@ -1 +1 @@
|
|||||||
SOURCES/lasso-2.6.0.tar.gz
|
SOURCES/lasso-2.7.0.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
c48e1d6626e6563163146063cbf65ffef52bac1b SOURCES/lasso-2.6.0.tar.gz
|
7a4175eb925427504ac5d42bb3644a97fc188409 SOURCES/lasso-2.7.0.tar.gz
|
||||||
|
@ -0,0 +1,104 @@
|
|||||||
|
From 8b8fd22a168860c5034822472d1fb5745f8fa0f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Wed, 16 Jun 2021 10:18:30 +0200
|
||||||
|
Subject: [PATCH] Fix lasso_query_sign HMAC other than SHA1 (#54037)
|
||||||
|
|
||||||
|
The switch clause was using SHA1 digests for all digest types when
|
||||||
|
signing. This obviously breaks verifying the signatures if HMAC-SHAXXX
|
||||||
|
is used and XXX is anything other than 1.
|
||||||
|
---
|
||||||
|
lasso/xml/tools.c | 35 +++++++++++++++++++++++------------
|
||||||
|
tests/login_tests_saml2.c | 6 +++---
|
||||||
|
2 files changed, 26 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
|
||||||
|
index 96d88a2c4..290fd55f2 100644
|
||||||
|
--- a/lasso/xml/tools.c
|
||||||
|
+++ b/lasso/xml/tools.c
|
||||||
|
@@ -594,22 +594,20 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
||||||
|
sigret_size = DSA_size(dsa);
|
||||||
|
break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||||
|
+ md = EVP_sha1();
|
||||||
|
+ sigret_size = EVP_MD_size(md);
|
||||||
|
+ break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||||
|
+ md = EVP_sha256();
|
||||||
|
+ sigret_size = EVP_MD_size(md);
|
||||||
|
+ break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||||
|
+ md = EVP_sha384();
|
||||||
|
+ sigret_size = EVP_MD_size(md);
|
||||||
|
+ break;
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||||
|
- if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||||
|
- &hmac_key_length))) {
|
||||||
|
- message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- g_assert(hmac_key);
|
||||||
|
- md = EVP_sha1();
|
||||||
|
+ md = EVP_sha512();
|
||||||
|
sigret_size = EVP_MD_size(md);
|
||||||
|
- /* key should be at least 128 bits long */
|
||||||
|
- if (hmac_key_length < 16) {
|
||||||
|
- critical("HMAC key should be at least 128 bits long");
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
g_assert_not_reached();
|
||||||
|
@@ -645,6 +643,19 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||||
|
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||||
|
+ if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||||
|
+ &hmac_key_length))) {
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ g_assert(hmac_key);
|
||||||
|
+
|
||||||
|
+ /* key should be at least 128 bits long */
|
||||||
|
+ if (hmac_key_length < 16) {
|
||||||
|
+ critical("HMAC key should be at least 128 bits long");
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
HMAC(md, hmac_key, hmac_key_length, (unsigned char *)new_query,
|
||||||
|
strlen(new_query), sigret, &siglen);
|
||||||
|
status = 1;
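Review bot: The relocated floor `if (hmac_key_length < 16)` keeps a fixed 128-bit minimum for every digest, although the switch above now selects SHA-256, SHA-384 and SHA-512 as well; RFC 2104 recommends a key at least as long as the digest output, so a 16-byte key passes this check for HMAC-SHA512 while being a quarter of the recommended length. Consider tying the floor to the selected digest, `if (hmac_key_length < EVP_MD_size(md))` (with the cast the types require), and noting that the 16-byte fixture in tests/login_tests_saml2.c would then need a longer key. The `HMAC()` call that follows the new block returns NULL on failure but its result is not checked before `status = 1`, so a failed MAC computation is reported as success. lasso_query_sign starts and ends outside these hunks.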
|
||||||
|
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
|
||||||
|
index e331c07a7..e1d78b5b1 100644
|
||||||
|
--- a/tests/login_tests_saml2.c
|
||||||
|
+++ b/tests/login_tests_saml2.c
|
||||||
|
@@ -981,7 +981,7 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallba
|
||||||
|
lasso_release_gobject(sp_login_context);
|
||||||
|
}
|
||||||
|
|
||||||
|
-START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
|
||||||
|
+START_TEST(test07_sso_sp_with_hmac_sha256_signatures)
|
||||||
|
{
|
||||||
|
LassoServer *idp_context = NULL;
|
||||||
|
LassoServer *sp_context = NULL;
|
||||||
|
@@ -990,7 +990,7 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
|
||||||
|
|
||||||
|
/* Create the shared key */
|
||||||
|
key = lasso_key_new_for_signature_from_memory("xxxxxxxxxxxxxxxx", 16,
|
||||||
|
- NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA1, NULL);
|
||||||
|
+ NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA256, NULL);
|
||||||
|
check_true(LASSO_IS_KEY(key));
|
||||||
|
|
||||||
|
/* Create an IdP context for IdP initiated SSO with provider metadata 1 */
|
||||||
|
@@ -1640,7 +1640,7 @@ login_saml2_suite()
|
||||||
|
tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap);
|
||||||
|
tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover);
|
||||||
|
tcase_add_test(tc_spKeyRollover, test06_sso_sp_with_key_rollover);
|
||||||
|
- tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha1_signatures);
|
||||||
|
+ tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha256_signatures);
|
||||||
|
tcase_add_test(tc_spLogin, test08_test_authnrequest_flags);
|
||||||
|
tcase_add_test(tc_ecp, test09_ecp);
|
||||||
|
tcase_add_test(tc_ecp, test10_ecp);
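Review bot: Renaming test07 from HMAC-SHA1 to HMAC-SHA256 replaces the SHA1 coverage instead of extending it, so the fix in lasso_query_sign — a distinct digest per HMAC method — is still exercised for a single digest and the SHA1 branch loses its only test. One `START_TEST` per `LASSO_SIGNATURE_METHOD_HMAC_SHA*` value registered in `login_saml2_suite`, or a shared helper taking the method as a parameter, would pin all four branches of the new switch. The shared key `"xxxxxxxxxxxxxxxx"` is exactly the 16-byte minimum accepted by the signing code, so this test will need adjusting if that floor is ever made digest-dependent.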
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,129 @@
|
|||||||
|
From f625eaa007fa3a1f6c846be0d70d26de33887714 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Wed, 16 Jun 2021 10:28:53 +0200
|
||||||
|
Subject: [PATCH 2/7] tests: Move test08_lasso_key and
|
||||||
|
test07_saml2_query_verify_signature to SHA256 (#54037)
|
||||||
|
|
||||||
|
These tests use a hardcoded query and private key which makes it
|
||||||
|
unsuitable for exercising the configured default digest. Let's
|
||||||
|
just convert them to SHA256 unconditionally.
|
||||||
|
---
|
||||||
|
tests/random_tests.c | 46 ++++++++++++++++++++++----------------------
|
||||||
|
1 file changed, 23 insertions(+), 23 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/random_tests.c b/tests/random_tests.c
|
||||||
|
index c4fe85883..fa0367a3c 100644
|
||||||
|
--- a/tests/random_tests.c
|
||||||
|
+++ b/tests/random_tests.c
|
||||||
|
@@ -287,11 +287,11 @@ extern int lasso_saml2_query_verify_signature(const char *query, const xmlSecKey
|
||||||
|
START_TEST(test07_saml2_query_verify_signature)
|
||||||
|
{
|
||||||
|
/* normal query as produces by Lasso */
|
||||||
|
- const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
|
||||||
|
+ const char query1[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D";
|
||||||
|
/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
|
||||||
|
* changed to ; */
|
||||||
|
- const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
|
||||||
|
- const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
|
||||||
|
+ const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256";
|
||||||
|
+ const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D";
|
||||||
|
/* sp5-saml2 key */
|
||||||
|
const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
|
||||||
|
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
|
||||||
|
@@ -317,7 +317,7 @@ LlTxKnCrWAXftSm1rNtewTsF\n\
|
||||||
|
-----END CERTIFICATE-----";
|
||||||
|
|
||||||
|
xmlSecKeyPtr key = lasso_xmlsec_load_private_key_from_buffer(pkey, sizeof(pkey)-1, NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
|
||||||
|
|
||||||
|
fail_unless(key != NULL, "Cannot load public key");
|
||||||
|
fail_unless(lasso_saml2_query_verify_signature(query1, key) == 0, "Signature was not validated");
|
||||||
|
@@ -332,11 +332,11 @@ END_TEST
|
||||||
|
START_TEST(test08_lasso_key)
|
||||||
|
{
|
||||||
|
/* normal query as produces by Lasso */
|
||||||
|
- const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
|
||||||
|
+ const char query1[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D";
|
||||||
|
/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
|
||||||
|
* changed to ; */
|
||||||
|
- const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
|
||||||
|
- const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
|
||||||
|
+ const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256";
|
||||||
|
+ const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D";
|
||||||
|
/* sp5-saml2 key */
|
||||||
|
const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
|
||||||
|
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
|
||||||
|
@@ -361,29 +361,29 @@ NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR\n\
|
||||||
|
LlTxKnCrWAXftSm1rNtewTsF\n\
|
||||||
|
-----END CERTIFICATE-----";
|
||||||
|
LassoKey *key = lasso_key_new_for_signature_from_memory(pkey, strlen(pkey), NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
|
||||||
|
LassoKey *key2 = lasso_key_new_for_signature_from_file(
|
||||||
|
TESTSDATADIR "/sp5-saml2/private-key.pem", NULL,
|
||||||
|
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
|
||||||
|
- char *message = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_E3F8E9116EE08F0E2607CF9789649BB4\" Version=\"2.0\" IssueInstant=\"2012-03-09T11:34:48Z\" ForceAuthn=\"false\" IsPassive=\"false\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
|
||||||
|
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
|
||||||
|
+ char *message = "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"><s:Body><samlp:ArtifactResolve ID=\"_5E4DB038BC15C020CE085F743D485443\" Version=\"2.0\" IssueInstant=\"2021-06-18T16:07:49Z\" Destination=\"http://idp5/artifact\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
|
||||||
|
<SignedInfo>\n\
|
||||||
|
<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
|
||||||
|
-<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n\
|
||||||
|
-<Reference URI=\"#_E3F8E9116EE08F0E2607CF9789649BB4\">\n\
|
||||||
|
+<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n\
|
||||||
|
+<Reference URI=\"#_5E4DB038BC15C020CE085F743D485443\">\n\
|
||||||
|
<Transforms>\n\
|
||||||
|
<Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n\
|
||||||
|
<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
|
||||||
|
</Transforms>\n\
|
||||||
|
-<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n\
|
||||||
|
-<DigestValue>tMncKjklMJaJLbmB7bARmX14Fdg=</DigestValue>\n\
|
||||||
|
+<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>\n\
|
||||||
|
+<DigestValue>1Xy/VevGqojdKIvLzkczdd9Mp3AFYvZfsakldADTuO4=</DigestValue>\n\
|
||||||
|
</Reference>\n\
|
||||||
|
</SignedInfo>\n\
|
||||||
|
-<SignatureValue>VjAHErXE8rz5yQ/t9Ubws11E59PsU/tXPtL6eCMAVLQxV4Bv0dwyYkeHtge1DXDT\n\
|
||||||
|
-usTy1c17+iuYCVqD3Db51+LMVsHchj0j44fhu/PXNQTmgiT2AuVfH97YhiBWykAs\n\
|
||||||
|
-LwT8MiE9vNGiHQwsWVjhdzooVmU0M80m0Ij2DFMcYiKzmuMhE4M65qUO4tygQLiL\n\
|
||||||
|
-YB5oPe0VYKEBJLfaTvuijLBTi4ecx6aU+HptAvuEOcCbcJZtGyv7jr2yuEDSq72S\n\
|
||||||
|
-0hwOV0CIsQoSf/vL7R9RzTs2bpgYVGqgerhpWsz6dqo7YX0NSj9pMbXZiOyX/YzS\n\
|
||||||
|
-uP3QSjow05NiPhy8ywKW8A==</SignatureValue>\n\
|
||||||
|
+<SignatureValue>R5unK5JQ8no8VCokUKKw8zXglIsjggH16cQxnqKl2GpFeeFh8Tzi4KRXTzVNXi9c\n\
|
||||||
|
+dID0FTAsFM2Ol5Sqg/j2TVasR93PyIg2pUOb00tNwx8D81xEi1lXdWThHfiinYI0\n\
|
||||||
|
+2qJSFj1H8wt/ceULmnvC0F01ga78LQervkjMaSpqlvyKYrNNOEJEYo0SJSUnUE5p\n\
|
||||||
|
+wlv30BjnUCyXWQl9i03MvpPSOTJkXrFLqbJB8rB/HNdS71lWAU3k8r56OAxzTXUn\n\
|
||||||
|
+WXr73mrQrLGJzbofDjO1Lfz8JpZXRzsffAsMCxKfoL+VzrElPNW5aklrFm603w2w\n\
|
||||||
|
+6/xQk0BsHvPP8k6V32RuXQ==</SignatureValue>\n\
|
||||||
|
<KeyInfo>\n\
|
||||||
|
<KeyValue>\n\
|
||||||
|
<RSAKeyValue>\n\
|
||||||
|
@@ -401,7 +401,7 @@ AQAB\n\
|
||||||
|
</RSAKeyValue>\n\
|
||||||
|
</KeyValue>\n\
|
||||||
|
</KeyInfo>\n\
|
||||||
|
-</Signature><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" AllowCreate=\"true\"/></samlp:AuthnRequest>";
|
||||||
|
+</Signature><samlp:Artifact>AAQAALQUO+cobSry7mQpUjWDhKkaePFoNDRBMDY3RDY3QjNFM0QzQzA1NzQ=</samlp:Artifact></samlp:ArtifactResolve></s:Body></s:Envelope>";
|
||||||
|
xmlDoc *doc;
|
||||||
|
|
||||||
|
doc = xmlParseDoc(BAD_CAST message);
|
||||||
|
@@ -411,7 +411,7 @@ AQAB\n\
|
||||||
|
fail_unless(lasso_key_query_verify(key, query2) == 0, "Disordered signature was not validated");
|
||||||
|
fail_unless(lasso_key_query_verify(key, query3) != 0, "Altered signature was validated");
|
||||||
|
fail_unless(lasso_key_saml2_xml_verify(key,
|
||||||
|
- "_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
+ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
"XML Signature is not validated");
|
||||||
|
g_object_unref(key);
|
||||||
|
fail_unless(key2 != NULL, "Cannot load public key2");
|
||||||
|
@@ -420,7 +420,7 @@ AQAB\n\
|
||||||
|
fail_unless(lasso_key_query_verify(key2, query2) == 0, "Disordered signature was not validated");
|
||||||
|
fail_unless(lasso_key_query_verify(key2, query3) != 0, "Altered signature was validated");
|
||||||
|
fail_unless(lasso_key_saml2_xml_verify(key2,
|
||||||
|
- "_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
+ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0,
|
||||||
|
"XML Signature is not validated");
|
||||||
|
g_object_unref(key2);
|
||||||
|
lasso_release_doc(doc);
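Review bot: The new `query3` fixtures in test07 and test08 are no longer a one-character alteration of the `query1` signature; they carry an unrelated `Signature=` value in the same parameter order as `query1`, whereas the old `query3` combined a reordered query (RelayState first) with a single changed byte. The negative check `"Altered signature was validated"` therefore no longer covers a minimally tampered query, which is the case verification most needs to reject; keeping one fixture that flips a single byte of the SHA-256 signature would restore that. A comment above `query3` saying how it differs from `query1` would also help, since the only comment in these hunks describes `query2`.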
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,363 @@
|
|||||||
|
From f095ac8f5740b6eee687cac97840bc7e72992999 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Mon, 7 Jun 2021 12:27:15 +0200
|
||||||
|
Subject: [PATCH 3/7] Make the default signature method and the minimal hash
|
||||||
|
strength configurable (#54037)
|
||||||
|
|
||||||
|
Adds two new configure options:
|
||||||
|
--with-default-sign-algo
|
||||||
|
--min-hash-algo
|
||||||
|
|
||||||
|
--with-default-sign-algo sets the default signing algorithm and defaults
|
||||||
|
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
|
||||||
|
rsa-sha256.
|
||||||
|
|
||||||
|
--min-hash-algo sets the minimum hash algorithm to be accepted. The
|
||||||
|
default is sha1 for backwards compatibility as well.
|
||||||
|
|
||||||
|
Related:
|
||||||
|
https://dev.entrouvert.org/issues/54037
|
||||||
|
---
|
||||||
|
configure.ac | 42 +++++++++++++++++++++++++++++
|
||||||
|
lasso/id-ff/server.c | 2 +-
|
||||||
|
lasso/id-ff/server.h | 2 ++
|
||||||
|
lasso/lasso.c | 51 +++++++++++++++++++++++++++++++++++
|
||||||
|
lasso/xml/tools.c | 63 +++++++++++++++++++++++++++++++++++---------
|
||||||
|
lasso/xml/xml.c | 24 +++++++++++++++++
|
||||||
|
lasso/xml/xml.h | 9 +++++++
|
||||||
|
tests/random_tests.c | 6 ++---
|
||||||
|
8 files changed, 182 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index b527def43..2cdfbb149 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -795,6 +795,43 @@ else
|
||||||
|
AC_MSG_RESULT(no)
|
||||||
|
fi
|
||||||
|
|
||||||
|
+AC_ARG_WITH([default-sign-algo],
|
||||||
|
+ [AS_HELP_STRING([--with-default-sign-algo=[rsa-sha1|rsa-sha256]],
|
||||||
|
+ [Default signing algorithm (rsa-sha1)]
|
||||||
|
+ )
|
||||||
|
+ ]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+SIGNING_ALGO=rsa-sha1
|
||||||
|
+if test x"$with_default_sign_algo" != x; then
|
||||||
|
+ if test ! "$with_default_sign_algo" = "rsa-sha1" -a ! "$with_default_sign_algo" = "rsa-sha256"; then
|
||||||
|
+ AC_MSG_ERROR("Default signing algorithm must be either rsa-sha1 or rsa-sha256")
|
||||||
|
+ else
|
||||||
|
+ SIGNING_ALGO=$with_default_sign_algo
|
||||||
|
+ fi
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+AC_DEFINE_UNQUOTED(DEFAULT_SIGNING_ALGO, "$SIGNING_ALGO", ["The default signing algorithm"])
|
||||||
|
+
|
||||||
|
+AC_ARG_WITH([min-hash-algo],
|
||||||
|
+ [AS_HELP_STRING([--with-min-hash-algo=[sha1|sha256|sha384|sha512]],
|
||||||
|
+ [Minimal allowed hash algorithm (rsa-sha1)]
|
||||||
|
+ )
|
||||||
|
+ ]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+MIN_HASH_ALGO=sha1
|
||||||
|
+if test x"$with_min_hash_algo" != x; then
|
||||||
|
+ if test ! "$with_min_hash_algo" = "sha1" -a ! "$with_min_hash_algo" = "sha256" -a ! "$with_min_hash_algo" = "sha384" -a ! "$with_min_hash_algo" = "sha512"; then
|
||||||
|
+ AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512)
|
||||||
|
+ else
|
||||||
|
+ MIN_HASH_ALGO=$with_min_hash_algo
|
||||||
|
+ fi
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+AC_DEFINE_UNQUOTED(MIN_HASH_ALGO, "$MIN_HASH_ALGO", ["The minimal hash algorithm"])
|
||||||
|
+
|
||||||
|
+
|
||||||
|
dnl ==========================================================================
|
||||||
|
dnl Pedantic compilation
|
||||||
|
dnl ==========================================================================
|
||||||
|
@@ -939,4 +976,9 @@ Python binding: ${enable_python}
|
||||||
|
|
||||||
|
C API references: ${enable_gtk_doc}
|
||||||
|
Tests suite: ${enable_tests}
|
||||||
|
+
|
||||||
|
+Crypto settings
|
||||||
|
+---------------
|
||||||
|
+Default signature: ${SIGNING_ALGO}
|
||||||
|
+Minimal accepted hash: ${MIN_HASH_ALGO}
|
||||||
|
)
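Review bot: The `AC_MSG_ERROR` on the min-hash-algo branch is missing its closing double quote: `AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512)` leaves an unterminated string in the generated configure script, so an invalid `--with-min-hash-algo` value cannot produce the intended diagnostic; it should read `AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512")`. The help string for that option states its default as `(rsa-sha1)` while `MIN_HASH_ALGO` defaults to `sha1`, and the commit message names the option `--min-hash-algo` although `AC_ARG_WITH([min-hash-algo]` defines `--with-min-hash-algo`. Both defaults stay at SHA-1 for compatibility, which the new summary block makes visible at configure time; builds for new deployments may want to pass `--with-default-sign-algo=rsa-sha256` and a stricter `--with-min-hash-algo`.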
|
||||||
|
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
|
||||||
|
index 08bbde833..2bf5b7a8c 100644
|
||||||
|
--- a/lasso/id-ff/server.c
|
||||||
|
+++ b/lasso/id-ff/server.c
|
||||||
|
@@ -682,7 +682,7 @@ instance_init(LassoServer *server)
|
||||||
|
server->private_key = NULL;
|
||||||
|
server->private_key_password = NULL;
|
||||||
|
server->certificate = NULL;
|
||||||
|
- server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||||
|
+ server->signature_method = lasso_get_default_signature_method();
|
||||||
|
|
||||||
|
server->services = g_hash_table_new_full(g_str_hash, g_str_equal,
|
||||||
|
(GDestroyNotify)g_free,
|
||||||
|
diff --git a/lasso/id-ff/server.h b/lasso/id-ff/server.h
|
||||||
|
index 8b4192793..5f9022e9d 100644
|
||||||
|
--- a/lasso/id-ff/server.h
|
||||||
|
+++ b/lasso/id-ff/server.h
|
||||||
|
@@ -133,6 +133,8 @@ LASSO_EXPORT gchar *lasso_server_get_endpoint_url_by_id(const LassoServer *serve
|
||||||
|
LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server,
|
||||||
|
LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method);
|
||||||
|
|
||||||
|
+LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
|
||||||
|
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
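Review bot: `LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();` declares a function with an unspecified parameter list; in a C header it should be `lasso_get_default_signature_method(void)` so that calls are type-checked. `lasso_set_default_signature_method` is added to the public server.h without `LASSO_EXPORT`, which mixes an internal setter into the exported surface; if it is meant only for lasso_init, a private header is the clearer home, otherwise it needs the export macro. Neither declaration carries a doc comment; a one-liner such as `/* Signature method used by newly created LassoServer objects; set from lasso_init() */` would tell callers where the value comes from.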
|
||||||
|
diff --git a/lasso/lasso.c b/lasso/lasso.c
|
||||||
|
index 087485998..67340317d 100644
|
||||||
|
--- a/lasso/lasso.c
|
||||||
|
+++ b/lasso/lasso.c
|
||||||
|
@@ -149,6 +149,44 @@ lasso_xmlsec_errors_callback(const char *file G_GNUC_UNUSED, int line G_GNUC_UNU
|
||||||
|
g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+set_default_signature_method()
|
||||||
|
+{
|
||||||
|
+ int rv = LASSO_ERROR_UNDEFINED;
|
||||||
|
+
|
||||||
|
+ if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha256")) {
|
||||||
|
+ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha1")) {
|
||||||
|
+ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ rv = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+set_min_allowed_hash_algo()
|
||||||
|
+{
|
||||||
|
+ int rv = LASSO_ERROR_UNDEFINED;
|
||||||
|
+
|
||||||
|
+ if (lasso_strisequal(MIN_HASH_ALGO, "sha1")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha256")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha384")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA384);
|
||||||
|
+ rv = 0;
|
||||||
|
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha512")) {
|
||||||
|
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA512);
|
||||||
|
+ rv = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* lasso_init:
|
||||||
|
*
|
||||||
|
@@ -164,6 +202,19 @@ int lasso_init()
|
||||||
|
g_type_init();
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+ /* Set the default hash algo */
|
||||||
|
+ if (set_default_signature_method() != 0) {
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Unsupported signature "
|
||||||
|
+ "algorithm "DEFAULT_SIGNING_ALGO" configured");
|
||||||
|
+ return LASSO_ERROR_UNDEFINED;
|
||||||
|
+ }
|
||||||
|
+ if (set_min_allowed_hash_algo() != 0) {
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Unsupported hash algorithm "
|
||||||
|
+ "algorithm "MIN_HASH_ALGO" configured");
|
||||||
|
+ return LASSO_ERROR_UNDEFINED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* Init Lasso classes */
|
||||||
|
for (i=0; functions[i]; i++)
|
||||||
|
functions[i]();
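Review bot: The critical message for a bad minimum hash is built from `"Unsupported hash algorithm " "algorithm "MIN_HASH_ALGO" configured"`, which concatenates to "Unsupported hash algorithm algorithm sha1 configured"; drop the second `"algorithm "`. Both new helpers are defined as `set_default_signature_method()` and `set_min_allowed_hash_algo()` with empty parentheses; they should be `(void)` so the parameter list is fully specified. The comment `/* Set the default hash algo */` covers two calls, one of which sets the minimum accepted method rather than a default; `/* Apply build-time crypto settings: default signing method and minimum accepted digest */` describes both. The minimum is expressed as a `LASSO_SIGNATURE_METHOD_RSA_*` value even though lasso_saml_constrain_dsigctxt uses it to gate non-RSA transforms as well, so the comparison presumably relies on the enum being ordered by digest strength; that assumption deserves a comment next to the enum definition or here.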
|
||||||
|
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
|
||||||
|
index 290fd55f2..ce322ee1f 100644
|
||||||
|
--- a/lasso/xml/tools.c
|
||||||
|
+++ b/lasso/xml/tools.c
|
||||||
|
@@ -1505,16 +1505,6 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha512Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha512Id) < 0)
|
||||||
|
@@ -1523,15 +1513,62 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
||||||
|
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed signature transforms");
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA384) {
|
||||||
|
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0)) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 signature transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 reference transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA256) {
|
||||||
|
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0)) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 signature transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 reference transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA1) {
|
||||||
|
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
|
||||||
|
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 signature transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) {
|
||||||
|
+
|
||||||
|
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 reference transforms");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NWithCommentsId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||||
|
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||||
|
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
|
||||||
|
|
||||||
|
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
|
||||||
|
index 938844baf..f017ebbe3 100644
|
||||||
|
--- a/lasso/xml/xml.c
|
||||||
|
+++ b/lasso/xml/xml.c
|
||||||
|
@@ -91,6 +91,10 @@ GHashTable *dst_services_by_prefix = NULL; /* ID-WSF 1 extra DST services, index
|
||||||
|
GHashTable *idwsf2_dst_services_by_href = NULL; /* ID-WSF 2 DST services, indexed on href */
|
||||||
|
GHashTable *idwsf2_dst_services_by_prefix = NULL; /* ID-WSF 2 DST services, indexed on prefix */
|
||||||
|
|
||||||
|
+
|
||||||
|
+static LassoSignatureMethod default_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||||
|
+static LassoSignatureMethod min_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||||
|
+
|
||||||
|
/*****************************************************************************/
|
||||||
|
/* global methods */
|
||||||
|
/*****************************************************************************/
|
||||||
|
@@ -3689,3 +3693,23 @@ lasso_node_new_from_saml2_query(const char *url_or_qs, const char *param_name, L
|
||||||
|
cleanup:
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+LassoSignatureMethod
|
||||||
|
+lasso_get_default_signature_method() {
|
||||||
|
+ return default_signature_method;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+lasso_set_default_signature_method(LassoSignatureMethod meth) {
|
||||||
|
+ default_signature_method = meth;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+LassoSignatureMethod
|
||||||
|
+lasso_get_min_signature_method() {
|
||||||
|
+ return min_signature_method;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+lasso_set_min_signature_method(LassoSignatureMethod meth) {
|
||||||
|
+ min_signature_method = meth;
|
||||||
|
+}
|
||||||
|
diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
|
||||||
|
index 7660a0647..d0d3e1b0d 100644
|
||||||
|
--- a/lasso/xml/xml.h
|
||||||
|
+++ b/lasso/xml/xml.h
|
||||||
|
@@ -116,6 +116,15 @@ typedef enum {
|
||||||
|
LASSO_SIGNATURE_METHOD_LAST
|
||||||
|
} LassoSignatureMethod;
|
||||||
|
|
||||||
|
+/* signature method and hash strength */
|
||||||
|
+LassoSignatureMethod lasso_get_default_signature_method();
|
||||||
|
+
|
||||||
|
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
|
||||||
|
+
|
||||||
|
+LassoSignatureMethod lasso_get_min_signature_method();
|
||||||
|
+
|
||||||
|
+void lasso_set_min_signature_method(LassoSignatureMethod meth);
|
||||||
|
+
|
||||||
|
static inline gboolean
|
||||||
|
lasso_validate_signature_method(LassoSignatureMethod signature_method)
|
||||||
|
{
|
||||||
|
diff --git a/tests/random_tests.c b/tests/random_tests.c
|
||||||
|
index fa0367a3c..cf112c7e2 100644
|
||||||
|
--- a/tests/random_tests.c
|
||||||
|
+++ b/tests/random_tests.c
|
||||||
|
@@ -97,7 +97,7 @@ START_TEST(test01_server_new)
|
||||||
|
fail_unless(server->private_key != NULL);
|
||||||
|
fail_unless(server->private_key_password == NULL);
|
||||||
|
fail_unless(server->certificate != NULL);
|
||||||
|
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||||
|
fail_unless(provider->ProviderID != NULL);
|
||||||
|
fail_unless(provider->role == 0);
|
||||||
|
fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
|
||||||
|
@@ -115,7 +115,7 @@ START_TEST(test01_server_new)
|
||||||
|
fail_unless(server->private_key != NULL);
|
||||||
|
fail_unless(server->private_key_password == NULL);
|
||||||
|
fail_unless(server->certificate != NULL);
|
||||||
|
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||||
|
fail_unless(server->providers != NULL);
|
||||||
|
fail_unless(provider->ProviderID != NULL);
|
||||||
|
fail_unless(provider->role == 0, "provider->role != 0 => provider := %d", provider->role);
|
||||||
|
@@ -143,7 +143,7 @@ START_TEST(test02_server_add_provider)
|
||||||
|
fail_unless(server->private_key != NULL);
|
||||||
|
fail_unless(! server->private_key_password);
|
||||||
|
fail_unless(server->certificate != NULL);
|
||||||
|
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
||||||
|
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
|
||||||
|
fail_unless(server->providers != NULL);
|
||||||
|
lasso_server_add_provider(
|
||||||
|
server,
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
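--- /dev/null
+++ b/SOURCES/PLACEHOLDER-patch-4-of-7-filename-not-shown.patch
@@ -0,0 +1,162 @@
+From 0d34c97be1c761a9eb12692e4cc4eac58feb7d19 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 15 Jun 2021 14:45:14 +0200
+Subject: [PATCH 4/7] Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with
+lasso_get_default_signature_method() (#54037)
+
+This should be backwards-compatible but at the same time use the
+selected default instead of RSA-SHA1.
+
+Related:
+https://dev.entrouvert.org/issues/54037
+---
+lasso/id-ff/defederation.c | 2 +-
+lasso/id-ff/logout.c | 6 +++---
+lasso/id-ff/name_identifier_mapping.c | 4 ++--
+lasso/id-ff/name_registration.c | 4 ++--
+lasso/id-ff/provider.c | 2 +-
+lasso/xml/tools.c | 2 +-
+tests/basic_tests.c | 6 +++---
+7 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
+index d711e4eed..d2382f4ae 100644
+--- a/lasso/id-ff/defederation.c
++++ b/lasso/id-ff/defederation.c
+@@ -251,7 +251,7 @@ lasso_defederation_init_notification(LassoDefederation *defederation, gchar *rem
+nameIdentifier,
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+if (profile->msg_relayState) {
+message(G_LOG_LEVEL_WARNING,
+"RelayState was defined but can't be used "\
+diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
+index 20d04ed82..d307db586 100644
+--- a/lasso/id-ff/logout.c
++++ b/lasso/id-ff/logout.c
+@@ -396,7 +396,7 @@ lasso_logout_build_response_msg(LassoLogout *logout)
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 :
+LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1));
++ lasso_get_default_signature_method()));
+} else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
+lasso_assign_new_gobject(profile->response,
+lasso_lib_logout_response_new_full(
+@@ -608,7 +608,7 @@ lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
+nameIdentifier,
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+} else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
+is_http_redirect_get_method = TRUE;
+lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
+@@ -990,7 +990,7 @@ lasso_logout_validate_request(LassoLogout *logout)
+logout_request,
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1));
++ lasso_get_default_signature_method()));
+}
+if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
+lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
+diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
+index 80af6fec4..f84020eb6 100644
+--- a/lasso/id-ff/name_identifier_mapping.c
++++ b/lasso/id-ff/name_identifier_mapping.c
+@@ -259,7 +259,7 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,
+targetNamespace,
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {
+return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
+}
+@@ -458,7 +458,7 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi
+request,
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+
+if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {
+return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
+diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
+index 11dbf24fe..076cf9624 100644
+--- a/lasso/id-ff/name_registration.c
++++ b/lasso/id-ff/name_registration.c
+@@ -339,7 +339,7 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,
+idpNameIdentifier, spNameIdentifier, oldNameIdentifier,
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+if (profile->request == NULL) {
+return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
+}
+@@ -575,7 +575,7 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio
+LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),
+profile->server->certificate ?
+LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1);
++ lasso_get_default_signature_method());
+if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {
+return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
+}
+diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
+index 32a907d43..961c3669d 100644
+--- a/lasso/id-ff/provider.c
++++ b/lasso/id-ff/provider.c
+@@ -1274,7 +1274,7 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
+
+if (public_key != NULL) {
+xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
++ lasso_get_default_signature_method(), NULL);
+if (key) {
+lasso_list_add_new_sec_key(keys, key);
+} else {
+diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
+index ce322ee1f..cf6dade09 100644
+--- a/lasso/xml/tools.c
++++ b/lasso/xml/tools.c
+@@ -2746,7 +2746,7 @@ next:
+content = xmlNodeGetContent(key_value);
+if (content) {
+result = lasso_xmlsec_load_private_key_from_buffer((char*)content,
+- strlen((char*)content), NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
++ strlen((char*)content), NULL, lasso_get_default_signature_method(), NULL);
+xmlFree(content);
+}
+}
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index f9cfef266..0652abc28 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2008,16 +2008,16 @@ START_TEST(test14_lasso_key)
+
+check_true(g_file_get_contents(TESTSDATADIR "sp1-la/private-key-raw.pem", &buffer, &length, NULL));
+check_not_null(key = lasso_key_new_for_signature_from_memory(buffer,
+- length, NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
++ length, NULL, lasso_get_default_signature_method(),
+NULL));
+lasso_release_gobject(key);
+check_not_null(key = lasso_key_new_for_signature_from_file(TESTSDATADIR
+- "sp1-la/private-key-raw.pem", NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
++ "sp1-la/private-key-raw.pem", NULL, lasso_get_default_signature_method(),
+NULL));
+lasso_release_gobject(key);
+base64_encoded = g_base64_encode(BAD_CAST buffer, length);
+check_not_null(key = lasso_key_new_for_signature_from_base64_string(base64_encoded, NULL,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL));
++ lasso_get_default_signature_method(), NULL));
+lasso_release_string(base64_encoded);
+lasso_release_string(buffer);
+lasso_release_gobject(key);
+--
+2.26.3
+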
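Review bot: In the provider.c and tools.c hunks (lasso_provider_load_public_key and the KeyValue path after `next:`) the method handed to the key loaders is now the process-wide signing default, although these two calls load a peer's public key for verification and the argument presumably only decides which key type is loaded (the `switch (signature_method)` in _lasso_xmlsec_load_key_from_buffer, visible later on this page, is what consumes it). As long as the configurable default can only be an RSA_* value, which is what the visible set_*_signature_method mappings suggest, behaviour is unchanged, but the intent is no longer obvious at the call site; a comment such as `/* the method only selects the key type to load; the signing default is always an RSA_* value */` at both sites would stop a future non-RSA default from silently changing how public keys are parsed. The basic_tests.c hunk now asserts against the getter instead of a fixed method, so that test passes for whatever DEFAULT_SIGNING_ALGO the build selected and no longer pins the algorithm. Both enclosing functions start and end outside their hunks.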
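--- /dev/null
+++ b/SOURCES/PLACEHOLDER-patch-5-of-7-filename-not-shown.patch
@@ -0,0 +1,160 @@
+From f9a3aca0cb31a412faae25dd9fdbbf3fb61cb62f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 15 Jun 2021 15:08:44 +0200
+Subject: [PATCH 5/7] Check if the signature method is allowed in addition to
+being valid (#54037)
+
+Adds a new utility function lasso_allowed_signature_method() that checks
+if the signature method is allowed. Previously, the code would only
+check if the method was valid.
+
+This new function is used whenever lasso_validate_signature_method was
+previously used through lasso_ok_signature_method() which wraps both
+validate and allowed.
+
+lasso_allowed_signature_method() is also used on a couple of places,
+notably lasso_query_verify_helper().
+
+Related:
+https://dev.entrouvert.org/issues/54037
+---
+lasso/id-ff/server.c | 4 ++--
+lasso/saml-2.0/profile.c | 4 ++--
+lasso/xml/tools.c | 11 ++++++++++-
+lasso/xml/xml.c | 5 +++--
+lasso/xml/xml.h | 13 +++++++++++++
+5 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
+index 2bf5b7a8c..98a6c0214 100644
+--- a/lasso/id-ff/server.c
++++ b/lasso/id-ff/server.c
+@@ -909,7 +909,7 @@ lasso_server_get_signature_context_for_provider(LassoServer *server,
+private_context = &provider->private_data->signature_context;
+}
+
+- if (private_context && lasso_validate_signature_method(private_context->signature_method)) {
++ if (private_context && lasso_ok_signature_method(private_context->signature_method)) {
+lasso_assign_signature_context(*signature_context, *private_context);
+} else {
+rc = lasso_server_get_signature_context(server, signature_context);
+@@ -1014,7 +1014,7 @@ lasso_server_export_to_query_for_provider_by_name(LassoServer *server, const cha
+provider_id, &context));
+query = lasso_node_build_query(node);
+goto_cleanup_if_fail_with_rc(query, LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
+- if (lasso_validate_signature_method(context.signature_method)) {
++ if (lasso_ok_signature_method(context.signature_method)) {
+lasso_assign_new_string(query, lasso_query_sign(query, context));
+}
+goto_cleanup_if_fail_with_rc(query,
+diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
+index 85f535ae0..412c391a6 100644
+--- a/lasso/saml-2.0/profile.c
++++ b/lasso/saml-2.0/profile.c
+@@ -1181,7 +1181,7 @@ lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, char
+"see #3.4.3 of saml-bindings-2.0-os");
+}
+}
+- if (lasso_validate_signature_method(context.signature_method)) {
++ if (lasso_ok_signature_method(context.signature_method)) {
+result = lasso_query_sign(unsigned_query, context);
+goto_cleanup_if_fail_with_rc(result != NULL,
+LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
+@@ -1219,7 +1219,7 @@ lasso_saml20_profile_build_http_redirect(LassoProfile *profile,
+goto_cleanup_if_fail_with_rc (url != NULL, LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
+/* if message is signed, remove XML signature, add query signature */
+lasso_assign_signature_context(context, lasso_node_get_signature(msg));
+- if (lasso_validate_signature_method(context.signature_method)) {
++ if (lasso_ok_signature_method(context.signature_method)) {
+lasso_node_remove_signature(msg);
+}
+lasso_check_good_rc(lasso_saml20_profile_export_to_query(profile, msg, &query, context));
+diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
+index cf6dade09..077b1134d 100644
+--- a/lasso/xml/tools.c
++++ b/lasso/xml/tools.c
+@@ -499,7 +499,7 @@ lasso_query_sign(char *query, LassoSignatureContext context)
+lasso_error_t rc = 0;
+
+g_return_val_if_fail(query != NULL, NULL);
+- g_return_val_if_fail(lasso_validate_signature_method(context.signature_method), NULL);
++ g_return_val_if_fail(lasso_ok_signature_method(context.signature_method), NULL);
+
+key = context.signature_key;
+sign_method = context.signature_method;
+@@ -804,6 +804,12 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
+} else {
+goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
+}
++
++ /* is the signature algo allowed */
++ goto_cleanup_if_fail_with_rc(
++ lasso_allowed_signature_method(method),
++ LASSO_DS_ERROR_INVALID_SIGALG);
++
+/* decode signature */
+signature = g_malloc(key_size+1);
+goto_cleanup_if_fail_with_rc(
+@@ -2434,6 +2440,9 @@ _lasso_xmlsec_load_key_from_buffer(const char *buffer, size_t length, const char
+};
+xmlSecKey *private_key = NULL;
+
++ /* is the signature algo allowed */
++ goto_cleanup_if_fail(lasso_allowed_signature_method(signature_method));
++
+xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
+switch (signature_method) {
+case LASSO_SIGNATURE_METHOD_RSA_SHA1:
+diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
+index f017ebbe3..49574de68 100644
+--- a/lasso/xml/xml.c
++++ b/lasso/xml/xml.c
+@@ -824,7 +824,7 @@ lasso_legacy_extract_and_copy_signature_parameters(LassoNode *node, LassoNodeCla
+node_data->sign_method_offset);
+private_key_file = G_STRUCT_MEMBER(char *, node, node_data->private_key_file_offset);
+certificate_file = G_STRUCT_MEMBER(char *, node, node_data->certificate_file_offset);
+- if (! lasso_validate_signature_method(signature_method)) {
++ if (! lasso_ok_signature_method(signature_method)) {
+return FALSE;
+}
+if (lasso_node_set_signature(node,
+@@ -1873,10 +1873,11 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
+int what;
+if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
+BAD_CAST LASSO_LIB_HREF, &what,
+- LASSO_SIGNATURE_METHOD_RSA_SHA1,
++ lasso_get_min_signature_method(),
+LASSO_SIGNATURE_METHOD_LAST))
+break;
+method = what;
++
+if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
+BAD_CAST LASSO_LIB_HREF, &what, LASSO_SIGNATURE_TYPE_NONE+1,
+LASSO_SIGNATURE_TYPE_LAST))
+diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
+index d0d3e1b0d..60c04eae5 100644
+--- a/lasso/xml/xml.h
++++ b/lasso/xml/xml.h
+@@ -132,6 +132,19 @@ lasso_validate_signature_method(LassoSignatureMethod signature_method)
+&& signature_method < (LassoSignatureMethod)LASSO_SIGNATURE_METHOD_LAST;
+}
+
++static inline gboolean
++lasso_allowed_signature_method(LassoSignatureMethod signature_method)
++{
++ return signature_method >= lasso_get_min_signature_method();
++}
++
++static inline gboolean
++lasso_ok_signature_method(LassoSignatureMethod signature_method)
++{
++ return lasso_validate_signature_method(signature_method) \
++ && lasso_allowed_signature_method(signature_method);
++}
++
+typedef struct _LassoNode LassoNode;
+typedef struct _LassoNodeClass LassoNodeClass;
+typedef struct _LassoNodeClassData LassoNodeClassData;
+--
+2.26.3
+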
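Review bot: lasso_allowed_signature_method() in the xml.h hunk expresses the minimum-strength policy as a numeric `>=` on LassoSignatureMethod, so it is correct only if the enum is laid out in increasing digest strength, and the enum definition is not on this page; the `<=` comparisons added to lasso_saml_constrain_dsigctxt earlier in this series rest on the same assumption. A member appended out of that order (or an HMAC_/DSA_ variant sitting between RSA_ ones, if that is the layout) would then be admitted or rejected by position rather than by digest, which is a silent policy bypass or a silent lock-out. I would document and pin the assumption next to the function, e.g. `/* policy is enforced by enum order: the RSA_SHAxxx members must ascend with digest strength */` followed by `G_STATIC_ASSERT(LASSO_SIGNATURE_METHOD_RSA_SHA1 < LASSO_SIGNATURE_METHOD_RSA_SHA256 && LASSO_SIGNATURE_METHOD_RSA_SHA256 < LASSO_SIGNATURE_METHOD_RSA_SHA384 && LASSO_SIGNATURE_METHOD_RSA_SHA384 < LASSO_SIGNATURE_METHOD_RSA_SHA512);`. Minor style: the `\` continuation inside lasso_ok_signature_method is a macro idiom and is not needed in a plain expression. In the tools.c hunk, _lasso_xmlsec_load_key_from_buffer (whose body continues outside the hunk) refuses a disallowed method via goto_cleanup_if_fail with no diagnostic, whereas lasso_query_verify_helper returns LASSO_DS_ERROR_INVALID_SIGALG; a `message(G_LOG_LEVEL_WARNING, ...)` naming the rejected method there would make a key refused by the MIN_HASH_ALGO policy debuggable from the logs.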
@ -1,382 +0,0 @@
|
|||||||
From 12a3f6c10ee3d5f321a751cf6c4cb7f63313582e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Thu, 13 Jun 2019 13:03:04 +0200
|
|
||||||
Subject: [PATCH] tests: use self-generated certificate to sign federation
|
|
||||||
metadata file (#33823)
|
|
||||||
|
|
||||||
---
|
|
||||||
tests/basic_tests.c | 13 +---
|
|
||||||
tests/data/lasso.crt | 23 +++++++
|
|
||||||
tests/data/lasso.csr | 15 ++++
|
|
||||||
tests/data/lasso.key | 27 ++++++++
|
|
||||||
.../metadata/metadata-federation-renater.crt | 15 ----
|
|
||||||
tests/data/metadata/renater-metadata.xml | 69 +++++++++++--------
|
|
||||||
tests/data/rootCA.crt | 32 +++++++++
|
|
||||||
tests/data/rootCA.key | 51 ++++++++++++++
|
|
||||||
tests/data/rootCA.srl | 1 +
|
|
||||||
9 files changed, 192 insertions(+), 54 deletions(-)
|
|
||||||
create mode 100644 tests/data/lasso.crt
|
|
||||||
create mode 100644 tests/data/lasso.csr
|
|
||||||
create mode 100644 tests/data/lasso.key
|
|
||||||
delete mode 100644 tests/data/metadata/metadata-federation-renater.crt
|
|
||||||
create mode 100644 tests/data/rootCA.crt
|
|
||||||
create mode 100644 tests/data/rootCA.key
|
|
||||||
create mode 100644 tests/data/rootCA.srl
|
|
||||||
|
|
||||||
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
|
|
||||||
index c08cab69..84999a17 100644
|
|
||||||
--- a/tests/basic_tests.c
|
|
||||||
+++ b/tests/basic_tests.c
|
|
||||||
@@ -1983,24 +1983,13 @@ START_TEST(test13_test_lasso_server_load_metadata)
|
|
||||||
block_lasso_logs;
|
|
||||||
check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
|
|
||||||
TESTSDATADIR "/metadata/renater-metadata.xml",
|
|
||||||
- TESTSDATADIR "/metadata/metadata-federation-renater.crt",
|
|
||||||
+ TESTSDATADIR "/rootCA.crt",
|
|
||||||
&blacklisted_1, &loaded_entity_ids,
|
|
||||||
LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
|
|
||||||
unblock_lasso_logs;
|
|
||||||
check_equals(g_hash_table_size(server->providers), 110);
|
|
||||||
check_equals(g_list_length(loaded_entity_ids), 110);
|
|
||||||
|
|
||||||
-#if 0
|
|
||||||
- /* UK federation file are too big to distribute (and I don't even known if it's right to do
|
|
||||||
- * it, disable this test for now ) */
|
|
||||||
- check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
|
|
||||||
- TESTSDATADIR "/ukfederation-metadata.xml",
|
|
||||||
- TESTSDATADIR "/ukfederation.pem",
|
|
||||||
- &blacklisted_1, &loaded_entity_ids,
|
|
||||||
- LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
|
|
||||||
- check_equals(g_list_length(loaded_entity_ids), 283);
|
|
||||||
- check_equals(g_hash_table_size(server->providers), 393);
|
|
||||||
-#endif
|
|
||||||
lasso_release_list_of_strings(loaded_entity_ids);
|
|
||||||
|
|
||||||
lasso_release_gobject(server);
|
|
||||||
diff --git a/tests/data/lasso.crt b/tests/data/lasso.crt
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..568a0b9c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/lasso.crt
|
|
||||||
@@ -0,0 +1,23 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIID6zCCAdMCFALT+lN2uLJWF7p2xOo65/5KwxixMA0GCSqGSIb3DQEBCwUAMEUx
|
|
||||||
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
|
|
||||||
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwIBcNMTkwNjExMDc0NTU2WhgPMjI5MzAzMjUw
|
|
||||||
+NzQ1NTZaMB0xCzAJBgNVBAYTAkZSMQ4wDAYDVQQDDAVMYXNzbzCCASIwDQYJKoZI
|
|
||||||
+hvcNAQEBBQADggEPADCCAQoCggEBAOIS/WATGMJsv7OvgrjpYmAW3RmojVp4cHi0
|
|
||||||
+17HelWVZ5adX3zSljecmpb1UQcBNzEDb15tOnNO708O94fFLWiWRfjYWa1QYOLkZ
|
|
||||||
+6kHAR2yJTkhBNQl326K6BnJkWoCsErkXa1608+6+rXR+9KchB/lLSY3Dqh8L6N7s
|
|
||||||
+qE+xyD1Z8HM3mHs9CM4crIpCPaZ80/yNfBPqPA2Zv4uIBrwSF32rPnh1ciJuIKQg
|
|
||||||
+jnCQOaKC2j+VsytgthriI0PVRzC7WPAJReQa65N/i721jG6rPecwVcCS9G6cmG+s
|
|
||||||
+pq6GERUe7nFVdNZ5sRzNsGuDpEdmeCS1pCPtW2hufm8vqvtw9ZkCAwEAATANBgkq
|
|
||||||
+hkiG9w0BAQsFAAOCAgEAfbHk+QNvLYDNlqwwlu5+88/3CcEx+s1voXOBTxgyIAR2
|
|
||||||
+NVKkO7dAW5me51jPPZhy+xC4i+AAeLW5JGwirM5LDgU+9P02JBsZ4OoZI3pBAZ5m
|
|
||||||
+GrmxrMm6q+9mJ+6bMHolfBNN6hoaWeJiknvc1Id7o0Dh4PbdV7r6ISuXisDb/1je
|
|
||||||
+tmzxoFuXhmDwwHMTG7eUORVFEgS8V5NNKMv16BeWNDohJVP6icxwoi5JswUl+vfO
|
|
||||||
+rvIwx2GAJ2EQAbSZv5ADFQ4/vxeopULgLnblc3BwVG4RTT7plNgT2iXP8YwmEGKb
|
|
||||||
+JDHRVFUo1tX6EKkBUI9AgETrdUnLq6XxP11JmrqNL9oOHw+hGb5vT1wyn6FFxZo2
|
|
||||||
+BVgfqdiGbjcs1bTKeQAZKuhaW90oV6+yYD6WtWn/LfHnftAJivALkmUk+XaSqqbO
|
|
||||||
+FxuyRsz9C/yq0azr6IkCWhGwBYoLvf2CrvovSYpPXefeQ+1yXNDW7bvfAQfOO9xk
|
|
||||||
+SqQi4cYJw9hNqTk2f61x6UX/o8wKVhXEHyaCr9lVLNpCK0Uy07f3zkubx1mW5PST
|
|
||||||
+ITSnD8sPD7iMyGOJa5tQJ8W5u2NJT6qo52Jubgc8PapkOoYyEhUaTQEb8RN6D3oD
|
|
||||||
+xc8cCKn4HUtpkJKgxYhQDtsomJp2RK7lzjVPXAlFUmld88WgqdJwp9GSvMEktA0=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/tests/data/lasso.csr b/tests/data/lasso.csr
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..c450e1b4
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/lasso.csr
|
|
||||||
@@ -0,0 +1,15 @@
|
|
||||||
+-----BEGIN CERTIFICATE REQUEST-----
|
|
||||||
+MIICYjCCAUoCAQAwHTELMAkGA1UEBhMCRlIxDjAMBgNVBAMMBUxhc3NvMIIBIjAN
|
|
||||||
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4hL9YBMYwmy/s6+CuOliYBbdGaiN
|
|
||||||
+WnhweLTXsd6VZVnlp1ffNKWN5yalvVRBwE3MQNvXm06c07vTw73h8UtaJZF+NhZr
|
|
||||||
+VBg4uRnqQcBHbIlOSEE1CXfboroGcmRagKwSuRdrXrTz7r6tdH70pyEH+UtJjcOq
|
|
||||||
+Hwvo3uyoT7HIPVnwczeYez0IzhysikI9pnzT/I18E+o8DZm/i4gGvBIXfas+eHVy
|
|
||||||
+Im4gpCCOcJA5ooLaP5WzK2C2GuIjQ9VHMLtY8AlF5Brrk3+LvbWMbqs95zBVwJL0
|
|
||||||
+bpyYb6ymroYRFR7ucVV01nmxHM2wa4OkR2Z4JLWkI+1baG5+by+q+3D1mQIDAQAB
|
|
||||||
+oAAwDQYJKoZIhvcNAQELBQADggEBAJcoM7bn2yEElJjpX8mYuawWwlNdLOCyIPCc
|
|
||||||
+tr6b61CmVDVntWw61fExrg+n1b5uOVuUAEaYNutw6nypzrfvr4wjGKxbl/jTSJCM
|
|
||||||
+WHLl0/+IGQgr41SbRaySA1Y1hdJEd1ummH07sd7FfQNN/T/zLGaM0CI2/yj89VRk
|
|
||||||
+BJwiSwbFp1zqntoITQPjo/vpWAqahqNpSKR+C5l1f870wVI2wPg89McRw35EACdx
|
|
||||||
+Pys8g15+3eKBRTD24eOSWDAL4iDz1jh8ejwtuPjZCQRgg7pkV7uK9Qq4XbStW8AR
|
|
||||||
+JftZ9BBmUOkpdTY0ml6uNojI5u3J/A8KL0UHeiOGLzEy6l64qjE=
|
|
||||||
+-----END CERTIFICATE REQUEST-----
|
|
||||||
diff --git a/tests/data/lasso.key b/tests/data/lasso.key
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..d6ee4142
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/lasso.key
|
|
||||||
@@ -0,0 +1,27 @@
|
|
||||||
+-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
+MIIEpAIBAAKCAQEA4hL9YBMYwmy/s6+CuOliYBbdGaiNWnhweLTXsd6VZVnlp1ff
|
|
||||||
+NKWN5yalvVRBwE3MQNvXm06c07vTw73h8UtaJZF+NhZrVBg4uRnqQcBHbIlOSEE1
|
|
||||||
+CXfboroGcmRagKwSuRdrXrTz7r6tdH70pyEH+UtJjcOqHwvo3uyoT7HIPVnwczeY
|
|
||||||
+ez0IzhysikI9pnzT/I18E+o8DZm/i4gGvBIXfas+eHVyIm4gpCCOcJA5ooLaP5Wz
|
|
||||||
+K2C2GuIjQ9VHMLtY8AlF5Brrk3+LvbWMbqs95zBVwJL0bpyYb6ymroYRFR7ucVV0
|
|
||||||
+1nmxHM2wa4OkR2Z4JLWkI+1baG5+by+q+3D1mQIDAQABAoIBAClNONcFhh93CKrG
|
|
||||||
+JMatdJiDdM9MOM7PdBTJTSKkvHxwqQEij5epqzwQlnT5YK3GSMuMnl40RXh1NyHq
|
|
||||||
+nc2ca5KzevBctiz949cFQgPTIflVOGUA7LSXHhwjiiv544LgbOc9vRLnUi1Kzpua
|
|
||||||
+2g1yfmdv9rcciQb1AQ1BBRrSKvfyD410KojJXwunYx32hrHdnhPwC3xyg6BEMpq9
|
|
||||||
+PtcnTvFY/iDeyzYLwAwJb2xdTCpg7okd1KthtohS740Y0uS+UVaEDK7xOIj+CNIq
|
|
||||||
+ii+j0fv5N5fjke8TdUszLWkDYQQ9BTJWFOjJ72FZs9J8pk7RlNhnt6tEoZ6866+w
|
|
||||||
+nprmJwUCgYEA9VWT0FswnSnm+lkRP7vc/SJYTg6zD2BrGOKEo58L8TObb242G+Fs
|
|
||||||
+JteMvdVm14GublmqXZv6Md5x5iVh3kRlu+8dbM5WnBNpwt6mGZPK7if5K/X1qiJg
|
|
||||||
+BeroAX/KuVjSHBYVDFfHqPQg146RFcj/q7aCsqc+aMwgdUZ8OlBjRf8CgYEA6+cP
|
|
||||||
+GG9VOlXWZ2RzSBoKrvxJgSQRpgVXeJAr1BWZ+pJVGIft3zSbeJ30nsUuob61UDVH
|
|
||||||
+g6HzjOUQWHyK4wq2gyK3kOw/Aii6z4REXDVMVq3OgqaE4Fw+MH31ci8JILU415ZY
|
|
||||||
+DQGo++E87tbSgp32gqou7Aj7Y4Sfvx+V/da4NGcCgYAv+tGSsRLb2cMLePnPnh0F
|
|
||||||
+AH+GnIdWXYP0dPB903ARdwdSDprUbwyouAUVZzPat8j2WeDgt82BjUB3Qx5Vysie
|
|
||||||
+rY/ypJP5qC5J5yNS4z2PwA+SEmM+J8Thw2QmTujFwOIujf8Fz/EDUONPZNlpCks+
|
|
||||||
+OM5sxBqHgkxiwysueGRB3wKBgQCWwXDaMrwKrbR5Gq65kzrknQH0b7J/oMZHnAsG
|
|
||||||
+XE+s3DtZk/SmQh5hNMCRfn3Qi+mfOo1bR/I3RmPtyJmRgtUkdNlO2kth+9l2qJZv
|
|
||||||
+PvhsJGLnB7e/EfQEVVq3/+sbZfTPgZr/pOHzJfwkvlCFfKF+23dlDFBrRuQ35d2a
|
|
||||||
+/M93XQKBgQCmAatw/7+z/CS6HinOW7W4k77eQ4wHb8XwzTl8T/5mf6KzejDUuEpZ
|
|
||||||
+hi4ZMAZqNywiJo7UOu6APVzRU7qF6Dbg4eIZWtIocMhp19kUArAPz7NcrghXsTIZ
|
|
||||||
+UdBWeG3kgUa5Q6d/D2OpWHK9S8LRdUL4/H0WZoqDOoDpJwKpljevyg==
|
|
||||||
+-----END RSA PRIVATE KEY-----
|
|
||||||
diff --git a/tests/data/metadata/metadata-federation-renater.crt b/tests/data/metadata/metadata-federation-renater.crt
|
|
||||||
deleted file mode 100644
|
|
||||||
index b6117441..00000000
|
|
||||||
--- a/tests/data/metadata/metadata-federation-renater.crt
|
|
||||||
+++ /dev/null
|
|
||||||
@@ -1,15 +0,0 @@
|
|
||||||
------BEGIN CERTIFICATE-----
|
|
||||||
-MIICZTCCAc6gAwIBAgIEScn+qTANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJG
|
|
||||||
-UjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNhdCBkZSBzaWdu
|
|
||||||
-YXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9uIEVkdWNhdGlv
|
|
||||||
-bi1SZWNoZXJjaGUwHhcNMDkwMzI1MDk1MTM3WhcNMTkwMzIzMDk1MTM3WjB3MQsw
|
|
||||||
-CQYDVQQGEwJGUjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNh
|
|
||||||
-dCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9u
|
|
||||||
-IEVkdWNhdGlvbi1SZWNoZXJjaGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
|
|
||||||
-AJBXcLIguokGiytYSOrgmU6fN+1DXK4eaquvFGMaswuhcRPD4tXtSs8CGxPP8/VF
|
|
||||||
-Mpcry04lfPA3mpwDis47hsvmLqGJVmfSuvkDsPx+I325h4WqGzEV8kfttkJSi8D0
|
|
||||||
-QLKk9wseA+BHzoBpU6e5uWmGqfWJgbZlcUuYKCIE2nL/AgMBAAEwDQYJKoZIhvcN
|
|
||||||
-AQEFBQADgYEAT0rUS5GTtqW9a0pAv0PjieSS6bW3KG3Mtn0jC1dmav6X9fbhhmFL
|
|
||||||
-1XSC9WnCU2UD3986EWWYKhN2INHghHE/fQGveVwdcVSSt601OpAsUF18tx0vHqkf
|
|
||||||
-Shcj7mteq59Gv4hOE8U1Urd/pSRaIO3G42X6/L/AlXeDkicfGZHhq7Q=
|
|
||||||
------END CERTIFICATE-----
|
|
||||||
diff --git a/tests/data/metadata/renater-metadata.xml b/tests/data/metadata/renater-metadata.xml
|
|
||||||
index 868f9259..70517100 100644
|
|
||||||
--- a/tests/data/metadata/renater-metadata.xml
|
|
||||||
+++ b/tests/data/metadata/renater-metadata.xml
|
|
||||||
@@ -1,4 +1,5 @@
|
|
||||||
-<?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="https://federation.renater.fr/" validUntil="2011-05-23T14:24:02Z" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
||||||
+<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="https://federation.renater.fr/" validUntil="2011-05-23T14:24:02Z" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
||||||
<ds:SignedInfo>
|
|
||||||
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
||||||
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
||||||
@@ -11,36 +12,50 @@
|
|
||||||
<ds:DigestValue>AIDrFyG3G6IpXdapls2LeP2Awt8=</ds:DigestValue>
|
|
||||||
</ds:Reference>
|
|
||||||
</ds:SignedInfo>
|
|
||||||
-<ds:SignatureValue>
|
|
||||||
-Mb7C8CsvA6UNnLN+LHCoOG7+c1CYQtUMm+o3p31niDfRcDcCDtuZ521FGM6p6ki6fS8HlncK0Q+h
|
|
||||||
-7rpXNeD2dY12FU94vI5wfF6m89pRs6QYE4O13HPDDZvhRZY+BX4+fqg6tsRz8NRaFS/xvxSzzPzO
|
|
||||||
-dsOrE6R2/QhrcaF1PnA=
|
|
||||||
-</ds:SignatureValue>
|
|
||||||
+<ds:SignatureValue>a47ZynaE+fXQFr2QkjjNsPoWhG0Lbed36MZ2/1jNygD2Ck3zYNSBxFTNI0bhZSi+
|
|
||||||
+sYefYhnYDqpz785/90Ym3hVL+olMZ8z7NLlkeDKCScNCi1436j/W4voR0jez3BkA
|
|
||||||
+IrMW2p4eUtSwfTHRazMtRacQrwTk3JAbShXuWU7fVnRI4t8oa8t43rf2hz+rRG8F
|
|
||||||
+SizMOyyHMak13jaVCmX5qoaO4OWmqs2GhXsx8hRfzJ8o6w417InTLWcuIRNw1/zm
|
|
||||||
+6O6H1as6nmKv34SppCiwdGrTpT6i3/zB3j9Hw7iyuvTF5bbaF+7MMsW/pjw5VOF8
|
|
||||||
+lmNqhsCFdu+JsaTFBIB2Fg==</ds:SignatureValue>
|
|
||||||
<ds:KeyInfo>
|
|
||||||
<ds:KeyValue>
|
|
||||||
<ds:RSAKeyValue>
|
|
||||||
<ds:Modulus>
|
|
||||||
-kFdwsiC6iQaLK1hI6uCZTp837UNcrh5qq68UYxqzC6FxE8Pi1e1KzwIbE8/z9UUylyvLTiV88Dea
|
|
||||||
-nAOKzjuGy+YuoYlWZ9K6+QOw/H4jfbmHhaobMRXyR+22QlKLwPRAsqT3Cx4D4EfOgGlTp7m5aYap
|
|
||||||
-9YmBtmVxS5goIgTacv8=
|
|
||||||
+4hL9YBMYwmy/s6+CuOliYBbdGaiNWnhweLTXsd6VZVnlp1ffNKWN5yalvVRBwE3M
|
|
||||||
+QNvXm06c07vTw73h8UtaJZF+NhZrVBg4uRnqQcBHbIlOSEE1CXfboroGcmRagKwS
|
|
||||||
+uRdrXrTz7r6tdH70pyEH+UtJjcOqHwvo3uyoT7HIPVnwczeYez0IzhysikI9pnzT
|
|
||||||
+/I18E+o8DZm/i4gGvBIXfas+eHVyIm4gpCCOcJA5ooLaP5WzK2C2GuIjQ9VHMLtY
|
|
||||||
+8AlF5Brrk3+LvbWMbqs95zBVwJL0bpyYb6ymroYRFR7ucVV01nmxHM2wa4OkR2Z4
|
|
||||||
+JLWkI+1baG5+by+q+3D1mQ==
|
|
||||||
</ds:Modulus>
|
|
||||||
-<ds:Exponent>AQAB</ds:Exponent>
|
|
||||||
+<ds:Exponent>
|
|
||||||
+AQAB
|
|
||||||
+</ds:Exponent>
|
|
||||||
</ds:RSAKeyValue>
|
|
||||||
</ds:KeyValue>
|
|
||||||
<ds:X509Data>
|
|
||||||
-<ds:X509Certificate>
|
|
||||||
-MIICZTCCAc6gAwIBAgIEScn+qTANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJGUjEQMA4GA1UE
|
|
||||||
-ChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNhdCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9u
|
|
||||||
-bmVlcyBkZSBsYSBmZWRlcmF0aW9uIEVkdWNhdGlvbi1SZWNoZXJjaGUwHhcNMDkwMzI1MDk1MTM3
|
|
||||||
-WhcNMTkwMzIzMDk1MTM3WjB3MQswCQYDVQQGEwJGUjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UE
|
|
||||||
-AxNNQ2VydGlmaWNhdCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0
|
|
||||||
-aW9uIEVkdWNhdGlvbi1SZWNoZXJjaGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJBXcLIg
|
|
||||||
-uokGiytYSOrgmU6fN+1DXK4eaquvFGMaswuhcRPD4tXtSs8CGxPP8/VFMpcry04lfPA3mpwDis47
|
|
||||||
-hsvmLqGJVmfSuvkDsPx+I325h4WqGzEV8kfttkJSi8D0QLKk9wseA+BHzoBpU6e5uWmGqfWJgbZl
|
|
||||||
-cUuYKCIE2nL/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAT0rUS5GTtqW9a0pAv0PjieSS6bW3KG3M
|
|
||||||
-tn0jC1dmav6X9fbhhmFL1XSC9WnCU2UD3986EWWYKhN2INHghHE/fQGveVwdcVSSt601OpAsUF18
|
|
||||||
-tx0vHqkfShcj7mteq59Gv4hOE8U1Urd/pSRaIO3G42X6/L/AlXeDkicfGZHhq7Q=
|
|
||||||
-</ds:X509Certificate>
|
|
||||||
+<ds:X509Certificate>MIID6zCCAdMCFALT+lN2uLJWF7p2xOo65/5KwxixMA0GCSqGSIb3DQEBCwUAMEUx
|
|
||||||
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
|
|
||||||
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwIBcNMTkwNjExMDc0NTU2WhgPMjI5MzAzMjUw
|
|
||||||
+NzQ1NTZaMB0xCzAJBgNVBAYTAkZSMQ4wDAYDVQQDDAVMYXNzbzCCASIwDQYJKoZI
|
|
||||||
+hvcNAQEBBQADggEPADCCAQoCggEBAOIS/WATGMJsv7OvgrjpYmAW3RmojVp4cHi0
|
|
||||||
+17HelWVZ5adX3zSljecmpb1UQcBNzEDb15tOnNO708O94fFLWiWRfjYWa1QYOLkZ
|
|
||||||
+6kHAR2yJTkhBNQl326K6BnJkWoCsErkXa1608+6+rXR+9KchB/lLSY3Dqh8L6N7s
|
|
||||||
+qE+xyD1Z8HM3mHs9CM4crIpCPaZ80/yNfBPqPA2Zv4uIBrwSF32rPnh1ciJuIKQg
|
|
||||||
+jnCQOaKC2j+VsytgthriI0PVRzC7WPAJReQa65N/i721jG6rPecwVcCS9G6cmG+s
|
|
||||||
+pq6GERUe7nFVdNZ5sRzNsGuDpEdmeCS1pCPtW2hufm8vqvtw9ZkCAwEAATANBgkq
|
|
||||||
+hkiG9w0BAQsFAAOCAgEAfbHk+QNvLYDNlqwwlu5+88/3CcEx+s1voXOBTxgyIAR2
|
|
||||||
+NVKkO7dAW5me51jPPZhy+xC4i+AAeLW5JGwirM5LDgU+9P02JBsZ4OoZI3pBAZ5m
|
|
||||||
+GrmxrMm6q+9mJ+6bMHolfBNN6hoaWeJiknvc1Id7o0Dh4PbdV7r6ISuXisDb/1je
|
|
||||||
+tmzxoFuXhmDwwHMTG7eUORVFEgS8V5NNKMv16BeWNDohJVP6icxwoi5JswUl+vfO
|
|
||||||
+rvIwx2GAJ2EQAbSZv5ADFQ4/vxeopULgLnblc3BwVG4RTT7plNgT2iXP8YwmEGKb
|
|
||||||
+JDHRVFUo1tX6EKkBUI9AgETrdUnLq6XxP11JmrqNL9oOHw+hGb5vT1wyn6FFxZo2
|
|
||||||
+BVgfqdiGbjcs1bTKeQAZKuhaW90oV6+yYD6WtWn/LfHnftAJivALkmUk+XaSqqbO
|
|
||||||
+FxuyRsz9C/yq0azr6IkCWhGwBYoLvf2CrvovSYpPXefeQ+1yXNDW7bvfAQfOO9xk
|
|
||||||
+SqQi4cYJw9hNqTk2f61x6UX/o8wKVhXEHyaCr9lVLNpCK0Uy07f3zkubx1mW5PST
|
|
||||||
+ITSnD8sPD7iMyGOJa5tQJ8W5u2NJT6qo52Jubgc8PapkOoYyEhUaTQEb8RN6D3oD
|
|
||||||
+xc8cCKn4HUtpkJKgxYhQDtsomJp2RK7lzjVPXAlFUmld88WgqdJwp9GSvMEktA0=</ds:X509Certificate>
|
|
||||||
</ds:X509Data>
|
|
||||||
</ds:KeyInfo>
|
|
||||||
</ds:Signature>
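Review bot: The re-signed fixture still uses `rsa-sha1` (the SignatureMethod is context in the previous hunk) and a SHA-1 digest — the unchanged `<ds:DigestValue>AIDrFyG3G6IpXdapls2LeP2Awt8=</ds:DigestValue>` on the first line of this hunk decodes to 20 bytes — so this test only ever exercises SHA-1 metadata signatures. On a system whose crypto policy refuses SHA-1 signatures the verification fails before the new key is even consulted, and the test turns red for a reason unrelated to lasso; a second copy signed with `rsa-sha256` and a SHA-256 DigestMethod, or at least a comment in the test that loads this file naming the SHA-1 dependency, would make that explicit. Keeping the old DigestValue while the root element's line breaks and attribute order change in later hunks is only correct because those edits are invariant under the exclusive C14N declared in SignedInfo; that is worth confirming (e.g. `xmlsec1 --verify` against rootCA.crt) and stating in the commit message rather than left implicit. The enclosing EntitiesDescriptor runs far beyond this hunk.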
|
|
||||||
@@ -1277,7 +1292,7 @@ Ugr24VE4pUTqq2xGSOazVN0EKSqULXvM9ZHupGDCJmRH4P3H/X4w8Cq5Y6c0pDtJ
|
|
||||||
|
|
||||||
<!-- source : http://idpdisc.tge-adonis.fr/exportmetadata.xml -->
|
|
||||||
|
|
||||||
- <EntityDescriptor entityID="https://opensso.tge-adonis.fr:8443/opensso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
|
|
||||||
+ <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://opensso.tge-adonis.fr:8443/opensso">
|
|
||||||
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
||||||
<KeyDescriptor use="signing">
|
|
||||||
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
||||||
@@ -8584,7 +8599,7 @@ f6ou5oRTltOZOUJfXI1XMhAUNnU7zQvrFeoGrRzGv3zq8AieXbRyWhXY1Eo1mPpS
|
|
||||||
$Id: renater.xml,v 1.4 2011/03/30 13:23:00 rdc Exp $
|
|
||||||
generated at Wed Mar 30 14:18:20 2011
|
|
||||||
by %Id: shib-config,v 1.6 2010/09/10 15:10:15 pmh Exp %
|
|
||||||
- --><EntityDescriptor entityID="https://ticket.iop.org/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
|
|
||||||
+ --><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ticket.iop.org/shibboleth">
|
|
||||||
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
|
|
||||||
<KeyDescriptor use="signing">
|
|
||||||
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
||||||
@@ -15545,7 +15560,7 @@ oZQx
|
|
||||||
|
|
||||||
<!-- source : http://science.thomsonreuters.com/m/xml/SP-Metadata.xml -->
|
|
||||||
|
|
||||||
- <!-- Thomson Reuters 23.08.2010 --><!-- *************************************** --><!-- SP https://sp.tshhosting.com/shibboleth --><!-- *************************************** --><EntityDescriptor entityID="https://sp.tshhosting.com/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
|
|
||||||
+ <!-- Thomson Reuters 23.08.2010 --><!-- *************************************** --><!-- SP https://sp.tshhosting.com/shibboleth --><!-- *************************************** --><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.tshhosting.com/shibboleth">
|
|
||||||
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
|
|
||||||
<Extensions>
|
|
||||||
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://www.isiknowledge.com/" index="1"/>
|
|
||||||
@@ -30065,4 +30080,4 @@ ihb/MX5UR6g83EMmqZsFt57ANEORMNQywxFa4Q==
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
-</EntitiesDescriptor>
|
|
||||||
\ No newline at end of file
|
|
||||||
+</EntitiesDescriptor>
|
|
||||||
diff --git a/tests/data/rootCA.crt b/tests/data/rootCA.crt
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..a31c99a2
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/rootCA.crt
|
|
||||||
@@ -0,0 +1,32 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIFbTCCA1WgAwIBAgIUJD9pAmQfrAv6NLPnweO4XUdIbzkwDQYJKoZIhvcNAQEL
|
|
||||||
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
|
|
||||||
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0xOTA2MTEwNzQzNTVaGA8yMjkz
|
|
||||||
+MDMyNTA3NDM1NVowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
|
|
||||||
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcN
|
|
||||||
+AQEBBQADggIPADCCAgoCggIBAJuPnHwxmpRquFkFok4VkO39j5NT2a8+Wfp8zYnh
|
|
||||||
+qLt3CG3oDyFftWyF97NJYoxDPbio2fVYJiBKutDOMYPsJfrd4SoqcDOGOAdfkNl9
|
|
||||||
+SEhCnzrzlOj6ZcDoNTG0IvKh+NzLgfpU1wggyLW2ZXwvwf8hNGW9YR1i8XY5TSmt
|
|
||||||
+0z9Dawsg2QAyYjoemUeDOVWEFWISmXySC2osXGANcOaaFMEv1Ryj5HWHzcCVZZ0g
|
|
||||||
+UBG9iDZqewDvPg+SRvC2k16coeRjsSstHzVqBxOWpp5Oium39K8jXV6jG+JkFn49
|
|
||||||
+C2RBldpajbPhvHKOdtJeID20njgmfCRZB/KfQGPPf8xXk4wBTxPU9L8wKy370unZ
|
|
||||||
+P4WD1vq35KfPsiUdlavzqYkOkI20iWIZO6853oSPlJ4zmBVNXP8VhQm0h2VovNH+
|
|
||||||
+Zde4vaPtQXPwwNbCvBItu5m1uaigPgRycBJV8M0gdliAICfCMeSwQDrhkX6ck17n
|
|
||||||
+uBpxBTCn9GEFN/+7miNH/roH03NHU3vciqTAi1MrDA3jfOZkYBC/Cd5AmsMc6NTO
|
|
||||||
+Xc57mFwuZ+BmQI6w1ddL5e+5Y/DA57VexfTdG+/TpS+D9oBJUmaczkAG+27YKs8f
|
|
||||||
+mJKoTSPULjXK8pwwcBMk8HuS5bt6fBBmqbJb8bwXceEHCBg7WCYNmXy5lXwUUwAh
|
|
||||||
+NDwDAgMBAAGjUzBRMB0GA1UdDgQWBBRWppx3mP/hCh9ZLKZfwGBeg1wiPjAfBgNV
|
|
||||||
+HSMEGDAWgBRWppx3mP/hCh9ZLKZfwGBeg1wiPjAPBgNVHRMBAf8EBTADAQH/MA0G
|
|
||||||
+CSqGSIb3DQEBCwUAA4ICAQAWfNrX65UUI55f0A8svSIUVy8c7YjX8P70xMWq7Cpe
|
|
||||||
+tRPo8C98JCr8MtUaAx6VFx4sjHyCPmEIIf+u7aDxRhrxpqAQAQl5me8OxqwmOxKu
|
|
||||||
+I7WeRrjAvOux52xfjqtm36fx9SUDu94ox5LdG+NNtG29AbLZeAs4pe4qVqH1GQb9
|
|
||||||
+fw3lvxwKV+AovpVZ7eXyscfSvKWi4rgzVJl27me/rgLZsVYJ2gAjTI77vGN1G0ro
|
|
||||||
+q2iaTvEALHlzhKepVg1IAJAGJLSZegcK3zwWOqZzkL77De6Z3+zbxwNopcy/CGEs
|
|
||||||
+9v9gDyL1LeAJ3o/dehvPiqMWogTVO6X77sNIiiu41sdaWSTiFllmyO+hQqS69R68
|
|
||||||
+NOe+uAP1+taLhD16kp7XHS0MIXEPaQbEgrXtqb163oMJSAaok3xXNyRJ7ZNMS4CT
|
|
||||||
+0QJE15PpnbRYoQOf4QrrsDmpl2ybU7MR9uOj64qVSvUtBcq1w7ljPStbkN7F7OOU
|
|
||||||
+pepVvNaWe820kgQ/l9tu1WY9D7PFGP6iWY4AwdxcpWwlJnIr104X3PQ0Y5/msYVs
|
|
||||||
+zEnqaNiEOnbmTZUvn5jJOwh8DWUo+LffRQx/PoZlhZ/L/L3RtpGUV2E+E5Gzqs7W
|
|
||||||
+gey9iG11CVcvK/wdCj0zhW/XpesQuwinIMawGS6G92igHo+AFjJoGaGiw3jYdep8
|
|
||||||
+CA==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/tests/data/rootCA.key b/tests/data/rootCA.key
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..6b39fb45
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/rootCA.key
|
|
||||||
@@ -0,0 +1,51 @@
|
|
||||||
+-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
+MIIJJwIBAAKCAgEAm4+cfDGalGq4WQWiThWQ7f2Pk1PZrz5Z+nzNieGou3cIbegP
|
|
||||||
+IV+1bIX3s0lijEM9uKjZ9VgmIEq60M4xg+wl+t3hKipwM4Y4B1+Q2X1ISEKfOvOU
|
|
||||||
+6PplwOg1MbQi8qH43MuB+lTXCCDItbZlfC/B/yE0Zb1hHWLxdjlNKa3TP0NrCyDZ
|
|
||||||
+ADJiOh6ZR4M5VYQVYhKZfJILaixcYA1w5poUwS/VHKPkdYfNwJVlnSBQEb2INmp7
|
|
||||||
+AO8+D5JG8LaTXpyh5GOxKy0fNWoHE5amnk6K6bf0ryNdXqMb4mQWfj0LZEGV2lqN
|
|
||||||
+s+G8co520l4gPbSeOCZ8JFkH8p9AY89/zFeTjAFPE9T0vzArLfvS6dk/hYPW+rfk
|
|
||||||
+p8+yJR2Vq/OpiQ6QjbSJYhk7rznehI+UnjOYFU1c/xWFCbSHZWi80f5l17i9o+1B
|
|
||||||
+c/DA1sK8Ei27mbW5qKA+BHJwElXwzSB2WIAgJ8Ix5LBAOuGRfpyTXue4GnEFMKf0
|
|
||||||
+YQU3/7uaI0f+ugfTc0dTe9yKpMCLUysMDeN85mRgEL8J3kCawxzo1M5dznuYXC5n
|
|
||||||
+4GZAjrDV10vl77lj8MDntV7F9N0b79OlL4P2gElSZpzOQAb7btgqzx+YkqhNI9Qu
|
|
||||||
+NcrynDBwEyTwe5Llu3p8EGapslvxvBdx4QcIGDtYJg2ZfLmVfBRTACE0PAMCAwEA
|
|
||||||
+AQKCAgBPPweu1O40cXFcGFyofqAIPUWo/exFM/ROgMmMViLI7UikBLXAgKtBj7Wx
|
|
||||||
+5c6IObD1oz71l2REyw0EViYvWFu4wtNz0Y67EML2Lp7xzLrH5PiM5Y2UagrwDNsc
|
|
||||||
+aPHsvMq0YA/k4NdyUpEs0LA+ZW3kdJvmwGT6vW7YlTRT6TNWZRfg4WjqisAzb2cS
|
|
||||||
+YS0R/WmPPn5mUVfzTIn6fJ5pO1EbYSylnHBD11zfoLvVIaLohq8fWXsz7Kym7hOp
|
|
||||||
+iLjmV9C5MngM0L23Tj4womxa9RQbIBVMKy3jiiAoYmh7AsoM1sRqKftKCdMgYKbz
|
|
||||||
+X/P4u0xmumQ/eANue+YncoteI7cLrjps1RUeodmRgxLt0KHbTW4X35Fd6yI+Nxts
|
|
||||||
+13aA6J/WusELQYigBXG3cHOfxfOMkqjdVozReF+QzsAJFXQwV4lQhsdlkVjnMWB9
|
|
||||||
+iotUVj9X8SWHktBnCHmuyuQoyJIxwM6cBLv1bJCpdiGcJJrtPgTwI3ybjVDlsVpE
|
|
||||||
+A2EaWiH2UDnzmI2OXy2BaOmLoYzV3kYLhd1zG2q2rLDd70kzOHJJmTOp8xFzZVOA
|
|
||||||
+74IbdWb6J3C6o7F8IFK+1strw6ADDINEyg+zoIbNUGVyvGI90Xak+7k8KgGWSplw
|
|
||||||
+318k0xyh6hu9HU/wWHE2WObjIWKnzDHnt917dJkyMazyC2x3wQKCAQEAy4gAWJNM
|
|
||||||
+/mVa4sr2NLUNPQpVfxhSF/jhxdD3b5Z5A/PD+spUcF1WZSpBj8BmNOWilJ2pBMkv
|
|
||||||
+Yp7o2s4MbLIFx1HMgVI/cTo1/kk8hvCBdX9n1Dum3dRNTaxBUaZNDdBZ61b4an/V
|
|
||||||
+lrK20Tx3RY23qInoOUsBFENF+UJUAkujXH3tBv5d//yfX9z75sesQl/HKVr1UAI6
|
|
||||||
+I7a76sO+0bCnDAxooIQH0sLzmWa9JliiFd8gWeY7Yd+/jCw4toptkgtXUUm1dFLL
|
|
||||||
+8s7Eah+P0ORZ17+eBWub/4gOzbgfOh4EKNU/lLI9r2L6RH0F9C3Symm6mu7EBpEC
|
|
||||||
+SzDyHnYqzpAh8wKCAQEAw6nSmp+HBz7AhW+tEiXt1KjvCRgslVMGQ/UTFbU8TqLd
|
|
||||||
+rECn5wKO45EHV4at6jazJUhwIBVty39duiOmmEWOtpCxX3OgdM11s8/LACXv4/B4
|
|
||||||
+pWHqzhJgrwISOLLoxEoM+A3odXoEw95phOy7seBkVxJ6Idq3obpZli0ilDHfFT2R
|
|
||||||
+B+kANrCI5D9d43XdoEBaS6EWvd0TrIbkrfwWrQtbmGuXsmj/ZpOntPixUaZO+go1
|
|
||||||
+P0eDrUZlRcfVWBGNRiEHiGr0InOWrK93OtjoGB3SjtnQkRP5JJSN/2QOCw7LvmZj
|
|
||||||
+GA/KdQxef0Rh5cKLd3LBzwTzGwl+4MMME+WL0M3xsQKCAQAg8bKco7sismUzsIaJ
|
|
||||||
+oYSzDKkqGVWwa6ifzGNAvKp56UsfnQBt7628UkqqagohJcpbI+nnzGjPHcmzIQcB
|
|
||||||
+0Q7+ZE8l35pFSZbTwib58JQD4Mt9nuozndmlaOxpuvFd+wuS/FDZbDe2XNcapx7n
|
|
||||||
+Mzk3HptoKqvSC9GXtxTCClw27GshZqrwdIOXkL11bXyEgdxK5V4vxSyD+2APb//D
|
|
||||||
+EUT4vklxMe3SP5wOiIK1YkNaJvOlmY6jGQR4O/AyG9YAfbV0gunMGlrIwo8oXlN5
|
|
||||||
+DH0+XtXFKtXlVrCOu+7SCWnC8kGIYBF8AhlgXJxKGeC0wshhq6QvK+mjIhkOtTHY
|
|
||||||
+nZvhAoIBAHbQBKcIAAKSRG3CpqHCjmz4OE6Zc1kplUBm7TPdXcWSeHFEwbAxiXr+
|
|
||||||
+cirgCXOTy6z0E8InwQg1S0DgrSUB9+s8abjAicrjiHmr0GVCpC0RtPEYSHDiD/u1
|
|
||||||
+kkMDwPyQytdF+sZ7VbFquUCSUFdvHv8QpUExgxieBBCBT+IVdpV7UTowboTHJhkT
|
|
||||||
+sXuR8waAjVQneZvJR00YjHxp+4sQvooLq44W3B/5wXjPGz2tc3+5+yN11au+d3is
|
|
||||||
+JAzae6L+I4jfCWhyMCikVA5T8HvUgCtmcJPoQP3Jh4BxzWVBks8HdV0DGbmBzVAS
|
|
||||||
+wi+2tuHNuYpwQv9EANuTFR5v4TrmE8ECggEAMXp5rfHt2hKLtkIwqYE7C8IVGQ9q
|
|
||||||
+BcjKAJSuDYkyBpfSp9uxkiyvnND5tEj0uOcMCVZlntSIxWx+HXFu5rL0Ax5ZmSal
|
|
||||||
+uoWpwDXbKYgHF9zlGXqYulsODqZC0cjJpUogXFC0B4pRDUVzuZXO9ACuS5azXYqh
|
|
||||||
+G6Rw0O6rDTHVgkmazJtxreO8v4NpfIbBbFfQgU5xeHdS6ky9LqG+yUKJ5FWkGWcU
|
|
||||||
+SqpZX3yxXM4q/cA1KBN31K3V2xvjVPcEwzkZDGDbLg33DASVF7RV/WYymhDuxE+w
|
|
||||||
+vHDz9Q7dk4pTzCdNiQgomBSjOkLDKWuOvaInQwYWJgavpPGWr31hDyi5Kw==
|
|
||||||
+-----END RSA PRIVATE KEY-----
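Review bot: A CA private key (4096-bit RSA, unencrypted PKCS#1) is being committed here together with rootCA.srl and lasso.csr, although only rootCA.crt, lasso.crt and lasso.key look like they are consumed at test time — the CA key, serial file and CSR are issuance-time artefacts (inferred; the test harness is not in this view). If the intent is to be able to re-issue test leaves, keep them and say so; otherwise drop rootCA.key and rootCA.srl so the trust anchor cannot be used to mint further certificates outside the test suite. Either way a one-line `tests/data/README` such as `All keys in this directory are public test material; never use them outside the test suite.` would prevent accidental reuse, and the same note covers lasso.key a few hunks earlier. The CA certificate in the preceding hunk carries critical `basicConstraints CA:TRUE` and matching subject/authority key identifiers, which is the right shape for a test root.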
|
|
||||||
diff --git a/tests/data/rootCA.srl b/tests/data/rootCA.srl
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..8c619f27
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/rootCA.srl
|
|
||||||
@@ -0,0 +1 @@
|
|
||||||
+02D3FA5376B8B25617BA76C4EA3AE7FE4AC318B1
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,329 +0,0 @@
|
|||||||
From 642182bdf49c9c93a86b093ad7335c8a7a5ae8cc Mon Sep 17 00:00:00 2001
|
|
||||||
From: John Dennis <jdennis@redhat.com>
|
|
||||||
Date: Wed, 9 Jan 2019 17:23:09 -0500
|
|
||||||
Subject: [PATCH] Fix ECP signature not found error when only assertion is
|
|
||||||
signed (#26828)
|
|
||||||
|
|
||||||
With a SAML Authn Response either the message or the assertion
|
|
||||||
contained in the response message or both can be signed. Most IdP's
|
|
||||||
sign the message. This fixes a bug when processing an ECP authn
|
|
||||||
response when only the assertion is signed.
|
|
||||||
|
|
||||||
lasso_saml20_profile_process_soap_response_with_headers() performs a
|
|
||||||
signature check on the SAML message. A signature can also appear on
|
|
||||||
the assertion which is checked by
|
|
||||||
lasso_saml20_login_process_response_status_and_assertion() The problem
|
|
||||||
occurred when the message was not signed and
|
|
||||||
lasso_saml20_profile_process_soap_response_with_headers() returned
|
|
||||||
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
|
|
||||||
actually an error because we haven't checked the signature on the
|
|
||||||
assertion yet. We were returning the first
|
|
||||||
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
|
|
||||||
signature check in
|
|
||||||
lasso_saml20_login_process_response_status_and_assertion() succeeded.
|
|
||||||
|
|
||||||
The ECP unit tests were enhanced to cover these cases.
|
|
||||||
|
|
||||||
The enhanced unit test revealed a problem in two switch statements
|
|
||||||
operating on the return value of
|
|
||||||
lasso_profile_get_signature_verify_hint() which were missing a case
|
|
||||||
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
|
|
||||||
an abort due to an unknown enumeration value.
|
|
||||||
|
|
||||||
Fixes Bug: 26828
|
|
||||||
License: MIT
|
|
||||||
Signed-off-by: John Dennis <jdennis@redhat.com>
|
|
||||||
---
|
|
||||||
lasso/saml-2.0/login.c | 29 ++++++++----
|
|
||||||
lasso/saml-2.0/profile.c | 2 +
|
|
||||||
tests/login_tests_saml2.c | 97 +++++++++++++++++++++++++++++----------
|
|
||||||
3 files changed, 95 insertions(+), 33 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
|
|
||||||
index 028ffb31..91ff302d 100644
|
|
||||||
--- a/lasso/saml-2.0/login.c
|
|
||||||
+++ b/lasso/saml-2.0/login.c
|
|
||||||
@@ -1107,18 +1107,31 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
|
|
||||||
{
|
|
||||||
LassoSoapHeader *header = NULL;
|
|
||||||
LassoProfile *profile;
|
|
||||||
- int rc1, rc2;
|
|
||||||
+ int rc;
|
|
||||||
|
|
||||||
lasso_null_param(msg);
|
|
||||||
|
|
||||||
profile = LASSO_PROFILE(login);
|
|
||||||
|
|
||||||
- rc1 = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
|
|
||||||
+ /*
|
|
||||||
+ * lasso_saml20_profile_process_soap_response_with_headers()
|
|
||||||
+ * performs a signature check on the SAML message. A signature
|
|
||||||
+ * can also appear on the assertion which is checked by
|
|
||||||
+ * lasso_saml20_login_process_response_status_and_assertion()
|
|
||||||
+ * (below). Therefore if the error is SIGNATURE_NOT_FOUND we
|
|
||||||
+ * proceed because
|
|
||||||
+ * lasso_saml20_login_process_response_status_and_assertion()
|
|
||||||
+ * will test the signature on the assertion.
|
|
||||||
+ */
|
|
||||||
+ rc = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
|
|
||||||
+ if (rc != 0 && rc != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
|
|
||||||
+ return rc;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If the SOAP message contained a header check for the optional
|
|
||||||
- * paos:Response and ecp:RelayState elements, if they exist extract their
|
|
||||||
- * values into the profile.
|
|
||||||
+ * paos:Response and ecp:RelayState elements, if they exist extract their
|
|
||||||
+ * values into the profile.
|
|
||||||
*/
|
|
||||||
if (header) {
|
|
||||||
GList *i = NULL;
|
|
||||||
@@ -1142,12 +1155,8 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
|
|
||||||
lasso_release_gobject(header);
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
|
|
||||||
- if (rc1) {
|
|
||||||
- return rc1;
|
|
||||||
- }
|
|
||||||
- return rc2;
|
|
||||||
-
|
|
||||||
+ rc = lasso_saml20_login_process_response_status_and_assertion(login);
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
|
|
||||||
index 8171e79e..22a4e08c 100644
|
|
||||||
--- a/lasso/saml-2.0/profile.c
|
|
||||||
+++ b/lasso/saml-2.0/profile.c
|
|
||||||
@@ -398,6 +398,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char
|
|
||||||
|
|
||||||
switch (lasso_profile_get_signature_verify_hint(profile)) {
|
|
||||||
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
|
|
||||||
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
|
|
||||||
rc = profile->signature_status;
|
|
||||||
break;
|
|
||||||
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
|
|
||||||
@@ -1559,6 +1560,7 @@ lasso_saml20_profile_process_soap_response_with_headers(LassoProfile *profile,
|
|
||||||
remote_provider, response_msg, "ID", LASSO_MESSAGE_FORMAT_SOAP);
|
|
||||||
switch (lasso_profile_get_signature_verify_hint(profile)) {
|
|
||||||
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
|
|
||||||
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
|
|
||||||
rc = profile->signature_status;
|
|
||||||
break;
|
|
||||||
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
|
|
||||||
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
|
|
||||||
index 54c7fb63..e331c07a 100644
|
|
||||||
--- a/tests/login_tests_saml2.c
|
|
||||||
+++ b/tests/login_tests_saml2.c
|
|
||||||
@@ -1090,42 +1090,42 @@ START_TEST(test08_test_authnrequest_flags)
|
|
||||||
make_context(sp_context, "sp5-saml2", "", LASSO_PROVIDER_ROLE_IDP, "idp5-saml2", "")
|
|
||||||
|
|
||||||
block_lasso_logs;
|
|
||||||
- sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
- (SsoSettings) {
|
|
||||||
+ sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
+ (SsoSettings) {
|
|
||||||
.use_assertion_consumer_service_idx = 1,
|
|
||||||
.assertion_consumer_service_idx = 0,
|
|
||||||
.stop_after_build_assertion = 1,
|
|
||||||
});
|
|
||||||
- sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
- (SsoSettings) {
|
|
||||||
+ sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
+ (SsoSettings) {
|
|
||||||
.assertion_consumer_service_url = "http://sp5/singleSignOnPost",
|
|
||||||
.stop_after_build_assertion = 1,
|
|
||||||
});
|
|
||||||
- sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
- (SsoSettings) {
|
|
||||||
+ sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
+ (SsoSettings) {
|
|
||||||
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
|
|
||||||
.stop_after_build_assertion = 1,
|
|
||||||
});
|
|
||||||
- sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
- (SsoSettings) {
|
|
||||||
+ sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
+ (SsoSettings) {
|
|
||||||
.assertion_consumer_service_url = "http://sp5/singleSignOnPost",
|
|
||||||
.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
|
|
||||||
.stop_after_build_assertion = 1,
|
|
||||||
});
|
|
||||||
- sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
- (SsoSettings) {
|
|
||||||
+ sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
+ (SsoSettings) {
|
|
||||||
.assertion_consumer_service_url = "http://sp5/singleSignOnArtifact",
|
|
||||||
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
|
|
||||||
.stop_after_build_assertion = 1,
|
|
||||||
});
|
|
||||||
- sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
- (SsoSettings) {
|
|
||||||
+ sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
+ (SsoSettings) {
|
|
||||||
.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
|
|
||||||
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
|
|
||||||
.stop_after_build_assertion = 1,
|
|
||||||
});
|
|
||||||
- sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
- (SsoSettings) {
|
|
||||||
+ sso_initiated_by_sp2(idp_context, sp_context,
|
|
||||||
+ (SsoSettings) {
|
|
||||||
.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
|
|
||||||
.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
|
|
||||||
.stop_after_build_assertion = 1,
|
|
||||||
@@ -1278,7 +1278,9 @@ static void validate_idp_list(LassoEcp *ecp, EcpIdpListVariant ecpIDPListVariant
|
|
||||||
check_str_equals((char*)g_list_nth(ecp->known_idp_entity_ids_supporting_ecp, 0)->data, "http://idp5/metadata");
|
|
||||||
}
|
|
||||||
|
|
||||||
-void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
+void test_ecp(EcpIdpListVariant ecpIDPListVariant,
|
|
||||||
+ LassoProfileSignatureHint signature_hint,
|
|
||||||
+ LassoProfileSignatureVerifyHint signature_verify_hint)
|
|
||||||
{
|
|
||||||
char *serviceProviderContextDump = NULL, *identityProviderContextDump = NULL;
|
|
||||||
LassoServer *spContext = NULL, *ecpContext=NULL, *idpContext = NULL;
|
|
||||||
@@ -1286,7 +1288,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
LassoEcp *ecp = NULL;
|
|
||||||
LassoSamlp2AuthnRequest *request = NULL;
|
|
||||||
gboolean is_passive = FALSE;
|
|
||||||
- char *provider_name = NULL;
|
|
||||||
+ char *provider_name = NULL;
|
|
||||||
char *relayState = NULL;
|
|
||||||
char *messageID = NULL;
|
|
||||||
char *extracted_messageID = NULL;
|
|
||||||
@@ -1296,7 +1298,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
char *ecpPaosResponseMsg = NULL;
|
|
||||||
char *spLoginDump = NULL;
|
|
||||||
LassoSaml2Assertion *assertion;
|
|
||||||
- LassoSamlp2IDPList *idp_list = NULL;
|
|
||||||
+ LassoSamlp2IDPList *idp_list = NULL;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP
|
|
||||||
@@ -1322,6 +1324,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
|
|
||||||
spLoginContext = lasso_login_new(spContext);
|
|
||||||
check_not_null(spLoginContext);
|
|
||||||
+ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
|
|
||||||
+ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
|
|
||||||
|
|
||||||
check_good_rc(lasso_login_init_authn_request(spLoginContext, "http://idp5/metadata",
|
|
||||||
LASSO_HTTP_METHOD_PAOS));
|
|
||||||
@@ -1419,6 +1423,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
|
|
||||||
idpLoginContext = lasso_login_new(idpContext);
|
|
||||||
check_not_null(idpLoginContext);
|
|
||||||
+ lasso_profile_set_signature_hint(LASSO_PROFILE(idpLoginContext), signature_hint);
|
|
||||||
+ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(idpLoginContext), signature_verify_hint);
|
|
||||||
|
|
||||||
/* Parse the ecpSoapRequestMsg */
|
|
||||||
check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext, ecpSoapRequestMsg));
|
|
||||||
@@ -1465,7 +1471,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
check_str_equals(ecp->relaystate, relayState);
|
|
||||||
check_str_equals(ecp->issuer->content, "http://sp5/metadata");
|
|
||||||
check_str_equals(ecp->provider_name, provider_name);
|
|
||||||
- check_equals(ecp->is_passive, is_passive);
|
|
||||||
+ check_equals(ecp->is_passive, is_passive);
|
|
||||||
|
|
||||||
/* Validate ECP IdP list info */
|
|
||||||
validate_idp_list(ecp, ecpIDPListVariant, idp_list);
|
|
||||||
@@ -1480,6 +1486,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
|
|
||||||
spLoginContext = lasso_login_new(spContext);
|
|
||||||
check_not_null(spLoginContext);
|
|
||||||
+ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
|
|
||||||
+ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
|
|
||||||
|
|
||||||
/* Parse the ecpPaosResponseMsg */
|
|
||||||
check_good_rc(lasso_login_process_paos_response_msg(spLoginContext, ecpPaosResponseMsg));
|
|
||||||
@@ -1515,19 +1523,61 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
|
|
||||||
|
|
||||||
START_TEST(test09_ecp)
|
|
||||||
{
|
|
||||||
- test_ecp(ECP_IDP_LIST_NONE);
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
|
|
||||||
}
|
|
||||||
END_TEST
|
|
||||||
|
|
||||||
START_TEST(test10_ecp)
|
|
||||||
{
|
|
||||||
- test_ecp(ECP_IDP_LIST_ECP);
|
|
||||||
+ test_ecp(ECP_IDP_LIST_ECP,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
|
|
||||||
}
|
|
||||||
END_TEST
|
|
||||||
|
|
||||||
START_TEST(test11_ecp)
|
|
||||||
{
|
|
||||||
- test_ecp(ECP_IDP_LIST_BOGUS);
|
|
||||||
+ test_ecp(ECP_IDP_LIST_BOGUS,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
|
|
||||||
+}
|
|
||||||
+END_TEST
|
|
||||||
+
|
|
||||||
+START_TEST(test12_ecp)
|
|
||||||
+{
|
|
||||||
+ /* Maybe Sign */
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
|
|
||||||
+
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
|
|
||||||
+
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
|
|
||||||
+
|
|
||||||
+ /* Force Sign */
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_FORCE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
|
|
||||||
+
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_FORCE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
|
|
||||||
+
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_FORCE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
|
|
||||||
+
|
|
||||||
+ /* Forbid Sign */
|
|
||||||
+ test_ecp(ECP_IDP_LIST_NONE,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_HINT_FORBID,
|
|
||||||
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
|
|
||||||
+
|
|
||||||
}
|
|
||||||
END_TEST
|
|
||||||
|
|
||||||
@@ -1538,7 +1588,7 @@ void check_digest_method(G_GNUC_UNUSED LassoLogin *idp_login_context, LassoLogin
|
|
||||||
lasso_release_string(dump)
|
|
||||||
}
|
|
||||||
|
|
||||||
-START_TEST(test12_sso_sp_with_rsa_sha256_signatures)
|
|
||||||
+START_TEST(test13_sso_sp_with_rsa_sha256_signatures)
|
|
||||||
{
|
|
||||||
LassoServer *idp_context = NULL;
|
|
||||||
LassoServer *sp_context = NULL;
|
|
||||||
@@ -1595,7 +1645,8 @@ login_saml2_suite()
|
|
||||||
tcase_add_test(tc_ecp, test09_ecp);
|
|
||||||
tcase_add_test(tc_ecp, test10_ecp);
|
|
||||||
tcase_add_test(tc_ecp, test11_ecp);
|
|
||||||
- tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures);
|
|
||||||
+ tcase_add_test(tc_ecp, test12_ecp);
|
|
||||||
+ tcase_add_test(tc_spLogin, test13_sso_sp_with_rsa_sha256_signatures);
|
|
||||||
return s;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
2.20.1
@ -0,0 +1,30 @@
From f70eee9ef7faa9ccfb6f815977431ae2e02260bc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 Jun 2021 12:23:47 +0200
Subject: [PATCH 6/7] python: Skip the DSA key test unless SHA-1 is configured
(#54037)
lasso supports DSA-XXX only with SHA-1. The alternative is to use
DSA-SHA256.
---
bindings/python/tests/profiles_tests.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
index 6ec612077..501fd9199 100755
--- a/bindings/python/tests/profiles_tests.py
+++ b/bindings/python/tests/profiles_tests.py
@@ -276,6 +276,10 @@ class LoginTestCase(unittest.TestCase):
def test07(self):
'''SAMLv2 SSO with DSA key for the IdP'''
+ default_sign_meth = lasso.getDefaultSignatureMethod()
+ if default_sign_meth != lasso.SIGNATURE_METHOD_RSA_SHA1:
+ self.skipTest("This test requires that lasso is compiled with SHA1 as the default signature method")
+
sp = lasso.Server(
os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
--
2.26.3
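Review bot: The skip guard added before `sp = lasso.Server(` tests the default signature method rather than SHA-1 availability directly, so the link between `lasso.SIGNATURE_METHOD_RSA_SHA1` and a DSA-key test is not evident from the test body. A short comment would keep the intent from being lost, e.g. `# lasso's DSA signing is SHA-1 based (see commit message); a non-SHA-1 default means SHA-1 is unavailable in this build`. The commit message names DSA-SHA256 as the alternative; if that variant is meant to be covered too, the docstring should say this test exercises only the SHA-1 DSA path. test07 continues outside the hunk.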
@ -1,99 +0,0 @@
From 1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
|
||||||
Date: Fri, 28 Jun 2019 02:36:19 +0300
|
|
||||||
Subject: [PATCH] PAOS: Do not populate "Destination" attribute
|
|
||||||
|
|
||||||
When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
|
|
||||||
populates an AuthnRequest with the "Destination" attribute set to
|
|
||||||
AssertionConsumerURL of an SP - this leads to IdP-side errors because
|
|
||||||
the destination attribute in the request does not match the IdP URL.
|
|
||||||
|
|
||||||
The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
|
|
||||||
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
|
|
||||||
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
|
|
||||||
avoid setting that optional attribute because an ECP decides which IdP
|
|
||||||
to use, not the SP.
|
|
||||||
|
|
||||||
Fixes Bug: 34409
|
|
||||||
License: MIT
|
|
||||||
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
|
|
||||||
---
|
|
||||||
lasso/saml-2.0/login.c | 18 +++++++++---------
|
|
||||||
lasso/saml-2.0/profile.c | 10 +++++++++-
|
|
||||||
2 files changed, 18 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
|
|
||||||
index 6e8f7553..0d4bb1da 100644
|
|
||||||
--- a/lasso/saml-2.0/login.c
|
|
||||||
+++ b/lasso/saml-2.0/login.c
|
|
||||||
@@ -222,7 +222,7 @@ _lasso_login_must_verify_signature(LassoProfile *profile) {
|
|
||||||
gint
|
|
||||||
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
|
||||||
{
|
|
||||||
- char *url = NULL;
|
|
||||||
+ char *assertionConsumerServiceURL = NULL;
|
|
||||||
gboolean must_sign = TRUE;
|
|
||||||
LassoProfile *profile;
|
|
||||||
LassoSamlp2AuthnRequest *authn_request;
|
|
||||||
@@ -247,29 +247,29 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* PAOS is special, the url passed to build_request is the
|
|
||||||
* AssertionConsumerServiceURL of this SP, not the
|
|
||||||
- * destination.
|
|
||||||
+ * destination IdP URL. This is done to fill paos:responseConsumerURL
|
|
||||||
+ * appropriately down the line in build_request_msg.
|
|
||||||
+ * See https://dev.entrouvert.org/issues/34409 for more information.
|
|
||||||
*/
|
|
||||||
if (authn_request->AssertionConsumerServiceURL) {
|
|
||||||
- url = authn_request->AssertionConsumerServiceURL;
|
|
||||||
+ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
|
|
||||||
if (!lasso_saml20_provider_check_assertion_consumer_service_url(
|
|
||||||
- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
|
||||||
+ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
|
||||||
rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
|
||||||
+ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
|
||||||
LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
|
|
||||||
- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
|
|
||||||
+ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
|
|
||||||
- login->http_method, url));
|
|
||||||
+ login->http_method, assertionConsumerServiceURL));
|
|
||||||
|
|
||||||
cleanup:
|
|
||||||
return rc;
|
|
||||||
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
|
|
||||||
index 22a4e08c..85f535ae 100644
|
|
||||||
--- a/lasso/saml-2.0/profile.c
|
|
||||||
+++ b/lasso/saml-2.0/profile.c
|
|
||||||
@@ -968,7 +968,15 @@ lasso_saml20_profile_build_request_msg(LassoProfile *profile, const char *servic
|
|
||||||
made_url = url = get_url(provider, service, http_method_to_binding(method));
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (url) {
|
|
||||||
+
|
|
||||||
+ // Usage of the Destination attribute on a request is mandated only
|
|
||||||
+ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
|
|
||||||
+ // and is marked as optional in the XSD schema otherwise.
|
|
||||||
+ // PAOS is a special case because an SP does not select an IdP - ECP does
|
|
||||||
+ // it instead. Therefore, this attribute needs to be left unpopulated.
|
|
||||||
+ if (method == LASSO_HTTP_METHOD_PAOS) {
|
|
||||||
+ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
|
|
||||||
+ } else if (url) {
|
|
||||||
lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
|
|
||||||
url);
|
|
||||||
} else {
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -0,0 +1,41 @@
From 1b0000e0163edc9d831894bf4aac7503f0294062 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 18 Jun 2021 18:45:38 +0200
Subject: [PATCH 7/7] test13_test_lasso_server_load_metadata: Don't verify
signature if lasso is not configured with sha-1 (#54037)
---
tests/basic_tests.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index 0652abc28..470d64fc6 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -1974,6 +1974,14 @@ START_TEST(test13_test_lasso_server_load_metadata)
LassoServer *server = NULL;
GList *loaded_entity_ids = NULL;
GList blacklisted_1 = { .data = "https://identities.univ-jfc.fr/idp/prod", .next = NULL };
+ const gchar *trusted_roots = TESTSDATADIR "/rootCA.crt";
+
+ /* The IDP metadata file is signed with rsa-sha1, so verifying it would
+ * fail incase sha1 is not available
+ */
+ if (lasso_get_default_signature_method() != LASSO_SIGNATURE_METHOD_RSA_SHA1) {
+ trusted_roots = NULL;
+ }
check_not_null(server = lasso_server_new(
TESTSDATADIR "/idp5-saml2/metadata.xml",
@@ -1983,7 +1991,7 @@ START_TEST(test13_test_lasso_server_load_metadata)
block_lasso_logs;
check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
TESTSDATADIR "/metadata/renater-metadata.xml",
- TESTSDATADIR "/rootCA.crt",
+ trusted_roots,
&blacklisted_1, &loaded_entity_ids,
LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
unblock_lasso_logs;
--
2.26.3
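Review bot: Setting `trusted_roots = NULL` when the default signature method is not RSA-SHA1 presumably makes lasso_server_load_metadata load the metadata without any signature check, so on such builds the test still passes but no longer exercises the verification path it was written for, and nothing records that this coverage was dropped. Skipping the test explicitly in that case, or asserting that loading with `TESTSDATADIR "/rootCA.crt"` fails with a signature error, would keep the behaviour visible in the test results. The new comment also has a typo, `incase` → `in case`; a tighter form is `/* The IdP metadata is signed with rsa-sha1, so verifying it fails when SHA-1 is unavailable. */`. The START_TEST body continues outside the hunk.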
@ -1,183 +0,0 @@
From ea7e5efe9741e1b1787a58af16cb15b40c23be5a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
|
|
||||||
Date: Mon, 8 Mar 2021 11:33:26 +0100
|
|
||||||
Subject: [PATCH] Fix signature checking on unsigned response with multiple
|
|
||||||
assertions
|
|
||||||
|
|
||||||
CVE-2021-28091 : when AuthnResponse messages are not signed (which is
|
|
||||||
permitted by the specifiation), all assertion's signatures should be
|
|
||||||
checked, but currently after the first signed assertion is checked all
|
|
||||||
following assertions are accepted without checking their signature, and
|
|
||||||
the last one is considered the main assertion.
|
|
||||||
|
|
||||||
This patch :
|
|
||||||
* check signatures from all assertions if the message is not signed,
|
|
||||||
* refuse messages with assertion from different issuers than the one on
|
|
||||||
the message, to prevent assertion bundling event if they are signed.
|
|
||||||
---
|
|
||||||
lasso/saml-2.0/login.c | 102 +++++++++++++++++++++++++++++------------
|
|
||||||
1 file changed, 73 insertions(+), 29 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
|
|
||||||
index 0d4bb1da1..cf62c1cc9 100644
|
|
||||||
--- a/lasso/saml-2.0/login.c
|
|
||||||
+++ b/lasso/saml-2.0/login.c
|
|
||||||
@@ -1257,7 +1257,11 @@ lasso_saml20_login_check_assertion_signature(LassoLogin *login,
|
|
||||||
original_node = lasso_node_get_original_xmlnode(LASSO_NODE(assertion));
|
|
||||||
goto_cleanup_if_fail_with_rc(original_node, LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE);
|
|
||||||
|
|
||||||
- rc = profile->signature_status = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL);
|
|
||||||
+ /* Shouldn't set the profile->signature_status here as we're only
|
|
||||||
+ * checking the assertion signature.
|
|
||||||
+ * Instead, we'll set the status after all the assertions are iterated.
|
|
||||||
+ */
|
|
||||||
+ rc = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL);
|
|
||||||
|
|
||||||
#define log_verify_assertion_signature_error(msg) \
|
|
||||||
message(G_LOG_LEVEL_WARNING, "Could not verify signature of assertion" \
|
|
||||||
@@ -1282,18 +1286,6 @@ cleanup:
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static gboolean
|
|
||||||
-_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id)
|
|
||||||
-{
|
|
||||||
- if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id)
|
|
||||||
- return FALSE;
|
|
||||||
-
|
|
||||||
- if (! assertion->Issuer || ! assertion->Issuer->content)
|
|
||||||
- return FALSE;
|
|
||||||
-
|
|
||||||
- return lasso_strisequal(assertion->Issuer->content,provider_id);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static gint
|
|
||||||
_lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response)
|
|
||||||
{
|
|
||||||
@@ -1358,11 +1350,23 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Verify that an assertion comes from a designated Issuer */
|
|
||||||
+static gboolean
|
|
||||||
+_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id)
|
|
||||||
+{
|
|
||||||
+ if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id)
|
|
||||||
+ return FALSE;
|
|
||||||
+ if (! assertion->Issuer || ! assertion->Issuer->content)
|
|
||||||
+ return FALSE;
|
|
||||||
+ return lasso_strisequal(assertion->Issuer->content,provider_id);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static gint
|
|
||||||
lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
|
|
||||||
{
|
|
||||||
LassoSamlp2StatusResponse *response;
|
|
||||||
LassoSamlp2Response *samlp2_response = NULL;
|
|
||||||
+ LassoSaml2Assertion *last_assertion = NULL;
|
|
||||||
LassoProfile *profile;
|
|
||||||
char *status_value;
|
|
||||||
lasso_error_t rc = 0;
|
|
||||||
@@ -1404,34 +1408,62 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
|
|
||||||
|
|
||||||
/* Decrypt all EncryptedAssertions */
|
|
||||||
_lasso_saml20_login_decrypt_assertion(login, samlp2_response);
|
|
||||||
- /* traverse all assertions */
|
|
||||||
- goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL,
|
|
||||||
- LASSO_PROFILE_ERROR_MISSING_ASSERTION);
|
|
||||||
|
|
||||||
+ /* Check there is at least one assertion */
|
|
||||||
+ goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL, LASSO_PROFILE_ERROR_MISSING_ASSERTION);
|
|
||||||
+
|
|
||||||
+ /* In case of verify_hint as 'FORCE', if there's no response signature,
|
|
||||||
+ * we reject.
|
|
||||||
+ * In case of 'MAYBE', if response signature is present and valid, or
|
|
||||||
+ * not present, then we proceed with checking assertion signature(s).
|
|
||||||
+ * In any case, if there's a response signature and it's not valid,
|
|
||||||
+ * we reject.
|
|
||||||
+ */
|
|
||||||
verify_hint = lasso_profile_get_signature_verify_hint(profile);
|
|
||||||
+ if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
|
|
||||||
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
|
|
||||||
+ goto_cleanup_with_rc(profile->signature_status);
|
|
||||||
+ }
|
|
||||||
+ } else if (profile->signature_status != 0) {
|
|
||||||
+ goto_cleanup_with_rc(profile->signature_status);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
lasso_foreach_full_begin(LassoSaml2Assertion*, assertion, it, samlp2_response->Assertion);
|
|
||||||
LassoSaml2Subject *subject = NULL;
|
|
||||||
|
|
||||||
- lasso_assign_gobject (login->private_data->saml2_assertion, assertion);
|
|
||||||
+ /* All Assertions MUST come from the same issuer as the Response. */
|
|
||||||
+ if (! _lasso_check_assertion_issuer(assertion, profile->remote_providerID)) {
|
|
||||||
+ goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_ISSUER);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- /* If signature has already been verified on the message, and assertion has the same
|
|
||||||
- * issuer as the message, the assertion is covered. So no need to verify a second
|
|
||||||
- * time */
|
|
||||||
- if (profile->signature_status != 0
|
|
||||||
- || ! _lasso_check_assertion_issuer(assertion,
|
|
||||||
- profile->remote_providerID)
|
|
||||||
- || verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
|
|
||||||
+ if (profile->signature_status != 0) {
|
|
||||||
+ /* When response signature is not present */
|
|
||||||
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) {
|
|
||||||
+ assertion_signature_status =
|
|
||||||
+ lasso_saml20_login_check_assertion_signature(login, assertion);
|
|
||||||
+ if (assertion_signature_status) {
|
|
||||||
+ goto_cleanup_with_rc(assertion_signature_status);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ /* response signature is present and valid */
|
|
||||||
assertion_signature_status = lasso_saml20_login_check_assertion_signature(login,
|
|
||||||
- assertion);
|
|
||||||
- /* If signature validation fails, it is the return code for this function */
|
|
||||||
+ assertion);
|
|
||||||
if (assertion_signature_status) {
|
|
||||||
- rc = LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
|
|
||||||
+ /* assertion signature is not valid or not present */
|
|
||||||
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
|
|
||||||
+ /* In case of FORCE, we reject right away */
|
|
||||||
+ goto_cleanup_with_rc(assertion_signature_status);
|
|
||||||
+ } else if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) {
|
|
||||||
+ /* In case of MAYBE, if assertion signature is present and invalid, then we reject */
|
|
||||||
+ if (assertion_signature_status != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
|
|
||||||
+ goto_cleanup_with_rc(assertion_signature_status);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
-
|
|
||||||
lasso_extract_node_or_fail(subject, assertion->Subject, SAML2_SUBJECT,
|
|
||||||
- LASSO_PROFILE_ERROR_MISSING_SUBJECT);
|
|
||||||
+ LASSO_PROFILE_ERROR_MISSING_SUBJECT);
|
|
||||||
|
|
||||||
/* Verify Subject->SubjectConfirmationData->InResponseTo */
|
|
||||||
if (login->private_data->request_id) {
|
|
||||||
@@ -1446,8 +1478,20 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
|
|
||||||
/** Handle nameid */
|
|
||||||
lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile,
|
|
||||||
&subject->NameID, &subject->EncryptedID));
|
|
||||||
+
|
|
||||||
+ last_assertion = assertion;
|
|
||||||
lasso_foreach_full_end();
|
|
||||||
|
|
||||||
+ /* set the profile signature status only after all the signatures are
|
|
||||||
+ * verified.
|
|
||||||
+ */
|
|
||||||
+ profile->signature_status = rc;
|
|
||||||
+
|
|
||||||
+ /* set the default assertion to the last one */
|
|
||||||
+ if (last_assertion) {
|
|
||||||
+ lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
switch (verify_hint) {
|
|
||||||
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
|
|
||||||
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
|
|
||||||
--
|
|
||||||
2.26.3
|
|
||||||
|
|
@ -0,0 +1,28 @@
diff -up lasso-2.7.0/autogen.sh.noconfig lasso-2.7.0/autogen.sh
--- lasso-2.7.0/autogen.sh.noconfig 2021-06-28 22:39:00.473005330 +0200
+++ lasso-2.7.0/autogen.sh 2021-06-28 22:39:43.028114738 +0200
@@ -77,11 +77,6 @@ test $TEST_TYPE $FILE || {
exit 1
}
-if test "$#" = 0; then
- echo "I am going to run ./configure with no arguments - if you wish "
- echo "to pass any to it, please specify them on the $0 command line."
-fi
-
# to support timj aclocal setup we are shipping gnome-doc-utils.m4
# and making sure automake picks it up ;)
# this is bad as -I prepends to the search path
@@ -107,12 +102,3 @@ autoconf || exit $?
echo "* Running $AUTOMAKE"
$AUTOMAKE --add-missing -Wno-portability $am_opt || exit $?
-
-cd "$THEDIR"
-
-if [ "$1" != "noconfig" ]; then
- $srcdir/configure --enable-gtk-doc --enable-maintainer-mode "$@" || exit $?
-fi
-
-echo
-echo "Now type 'make install' to install $PROJECT."
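Review bot: The patch carries no description of why autogen.sh should stop invoking ./configure, unlike the other SOURCES patches, which have a From/Subject header and a rationale, so a future rebase against a changed autogen.sh has nothing to go on. A one-line header at the top of the patch file would suffice, e.g. `autogen.sh: regenerate the build system only; configure is run separately by the packaging` (adjusted to the actual reason). The same header could note that dropping `cd "$THEDIR"` is safe only because the script now ends right after the `$AUTOMAKE` invocation.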
@ -1,255 +0,0 @@
commit d526669810e0dc0a454260d5081fc96e16fc9e13
|
|
||||||
Author: John Dennis <jdennis@redhat.com>
|
|
||||||
Date: Mon Jun 25 16:26:24 2018 -0400
|
|
||||||
|
|
||||||
Make Python scripts compatible with both Py2 and Py3
|
|
||||||
|
|
||||||
During the build if the Python3 interpreter is used a number of
|
|
||||||
scripts will fail because they were never ported from Py2 to Py3. In
|
|
||||||
general we want Python code to be compatible with both Py2 and
|
|
||||||
Py3. This patch brings the scripts up to date with Py3 but retains
|
|
||||||
backwards compatibility with Py2 (specifically Py 2.7, the last Py2
|
|
||||||
release).
|
|
||||||
|
|
||||||
Examples of the required changes are:
|
|
||||||
|
|
||||||
* Replace use of the built-in function file() with open(). file()
|
|
||||||
does not exist in Py3, open works in both Py2 and Py3. The code was
|
|
||||||
also modified to use a file context manager (e.g. with open(xxx) as
|
|
||||||
f:). This assures open files are properly closed when the code block
|
|
||||||
using the file goes out of scope. This is a standard modern Python
|
|
||||||
idiom.
|
|
||||||
|
|
||||||
* Replace all use of the print keyword with the six.print_()
|
|
||||||
function, which itself is an emulation of Py3's print function. Py3
|
|
||||||
no longer has a print keyword, only a print() function.
|
|
||||||
|
|
||||||
* The dict methods .keys(), .values(), .items() no longer return a
|
|
||||||
list in Py3, instead they return a "view" object which is an
|
|
||||||
iterator whose result is an unordered set. The most notable
|
|
||||||
consequence is you cannot index the result of these functions like
|
|
||||||
your could in Py2 (e.g. dict.keys()[0] will raise a run time
|
|
||||||
exception).
|
|
||||||
|
|
||||||
* Replace use of StringIO.StringIO and cStringIO with
|
|
||||||
six.StringIO. Py3 no longer has cStringIO and the six variant
|
|
||||||
handles the correct import.
|
|
||||||
|
|
||||||
* Py3 no longer allows the "except xxx, variable" syntax, where
|
|
||||||
variable appering after the comma is assigned the exception object,
|
|
||||||
you must use the "as" keyword to perform the variable assignment
|
|
||||||
(e.g. execpt xxx as variable)
|
|
||||||
|
|
||||||
Note: the modifications in this patch are the minimum necessary to get
|
|
||||||
the build to run with the Py3 interpreter. There are numerous other
|
|
||||||
Python scripts in the repo which need Py3 porting as well but because
|
|
||||||
they are not invoked during a build they will be updated in a
|
|
||||||
subsequent patch.
|
|
||||||
|
|
||||||
License: MIT
|
|
||||||
Signed-off-by: John Dennis <jdennis@redhat.com>
|
|
||||||
|
|
||||||
diff --git a/bindings/python/examples/get_attributes_from_assertion.py b/bindings/python/examples/get_attributes_from_assertion.py
|
|
||||||
index 44ceb9e5..8f37a337 100644
|
|
||||||
--- a/bindings/python/examples/get_attributes_from_assertion.py
|
|
||||||
+++ b/bindings/python/examples/get_attributes_from_assertion.py
|
|
||||||
@@ -1,8 +1,10 @@
|
|
||||||
# Example SP Python code to get attributes from an assertion
|
|
||||||
|
|
||||||
+from six import print_
|
|
||||||
+
|
|
||||||
for attribute in assertion.attributeStatement[0].attribute:
|
|
||||||
if attribute.name == lasso.SAML2_ATTRIBUTE_NAME_EPR:
|
|
||||||
continue
|
|
||||||
- print 'attribute : ' + attribute.name
|
|
||||||
+ print_('attribute : ' + attribute.name)
|
|
||||||
for value in attribute.attributeValue:
|
|
||||||
- print ' value : ' + value.any[0].content
|
|
||||||
+ print_(' value : ' + value.any[0].content)
|
|
||||||
diff --git a/bindings/python/tests/binding_tests.py b/bindings/python/tests/binding_tests.py
|
|
||||||
index 6d8e0dfa..54c3635f 100755
|
|
||||||
--- a/bindings/python/tests/binding_tests.py
|
|
||||||
+++ b/bindings/python/tests/binding_tests.py
|
|
||||||
@@ -311,8 +311,8 @@ class BindingTestCase(unittest.TestCase):
|
|
||||||
</samlp:Extensions>'''
|
|
||||||
node = lasso.Node.newFromXmlNode(content)
|
|
||||||
assert 'next_url' in node.any[1]
|
|
||||||
- assert 'huhu' in node.attributes.keys()[0]
|
|
||||||
- assert node.attributes.values()[0] == 'xxx'
|
|
||||||
+ assert '{https://www.entrouvert.com/}huhu' in node.attributes.keys()
|
|
||||||
+ assert 'xxx' in node.attributes.values()
|
|
||||||
node.any = ('<zob>coin</zob>',)
|
|
||||||
node.attributes = {'michou': 'zozo'}
|
|
||||||
assert '<zob>coin</zob>' in node.dump()
|
|
||||||
diff --git a/bindings/python/tests/idwsf2_tests.py b/bindings/python/tests/idwsf2_tests.py
|
|
||||||
index 6f80c53d..4e47a4a1 100755
|
|
||||||
--- a/bindings/python/tests/idwsf2_tests.py
|
|
||||||
+++ b/bindings/python/tests/idwsf2_tests.py
|
|
||||||
@@ -27,7 +27,7 @@
|
|
||||||
import os
|
|
||||||
import unittest
|
|
||||||
import sys
|
|
||||||
-from StringIO import StringIO
|
|
||||||
+from six import StringIO
|
|
||||||
import logging
|
|
||||||
|
|
||||||
logging.basicConfig()
|
|
||||||
@@ -310,11 +310,11 @@ class MetadataTestCase(IdWsf2TestCase):
|
|
||||||
self.failUnless(idp_disco.request.svcMD[0].svcMDID is None)
|
|
||||||
try:
|
|
||||||
idp_disco.checkSecurityMechanism()
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
try:
|
|
||||||
idp_disco.validateRequest()
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
self.failUnless(idp_disco.response is not None)
|
|
||||||
self.failUnlessEqual(len(idp_disco.metadatas), 1)
|
|
||||||
@@ -391,16 +391,16 @@ class MetadataTestCase(IdWsf2TestCase):
|
|
||||||
self.failUnless(idp_disco is not None)
|
|
||||||
try:
|
|
||||||
idp_disco.processRequestMsg(wsp_disco.msgBody)
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
self.failUnless(idp_disco.request is not None)
|
|
||||||
try:
|
|
||||||
idp_disco.checkSecurityMechanism()
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
try:
|
|
||||||
idp_disco.failRequest(lasso.IDWSF2_DISCOVERY_STATUS_CODE_FAILED, lasso.IDWSF2_DISCOVERY_STATUS_CODE_FORBIDDEN)
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
self.failUnless(idp_disco.response is not None)
|
|
||||||
self.failUnless(idp_disco.response.status is not None)
|
|
||||||
@@ -415,7 +415,7 @@ class MetadataTestCase(IdWsf2TestCase):
|
|
||||||
wsp_disco.processResponseMsg(idp_disco.msgBody)
|
|
||||||
except lasso.Idwsf2DiscoveryForbiddenError:
|
|
||||||
pass
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
|
|
||||||
def test03(self):
|
|
||||||
@@ -475,7 +475,7 @@ class MetadataTestCase(IdWsf2TestCase):
|
|
||||||
self.failUnless(soap_envelope.getMessageId() is not None)
|
|
||||||
try:
|
|
||||||
idp_disco.checkSecurityMechanism()
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
# redirect
|
|
||||||
interactionUrl = spInteractionUrl
|
|
||||||
@@ -488,7 +488,7 @@ class MetadataTestCase(IdWsf2TestCase):
|
|
||||||
self.failUnless(response.detail.any[0].redirectURL.startswith(interactionUrl + '?transactionID='))
|
|
||||||
try:
|
|
||||||
idp_disco.buildResponseMsg()
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
self.failUnless(idp_disco.msgBody is not None)
|
|
||||||
|
|
||||||
@@ -500,7 +500,7 @@ class MetadataTestCase(IdWsf2TestCase):
|
|
||||||
wsp_disco.processResponseMsg(idp_disco.msgBody)
|
|
||||||
except lasso.WsfprofileRedirectRequestError:
|
|
||||||
pass
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
response_envelope = wsp_disco.getSoapEnvelopeResponse()
|
|
||||||
self.failUnless(response_envelope.sb2GetRedirectRequestUrl().startswith(interactionUrl + '?transactionID='))
|
|
||||||
@@ -527,11 +527,11 @@ class MetadataTestCase(IdWsf2TestCase):
|
|
||||||
self.failUnless(idp_disco.request.svcMD[0].svcMDID is None)
|
|
||||||
try:
|
|
||||||
idp_disco.checkSecurityMechanism()
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
try:
|
|
||||||
idp_disco.validateRequest()
|
|
||||||
- except lasso.Error, e:
|
|
||||||
+ except lasso.Error as e:
|
|
||||||
self.fail(e)
|
|
||||||
self.failUnless(idp_disco.response is not None)
|
|
||||||
self.failUnlessEqual(len(idp_disco.metadatas), 1)
|
|
||||||
diff --git a/lasso/build_strerror.py b/lasso/build_strerror.py
|
|
||||||
index fca59628..908638d5 100644
|
|
||||||
--- a/lasso/build_strerror.py
|
|
||||||
+++ b/lasso/build_strerror.py
|
|
||||||
@@ -1,42 +1,42 @@
#! /usr/bin/env python
-from cStringIO import StringIO
import glob
import re
import sys
import os
+from six import print_, StringIO
srcdir = sys.argv[1]
-hlines = file('%s/errors.h' % srcdir,'r').readlines()
messages = dict()
description = ''
-for line in hlines:
- m = re.match(r'^ \* LASSO.*ERROR', line)
- if m:
- description = ''
- continue
- m = re.match(r'^ \* (.*[^:])$', line)
- if m:
- description += m.group(1)
- m = re.match(r'#define (LASSO_\w*ERROR\w+)', line)
- if m and description:
- description = re.sub(r'[ \n]+', ' ', description).strip()
- messages[m.group(1)] = description
- description = ''
- else:
- m = re.match(r'#define (LASSO_\w*ERROR\w+)',line)
+with open('%s/errors.h' % srcdir,'r') as f:
+ for line in f:
+ m = re.match(r'^ \* LASSO.*ERROR', line)
if m:
- messages[m.group(1)] = m.group(1)
+ description = ''
+ continue
+ m = re.match(r'^ \* (.*[^:])$', line)
+ if m:
+ description += m.group(1)
+ m = re.match(r'#define (LASSO_\w*ERROR\w+)', line)
+ if m and description:
+ description = re.sub(r'[ \n]+', ' ', description).strip()
+ messages[m.group(1)] = description
+ description = ''
+ else:
+ m = re.match(r'#define (LASSO_\w*ERROR\w+)',line)
+ if m:
+ messages[m.group(1)] = m.group(1)
-clines = file('%s/errors.c.in' % srcdir,'r').readlines()
-for line in clines:
- if '@ERROR_CASES@' in line:
- keys = messages.keys()
- keys.sort()
- for k in keys:
- print """ case %s:
- return "%s";""" % (k,messages[k].rstrip('\n'))
- else:
- print line,
+with open('%s/errors.c.in' % srcdir,'r') as f:
+ for line in f:
+ if '@ERROR_CASES@' in line:
+ keys = sorted(messages.keys())
+ for k in keys:
+ print_(' case %s:\n'
+ ' return "%s";' %
+ (k,messages[k].rstrip('\n')))
+ else:
+ print_(line, end="")
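--- a/<removed patch file; path not shown on page>
+++ /dev/null
@@ -1,83 +0,0 @@
-commit 623d785f957acc9eccb47a9a3f88e5e167a370b6
-Author: John Dennis <jdennis@redhat.com>
-Date: Mon Jun 25 17:37:45 2018 -0400
-
-fix duplicate definition of LogoutTestCase and logoutSuite
-
-Commit 6f617027e added a duplicate definition of the LogoutTestCase
-class containing only 1 test which shaddowed the original
-LogoutTestCase containing 4 tests. The logoutSuite variable was also
-shadowed and the allTests variable contained a duplicate of
-logoutSuite causing the 2nd definition of LogoutTestCase to be run
-twice.
-
-Not only were the original 4 tests not being run but the entire unit
-test in profiles_tests.py was failing under Python3. This is because
-the unittest code in Py3 deletes a test from it's list of tests to run
-once it's been run. The second time the logoutSuite was invoked it no
-longer contained any tests which caused an exception to be raised
-because there were no tests to be run.
-
-License: MIT
-Signed-off-by: John Dennis <jdennis@redhat.com>
-
-diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
-index 547c9e24..0ba1e56e 100755
---- a/bindings/python/tests/profiles_tests.py
-+++ b/bindings/python/tests/profiles_tests.py
-@@ -386,6 +386,21 @@ class LogoutTestCase(unittest.TestCase):
-else:
-self.fail('Logout processResponseMsg should have failed.')
-
-+ def test05(self):
-+ '''Test parsing of a logout request with more than one session index'''
-+ content = '''<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xxxx" Version="2.0" IssueInstant="2010-06-14T22:00:00">
-+ <saml:Issuer>me</saml:Issuer>
-+ <saml:NameID>coin</saml:NameID>
-+ <samlp:SessionIndex>id1</samlp:SessionIndex>
-+ <samlp:SessionIndex>id2</samlp:SessionIndex>
-+ <samlp:SessionIndex>id3</samlp:SessionIndex>
-+ </samlp:LogoutRequest>'''
-+
-+ node = lasso.Samlp2LogoutRequest.newFromXmlNode(content)
-+ assert isinstance(node, lasso.Samlp2LogoutRequest)
-+ assert node.sessionIndex == 'id1'
-+ assert node.sessionIndexes == ('id1', 'id2', 'id3')
-+
-class DefederationTestCase(unittest.TestCase):
-def test01(self):
-"""IDP initiated defederation; testing processNotificationMsg with non Liberty query."""
-@@ -478,32 +493,15 @@ class AttributeAuthorityTestCase(unittest.TestCase):
-assert aq.response.assertion[0].attributeStatement[0].attribute[0]
-assert aq.response.assertion[0].attributeStatement[0].attribute[0].attributeValue[0]
-
--class LogoutTestCase(unittest.TestCase):
-- def test01(self):
-- '''Test parsing of a logout request with more than one session index'''
-- content = '''<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xxxx" Version="2.0" IssueInstant="2010-06-14T22:00:00">
-- <saml:Issuer>me</saml:Issuer>
-- <saml:NameID>coin</saml:NameID>
-- <samlp:SessionIndex>id1</samlp:SessionIndex>
-- <samlp:SessionIndex>id2</samlp:SessionIndex>
-- <samlp:SessionIndex>id3</samlp:SessionIndex>
-- </samlp:LogoutRequest>'''
--
-- node = lasso.Samlp2LogoutRequest.newFromXmlNode(content)
-- assert isinstance(node, lasso.Samlp2LogoutRequest)
-- assert node.sessionIndex == 'id1'
-- assert node.sessionIndexes == ('id1', 'id2', 'id3')
--
-serverSuite = unittest.makeSuite(ServerTestCase, 'test')
-loginSuite = unittest.makeSuite(LoginTestCase, 'test')
-logoutSuite = unittest.makeSuite(LogoutTestCase, 'test')
-defederationSuite = unittest.makeSuite(DefederationTestCase, 'test')
-identitySuite = unittest.makeSuite(IdentityTestCase, 'test')
-attributeSuite = unittest.makeSuite(AttributeAuthorityTestCase, 'test')
--logoutSuite = unittest.makeSuite(LogoutTestCase, 'test')
-
-allTests = unittest.TestSuite((serverSuite, loginSuite, logoutSuite, defederationSuite,
-- identitySuite, attributeSuite, logoutSuite))
-+ identitySuite, attributeSuite))
-
-if __name__ == '__main__':
-sys.exit(not unittest.TextTestRunner(verbosity = 2).run(allTests).wasSuccessful())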
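--- a/<removed patch file; path not shown on page>
+++ /dev/null
@@ -1,80 +0,0 @@
-commit e3e904af7dd308fe7530773bd9ea136afc90049b
-Author: John Dennis <jdennis@redhat.com>
-Date: Thu Jun 21 10:49:30 2018 -0400
-
-Use python interpreter specified configure script
-
-The configure script allows you to specify the python interpreter to
-use via the --with-python option. There were several places where the
-python interpreter was implicity invoked without using the specified
-version. This can create a number of problems in an environment with
-multiple python versions as is the case during the transition from
-Python 2 to Python 3. Python 2 is not compatible with Python
-3. Lasso's Python code is supposed to be compatible with both
-versions. But during the build and when running the unit tests it is
-essential the same interpreter be used consistently otherwise you can
-have problems.
-
-This patch assures whenever python is invoked it does so via the
-$(PYTHON) configuration variable.
-
-What about shebang lines (e.g #/usr/bin/python) at the top of scripts?
-Python PEP 394 (https://www.python.org/dev/peps/pep-0394/) covers
-this. Basically it says if a script is compatible only with Py2 the
-shebang should be #/usr/bin/python2, if only compatible with Py3 the
-shebang should be #/usr/bin/python3. However, if the script is
-compatible with both versions it can continue to use the
-compatible with both Py2 and Py3.
-
-License: MIT
-Signed-off-by: John Dennis <jdennis@redhat.com>
-
-diff --git a/bindings/java/Makefile.am b/bindings/java/Makefile.am
-index 05e5f9ee..8de0178d 100644
---- a/bindings/java/Makefile.am
-+++ b/bindings/java/Makefile.am
-@@ -26,7 +26,7 @@ if WSF_ENABLED
-EXTRA_ARGS = --enable-id-wsf
-endif
-
--java_lasso_source_files := $(shell python $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) )
-+java_lasso_source_files := $(shell $(PYTHON) $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) )
-
-lasso_jardir=$(prefix)/share/java
-lasso_jar_DATA=lasso.jar
-diff --git a/bindings/python/tests/Makefile.am b/bindings/python/tests/Makefile.am
-index 205e7613..1305f26f 100644
---- a/bindings/python/tests/Makefile.am
-+++ b/bindings/python/tests/Makefile.am
-@@ -11,5 +11,8 @@ if WSF_ENABLED
-TESTS += idwsf1_tests.py idwsf2_tests.py
-endif
-
-+TEST_EXTENSIONS = .py
-+PY_LOG_COMPILER = $(PYTHON)
-+
-EXTRA_DIST = profiles_tests.py binding_tests.py idwsf1_tests.py idwsf2_tests.py \
-tests.py XmlTestRunner.py
-diff --git a/lasso/Makefile.am b/lasso/Makefile.am
-index 751f9419..49ae88a7 100644
---- a/lasso/Makefile.am
-+++ b/lasso/Makefile.am
-@@ -91,7 +91,7 @@ liblasso_la_LDFLAGS = -no-undefined -version-info @LASSO_VERSION_INFO@ \
-endif
-
-$(srcdir)/errors.c: $(srcdir)/errors.h $(srcdir)/build_strerror.py
-- python $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new
-+ $(PYTHON) $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new
-if ! cmp -s $(srcdir)/errors.c .errors.c.new; then \
-mv -f .errors.c.new $@; else \
-rm .errors.c.new; fi
-diff --git a/tools/check-lasso-sections.py b/tools/check-lasso-sections.py
-index cb4c39c4..3a6c9880 100755
---- a/tools/check-lasso-sections.py
-+++ b/tools/check-lasso-sections.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/env python
-
-import sys
-import os.path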
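--- a/<removed patch file; path not shown on page>
+++ /dev/null
@@ -1,48 +0,0 @@
-commit af29047480cacafaed697cb2a1fb24c5143078a8
-Author: John Dennis <jdennis@redhat.com>
-Date: Sat Jul 7 10:59:32 2018 -0400
-
-Configure should search for versioned Python interpreter.
-
-Following the guidelines in Python PEP 394 with regards to the python
-command on UNIX like systems preference should be given to explicitly
-versioned command interpreter as opposed to unversioned and that an
-unversioned python command should (but might not) refer to
-Python2. Also in some environments unversioned Python interpreters
-(e.g. /usr/bin/python) do not even exist, onlyh their explicitly
-versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3).
-
-Therefore the AC_CHECK_PROGS directive in configure.ac should not rely
-exclusively on an unversioned Python interpreter as it does not,
-rather it should search in priority order. First for python3, then for
-an unversionsed python because some distributions have already moved
-the default unversioned python to python3, and then finally search for
-python2. In the scenario where unversioned python is still pointing to
-python2 it's equivalent to selecting the last prority option of
-python2, but if unversioned python is pointing to python3 you get
-instead. The net result is always preferring python3 but gracefully
-falling back to python2 not matter how the environment exports it's
-Python.
-
-If AC_CHECK_PROGS for python does not check for the versioned variants
-the build fails in environments that only have versioned variants with
-this error:
-
-configure: error: Python must be installed to compile lasso
-
-License: MIT
-Signed-off-by: John Dennis <jdennis@redhat.com>
-
-diff --git a/configure.ac b/configure.ac
-index 898468e6..74766972 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -131,7 +131,7 @@ dnl AC_CHECK_PROGS(JAR, fastjar jar)
-AC_CHECK_PROGS(PERL, perl)
-AC_CHECK_PROGS(PHP5, php5 php)
-AC_CHECK_PROGS(PHP5_CONFIG, php-config5 php-config)
--AC_CHECK_PROGS(PYTHON, python)
-+AC_CHECK_PROGS(PYTHON, python3 python python2)
-AC_CHECK_PROGS(SWIG, swig)
-
-dnl Make sure we have an ANSI compiler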