Author: John Dennis +Date: Mon Jun 25 17:37:45 2018 -0400 + + fix duplicate definition of LogoutTestCase and logoutSuite + + Commit 6f617027e added a duplicate definition of the LogoutTestCase + class containing only 1 test which shaddowed the original + LogoutTestCase containing 4 tests. The logoutSuite variable was also + shadowed and the allTests variable contained a duplicate of + logoutSuite causing the 2nd definition of LogoutTestCase to be run + twice. + + Not only were the original 4 tests not being run but the entire unit + test in profiles_tests.py was failing under Python3. This is because + the unittest code in Py3 deletes a test from it's list of tests to run + once it's been run. The second time the logoutSuite was invoked it no + longer contained any tests which caused an exception to be raised + because there were no tests to be run. + + License: MIT + 
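Review bot: In `build_strerror.py` the description scraped from the `errors.h` comment is interpolated into a C string literal unescaped, `' return "%s";' % (k, messages[k].rstrip('\n'))`, so a `"` or backslash in a comment would yield a non-compiling `errors.c`; the Py2 code had the same gap, and the port is a natural moment to close it. Suggest `msg = messages[k].rstrip('\n').replace('\\', '\\\\').replace('"', '\\"')` before the `print_` and formatting `msg` instead. The input is the project's own header, so this is a robustness point rather than an injection concern.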
Signed-off-by: John Dennis + +diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py +index 547c9e24..0ba1e56e 100755 +--- a/bindings/python/tests/profiles_tests.py ++++ b/bindings/python/tests/profiles_tests.py +@@ -386,6 +386,21 @@ class LogoutTestCase(unittest.TestCase): + else: + self.fail('Logout processResponseMsg should have failed.') + ++ def test05(self): ++ '''Test parsing of a logout request with more than one session index''' ++ content = ''' ++ me ++ coin ++ id1 ++ id2 ++ id3 ++ ''' ++ ++ node = lasso.Samlp2LogoutRequest.newFromXmlNode(content) ++ assert isinstance(node, lasso.Samlp2LogoutRequest) ++ assert node.sessionIndex == 'id1' ++ assert node.sessionIndexes == ('id1', 'id2', 'id3') ++ + class DefederationTestCase(unittest.TestCase): + def test01(self): + """IDP initiated defederation; testing processNotificationMsg with non Liberty query.""" +@@ -478,32 +493,15 @@ class AttributeAuthorityTestCase(unittest.TestCase): + assert aq.response.assertion[0].attributeStatement[0].attribute[0] + assert aq.response.assertion[0].attributeStatement[0].attribute[0].attributeValue[0] + +-class LogoutTestCase(unittest.TestCase): +- def test01(self): +- '''Test parsing of a logout request with more than one session index''' +- content = ''' +- me +- coin +- id1 +- id2 +- id3 +- ''' +- +- node = lasso.Samlp2LogoutRequest.newFromXmlNode(content) +- assert isinstance(node, lasso.Samlp2LogoutRequest) +- assert node.sessionIndex == 'id1' +- assert node.sessionIndexes == ('id1', 'id2', 'id3') +- + serverSuite = unittest.makeSuite(ServerTestCase, 'test') + loginSuite = unittest.makeSuite(LoginTestCase, 'test') + logoutSuite = unittest.makeSuite(LogoutTestCase, 'test') + defederationSuite = unittest.makeSuite(DefederationTestCase, 'test') + identitySuite = unittest.makeSuite(IdentityTestCase, 'test') + attributeSuite = unittest.makeSuite(AttributeAuthorityTestCase, 'test') +-logoutSuite = unittest.makeSuite(LogoutTestCase, 'test') 
+ + allTests = unittest.TestSuite((serverSuite, loginSuite, logoutSuite, defederationSuite, +- identitySuite, attributeSuite, logoutSuite)) ++ identitySuite, attributeSuite)) + + if __name__ == '__main__': + sys.exit(not unittest.TextTestRunner(verbosity = 2).run(allTests).wasSuccessful()) diff --git a/SOURCES/use-specified-python-interpreter.patch b/SOURCES/use-specified-python-interpreter.patch new file mode 100644 index 0000000..fcdc360 --- /dev/null +++ b/SOURCES/use-specified-python-interpreter.patch @@ -0,0 +1,80 @@ +commit e3e904af7dd308fe7530773bd9ea136afc90049b +Author: John Dennis +Date: Thu Jun 21 10:49:30 2018 -0400 + + Use python interpreter specified configure script + + The configure script allows you to specify the python interpreter to + use via the --with-python option. There were several places where the + python interpreter was implicity invoked without using the specified + version. This can create a number of problems in an environment with + multiple python versions as is the case during the transition from + Python 2 to Python 3. Python 2 is not compatible with Python + 3. Lasso's Python code is supposed to be compatible with both + versions. But during the build and when running the unit tests it is + essential the same interpreter be used consistently otherwise you can + have problems. + + This patch assures whenever python is invoked it does so via the + $(PYTHON) configuration variable. + + What about shebang lines (e.g #/usr/bin/python) at the top of scripts? + Python PEP 394 (https://www.python.org/dev/peps/pep-0394/) covers + this. Basically it says if a script is compatible only with Py2 the + shebang should be #/usr/bin/python2, if only compatible with Py3 the + shebang should be #/usr/bin/python3. However, if the script is + compatible with both versions it can continue to use the + compatible with both Py2 and Py3. + + License: MIT + 
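Review bot: The relocated `test05` checks its results with bare `assert` statements (`assert isinstance(node, lasso.Samlp2LogoutRequest)`, `assert node.sessionIndex == 'id1'`) while the rest of `LogoutTestCase` reports through the unittest API (`self.fail(...)` just above it); bare asserts are stripped under `python -O` and give no diagnostic on failure. Suggest `self.assertIsInstance(node, lasso.Samlp2LogoutRequest)`, `self.assertEqual(node.sessionIndex, 'id1')` and `self.assertEqual(node.sessionIndexes, ('id1', 'id2', 'id3'))` so a regression in session-index parsing reports the actual value.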
Signed-off-by: John Dennis + +diff --git a/bindings/java/Makefile.am b/bindings/java/Makefile.am +index 05e5f9ee..8de0178d 100644 +--- a/bindings/java/Makefile.am ++++ b/bindings/java/Makefile.am +@@ -26,7 +26,7 @@ if WSF_ENABLED + EXTRA_ARGS = --enable-id-wsf + endif + +-java_lasso_source_files := $(shell python $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) ) ++java_lasso_source_files := $(shell $(PYTHON) $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) ) + + lasso_jardir=$(prefix)/share/java + lasso_jar_DATA=lasso.jar +diff --git a/bindings/python/tests/Makefile.am b/bindings/python/tests/Makefile.am +index 205e7613..1305f26f 100644 +--- a/bindings/python/tests/Makefile.am ++++ b/bindings/python/tests/Makefile.am +@@ -11,5 +11,8 @@ if WSF_ENABLED + TESTS += idwsf1_tests.py idwsf2_tests.py + endif + ++TEST_EXTENSIONS = .py ++PY_LOG_COMPILER = $(PYTHON) ++ + EXTRA_DIST = profiles_tests.py binding_tests.py idwsf1_tests.py idwsf2_tests.py \ + tests.py XmlTestRunner.py +diff --git a/lasso/Makefile.am b/lasso/Makefile.am +index 751f9419..49ae88a7 100644 +--- a/lasso/Makefile.am ++++ b/lasso/Makefile.am +@@ -91,7 +91,7 @@ liblasso_la_LDFLAGS = -no-undefined -version-info @LASSO_VERSION_INFO@ \ + endif + + $(srcdir)/errors.c: $(srcdir)/errors.h $(srcdir)/build_strerror.py +- python $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new ++ $(PYTHON) $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new + if ! cmp -s $(srcdir)/errors.c .errors.c.new; then \ + mv -f .errors.c.new $@; else \ + rm .errors.c.new; fi +diff --git a/tools/check-lasso-sections.py b/tools/check-lasso-sections.py +index cb4c39c4..3a6c9880 100755 +--- a/tools/check-lasso-sections.py ++++ b/tools/check-lasso-sections.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/env python + + import sys + import os.path 
diff --git a/SOURCES/versioned-python-configure.patch b/SOURCES/versioned-python-configure.patch
new file mode 100644
index 0000000..9fe3d57
--- /dev/null
+++ b/SOURCES/versioned-python-configure.patch
@@ -0,0 +1,48 @@
+commit af29047480cacafaed697cb2a1fb24c5143078a8
+Author: John Dennis
+Date: Sat Jul 7 10:59:32 2018 -0400
+
+ Configure should search for versioned Python interpreter.
+
+ Following the guidelines in Python PEP 394 with regards to the python
+ command on UNIX like systems preference should be given to explicitly
+ versioned command interpreter as opposed to unversioned and that an
+ unversioned python command should (but might not) refer to
+ Python2. Also in some environments unversioned Python interpreters
+ (e.g. /usr/bin/python) do not even exist, onlyh their explicitly
+ versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3).
+
+ Therefore the AC_CHECK_PROGS directive in configure.ac should not rely
+ exclusively on an unversioned Python interpreter as it does not,
+ rather it should search in priority order. First for python3, then for
+ an unversionsed python because some distributions have already moved
+ the default unversioned python to python3, and then finally search for
+ python2. In the scenario where unversioned python is still pointing to
+ python2 it's equivalent to selecting the last prority option of
+ python2, but if unversioned python is pointing to python3 you get
+ instead. The net result is always preferring python3 but gracefully
+ falling back to python2 not matter how the environment exports it's
+ Python.
+
+ If AC_CHECK_PROGS for python does not check for the versioned variants
+ the build fails in environments that only have versioned variants with
+ this error:
+
+ configure: error: Python must be installed to compile lasso
+
+ License: MIT
+ Signed-off-by: John Dennis
+
+diff --git a/configure.ac b/configure.ac
+index 898468e6..74766972 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -131,7 +131,7 @@ dnl AC_CHECK_PROGS(JAR, fastjar jar)
+ AC_CHECK_PROGS(PERL, perl)
+ AC_CHECK_PROGS(PHP5, php5 php)
+ AC_CHECK_PROGS(PHP5_CONFIG, php-config5 php-config)
+-AC_CHECK_PROGS(PYTHON, python)
++AC_CHECK_PROGS(PYTHON, python3 python python2)
+ AC_CHECK_PROGS(SWIG, swig)
+
+ dnl Make sure we have an ANSI compiler
diff --git a/SPECS/lasso.spec b/SPECS/lasso.spec
new file mode 100644
index 0000000..19230d7
--- /dev/null
+++ b/SPECS/lasso.spec
@@ -0,0 +1,500 @@
+%global with_java 1
+%global with_php 0
+%global with_perl 1
+%global with_python 1
+%global with_python2 0
+%global with_python3 0
+%global with_wsf 0
+%global obsolete_old_lang_subpackages 0
+
+%if %{with_php}
+%if "%{php_version}" < "5.6"
+%global ini_name %{name}.ini
+%else
+%global ini_name 40-%{name}.ini
+%endif
+%endif
+
+%if (0%{?fedora} > 0 && 0%{?fedora} <= 29) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
+ %global obsolete_old_lang_subpackages 1
+%endif
+
+%if %{with_python}
+ %if (0%{?fedora} > 0 && 0%{?fedora} < 32) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
+ %global with_python2 1
+ %endif
+
+ %if 0%{?fedora} || 0%{?rhel} >= 8
+ %global with_python3 1
+ %endif
+%endif
+
+%global configure_args %{nil}
+%global configure_args %{configure_args}
+
+%if !%{with_java}
+ %global configure_args %{configure_args} --disable-java
+%endif
+
+%if !%{with_perl}
+ %global configure_args %{configure_args} --disable-perl
+%endif
+
+%if %{with_php}
+ %global configure_args %{configure_args} --enable-php5=yes --with-php5-config-dir=%{php_inidir}
+%else
+ %global configure_args %{configure_args} --enable-php5=no
+%endif
+
+%if %{with_wsf}
+ %global configure_args %{configure_args} --enable-wsf --with-sasl2=%{_prefix}/sasl2
+%endif
+
+%if !%{with_python}
+ %global configure_args %{configure_args} --disable-python
+%endif
+
+
+Summary: Liberty Alliance Single Sign On
+Name: lasso
+Version: 2.6.0
+Release: 13%{?dist}
+License: GPLv2+
+Group: System Environment/Libraries
+Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
+
+Patch1: use-specified-python-interpreter.patch
+Patch2: build-scripts-py3-compatible.patch
+Patch3: duplicate-python-LogoutTestCase.patch
+Patch4: versioned-python-configure.patch
+Patch5: 0005-tests-use-self-generated-certificate-to-sign-federat.patch
+Patch6: 0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch
+Patch7: 0007-PAOS-Do-not-populate-Destination-attribute.patch
+Patch8: 0008-Fix-signature-checking-on-unsigned-response-with-mul.patch
+Patch9: 0009-lasso_saml20_login_process_response_status_and_asser.patch
+
+BuildRequires: libtool autoconf automake
+
+# The Lasso build system requires python, especially the binding generators
+%if %{with_python2}
+BuildRequires: python2
+BuildRequires: python2-lxml
+BuildRequires: python2-six
+%endif
+
+%if %{with_python3}
+BuildRequires: python3
+BuildRequires: python3-lxml
+BuildRequires: python3-six
+%endif
+
+%if %{with_wsf}
+BuildRequires: cyrus-sasl-devel
+%endif
+BuildRequires: gtk-doc, libtool-ltdl-devel
+BuildRequires: glib2-devel, swig
+BuildRequires: libxml2-devel, openssl-devel
+BuildRequires: xmlsec1-devel >= 1.2.25-4, xmlsec1-openssl-devel >= 1.2.25-4
+BuildRequires: zlib-devel, check-devel
+BuildRequires: libtool autoconf automake
+Url: http://lasso.entrouvert.org/
+
+Requires: xmlsec1 >= 1.2.25-4
+
+%description
+Lasso is a library that implements the Liberty Alliance Single Sign On
+standards, including the SAML and SAML2 specifications. It allows to handle
+the whole life-cycle of SAML based Federations, and provides bindings
+for multiple languages.
+
+%package devel
+Summary: Lasso development headers and documentation
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+This package contains the header files, static libraries and development
+documentation for Lasso.
+
+%if %{with_perl}
+%package -n perl-%{name}
+Summary: Liberty Alliance Single Sign On (lasso) Perl bindings
+Group: Development/Libraries
+BuildRequires: perl-devel
+BuildRequires: perl(ExtUtils::MakeMaker)
+BuildRequires: perl(Test::More)
+BuildRequires: perl(Error)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description -n perl-%{name}
+Perl language bindings for the lasso (Liberty Alliance Single Sign On) library.
+%endif
+
+%if %{with_java}
+%package -n java-%{name}
+Summary: Liberty Alliance Single Sign On (lasso) Java bindings
+Group: Development/Libraries
+BuildRequires: java-devel
+BuildRequires: jpackage-utils
+Requires: java-headless
+Requires: jpackage-utils
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%if %{obsolete_old_lang_subpackages}
+Provides: %{name}-java = %{version}-%{release}
+Provides: %{name}-java%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-java < %{version}-%{release}
+%endif
+
+%description -n java-%{name}
+Java language bindings for the lasso (Liberty Alliance Single Sign On) library.
+%endif
+
+%if %{with_php}
+%package -n php-%{name}
+Summary: Liberty Alliance Single Sign On (lasso) PHP bindings
+Group: Development/Libraries
+BuildRequires: php-devel, expat-devel
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: php(zend-abi) = %{php_zend_api}
+Requires: php(api) = %{php_core_api}
+
+%description -n php-%{name}
+PHP language bindings for the lasso (Liberty Alliance Single Sign On) library.
+
+%endif
+
+%if %{with_python2}
+%package -n python2-%{name}
+%{?python_provide:%python_provide python2-%{name}}
+Summary: Liberty Alliance Single Sign On (lasso) Python bindings
+Group: Development/Libraries
+BuildRequires: python2-devel
+Requires: python2
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%if %{obsolete_old_lang_subpackages}
+Provides: %{name}-python = %{version}-%{release}
+Provides: %{name}-python%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python < %{version}-%{release}
+%endif
+
+%description -n python2-%{name}
+Python language bindings for the lasso (Liberty Alliance Single Sign On)
+library.
+%endif
+
+%if %{with_python3}
+%package -n python3-%{name}
+%{?python_provide:%python_provide python3-%{name}}
+Summary: Liberty Alliance Single Sign On (lasso) Python bindings
+Group: Development/Libraries
+BuildRequires: python3-devel
+%{?__python3:Requires: %{__python3}}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description -n python3-%{name}
+Python language bindings for the lasso (Liberty Alliance Single Sign On)
+library.
+%endif
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+
+# Remove any python script shebang lines (unless they refer to python3)
+sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
+ `grep -r -l -E '^#![[:blank:]]*(/usr/bin/python[^3]?)|(/usr/bin/env[[:blank:]]+python[^3]?)' *`
+
+%build
+./autogen.sh
+%if 0%{?with_python2}
+ %configure %{configure_args} --with-python=%{__python2}
+ pushd lasso
+ make %{?_smp_mflags} CFLAGS="%{optflags}"
+ popd
+ pushd bindings/python
+ make %{?_smp_mflags} CFLAGS="%{optflags}"
+ make check
+ mkdir py2
+ mv lasso.py .libs/_lasso.so py2
+ popd
+ make clean
+%endif
+
+%if 0%{?with_python3}
+ %configure %{configure_args} --with-python=%{__python3}
+%else
+ %configure %{configure_args}
+%endif
+make %{?_smp_mflags} CFLAGS="%{optflags}"
+
+%check
+make check
+
+%install
+#install -m 755 -d %{buildroot}%{_datadir}/gtk-doc/html
+
+make install exec_prefix=%{_prefix} DESTDIR=%{buildroot}
+find %{buildroot} -type f -name '*.la' -exec rm -f {} \;
+find %{buildroot} -type f -name '*.a' -exec rm -f {} \;
+
+%if 0%{?with_python2}
+ # Install Python 2 files saved from first build
+ install -d -m 0755 %{buildroot}/%{python2_sitearch}
+ install -m 0644 bindings/python/py2/lasso.py %{buildroot}/%{python2_sitearch}
+ install -m 0755 bindings/python/py2/_lasso.so %{buildroot}/%{python2_sitearch}
+%endif
+
+# Perl subpackage
+%if %{with_perl}
+find %{buildroot} \( -name perllocal.pod -o -name .packlist \) -exec rm -v {} \;
+
+find %{buildroot}/usr/lib*/perl5 -type f -print |
+ sed "s@^%{buildroot}@@g" > %{name}-perl-filelist
+if [ "$(cat %{name}-perl-filelist)X" = "X" ] ; then
+ echo "ERROR: EMPTY FILE LIST"
+ exit -1
+fi
+%endif
+
+# PHP subpackage
+%if %{with_php}
+install -m 755 -d %{buildroot}%{_datadir}/php/%{name}
+mv %{buildroot}%{_datadir}/php/lasso.php %{buildroot}%{_datadir}/php/%{name}
+
+# rename the PHP config file when needed (PHP 5.6+)
+if [ "%{name}.ini" != "%{ini_name}" ]; then
+ mv %{buildroot}%{php_inidir}/%{name}.ini \
+ %{buildroot}%{php_inidir}/%{ini_name}
+fi
+%endif
+
+# Remove bogus doc files
+rm -fr %{buildroot}%{_defaultdocdir}/%{name}
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%{_libdir}/liblasso.so.*
+%doc AUTHORS COPYING NEWS README
+
+%files devel
+%{_libdir}/liblasso.so
+%{_libdir}/pkgconfig/lasso.pc
+%{_includedir}/%{name}
+
+%if %{with_perl}
+%files -n perl-%{name} -f %{name}-perl-filelist
+%endif
+
+%if %{with_java}
+%files -n java-%{name}
+%{_libdir}/java/libjnilasso.so
+%{_javadir}/lasso.jar
+%endif
+
+%if %{with_php}
+%files -n php-%{name}
+%attr(755,root,root) %{php_extdir}/lasso.so
+%config(noreplace) %attr(644,root,root) %{php_inidir}/%{ini_name}
+%attr(755,root,root) %dir %{_datadir}/php/%{name}
+%attr(644,root,root) %{_datadir}/php/%{name}/lasso.php
+%endif
+
+%if %{with_python2}
+%files -n python2-%{name}
+%{python2_sitearch}/lasso.py*
+%{python2_sitearch}/_lasso.so
+%endif
+
+%if %{with_python3}
+%files -n python3-%{name}
+%{python3_sitearch}/lasso.py*
+%{python3_sitearch}/_lasso.so
+%{python3_sitearch}/__pycache__/*
+%endif
+
+%changelog
+* Wed May 4 2022 Tomas Halman - 2.6.0-13
+- Publishing the python3-lasso binding
+- Resolves: rhbz#1888195 - Release python lasso package
+
+* Fri Jul 30 2021 Jakub Hrozek - 2.6.0-12
+- Fix a dead code issue in the signature wrapping patch
+- Resolves: rhbz#1951653 - CVE-2021-28091 lasso: XML signature wrapping
+ vulnerability when parsing SAML responses [rhel-8]
+
+* Mon Jun 21 2021 Jakub Hrozek - 2.6.0-11
+- Bump release to force the package through OSCI as the previous
+ build reached CI just in time for an outage
+- Related: rhbz#1888195 - [RFE] release (built) python3-lasso pkg (comingfrom lasso)
+
+* Fri Jun 4 2021 Jakub Hrozek - 2.6.0-10
+- Resolves: rhbz#1951653 - CVE-2021-28091 lasso: XML signature wrapping
+ vulnerability when parsing SAML responses [rhel-8]
+
+* Thu May 6 2021 Jakub Hrozek - 2.6.0-9
+- Resolves: rhbz#1888195 - [RFE] release (built) python3-lasso pkg (coming
+ from lasso)
+
+* Fri Oct 18 2019 Jakub Hrozek - 2.6.0-8
+- Resolves: rhbz#1730018 - lasso includes "Destination" attribute in SAML
+ AuthnRequest populated with SP
+ AssertionConsumerServiceURL when ECP workflow
+ is used which leads to IdP-side errors
+
+* Fri Jun 14 2019 Jakub Hrozek - 2.6.0-7
+- Resolves: rhbz#1634268 - ECP signature check fails with
+ LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when
+ assertion signed instead of response
+
+* Thu Jun 13 2019 Jakub Hrozek - 2.6.0-6
+- Resolves: rhbz#1719020 - Expired certificate prevents tests from running
+
+* Tue Sep 25 2018 Tomas Orsava - 2.6.0-5
+- Require the Python interpreter directly instead of using the package name
+- Resolves: rhbz#1633617
+
+* Tue Jul 17 2018 - 2.6.0-4
+- more fixes for py2/py3 build dependencies
+
+* Mon Jul 9 2018 - 2.6.0-3
+- Modify configure to search for versioned python
+- Resolves: rhbz#1598047
+- Related: rhbz#1589856
+
+* Wed Jun 27 2018 - 2.6.0-2
+- fix language bindings package names to comply with guidelines,
+ instead of %{name}-lang use lang-%{name}
+- fix conditional logic used to build on rhel
+- Resolves: rhbz#1589856 Drop python2 subpackage from RHEL8
+
+* Tue Jun 26 2018 - 2.6.0-1
+- Upgrade to latest upstream
+- Build using Python3, add python3 subpackage
+- Resolves: rhbz#1592416 Enable perl subpackage
+
+* Wed May 2 2018 John Dennis - 2.5.1-13
+- add xmlsec1 version dependency
+
+* Tue May 1 2018 John Dennis - 2.5.1-12
+- Resolves: rhbz#1542126, rhbz#1556016
+- xmlsec removed SOAP support, reimplement missing xmlSecSoap* in Lasso
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2.5.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 05 2018 Iryna Shcherbina - 2.5.1-10
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek - 2.5.1-9
+- Add Provides for the old name without %%_isa
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 2.5.1-8
+- Python 2 binary package renamed to python2-lasso
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.5.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.5.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.5.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.5.1-4
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Jun 30 2016 John Dennis - 2.5.1-3
+- disbable PHP binding because PHP-7 is now the default and lasso
+ only knows how to build with PHP-5
+
+* Wed Jun 15 2016 John Dennis - 2.5.1-2
+- fix CFLAGS override in configure
+
+* Mon Feb 22 2016 John Dennis - 2.5.1-1
+- Upgrade to upstream 2.5.1 release
+ See Changelog for details, mostly bugs fixes,
+ most signficant is proper support of SHA-2
+ Resolves: #1295472
+ Resolves: #1303573
+- Add java_binding_lasso_log.patch to fix "make check" failure during rpmbuild
+ upstream commit d8e3ae8
+
+* Thu Feb 04 2016 Fedora Release Engineering - 2.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Sep 14 2015 John Dennis - 2.5.0-1
+- Upgrade to new upstream 2.5.0 release
+ Includes ECP support
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.4.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Mar 23 2015 Rob Crittenden - 2.4.1-3
+- Add BuildRequires on libtool
+- Add -fPIC to LDFLAGS
+- Disable perl bindings, it fails to build on x86.
+
+* Fri Jan 23 2015 Simo Sorce - 2.4.1-2
+- Enable perl bindings
+- Also add support for building with automake 1.15
+- Fix build issues on rawhide due to missing build dep on perl(Error)
+
+* Thu Aug 28 2014 Simo Sorce - 2.4.1-1
+- New upstream relase 2.4.1
+- Drop patches as they have all been integrated upstream
+
+* Sun Aug 17 2014 Fedora Release Engineering - 2.4.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jun 20 2014 Remi Collet - 2.4.0-4
+- rebuild for https://fedoraproject.org/wiki/Changes/Php56
+- add numerical prefix to extension configuration file
+- drop unneeded dependency on pecl
+- add provides php-lasso
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.4.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 25 2014 Simo Sorce - 2.4.0-2
+- Fixes for arches where pointers and integers do not have the same size
+ (ppc64, s390, etc..)
+
+* Mon Apr 14 2014 Stanislav Ochotnicky - 2.4.0-1
+- Use OpenJDK instead of GCJ for java bindings
+
+* Sat Jan 11 2014 Simo Sorce 2.4.0-0
+- Update to final 2.4.0 version
+- Drop all patches, they are now included in 2.4.0
+- Change Source URI
+
+* Mon Dec 9 2013 Simo Sorce 2.3.6-0.20131125.5
+- Add patches to fix rpmlint license issues
+- Add upstream patches to fix some build issues
+
+* Thu Dec 5 2013 Simo Sorce 2.3.6-0.20131125.4
+- Add patch to support automake-1.14 for rawhide
+
+* Mon Nov 25 2013 Simo Sorce 2.3.6-0.20131125.3
+- Initial packaging
+- Based on the spec file by Jean-Marc Liger
+- Code is updated to latest master via a jumbo patch while waiting for
+ official upstream release.
+- Jumbo patch includes also additional patches sent to upstream list)
+ to build on Fedora 20
+- Perl bindings are disabled as they fail to build
+- Disable doc building as it doesn't ork correctly for now
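Review bot: In the %prep shebang-stripping `sed` command, the `|` alternation sits outside the `^#![[:blank:]]*` group, so the second branch `\/usr\/bin\/python[^3]?\>` is unanchored and the `d` command deletes any line that merely mentions `/usr/bin/python` or `/usr/bin/python2` anywhere in the selected files, not only shebang lines; the file-selecting `grep` has the same precedence problem with its `/usr/bin/env` branch. Moving the alternation inside the group restores the intent stated in the comment above it: `sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>|\/usr\/bin\/python[^3]?\>)/d' \` and, for the grep pattern, `'^#![[:blank:]]*(/usr/bin/python[^3]?|/usr/bin/env[[:blank:]]+python[^3]?)'`. Two smaller points in the same file: the perl file-list check uses `exit -1`, which is not a valid POSIX exit status (bash reports it as 255), so `exit 1` is the conventional failure code, and `BuildRequires: libtool autoconf automake` is declared twice. Whether any file in the tarball actually contains a non-shebang `/usr/bin/python` reference that the current pattern would remove cannot be determined from the diff.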