- build_response_msg will report signature error in response status
code when called without an initialized response (without a call to
validate_request)
- process_response_msg now use
lasso_saml20_profile_check_signature_status to check the signature
status only if permitted.
And also handle the signature verification hint. If process_msg fails,
you must just call build_response_msg directly.
Only check the signature on the response if asked, most applications
should not care.
The check was missing for processing of logout requests, name id
management request and assertion query responses.
A new internal function lasso_saml20_profile_check_signature_status is
added.
Code in core source file which depend upon ID-WSF symbols have been
conditionalized, and each id-wsf source file now include directly its
need string header.
Previously content was stored as the result of lasso_node_dump method
then reloaded, and then serialized again as part of the ArtifactResponse
message. lasso_node_dump was ignoring all hint to sign node, but keeping
the needed parameters around. That's not what must be done, the
signature should happen at the generation of the artifact and the result
must manipulated as is (i.e. XML content) and never moved back to the
land of LassoNode objects.
Now the content is:
- first removed of any signature at the message level, because the
ArtifactResponse will take care of this, (any signature under this
level (like at the assertion) is kept),
- serialized using lasso_node_export_to_xml,
- reloaded using lasso_xml_parse_memory,
- and put into the ArtifactResponse using a
lasso_misc_text_node_new_with_xml_node.
Generic signature parameters (attached as qdata to nodes) is now
reloaded when initializing a node from XML for a node type with a
signature snippet in its metadatas.
It fixes the problematic usage of ciphered private keys with the
HTTP-Artifact binding (which needs to keep a copy of the AuthnResponse
around and to sign it later).
Add string constants for signature method, signature type, private key
(file path or content), private key password and certificate (file path
or content).
Add cast for xmlChar constant strings definition in python bindings, it
assumed all constant strings were char*.
The first is trying to use provider->role to know which kind of role
descriptor to lookup, but for the server object this field is 0 and when
building authn request we know that we want our default NameIDFormat for
the SP sso descriptor.
The new way of storing endpoints allows to keep ordering between
endpoints with respect to the order of the index and isDefault field for
indexed endpoint type, and to the XML node orders for other endpoints.
It also simplifies the code.
Benjamin Dauvergne
Frédéric Péters
Benjamin Dauvergne