| author | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2009-01-24 09:34:00 +0000 |
|---|---|---|
| committer | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2009-01-24 09:34:00 +0000 |
| commit | 90b40c874d24c6ef7cbe8b6adcb15abff0d4ee87 (patch) | |
| tree | 59573b292174d891d0e560e495a51c7ae66daf10 | |
| parent | 9c33ce6000b73ee0891657fde290749c7b9234ab (diff) | |
ID-FF 1.2: add validation of assertion signatures
- lasso/id-ff/login.c:
- lasso_login_process_response_status_and_assertion:
- if signature_status is not 0 and an assertion is present, we
validate the signature on this assertion using the
internal API lasso_provider_verify_saml_signature.
| -rw-r--r-- | lasso/id-ff/login.c | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index eea5e1aa..aa169671 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -562,7 +562,7 @@ lasso_login_process_response_status_and_assertion(LassoLogin *login)
 LassoNode *encrypted_id = NULL;
 LassoSaml2EncryptedElement* encrypted_element = NULL;
 xmlSecKey *encryption_private_key = NULL;
- int ret = 0;
+ int rc = 0;
 g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
@@ -603,8 +603,23 @@ lasso_login_process_response_status_and_assertion(LassoLogin *login)
 if (idp == NULL) {
 return LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND;
 }
-
- /* FIXME: verify assertion signature */
+ /* If the status of the signature verification process is not 0, we try to verify on
+ * the assertion */
+ if (profile->signature_status != 0) {
+ xmlNode *assertion_xmlnode;
+ gchar *assertion_issuer;
+
+ assertion_xmlnode = lasso_node_get_original_xmlnode(LASSO_NODE(assertion));
+ assertion_issuer = (gchar*)xmlGetProp(assertion_xmlnode, (xmlChar*)"Issuer");
+ goto_exit_if_fail(assertion_issuer, LASSO_PROFILE_ERROR_MISSING_ISSUER);
+ goto_exit_if_fail(strcmp(assertion_issuer, profile->remote_providerID) == 0,
+ LASSO_PROFILE_ERROR_INVALID_ISSUER);
+
+ if (assertion_xmlnode) {
+ profile->signature_status = lasso_provider_verify_saml_signature(idp, assertion_xmlnode);
+ goto_exit_if_fail(profile->signature_status == 0, profile->signature_status);
+ }
+ }
 /* store NameIdentifier */
 if (assertion->AuthenticationStatement) {
@@ -635,7 +650,7 @@ lasso_login_process_response_status_and_assertion(LassoLogin *login)
 }
 if (profile->nameIdentifier != NULL) {
- return ret;
+ return rc;
 }
 encrypted_element = LASSO_SAML2_ENCRYPTED_ELEMENT(encrypted_id);
@@ -666,8 +681,9 @@ lasso_login_process_response_status_and_assertion(LassoLogin *login)
 return LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND;
 }
 }
+exit:
- return ret;
+ return rc;
 }
 /*****************************************************************************/ |
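Review bot: In the second hunk `assertion_issuer` is the heap copy returned by `xmlGetProp` and it is never `xmlFree`d, so it leaks on the success path and on both `goto_exit_if_fail` exits, which jump straight to the `exit:` label the last hunk introduces. Since the variable is declared inside the `if` block it is out of scope at `exit:`; hoisting it to function scope as `xmlChar *assertion_issuer = NULL;` next to `int rc = 0;` in the first hunk and adding `xmlFree(assertion_issuer);` after `exit:` closes all three paths (`xmlFree(NULL)` is safe). The `if (assertion_xmlnode)` guard is also placed after `xmlGetProp` has already been handed the node; checking for a missing original xmlnode before using it makes that failure explicit rather than surfacing as a missing Issuer (libxml2 appears to return NULL from `xmlGetProp` on a NULL node, so the current code still fails closed, but only by accident). lasso_login_process_response_status_and_assertion begins and ends outside this hunk, and the `goto_exit_if_fail` macro that presumably assigns `rc` is not visible here.
```c
	/* Response-level signature did not verify: verify the signature carried by the
	 * assertion itself and bind it to the issuer we expect. */
	if (profile->signature_status != 0) {
		xmlNode *assertion_xmlnode;

		assertion_xmlnode = lasso_node_get_original_xmlnode(LASSO_NODE(assertion));
		/* same code the old fall-through yielded for a NULL node; a dedicated code would be clearer */
		goto_exit_if_fail(assertion_xmlnode, LASSO_PROFILE_ERROR_MISSING_ISSUER);
		assertion_issuer = xmlGetProp(assertion_xmlnode, (xmlChar*)"Issuer");
		goto_exit_if_fail(assertion_issuer, LASSO_PROFILE_ERROR_MISSING_ISSUER);
		goto_exit_if_fail(strcmp((char*)assertion_issuer, profile->remote_providerID) == 0,
				LASSO_PROFILE_ERROR_INVALID_ISSUER);

		profile->signature_status = lasso_provider_verify_saml_signature(idp, assertion_xmlnode);
		goto_exit_if_fail(profile->signature_status == 0, profile->signature_status);
	}
	/* … unchanged: NameIdentifier handling … */
exit:
	xmlFree(assertion_issuer);
	return rc;
```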
