authorFrederic Peters <fpeters@entrouvert.com>2005-03-07 14:16:16 +0000
committerFrederic Peters <fpeters@entrouvert.com>2005-03-07 14:16:16 +0000
commit1e26b90df992d2b5c2703442f41c2ec40cc46dd5 (patch)
tree7b3967e4cd4b2d613f505fdfc6ebcee91a8c6a24
parentd2cb2500ba178c0503dd398c7d71cedf73b648e9 (diff)
only use LASSO_SIGNATURE_TYPE_WITHX509 (including a <KeyInfo/> in message) if
we have a certificate to use; use LASSO_SIGNATURE_TYPE_SIMPLE otherwise.
-rw-r--r--lasso/id-ff/defederation.c3
-rw-r--r--lasso/id-ff/login.c25
-rw-r--r--lasso/id-ff/logout.c6
-rw-r--r--lasso/id-ff/name_identifier_mapping.c6
-rw-r--r--lasso/id-ff/name_registration.c8
-rw-r--r--lasso/xml/xml.c7
6 files changed, 40 insertions, 15 deletions
diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
index b357f8d9..4b8534e8 100644
--- a/lasso/id-ff/defederation.c
+++ b/lasso/id-ff/defederation.c
@@ -203,7 +203,8 @@ lasso_defederation_init_notification(LassoDefederation *defederation, gchar *rem
profile->request = lasso_lib_federation_termination_notification_new_full(
LASSO_PROVIDER(profile->server)->ProviderID,
nameIdentifier,
- LASSO_SIGNATURE_TYPE_WITHX509,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
LASSO_SIGNATURE_METHOD_RSA_SHA1);
if (profile->msg_relayState) {
message(G_LOG_LEVEL_WARNING,
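Review bot: The certificate test `profile->server->certificate ? LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE` on the two added lines is repeated verbatim in the logout.c, name_identifier_mapping.c and name_registration.c hunks and as an if/else four times in login.c; one shared helper deriving the signature type from the LassoServer would keep the nine sites from drifting apart when the rule changes. The test is plain pointer truthiness, so an empty-string certificate path would still select WITHX509 and the missing <dsig:X509Data/> would only surface at signing time; if an empty path is a possible configuration, such a helper is the place to reject it. The hunk does not show whether profile->server is guaranteed non-NULL here, so the dereference inside the argument list relies on a check presumably made earlier in lasso_defederation_init_notification, which continues outside the hunk.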
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 64628158..b361e735 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -752,7 +752,10 @@ lasso_login_build_authn_response_msg(LassoLogin *login)
/* Countermeasure: The issuer should sign <lib:AuthnResponse> messages.
* (binding and profiles (1.2errata2, page 65) */
- profile->response->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
+ if (profile->server->certificate)
+ profile->response->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
+ else
+ profile->response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
profile->response->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
profile->response->private_key_file = profile->server->private_key;
profile->response->certificate_file = profile->server->certificate;
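Review bot: The added if/else setting sign_type is unbraced, while the same construct in this file's three later hunks (lasso_login_build_response_msg, lasso_login_init_authn_request, lasso_login_init_request) is braced; one form, preferably the braced one, should be used throughout the file. A short comment on the else branch would make the downgrade explicit, e.g. `/* no certificate configured: sign without embedding <dsig:KeyInfo/> */`, since the message is still signed with RSA-SHA1 (sign_method on the next line) and only the embedded key material changes. certificate_file is still assigned from profile->server->certificate unconditionally two lines below, which is presumably fine when it is NULL but reads as if the X509 path were always taken. The body of lasso_login_build_authn_response_msg continues outside the hunk.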
@@ -835,7 +838,13 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
profile->response->MinorVersion = 0;
}
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
+ if (profile->server->certificate) {
+ LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
+ LASSO_SIGNATURE_TYPE_WITHX509;
+ } else {
+ LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
+ LASSO_SIGNATURE_TYPE_SIMPLE;
+ }
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method =
LASSO_SIGNATURE_METHOD_RSA_SHA1;
@@ -970,7 +979,11 @@ lasso_login_init_authn_request(LassoLogin *login, const gchar *remote_providerID
if (http_method == LASSO_HTTP_METHOD_POST) {
profile->request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
- profile->request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
+ if (profile->server->certificate) {
+ profile->request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
+ } else {
+ profile->request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
+ }
}
return 0;
@@ -1056,7 +1069,11 @@ lasso_login_init_request(LassoLogin *login, gchar *response_msg,
request->IssueInstant = lasso_get_current_time();
LASSO_SAMLP_REQUEST(request)->AssertionArtifact = artifact_b64;
- request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
+ if (LASSO_PROFILE(login)->server->certificate) {
+ request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
+ } else {
+ request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
+ }
request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
LASSO_PROFILE(login)->request = LASSO_SAMLP_REQUEST_ABSTRACT(request);
diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
index 0360fe9b..0f61d53e 100644
--- a/lasso/id-ff/logout.c
+++ b/lasso/id-ff/logout.c
@@ -360,7 +360,8 @@ lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
profile->request = lasso_lib_logout_request_new_full(
LASSO_PROVIDER(profile->server)->ProviderID,
nameIdentifier,
- LASSO_SIGNATURE_TYPE_WITHX509,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
LASSO_SIGNATURE_METHOD_RSA_SHA1);
} else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
is_http_redirect_get_method = TRUE;
@@ -697,7 +698,8 @@ lasso_logout_validate_request(LassoLogout *logout)
LASSO_PROVIDER(profile->server)->ProviderID,
LASSO_SAML_STATUS_CODE_SUCCESS,
LASSO_LIB_LOGOUT_REQUEST(profile->request),
- LASSO_SIGNATURE_TYPE_WITHX509,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
LASSO_SIGNATURE_METHOD_RSA_SHA1);
}
if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
index d49cfdf1..f718cc26 100644
--- a/lasso/id-ff/name_identifier_mapping.c
+++ b/lasso/id-ff/name_identifier_mapping.c
@@ -235,7 +235,8 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,
LASSO_PROVIDER(profile->server)->ProviderID,
nameIdentifier,
targetNamespace,
- LASSO_SIGNATURE_TYPE_WITHX509,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
LASSO_SIGNATURE_METHOD_RSA_SHA1);
if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
@@ -424,7 +425,8 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi
LASSO_PROVIDER(profile->server)->ProviderID,
LASSO_SAML_STATUS_CODE_SUCCESS,
request,
- LASSO_SIGNATURE_TYPE_WITHX509,
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
LASSO_SIGNATURE_METHOD_RSA_SHA1);
if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {
diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
index fe6e91d8..1086a06b 100644
--- a/lasso/id-ff/name_registration.c
+++ b/lasso/id-ff/name_registration.c
@@ -314,7 +314,9 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,
profile->request = lasso_lib_register_name_identifier_request_new_full(
LASSO_PROVIDER(profile->server)->ProviderID,
idpNameIdentifier, spNameIdentifier, oldNameIdentifier,
- LASSO_SIGNATURE_TYPE_WITHX509, LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+ LASSO_SIGNATURE_METHOD_RSA_SHA1);
if (profile->request == NULL) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
}
@@ -554,7 +556,9 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio
LASSO_PROVIDER(profile->server)->ProviderID,
LASSO_SAML_STATUS_CODE_SUCCESS,
LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),
- LASSO_SIGNATURE_TYPE_WITHX509, LASSO_SIGNATURE_METHOD_RSA_SHA1);
+ profile->server->certificate ?
+ LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+ LASSO_SIGNATURE_METHOD_RSA_SHA1);
if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
}
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index 361ea2bc..3ba46097 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -1034,7 +1034,7 @@ void lasso_node_add_signature_template(LassoNode *node, xmlNode *xmlnode,
LassoNodeClass *klass = LASSO_NODE_GET_CLASS(node);
LassoSignatureType sign_type;
LassoSignatureMethod sign_method;
- xmlNode *signature = NULL, *reference, *key_info;
+ xmlNode *signature = NULL, *reference, *key_info, *t;
char *uri;
char *id;
@@ -1082,9 +1082,8 @@ void lasso_node_add_signature_template(LassoNode *node, xmlNode *xmlnode,
if (sign_type == LASSO_SIGNATURE_TYPE_WITHX509) {
/* add <dsig:KeyInfo/> */
- key_info = xmlSecTmplSignatureEnsureKeyInfo(
- signature, NULL);
- xmlSecTmplKeyInfoAddX509Data(key_info);
+ key_info = xmlSecTmplSignatureEnsureKeyInfo(signature, NULL);
+ t = xmlSecTmplKeyInfoAddX509Data(key_info);
}
}
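Review bot: The value stored in `t` on the added line is never examined, so a failed xmlSecTmplKeyInfoAddX509Data() — it returns NULL on error — leaves a WITHX509 signature template without <dsig:X509Data/>, and the xmlSecTmplSignatureEnsureKeyInfo() result on the line above is equally unchecked; since lasso_node_add_signature_template is void, this block is the only place the failure can be surfaced. Logging it through the logger used elsewhere in the tree, if it is available in xml.c, would replace the two added lines with `key_info = xmlSecTmplSignatureEnsureKeyInfo(signature, NULL);` / `if (key_info == NULL || xmlSecTmplKeyInfoAddX509Data(key_info) == NULL)` / `message(G_LOG_LEVEL_WARNING, "could not add X509Data to signature template");`, after which the `t` introduced in this file's earlier hunk is no longer needed. The hunk's trailing context may be truncated in this view.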