Refactored signature code so it is now shared between requests/responses and

artifacts.

6 files changed, 75 insertions, 107 deletions

diff --git a/lasso/xml/errors.c b/lasso/xml/errors.c
index 9a938677..351878c6 100644
--- a/lasso/xml/errors.c
+++ b/lasso/xml/errors.c
@@ -60,6 +60,8 @@ lasso_strerror(int error_code)
 			return "Failed to verify signature of %s.";
 		case LASSO_DS_ERROR_INVALID_SIGALG:
 			return "Invalid signature algorithm.";
+		case LASSO_DS_ERROR_SIGNATURE_TEMPLATE_NOT_FOUND:
+			return "Signature template has not been found.";
 
 		case LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND:
 			return "Failed to get LassoProvider object "\
diff --git a/lasso/xml/errors.h b/lasso/xml/errors.h
index 1a5fdf8b..e15cfdcd 100644
--- a/lasso/xml/errors.h
+++ b/lasso/xml/errors.h
@@ -50,6 +50,7 @@
 #define LASSO_DS_ERROR_CA_CERT_CHAIN_LOAD_FAILED      -112
 #define LASSO_DS_ERROR_INVALID_SIGALG                 -113
 #define LASSO_DS_ERROR_DIGEST_COMPUTE_FAILED          -114
+#define LASSO_DS_ERROR_SIGNATURE_TEMPLATE_NOT_FOUND   -115
 
 /* Server */
 #define LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND         -201
diff --git a/lasso/xml/saml_assertion.c b/lasso/xml/saml_assertion.c
index 161a55f0..679d92ce 100644
--- a/lasso/xml/saml_assertion.c
+++ b/lasso/xml/saml_assertion.c
@@ -136,69 +136,16 @@ get_xmlNode(LassoNode *node, gboolean lasso_dump)
 	LassoSamlAssertion *assertion = LASSO_SAML_ASSERTION(node);
 	xmlNode *xmlnode;
 	xmlNs *ns;
+	int rc;
 	
 	xmlnode = parent_class->get_xmlNode(node, lasso_dump);
 	ns = xmlSearchNs(NULL, xmlnode, "saml");
 	insure_namespace(xmlnode, ns);
 
 	if (lasso_dump == FALSE && assertion->sign_type) {
-		/* sign assertion now */
-		/* code could be refactored with lasso_node_export_to_signed_xmlnode */
-		xmlDoc *doc;
-		xmlNode *sign_tmpl;
-		xmlSecDSigCtx *dsig_ctx;
-		char *id_value;
-		xmlAttr *id_attr;
-
-		sign_tmpl = xmlSecFindNode(xmlnode, xmlSecNodeSignature, xmlSecDSigNs);
-		if (sign_tmpl == NULL)
-			return xmlnode;
-
-		doc = xmlNewDoc("1.0");
-		xmlDocSetRootElement(doc, xmlnode);
-		xmlSetTreeDoc(sign_tmpl, doc);
-
-		id_value = xmlGetProp(xmlnode, "AssertionID");
-		id_attr = xmlHasProp(xmlnode, "AssertionID");
-		if (id_value) {
-			xmlAddID(NULL, doc, id_value, id_attr);
-			xmlFree(id_value);
-		}
-
-		dsig_ctx = xmlSecDSigCtxCreate(NULL);
-		dsig_ctx->signKey = xmlSecCryptoAppKeyLoad(assertion->private_key_file,
-				xmlSecKeyDataFormatPem,
-				NULL, NULL, NULL);
-		if (dsig_ctx->signKey == NULL) {
-			/* XXX: file existence should actually be tested on
-			 * LassoServer creation */
-			message(G_LOG_LEVEL_CRITICAL,
-					lasso_strerror(LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED),
-					assertion->private_key_file);
-			xmlSecDSigCtxDestroy(dsig_ctx);
-			return NULL;
-		}
-		if (assertion->certificate_file != NULL && assertion->certificate_file[0] != 0) {
-			if (xmlSecCryptoAppKeyCertLoad(dsig_ctx->signKey,
-						assertion->certificate_file,
-						xmlSecKeyDataFormatPem) < 0) {
-				message(G_LOG_LEVEL_CRITICAL,
-					lasso_strerror(LASSO_DS_ERROR_CERTIFICATE_LOAD_FAILED),
-					assertion->certificate_file);
-				xmlSecDSigCtxDestroy(dsig_ctx);
-				return NULL;
-			}
-		}
-		if (xmlSecDSigCtxSign(dsig_ctx, sign_tmpl) < 0) {
-			message(G_LOG_LEVEL_CRITICAL,
-					lasso_strerror(LASSO_DS_ERROR_SIGNATURE_FAILED),
-					xmlnode->name);
-			xmlSecDSigCtxDestroy(dsig_ctx);
-			return NULL;
-		}
-		xmlSecDSigCtxDestroy(dsig_ctx);
-		xmlUnlinkNode(xmlnode);
-		xmlFreeDoc(doc);
+		rc = lasso_sign_node(xmlnode, "AssertionID", assertion->AssertionID,
+				assertion->private_key_file, assertion->certificate_file);
+		/* signature may have failed; what to do ? */
 	}
 
 	return xmlnode;
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 00803da4..c43d26d5 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -33,6 +33,9 @@
 #include <openssl/engine.h>
 
 #include <xmlsec/base64.h>
+#include <xmlsec/crypto.h>
+#include <xmlsec/templates.h>
+#include <xmlsec/xmldsig.h>
 #include <xmlsec/xmltree.h>
 
 #include <lasso/xml/xml.h>
@@ -597,3 +600,53 @@ error_code(GLogLevelFlags level, int error, ...)
 	return error;
 }
 
+
+int
+lasso_sign_node(xmlNode *xmlnode, const char *id_attr_name, const char *id_value,
+		const char *private_key_file, const char *certificate_file)
+{
+	xmlDoc *doc;
+	xmlNode *sign_tmpl;
+	xmlSecDSigCtx *dsig_ctx;
+
+	sign_tmpl = xmlSecFindNode(xmlnode, xmlSecNodeSignature, xmlSecDSigNs);
+	if (sign_tmpl == NULL)
+		return LASSO_DS_ERROR_SIGNATURE_TEMPLATE_NOT_FOUND;
+
+	doc = xmlNewDoc("1.0");
+	xmlDocSetRootElement(doc, xmlnode);
+	xmlSetTreeDoc(sign_tmpl, doc);
+	if (id_attr_name) {
+		xmlAttr *id_attr = xmlHasProp(xmlnode, id_attr_name);
+		if (id_value) {
+			xmlAddID(NULL, doc, id_value, id_attr);
+		}
+	}
+
+	dsig_ctx = xmlSecDSigCtxCreate(NULL);
+	dsig_ctx->signKey = xmlSecCryptoAppKeyLoad(private_key_file,
+			xmlSecKeyDataFormatPem,
+			NULL, NULL, NULL);
+	if (dsig_ctx->signKey == NULL) {
+		xmlSecDSigCtxDestroy(dsig_ctx);
+		return critical_error(LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED, private_key_file);
+	}
+	if (certificate_file != NULL && certificate_file[0] != 0) {
+		if (xmlSecCryptoAppKeyCertLoad(dsig_ctx->signKey, certificate_file,
+					xmlSecKeyDataFormatPem) < 0) {
+			xmlSecDSigCtxDestroy(dsig_ctx);
+			return critical_error(LASSO_DS_ERROR_CERTIFICATE_LOAD_FAILED,
+					certificate_file);
+		}
+	}
+	if (xmlSecDSigCtxSign(dsig_ctx, sign_tmpl) < 0) {
+		xmlSecDSigCtxDestroy(dsig_ctx);
+		return critical_error(LASSO_DS_ERROR_SIGNATURE_FAILED, xmlnode->name);
+	}
+	xmlSecDSigCtxDestroy(dsig_ctx);
+	xmlUnlinkNode(xmlnode);
+	xmlFreeDoc(doc);
+
+	return 0;
+}
+
diff --git a/lasso/xml/tools.h b/lasso/xml/tools.h
index 3de9a716..56b141d3 100644
--- a/lasso/xml/tools.h
+++ b/lasso/xml/tools.h
@@ -58,6 +58,8 @@ char* lasso_sha1(const char *str);
 
 char** urlencoded_to_strings(const char *str);
 
+int lasso_sign_node(xmlNode *xmlnode, const char *id_attr_name, const char *id_value,
+		const char *private_key_file, const char *certificate_file);
 
 void _debug(GLogLevelFlags level, const char *filename, int line,
 		const char *function, const char *format, ...);
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index c93e703b..227d08d7 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -124,62 +124,25 @@ static xmlNode*
 lasso_node_export_to_signed_xmlnode(LassoNode *node,
 		const char *private_key_file, const char *certificate_file)
 {
-	xmlDoc *doc;
-	xmlNode *message, *sign_tmpl;
-	xmlSecDSigCtx *dsig_ctx;
-	char *id_attr_name = NULL;
+	xmlNode *message;
+	char *id_attr_name = NULL, *id_value = NULL;
 
 	message = lasso_node_get_xmlNode(node, FALSE);
 
-	sign_tmpl = xmlSecFindNode(message, xmlSecNodeSignature, xmlSecDSigNs);
-	if (sign_tmpl && private_key_file) {
-		doc = xmlNewDoc("1.0");
-		xmlDocSetRootElement(doc, message);
-		xmlSetTreeDoc(sign_tmpl, doc);
-		if (LASSO_NODE_GET_CLASS(node)->get_sign_attr_name)
+	if (private_key_file) {
+		int rc;
+
+		if (LASSO_NODE_GET_CLASS(node)->get_sign_attr_name) {
 			id_attr_name = LASSO_NODE_GET_CLASS(node)->get_sign_attr_name();
-		if (id_attr_name) {
-			char *id_value = xmlGetProp(message, id_attr_name);
-			xmlAttr *id_attr = xmlHasProp(message, id_attr_name);
-			if (id_value) {
-				xmlAddID(NULL, doc, id_value, id_attr);
-				xmlFree(id_value);
-			}
+			id_value = xmlGetProp(message, id_attr_name);
 		}
 
-		dsig_ctx = xmlSecDSigCtxCreate(NULL);
-		dsig_ctx->signKey = xmlSecCryptoAppKeyLoad(private_key_file,
-				xmlSecKeyDataFormatPem,
-				NULL, NULL, NULL);
-		if (dsig_ctx->signKey == NULL) {
-			/* XXX: file existence should actually be tested on
-			 * LassoServer creation */
-			message(G_LOG_LEVEL_CRITICAL,
-					lasso_strerror(LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED),
-					private_key_file);
-			xmlSecDSigCtxDestroy(dsig_ctx);
-			return NULL;
-		}
-		if (certificate_file != NULL && certificate_file[0] != 0) {
-			if (xmlSecCryptoAppKeyCertLoad(dsig_ctx->signKey, certificate_file,
-						xmlSecKeyDataFormatPem) < 0) {
-				message(G_LOG_LEVEL_CRITICAL,
-					lasso_strerror(LASSO_DS_ERROR_CERTIFICATE_LOAD_FAILED),
-					certificate_file);
-				xmlSecDSigCtxDestroy(dsig_ctx);
-				return NULL;
-			}
-		}
-		if (xmlSecDSigCtxSign(dsig_ctx, sign_tmpl) < 0) {
-			message(G_LOG_LEVEL_CRITICAL,
-					lasso_strerror(LASSO_DS_ERROR_SIGNATURE_FAILED),
-					message->name);
-			xmlSecDSigCtxDestroy(dsig_ctx);
-			return NULL;
-		}
-		xmlSecDSigCtxDestroy(dsig_ctx);
-		xmlUnlinkNode(message);
-		xmlFreeDoc(doc);
+		rc = lasso_sign_node(message, id_attr_name, id_value,
+				private_key_file, certificate_file);
+		/* it may have failed; should we care and return NULL or let
+		 * the unsigned message go on the wire ? */
+		if (id_value)
+			xmlFree(id_value);
 	}
 
 	return message;