authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2011-12-02 19:30:31 +0100
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2011-12-08 17:56:31 +0100
commit641702b346456e47a5eb8a4adcf62ee841d1e47f (patch)
tree599d4e35ea37faa4c54a0b58b49dc1292fa9a584
parent5e5c38b451cfbefe67e836fb82a1719ce00894f3 (diff)
[id-ff] move LassoLogin to use LassoSignatureContext
-rw-r--r--lasso/id-ff/login.c141
1 files changed, 49 insertions, 92 deletions
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 31cb94bc..15e4735e 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -338,6 +338,7 @@ lasso_login_build_assertion(LassoLogin *login,
LassoProvider *provider = NULL;
LassoSaml2EncryptedElement *encrypted_element = NULL;
LassoSamlSubjectStatementAbstract *ss;
+ lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@@ -400,14 +401,9 @@ lasso_login_build_assertion(LassoLogin *login,
assertion->AuthenticationStatement = LASSO_SAML_AUTHENTICATION_STATEMENT(as);
/* Save signing material in assertion private datas to be able to sign later */
- if (profile->server->certificate) {
- assertion->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
- } else {
- assertion->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
- }
- assertion->sign_method = profile->server->signature_method;
- lasso_assign_string(assertion->private_key_file, profile->server->private_key);
- lasso_assign_string(assertion->certificate_file, profile->server->certificate);
+ lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(login->parent.server,
+ profile->remote_providerID, (LassoNode*)assertion));
+
if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST || \
login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP) {
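Review bot: The new call reaches the server through `login->parent.server` while the lines it replaces, and every other call site in this commit, use `profile->server`; `profile` is already in scope here, so `lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(profile->server, profile->remote_providerID, (LassoNode*)assertion));` would keep the function uniform. Presumably `lasso_check_good_rc` jumps to the `cleanup:` label added later in this file, which runs before `assertion` has been handed to `login->assertion`, so the release at `cleanup:` is the only thing freeing it on this failure path; a one-line comment such as `/* on failure assertion is still owned here and released at cleanup */` would make that ownership explicit. lasso_login_build_assertion starts outside the hunk.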
@@ -424,7 +420,7 @@ lasso_login_build_assertion(LassoLogin *login,
if (profile->session == NULL) {
profile->session = lasso_session_new();
}
- lasso_assign_new_gobject(login->assertion, LASSO_SAML_ASSERTION(assertion));
+ lasso_assign_gobject(login->assertion, LASSO_SAML_ASSERTION(assertion));
lasso_session_add_assertion(profile->session, profile->remote_providerID,
LASSO_NODE(assertion));
@@ -454,7 +450,9 @@ lasso_login_build_assertion(LassoLogin *login,
}
}
- return 0;
+cleanup:
+ lasso_release_gobject(assertion);
+ return rc;
}
/**
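Review bot: Now that `lasso_assign_gobject` leaves the local `assertion` holding its own reference until `cleanup:`, any plain `return` remaining in the part of the body not shown in the diff (between the `lasso_session_add_assertion` call and this label) would skip `lasso_release_gobject(assertion)` and leak that reference; if any exist they should become `goto cleanup`. The success path also depends on `rc` still being 0 when control reaches `cleanup:`, which holds only if no intermediate code assigns it. lasso_login_build_assertion starts outside the hunk.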
@@ -1078,15 +1076,15 @@ lasso_login_build_artifact_msg(LassoLogin *login, LassoHttpMethod http_method)
* </para></listitem>
* </itemizedlist>
**/
-gint
+lasso_error_t
lasso_login_build_authn_request_msg(LassoLogin *login)
{
LassoProvider *provider, *remote_provider;
LassoProfile *profile;
- char *md_authnRequestsSigned, *url, *query, *lareq, *protocolProfile;
+ char *md_authnRequestsSigned, *url, *query = NULL, *lareq, *protocolProfile;
LassoProviderRole role, remote_role;
gboolean must_sign;
- gint ret = 0;
+ gint rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
profile = LASSO_PROFILE(login);
@@ -1132,20 +1130,14 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
provider->role = role;
remote_provider->role = remote_role;
- if (!must_sign)
- LASSO_SAMLP_REQUEST_ABSTRACT(
- profile->request)->sign_type = LASSO_SIGNATURE_TYPE_NONE;
-
if (login->http_method == LASSO_HTTP_METHOD_REDIRECT) {
/* REDIRECT -> query */
if (must_sign) {
- query = lasso_node_export_to_query_with_password(LASSO_NODE(profile->request),
- profile->server->signature_method,
- profile->server->private_key,
- profile->server->private_key_password);
+ lasso_check_good_rc(lasso_server_export_to_query_for_provider_by_name(profile->server,
+ profile->remote_providerID,
+ profile->request, &query));
} else {
- query = lasso_node_export_to_query_with_password(
- LASSO_NODE(profile->request), 0, NULL, NULL);
+ query = lasso_node_build_query(LASSO_NODE(profile->request));
}
if (query == NULL) {
return critical_error(LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED);
@@ -1164,14 +1156,9 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
}
if (login->http_method == LASSO_HTTP_METHOD_POST) {
if (must_sign) {
- /* XXX: private_key_file is not declared within request
- * snippets so it is not freed on destroy, so it is
- * normal to not strdup() it; nevertheless it would
- * probably be more clean not to to it this way */
- LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->private_key_file =
- profile->server->private_key;
- LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->certificate_file =
- profile->server->certificate;
+ lasso_server_set_signature_for_provider_by_name(profile->server,
+ profile->remote_providerID,
+ profile->request);
}
lareq = lasso_node_export_to_base64(profile->request);
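Review bot: The return value of `lasso_server_set_signature_for_provider_by_name` is discarded on the POST path, whereas the same call in the REDIRECT branch above and in the other four functions touched by this commit is wrapped in `lasso_check_good_rc`. If it fails (presumably when no signing key or provider entry exists for `profile->remote_providerID`), the request that `must_sign` requires to be signed is still exported by `lasso_node_export_to_base64` without a signature context and the function returns 0, so the caller sends an unsigned message believing it was signed. Wrapping it as `lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(profile->server, profile->remote_providerID, profile->request));` routes the error to the `cleanup:` label added below. lasso_login_build_authn_request_msg starts outside the hunk.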
@@ -1184,7 +1171,8 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
lasso_assign_new_string(profile->msg_body, lareq);
}
- return ret;
+cleanup:
+ return rc;
}
/**
@@ -1244,8 +1232,9 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
gint
lasso_login_build_authn_response_msg(LassoLogin *login)
{
- LassoProvider *remote_provider;
- LassoProfile *profile;
+ LassoProvider *remote_provider = NULL;
+ LassoProfile *profile = NULL;
+ lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@@ -1274,22 +1263,14 @@ lasso_login_build_authn_response_msg(LassoLogin *login)
/* Countermeasure: The issuer should sign <lib:AuthnResponse> messages.
* (binding and profiles (1.2errata2, page 65) */
- if (profile->server->certificate) {
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
- LASSO_SIGNATURE_TYPE_WITHX509;
- } else {
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
- LASSO_SIGNATURE_TYPE_SIMPLE;
- }
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method =
- LASSO_SIGNATURE_METHOD_RSA_SHA1;
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->private_key_file =
- profile->server->private_key;
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->certificate_file =
- profile->server->certificate;
+ lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
+ profile->server,
+ profile->remote_providerID,
+ profile->response));
/* build an lib:AuthnResponse base64 encoded */
- lasso_assign_new_string(profile->msg_body, lasso_node_export_to_base64(LASSO_NODE(profile->response)));
+ lasso_assign_new_string(profile->msg_body,
+ lasso_node_export_to_base64(LASSO_NODE(profile->response)));
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
if (LASSO_IS_PROVIDER(remote_provider) == FALSE)
@@ -1299,8 +1280,8 @@ lasso_login_build_authn_response_msg(LassoLogin *login)
if (profile->msg_url == NULL) {
return LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL;
}
-
- return 0;
+cleanup:
+ return rc;
}
/**
@@ -1327,6 +1308,7 @@ lasso_login_build_request_msg(LassoLogin *login)
{
LassoProvider *remote_provider;
LassoProfile *profile;
+ lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@@ -1342,10 +1324,10 @@ lasso_login_build_request_msg(LassoLogin *login)
return critical_error(LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID);
}
- LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->private_key_file =
- profile->server->private_key;
- LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->certificate_file =
- profile->server->certificate;
+ lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
+ profile->server,
+ profile->remote_providerID,
+ profile->request));
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->request));
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
@@ -1353,7 +1335,8 @@ lasso_login_build_request_msg(LassoLogin *login)
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
lasso_assign_new_string(profile->msg_url, lasso_provider_get_metadata_one(remote_provider, "SoapEndpoint"));
- return 0;
+cleanup:
+ return rc;
}
/**
@@ -1379,7 +1362,7 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
{
LassoProvider *remote_provider;
LassoProfile *profile;
- gint ret = 0;
+ lasso_error_t rc = 0;
g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
profile = LASSO_PROFILE(login);
@@ -1398,38 +1381,28 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->MinorVersion = 0;
}
- if (profile->server->certificate) {
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
- LASSO_SIGNATURE_TYPE_WITHX509;
- } else {
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type =
- LASSO_SIGNATURE_TYPE_SIMPLE;
- }
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method =
- LASSO_SIGNATURE_METHOD_RSA_SHA1;
-
if (remote_providerID != NULL) {
lasso_assign_string(profile->remote_providerID, remote_providerID);
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
- ret = lasso_provider_verify_signature(remote_provider,
+ rc = lasso_provider_verify_signature(remote_provider,
login->private_data->soap_request_msg,
"RequestID", LASSO_MESSAGE_FORMAT_SOAP);
lasso_release_string(login->private_data->soap_request_msg);
/* lasso_profile_set_session_from_dump has not been called */
if (profile->session == NULL) {
- ret = LASSO_PROFILE_ERROR_SESSION_NOT_FOUND;
+ rc = LASSO_PROFILE_ERROR_SESSION_NOT_FOUND;
}
/* change status code into RequestDenied if signature is
* invalid or not found or if an error occurs during
* verification */
- if (ret != 0) {
+ if (rc != 0) {
lasso_profile_set_response_status(profile,
LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
}
- if (ret == 0) {
+ if (rc == 0) {
/* get assertion in session and add it in response */
LassoSamlAssertion *assertion;
LassoSamlpStatus *status;
@@ -1456,13 +1429,14 @@ lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID)
lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
}
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->private_key_file =
- profile->server->private_key;
- LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->certificate_file =
- profile->server->certificate;
+ lasso_check_good_rc(lasso_server_set_signature_for_provider_by_name(
+ profile->server,
+ profile->remote_providerID,
+ profile->response));
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_soap(profile->response));
- return ret;
+cleanup:
+ return rc;
}
/**
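Review bot: `rc` already carries the result of `lasso_provider_verify_signature` from earlier in this function (the RequestDenied path) when `lasso_check_good_rc` runs here; if the macro assigns its argument to `rc` unconditionally, a successful signature setup resets a non-zero verification result to 0 and the caller no longer learns that the response was built as RequestDenied, while if it assigns only on failure the verification error is merely replaced by the signing error. Worth confirming against the macro definition, for instance by keeping the verification result in its own variable and folding it into `rc` just before `cleanup:`. lasso_login_build_response_msg starts outside the hunk.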
@@ -1567,15 +1541,6 @@ lasso_login_init_authn_request(LassoLogin *login, const gchar *remote_providerID
lasso_assign_string(LASSO_LIB_AUTHN_REQUEST(profile->request)->RelayState,
profile->msg_relayState);
- if (http_method == LASSO_HTTP_METHOD_POST) {
- request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
- if (profile->server->certificate) {
- request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
- } else {
- request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
- }
- }
-
return 0;
}
@@ -1709,15 +1674,7 @@ lasso_login_init_request(LassoLogin *login, gchar *response_msg,
request->MajorVersion = LASSO_SAML_MAJOR_VERSION_N;
request->MinorVersion = LASSO_SAML_MINOR_VERSION_N;
lasso_assign_new_string(request->IssueInstant, lasso_get_current_time());
-
LASSO_SAMLP_REQUEST(request)->AssertionArtifact = artifact_b64;
- if (profile->server->certificate) {
- request->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
- } else {
- request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE;
- }
- request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
-
lasso_assign_new_gobject(profile->request, LASSO_NODE(request));
return ret;