Compare commits

...

No commits in common. 'c9' and 'c8' have entirely different histories.
c9 ... c8

2
.gitignore vendored

@ -1 +1 @@
SOURCES/lasso-2.7.0.tar.gz
SOURCES/lasso-2.6.0.tar.gz

@ -1 +1 @@
7a4175eb925427504ac5d42bb3644a97fc188409 SOURCES/lasso-2.7.0.tar.gz
c48e1d6626e6563163146063cbf65ffef52bac1b SOURCES/lasso-2.6.0.tar.gz

@ -1,104 +0,0 @@
From 8b8fd22a168860c5034822472d1fb5745f8fa0f5 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 Jun 2021 10:18:30 +0200
Subject: [PATCH] Fix lasso_query_sign HMAC other than SHA1 (#54037)
The switch clause was using SHA1 digests for all digest types when
signing. This obviously breaks verifying the signatures if HMAC-SHAXXX
is used and XXX is something else than 1.
---
lasso/xml/tools.c | 35 +++++++++++++++++++++++------------
tests/login_tests_saml2.c | 6 +++---
2 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 96d88a2c4..290fd55f2 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -594,22 +594,20 @@ lasso_query_sign(char *query, LassoSignatureContext context)
sigret_size = DSA_size(dsa);
break;
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
+ md = EVP_sha1();
+ sigret_size = EVP_MD_size(md);
+ break;
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
+ md = EVP_sha256();
+ sigret_size = EVP_MD_size(md);
+ break;
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
+ md = EVP_sha384();
+ sigret_size = EVP_MD_size(md);
+ break;
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
- if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
- &hmac_key_length))) {
- message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
- goto done;
- }
- g_assert(hmac_key);
- md = EVP_sha1();
+ md = EVP_sha512();
sigret_size = EVP_MD_size(md);
- /* key should be at least 128 bits long */
- if (hmac_key_length < 16) {
- critical("HMAC key should be at least 128 bits long");
- goto done;
- }
break;
default:
g_assert_not_reached();
@@ -645,6 +643,19 @@ lasso_query_sign(char *query, LassoSignatureContext context)
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
+ if ((rc = lasso_get_hmac_key(key, (void**)&hmac_key,
+ &hmac_key_length))) {
+ message(G_LOG_LEVEL_CRITICAL, "Failed to get hmac key (%s)", lasso_strerror(rc));
+ goto done;
+ }
+ g_assert(hmac_key);
+
+ /* key should be at least 128 bits long */
+ if (hmac_key_length < 16) {
+ critical("HMAC key should be at least 128 bits long");
+ goto done;
+ }
+
HMAC(md, hmac_key, hmac_key_length, (unsigned char *)new_query,
strlen(new_query), sigret, &siglen);
status = 1;
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
index e331c07a7..e1d78b5b1 100644
--- a/tests/login_tests_saml2.c
+++ b/tests/login_tests_saml2.c
@@ -981,7 +981,7 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallba
lasso_release_gobject(sp_login_context);
}
-START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
+START_TEST(test07_sso_sp_with_hmac_sha256_signatures)
{
LassoServer *idp_context = NULL;
LassoServer *sp_context = NULL;
@@ -990,7 +990,7 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
/* Create the shared key */
key = lasso_key_new_for_signature_from_memory("xxxxxxxxxxxxxxxx", 16,
- NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA1, NULL);
+ NULL, LASSO_SIGNATURE_METHOD_HMAC_SHA256, NULL);
check_true(LASSO_IS_KEY(key));
/* Create an IdP context for IdP initiated SSO with provider metadata 1 */
@@ -1640,7 +1640,7 @@ login_saml2_suite()
tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap);
tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover);
tcase_add_test(tc_spKeyRollover, test06_sso_sp_with_key_rollover);
- tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha1_signatures);
+ tcase_add_test(tc_hmacSignature, test07_sso_sp_with_hmac_sha256_signatures);
tcase_add_test(tc_spLogin, test08_test_authnrequest_flags);
tcase_add_test(tc_ecp, test09_ecp);
tcase_add_test(tc_ecp, test10_ecp);
--
2.26.3

@ -1,129 +0,0 @@
From f625eaa007fa3a1f6c846be0d70d26de33887714 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 Jun 2021 10:28:53 +0200
Subject: [PATCH 2/7] tests: Move test08_lasso_key and
test07_saml2_query_verify_signature to SHA256 (#54037)
These tests use a hardcoded query and private key which makes it
unsuitable to make the tests use the configured default digest. Let's
just convert them to SHA256 unconditionally.
---
tests/random_tests.c | 46 ++++++++++++++++++++++----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/tests/random_tests.c b/tests/random_tests.c
index c4fe85883..fa0367a3c 100644
--- a/tests/random_tests.c
+++ b/tests/random_tests.c
@@ -287,11 +287,11 @@ extern int lasso_saml2_query_verify_signature(const char *query, const xmlSecKey
START_TEST(test07_saml2_query_verify_signature)
{
/* normal query as produces by Lasso */
- const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
+ const char query1[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D";
/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
* changed to ; */
- const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
- const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
+ const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256";
+ const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D";
/* sp5-saml2 key */
const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
@@ -317,7 +317,7 @@ LlTxKnCrWAXftSm1rNtewTsF\n\
-----END CERTIFICATE-----";
xmlSecKeyPtr key = lasso_xmlsec_load_private_key_from_buffer(pkey, sizeof(pkey)-1, NULL,
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
fail_unless(key != NULL, "Cannot load public key");
fail_unless(lasso_saml2_query_verify_signature(query1, key) == 0, "Signature was not validated");
@@ -332,11 +332,11 @@ END_TEST
START_TEST(test08_lasso_key)
{
/* normal query as produces by Lasso */
- const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
+ const char query1[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D";
/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
* changed to ; */
- const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
- const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
+ const char query2[] = "Signature=Zfz3DE1VMV3thaV4FWpH0fkWsBMzAFJcfvVWAbo0a3cY48Et%2BXUcbr1nvOJUJmhGoie0pQ4%2BcD9ToQlSk7BbJSBCct%2FQQgn2QNkX%2F1lk4v8RU8p5ptJRJ2iPLb8nC6WZhs81HoihQePSuj7Qe5bRUsDKvnWMq6OkD%2Fe6YO77dMXregTcfmnkrXqRb2T6TFfqyOz9i0%2FjmISsmj%2F3kEEfUzVA4LEbeEgiJDj1hec4XW26gQTih53v0sYukq4Eyb4zS2jVd3apUUxUrjn1NUpr7Z7dZ7w5MQlgZ8aw1xFDE8BkxymvIjwf8ciyx6sfTKbCRsoS9E0pQB1vxvh6OMt1Ww%3D%3D;SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D;RelayState=fake;SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256";
+ const char query3[] = "SAMLRequest=fVHJasMwEP0Vo3tqRXY2YRvcOIFAl9CUHnopwpkkAllyNeMuf1%2FZaSG95PrmLfNmMlSNaWXZ0ck%2BwXsHSNFXYyzKYZCzzlvpFGqUVjWAkmq5K%2B%2FvpLjhsvWOXO0Mu5BcVyhE8KSdZdGmytnbNEmTBV%2Bli9ulKMt5KlbVfDkbizWfcVEmUxa9gMfAz1mQBxFiBxuLpCwFiIvxiE9H48mz4FJMZJq8sqgKHbRVNKhORK2MY71vJzFqezSw00f7GPLXztcw9M7ZQRmE3n0bFtQf8IcUWV9JDqm%2B%2BPXCYNUAqb0ilcWXhOx8zIdQe1NtndH1dx%2FTKLp%2BlR7R%2B9FhoMq2b4wEllhUGuM%2Blx4UhZ3Id8Di4pz5%2F2fFDw%3D%3D&RelayState=fake&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rUJ%2B9wVSvdGSmZWGuGXgudAPV5KBxRfxRKraBWGIslBz2XreyNbQjSA47DhIfi%2Bxf0awIIGkKcieN3Qd5sqVn4wvFU8fsmfqrdtouYi46aKsj4W91N19TxJ%2BCgrP7ygVEGDaGdc%2BrCQC3%2FuoYTELXq0gYP7tHaXA%2FCaZHfx5Z159crpRxS6eabZ6BGf4ImxiKhE1FuYzKHeISEV1iSyvgx5%2FE8ydSO%2FSP6yA5Rck4JxVJWH6ImbswCVQ80qfqR4NoJ%2BxiZqilbDJnQaSKZggx%2FgjNVoX%2FMVW1FqEmgJNcZpSjNUQqy9u4veSllpxPc2aB%2FpiUjzpbq9XzyFDOQfkUQ%3D%3D";
/* sp5-saml2 key */
const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
@@ -361,29 +361,29 @@ NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR\n\
LlTxKnCrWAXftSm1rNtewTsF\n\
-----END CERTIFICATE-----";
LassoKey *key = lasso_key_new_for_signature_from_memory(pkey, strlen(pkey), NULL,
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
LassoKey *key2 = lasso_key_new_for_signature_from_file(
TESTSDATADIR "/sp5-saml2/private-key.pem", NULL,
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
- char *message = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_E3F8E9116EE08F0E2607CF9789649BB4\" Version=\"2.0\" IssueInstant=\"2012-03-09T11:34:48Z\" ForceAuthn=\"false\" IsPassive=\"false\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
+ LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
+ char *message = "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"><s:Body><samlp:ArtifactResolve ID=\"_5E4DB038BC15C020CE085F743D485443\" Version=\"2.0\" IssueInstant=\"2021-06-18T16:07:49Z\" Destination=\"http://idp5/artifact\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
<SignedInfo>\n\
<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
-<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n\
-<Reference URI=\"#_E3F8E9116EE08F0E2607CF9789649BB4\">\n\
+<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n\
+<Reference URI=\"#_5E4DB038BC15C020CE085F743D485443\">\n\
<Transforms>\n\
<Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n\
<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
</Transforms>\n\
-<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n\
-<DigestValue>tMncKjklMJaJLbmB7bARmX14Fdg=</DigestValue>\n\
+<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>\n\
+<DigestValue>1Xy/VevGqojdKIvLzkczdd9Mp3AFYvZfsakldADTuO4=</DigestValue>\n\
</Reference>\n\
</SignedInfo>\n\
-<SignatureValue>VjAHErXE8rz5yQ/t9Ubws11E59PsU/tXPtL6eCMAVLQxV4Bv0dwyYkeHtge1DXDT\n\
-usTy1c17+iuYCVqD3Db51+LMVsHchj0j44fhu/PXNQTmgiT2AuVfH97YhiBWykAs\n\
-LwT8MiE9vNGiHQwsWVjhdzooVmU0M80m0Ij2DFMcYiKzmuMhE4M65qUO4tygQLiL\n\
-YB5oPe0VYKEBJLfaTvuijLBTi4ecx6aU+HptAvuEOcCbcJZtGyv7jr2yuEDSq72S\n\
-0hwOV0CIsQoSf/vL7R9RzTs2bpgYVGqgerhpWsz6dqo7YX0NSj9pMbXZiOyX/YzS\n\
-uP3QSjow05NiPhy8ywKW8A==</SignatureValue>\n\
+<SignatureValue>R5unK5JQ8no8VCokUKKw8zXglIsjggH16cQxnqKl2GpFeeFh8Tzi4KRXTzVNXi9c\n\
+dID0FTAsFM2Ol5Sqg/j2TVasR93PyIg2pUOb00tNwx8D81xEi1lXdWThHfiinYI0\n\
+2qJSFj1H8wt/ceULmnvC0F01ga78LQervkjMaSpqlvyKYrNNOEJEYo0SJSUnUE5p\n\
+wlv30BjnUCyXWQl9i03MvpPSOTJkXrFLqbJB8rB/HNdS71lWAU3k8r56OAxzTXUn\n\
+WXr73mrQrLGJzbofDjO1Lfz8JpZXRzsffAsMCxKfoL+VzrElPNW5aklrFm603w2w\n\
+6/xQk0BsHvPP8k6V32RuXQ==</SignatureValue>\n\
<KeyInfo>\n\
<KeyValue>\n\
<RSAKeyValue>\n\
@@ -401,7 +401,7 @@ AQAB\n\
</RSAKeyValue>\n\
</KeyValue>\n\
</KeyInfo>\n\
-</Signature><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" AllowCreate=\"true\"/></samlp:AuthnRequest>";
+</Signature><samlp:Artifact>AAQAALQUO+cobSry7mQpUjWDhKkaePFoNDRBMDY3RDY3QjNFM0QzQzA1NzQ=</samlp:Artifact></samlp:ArtifactResolve></s:Body></s:Envelope>";
xmlDoc *doc;
doc = xmlParseDoc(BAD_CAST message);
@@ -411,7 +411,7 @@ AQAB\n\
fail_unless(lasso_key_query_verify(key, query2) == 0, "Disordered signature was not validated");
fail_unless(lasso_key_query_verify(key, query3) != 0, "Altered signature was validated");
fail_unless(lasso_key_saml2_xml_verify(key,
- "_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
+ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0,
"XML Signature is not validated");
g_object_unref(key);
fail_unless(key2 != NULL, "Cannot load public key2");
@@ -420,7 +420,7 @@ AQAB\n\
fail_unless(lasso_key_query_verify(key2, query2) == 0, "Disordered signature was not validated");
fail_unless(lasso_key_query_verify(key2, query3) != 0, "Altered signature was validated");
fail_unless(lasso_key_saml2_xml_verify(key2,
- "_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
+ "_5E4DB038BC15C020CE085F743D485443", xmlDocGetRootElement(doc)) == 0,
"XML Signature is not validated");
g_object_unref(key2);
lasso_release_doc(doc);
--
2.26.3

@ -1,363 +0,0 @@
From f095ac8f5740b6eee687cac97840bc7e72992999 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 7 Jun 2021 12:27:15 +0200
Subject: [PATCH 3/7] Make the default signature method and the minimal hash
strength configurable (#54037)
Adds two new configure options:
--with-default-sign-algo
--min-hash-algo
--with-default-sign-algo sets the default signing algorithm and defaults
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
rsa-sha256.
--min-hash-algo sets the minimum hash algorithm to be accepted. The
default is sha1 for backwards compatibility as well.
Related:
https://dev.entrouvert.org/issues/54037
---
configure.ac | 42 +++++++++++++++++++++++++++++
lasso/id-ff/server.c | 2 +-
lasso/id-ff/server.h | 2 ++
lasso/lasso.c | 51 +++++++++++++++++++++++++++++++++++
lasso/xml/tools.c | 63 +++++++++++++++++++++++++++++++++++---------
lasso/xml/xml.c | 24 +++++++++++++++++
lasso/xml/xml.h | 9 +++++++
tests/random_tests.c | 6 ++---
8 files changed, 182 insertions(+), 17 deletions(-)
diff --git a/configure.ac b/configure.ac
index b527def43..2cdfbb149 100644
--- a/configure.ac
+++ b/configure.ac
@@ -795,6 +795,43 @@ else
AC_MSG_RESULT(no)
fi
+AC_ARG_WITH([default-sign-algo],
+ [AS_HELP_STRING([--with-default-sign-algo=[rsa-sha1|rsa-sha256]],
+ [Default signing algorithm (rsa-sha1)]
+ )
+ ]
+)
+
+SIGNING_ALGO=rsa-sha1
+if test x"$with_default_sign_algo" != x; then
+ if test ! "$with_default_sign_algo" = "rsa-sha1" -a ! "$with_default_sign_algo" = "rsa-sha256"; then
+ AC_MSG_ERROR("Default signing algorithm must be either rsa-sha1 or rsa-sha256")
+ else
+ SIGNING_ALGO=$with_default_sign_algo
+ fi
+fi
+
+AC_DEFINE_UNQUOTED(DEFAULT_SIGNING_ALGO, "$SIGNING_ALGO", ["The default signing algorithm"])
+
+AC_ARG_WITH([min-hash-algo],
+ [AS_HELP_STRING([--with-min-hash-algo=[sha1|sha256|sha384|sha512]],
+ [Minimal allowed hash algorithm (rsa-sha1)]
+ )
+ ]
+)
+
+MIN_HASH_ALGO=sha1
+if test x"$with_min_hash_algo" != x; then
+ if test ! "$with_min_hash_algo" = "sha1" -a ! "$with_min_hash_algo" = "sha256" -a ! "$with_min_hash_algo" = "sha384" -a ! "$with_min_hash_algo" = "sha512"; then
+ AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512)
+ else
+ MIN_HASH_ALGO=$with_min_hash_algo
+ fi
+fi
+
+AC_DEFINE_UNQUOTED(MIN_HASH_ALGO, "$MIN_HASH_ALGO", ["The minimal hash algorithm"])
+
+
dnl ==========================================================================
dnl Pedantic compilation
dnl ==========================================================================
@@ -939,4 +976,9 @@ Python binding: ${enable_python}
C API references: ${enable_gtk_doc}
Tests suite: ${enable_tests}
+
+Crypto settings
+---------------
+Default signature: ${SIGNING_ALGO}
+Minimal accepted hash: ${MIN_HASH_ALGO}
)
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
index 08bbde833..2bf5b7a8c 100644
--- a/lasso/id-ff/server.c
+++ b/lasso/id-ff/server.c
@@ -682,7 +682,7 @@ instance_init(LassoServer *server)
server->private_key = NULL;
server->private_key_password = NULL;
server->certificate = NULL;
- server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
+ server->signature_method = lasso_get_default_signature_method();
server->services = g_hash_table_new_full(g_str_hash, g_str_equal,
(GDestroyNotify)g_free,
diff --git a/lasso/id-ff/server.h b/lasso/id-ff/server.h
index 8b4192793..5f9022e9d 100644
--- a/lasso/id-ff/server.h
+++ b/lasso/id-ff/server.h
@@ -133,6 +133,8 @@ LASSO_EXPORT gchar *lasso_server_get_endpoint_url_by_id(const LassoServer *serve
LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server,
LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method);
+LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
#ifdef __cplusplus
}
diff --git a/lasso/lasso.c b/lasso/lasso.c
index 087485998..67340317d 100644
--- a/lasso/lasso.c
+++ b/lasso/lasso.c
@@ -149,6 +149,44 @@ lasso_xmlsec_errors_callback(const char *file G_GNUC_UNUSED, int line G_GNUC_UNU
g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
}
+static int
+set_default_signature_method()
+{
+ int rv = LASSO_ERROR_UNDEFINED;
+
+ if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha256")) {
+ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
+ rv = 0;
+ } else if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha1")) {
+ lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ rv = 0;
+ }
+
+ return rv;
+}
+
+static int
+set_min_allowed_hash_algo()
+{
+ int rv = LASSO_ERROR_UNDEFINED;
+
+ if (lasso_strisequal(MIN_HASH_ALGO, "sha1")) {
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ rv = 0;
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha256")) {
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
+ rv = 0;
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha384")) {
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA384);
+ rv = 0;
+ } else if (lasso_strisequal(MIN_HASH_ALGO, "sha512")) {
+ lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA512);
+ rv = 0;
+ }
+
+ return rv;
+}
+
/**
* lasso_init:
*
@@ -164,6 +202,19 @@ int lasso_init()
g_type_init();
#endif
+ /* Set the default hash algo */
+ if (set_default_signature_method() != 0) {
+ message(G_LOG_LEVEL_CRITICAL, "Unsupported signature "
+ "algorithm "DEFAULT_SIGNING_ALGO" configured");
+ return LASSO_ERROR_UNDEFINED;
+ }
+ if (set_min_allowed_hash_algo() != 0) {
+ message(G_LOG_LEVEL_CRITICAL, "Unsupported hash algorithm "
+ "algorithm "MIN_HASH_ALGO" configured");
+ return LASSO_ERROR_UNDEFINED;
+ }
+
+
/* Init Lasso classes */
for (i=0; functions[i]; i++)
functions[i]();
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 290fd55f2..ce322ee1f 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -1505,16 +1505,6 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
- (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha512Id) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha512Id) < 0)
@@ -1523,15 +1513,62 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed signature transforms");
return FALSE;
}
+
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA384) {
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0)) {
+
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 signature transforms");
+ return FALSE;
+ }
+
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) {
+
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha384 reference transforms");
+ return FALSE;
+ }
+ }
+
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA256) {
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0)) {
+
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 signature transforms");
+ return FALSE;
+ }
+
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) {
+
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha256 reference transforms");
+ return FALSE;
+ }
+ }
+
+ if (lasso_get_min_signature_method() <= LASSO_SIGNATURE_METHOD_RSA_SHA1) {
+ if ((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
+ (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
+
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 signature transforms");
+ return FALSE;
+ }
+
+ if (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) {
+
+ message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed sha1 reference transforms");
+ return FALSE;
+ }
+ }
+
if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NWithCommentsId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NWithCommentsId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11Id) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14N11WithCommentsId) < 0) ||
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
- (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index 938844baf..f017ebbe3 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -91,6 +91,10 @@ GHashTable *dst_services_by_prefix = NULL; /* ID-WSF 1 extra DST services, index
GHashTable *idwsf2_dst_services_by_href = NULL; /* ID-WSF 2 DST services, indexed on href */
GHashTable *idwsf2_dst_services_by_prefix = NULL; /* ID-WSF 2 DST services, indexed on prefix */
+
+static LassoSignatureMethod default_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
+static LassoSignatureMethod min_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
+
/*****************************************************************************/
/* global methods */
/*****************************************************************************/
@@ -3689,3 +3693,23 @@ lasso_node_new_from_saml2_query(const char *url_or_qs, const char *param_name, L
cleanup:
return result;
}
+
+LassoSignatureMethod
+lasso_get_default_signature_method() {
+ return default_signature_method;
+}
+
+void
+lasso_set_default_signature_method(LassoSignatureMethod meth) {
+ default_signature_method = meth;
+}
+
+LassoSignatureMethod
+lasso_get_min_signature_method() {
+ return min_signature_method;
+}
+
+void
+lasso_set_min_signature_method(LassoSignatureMethod meth) {
+ min_signature_method = meth;
+}
diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
index 7660a0647..d0d3e1b0d 100644
--- a/lasso/xml/xml.h
+++ b/lasso/xml/xml.h
@@ -116,6 +116,15 @@ typedef enum {
LASSO_SIGNATURE_METHOD_LAST
} LassoSignatureMethod;
+/* signature method and hash strength */
+LassoSignatureMethod lasso_get_default_signature_method();
+
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
+
+LassoSignatureMethod lasso_get_min_signature_method();
+
+void lasso_set_min_signature_method(LassoSignatureMethod meth);
+
static inline gboolean
lasso_validate_signature_method(LassoSignatureMethod signature_method)
{
diff --git a/tests/random_tests.c b/tests/random_tests.c
index fa0367a3c..cf112c7e2 100644
--- a/tests/random_tests.c
+++ b/tests/random_tests.c
@@ -97,7 +97,7 @@ START_TEST(test01_server_new)
fail_unless(server->private_key != NULL);
fail_unless(server->private_key_password == NULL);
fail_unless(server->certificate != NULL);
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
fail_unless(provider->ProviderID != NULL);
fail_unless(provider->role == 0);
fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
@@ -115,7 +115,7 @@ START_TEST(test01_server_new)
fail_unless(server->private_key != NULL);
fail_unless(server->private_key_password == NULL);
fail_unless(server->certificate != NULL);
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
fail_unless(server->providers != NULL);
fail_unless(provider->ProviderID != NULL);
fail_unless(provider->role == 0, "provider->role != 0 => provider := %d", provider->role);
@@ -143,7 +143,7 @@ START_TEST(test02_server_add_provider)
fail_unless(server->private_key != NULL);
fail_unless(! server->private_key_password);
fail_unless(server->certificate != NULL);
- fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ fail_unless(server->signature_method == lasso_get_default_signature_method());
fail_unless(server->providers != NULL);
lasso_server_add_provider(
server,
--
2.26.3

@ -1,162 +0,0 @@
From 0d34c97be1c761a9eb12692e4cc4eac58feb7d19 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 15 Jun 2021 14:45:14 +0200
Subject: [PATCH 4/7] Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with
lasso_get_default_signature_method() (#54037)
This should be backwards-compatible but at the same time use the
selected default instead of RSA-SHA1.
Related:
https://dev.entrouvert.org/issues/54037
---
lasso/id-ff/defederation.c | 2 +-
lasso/id-ff/logout.c | 6 +++---
lasso/id-ff/name_identifier_mapping.c | 4 ++--
lasso/id-ff/name_registration.c | 4 ++--
lasso/id-ff/provider.c | 2 +-
lasso/xml/tools.c | 2 +-
tests/basic_tests.c | 6 +++---
7 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
index d711e4eed..d2382f4ae 100644
--- a/lasso/id-ff/defederation.c
+++ b/lasso/id-ff/defederation.c
@@ -251,7 +251,7 @@ lasso_defederation_init_notification(LassoDefederation *defederation, gchar *rem
nameIdentifier,
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ lasso_get_default_signature_method());
if (profile->msg_relayState) {
message(G_LOG_LEVEL_WARNING,
"RelayState was defined but can't be used "\
diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
index 20d04ed82..d307db586 100644
--- a/lasso/id-ff/logout.c
+++ b/lasso/id-ff/logout.c
@@ -396,7 +396,7 @@ lasso_logout_build_response_msg(LassoLogout *logout)
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 :
LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1));
+ lasso_get_default_signature_method()));
} else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
lasso_assign_new_gobject(profile->response,
lasso_lib_logout_response_new_full(
@@ -608,7 +608,7 @@ lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
nameIdentifier,
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ lasso_get_default_signature_method());
} else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
is_http_redirect_get_method = TRUE;
lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
@@ -990,7 +990,7 @@ lasso_logout_validate_request(LassoLogout *logout)
logout_request,
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1));
+ lasso_get_default_signature_method()));
}
if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
index 80af6fec4..f84020eb6 100644
--- a/lasso/id-ff/name_identifier_mapping.c
+++ b/lasso/id-ff/name_identifier_mapping.c
@@ -259,7 +259,7 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,
targetNamespace,
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ lasso_get_default_signature_method());
if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
}
@@ -458,7 +458,7 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi
request,
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ lasso_get_default_signature_method());
if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
index 11dbf24fe..076cf9624 100644
--- a/lasso/id-ff/name_registration.c
+++ b/lasso/id-ff/name_registration.c
@@ -339,7 +339,7 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,
idpNameIdentifier, spNameIdentifier, oldNameIdentifier,
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ lasso_get_default_signature_method());
if (profile->request == NULL) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
}
@@ -575,7 +575,7 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio
LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),
profile->server->certificate ?
LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
- LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ lasso_get_default_signature_method());
if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
}
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
index 32a907d43..961c3669d 100644
--- a/lasso/id-ff/provider.c
+++ b/lasso/id-ff/provider.c
@@ -1274,7 +1274,7 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
if (public_key != NULL) {
xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
+ lasso_get_default_signature_method(), NULL);
if (key) {
lasso_list_add_new_sec_key(keys, key);
} else {
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index ce322ee1f..cf6dade09 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -2746,7 +2746,7 @@ next:
content = xmlNodeGetContent(key_value);
if (content) {
result = lasso_xmlsec_load_private_key_from_buffer((char*)content,
- strlen((char*)content), NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
+ strlen((char*)content), NULL, lasso_get_default_signature_method(), NULL);
xmlFree(content);
}
}
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index f9cfef266..0652abc28 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -2008,16 +2008,16 @@ START_TEST(test14_lasso_key)
check_true(g_file_get_contents(TESTSDATADIR "sp1-la/private-key-raw.pem", &buffer, &length, NULL));
check_not_null(key = lasso_key_new_for_signature_from_memory(buffer,
- length, NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
+ length, NULL, lasso_get_default_signature_method(),
NULL));
lasso_release_gobject(key);
check_not_null(key = lasso_key_new_for_signature_from_file(TESTSDATADIR
- "sp1-la/private-key-raw.pem", NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
+ "sp1-la/private-key-raw.pem", NULL, lasso_get_default_signature_method(),
NULL));
lasso_release_gobject(key);
base64_encoded = g_base64_encode(BAD_CAST buffer, length);
check_not_null(key = lasso_key_new_for_signature_from_base64_string(base64_encoded, NULL,
- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL));
+ lasso_get_default_signature_method(), NULL));
lasso_release_string(base64_encoded);
lasso_release_string(buffer);
lasso_release_gobject(key);
--
2.26.3

@ -1,160 +0,0 @@
From f9a3aca0cb31a412faae25dd9fdbbf3fb61cb62f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 15 Jun 2021 15:08:44 +0200
Subject: [PATCH 5/7] Check if the signature method is allowed in addition to
being valid (#54037)
Adds a new utility function lasso_allowed_signature_method() that checks
if the signature method is allowed. Previously, the code would only
check if the method was valid.
This new function is used whenever lasso_validate_signature_method was
previously used through lasso_ok_signature_method() which wraps both
validate and allowed.
lasso_allowed_signature_method() is also used on a couple of places,
notably lasso_query_verify_helper().
Related:
https://dev.entrouvert.org/issues/54037
---
lasso/id-ff/server.c | 4 ++--
lasso/saml-2.0/profile.c | 4 ++--
lasso/xml/tools.c | 11 ++++++++++-
lasso/xml/xml.c | 5 +++--
lasso/xml/xml.h | 13 +++++++++++++
5 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
index 2bf5b7a8c..98a6c0214 100644
--- a/lasso/id-ff/server.c
+++ b/lasso/id-ff/server.c
@@ -909,7 +909,7 @@ lasso_server_get_signature_context_for_provider(LassoServer *server,
private_context = &provider->private_data->signature_context;
}
- if (private_context && lasso_validate_signature_method(private_context->signature_method)) {
+ if (private_context && lasso_ok_signature_method(private_context->signature_method)) {
lasso_assign_signature_context(*signature_context, *private_context);
} else {
rc = lasso_server_get_signature_context(server, signature_context);
@@ -1014,7 +1014,7 @@ lasso_server_export_to_query_for_provider_by_name(LassoServer *server, const cha
provider_id, &context));
query = lasso_node_build_query(node);
goto_cleanup_if_fail_with_rc(query, LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
- if (lasso_validate_signature_method(context.signature_method)) {
+ if (lasso_ok_signature_method(context.signature_method)) {
lasso_assign_new_string(query, lasso_query_sign(query, context));
}
goto_cleanup_if_fail_with_rc(query,
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 85f535ae0..412c391a6 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -1181,7 +1181,7 @@ lasso_saml20_profile_export_to_query(LassoProfile *profile, LassoNode *msg, char
"see #3.4.3 of saml-bindings-2.0-os");
}
}
- if (lasso_validate_signature_method(context.signature_method)) {
+ if (lasso_ok_signature_method(context.signature_method)) {
result = lasso_query_sign(unsigned_query, context);
goto_cleanup_if_fail_with_rc(result != NULL,
LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
@@ -1219,7 +1219,7 @@ lasso_saml20_profile_build_http_redirect(LassoProfile *profile,
goto_cleanup_if_fail_with_rc (url != NULL, LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
/* if message is signed, remove XML signature, add query signature */
lasso_assign_signature_context(context, lasso_node_get_signature(msg));
- if (lasso_validate_signature_method(context.signature_method)) {
+ if (lasso_ok_signature_method(context.signature_method)) {
lasso_node_remove_signature(msg);
}
lasso_check_good_rc(lasso_saml20_profile_export_to_query(profile, msg, &query, context));
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index cf6dade09..077b1134d 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -499,7 +499,7 @@ lasso_query_sign(char *query, LassoSignatureContext context)
lasso_error_t rc = 0;
g_return_val_if_fail(query != NULL, NULL);
- g_return_val_if_fail(lasso_validate_signature_method(context.signature_method), NULL);
+ g_return_val_if_fail(lasso_ok_signature_method(context.signature_method), NULL);
key = context.signature_key;
sign_method = context.signature_method;
@@ -804,6 +804,12 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
} else {
goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
}
+
+ /* is the signature algo allowed */
+ goto_cleanup_if_fail_with_rc(
+ lasso_allowed_signature_method(method),
+ LASSO_DS_ERROR_INVALID_SIGALG);
+
/* decode signature */
signature = g_malloc(key_size+1);
goto_cleanup_if_fail_with_rc(
@@ -2434,6 +2440,9 @@ _lasso_xmlsec_load_key_from_buffer(const char *buffer, size_t length, const char
};
xmlSecKey *private_key = NULL;
+ /* is the signature algo allowed */
+ goto_cleanup_if_fail(lasso_allowed_signature_method(signature_method));
+
xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
switch (signature_method) {
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index f017ebbe3..49574de68 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -824,7 +824,7 @@ lasso_legacy_extract_and_copy_signature_parameters(LassoNode *node, LassoNodeCla
node_data->sign_method_offset);
private_key_file = G_STRUCT_MEMBER(char *, node, node_data->private_key_file_offset);
certificate_file = G_STRUCT_MEMBER(char *, node, node_data->certificate_file_offset);
- if (! lasso_validate_signature_method(signature_method)) {
+ if (! lasso_ok_signature_method(signature_method)) {
return FALSE;
}
if (lasso_node_set_signature(node,
@@ -1873,10 +1873,11 @@ lasso_node_impl_init_from_xml(LassoNode *node, xmlNode *xmlnode)
int what;
if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
BAD_CAST LASSO_LIB_HREF, &what,
- LASSO_SIGNATURE_METHOD_RSA_SHA1,
+ lasso_get_min_signature_method(),
LASSO_SIGNATURE_METHOD_LAST))
break;
method = what;
+
if (! lasso_get_integer_attribute(xmlnode, LASSO_SIGNATURE_METHOD_ATTRIBUTE,
BAD_CAST LASSO_LIB_HREF, &what, LASSO_SIGNATURE_TYPE_NONE+1,
LASSO_SIGNATURE_TYPE_LAST))
diff --git a/lasso/xml/xml.h b/lasso/xml/xml.h
index d0d3e1b0d..60c04eae5 100644
--- a/lasso/xml/xml.h
+++ b/lasso/xml/xml.h
@@ -132,6 +132,19 @@ lasso_validate_signature_method(LassoSignatureMethod signature_method)
&& signature_method < (LassoSignatureMethod)LASSO_SIGNATURE_METHOD_LAST;
}
+static inline gboolean
+lasso_allowed_signature_method(LassoSignatureMethod signature_method)
+{
+ return signature_method >= lasso_get_min_signature_method();
+}
+
+static inline gboolean
+lasso_ok_signature_method(LassoSignatureMethod signature_method)
+{
+ return lasso_validate_signature_method(signature_method) \
+ && lasso_allowed_signature_method(signature_method);
+}
+
typedef struct _LassoNode LassoNode;
typedef struct _LassoNodeClass LassoNodeClass;
typedef struct _LassoNodeClassData LassoNodeClassData;
--
2.26.3

@ -0,0 +1,382 @@
From 12a3f6c10ee3d5f321a751cf6c4cb7f63313582e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 13 Jun 2019 13:03:04 +0200
Subject: [PATCH] tests: use self-generated certificate to sign federation
metadata file (#33823)
---
tests/basic_tests.c | 13 +---
tests/data/lasso.crt | 23 +++++++
tests/data/lasso.csr | 15 ++++
tests/data/lasso.key | 27 ++++++++
.../metadata/metadata-federation-renater.crt | 15 ----
tests/data/metadata/renater-metadata.xml | 69 +++++++++++--------
tests/data/rootCA.crt | 32 +++++++++
tests/data/rootCA.key | 51 ++++++++++++++
tests/data/rootCA.srl | 1 +
9 files changed, 192 insertions(+), 54 deletions(-)
create mode 100644 tests/data/lasso.crt
create mode 100644 tests/data/lasso.csr
create mode 100644 tests/data/lasso.key
delete mode 100644 tests/data/metadata/metadata-federation-renater.crt
create mode 100644 tests/data/rootCA.crt
create mode 100644 tests/data/rootCA.key
create mode 100644 tests/data/rootCA.srl
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index c08cab69..84999a17 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -1983,24 +1983,13 @@ START_TEST(test13_test_lasso_server_load_metadata)
block_lasso_logs;
check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
TESTSDATADIR "/metadata/renater-metadata.xml",
- TESTSDATADIR "/metadata/metadata-federation-renater.crt",
+ TESTSDATADIR "/rootCA.crt",
&blacklisted_1, &loaded_entity_ids,
LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
unblock_lasso_logs;
check_equals(g_hash_table_size(server->providers), 110);
check_equals(g_list_length(loaded_entity_ids), 110);
-#if 0
- /* UK federation file are too big to distribute (and I don't even known if it's right to do
- * it, disable this test for now ) */
- check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
- TESTSDATADIR "/ukfederation-metadata.xml",
- TESTSDATADIR "/ukfederation.pem",
- &blacklisted_1, &loaded_entity_ids,
- LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
- check_equals(g_list_length(loaded_entity_ids), 283);
- check_equals(g_hash_table_size(server->providers), 393);
-#endif
lasso_release_list_of_strings(loaded_entity_ids);
lasso_release_gobject(server);
diff --git a/tests/data/lasso.crt b/tests/data/lasso.crt
new file mode 100644
index 00000000..568a0b9c
--- /dev/null
+++ b/tests/data/lasso.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6zCCAdMCFALT+lN2uLJWF7p2xOo65/5KwxixMA0GCSqGSIb3DQEBCwUAMEUx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwIBcNMTkwNjExMDc0NTU2WhgPMjI5MzAzMjUw
+NzQ1NTZaMB0xCzAJBgNVBAYTAkZSMQ4wDAYDVQQDDAVMYXNzbzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOIS/WATGMJsv7OvgrjpYmAW3RmojVp4cHi0
+17HelWVZ5adX3zSljecmpb1UQcBNzEDb15tOnNO708O94fFLWiWRfjYWa1QYOLkZ
+6kHAR2yJTkhBNQl326K6BnJkWoCsErkXa1608+6+rXR+9KchB/lLSY3Dqh8L6N7s
+qE+xyD1Z8HM3mHs9CM4crIpCPaZ80/yNfBPqPA2Zv4uIBrwSF32rPnh1ciJuIKQg
+jnCQOaKC2j+VsytgthriI0PVRzC7WPAJReQa65N/i721jG6rPecwVcCS9G6cmG+s
+pq6GERUe7nFVdNZ5sRzNsGuDpEdmeCS1pCPtW2hufm8vqvtw9ZkCAwEAATANBgkq
+hkiG9w0BAQsFAAOCAgEAfbHk+QNvLYDNlqwwlu5+88/3CcEx+s1voXOBTxgyIAR2
+NVKkO7dAW5me51jPPZhy+xC4i+AAeLW5JGwirM5LDgU+9P02JBsZ4OoZI3pBAZ5m
+GrmxrMm6q+9mJ+6bMHolfBNN6hoaWeJiknvc1Id7o0Dh4PbdV7r6ISuXisDb/1je
+tmzxoFuXhmDwwHMTG7eUORVFEgS8V5NNKMv16BeWNDohJVP6icxwoi5JswUl+vfO
+rvIwx2GAJ2EQAbSZv5ADFQ4/vxeopULgLnblc3BwVG4RTT7plNgT2iXP8YwmEGKb
+JDHRVFUo1tX6EKkBUI9AgETrdUnLq6XxP11JmrqNL9oOHw+hGb5vT1wyn6FFxZo2
+BVgfqdiGbjcs1bTKeQAZKuhaW90oV6+yYD6WtWn/LfHnftAJivALkmUk+XaSqqbO
+FxuyRsz9C/yq0azr6IkCWhGwBYoLvf2CrvovSYpPXefeQ+1yXNDW7bvfAQfOO9xk
+SqQi4cYJw9hNqTk2f61x6UX/o8wKVhXEHyaCr9lVLNpCK0Uy07f3zkubx1mW5PST
+ITSnD8sPD7iMyGOJa5tQJ8W5u2NJT6qo52Jubgc8PapkOoYyEhUaTQEb8RN6D3oD
+xc8cCKn4HUtpkJKgxYhQDtsomJp2RK7lzjVPXAlFUmld88WgqdJwp9GSvMEktA0=
+-----END CERTIFICATE-----
diff --git a/tests/data/lasso.csr b/tests/data/lasso.csr
new file mode 100644
index 00000000..c450e1b4
--- /dev/null
+++ b/tests/data/lasso.csr
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICYjCCAUoCAQAwHTELMAkGA1UEBhMCRlIxDjAMBgNVBAMMBUxhc3NvMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4hL9YBMYwmy/s6+CuOliYBbdGaiN
+WnhweLTXsd6VZVnlp1ffNKWN5yalvVRBwE3MQNvXm06c07vTw73h8UtaJZF+NhZr
+VBg4uRnqQcBHbIlOSEE1CXfboroGcmRagKwSuRdrXrTz7r6tdH70pyEH+UtJjcOq
+Hwvo3uyoT7HIPVnwczeYez0IzhysikI9pnzT/I18E+o8DZm/i4gGvBIXfas+eHVy
+Im4gpCCOcJA5ooLaP5WzK2C2GuIjQ9VHMLtY8AlF5Brrk3+LvbWMbqs95zBVwJL0
+bpyYb6ymroYRFR7ucVV01nmxHM2wa4OkR2Z4JLWkI+1baG5+by+q+3D1mQIDAQAB
+oAAwDQYJKoZIhvcNAQELBQADggEBAJcoM7bn2yEElJjpX8mYuawWwlNdLOCyIPCc
+tr6b61CmVDVntWw61fExrg+n1b5uOVuUAEaYNutw6nypzrfvr4wjGKxbl/jTSJCM
+WHLl0/+IGQgr41SbRaySA1Y1hdJEd1ummH07sd7FfQNN/T/zLGaM0CI2/yj89VRk
+BJwiSwbFp1zqntoITQPjo/vpWAqahqNpSKR+C5l1f870wVI2wPg89McRw35EACdx
+Pys8g15+3eKBRTD24eOSWDAL4iDz1jh8ejwtuPjZCQRgg7pkV7uK9Qq4XbStW8AR
+JftZ9BBmUOkpdTY0ml6uNojI5u3J/A8KL0UHeiOGLzEy6l64qjE=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data/lasso.key b/tests/data/lasso.key
new file mode 100644
index 00000000..d6ee4142
--- /dev/null
+++ b/tests/data/lasso.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4hL9YBMYwmy/s6+CuOliYBbdGaiNWnhweLTXsd6VZVnlp1ff
+NKWN5yalvVRBwE3MQNvXm06c07vTw73h8UtaJZF+NhZrVBg4uRnqQcBHbIlOSEE1
+CXfboroGcmRagKwSuRdrXrTz7r6tdH70pyEH+UtJjcOqHwvo3uyoT7HIPVnwczeY
+ez0IzhysikI9pnzT/I18E+o8DZm/i4gGvBIXfas+eHVyIm4gpCCOcJA5ooLaP5Wz
+K2C2GuIjQ9VHMLtY8AlF5Brrk3+LvbWMbqs95zBVwJL0bpyYb6ymroYRFR7ucVV0
+1nmxHM2wa4OkR2Z4JLWkI+1baG5+by+q+3D1mQIDAQABAoIBAClNONcFhh93CKrG
+JMatdJiDdM9MOM7PdBTJTSKkvHxwqQEij5epqzwQlnT5YK3GSMuMnl40RXh1NyHq
+nc2ca5KzevBctiz949cFQgPTIflVOGUA7LSXHhwjiiv544LgbOc9vRLnUi1Kzpua
+2g1yfmdv9rcciQb1AQ1BBRrSKvfyD410KojJXwunYx32hrHdnhPwC3xyg6BEMpq9
+PtcnTvFY/iDeyzYLwAwJb2xdTCpg7okd1KthtohS740Y0uS+UVaEDK7xOIj+CNIq
+ii+j0fv5N5fjke8TdUszLWkDYQQ9BTJWFOjJ72FZs9J8pk7RlNhnt6tEoZ6866+w
+nprmJwUCgYEA9VWT0FswnSnm+lkRP7vc/SJYTg6zD2BrGOKEo58L8TObb242G+Fs
+JteMvdVm14GublmqXZv6Md5x5iVh3kRlu+8dbM5WnBNpwt6mGZPK7if5K/X1qiJg
+BeroAX/KuVjSHBYVDFfHqPQg146RFcj/q7aCsqc+aMwgdUZ8OlBjRf8CgYEA6+cP
+GG9VOlXWZ2RzSBoKrvxJgSQRpgVXeJAr1BWZ+pJVGIft3zSbeJ30nsUuob61UDVH
+g6HzjOUQWHyK4wq2gyK3kOw/Aii6z4REXDVMVq3OgqaE4Fw+MH31ci8JILU415ZY
+DQGo++E87tbSgp32gqou7Aj7Y4Sfvx+V/da4NGcCgYAv+tGSsRLb2cMLePnPnh0F
+AH+GnIdWXYP0dPB903ARdwdSDprUbwyouAUVZzPat8j2WeDgt82BjUB3Qx5Vysie
+rY/ypJP5qC5J5yNS4z2PwA+SEmM+J8Thw2QmTujFwOIujf8Fz/EDUONPZNlpCks+
+OM5sxBqHgkxiwysueGRB3wKBgQCWwXDaMrwKrbR5Gq65kzrknQH0b7J/oMZHnAsG
+XE+s3DtZk/SmQh5hNMCRfn3Qi+mfOo1bR/I3RmPtyJmRgtUkdNlO2kth+9l2qJZv
+PvhsJGLnB7e/EfQEVVq3/+sbZfTPgZr/pOHzJfwkvlCFfKF+23dlDFBrRuQ35d2a
+/M93XQKBgQCmAatw/7+z/CS6HinOW7W4k77eQ4wHb8XwzTl8T/5mf6KzejDUuEpZ
+hi4ZMAZqNywiJo7UOu6APVzRU7qF6Dbg4eIZWtIocMhp19kUArAPz7NcrghXsTIZ
+UdBWeG3kgUa5Q6d/D2OpWHK9S8LRdUL4/H0WZoqDOoDpJwKpljevyg==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data/metadata/metadata-federation-renater.crt b/tests/data/metadata/metadata-federation-renater.crt
deleted file mode 100644
index b6117441..00000000
--- a/tests/data/metadata/metadata-federation-renater.crt
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICZTCCAc6gAwIBAgIEScn+qTANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJG
-UjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNhdCBkZSBzaWdu
-YXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9uIEVkdWNhdGlv
-bi1SZWNoZXJjaGUwHhcNMDkwMzI1MDk1MTM3WhcNMTkwMzIzMDk1MTM3WjB3MQsw
-CQYDVQQGEwJGUjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNh
-dCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0aW9u
-IEVkdWNhdGlvbi1SZWNoZXJjaGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
-AJBXcLIguokGiytYSOrgmU6fN+1DXK4eaquvFGMaswuhcRPD4tXtSs8CGxPP8/VF
-Mpcry04lfPA3mpwDis47hsvmLqGJVmfSuvkDsPx+I325h4WqGzEV8kfttkJSi8D0
-QLKk9wseA+BHzoBpU6e5uWmGqfWJgbZlcUuYKCIE2nL/AgMBAAEwDQYJKoZIhvcN
-AQEFBQADgYEAT0rUS5GTtqW9a0pAv0PjieSS6bW3KG3Mtn0jC1dmav6X9fbhhmFL
-1XSC9WnCU2UD3986EWWYKhN2INHghHE/fQGveVwdcVSSt601OpAsUF18tx0vHqkf
-Shcj7mteq59Gv4hOE8U1Urd/pSRaIO3G42X6/L/AlXeDkicfGZHhq7Q=
------END CERTIFICATE-----
diff --git a/tests/data/metadata/renater-metadata.xml b/tests/data/metadata/renater-metadata.xml
index 868f9259..70517100 100644
--- a/tests/data/metadata/renater-metadata.xml
+++ b/tests/data/metadata/renater-metadata.xml
@@ -1,4 +1,5 @@
-<?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="https://federation.renater.fr/" validUntil="2011-05-23T14:24:02Z" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<?xml version="1.0" encoding="UTF-8"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Name="https://federation.renater.fr/" validUntil="2011-05-23T14:24:02Z" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
@@ -11,36 +12,50 @@
<ds:DigestValue>AIDrFyG3G6IpXdapls2LeP2Awt8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
-<ds:SignatureValue>
-Mb7C8CsvA6UNnLN+LHCoOG7+c1CYQtUMm+o3p31niDfRcDcCDtuZ521FGM6p6ki6fS8HlncK0Q+h
-7rpXNeD2dY12FU94vI5wfF6m89pRs6QYE4O13HPDDZvhRZY+BX4+fqg6tsRz8NRaFS/xvxSzzPzO
-dsOrE6R2/QhrcaF1PnA=
-</ds:SignatureValue>
+<ds:SignatureValue>a47ZynaE+fXQFr2QkjjNsPoWhG0Lbed36MZ2/1jNygD2Ck3zYNSBxFTNI0bhZSi+
+sYefYhnYDqpz785/90Ym3hVL+olMZ8z7NLlkeDKCScNCi1436j/W4voR0jez3BkA
+IrMW2p4eUtSwfTHRazMtRacQrwTk3JAbShXuWU7fVnRI4t8oa8t43rf2hz+rRG8F
+SizMOyyHMak13jaVCmX5qoaO4OWmqs2GhXsx8hRfzJ8o6w417InTLWcuIRNw1/zm
+6O6H1as6nmKv34SppCiwdGrTpT6i3/zB3j9Hw7iyuvTF5bbaF+7MMsW/pjw5VOF8
+lmNqhsCFdu+JsaTFBIB2Fg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
-kFdwsiC6iQaLK1hI6uCZTp837UNcrh5qq68UYxqzC6FxE8Pi1e1KzwIbE8/z9UUylyvLTiV88Dea
-nAOKzjuGy+YuoYlWZ9K6+QOw/H4jfbmHhaobMRXyR+22QlKLwPRAsqT3Cx4D4EfOgGlTp7m5aYap
-9YmBtmVxS5goIgTacv8=
+4hL9YBMYwmy/s6+CuOliYBbdGaiNWnhweLTXsd6VZVnlp1ffNKWN5yalvVRBwE3M
+QNvXm06c07vTw73h8UtaJZF+NhZrVBg4uRnqQcBHbIlOSEE1CXfboroGcmRagKwS
+uRdrXrTz7r6tdH70pyEH+UtJjcOqHwvo3uyoT7HIPVnwczeYez0IzhysikI9pnzT
+/I18E+o8DZm/i4gGvBIXfas+eHVyIm4gpCCOcJA5ooLaP5WzK2C2GuIjQ9VHMLtY
+8AlF5Brrk3+LvbWMbqs95zBVwJL0bpyYb6ymroYRFR7ucVV01nmxHM2wa4OkR2Z4
+JLWkI+1baG5+by+q+3D1mQ==
</ds:Modulus>
-<ds:Exponent>AQAB</ds:Exponent>
+<ds:Exponent>
+AQAB
+</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
-<ds:X509Certificate>
-MIICZTCCAc6gAwIBAgIEScn+qTANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJGUjEQMA4GA1UE
-ChMHUkVOQVRFUjFWMFQGA1UEAxNNQ2VydGlmaWNhdCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9u
-bmVlcyBkZSBsYSBmZWRlcmF0aW9uIEVkdWNhdGlvbi1SZWNoZXJjaGUwHhcNMDkwMzI1MDk1MTM3
-WhcNMTkwMzIzMDk1MTM3WjB3MQswCQYDVQQGEwJGUjEQMA4GA1UEChMHUkVOQVRFUjFWMFQGA1UE
-AxNNQ2VydGlmaWNhdCBkZSBzaWduYXR1cmUgZGVzIG1ldGEgZG9ubmVlcyBkZSBsYSBmZWRlcmF0
-aW9uIEVkdWNhdGlvbi1SZWNoZXJjaGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJBXcLIg
-uokGiytYSOrgmU6fN+1DXK4eaquvFGMaswuhcRPD4tXtSs8CGxPP8/VFMpcry04lfPA3mpwDis47
-hsvmLqGJVmfSuvkDsPx+I325h4WqGzEV8kfttkJSi8D0QLKk9wseA+BHzoBpU6e5uWmGqfWJgbZl
-cUuYKCIE2nL/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAT0rUS5GTtqW9a0pAv0PjieSS6bW3KG3M
-tn0jC1dmav6X9fbhhmFL1XSC9WnCU2UD3986EWWYKhN2INHghHE/fQGveVwdcVSSt601OpAsUF18
-tx0vHqkfShcj7mteq59Gv4hOE8U1Urd/pSRaIO3G42X6/L/AlXeDkicfGZHhq7Q=
-</ds:X509Certificate>
+<ds:X509Certificate>MIID6zCCAdMCFALT+lN2uLJWF7p2xOo65/5KwxixMA0GCSqGSIb3DQEBCwUAMEUx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwIBcNMTkwNjExMDc0NTU2WhgPMjI5MzAzMjUw
+NzQ1NTZaMB0xCzAJBgNVBAYTAkZSMQ4wDAYDVQQDDAVMYXNzbzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOIS/WATGMJsv7OvgrjpYmAW3RmojVp4cHi0
+17HelWVZ5adX3zSljecmpb1UQcBNzEDb15tOnNO708O94fFLWiWRfjYWa1QYOLkZ
+6kHAR2yJTkhBNQl326K6BnJkWoCsErkXa1608+6+rXR+9KchB/lLSY3Dqh8L6N7s
+qE+xyD1Z8HM3mHs9CM4crIpCPaZ80/yNfBPqPA2Zv4uIBrwSF32rPnh1ciJuIKQg
+jnCQOaKC2j+VsytgthriI0PVRzC7WPAJReQa65N/i721jG6rPecwVcCS9G6cmG+s
+pq6GERUe7nFVdNZ5sRzNsGuDpEdmeCS1pCPtW2hufm8vqvtw9ZkCAwEAATANBgkq
+hkiG9w0BAQsFAAOCAgEAfbHk+QNvLYDNlqwwlu5+88/3CcEx+s1voXOBTxgyIAR2
+NVKkO7dAW5me51jPPZhy+xC4i+AAeLW5JGwirM5LDgU+9P02JBsZ4OoZI3pBAZ5m
+GrmxrMm6q+9mJ+6bMHolfBNN6hoaWeJiknvc1Id7o0Dh4PbdV7r6ISuXisDb/1je
+tmzxoFuXhmDwwHMTG7eUORVFEgS8V5NNKMv16BeWNDohJVP6icxwoi5JswUl+vfO
+rvIwx2GAJ2EQAbSZv5ADFQ4/vxeopULgLnblc3BwVG4RTT7plNgT2iXP8YwmEGKb
+JDHRVFUo1tX6EKkBUI9AgETrdUnLq6XxP11JmrqNL9oOHw+hGb5vT1wyn6FFxZo2
+BVgfqdiGbjcs1bTKeQAZKuhaW90oV6+yYD6WtWn/LfHnftAJivALkmUk+XaSqqbO
+FxuyRsz9C/yq0azr6IkCWhGwBYoLvf2CrvovSYpPXefeQ+1yXNDW7bvfAQfOO9xk
+SqQi4cYJw9hNqTk2f61x6UX/o8wKVhXEHyaCr9lVLNpCK0Uy07f3zkubx1mW5PST
+ITSnD8sPD7iMyGOJa5tQJ8W5u2NJT6qo52Jubgc8PapkOoYyEhUaTQEb8RN6D3oD
+xc8cCKn4HUtpkJKgxYhQDtsomJp2RK7lzjVPXAlFUmld88WgqdJwp9GSvMEktA0=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
@@ -1277,7 +1292,7 @@ Ugr24VE4pUTqq2xGSOazVN0EKSqULXvM9ZHupGDCJmRH4P3H/X4w8Cq5Y6c0pDtJ
<!-- source : http://idpdisc.tge-adonis.fr/exportmetadata.xml -->
- <EntityDescriptor entityID="https://opensso.tge-adonis.fr:8443/opensso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+ <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://opensso.tge-adonis.fr:8443/opensso">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -8584,7 +8599,7 @@ f6ou5oRTltOZOUJfXI1XMhAUNnU7zQvrFeoGrRzGv3zq8AieXbRyWhXY1Eo1mPpS
$Id: renater.xml,v 1.4 2011/03/30 13:23:00 rdc Exp $
generated at Wed Mar 30 14:18:20 2011
by %Id: shib-config,v 1.6 2010/09/10 15:10:15 pmh Exp %
- --><EntityDescriptor entityID="https://ticket.iop.org/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+ --><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ticket.iop.org/shibboleth">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -15545,7 +15560,7 @@ oZQx
<!-- source : http://science.thomsonreuters.com/m/xml/SP-Metadata.xml -->
- <!-- Thomson Reuters 23.08.2010 --><!-- *************************************** --><!-- SP https://sp.tshhosting.com/shibboleth --><!-- *************************************** --><EntityDescriptor entityID="https://sp.tshhosting.com/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+ <!-- Thomson Reuters 23.08.2010 --><!-- *************************************** --><!-- SP https://sp.tshhosting.com/shibboleth --><!-- *************************************** --><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.tshhosting.com/shibboleth">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<Extensions>
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://www.isiknowledge.com/" index="1"/>
@@ -30065,4 +30080,4 @@ ihb/MX5UR6g83EMmqZsFt57ANEORMNQywxFa4Q==
-</EntitiesDescriptor>
\ No newline at end of file
+</EntitiesDescriptor>
diff --git a/tests/data/rootCA.crt b/tests/data/rootCA.crt
new file mode 100644
index 00000000..a31c99a2
--- /dev/null
+++ b/tests/data/rootCA.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFbTCCA1WgAwIBAgIUJD9pAmQfrAv6NLPnweO4XUdIbzkwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0xOTA2MTEwNzQzNTVaGA8yMjkz
+MDMyNTA3NDM1NVowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAJuPnHwxmpRquFkFok4VkO39j5NT2a8+Wfp8zYnh
+qLt3CG3oDyFftWyF97NJYoxDPbio2fVYJiBKutDOMYPsJfrd4SoqcDOGOAdfkNl9
+SEhCnzrzlOj6ZcDoNTG0IvKh+NzLgfpU1wggyLW2ZXwvwf8hNGW9YR1i8XY5TSmt
+0z9Dawsg2QAyYjoemUeDOVWEFWISmXySC2osXGANcOaaFMEv1Ryj5HWHzcCVZZ0g
+UBG9iDZqewDvPg+SRvC2k16coeRjsSstHzVqBxOWpp5Oium39K8jXV6jG+JkFn49
+C2RBldpajbPhvHKOdtJeID20njgmfCRZB/KfQGPPf8xXk4wBTxPU9L8wKy370unZ
+P4WD1vq35KfPsiUdlavzqYkOkI20iWIZO6853oSPlJ4zmBVNXP8VhQm0h2VovNH+
+Zde4vaPtQXPwwNbCvBItu5m1uaigPgRycBJV8M0gdliAICfCMeSwQDrhkX6ck17n
+uBpxBTCn9GEFN/+7miNH/roH03NHU3vciqTAi1MrDA3jfOZkYBC/Cd5AmsMc6NTO
+Xc57mFwuZ+BmQI6w1ddL5e+5Y/DA57VexfTdG+/TpS+D9oBJUmaczkAG+27YKs8f
+mJKoTSPULjXK8pwwcBMk8HuS5bt6fBBmqbJb8bwXceEHCBg7WCYNmXy5lXwUUwAh
+NDwDAgMBAAGjUzBRMB0GA1UdDgQWBBRWppx3mP/hCh9ZLKZfwGBeg1wiPjAfBgNV
+HSMEGDAWgBRWppx3mP/hCh9ZLKZfwGBeg1wiPjAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4ICAQAWfNrX65UUI55f0A8svSIUVy8c7YjX8P70xMWq7Cpe
+tRPo8C98JCr8MtUaAx6VFx4sjHyCPmEIIf+u7aDxRhrxpqAQAQl5me8OxqwmOxKu
+I7WeRrjAvOux52xfjqtm36fx9SUDu94ox5LdG+NNtG29AbLZeAs4pe4qVqH1GQb9
+fw3lvxwKV+AovpVZ7eXyscfSvKWi4rgzVJl27me/rgLZsVYJ2gAjTI77vGN1G0ro
+q2iaTvEALHlzhKepVg1IAJAGJLSZegcK3zwWOqZzkL77De6Z3+zbxwNopcy/CGEs
+9v9gDyL1LeAJ3o/dehvPiqMWogTVO6X77sNIiiu41sdaWSTiFllmyO+hQqS69R68
+NOe+uAP1+taLhD16kp7XHS0MIXEPaQbEgrXtqb163oMJSAaok3xXNyRJ7ZNMS4CT
+0QJE15PpnbRYoQOf4QrrsDmpl2ybU7MR9uOj64qVSvUtBcq1w7ljPStbkN7F7OOU
+pepVvNaWe820kgQ/l9tu1WY9D7PFGP6iWY4AwdxcpWwlJnIr104X3PQ0Y5/msYVs
+zEnqaNiEOnbmTZUvn5jJOwh8DWUo+LffRQx/PoZlhZ/L/L3RtpGUV2E+E5Gzqs7W
+gey9iG11CVcvK/wdCj0zhW/XpesQuwinIMawGS6G92igHo+AFjJoGaGiw3jYdep8
+CA==
+-----END CERTIFICATE-----
diff --git a/tests/data/rootCA.key b/tests/data/rootCA.key
new file mode 100644
index 00000000..6b39fb45
--- /dev/null
+++ b/tests/data/rootCA.key
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEAm4+cfDGalGq4WQWiThWQ7f2Pk1PZrz5Z+nzNieGou3cIbegP
+IV+1bIX3s0lijEM9uKjZ9VgmIEq60M4xg+wl+t3hKipwM4Y4B1+Q2X1ISEKfOvOU
+6PplwOg1MbQi8qH43MuB+lTXCCDItbZlfC/B/yE0Zb1hHWLxdjlNKa3TP0NrCyDZ
+ADJiOh6ZR4M5VYQVYhKZfJILaixcYA1w5poUwS/VHKPkdYfNwJVlnSBQEb2INmp7
+AO8+D5JG8LaTXpyh5GOxKy0fNWoHE5amnk6K6bf0ryNdXqMb4mQWfj0LZEGV2lqN
+s+G8co520l4gPbSeOCZ8JFkH8p9AY89/zFeTjAFPE9T0vzArLfvS6dk/hYPW+rfk
+p8+yJR2Vq/OpiQ6QjbSJYhk7rznehI+UnjOYFU1c/xWFCbSHZWi80f5l17i9o+1B
+c/DA1sK8Ei27mbW5qKA+BHJwElXwzSB2WIAgJ8Ix5LBAOuGRfpyTXue4GnEFMKf0
+YQU3/7uaI0f+ugfTc0dTe9yKpMCLUysMDeN85mRgEL8J3kCawxzo1M5dznuYXC5n
+4GZAjrDV10vl77lj8MDntV7F9N0b79OlL4P2gElSZpzOQAb7btgqzx+YkqhNI9Qu
+NcrynDBwEyTwe5Llu3p8EGapslvxvBdx4QcIGDtYJg2ZfLmVfBRTACE0PAMCAwEA
+AQKCAgBPPweu1O40cXFcGFyofqAIPUWo/exFM/ROgMmMViLI7UikBLXAgKtBj7Wx
+5c6IObD1oz71l2REyw0EViYvWFu4wtNz0Y67EML2Lp7xzLrH5PiM5Y2UagrwDNsc
+aPHsvMq0YA/k4NdyUpEs0LA+ZW3kdJvmwGT6vW7YlTRT6TNWZRfg4WjqisAzb2cS
+YS0R/WmPPn5mUVfzTIn6fJ5pO1EbYSylnHBD11zfoLvVIaLohq8fWXsz7Kym7hOp
+iLjmV9C5MngM0L23Tj4womxa9RQbIBVMKy3jiiAoYmh7AsoM1sRqKftKCdMgYKbz
+X/P4u0xmumQ/eANue+YncoteI7cLrjps1RUeodmRgxLt0KHbTW4X35Fd6yI+Nxts
+13aA6J/WusELQYigBXG3cHOfxfOMkqjdVozReF+QzsAJFXQwV4lQhsdlkVjnMWB9
+iotUVj9X8SWHktBnCHmuyuQoyJIxwM6cBLv1bJCpdiGcJJrtPgTwI3ybjVDlsVpE
+A2EaWiH2UDnzmI2OXy2BaOmLoYzV3kYLhd1zG2q2rLDd70kzOHJJmTOp8xFzZVOA
+74IbdWb6J3C6o7F8IFK+1strw6ADDINEyg+zoIbNUGVyvGI90Xak+7k8KgGWSplw
+318k0xyh6hu9HU/wWHE2WObjIWKnzDHnt917dJkyMazyC2x3wQKCAQEAy4gAWJNM
+/mVa4sr2NLUNPQpVfxhSF/jhxdD3b5Z5A/PD+spUcF1WZSpBj8BmNOWilJ2pBMkv
+Yp7o2s4MbLIFx1HMgVI/cTo1/kk8hvCBdX9n1Dum3dRNTaxBUaZNDdBZ61b4an/V
+lrK20Tx3RY23qInoOUsBFENF+UJUAkujXH3tBv5d//yfX9z75sesQl/HKVr1UAI6
+I7a76sO+0bCnDAxooIQH0sLzmWa9JliiFd8gWeY7Yd+/jCw4toptkgtXUUm1dFLL
+8s7Eah+P0ORZ17+eBWub/4gOzbgfOh4EKNU/lLI9r2L6RH0F9C3Symm6mu7EBpEC
+SzDyHnYqzpAh8wKCAQEAw6nSmp+HBz7AhW+tEiXt1KjvCRgslVMGQ/UTFbU8TqLd
+rECn5wKO45EHV4at6jazJUhwIBVty39duiOmmEWOtpCxX3OgdM11s8/LACXv4/B4
+pWHqzhJgrwISOLLoxEoM+A3odXoEw95phOy7seBkVxJ6Idq3obpZli0ilDHfFT2R
+B+kANrCI5D9d43XdoEBaS6EWvd0TrIbkrfwWrQtbmGuXsmj/ZpOntPixUaZO+go1
+P0eDrUZlRcfVWBGNRiEHiGr0InOWrK93OtjoGB3SjtnQkRP5JJSN/2QOCw7LvmZj
+GA/KdQxef0Rh5cKLd3LBzwTzGwl+4MMME+WL0M3xsQKCAQAg8bKco7sismUzsIaJ
+oYSzDKkqGVWwa6ifzGNAvKp56UsfnQBt7628UkqqagohJcpbI+nnzGjPHcmzIQcB
+0Q7+ZE8l35pFSZbTwib58JQD4Mt9nuozndmlaOxpuvFd+wuS/FDZbDe2XNcapx7n
+Mzk3HptoKqvSC9GXtxTCClw27GshZqrwdIOXkL11bXyEgdxK5V4vxSyD+2APb//D
+EUT4vklxMe3SP5wOiIK1YkNaJvOlmY6jGQR4O/AyG9YAfbV0gunMGlrIwo8oXlN5
+DH0+XtXFKtXlVrCOu+7SCWnC8kGIYBF8AhlgXJxKGeC0wshhq6QvK+mjIhkOtTHY
+nZvhAoIBAHbQBKcIAAKSRG3CpqHCjmz4OE6Zc1kplUBm7TPdXcWSeHFEwbAxiXr+
+cirgCXOTy6z0E8InwQg1S0DgrSUB9+s8abjAicrjiHmr0GVCpC0RtPEYSHDiD/u1
+kkMDwPyQytdF+sZ7VbFquUCSUFdvHv8QpUExgxieBBCBT+IVdpV7UTowboTHJhkT
+sXuR8waAjVQneZvJR00YjHxp+4sQvooLq44W3B/5wXjPGz2tc3+5+yN11au+d3is
+JAzae6L+I4jfCWhyMCikVA5T8HvUgCtmcJPoQP3Jh4BxzWVBks8HdV0DGbmBzVAS
+wi+2tuHNuYpwQv9EANuTFR5v4TrmE8ECggEAMXp5rfHt2hKLtkIwqYE7C8IVGQ9q
+BcjKAJSuDYkyBpfSp9uxkiyvnND5tEj0uOcMCVZlntSIxWx+HXFu5rL0Ax5ZmSal
+uoWpwDXbKYgHF9zlGXqYulsODqZC0cjJpUogXFC0B4pRDUVzuZXO9ACuS5azXYqh
+G6Rw0O6rDTHVgkmazJtxreO8v4NpfIbBbFfQgU5xeHdS6ky9LqG+yUKJ5FWkGWcU
+SqpZX3yxXM4q/cA1KBN31K3V2xvjVPcEwzkZDGDbLg33DASVF7RV/WYymhDuxE+w
+vHDz9Q7dk4pTzCdNiQgomBSjOkLDKWuOvaInQwYWJgavpPGWr31hDyi5Kw==
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data/rootCA.srl b/tests/data/rootCA.srl
new file mode 100644
index 00000000..8c619f27
--- /dev/null
+++ b/tests/data/rootCA.srl
@@ -0,0 +1 @@
+02D3FA5376B8B25617BA76C4EA3AE7FE4AC318B1
--
2.20.1

@ -0,0 +1,329 @@
From 642182bdf49c9c93a86b093ad7335c8a7a5ae8cc Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Wed, 9 Jan 2019 17:23:09 -0500
Subject: [PATCH] Fix ECP signature not found error when only assertion is
signed (#26828)
With a SAML Authn Response either the message or the assertion
contained in the response message or both can be signed. Most IdP's
sign the message. This fixes a bug when processing an ECP authn
response when only the assertion is signed.
lasso_saml20_profile_process_soap_response_with_headers() performs a
signature check on the SAML message. A signature can also appear on
the assertion which is checked by
lasso_saml20_login_process_response_status_and_assertion() The problem
occurred when the message was not signed and
lasso_saml20_profile_process_soap_response_with_headers() returned
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
actually an error because we haven't checked the signature on the
assertion yet. We were returning the first
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
signature check in
lasso_saml20_login_process_response_status_and_assertion() succeeded.
The ECP unit tests were enhanced to cover these cases.
The enhanced unit test revealed a problem in two switch statements
operating on the return value of
lasso_profile_get_signature_verify_hint() which were missing a case
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
an abort due to an unknown enumeration value.
Fixes Bug: 26828
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
---
lasso/saml-2.0/login.c | 29 ++++++++----
lasso/saml-2.0/profile.c | 2 +
tests/login_tests_saml2.c | 97 +++++++++++++++++++++++++++++----------
3 files changed, 95 insertions(+), 33 deletions(-)
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 028ffb31..91ff302d 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1107,18 +1107,31 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
{
LassoSoapHeader *header = NULL;
LassoProfile *profile;
- int rc1, rc2;
+ int rc;
lasso_null_param(msg);
profile = LASSO_PROFILE(login);
- rc1 = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
+ /*
+ * lasso_saml20_profile_process_soap_response_with_headers()
+ * performs a signature check on the SAML message. A signature
+ * can also appear on the assertion which is checked by
+ * lasso_saml20_login_process_response_status_and_assertion()
+ * (below). Therefore if the error is SIGNATURE_NOT_FOUND we
+ * proceed because
+ * lasso_saml20_login_process_response_status_and_assertion()
+ * will test the signature on the assertion.
+ */
+ rc = lasso_saml20_profile_process_soap_response_with_headers(profile, msg, &header);
+ if (rc != 0 && rc != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ return rc;
+ }
/*
* If the SOAP message contained a header check for the optional
- * paos:Response and ecp:RelayState elements, if they exist extract their
- * values into the profile.
+ * paos:Response and ecp:RelayState elements, if they exist extract their
+ * values into the profile.
*/
if (header) {
GList *i = NULL;
@@ -1142,12 +1155,8 @@ lasso_saml20_login_process_paos_response_msg(LassoLogin *login, gchar *msg)
lasso_release_gobject(header);
}
- rc2 = lasso_saml20_login_process_response_status_and_assertion(login);
- if (rc1) {
- return rc1;
- }
- return rc2;
-
+ rc = lasso_saml20_login_process_response_status_and_assertion(login);
+ return rc;
}
/**
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 8171e79e..22a4e08c 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -398,6 +398,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char
switch (lasso_profile_get_signature_verify_hint(profile)) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
rc = profile->signature_status;
break;
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
@@ -1559,6 +1560,7 @@ lasso_saml20_profile_process_soap_response_with_headers(LassoProfile *profile,
remote_provider, response_msg, "ID", LASSO_MESSAGE_FORMAT_SOAP);
switch (lasso_profile_get_signature_verify_hint(profile)) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
+ case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
rc = profile->signature_status;
break;
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE:
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
index 54c7fb63..e331c07a 100644
--- a/tests/login_tests_saml2.c
+++ b/tests/login_tests_saml2.c
@@ -1090,42 +1090,42 @@ START_TEST(test08_test_authnrequest_flags)
make_context(sp_context, "sp5-saml2", "", LASSO_PROVIDER_ROLE_IDP, "idp5-saml2", "")
block_lasso_logs;
- sso_initiated_by_sp2(idp_context, sp_context,
- (SsoSettings) {
+ sso_initiated_by_sp2(idp_context, sp_context,
+ (SsoSettings) {
.use_assertion_consumer_service_idx = 1,
.assertion_consumer_service_idx = 0,
.stop_after_build_assertion = 1,
});
- sso_initiated_by_sp2(idp_context, sp_context,
- (SsoSettings) {
+ sso_initiated_by_sp2(idp_context, sp_context,
+ (SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnPost",
.stop_after_build_assertion = 1,
});
- sso_initiated_by_sp2(idp_context, sp_context,
- (SsoSettings) {
+ sso_initiated_by_sp2(idp_context, sp_context,
+ (SsoSettings) {
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
.stop_after_build_assertion = 1,
});
- sso_initiated_by_sp2(idp_context, sp_context,
- (SsoSettings) {
+ sso_initiated_by_sp2(idp_context, sp_context,
+ (SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnPost",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
.stop_after_build_assertion = 1,
});
- sso_initiated_by_sp2(idp_context, sp_context,
- (SsoSettings) {
+ sso_initiated_by_sp2(idp_context, sp_context,
+ (SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnArtifact",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
.stop_after_build_assertion = 1,
});
- sso_initiated_by_sp2(idp_context, sp_context,
- (SsoSettings) {
+ sso_initiated_by_sp2(idp_context, sp_context,
+ (SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
.stop_after_build_assertion = 1,
});
- sso_initiated_by_sp2(idp_context, sp_context,
- (SsoSettings) {
+ sso_initiated_by_sp2(idp_context, sp_context,
+ (SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
.stop_after_build_assertion = 1,
@@ -1278,7 +1278,9 @@ static void validate_idp_list(LassoEcp *ecp, EcpIdpListVariant ecpIDPListVariant
check_str_equals((char*)g_list_nth(ecp->known_idp_entity_ids_supporting_ecp, 0)->data, "http://idp5/metadata");
}
-void test_ecp(EcpIdpListVariant ecpIDPListVariant)
+void test_ecp(EcpIdpListVariant ecpIDPListVariant,
+ LassoProfileSignatureHint signature_hint,
+ LassoProfileSignatureVerifyHint signature_verify_hint)
{
char *serviceProviderContextDump = NULL, *identityProviderContextDump = NULL;
LassoServer *spContext = NULL, *ecpContext=NULL, *idpContext = NULL;
@@ -1286,7 +1288,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
LassoEcp *ecp = NULL;
LassoSamlp2AuthnRequest *request = NULL;
gboolean is_passive = FALSE;
- char *provider_name = NULL;
+ char *provider_name = NULL;
char *relayState = NULL;
char *messageID = NULL;
char *extracted_messageID = NULL;
@@ -1296,7 +1298,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
char *ecpPaosResponseMsg = NULL;
char *spLoginDump = NULL;
LassoSaml2Assertion *assertion;
- LassoSamlp2IDPList *idp_list = NULL;
+ LassoSamlp2IDPList *idp_list = NULL;
/*
* SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP
@@ -1322,6 +1324,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new(spContext);
check_not_null(spLoginContext);
+ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
+ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
check_good_rc(lasso_login_init_authn_request(spLoginContext, "http://idp5/metadata",
LASSO_HTTP_METHOD_PAOS));
@@ -1419,6 +1423,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
idpLoginContext = lasso_login_new(idpContext);
check_not_null(idpLoginContext);
+ lasso_profile_set_signature_hint(LASSO_PROFILE(idpLoginContext), signature_hint);
+ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(idpLoginContext), signature_verify_hint);
/* Parse the ecpSoapRequestMsg */
check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext, ecpSoapRequestMsg));
@@ -1465,7 +1471,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
check_str_equals(ecp->relaystate, relayState);
check_str_equals(ecp->issuer->content, "http://sp5/metadata");
check_str_equals(ecp->provider_name, provider_name);
- check_equals(ecp->is_passive, is_passive);
+ check_equals(ecp->is_passive, is_passive);
/* Validate ECP IdP list info */
validate_idp_list(ecp, ecpIDPListVariant, idp_list);
@@ -1480,6 +1486,8 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new(spContext);
check_not_null(spLoginContext);
+ lasso_profile_set_signature_hint(LASSO_PROFILE(spLoginContext), signature_hint);
+ lasso_profile_set_signature_verify_hint(LASSO_PROFILE(spLoginContext), signature_verify_hint);
/* Parse the ecpPaosResponseMsg */
check_good_rc(lasso_login_process_paos_response_msg(spLoginContext, ecpPaosResponseMsg));
@@ -1515,19 +1523,61 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
START_TEST(test09_ecp)
{
- test_ecp(ECP_IDP_LIST_NONE);
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
}
END_TEST
START_TEST(test10_ecp)
{
- test_ecp(ECP_IDP_LIST_ECP);
+ test_ecp(ECP_IDP_LIST_ECP,
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
}
END_TEST
START_TEST(test11_ecp)
{
- test_ecp(ECP_IDP_LIST_BOGUS);
+ test_ecp(ECP_IDP_LIST_BOGUS,
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
+}
+END_TEST
+
+START_TEST(test12_ecp)
+{
+ /* Maybe Sign */
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
+
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
+
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_MAYBE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+
+ /* Force Sign */
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_FORCE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE);
+
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_FORCE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
+
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_FORCE,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+
+ /* Forbid Sign */
+ test_ecp(ECP_IDP_LIST_NONE,
+ LASSO_PROFILE_SIGNATURE_HINT_FORBID,
+ LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE);
+
}
END_TEST
@@ -1538,7 +1588,7 @@ void check_digest_method(G_GNUC_UNUSED LassoLogin *idp_login_context, LassoLogin
lasso_release_string(dump)
}
-START_TEST(test12_sso_sp_with_rsa_sha256_signatures)
+START_TEST(test13_sso_sp_with_rsa_sha256_signatures)
{
LassoServer *idp_context = NULL;
LassoServer *sp_context = NULL;
@@ -1595,7 +1645,8 @@ login_saml2_suite()
tcase_add_test(tc_ecp, test09_ecp);
tcase_add_test(tc_ecp, test10_ecp);
tcase_add_test(tc_ecp, test11_ecp);
- tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures);
+ tcase_add_test(tc_ecp, test12_ecp);
+ tcase_add_test(tc_spLogin, test13_sso_sp_with_rsa_sha256_signatures);
return s;
}
--
2.20.1

@ -1,30 +0,0 @@
From f70eee9ef7faa9ccfb6f815977431ae2e02260bc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 Jun 2021 12:23:47 +0200
Subject: [PATCH 6/7] python: Skip the DSA key test unless SHA-1 is configured
(#54037)
lasso supports DSA-XXX only with SHA-1. The alternative is to use
DSA-SHA256.
---
bindings/python/tests/profiles_tests.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
index 6ec612077..501fd9199 100755
--- a/bindings/python/tests/profiles_tests.py
+++ b/bindings/python/tests/profiles_tests.py
@@ -276,6 +276,10 @@ class LoginTestCase(unittest.TestCase):
def test07(self):
'''SAMLv2 SSO with DSA key for the IdP'''
+ default_sign_meth = lasso.getDefaultSignatureMethod()
+ if default_sign_meth != lasso.SIGNATURE_METHOD_RSA_SHA1:
+ self.skipTest("This test requires that lasso is compiled with SHA1 as the default signature method")
+
sp = lasso.Server(
os.path.join(dataDir, 'sp5-saml2/metadata.xml'),
os.path.join(dataDir, 'sp5-saml2/private-key.pem'))
--
2.26.3

@ -0,0 +1,99 @@
From 1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56 Mon Sep 17 00:00:00 2001
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
Date: Fri, 28 Jun 2019 02:36:19 +0300
Subject: [PATCH] PAOS: Do not populate "Destination" attribute
When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
populates an AuthnRequest with the "Destination" attribute set to
AssertionConsumerURL of an SP - this leads to IdP-side errors because
the destination attribute in the request does not match the IdP URL.
The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
avoid setting that optional attribute because an ECP decides which IdP
to use, not the SP.
Fixes Bug: 34409
License: MIT
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
---
lasso/saml-2.0/login.c | 18 +++++++++---------
lasso/saml-2.0/profile.c | 10 +++++++++-
2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 6e8f7553..0d4bb1da 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -222,7 +222,7 @@ _lasso_login_must_verify_signature(LassoProfile *profile) {
gint
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
{
- char *url = NULL;
+ char *assertionConsumerServiceURL = NULL;
gboolean must_sign = TRUE;
LassoProfile *profile;
LassoSamlp2AuthnRequest *authn_request;
@@ -247,29 +247,29 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
}
if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
-
/*
* PAOS is special, the url passed to build_request is the
* AssertionConsumerServiceURL of this SP, not the
- * destination.
+ * destination IdP URL. This is done to fill paos:responseConsumerURL
+ * appropriately down the line in build_request_msg.
+ * See https://dev.entrouvert.org/issues/34409 for more information.
*/
if (authn_request->AssertionConsumerServiceURL) {
- url = authn_request->AssertionConsumerServiceURL;
+ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
if (!lasso_saml20_provider_check_assertion_consumer_service_url(
- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
+ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
goto cleanup;
}
} else {
- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
+ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
+ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
}
}
-
lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
- login->http_method, url));
+ login->http_method, assertionConsumerServiceURL));
cleanup:
return rc;
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 22a4e08c..85f535ae 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -968,7 +968,15 @@ lasso_saml20_profile_build_request_msg(LassoProfile *profile, const char *servic
made_url = url = get_url(provider, service, http_method_to_binding(method));
}
- if (url) {
+
+ // Usage of the Destination attribute on a request is mandated only
+ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
+ // and is marked as optional in the XSD schema otherwise.
+ // PAOS is a special case because an SP does not select an IdP - ECP does
+ // it instead. Therefore, this attribute needs to be left unpopulated.
+ if (method == LASSO_HTTP_METHOD_PAOS) {
+ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
+ } else if (url) {
lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
url);
} else {
--
2.20.1

@ -1,41 +0,0 @@
From 1b0000e0163edc9d831894bf4aac7503f0294062 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 18 Jun 2021 18:45:38 +0200
Subject: [PATCH 7/7] test13_test_lasso_server_load_metadata: Don't verify
signature if lasso is not configured with sha-1 (#54037)
---
tests/basic_tests.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index 0652abc28..470d64fc6 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -1974,6 +1974,14 @@ START_TEST(test13_test_lasso_server_load_metadata)
LassoServer *server = NULL;
GList *loaded_entity_ids = NULL;
GList blacklisted_1 = { .data = "https://identities.univ-jfc.fr/idp/prod", .next = NULL };
+ const gchar *trusted_roots = TESTSDATADIR "/rootCA.crt";
+
+ /* The IDP metadata file is signed with rsa-sha1, so verifying it would
+ * fail incase sha1 is not available
+ */
+ if (lasso_get_default_signature_method() != LASSO_SIGNATURE_METHOD_RSA_SHA1) {
+ trusted_roots = NULL;
+ }
check_not_null(server = lasso_server_new(
TESTSDATADIR "/idp5-saml2/metadata.xml",
@@ -1983,7 +1991,7 @@ START_TEST(test13_test_lasso_server_load_metadata)
block_lasso_logs;
check_good_rc(lasso_server_load_metadata(server, LASSO_PROVIDER_ROLE_IDP,
TESTSDATADIR "/metadata/renater-metadata.xml",
- TESTSDATADIR "/rootCA.crt",
+ trusted_roots,
&blacklisted_1, &loaded_entity_ids,
LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT));
unblock_lasso_logs;
--
2.26.3

@ -0,0 +1,183 @@
From ea7e5efe9741e1b1787a58af16cb15b40c23be5a Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Mon, 8 Mar 2021 11:33:26 +0100
Subject: [PATCH] Fix signature checking on unsigned response with multiple
assertions
CVE-2021-28091 : when AuthnResponse messages are not signed (which is
permitted by the specifiation), all assertion's signatures should be
checked, but currently after the first signed assertion is checked all
following assertions are accepted without checking their signature, and
the last one is considered the main assertion.
This patch :
* check signatures from all assertions if the message is not signed,
* refuse messages with assertion from different issuers than the one on
the message, to prevent assertion bundling event if they are signed.
---
lasso/saml-2.0/login.c | 102 +++++++++++++++++++++++++++++------------
1 file changed, 73 insertions(+), 29 deletions(-)
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 0d4bb1da1..cf62c1cc9 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1257,7 +1257,11 @@ lasso_saml20_login_check_assertion_signature(LassoLogin *login,
original_node = lasso_node_get_original_xmlnode(LASSO_NODE(assertion));
goto_cleanup_if_fail_with_rc(original_node, LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE);
- rc = profile->signature_status = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL);
+ /* Shouldn't set the profile->signature_status here as we're only
+ * checking the assertion signature.
+ * Instead, we'll set the status after all the assertions are iterated.
+ */
+ rc = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL);
#define log_verify_assertion_signature_error(msg) \
message(G_LOG_LEVEL_WARNING, "Could not verify signature of assertion" \
@@ -1282,18 +1286,6 @@ cleanup:
return rc;
}
-static gboolean
-_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id)
-{
- if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id)
- return FALSE;
-
- if (! assertion->Issuer || ! assertion->Issuer->content)
- return FALSE;
-
- return lasso_strisequal(assertion->Issuer->content,provider_id);
-}
-
static gint
_lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response)
{
@@ -1358,11 +1350,23 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
return 0;
}
+/* Verify that an assertion comes from a designated Issuer */
+static gboolean
+_lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provider_id)
+{
+ if (! LASSO_SAML2_ASSERTION(assertion) || ! provider_id)
+ return FALSE;
+ if (! assertion->Issuer || ! assertion->Issuer->content)
+ return FALSE;
+ return lasso_strisequal(assertion->Issuer->content,provider_id);
+}
+
static gint
lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
{
LassoSamlp2StatusResponse *response;
LassoSamlp2Response *samlp2_response = NULL;
+ LassoSaml2Assertion *last_assertion = NULL;
LassoProfile *profile;
char *status_value;
lasso_error_t rc = 0;
@@ -1404,34 +1408,62 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
/* Decrypt all EncryptedAssertions */
_lasso_saml20_login_decrypt_assertion(login, samlp2_response);
- /* traverse all assertions */
- goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL,
- LASSO_PROFILE_ERROR_MISSING_ASSERTION);
+ /* Check there is at least one assertion */
+ goto_cleanup_if_fail_with_rc (samlp2_response->Assertion != NULL, LASSO_PROFILE_ERROR_MISSING_ASSERTION);
+
+ /* In case of verify_hint as 'FORCE', if there's no response signature,
+ * we reject.
+ * In case of 'MAYBE', if response signature is present and valid, or
+ * not present, then we proceed with checking assertion signature(s).
+ * In any case, if there's a response signature and it's not valid,
+ * we reject.
+ */
verify_hint = lasso_profile_get_signature_verify_hint(profile);
+ if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
+ goto_cleanup_with_rc(profile->signature_status);
+ }
+ } else if (profile->signature_status != 0) {
+ goto_cleanup_with_rc(profile->signature_status);
+ }
lasso_foreach_full_begin(LassoSaml2Assertion*, assertion, it, samlp2_response->Assertion);
LassoSaml2Subject *subject = NULL;
- lasso_assign_gobject (login->private_data->saml2_assertion, assertion);
+ /* All Assertions MUST come from the same issuer as the Response. */
+ if (! _lasso_check_assertion_issuer(assertion, profile->remote_providerID)) {
+ goto_cleanup_with_rc(LASSO_PROFILE_ERROR_INVALID_ISSUER);
+ }
- /* If signature has already been verified on the message, and assertion has the same
- * issuer as the message, the assertion is covered. So no need to verify a second
- * time */
- if (profile->signature_status != 0
- || ! _lasso_check_assertion_issuer(assertion,
- profile->remote_providerID)
- || verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
+ if (profile->signature_status != 0) {
+ /* When response signature is not present */
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) {
+ assertion_signature_status =
+ lasso_saml20_login_check_assertion_signature(login, assertion);
+ if (assertion_signature_status) {
+ goto_cleanup_with_rc(assertion_signature_status);
+ }
+ }
+ } else {
+ /* response signature is present and valid */
assertion_signature_status = lasso_saml20_login_check_assertion_signature(login,
- assertion);
- /* If signature validation fails, it is the return code for this function */
+ assertion);
if (assertion_signature_status) {
- rc = LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
+ /* assertion signature is not valid or not present */
+ if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) {
+ /* In case of FORCE, we reject right away */
+ goto_cleanup_with_rc(assertion_signature_status);
+ } else if (verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE) {
+ /* In case of MAYBE, if assertion signature is present and invalid, then we reject */
+ if (assertion_signature_status != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+ goto_cleanup_with_rc(assertion_signature_status);
+ }
+ }
}
}
-
lasso_extract_node_or_fail(subject, assertion->Subject, SAML2_SUBJECT,
- LASSO_PROFILE_ERROR_MISSING_SUBJECT);
+ LASSO_PROFILE_ERROR_MISSING_SUBJECT);
/* Verify Subject->SubjectConfirmationData->InResponseTo */
if (login->private_data->request_id) {
@@ -1446,8 +1478,20 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
/** Handle nameid */
lasso_check_good_rc(lasso_saml20_profile_process_name_identifier_decryption(profile,
&subject->NameID, &subject->EncryptedID));
+
+ last_assertion = assertion;
lasso_foreach_full_end();
+ /* set the profile signature status only after all the signatures are
+ * verified.
+ */
+ profile->signature_status = rc;
+
+ /* set the default assertion to the last one */
+ if (last_assertion) {
+ lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
+ }
+
switch (verify_hint) {
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE:
case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE:
--
2.26.3

@ -1,25 +1,7 @@
From 20f653f70818b85fe1b4de77a629fce352fb8cbd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 26 Jul 2021 16:25:52 +0200
Subject: [PATCH] lasso_saml20_login_process_response_status_and_assertion:
handle rc as per verify_hint
In case VERIFY_HINT was set to IGNORE and the login signature was
incorrect, lasso_saml20_login_process_response_status_and_assertion
would have jumped straight to the cleanup label which just returns the
return code. Let's jump to a new label handlerc instead which might set
the return code to 0 in case verify_hint is set to IGNORE.
Related: https://dev.entrouvert.org/issues/54689
---
lasso/saml-2.0/login.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index cf62c1cc9..1d5668b5b 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
diff -up lasso-2.5.1/lasso/saml-2.0/login.c.coverity lasso-2.5.1/lasso/saml-2.0/login.c
--- lasso-2.5.1/lasso/saml-2.0/login.c.coverity 2021-07-27 10:23:31.976845852 +0200
+++ lasso-2.5.1/lasso/saml-2.0/login.c 2021-07-27 10:23:55.358913123 +0200
@@ -1371,7 +1371,7 @@ lasso_saml20_login_process_response_stat
char *status_value;
lasso_error_t rc = 0;
lasso_error_t assertion_signature_status = 0;
@ -28,7 +10,7 @@ index cf62c1cc9..1d5668b5b 100644
profile = &login->parent;
lasso_extract_node_or_fail(response, profile->response, SAMLP2_STATUS_RESPONSE,
@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
@@ -1492,20 +1492,12 @@ lasso_saml20_login_process_response_stat
lasso_assign_gobject (login->private_data->saml2_assertion, last_assertion);
}
@ -54,6 +36,3 @@ index cf62c1cc9..1d5668b5b 100644
return rc;
}
--
2.26.3

@ -1,28 +0,0 @@
diff -up lasso-2.7.0/autogen.sh.noconfig lasso-2.7.0/autogen.sh
--- lasso-2.7.0/autogen.sh.noconfig 2021-06-28 22:39:00.473005330 +0200
+++ lasso-2.7.0/autogen.sh 2021-06-28 22:39:43.028114738 +0200
@@ -77,11 +77,6 @@ test $TEST_TYPE $FILE || {
exit 1
}
-if test "$#" = 0; then
- echo "I am going to run ./configure with no arguments - if you wish "
- echo "to pass any to it, please specify them on the $0 command line."
-fi
-
# to support timj aclocal setup we are shipping gnome-doc-utils.m4
# and making sure automake picks it up ;)
# this is bad as -I prepends to the search path
@@ -107,12 +102,3 @@ autoconf || exit $?
echo "* Running $AUTOMAKE"
$AUTOMAKE --add-missing -Wno-portability $am_opt || exit $?
-
-cd "$THEDIR"
-
-if [ "$1" != "noconfig" ]; then
- $srcdir/configure --enable-gtk-doc --enable-maintainer-mode "$@" || exit $?
-fi
-
-echo
-echo "Now type 'make install' to install $PROJECT."

@ -0,0 +1,255 @@
commit d526669810e0dc0a454260d5081fc96e16fc9e13
Author: John Dennis <jdennis@redhat.com>
Date: Mon Jun 25 16:26:24 2018 -0400
Make Python scripts compatible with both Py2 and Py3
During the build if the Python3 interpreter is used a number of
scripts will fail because they were never ported from Py2 to Py3. In
general we want Python code to be compatible with both Py2 and
Py3. This patch brings the scripts up to date with Py3 but retains
backwards compatibility with Py2 (specifically Py 2.7, the last Py2
release).
Examples of the required changes are:
* Replace use of the built-in function file() with open(). file()
does not exist in Py3, open works in both Py2 and Py3. The code was
also modified to use a file context manager (e.g. with open(xxx) as
f:). This assures open files are properly closed when the code block
using the file goes out of scope. This is a standard modern Python
idiom.
* Replace all use of the print keyword with the six.print_()
function, which itself is an emulation of Py3's print function. Py3
no longer has a print keyword, only a print() function.
* The dict methods .keys(), .values(), .items() no longer return a
list in Py3, instead they return a "view" object which is an
iterator whose result is an unordered set. The most notable
consequence is you cannot index the result of these functions like
your could in Py2 (e.g. dict.keys()[0] will raise a run time
exception).
* Replace use of StringIO.StringIO and cStringIO with
six.StringIO. Py3 no longer has cStringIO and the six variant
handles the correct import.
* Py3 no longer allows the "except xxx, variable" syntax, where
variable appering after the comma is assigned the exception object,
you must use the "as" keyword to perform the variable assignment
(e.g. execpt xxx as variable)
Note: the modifications in this patch are the minimum necessary to get
the build to run with the Py3 interpreter. There are numerous other
Python scripts in the repo which need Py3 porting as well but because
they are not invoked during a build they will be updated in a
subsequent patch.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/bindings/python/examples/get_attributes_from_assertion.py b/bindings/python/examples/get_attributes_from_assertion.py
index 44ceb9e5..8f37a337 100644
--- a/bindings/python/examples/get_attributes_from_assertion.py
+++ b/bindings/python/examples/get_attributes_from_assertion.py
@@ -1,8 +1,10 @@
# Example SP Python code to get attributes from an assertion
+from six import print_
+
for attribute in assertion.attributeStatement[0].attribute:
if attribute.name == lasso.SAML2_ATTRIBUTE_NAME_EPR:
continue
- print 'attribute : ' + attribute.name
+ print_('attribute : ' + attribute.name)
for value in attribute.attributeValue:
- print ' value : ' + value.any[0].content
+ print_(' value : ' + value.any[0].content)
diff --git a/bindings/python/tests/binding_tests.py b/bindings/python/tests/binding_tests.py
index 6d8e0dfa..54c3635f 100755
--- a/bindings/python/tests/binding_tests.py
+++ b/bindings/python/tests/binding_tests.py
@@ -311,8 +311,8 @@ class BindingTestCase(unittest.TestCase):
</samlp:Extensions>'''
node = lasso.Node.newFromXmlNode(content)
assert 'next_url' in node.any[1]
- assert 'huhu' in node.attributes.keys()[0]
- assert node.attributes.values()[0] == 'xxx'
+ assert '{https://www.entrouvert.com/}huhu' in node.attributes.keys()
+ assert 'xxx' in node.attributes.values()
node.any = ('<zob>coin</zob>',)
node.attributes = {'michou': 'zozo'}
assert '<zob>coin</zob>' in node.dump()
diff --git a/bindings/python/tests/idwsf2_tests.py b/bindings/python/tests/idwsf2_tests.py
index 6f80c53d..4e47a4a1 100755
--- a/bindings/python/tests/idwsf2_tests.py
+++ b/bindings/python/tests/idwsf2_tests.py
@@ -27,7 +27,7 @@
import os
import unittest
import sys
-from StringIO import StringIO
+from six import StringIO
import logging
logging.basicConfig()
@@ -310,11 +310,11 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(idp_disco.request.svcMD[0].svcMDID is None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
try:
idp_disco.validateRequest()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.response is not None)
self.failUnlessEqual(len(idp_disco.metadatas), 1)
@@ -391,16 +391,16 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(idp_disco is not None)
try:
idp_disco.processRequestMsg(wsp_disco.msgBody)
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.request is not None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
try:
idp_disco.failRequest(lasso.IDWSF2_DISCOVERY_STATUS_CODE_FAILED, lasso.IDWSF2_DISCOVERY_STATUS_CODE_FORBIDDEN)
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.response is not None)
self.failUnless(idp_disco.response.status is not None)
@@ -415,7 +415,7 @@ class MetadataTestCase(IdWsf2TestCase):
wsp_disco.processResponseMsg(idp_disco.msgBody)
except lasso.Idwsf2DiscoveryForbiddenError:
pass
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
def test03(self):
@@ -475,7 +475,7 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(soap_envelope.getMessageId() is not None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
# redirect
interactionUrl = spInteractionUrl
@@ -488,7 +488,7 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(response.detail.any[0].redirectURL.startswith(interactionUrl + '?transactionID='))
try:
idp_disco.buildResponseMsg()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.msgBody is not None)
@@ -500,7 +500,7 @@ class MetadataTestCase(IdWsf2TestCase):
wsp_disco.processResponseMsg(idp_disco.msgBody)
except lasso.WsfprofileRedirectRequestError:
pass
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
response_envelope = wsp_disco.getSoapEnvelopeResponse()
self.failUnless(response_envelope.sb2GetRedirectRequestUrl().startswith(interactionUrl + '?transactionID='))
@@ -527,11 +527,11 @@ class MetadataTestCase(IdWsf2TestCase):
self.failUnless(idp_disco.request.svcMD[0].svcMDID is None)
try:
idp_disco.checkSecurityMechanism()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
try:
idp_disco.validateRequest()
- except lasso.Error, e:
+ except lasso.Error as e:
self.fail(e)
self.failUnless(idp_disco.response is not None)
self.failUnlessEqual(len(idp_disco.metadatas), 1)
diff --git a/lasso/build_strerror.py b/lasso/build_strerror.py
index fca59628..908638d5 100644
--- a/lasso/build_strerror.py
+++ b/lasso/build_strerror.py
@@ -1,42 +1,42 @@
#! /usr/bin/env python
-from cStringIO import StringIO
import glob
import re
import sys
import os
+from six import print_, StringIO
srcdir = sys.argv[1]
-hlines = file('%s/errors.h' % srcdir,'r').readlines()
messages = dict()
description = ''
-for line in hlines:
- m = re.match(r'^ \* LASSO.*ERROR', line)
- if m:
- description = ''
- continue
- m = re.match(r'^ \* (.*[^:])$', line)
- if m:
- description += m.group(1)
- m = re.match(r'#define (LASSO_\w*ERROR\w+)', line)
- if m and description:
- description = re.sub(r'[ \n]+', ' ', description).strip()
- messages[m.group(1)] = description
- description = ''
- else:
- m = re.match(r'#define (LASSO_\w*ERROR\w+)',line)
+with open('%s/errors.h' % srcdir,'r') as f:
+ for line in f:
+ m = re.match(r'^ \* LASSO.*ERROR', line)
if m:
- messages[m.group(1)] = m.group(1)
+ description = ''
+ continue
+ m = re.match(r'^ \* (.*[^:])$', line)
+ if m:
+ description += m.group(1)
+ m = re.match(r'#define (LASSO_\w*ERROR\w+)', line)
+ if m and description:
+ description = re.sub(r'[ \n]+', ' ', description).strip()
+ messages[m.group(1)] = description
+ description = ''
+ else:
+ m = re.match(r'#define (LASSO_\w*ERROR\w+)',line)
+ if m:
+ messages[m.group(1)] = m.group(1)
-clines = file('%s/errors.c.in' % srcdir,'r').readlines()
-for line in clines:
- if '@ERROR_CASES@' in line:
- keys = messages.keys()
- keys.sort()
- for k in keys:
- print """ case %s:
- return "%s";""" % (k,messages[k].rstrip('\n'))
- else:
- print line,
+with open('%s/errors.c.in' % srcdir,'r') as f:
+ for line in f:
+ if '@ERROR_CASES@' in line:
+ keys = sorted(messages.keys())
+ for k in keys:
+ print_(' case %s:\n'
+ ' return "%s";' %
+ (k,messages[k].rstrip('\n')))
+ else:
+ print_(line, end="")

@ -0,0 +1,83 @@
commit 623d785f957acc9eccb47a9a3f88e5e167a370b6
Author: John Dennis <jdennis@redhat.com>
Date: Mon Jun 25 17:37:45 2018 -0400
fix duplicate definition of LogoutTestCase and logoutSuite
Commit 6f617027e added a duplicate definition of the LogoutTestCase
class containing only 1 test which shaddowed the original
LogoutTestCase containing 4 tests. The logoutSuite variable was also
shadowed and the allTests variable contained a duplicate of
logoutSuite causing the 2nd definition of LogoutTestCase to be run
twice.
Not only were the original 4 tests not being run but the entire unit
test in profiles_tests.py was failing under Python3. This is because
the unittest code in Py3 deletes a test from it's list of tests to run
once it's been run. The second time the logoutSuite was invoked it no
longer contained any tests which caused an exception to be raised
because there were no tests to be run.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/bindings/python/tests/profiles_tests.py b/bindings/python/tests/profiles_tests.py
index 547c9e24..0ba1e56e 100755
--- a/bindings/python/tests/profiles_tests.py
+++ b/bindings/python/tests/profiles_tests.py
@@ -386,6 +386,21 @@ class LogoutTestCase(unittest.TestCase):
else:
self.fail('Logout processResponseMsg should have failed.')
+ def test05(self):
+ '''Test parsing of a logout request with more than one session index'''
+ content = '''<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xxxx" Version="2.0" IssueInstant="2010-06-14T22:00:00">
+ <saml:Issuer>me</saml:Issuer>
+ <saml:NameID>coin</saml:NameID>
+ <samlp:SessionIndex>id1</samlp:SessionIndex>
+ <samlp:SessionIndex>id2</samlp:SessionIndex>
+ <samlp:SessionIndex>id3</samlp:SessionIndex>
+ </samlp:LogoutRequest>'''
+
+ node = lasso.Samlp2LogoutRequest.newFromXmlNode(content)
+ assert isinstance(node, lasso.Samlp2LogoutRequest)
+ assert node.sessionIndex == 'id1'
+ assert node.sessionIndexes == ('id1', 'id2', 'id3')
+
class DefederationTestCase(unittest.TestCase):
def test01(self):
"""IDP initiated defederation; testing processNotificationMsg with non Liberty query."""
@@ -478,32 +493,15 @@ class AttributeAuthorityTestCase(unittest.TestCase):
assert aq.response.assertion[0].attributeStatement[0].attribute[0]
assert aq.response.assertion[0].attributeStatement[0].attribute[0].attributeValue[0]
-class LogoutTestCase(unittest.TestCase):
- def test01(self):
- '''Test parsing of a logout request with more than one session index'''
- content = '''<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xxxx" Version="2.0" IssueInstant="2010-06-14T22:00:00">
- <saml:Issuer>me</saml:Issuer>
- <saml:NameID>coin</saml:NameID>
- <samlp:SessionIndex>id1</samlp:SessionIndex>
- <samlp:SessionIndex>id2</samlp:SessionIndex>
- <samlp:SessionIndex>id3</samlp:SessionIndex>
- </samlp:LogoutRequest>'''
-
- node = lasso.Samlp2LogoutRequest.newFromXmlNode(content)
- assert isinstance(node, lasso.Samlp2LogoutRequest)
- assert node.sessionIndex == 'id1'
- assert node.sessionIndexes == ('id1', 'id2', 'id3')
-
serverSuite = unittest.makeSuite(ServerTestCase, 'test')
loginSuite = unittest.makeSuite(LoginTestCase, 'test')
logoutSuite = unittest.makeSuite(LogoutTestCase, 'test')
defederationSuite = unittest.makeSuite(DefederationTestCase, 'test')
identitySuite = unittest.makeSuite(IdentityTestCase, 'test')
attributeSuite = unittest.makeSuite(AttributeAuthorityTestCase, 'test')
-logoutSuite = unittest.makeSuite(LogoutTestCase, 'test')
allTests = unittest.TestSuite((serverSuite, loginSuite, logoutSuite, defederationSuite,
- identitySuite, attributeSuite, logoutSuite))
+ identitySuite, attributeSuite))
if __name__ == '__main__':
sys.exit(not unittest.TextTestRunner(verbosity = 2).run(allTests).wasSuccessful())

@ -0,0 +1,80 @@
commit e3e904af7dd308fe7530773bd9ea136afc90049b
Author: John Dennis <jdennis@redhat.com>
Date: Thu Jun 21 10:49:30 2018 -0400
Use python interpreter specified configure script
The configure script allows you to specify the python interpreter to
use via the --with-python option. There were several places where the
python interpreter was implicity invoked without using the specified
version. This can create a number of problems in an environment with
multiple python versions as is the case during the transition from
Python 2 to Python 3. Python 2 is not compatible with Python
3. Lasso's Python code is supposed to be compatible with both
versions. But during the build and when running the unit tests it is
essential the same interpreter be used consistently otherwise you can
have problems.
This patch assures whenever python is invoked it does so via the
$(PYTHON) configuration variable.
What about shebang lines (e.g #/usr/bin/python) at the top of scripts?
Python PEP 394 (https://www.python.org/dev/peps/pep-0394/) covers
this. Basically it says if a script is compatible only with Py2 the
shebang should be #/usr/bin/python2, if only compatible with Py3 the
shebang should be #/usr/bin/python3. However, if the script is
compatible with both versions it can continue to use the
compatible with both Py2 and Py3.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/bindings/java/Makefile.am b/bindings/java/Makefile.am
index 05e5f9ee..8de0178d 100644
--- a/bindings/java/Makefile.am
+++ b/bindings/java/Makefile.am
@@ -26,7 +26,7 @@ if WSF_ENABLED
EXTRA_ARGS = --enable-id-wsf
endif
-java_lasso_source_files := $(shell python $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) )
+java_lasso_source_files := $(shell $(PYTHON) $(top_srcdir)/bindings/bindings.py -l java-list --src-dir=$(top_srcdir)/lasso/ $(EXTRA_ARGS) )
lasso_jardir=$(prefix)/share/java
lasso_jar_DATA=lasso.jar
diff --git a/bindings/python/tests/Makefile.am b/bindings/python/tests/Makefile.am
index 205e7613..1305f26f 100644
--- a/bindings/python/tests/Makefile.am
+++ b/bindings/python/tests/Makefile.am
@@ -11,5 +11,8 @@ if WSF_ENABLED
TESTS += idwsf1_tests.py idwsf2_tests.py
endif
+TEST_EXTENSIONS = .py
+PY_LOG_COMPILER = $(PYTHON)
+
EXTRA_DIST = profiles_tests.py binding_tests.py idwsf1_tests.py idwsf2_tests.py \
tests.py XmlTestRunner.py
diff --git a/lasso/Makefile.am b/lasso/Makefile.am
index 751f9419..49ae88a7 100644
--- a/lasso/Makefile.am
+++ b/lasso/Makefile.am
@@ -91,7 +91,7 @@ liblasso_la_LDFLAGS = -no-undefined -version-info @LASSO_VERSION_INFO@ \
endif
$(srcdir)/errors.c: $(srcdir)/errors.h $(srcdir)/build_strerror.py
- python $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new
+ $(PYTHON) $(srcdir)/build_strerror.py $(srcdir) >.errors.c.new
if ! cmp -s $(srcdir)/errors.c .errors.c.new; then \
mv -f .errors.c.new $@; else \
rm .errors.c.new; fi
diff --git a/tools/check-lasso-sections.py b/tools/check-lasso-sections.py
index cb4c39c4..3a6c9880 100755
--- a/tools/check-lasso-sections.py
+++ b/tools/check-lasso-sections.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
import sys
import os.path

@ -0,0 +1,48 @@
commit af29047480cacafaed697cb2a1fb24c5143078a8
Author: John Dennis <jdennis@redhat.com>
Date: Sat Jul 7 10:59:32 2018 -0400
Configure should search for versioned Python interpreter.
Following the guidelines in Python PEP 394 with regards to the python
command on UNIX like systems preference should be given to explicitly
versioned command interpreter as opposed to unversioned and that an
unversioned python command should (but might not) refer to
Python2. Also in some environments unversioned Python interpreters
(e.g. /usr/bin/python) do not even exist, onlyh their explicitly
versioned variants are (e.g. /usr/bin/python2 and /usr/bin/python3).
Therefore the AC_CHECK_PROGS directive in configure.ac should not rely
exclusively on an unversioned Python interpreter as it does not,
rather it should search in priority order. First for python3, then for
an unversionsed python because some distributions have already moved
the default unversioned python to python3, and then finally search for
python2. In the scenario where unversioned python is still pointing to
python2 it's equivalent to selecting the last prority option of
python2, but if unversioned python is pointing to python3 you get
instead. The net result is always preferring python3 but gracefully
falling back to python2 not matter how the environment exports it's
Python.
If AC_CHECK_PROGS for python does not check for the versioned variants
the build fails in environments that only have versioned variants with
this error:
configure: error: Python must be installed to compile lasso
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/configure.ac b/configure.ac
index 898468e6..74766972 100644
--- a/configure.ac
+++ b/configure.ac
@@ -131,7 +131,7 @@ dnl AC_CHECK_PROGS(JAR, fastjar jar)
AC_CHECK_PROGS(PERL, perl)
AC_CHECK_PROGS(PHP5, php5 php)
AC_CHECK_PROGS(PHP5_CONFIG, php-config5 php-config)
-AC_CHECK_PROGS(PYTHON, python)
+AC_CHECK_PROGS(PYTHON, python3 python python2)
AC_CHECK_PROGS(SWIG, swig)
dnl Make sure we have an ANSI compiler

@ -1,7 +1,6 @@
%global with_java 0
%global with_java 1
%global with_php 0
%global with_perl 1
# The Lasso build system requires python, especially the binding generators
%global with_python 1
%global with_python2 0
%global with_python3 0
@ -31,7 +30,7 @@
%endif
%global configure_args %{nil}
%global configure_args %{configure_args} --with-default-sign-algo=rsa-sha256 --with-min-hash-algo=sha256
%global configure_args %{configure_args}
%if !%{with_java}
%global configure_args %{configure_args} --disable-java
@ -58,45 +57,49 @@
Summary: Liberty Alliance Single Sign On
Name: lasso
Version: 2.7.0
Release: 11%{?dist}
Version: 2.6.0
Release: 13%{?dist}
License: GPLv2+
URL: http://lasso.entrouvert.org/
Group: System Environment/Libraries
Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: check-devel
BuildRequires: glib2-devel
BuildRequires: gtk-doc
BuildRequires: libtool
BuildRequires: libtool-ltdl-devel
BuildRequires: libxml2-devel
BuildRequires: openssl-devel
BuildRequires: swig
BuildRequires: xmlsec1-devel
BuildRequires: xmlsec1-openssl-devel
BuildRequires: zlib-devel
%if %{with_wsf}
BuildRequires: cyrus-sasl-devel
Patch1: use-specified-python-interpreter.patch
Patch2: build-scripts-py3-compatible.patch
Patch3: duplicate-python-LogoutTestCase.patch
Patch4: versioned-python-configure.patch
Patch5: 0005-tests-use-self-generated-certificate-to-sign-federat.patch
Patch6: 0006-Fix-ECP-signature-not-found-error-when-only-assertio.patch
Patch7: 0007-PAOS-Do-not-populate-Destination-attribute.patch
Patch8: 0008-Fix-signature-checking-on-unsigned-response-with-mul.patch
Patch9: 0009-lasso_saml20_login_process_response_status_and_asser.patch
BuildRequires: libtool autoconf automake
# The Lasso build system requires python, especially the binding generators
%if %{with_python2}
BuildRequires: python2
BuildRequires: python2-lxml
BuildRequires: python2-six
%endif
Requires: xmlsec1
%if %{with_python3}
BuildRequires: python3
BuildRequires: python3-lxml
BuildRequires: python3-six
%endif
# lasso upstream no longer supports java bindings
# see https://dev.entrouvert.org/issues/45876#change-289747
# and https://dev.entrouvert.org/issues/51418
Obsoletes: java-lasso < %{version}-%{release}
%if %{with_wsf}
BuildRequires: cyrus-sasl-devel
%endif
BuildRequires: gtk-doc, libtool-ltdl-devel
BuildRequires: glib2-devel, swig
BuildRequires: libxml2-devel, openssl-devel
BuildRequires: xmlsec1-devel >= 1.2.25-4, xmlsec1-openssl-devel >= 1.2.25-4
BuildRequires: zlib-devel, check-devel
BuildRequires: libtool autoconf automake
Url: http://lasso.entrouvert.org/
Patch0001: 0001-Fix-lasso_query_sign-HMAC-other-than-SHA1-54037.patch
Patch0002: 0002-tests-Move-test08_lasso_key-and-test07_saml2_query_v.patch
Patch0003: 0003-Make-the-default-signature-method-and-the-minimal-ha.patch
Patch0004: 0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
Patch0005: 0005-Check-if-the-signature-method-is-allowed-in-addition.patch
Patch0006: 0006-python-Skip-the-DSA-key-test-unless-SHA-1-is-configu.patch
Patch0007: 0007-test13_test_lasso_server_load_metadata-Don-t-verify-.patch
Patch0008: autogen.noconfig
Patch0009: 0009-lasso_saml20_login_process_response_status_and_asser.patch
Requires: xmlsec1 >= 1.2.25-4
%description
Lasso is a library that implements the Liberty Alliance Single Sign On
@ -106,6 +109,7 @@ for multiple languages.
%package devel
Summary: Lasso development headers and documentation
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
@ -115,14 +119,11 @@ documentation for Lasso.
%if %{with_perl}
%package -n perl-%{name}
Summary: Liberty Alliance Single Sign On (lasso) Perl bindings
Group: Development/Libraries
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: perl(Error)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(strict)
BuildRequires: perl(Test::More)
BuildRequires: perl(warnings)
BuildRequires: perl(XSLoader)
BuildRequires: perl(Error)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: %{name}%{?_isa} = %{version}-%{release}
@ -133,7 +134,8 @@ Perl language bindings for the lasso (Liberty Alliance Single Sign On) library.
%if %{with_java}
%package -n java-%{name}
Summary: Liberty Alliance Single Sign On (lasso) Java bindings
Buildrequires: java-1.8.0-openjdk-devel
Group: Development/Libraries
BuildRequires: java-devel
BuildRequires: jpackage-utils
Requires: java-headless
Requires: jpackage-utils
@ -151,8 +153,8 @@ Java language bindings for the lasso (Liberty Alliance Single Sign On) library.
%if %{with_php}
%package -n php-%{name}
Summary: Liberty Alliance Single Sign On (lasso) PHP bindings
BuildRequires: expat-devel
BuildRequires: php-devel
Group: Development/Libraries
BuildRequires: php-devel, expat-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: php(zend-abi) = %{php_zend_api}
Requires: php(api) = %{php_core_api}
@ -166,14 +168,8 @@ PHP language bindings for the lasso (Liberty Alliance Single Sign On) library.
%package -n python2-%{name}
%{?python_provide:%python_provide python2-%{name}}
Summary: Liberty Alliance Single Sign On (lasso) Python bindings
BuildRequires: python2
Group: Development/Libraries
BuildRequires: python2-devel
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: python-lxml
%else
BuildRequires: python2-lxml
%endif
BuildRequires: python2-six
Requires: python2
Requires: %{name}%{?_isa} = %{version}-%{release}
%if %{obsolete_old_lang_subpackages}
@ -191,12 +187,9 @@ library.
%package -n python3-%{name}
%{?python_provide:%python_provide python3-%{name}}
Summary: Liberty Alliance Single Sign On (lasso) Python bindings
BuildRequires: python3
Group: Development/Libraries
BuildRequires: python3-devel
BuildRequires: python3-lxml
BuildRequires: python3-six
BuildRequires: make
Requires: python3
%{?__python3:Requires: %{__python3}}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description -n python3-%{name}
@ -205,14 +198,23 @@ library.
%endif
%prep
%autosetup -p1
%setup -q -n %{name}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
# Remove any python script shebang lines (unless they refer to python3)
sed -i -E -e '/^#![[:blank:]]*(\/usr\/bin\/env[[:blank:]]+python[^3]?\>)|(\/usr\/bin\/python[^3]?\>)/d' \
`grep -r -l -E '^#![[:blank:]]*(/usr/bin/python[^3]?)|(/usr/bin/env[[:blank:]]+python[^3]?)' *`
%build
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
./autogen.sh
%if 0%{?with_python2}
%configure %{configure_args} --with-python=%{__python2}
@ -221,7 +223,7 @@ export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
popd
pushd bindings/python
make %{?_smp_mflags} CFLAGS="%{optflags}"
make check CK_TIMEOUT_MULTIPLIER=5
make check
mkdir py2
mv lasso.py .libs/_lasso.so py2
popd
@ -233,10 +235,10 @@ export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk
%else
%configure %{configure_args}
%endif
%make_build CFLAGS="%{optflags}"
make %{?_smp_mflags} CFLAGS="%{optflags}"
%check
make check CK_TIMEOUT_MULTIPLIER=20 VERBOSE=yes
make check
%install
#install -m 755 -d %{buildroot}%{_datadir}/gtk-doc/html
@ -279,12 +281,13 @@ fi
# Remove bogus doc files
rm -fr %{buildroot}%{_defaultdocdir}/%{name}
%ldconfig_scriptlets
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%{_libdir}/liblasso.so.3*
%doc AUTHORS NEWS README
%license COPYING
%{_libdir}/liblasso.so.*
%doc AUTHORS COPYING NEWS README
%files devel
%{_libdir}/liblasso.so
@ -303,10 +306,10 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
%if %{with_php}
%files -n php-%{name}
%{php_extdir}/lasso.so
%config(noreplace) %{php_inidir}/%{ini_name}
%dir %{_datadir}/php/%{name}
%{_datadir}/php/%{name}/lasso.php
%attr(755,root,root) %{php_extdir}/lasso.so
%config(noreplace) %attr(644,root,root) %{php_inidir}/%{ini_name}
%attr(755,root,root) %dir %{_datadir}/php/%{name}
%attr(644,root,root) %{_datadir}/php/%{name}/lasso.php
%endif
%if %{with_python2}
@ -323,177 +326,59 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
%endif
%changelog
* Wed Nov 9 2022 Tomas Halman <thalman@redhat.com> - 2.7.0-11
- Fixing changelog chronological order
- Related: rhbz#2117590 - release python3-lasso pkg
* Wed Nov 9 2022 Tomas Halman <thalman@redhat.com> - 2.7.0-10
- Publishing python binding package
- Resolves: rhbz#2117590 - release python3-lasso pkg
* Mon Aug 16 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-9
- Bump the test timeout again
- Related: rhbz#1984822 - lasso: FTBFS in test suite due to short test
timeout (potentially OpenSSL-related)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.7.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jul 29 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-6
- Resolves: rhbz#1984822 - lasso: FTBFS in test suite due to short test
timeout (potentially OpenSSL-related)
* Mon Jun 28 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-7
- Fix dead code issue
- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping
vulnerability when parsing SAML responses
* Mon Jun 28 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-5
- Don't run configure twice
- Resolves: rhbz#1935987 - lasso implements and/or uses the deprecated
SHA-1 algorithm by default
* Thu Jun 24 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-4
- Resolves: rhbz#1935987 - lasso implements and/or uses the deprecated
SHA-1 algorithm by default
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.7.0-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Jun 4 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-2
- Rebuild with openssl3, presumably in a buildroot with xmlsec1
linked against openssl3
- Resolves: rhbz#1962052 - lasso: Port to OpenSSL 3.0
* Wed Jun 2 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.7.0-1
- Lasso 2.7.0
- Resolves: rhbz#1966606: CVE-2021-28091 lasso: XML signature wrapping
vulnerability when parsing SAML responses
- Remove java bindings
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.1-9
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Aug 13 2020 Jakub Hrozek <jhrozek@redhat.com> - 2.6.1-7
- Temporarily build with OpenJDK 8
- upstream ticket for OpenJDK11 support: https://dev.entrouvert.org/issues/45876
* Fri Aug 07 2020 Jeff Law <law@redhat.com> - 2.6.1-6
- Revert last change. I lost the patchfile and I can't reproduce the gcc-11
problem which almost certainly prompted it
* Fri Aug 07 2020 Jeff Law <law@redhat.com> - 2.6.1-5
- Fix format string problem
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 10 2020 Jiri Vanek <jvanek@redhat.com> - 2.6.1-2
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
* Fri Jul 03 2020 Xavier Bachelot <xavier@bachelot.org> - 2.6.1-1
- Update to 2.6.1
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-23
- Perl 5.32 rebuild
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 2.6.0-22
- Rebuilt for Python 3.9
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 17 2020 Jakub Hrozek <jhrozek@redhat.com>
- Resolves: #1778645 - lasso-2.6.0-19.fc32 FTBFS:
non_regression_tests.c:240:51: error: initializer
element is not constant
* Mon Sep 2 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-19
- Resolves: #1730010 - lasso includes "Destination" attribute in SAML
AuthnRequest populated with SP
AssertionConsumerServiceURL when ECP workflow
is used which leads to IdP-side errors
* Sun Sep 1 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-18
- Let tests run longer
- Resolves: #1743888 - lasso unit tests time out on slower arches (e.g. arm)
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.0-17
- Rebuilt for Python 3.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 17 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-15
- Use the upstream patch that uses a self-signed cert in tests
- Related: #1705700 - lasso FTBFS because an expired certificate is
used in the tests
- Resolves: #1634266 - ECP signature check fails with
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when assertion
signed instead of response
* Tue Jun 04 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-14
- Perl 5.30 re-rebuild updated packages
* Mon Jun 3 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-13
- Don't use the expired certificate the tarball provides for tests
- Resolves: #1705700 - lasso FTBFS because an expired certificate is
used in the tests
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-12
- Perl 5.30 rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Dec 04 2018 Xavier Bachelot <xavier@bachelot.org> - 2.6.0-10
- Specfile clean up:
- Consolidate BuildRequires
- Remove Group: tags
- Uppercase and move Url: tag
- Use %%license for COPYING
- Use %%make_build
- Use %%autosetup
- Don't glob soname to prevent unintentionnal soname bump
- Use %%ldconfig_scriptlets
- Specify all perl dependencies in BR:s
- Drop useless %%attr in php-lasso sub-package
* Mon Dec 03 2018 Xavier Bachelot <xavier@bachelot.org> - 2.6.0-9
- Generate perl requires/provides.
* Tue Jul 17 2018 <jdennis@redhat.com> - 2.6.0-8
- more py2/py3 build dependencies fixes
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Sat Jul 7 2018 <jdennis@redhat.com> - 2.6.0-6
* Wed May 4 2022 Tomas Halman <thalman@redhat.com> - 2.6.0-13
- Publishing the python3-lasso binding
- Resolves: rhbz#1888195 - Release python lasso package
* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-12
- Fix a dead code issue in the signature wrapping patch
- Resolves: rhbz#1951653 - CVE-2021-28091 lasso: XML signature wrapping
vulnerability when parsing SAML responses [rhel-8]
* Mon Jun 21 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-11
- Bump release to force the package through OSCI as the previous
build reached CI just in time for an outage
- Related: rhbz#1888195 - [RFE] release (built) python3-lasso pkg (comingfrom lasso)
* Fri Jun 4 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-10
- Resolves: rhbz#1951653 - CVE-2021-28091 lasso: XML signature wrapping
vulnerability when parsing SAML responses [rhel-8]
* Thu May 6 2021 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-9
- Resolves: rhbz#1888195 - [RFE] release (built) python3-lasso pkg (coming
from lasso)
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-8
- Resolves: rhbz#1730018 - lasso includes "Destination" attribute in SAML
AuthnRequest populated with SP
AssertionConsumerServiceURL when ECP workflow
is used which leads to IdP-side errors
* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-7
- Resolves: rhbz#1634268 - ECP signature check fails with
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND when
assertion signed instead of response
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 2.6.0-6
- Resolves: rhbz#1719020 - Expired certificate prevents tests from running
* Tue Sep 25 2018 Tomas Orsava <torsava@redhat.com> - 2.6.0-5
- Require the Python interpreter directly instead of using the package name
- Resolves: rhbz#1633617
* Tue Jul 17 2018 <jdennis@redhat.com> - 2.6.0-4
- more fixes for py2/py3 build dependencies
* Mon Jul 9 2018 <jdennis@redhat.com> - 2.6.0-3
- Modify configure to search for versioned python
- Resolves: rhbz#1598047
* Wed Jul 04 2018 Petr Pisar <ppisar@redhat.com> - 2.6.0-5
- Perl 5.28 rebuild
* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.6.0-4
- Rebuilt for Python 3.7
* Sat Jun 30 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.0-3
- Perl 5.28 rebuild
- Related: rhbz#1589856
* Wed Jun 27 2018 <jdennis@redhat.com> - 2.6.0-2
- fix language bindings package names to comply with guidelines,
instead of %%{name}-lang use lang-%%{name}
instead of %{name}-lang use lang-%{name}
- fix conditional logic used to build on rhel
- Resolves: rhbz#1589856 Drop python2 subpackage from RHEL8
* Tue Jun 26 2018 <jdennis@redhat.com> - 2.6.0-1
- Upgrade to latest upstream

Loading…
Cancel
Save