Choose the Reference transform based on the chosen Signature transform (fixes #10155)
i.e. if the signature use SHA2 then use SHA2 of the same strength for digesting references.
This commit is contained in:
parent
d8e3ae8504
commit
9525237236
|
|
@ -2823,14 +2823,39 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext
|
|||
xmlAddChild(node, signature);
|
||||
}
|
||||
|
||||
/* Normally the signature is son of the signed node, which holds an Id attribute, but in
|
||||
* other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another
|
||||
* node get_xmlNode virtual method to add the needed reference.
|
||||
*/
|
||||
uri = g_strdup_printf("#%s", id);
|
||||
reference = xmlSecTmplSignatureAddReference(signature,
|
||||
xmlSecTransformSha1Id, NULL, (xmlChar*)uri, NULL);
|
||||
lasso_release(uri);
|
||||
/* choose a digest for handling references based on the chosen signature algorithm */
|
||||
{
|
||||
xmlSecTransformId digest_method_id;
|
||||
switch (context.signature_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
digest_method_id = xmlSecTransformSha1Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
digest_method_id = xmlSecTransformSha256Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
digest_method_id = xmlSecTransformSha384Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
digest_method_id = xmlSecTransformSha384Id;
|
||||
break;
|
||||
default:
|
||||
g_assert_not_reached();
|
||||
}
|
||||
/* Normally the signature is son of the signed node, which holds an Id attribute, but in
|
||||
* other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another
|
||||
* node get_xmlNode virtual method to add the needed reference.
|
||||
*/
|
||||
uri = g_strdup_printf("#%s", id);
|
||||
reference = xmlSecTmplSignatureAddReference(signature, digest_method_id, NULL,
|
||||
(xmlChar*)uri, NULL);
|
||||
lasso_release(uri);
|
||||
}
|
||||
|
||||
/* add enveloped transform */
|
||||
xmlSecTmplReferenceAddTransform(reference, xmlSecTransformEnvelopedId);
|
||||
|
|
|
|||
|
|
@ -925,8 +925,10 @@ END_TEST
|
|||
lasso_provider_add_key(LASSO_PROVIDER(providers->data), key, FALSE); \
|
||||
g_list_free(providers);
|
||||
|
||||
typedef void (*SsoCallback)(LassoLogin *idp_login_context, LassoLogin *sp_login_context);
|
||||
|
||||
static void
|
||||
sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context)
|
||||
sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallback sso_callback)
|
||||
{
|
||||
LassoLogin *idp_login_context;
|
||||
LassoLogin *sp_login_context;
|
||||
|
|
@ -970,6 +972,10 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context)
|
|||
idp_login_context->parent.msg_body));
|
||||
check_good_rc(lasso_login_accept_sso(sp_login_context));
|
||||
|
||||
if (sso_callback) {
|
||||
sso_callback(idp_login_context, sp_login_context);
|
||||
}
|
||||
|
||||
/* Cleanup */
|
||||
lasso_release_gobject(idp_login_context);
|
||||
lasso_release_gobject(sp_login_context);
|
||||
|
|
@ -991,8 +997,9 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
|
|||
test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key)
|
||||
test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key)
|
||||
|
||||
|
||||
block_lasso_logs;
|
||||
sso_initiated_by_sp(idp_context, sp_context);
|
||||
sso_initiated_by_sp(idp_context, sp_context, NULL);
|
||||
unblock_lasso_logs;
|
||||
|
||||
/* Cleanup */
|
||||
|
|
@ -1514,6 +1521,39 @@ START_TEST(test11_ecp)
|
|||
}
|
||||
END_TEST
|
||||
|
||||
void check_digest_method(LassoLogin *idp_login_context, LassoLogin *sp_login_context)
|
||||
{
|
||||
char *dump = lasso_node_debug((LassoNode*)sp_login_context->parent.response, 10);
|
||||
check_true(strstr(dump, "<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>") != NULL);
|
||||
lasso_release_string(dump)
|
||||
}
|
||||
|
||||
START_TEST(test12_sso_sp_with_rsa_sha256_signatures)
|
||||
{
|
||||
LassoServer *idp_context = NULL;
|
||||
LassoServer *sp_context = NULL;
|
||||
GList *providers;
|
||||
LassoKey *key = NULL;
|
||||
|
||||
/* Create a key for signature algorithm RSA_SHA256 */
|
||||
key = lasso_key_new_for_signature_from_file(TESTSDATADIR "idp6-saml2/private-key.pem", NULL,
|
||||
LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
|
||||
check_true(LASSO_IS_KEY(key));
|
||||
|
||||
test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key)
|
||||
test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key)
|
||||
|
||||
block_lasso_logs;
|
||||
sso_initiated_by_sp(idp_context, sp_context, check_digest_method);
|
||||
unblock_lasso_logs;
|
||||
|
||||
/* Cleanup */
|
||||
lasso_release_gobject(idp_context);
|
||||
lasso_release_gobject(sp_context);
|
||||
lasso_release_gobject(key);
|
||||
}
|
||||
END_TEST
|
||||
|
||||
Suite*
|
||||
login_saml2_suite()
|
||||
{
|
||||
|
|
@ -1545,6 +1585,7 @@ login_saml2_suite()
|
|||
tcase_add_test(tc_ecp, test09_ecp);
|
||||
tcase_add_test(tc_ecp, test10_ecp);
|
||||
tcase_add_test(tc_ecp, test11_ecp);
|
||||
tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures);
|
||||
return s;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue