[id-ff] move LassoLogin to use LassoSignatureContext
parent
5e5c38b451
commit
641702b346
|
@ -338,6 +338,7 @@ lasso_login_build_assertion(LassoLogin *login,
|
||||||
LassoProvider *provider = NULL;
|
LassoProvider *provider = NULL;
|
||||||
LassoSaml2EncryptedElement *encrypted_element = NULL;
|
LassoSaml2EncryptedElement *encrypted_element = NULL;
|
||||||
LassoSamlSubjectStatementAbstract *ss;
|
LassoSamlSubjectStatementAbstract *ss;
|
||||||
|
lasso_error_t rc = 0;
|
||||||
|
|
||||||
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
||||||
|
|
||||||
|
@ -400,14 +401,9 @@ lasso_login_build_assertion(LassoLogin *login,
|
||||||
assertion->AuthenticationStatement = LASSO_SAML_AUTHENTICATION_STATEMENT(as);
|
assertion->AuthenticationStatement = LASSO_SAML_AUTHENTICATION_STATEMENT(as);
|
||||||
|
|
||||||
/* Save signing material in assertion private datas to be able to sign later */
|
/* Save signing material in assertion private datas to be able to sign later */
|
||||||
if (profile->server->certificate) {
|
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(login->parent.server,
|
||||||
assertion->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
|
profile->remote_providerID, (LassoNode*)assertion));
|
||||||
} else {
|
|
||||||
assertion->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
|
|
||||||
}
|
|
||||||
assertion->sign_method = profile->server->signature_method;
|
|
||||||
lasso_assign_string(assertion->private_key_file, profile->server->private_key);
|
|
||||||
lasso_assign_string(assertion->certificate_file, profile->server->certificate);
|
|
||||||
|
|
||||||
if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST || \
|
if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST || \
|
||||||
login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP) {
|
login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP) {
|
||||||
|
@ -424,7 +420,7 @@ lasso_login_build_assertion(LassoLogin *login,
|
||||||
if (profile->session == NULL) {
|
if (profile->session == NULL) {
|
||||||
profile->session = lasso_session_new();
|
profile->session = lasso_session_new();
|
||||||
}
|
}
|
||||||
lasso_assign_new_gobject(login->assertion, LASSO_SAML_ASSERTION(assertion));
|
lasso_assign_gobject(login->assertion, LASSO_SAML_ASSERTION(assertion));
|
||||||
lasso_session_add_assertion(profile->session, profile->remote_providerID,
|
lasso_session_add_assertion(profile->session, profile->remote_providerID,
|
||||||
LASSO_NODE(assertion));
|
LASSO_NODE(assertion));
|
||||||
|
|
||||||
|
@ -454,7 +450,9 @@ lasso_login_build_assertion(LassoLogin *login,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
cleanup:
|
||||||
|
lasso_release_gobject(assertion);
|
||||||
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1078,15 +1076,15 @@ lasso_login_build_artifact_msg(LassoLogin *login, LassoHttpMethod http_method)
|
||||||
* </para></listitem>
|
* </para></listitem>
|
||||||
* </itemizedlist>
|
* </itemizedlist>
|
||||||
**/
|
**/
|
||||||
gint
|
lasso_error_t
|
||||||
lasso_login_build_authn_request_msg(LassoLogin *login)
|
lasso_login_build_authn_request_msg(LassoLogin *login)
|
||||||
{
|
{
|
||||||
LassoProvider *provider, *remote_provider;
|
LassoProvider *provider, *remote_provider;
|
||||||
LassoProfile *profile;
|
LassoProfile *profile;
|
||||||
char *md_authnRequestsSigned, *url, *query, *lareq, *protocolProfile;
|
char *md_authnRequestsSigned, *url, *query = NULL, *lareq, *protocolProfile;
|
||||||
LassoProviderRole role, remote_role;
|
LassoProviderRole role, remote_role;
|
||||||
gboolean must_sign;
|
gboolean must_sign;
|
||||||
gint ret = 0;
|
gint rc = 0;
|
||||||
|
|
||||||
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
||||||
profile = LASSO_PROFILE(login);
|
profile = LASSO_PROFILE(login);
|
||||||
|
@ -1132,20 +1130,14 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
|
||||||
provider->role = role;
|
provider->role = role;
|
||||||
remote_provider->role = remote_role;
|
remote_provider->role = remote_role;
|
||||||
|
|
||||||
if (!must_sign)
|
|
||||||
LASSO_SAMLP_REQUEST_ABSTRACT(
|
|
||||||
profile->request)->sign_type = LASSO_SIGNATURE_TYPE_NONE;
|
|
||||||
|
|
||||||
if (login->http_method == LASSO_HTTP_METHOD_REDIRECT) {
|
if (login->http_method == LASSO_HTTP_METHOD_REDIRECT) {
|
||||||
/* REDIRECT -> query */
|
/* REDIRECT -> query */
|
||||||
if (must_sign) {
|
if (must_sign) {
|
||||||
query = lasso_node_export_to_query_with_password(LASSO_NODE(profile->request),
|
lasso_check_good_rc(lasso_server_export_to_query_for_provider_by_name(profile->server,
|
||||||
profile->server->signature_method,
|
profile->remote_providerID,
|
||||||
profile->server->private_key,
|
profile->request, &query));
|
||||||
profile->server->private_key_password);
|
|
||||||
} else {
|
} else {
|
||||||
query = lasso_node_export_to_query_with_password(
|
query = lasso_node_build_query(LASSO_NODE(profile->request));
|
||||||
LASSO_NODE(profile->request), 0, NULL, NULL);
|
|
||||||
}
|
}
|
||||||
if (query == NULL) {
|
if (query == NULL) {
|
||||||
return critical_error(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
|
return critical_error(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
|
||||||
|
@ -1164,14 +1156,9 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
|
||||||
}
|
}
|
||||||
if (login->http_method == LASSO_HTTP_METHOD_POST) {
|
if (login->http_method == LASSO_HTTP_METHOD_POST) {
|
||||||
if (must_sign) {
|
if (must_sign) {
|
||||||
/* XXX: private_key_file is not declared within request
|
lasso_server_set_signature_for_provider_by_name(profile->server,
|
||||||
* snippets so it is not freed on destroy, so it is
|
profile->remote_providerID,
|
||||||
* normal to not strdup() it; nevertheless it would
|
profile->request);
|
||||||
* probably be more clean not to to it this way */
|
|
||||||
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->private_key_file =
|
|
||||||
profile->server->private_key;
|
|
||||||
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->certificate_file =
|
|
||||||
profile->server->certificate;
|
|
||||||
}
|
}
|
||||||
lareq = lasso_node_export_to_base64(profile->request);
|
lareq = lasso_node_export_to_base64(profile->request);
|
||||||
|
|
||||||
|
@ -1184,7 +1171,8 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
|
||||||
lasso_assign_new_string(profile->msg_body, lareq);
|
lasso_assign_new_string(profile->msg_body, lareq);
|
||||||
}
|
}
|
||||||
|
|
||||||
return ret;
|
cleanup:
|
||||||
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1244,8 +1232,9 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
|
||||||
gint
|
gint
|
||||||
lasso_login_build_authn_response_msg(LassoLogin *login)
|
lasso_login_build_authn_response_msg(LassoLogin *login)
|
||||||
{
|
{
|
||||||
LassoProvider *remote_provider;
|
LassoProvider *remote_provider = NULL;
|
||||||
LassoProfile *profile;
|
LassoProfile *profile = NULL;
|
||||||
|
lasso_error_t rc = 0;
|
||||||
|
|
||||||
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
||||||
|
|
||||||
|
@ -1274,22 +1263,14 @@ lasso_login_build_authn_response_msg(LassoLogin *login)
|
||||||
|
|
||||||
/* Countermeasure: The issuer should sign <lib:AuthnResponse> messages.
|
/* Countermeasure: The issuer should sign <lib:AuthnResponse> messages.
|
||||||
* (binding and profiles (1.2errata2, page 65) */
|
* (binding and profiles (1.2errata2, page 65) */
|
||||||
if (profile->server->certificate) {
|
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
|
profile->server,
|
||||||
LASSO_SIGNATURE_TYPE_WITHX509;
|
profile->remote_providerID,
|
||||||
} else {
|
profile->response));
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
|
|
||||||
LASSO_SIGNATURE_TYPE_SIMPLE;
|
|
||||||
}
|
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method =
|
|
||||||
LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->private_key_file =
|
|
||||||
profile->server->private_key;
|
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->certificate_file =
|
|
||||||
profile->server->certificate;
|
|
||||||
|
|
||||||
/* build an lib:AuthnResponse base64 encoded */
|
/* build an lib:AuthnResponse base64 encoded */
|
||||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_base64(LASSO_NODE(profile->response)));
|
lasso_assign_new_string(profile->msg_body,
|
||||||
|
lasso_node_export_to_base64(LASSO_NODE(profile->response)));
|
||||||
|
|
||||||
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
|
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
|
||||||
if (LASSO_IS_PROVIDER(remote_provider) == FALSE)
|
if (LASSO_IS_PROVIDER(remote_provider) == FALSE)
|
||||||
|
@ -1299,8 +1280,8 @@ lasso_login_build_authn_response_msg(LassoLogin *login)
|
||||||
if (profile->msg_url == NULL) {
|
if (profile->msg_url == NULL) {
|
||||||
return LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL;
|
return LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL;
|
||||||
}
|
}
|
||||||
|
cleanup:
|
||||||
return 0;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1327,6 +1308,7 @@ lasso_login_build_request_msg(LassoLogin *login)
|
||||||
{
|
{
|
||||||
LassoProvider *remote_provider;
|
LassoProvider *remote_provider;
|
||||||
LassoProfile *profile;
|
LassoProfile *profile;
|
||||||
|
lasso_error_t rc = 0;
|
||||||
|
|
||||||
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
||||||
|
|
||||||
|
@ -1342,10 +1324,10 @@ lasso_login_build_request_msg(LassoLogin *login)
|
||||||
return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
|
return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
|
||||||
}
|
}
|
||||||
|
|
||||||
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->private_key_file =
|
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
|
||||||
profile->server->private_key;
|
profile->server,
|
||||||
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->certificate_file =
|
profile->remote_providerID,
|
||||||
profile->server->certificate;
|
profile->request));
|
||||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->request));
|
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->request));
|
||||||
|
|
||||||
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
|
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
|
||||||
|
@ -1353,7 +1335,8 @@ lasso_login_build_request_msg(LassoLogin *login)
|
||||||
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
|
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
|
||||||
}
|
}
|
||||||
lasso_assign_new_string(profile->msg_url, lasso_provider_get_metadata_one(remote_provider, "SoapEndpoint"));
|
lasso_assign_new_string(profile->msg_url, lasso_provider_get_metadata_one(remote_provider, "SoapEndpoint"));
|
||||||
return 0;
|
cleanup:
|
||||||
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1379,7 +1362,7 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
|
||||||
{
|
{
|
||||||
LassoProvider *remote_provider;
|
LassoProvider *remote_provider;
|
||||||
LassoProfile *profile;
|
LassoProfile *profile;
|
||||||
gint ret = 0;
|
lasso_error_t rc = 0;
|
||||||
|
|
||||||
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
|
||||||
profile = LASSO_PROFILE(login);
|
profile = LASSO_PROFILE(login);
|
||||||
|
@ -1398,38 +1381,28 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->MinorVersion = 0;
|
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->MinorVersion = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (profile->server->certificate) {
|
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
|
|
||||||
LASSO_SIGNATURE_TYPE_WITHX509;
|
|
||||||
} else {
|
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
|
|
||||||
LASSO_SIGNATURE_TYPE_SIMPLE;
|
|
||||||
}
|
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method =
|
|
||||||
LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
|
||||||
|
|
||||||
if (remote_providerID != NULL) {
|
if (remote_providerID != NULL) {
|
||||||
lasso_assign_string(profile->remote_providerID, remote_providerID);
|
lasso_assign_string(profile->remote_providerID, remote_providerID);
|
||||||
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
|
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
|
||||||
ret = lasso_provider_verify_signature(remote_provider,
|
rc = lasso_provider_verify_signature(remote_provider,
|
||||||
login->private_data->soap_request_msg,
|
login->private_data->soap_request_msg,
|
||||||
"RequestID", LASSO_MESSAGE_FORMAT_SOAP);
|
"RequestID", LASSO_MESSAGE_FORMAT_SOAP);
|
||||||
lasso_release_string(login->private_data->soap_request_msg);
|
lasso_release_string(login->private_data->soap_request_msg);
|
||||||
|
|
||||||
/* lasso_profile_set_session_from_dump has not been called */
|
/* lasso_profile_set_session_from_dump has not been called */
|
||||||
if (profile->session == NULL) {
|
if (profile->session == NULL) {
|
||||||
ret = LASSO_PROFILE_ERROR_SESSION_NOT_FOUND;
|
rc = LASSO_PROFILE_ERROR_SESSION_NOT_FOUND;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* change status code into RequestDenied if signature is
|
/* change status code into RequestDenied if signature is
|
||||||
* invalid or not found or if an error occurs during
|
* invalid or not found or if an error occurs during
|
||||||
* verification */
|
* verification */
|
||||||
if (ret != 0) {
|
if (rc != 0) {
|
||||||
lasso_profile_set_response_status(profile,
|
lasso_profile_set_response_status(profile,
|
||||||
LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
|
LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret == 0) {
|
if (rc == 0) {
|
||||||
/* get assertion in session and add it in response */
|
/* get assertion in session and add it in response */
|
||||||
LassoSamlAssertion *assertion;
|
LassoSamlAssertion *assertion;
|
||||||
LassoSamlpStatus *status;
|
LassoSamlpStatus *status;
|
||||||
|
@ -1456,13 +1429,14 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
|
||||||
lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
|
lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
|
||||||
}
|
}
|
||||||
|
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->private_key_file =
|
lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
|
||||||
profile->server->private_key;
|
profile->server,
|
||||||
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->certificate_file =
|
profile->remote_providerID,
|
||||||
profile->server->certificate;
|
profile->response));
|
||||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->response));
|
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->response));
|
||||||
|
|
||||||
return ret;
|
cleanup:
|
||||||
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1567,15 +1541,6 @@ lasso_login_init_authn_request(LassoLogin *login, const gchar *remote_providerID
|
||||||
lasso_assign_string(LASSO_LIB_AUTHN_REQUEST(profile->request)->RelayState,
|
lasso_assign_string(LASSO_LIB_AUTHN_REQUEST(profile->request)->RelayState,
|
||||||
profile->msg_relayState);
|
profile->msg_relayState);
|
||||||
|
|
||||||
if (http_method == LASSO_HTTP_METHOD_POST) {
|
|
||||||
request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
|
||||||
if (profile->server->certificate) {
|
|
||||||
request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
|
|
||||||
} else {
|
|
||||||
request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1709,15 +1674,7 @@ lasso_login_init_request(LassoLogin *login, gchar *response_msg,
|
||||||
request->MajorVersion = LASSO_SAML_MAJOR_VERSION_N;
|
request->MajorVersion = LASSO_SAML_MAJOR_VERSION_N;
|
||||||
request->MinorVersion = LASSO_SAML_MINOR_VERSION_N;
|
request->MinorVersion = LASSO_SAML_MINOR_VERSION_N;
|
||||||
lasso_assign_new_string(request->IssueInstant, lasso_get_current_time());
|
lasso_assign_new_string(request->IssueInstant, lasso_get_current_time());
|
||||||
|
|
||||||
LASSO_SAMLP_REQUEST(request)->AssertionArtifact = artifact_b64;
|
LASSO_SAMLP_REQUEST(request)->AssertionArtifact = artifact_b64;
|
||||||
if (profile->server->certificate) {
|
|
||||||
request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
|
|
||||||
} else {
|
|
||||||
request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
|
|
||||||
}
|
|
||||||
request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
|
||||||
|
|
||||||
lasso_assign_new_gobject(profile->request, LASSO_NODE(request));
|
lasso_assign_new_gobject(profile->request, LASSO_NODE(request));
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
|
|
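Review bot: In the POST branch of lasso_login_build_authn_request_msg (hunk -1164,14 +1156,9; the function's body spans several hunks), the return value of lasso_server_set_signature_for_provider_by_name() is dropped, while every other new call site in this commit wraps it in lasso_check_good_rc(); if setting the signature context fails there, lasso_node_export_to_base64() still runs, the AuthnRequest goes out unsigned even though must_sign is true, and the function reaches `cleanup:` with rc still 0. The function already has the cleanup label and the rc variable, so the call should read `lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(profile->server, profile->remote_providerID, profile->request));`. Two smaller consistency points: the assertion hunk (-400,14 +401,9) reaches the server through `login->parent.server` where all the other new calls use `profile->server`, and lasso_login_build_authn_response_msg keeps its `gint` return type while lasso_login_build_authn_request_msg was switched to `lasso_error_t`. In lasso_login_build_response_msg (hunk -1456,13 +1429,14), rc may already hold a non-zero value from lasso_provider_verify_signature() when lasso_check_good_rc() runs; if that macro assigns rc unconditionally, a successful signature setup would overwrite the verification error with 0, which is worth confirming against the macro's definition since it is not on this page.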