authorDamien Laniel <dlaniel@entrouvert.com>2007-12-05 10:48:49 +0000
committerDamien Laniel <dlaniel@entrouvert.com>2007-12-05 10:48:49 +0000
commit38acc2883bc4ccecd4887e523ca69c2be178d967 (patch)
tree05e697e7510ce98453dfc3608785ff6841498fc6
parentcaa91cb653a1bdb0b815d6f5dc22b537ff25539f (diff)
added support for encrypting name identifiers with id-ff 1.2
-rw-r--r--lasso/id-ff/login.c65
-rw-r--r--lasso/id-ff/provider.c9
-rw-r--r--lasso/saml-2.0/provider.c10
-rw-r--r--lasso/xml/saml_subject.c4
-rw-r--r--lasso/xml/saml_subject.h2
5 files changed, 80 insertions, 10 deletions
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 4ca78840..b16052df 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -33,6 +33,7 @@
#include <lasso/xml/saml_audience_restriction_condition.h>
#include <lasso/xml/saml_conditions.h>
#include <lasso/xml/samlp_response.h>
+#include <lasso/xml/saml-2.0/saml2_encrypted_element.h>
#ifdef LASSO_WSF_ENABLED
#include <lasso/xml/disco_description.h>
@@ -203,6 +204,9 @@ lasso_login_build_assertion(LassoLogin *login,
LassoSamlNameIdentifier *nameIdentifier = NULL;
LassoProfile *profile;
LassoFederation *federation;
+ LassoProvider *provider = NULL;
+ LassoSaml2EncryptedElement *encrypted_element = NULL;
+ LassoSamlSubjectStatementAbstract *ss;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@@ -244,6 +248,21 @@ lasso_login_build_assertion(LassoLogin *login,
LASSO_SAML_NAME_IDENTIFIER(federation->local_nameIdentifier));
}
+ /* Encrypt NameID */
+ provider = g_hash_table_lookup(profile->server->providers, profile->remote_providerID);
+ ss = LASSO_SAML_SUBJECT_STATEMENT_ABSTRACT(as);
+ if (provider && provider->private_data->encryption_mode & LASSO_ENCRYPTION_MODE_NAMEID
+ && provider->private_data->encryption_public_key != NULL) {
+ encrypted_element = LASSO_SAML2_ENCRYPTED_ELEMENT(lasso_node_encrypt(
+ LASSO_NODE(ss->Subject->NameIdentifier),
+ provider->private_data->encryption_public_key,
+ provider->private_data->encryption_sym_key_type));
+ if (encrypted_element != NULL) {
+ ss->Subject->EncryptedNameIdentifier = encrypted_element;
+ ss->Subject->NameIdentifier = NULL;
+ }
+ }
+
assertion->AuthenticationStatement = LASSO_SAML_AUTHENTICATION_STATEMENT(as);
if (profile->server->certificate) {
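Review bot: When the peer is configured for LASSO_ENCRYPTION_MODE_NAMEID but lasso_node_encrypt() returns NULL, the `if (encrypted_element != NULL)` branch is simply skipped and the assertion goes out with the NameIdentifier in cleartext, so an encryption failure silently downgrades to the behaviour the provider's policy was meant to exclude; the block should treat a NULL result as an error (`if (encrypted_element == NULL) return <encryption error code>;` using whatever error code the lasso error table reserves for encryption failures) rather than fall through. On the success path `ss->Subject->NameIdentifier = NULL` drops the Subject's reference without a `g_object_unref()`, which, unless lasso_node_encrypt() takes ownership of the node it is given (not visible here), leaks the cleartext identifier object for every encrypted assertion. `ss->Subject->NameIdentifier` is also dereferenced without checking `ss->Subject`; that is presumably populated earlier in lasso_login_build_assertion, which starts before this hunk, so a one-line `ss->Subject != NULL &&` in the condition would make the new code self-contained. The enclosing function continues past the end of the hunk.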
@@ -276,7 +295,6 @@ lasso_login_build_assertion(LassoLogin *login,
if (LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->MajorVersion == 1 &&
LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->MinorVersion < 2) {
/* pre-id-ff 1.2, saml 1.0 */
- LassoSamlSubjectStatementAbstract *ss;
/* needs assertion artifact */
lasso_login_build_assertion_artifact(login);
@@ -479,6 +497,12 @@ lasso_login_process_response_status_and_assertion(LassoLogin *login)
LassoProvider *idp;
LassoSamlpResponse *response;
char *status_value;
+ LassoSamlSubjectStatementAbstract *sssa = NULL;
+ LassoSamlSubjectStatementAbstract *sas = NULL;
+ LassoNode *encrypted_id = NULL;
+ LassoSaml2EncryptedElement* encrypted_element = NULL;
+ xmlSecKey *encryption_private_key = NULL;
+ LassoNode *decrypted_node = NULL;
int ret = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@@ -525,24 +549,55 @@ lasso_login_process_response_status_and_assertion(LassoLogin *login)
/* store NameIdentifier */
if (assertion->AuthenticationStatement) {
- LassoSamlSubjectStatementAbstract *sssa;
sssa = LASSO_SAML_SUBJECT_STATEMENT_ABSTRACT(
assertion->AuthenticationStatement);
if (sssa->Subject && sssa->Subject->NameIdentifier) {
profile->nameIdentifier = g_object_ref(
sssa->Subject->NameIdentifier);
+ } else {
+ encrypted_id = g_object_ref(sssa->Subject->EncryptedNameIdentifier);
}
}
- if (profile->nameIdentifier == NULL) {
+ if (profile->nameIdentifier == NULL && encrypted_id == NULL) {
/* it was not found in AuthenticationStatement, look it
* up in saml:AttributeStatement */
- LassoSamlSubjectStatementAbstract *sas;
-
sas = LASSO_SAML_SUBJECT_STATEMENT_ABSTRACT(assertion->AttributeStatement);
if (sas->Subject && sas->Subject->NameIdentifier) {
profile->nameIdentifier = g_object_ref(
sas->Subject->NameIdentifier);
+ } else {
+ encrypted_id = g_object_ref(sas->Subject->EncryptedNameIdentifier);
+ }
+ }
+
+ if (profile->nameIdentifier == NULL && encrypted_id == NULL) {
+ return LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND;
+ }
+
+ if (profile->nameIdentifier != NULL) {
+ return ret;
+ }
+
+ encrypted_element = LASSO_SAML2_ENCRYPTED_ELEMENT(encrypted_id);
+ encryption_private_key =
+ LASSO_PROFILE(profile)->server->private_data->encryption_private_key;
+ if (encrypted_element != NULL && encryption_private_key == NULL) {
+ return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+ }
+
+ /* Decrypt NameID */
+ if (encrypted_element != NULL && encryption_private_key != NULL) {
+ profile->nameIdentifier = LASSO_NODE(
+ lasso_node_decrypt(encrypted_element, encryption_private_key));
+ if (sssa != NULL && sssa->Subject != NULL) {
+ sssa->Subject->NameIdentifier = LASSO_SAML_NAME_IDENTIFIER(
+ profile->nameIdentifier);
+ sssa->Subject->EncryptedNameIdentifier = NULL;
+ } else if (sas != NULL && sas->Subject != NULL) {
+ sas->Subject->NameIdentifier = LASSO_SAML_NAME_IDENTIFIER(
+ profile->nameIdentifier);
+ sas->Subject->EncryptedNameIdentifier = NULL;
}
}
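Review bot: The result of lasso_node_decrypt() is stored straight into profile->nameIdentifier without a NULL or type check, and since nothing after this point fails, a decryption error or an encrypted payload that is not a NameIdentifier (the ciphertext is produced by the remote IdP) leaves profile->nameIdentifier NULL or mis-typed while the function still reports success; the rewrite below uses the already-declared but unused `decrypted_node`, rejects that case, and assumes the usual `LASSO_IS_SAML_NAME_IDENTIFIER` type-check macro exists for this type as `LASSO_IS_LOGIN` does. The reference taken with `g_object_ref(...EncryptedNameIdentifier)` is never released either, and `...->Subject->EncryptedNameIdentifier = NULL` later drops the Subject's own reference without an unref, so the encrypted element leaks on every decrypted response. Separately, the two new `else` branches run when the `Subject && Subject->NameIdentifier` test fails, which includes the `Subject == NULL` case, and then dereference `sssa->Subject` / `sas->Subject`; guarding them with `else if (sssa->Subject)` avoids a crash on a response that carries a statement without a Subject. The enclosing function continues past the end of the hunk.

```c
	/* Decrypt NameID */
	if (encrypted_element != NULL && encryption_private_key != NULL) {
		decrypted_node = lasso_node_decrypt(encrypted_element, encryption_private_key);
		/* a failed decryption or a payload that is not a NameIdentifier must not
		 * be reported as success with profile->nameIdentifier left NULL */
		if (decrypted_node == NULL || ! LASSO_IS_SAML_NAME_IDENTIFIER(decrypted_node)) {
			if (decrypted_node != NULL) {
				g_object_unref(decrypted_node);
			}
			g_object_unref(encrypted_id);
			return LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND;
		}
		profile->nameIdentifier = decrypted_node;
		/* … unchanged: move the decrypted node into sssa/sas->Subject … */
	}
	g_object_unref(encrypted_id);
```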
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
index e8c6570f..159a8095 100644
--- a/lasso/id-ff/provider.c
+++ b/lasso/id-ff/provider.c
@@ -364,6 +364,7 @@ load_descriptor(xmlNode *xmlnode, GHashTable *descriptor, LassoProvider *provide
GList *elements;
char *name;
xmlChar *value;
+ xmlChar *use;
t = xmlnode->children;
while (t) {
@@ -372,10 +373,14 @@ load_descriptor(xmlNode *xmlnode, GHashTable *descriptor, LassoProvider *provide
continue;
}
if (strcmp((char*)t->name, "KeyDescriptor") == 0) {
- xmlChar *use = xmlGetProp(t, (xmlChar*)"use");
- if (use && strcmp((char*)use, "signing") == 0) {
+ use = xmlGetProp(t, (xmlChar*)"use");
+ if (use && strcmp(use, "signing") == 0) {
provider->private_data->signing_key_descriptor = xmlCopyNode(t, 1);
}
+ if (use && strcmp(use, "encryption") == 0) {
+ provider->private_data->encryption_key_descriptor =
+ xmlCopyNode(t, 1);
+ }
if (use) {
xmlFree(use);
}
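Review bot: The rewritten comparison drops the `(char*)` cast the old line had, and `use` is now an `xmlChar *` (unsigned char), so `strcmp(use, "signing")` and the new `strcmp(use, "encryption")` pass an `unsigned char *` where `const char *` is expected, which is a pointer-signedness diagnostic under -Wall and a hard error on stricter builds; keep the cast on both lines, `if (use && strcmp((char*)use, "signing") == 0) {` and `if (use && strcmp((char*)use, "encryption") == 0) {`. The two tests are also better written as `if` / `else if`, since one `use` value cannot match both strings. If metadata lists more than one KeyDescriptor with `use="encryption"`, each iteration overwrites `encryption_key_descriptor` with a fresh `xmlCopyNode()` and the previous copy is never freed; whether that is reachable depends on how the loader is fed, so at least a comment noting "last one wins" would help. The enclosing loop and load_descriptor continue past the end of the hunk.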
diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c
index e6b251dc..f7fd7a0a 100644
--- a/lasso/saml-2.0/provider.c
+++ b/lasso/saml-2.0/provider.c
@@ -47,7 +47,9 @@ load_descriptor(xmlNode *xmlnode, GHashTable *descriptor, LassoProvider *provide
xmlNode *t;
GList *elements;
char *name, *binding, *response_name;
- xmlChar *value, *response_value;
+ xmlChar *value;
+ xmlChar *response_value;
+ xmlChar *use;
t = xmlnode->children;
while (t) {
@@ -56,7 +58,7 @@ load_descriptor(xmlNode *xmlnode, GHashTable *descriptor, LassoProvider *provide
continue;
}
if (strcmp((char*)t->name, "KeyDescriptor") == 0) {
- char *use = (char*)xmlGetProp(t, (xmlChar*)"use");
+ use = xmlGetProp(t, (xmlChar*)"use");
if (use && strcmp(use, "signing") == 0) {
provider->private_data->signing_key_descriptor = xmlCopyNode(t, 1);
}
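Review bot: Changing `use` from `char *` with the cast applied at `xmlGetProp()` to a bare `xmlChar *` makes the existing `strcmp(use, "signing")` here (and the `strcmp(use, "encryption")` in the next hunk) a pointer-signedness mismatch, since `xmlChar` is `unsigned char`; the old form was warning-free, so either keep `char *use = (char*)xmlGetProp(t, (xmlChar*)"use");` or cast at each comparison, `strcmp((char*)use, "signing")`. As a side note, a KeyDescriptor with no `use` attribute is skipped by both branches; if the metadata profile in use treats an absent `use` as "both signing and encryption" (as SAML 2.0 metadata does), that case deserves an explicit comment or handling, though it predates this change. The enclosing loop continues past the end of the hunk.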
@@ -64,7 +66,9 @@ load_descriptor(xmlNode *xmlnode, GHashTable *descriptor, LassoProvider *provide
provider->private_data->encryption_key_descriptor =
xmlCopyNode(t, 1);
}
- xmlFree(use);
+ if (use) {
+ xmlFree(use);
+ }
t = t->next;
continue;
}
diff --git a/lasso/xml/saml_subject.c b/lasso/xml/saml_subject.c
index 88a8fe82..61d3879b 100644
--- a/lasso/xml/saml_subject.c
+++ b/lasso/xml/saml_subject.c
@@ -46,6 +46,9 @@
static struct XmlSnippet schema_snippets[] = {
{ "NameIdentifier", SNIPPET_NODE,
G_STRUCT_OFFSET(LassoSamlSubject, NameIdentifier) },
+ { "EncryptedNameIdentifier", SNIPPET_NODE,
+ G_STRUCT_OFFSET(LassoSamlSubject, EncryptedNameIdentifier),
+ "LassoSaml2EncryptedElement" },
{ "SubjectConfirmation", SNIPPET_NODE,
G_STRUCT_OFFSET(LassoSamlSubject, SubjectConfirmation) },
{ NULL, 0, 0}
@@ -59,6 +62,7 @@ static void
instance_init(LassoSamlSubject *node)
{
node->NameIdentifier = NULL;
+ node->EncryptedNameIdentifier = NULL;
node->SubjectConfirmation = NULL;
}
diff --git a/lasso/xml/saml_subject.h b/lasso/xml/saml_subject.h
index 125d3fef..75b72619 100644
--- a/lasso/xml/saml_subject.h
+++ b/lasso/xml/saml_subject.h
@@ -32,6 +32,7 @@ extern "C" {
#include <lasso/xml/xml.h>
#include <lasso/xml/saml_name_identifier.h>
#include <lasso/xml/saml_subject_confirmation.h>
+#include <lasso/xml/saml-2.0/saml2_encrypted_element.h>
#define LASSO_TYPE_SAML_SUBJECT (lasso_saml_subject_get_type())
#define LASSO_SAML_SUBJECT(obj) \
@@ -52,6 +53,7 @@ struct _LassoSamlSubject {
/*< public >*/
LassoSamlNameIdentifier *NameIdentifier;
+ LassoSaml2EncryptedElement *EncryptedNameIdentifier;
LassoSamlSubjectConfirmation *SubjectConfirmation;
};
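Review bot: The new public field is added with no comment, and the relationship between NameIdentifier and EncryptedNameIdentifier — one is set and the other NULL, depending on whether the peer's encryption mode asked for an encrypted identifier — is only discoverable from login.c; a short comment on the field would save the next reader that trip: `/* set instead of NameIdentifier when the identifier was encrypted for the peer (ID-FF 1.2); at most one of the two is non-NULL */`. It may also be worth stating in the same comment that a SAML 2.0 type (LassoSaml2EncryptedElement) is deliberately reused inside the SAML 1.x subject, since that is surprising on first read.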