authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2011-04-14 16:45:43 +0200
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2011-04-14 16:45:43 +0200
commit8be7b0414dc19cca7b892deeccc64b5fcedaf62c (patch)
tree6591a2b81f462937111806cf60db874832c6dd64 /lasso/id-ff
parent1171ee2e8b2902b47b62e88a489c5cc6491f0e2e (diff)
[core] add flags parameter to lasso_server_load_metadata to tune signature checking on metadata files
The flags parameter controls the checking of digital signatures on EntityDescriptor and EntitiesDescriptor nodes in SAML 2.0 metadata files. The default behaviour is to check all signatures found and to let EntityDescriptor children inherit the signature of their enclosing EntitiesDescriptor. By enabling only the checking of EntityDescriptor node signatures it is also possible to verify signatures at the EntityDescriptor level alone, and so to trust individual entities rather than the aggregating provider.
Diffstat (limited to 'lasso/id-ff')
-rw-r--r--lasso/id-ff/server.c22
-rw-r--r--lasso/id-ff/server.h22
2 files changed, 33 insertions, 11 deletions
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
index e209017e..e959376f 100644
--- a/lasso/id-ff/server.c
+++ b/lasso/id-ff/server.c
@@ -760,6 +760,8 @@ lasso_server_get_encryption_private_key(LassoServer *server)
* loaded, can be NULL.
* @loaded_entity_ids:(transfer full)(element-type string)(allow-none): an output parameter for the
* list of the loaded EntityID, can be NULL.
+ * @flags: flags modifying the behaviour for checking signatures on EntityDescriptor and
+ * EntitiesDescriptors nodes.
*
* Load all the SAML 2.0 entities from @federation_file which contains a declaration for @role. If
* @trusted_roots is non-NULL, use it to check a signature on the metadata file, otherwise ignore
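Review bot: The @flags description added at L29-L30 does not say what LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT (0) resolves to, and the sentence right after it still describes the old behaviour of checking "a signature on the metadata file" at the root, which this commit replaces with per-descriptor checks. I would extend the parameter doc to `@flags: bitwise OR of #LassoServerLoadMetadataFlag values; 0 (the DEFAULT flag) checks both EntitiesDescriptor and EntityDescriptor signatures and lets children inherit trust from a signed ancestor.` and reword the trusted-roots sentence to say that EntitiesDescriptor/EntityDescriptor signatures are verified against @trusted_roots according to @flags, and that nothing is verified when it is NULL. This comment documents lasso_server_load_metadata, whose definition starts after this hunk.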
@@ -778,18 +780,24 @@ lasso_server_get_encryption_private_key(LassoServer *server)
*/
lasso_error_t
lasso_server_load_metadata(LassoServer *server, LassoProviderRole role, const gchar *federation_file,
- const gchar *trusted_roots, GList *blacklisted_entity_ids, GList **loaded_entity_ids)
+ const gchar *trusted_roots, GList *blacklisted_entity_ids,
+ GList **loaded_entity_ids, enum LassoServerLoadMetadataFlag flags)
{
xmlDoc *doc = NULL;
xmlNode *root = NULL;
xmlSecKeysMngr *keys_mngr = NULL;
lasso_error_t rc = 0;
- GList *uri_references = NULL;
lasso_bad_param(SERVER, server);
g_return_val_if_fail(role == LASSO_PROVIDER_ROLE_SP || role == LASSO_PROVIDER_ROLE_IDP,
LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
+ if (flags == LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT) {
+ flags = LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE
+ | LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE
+ | LASSO_SERVER_LOAD_METADATA_FLAG_INHERIT_SIGNATURE;
+ }
+
if (trusted_roots) {
keys_mngr = lasso_load_certs_from_pem_certs_chain_file(trusted_roots);
lasso_return_val_if_fail(keys_mngr != NULL,
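Review bot: The DEFAULT expansion at L50-L54 only fires when flags is exactly 0, so a caller that passes a non-zero value with neither CHECK flag set — for example LASSO_SERVER_LOAD_METADATA_FLAG_INHERIT_SIGNATURE alone — requests no signature verification at all even though it supplied trusted_roots, and nothing in this hunk rejects that. Because a metadata file loaded without verification decides which IdP/SP keys the server will trust, I would refuse the combination up front, next to the role check: `g_return_val_if_fail(trusted_roots == NULL || (flags & (LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE | LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE)), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);` (or whichever parameter error code the project prefers for an invalid value). Whether lasso_saml20_server_load_metadata already guards against this is not visible in the diff. The function continues past the end of this hunk.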
@@ -798,20 +806,14 @@ lasso_server_load_metadata(LassoServer *server, LassoProviderRole role, const gc
doc = lasso_xml_parse_file(federation_file);
goto_cleanup_if_fail_with_rc(doc, LASSO_SERVER_ERROR_INVALID_XML);
root = xmlDocGetRootElement(doc);
- if (trusted_roots) {
- /* check metadata file signature */
- lasso_check_good_rc(lasso_verify_signature(root, doc, "ID", keys_mngr, NULL,
- EMPTY_URI, &uri_references));
- }
if (lasso_strisequal((char*)root->ns->href, LASSO_SAML2_METADATA_HREF)) {
- lasso_check_good_rc(lasso_saml20_server_load_metadata(server, role, root,
- blacklisted_entity_ids, loaded_entity_ids));
+ lasso_check_good_rc(lasso_saml20_server_load_metadata(server, role, doc, root,
+ blacklisted_entity_ids, loaded_entity_ids, keys_mngr, flags));
} else {
goto_cleanup_with_rc(LASSO_ERROR_UNIMPLEMENTED);
}
cleanup:
- lasso_release_list_of_strings(uri_references);
lasso_release_key_manager(keys_mngr);
lasso_release_doc(doc);
return rc;
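Review bot: When trusted_roots is NULL, keys_mngr stays NULL, yet the flags handed to lasso_saml20_server_load_metadata at L71-L72 still request signature checks, so the documented "otherwise ignore" behaviour now rests entirely on how that callee treats a NULL key manager, which this diff does not show. The removed lines L63-L67 made the skip explicit in this function; I would keep it explicit by clearing the check flags before the call, `if (keys_mngr == NULL) flags &= ~(LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE | LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE);`, preceded by a comment stating that loading without verification is the documented behaviour when no trust anchors are given, so that the decision is visible here rather than implied by the callee. If the project would rather fail than load unverified metadata, that choice should likewise be made here, not left to the callee. lasso_server_load_metadata starts in the previous hunk.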
diff --git a/lasso/id-ff/server.h b/lasso/id-ff/server.h
index 43033858..110f5b5e 100644
--- a/lasso/id-ff/server.h
+++ b/lasso/id-ff/server.h
@@ -67,6 +67,24 @@ struct _LassoServerClass {
LassoProviderClass parent;
};
+/**
+ * LassoServerLoadMetadataFlag:
+ * @LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT: the default policy is to check signature on entity and
+ * entities descriptor, and to let signature be inherited by child nodes.
+ * @LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE: check signature on
+ * EntitiesDesctiptor nodes,
+ * @LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE: check signature on
+ * EntityDescriptor nodes,
+ * @LASSO_SERVER_LOAD_METADATA_FLAG_INHERIT_SIGNATURE: when an EntitiesDescriptor is signed, all its
+ * children inherit the trust from this signature and their signature is not checked.
+ */
+enum LassoServerLoadMetadataFlag {
+ LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT = 0,
+ LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE = 1,
+ LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE = 2,
+ LASSO_SERVER_LOAD_METADATA_FLAG_INHERIT_SIGNATURE = 4
+};
+
LASSO_EXPORT GType lasso_server_get_type(void);
LASSO_EXPORT LassoServer* lasso_server_new(const gchar *metadata,
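Review bot: The enum doc at L88-L98 does not state that the values are bit flags meant to be combined with OR, nor what INHERIT_SIGNATURE means when CHECK_ENTITIES_DESCRIPTOR_SIGNATURE is not also set — read literally, L96-L97 lets children inherit trust from an EntitiesDescriptor signature that was never verified. Whether the loader rejects that combination is outside this diff, so the header should at least pin the intended contract: I would add `Values are bit flags and are combined with bitwise OR; 0 selects the default policy.` to the description and change the INHERIT_SIGNATURE text to `... inherit the trust from this signature and their own signature is not checked (only meaningful together with @LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE; an unverified ancestor signature must never confer trust).` "EntitiesDesctiptor" at L93 is also a typo for EntitiesDescriptor.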
@@ -104,7 +122,9 @@ LASSO_EXPORT lasso_error_t lasso_server_set_encryption_private_key_with_password
const gchar *filename_or_buffer, const gchar *password);
LASSO_EXPORT lasso_error_t lasso_server_load_metadata(LassoServer *server, LassoProviderRole role,
- const gchar *federation_file, const gchar *trusted_roots, GList *blacklisted_entity_ids, GList **loaded_entity_ids);
+ const gchar *federation_file, const gchar *trusted_roots, GList
+ *blacklisted_entity_ids, GList **loaded_entity_ids,
+ enum LassoServerLoadMetadataFlag flags);
#ifdef __cplusplus
}