387 lines
11 KiB
C
387 lines
11 KiB
C
/*
|
|
* Lasso - A free implementation of the Liberty Alliance specifications.
|
|
*
|
|
* Copyright (C) 2004-2011 Entr'ouvert
|
|
* http://lasso.entrouvert.org
|
|
*
|
|
* Authors: See AUTHORS file in top-level directory.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "key.h"
|
|
#include "keyprivate.h"
|
|
#include "xml/private.h"
|
|
#include "xmlsec/xmltree.h"
|
|
|
|
/*****************************************************************************/
|
|
/* private methods */
|
|
/*****************************************************************************/
|
|
|
|
struct _LassoKeyPrivate {
|
|
enum _LassoKeyType type;
|
|
union {
|
|
LassoSignatureContext signature;
|
|
} context;
|
|
};
|
|
|
|
#define LASSO_KEY_GET_PRIVATE(o) \
|
|
(G_TYPE_INSTANCE_GET_PRIVATE ((o), LASSO_TYPE_KEY, LassoKeyPrivate))
|
|
|
|
static struct XmlSnippet schema_snippets[] = {
|
|
{NULL, 0, 0, NULL, NULL, NULL}
|
|
};
|
|
|
|
static LassoNodeClass *parent_class = NULL;
|
|
|
|
|
|
/*****************************************************************************/
|
|
/* instance and class init functions */
|
|
/*****************************************************************************/
|
|
|
|
static void
|
|
instance_init(LassoKey *key, G_GNUC_UNUSED void *unused)
|
|
{
|
|
key->private_data = LASSO_KEY_GET_PRIVATE(key);
|
|
}
|
|
|
|
static void
|
|
dispose(GObject *g_object)
|
|
{
|
|
LassoKey *key = (LassoKey*)g_object;
|
|
|
|
if (key->private_data) {
|
|
switch (key->private_data->type) {
|
|
case LASSO_KEY_TYPE_FOR_SIGNATURE:
|
|
lasso_assign_new_signature_context(
|
|
key->private_data->context.signature,
|
|
LASSO_SIGNATURE_CONTEXT_NONE);
|
|
break;
|
|
}
|
|
}
|
|
|
|
G_OBJECT_CLASS(parent_class)->dispose(G_OBJECT(key));
|
|
}
|
|
|
|
static void
|
|
class_init(LassoKeyClass *klass, void *unused G_GNUC_UNUSED)
|
|
{
|
|
LassoNodeClass *nclass = LASSO_NODE_CLASS(klass);
|
|
|
|
parent_class = g_type_class_peek_parent(klass);
|
|
nclass->node_data = g_new0(LassoNodeClassData, 1);
|
|
lasso_node_class_set_nodename(nclass, "Key");
|
|
lasso_node_class_set_ns(nclass, LASSO_LASSO_HREF, LASSO_LASSO_PREFIX);
|
|
lasso_node_class_add_snippets(nclass, schema_snippets);
|
|
g_type_class_add_private(klass, sizeof(LassoKeyPrivate));
|
|
G_OBJECT_CLASS(klass)->dispose = dispose;
|
|
}
|
|
|
|
GType
|
|
lasso_key_get_type()
|
|
{
|
|
static GType this_type = 0;
|
|
|
|
if (!this_type) {
|
|
static const GTypeInfo this_info = {
|
|
sizeof (LassoKeyClass),
|
|
NULL,
|
|
NULL,
|
|
(GClassInitFunc) class_init,
|
|
NULL,
|
|
NULL,
|
|
sizeof(LassoKey),
|
|
0,
|
|
(GInstanceInitFunc) instance_init,
|
|
NULL
|
|
};
|
|
|
|
this_type = g_type_register_static(LASSO_TYPE_NODE,
|
|
"LassoKey", &this_info, 0);
|
|
}
|
|
return this_type;
|
|
}
|
|
|
|
static LassoKey*
|
|
lasso_key_new()
|
|
{
|
|
return g_object_new(LASSO_TYPE_KEY, NULL);
|
|
}
|
|
|
|
static LassoKey*
|
|
lasso_key_new_for_signature_from_context(LassoSignatureContext context) {
|
|
LassoKey *key = lasso_key_new();
|
|
|
|
key->private_data->type = LASSO_KEY_TYPE_FOR_SIGNATURE;
|
|
lasso_assign_new_signature_context(
|
|
key->private_data->context.signature, context);
|
|
if (! lasso_validate_signature_context(key->private_data->context.signature)) {
|
|
lasso_release_gobject(key);
|
|
}
|
|
return key;
|
|
}
|
|
|
|
/**
|
|
* lasso_key_new_for_signature_from_file:
|
|
* @filename_or_buffer: a file path of a string containing the key PEM or Base64 encoded
|
|
* @password: an eventual password to decoded the private key contained in @buffer
|
|
* @signature_method: the signature method to associate to this key
|
|
* @certificate: a certificate as a file path or PEM encoded in a NULL-terminated string, to
|
|
* associate with the key, it will be used to fill the KeyInfo node in an eventual signature.
|
|
*
|
|
* Create a new #LassoKey object, you can use it to sign XML message or to specify the key of a
|
|
* provider.
|
|
*
|
|
* Return value:(transfer full): a newly allocated #LassoKey object
|
|
*/
|
|
LassoKey*
|
|
lasso_key_new_for_signature_from_file(char *filename_or_buffer,
|
|
char *password,
|
|
LassoSignatureMethod signature_method,
|
|
char *certificate) {
|
|
return lasso_key_new_for_signature_from_context(
|
|
lasso_make_signature_context_from_path_or_string(filename_or_buffer,
|
|
password,
|
|
signature_method,
|
|
certificate));
|
|
}
|
|
|
|
/**
|
|
* lasso_key_new_for_signature_from_memory:
|
|
* @buffer: a byte buffer of size @size
|
|
* @size: the size of @buffer
|
|
* @password: an eventual password to decoded the private key contained in @buffer
|
|
* @signature_method: the signature method to associate to this key
|
|
* @certificate: a certificate as a file path or PEM encoded in a NULL-terminated string, to
|
|
* associate with the key, it will be used to fill the KeyInfo node in an eventual signature.
|
|
*
|
|
* Create a new #LassoKey object, you can use it to sign XML message or to specify the key of a
|
|
* provider.
|
|
*
|
|
* Return value:(transfer full): a newly allocated #LassoKey object
|
|
*/
|
|
LassoKey*
|
|
lasso_key_new_for_signature_from_memory(const void *buffer,
|
|
size_t size,
|
|
char *password,
|
|
LassoSignatureMethod signature_method,
|
|
char *certificate)
|
|
{
|
|
return lasso_key_new_for_signature_from_context(
|
|
lasso_make_signature_context_from_buffer(buffer,
|
|
size,
|
|
password,
|
|
signature_method,
|
|
certificate));
|
|
}
|
|
|
|
/**
|
|
* lasso_key_new_for_signature_from_base64_string:
|
|
* @base64_string: a NULL-terminated string containing a base64 encode representation of the key
|
|
* @password: an eventual password to decoded the private key contained in @buffer
|
|
* @signature_method: the signature method to associate to this key
|
|
* @certificate: a certificate as a file path or PEM encoded in a NULL-terminated string, to
|
|
* associate with the key, it will be used to fill the KeyInfo node in an eventual signature.
|
|
*
|
|
* Create a new #LassoKey object, you can use it to sign XML message or to specify the key of a
|
|
* provider.
|
|
*
|
|
* Return value:(transfer full): a newly allocated #LassoKey object
|
|
*/
|
|
LassoKey*
|
|
lasso_key_new_for_signature_from_base64_string(char *base64_string,
|
|
char *password,
|
|
LassoSignatureMethod signature_method,
|
|
char *certificate)
|
|
{
|
|
LassoKey *key = NULL;
|
|
char *buffer = NULL;
|
|
int length = 0;
|
|
|
|
if (lasso_base64_decode(base64_string, &buffer, &length)) {
|
|
key = lasso_key_new_for_signature_from_context(
|
|
lasso_make_signature_context_from_buffer(buffer,
|
|
length,
|
|
password,
|
|
signature_method,
|
|
certificate));
|
|
lasso_release_string(buffer);
|
|
}
|
|
return key;
|
|
}
|
|
|
|
static xmlNode *
|
|
find_xmlnode_with_saml2_id(xmlNode *xmlnode, const char *id)
|
|
{
|
|
xmlNode *found = NULL;
|
|
xmlNode *t;
|
|
|
|
if (! xmlnode)
|
|
return NULL;
|
|
|
|
if (xmlHasProp(xmlnode, BAD_CAST "ID")) {
|
|
xmlChar *value;
|
|
|
|
value = xmlGetProp(xmlnode, BAD_CAST "ID");
|
|
if (lasso_strisequal((char*)value, id)) {
|
|
found = xmlnode;
|
|
}
|
|
xmlFree(value);
|
|
}
|
|
if (found) {
|
|
return found;
|
|
}
|
|
t = xmlSecGetNextElementNode(xmlnode->children);
|
|
while (t) {
|
|
found = find_xmlnode_with_saml2_id(t, id);
|
|
if (found) {
|
|
return found;
|
|
}
|
|
t = xmlSecGetNextElementNode(t->next);
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* lasso_key_saml2_xml_verify:
|
|
* @key: a #LassoKey object
|
|
* @id: the value of the ID attribute of signed node
|
|
* @document: the document containing the signed node
|
|
*
|
|
* Verify the first signature node child of the node with the given id. It follows from the profile
|
|
* of XMLDsig used by the SAML 2.0 specification.
|
|
*
|
|
* Return value: 0 if the signature validate, an error code otherwise.
|
|
*/
|
|
lasso_error_t
|
|
lasso_key_saml2_xml_verify(LassoKey *key, char *id, xmlNode *document)
|
|
{
|
|
xmlNode *signed_node;
|
|
LassoSignatureContext signature_context;
|
|
|
|
|
|
signed_node = find_xmlnode_with_saml2_id(document, id);
|
|
if (! signed_node) {
|
|
return LASSO_DS_ERROR_INVALID_REFERENCE_FOR_SAML;
|
|
}
|
|
signature_context = lasso_key_get_signature_context(key);
|
|
return lasso_verify_signature(signed_node, signed_node->doc, "ID", NULL,
|
|
signature_context.signature_key, NO_OPTION, NULL);
|
|
}
|
|
|
|
/**
|
|
* lasso_key_saml2_xml_sign:
|
|
* @key: a #LassoKey object
|
|
* @id: the value of the ID attribute of signed node
|
|
* @document: the document containing the signed node
|
|
*
|
|
* Sign the first signature node child of the node with the given id. It no signature node is found
|
|
* a new one is added at the end of the children list of the signed node.
|
|
*
|
|
* The passed document node is modified in-place.
|
|
*
|
|
* Return value: The modified xmlNode object, or NULL if the signature failed.
|
|
*/
|
|
xmlNode*
|
|
lasso_key_saml2_xml_sign(LassoKey *key, const char *id, xmlNode *document)
|
|
{
|
|
xmlNode *signed_node;
|
|
LassoSignatureContext signature_context;
|
|
|
|
signed_node = find_xmlnode_with_saml2_id(document, id);
|
|
if (! signed_node) {
|
|
return NULL;
|
|
}
|
|
signature_context = lasso_key_get_signature_context(key);
|
|
lasso_xmlnode_add_saml2_signature_template(signed_node, signature_context, id);
|
|
if (lasso_sign_node(signed_node, signature_context,
|
|
"ID", id) == 0) {
|
|
return document;
|
|
} else {
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* lasso_key_query_verify:
|
|
* key: a #LassoKey object
|
|
* query: a raw HTTP query string
|
|
*
|
|
* Check if this query string contains a proper SAML2 signature for this key.
|
|
*
|
|
* Return value: 0 if a valid signature was found, an error code otherwise.
|
|
*/
|
|
lasso_error_t
|
|
lasso_key_query_verify(LassoKey *key, const char *query)
|
|
{
|
|
LassoSignatureContext signature_context;
|
|
lasso_bad_param(KEY, key);
|
|
|
|
signature_context = lasso_key_get_signature_context(key);
|
|
if (! lasso_validate_signature_context(signature_context))
|
|
return LASSO_ERROR_UNDEFINED;
|
|
return lasso_saml2_query_verify_signature(query, signature_context.signature_key);
|
|
}
|
|
|
|
/**
|
|
* lasso_key_query_verify:
|
|
* key: a #LassoKey object
|
|
* query: a raw HTTP query string
|
|
*
|
|
* Sign the given query string using the given key.
|
|
*
|
|
* Return value: the signed query string.
|
|
*/
|
|
char*
|
|
lasso_key_query_sign(LassoKey *key, const char *query)
|
|
{
|
|
LassoSignatureContext signature_context;
|
|
|
|
if (! LASSO_IS_KEY(key))
|
|
return NULL;
|
|
signature_context = lasso_key_get_signature_context(key);
|
|
if (! lasso_validate_signature_context(signature_context))
|
|
return NULL;
|
|
return lasso_query_sign((char*)query, signature_context);
|
|
}
|
|
|
|
/**
|
|
* lasso_key_get_signature_context:
|
|
* @key: a #LassoKey object
|
|
*
|
|
* Private method to extract the signature context embedded in a LassoKey object.
|
|
*
|
|
* Return value: a #LassoSignatureContext structure value.
|
|
*/
|
|
LassoSignatureContext
|
|
lasso_key_get_signature_context(LassoKey *key) {
|
|
if (key->private_data && key->private_data->type == LASSO_KEY_TYPE_FOR_SIGNATURE) {
|
|
return key->private_data->context.signature;
|
|
}
|
|
return LASSO_SIGNATURE_CONTEXT_NONE;
|
|
}
|
|
|
|
/**
|
|
* lasso_key_get_key_type:
|
|
* @key: a #LassoKey object
|
|
*
|
|
* Return the type of key, i.e. which operation it supports.
|
|
*/
|
|
LassoKeyType
|
|
lasso_key_get_key_type(LassoKey *key) {
|
|
lasso_return_val_if_fail(LASSO_IS_KEY(key),
|
|
LASSO_KEY_TYPE_FOR_SIGNATURE);
|
|
return key->private_data->type;
|
|
}
|