diff options
author | Frederic Peters <fpeters@entrouvert.com> | 2004-12-20 10:23:53 +0000 |
---|---|---|
committer | Frederic Peters <fpeters@entrouvert.com> | 2004-12-20 10:23:53 +0000 |
commit | 612d8dce2517c2c27ab13f53e047790d9fa6fffe (patch) | |
tree | 8a2a2cc44a206aaf2632051946ee3332a43c7113 /lasso/xml | |
parent | 95afff30e76e9a0cf32651f726ea932b678c7410 (diff) | |
download | lasso-612d8dce2517c2c27ab13f53e047790d9fa6fffe.tar.gz lasso-612d8dce2517c2c27ab13f53e047790d9fa6fffe.tar.xz lasso-612d8dce2517c2c27ab13f53e047790d9fa6fffe.zip |
Refactored signature code so it is now shared between requests/responses and
artifacts.
Diffstat (limited to 'lasso/xml')
-rw-r--r-- | lasso/xml/errors.c | 2 | ||||
-rw-r--r-- | lasso/xml/errors.h | 1 | ||||
-rw-r--r-- | lasso/xml/saml_assertion.c | 61 | ||||
-rw-r--r-- | lasso/xml/tools.c | 53 | ||||
-rw-r--r-- | lasso/xml/tools.h | 2 | ||||
-rw-r--r-- | lasso/xml/xml.c | 63 |
6 files changed, 75 insertions, 107 deletions
diff --git a/lasso/xml/errors.c b/lasso/xml/errors.c index 9a938677..351878c6 100644 --- a/lasso/xml/errors.c +++ b/lasso/xml/errors.c @@ -60,6 +60,8 @@ lasso_strerror(int error_code) return "Failed to verify signature of %s."; case LASSO_DS_ERROR_INVALID_SIGALG: return "Invalid signature algorithm."; + case LASSO_DS_ERROR_SIGNATURE_TEMPLATE_NOT_FOUND: + return "Signature template has not been found."; case LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND: return "Failed to get LassoProvider object "\ diff --git a/lasso/xml/errors.h b/lasso/xml/errors.h index 1a5fdf8b..e15cfdcd 100644 --- a/lasso/xml/errors.h +++ b/lasso/xml/errors.h @@ -50,6 +50,7 @@ #define LASSO_DS_ERROR_CA_CERT_CHAIN_LOAD_FAILED -112 #define LASSO_DS_ERROR_INVALID_SIGALG -113 #define LASSO_DS_ERROR_DIGEST_COMPUTE_FAILED -114 +#define LASSO_DS_ERROR_SIGNATURE_TEMPLATE_NOT_FOUND -115 /* Server */ #define LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND -201 diff --git a/lasso/xml/saml_assertion.c b/lasso/xml/saml_assertion.c index 161a55f0..679d92ce 100644 --- a/lasso/xml/saml_assertion.c +++ b/lasso/xml/saml_assertion.c @@ -136,69 +136,16 @@ get_xmlNode(LassoNode *node, gboolean lasso_dump) LassoSamlAssertion *assertion = LASSO_SAML_ASSERTION(node); xmlNode *xmlnode; xmlNs *ns; + int rc; xmlnode = parent_class->get_xmlNode(node, lasso_dump); ns = xmlSearchNs(NULL, xmlnode, "saml"); insure_namespace(xmlnode, ns); if (lasso_dump == FALSE && assertion->sign_type) { - /* sign assertion now */ - /* code could be refactored with lasso_node_export_to_signed_xmlnode */ - xmlDoc *doc; - xmlNode *sign_tmpl; - xmlSecDSigCtx *dsig_ctx; - char *id_value; - xmlAttr *id_attr; - - sign_tmpl = xmlSecFindNode(xmlnode, xmlSecNodeSignature, xmlSecDSigNs); - if (sign_tmpl == NULL) - return xmlnode; - - doc = xmlNewDoc("1.0"); - xmlDocSetRootElement(doc, xmlnode); - xmlSetTreeDoc(sign_tmpl, doc); - - id_value = xmlGetProp(xmlnode, "AssertionID"); - id_attr = xmlHasProp(xmlnode, "AssertionID"); - if (id_value) { - xmlAddID(NULL, doc, id_value, id_attr); - xmlFree(id_value); - } - - dsig_ctx = xmlSecDSigCtxCreate(NULL); - dsig_ctx->signKey = xmlSecCryptoAppKeyLoad(assertion->private_key_file, - xmlSecKeyDataFormatPem, - NULL, NULL, NULL); - if (dsig_ctx->signKey == NULL) { - /* XXX: file existence should actually be tested on - * LassoServer creation */ - message(G_LOG_LEVEL_CRITICAL, - lasso_strerror(LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED), - assertion->private_key_file); - xmlSecDSigCtxDestroy(dsig_ctx); - return NULL; - } - if (assertion->certificate_file != NULL && assertion->certificate_file[0] != 0) { - if (xmlSecCryptoAppKeyCertLoad(dsig_ctx->signKey, - assertion->certificate_file, - xmlSecKeyDataFormatPem) < 0) { - message(G_LOG_LEVEL_CRITICAL, - lasso_strerror(LASSO_DS_ERROR_CERTIFICATE_LOAD_FAILED), - assertion->certificate_file); - xmlSecDSigCtxDestroy(dsig_ctx); - return NULL; - } - } - if (xmlSecDSigCtxSign(dsig_ctx, sign_tmpl) < 0) { - message(G_LOG_LEVEL_CRITICAL, - lasso_strerror(LASSO_DS_ERROR_SIGNATURE_FAILED), - xmlnode->name); - xmlSecDSigCtxDestroy(dsig_ctx); - return NULL; - } - xmlSecDSigCtxDestroy(dsig_ctx); - xmlUnlinkNode(xmlnode); - xmlFreeDoc(doc); + rc = lasso_sign_node(xmlnode, "AssertionID", assertion->AssertionID, + assertion->private_key_file, assertion->certificate_file); + /* signature may have failed; what to do ? */ } return xmlnode; diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c index 00803da4..c43d26d5 100644 --- a/lasso/xml/tools.c +++ b/lasso/xml/tools.c @@ -33,6 +33,9 @@ #include <openssl/engine.h> #include <xmlsec/base64.h> +#include <xmlsec/crypto.h> +#include <xmlsec/templates.h> +#include <xmlsec/xmldsig.h> #include <xmlsec/xmltree.h> #include <lasso/xml/xml.h> @@ -597,3 +600,53 @@ error_code(GLogLevelFlags level, int error, ...) return error; } + +int +lasso_sign_node(xmlNode *xmlnode, const char *id_attr_name, const char *id_value, + const char *private_key_file, const char *certificate_file) +{ + xmlDoc *doc; + xmlNode *sign_tmpl; + xmlSecDSigCtx *dsig_ctx; + + sign_tmpl = xmlSecFindNode(xmlnode, xmlSecNodeSignature, xmlSecDSigNs); + if (sign_tmpl == NULL) + return LASSO_DS_ERROR_SIGNATURE_TEMPLATE_NOT_FOUND; + + doc = xmlNewDoc("1.0"); + xmlDocSetRootElement(doc, xmlnode); + xmlSetTreeDoc(sign_tmpl, doc); + if (id_attr_name) { + xmlAttr *id_attr = xmlHasProp(xmlnode, id_attr_name); + if (id_value) { + xmlAddID(NULL, doc, id_value, id_attr); + } + } + + dsig_ctx = xmlSecDSigCtxCreate(NULL); + dsig_ctx->signKey = xmlSecCryptoAppKeyLoad(private_key_file, + xmlSecKeyDataFormatPem, + NULL, NULL, NULL); + if (dsig_ctx->signKey == NULL) { + xmlSecDSigCtxDestroy(dsig_ctx); + return critical_error(LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED, private_key_file); + } + if (certificate_file != NULL && certificate_file[0] != 0) { + if (xmlSecCryptoAppKeyCertLoad(dsig_ctx->signKey, certificate_file, + xmlSecKeyDataFormatPem) < 0) { + xmlSecDSigCtxDestroy(dsig_ctx); + return critical_error(LASSO_DS_ERROR_CERTIFICATE_LOAD_FAILED, + certificate_file); + } + } + if (xmlSecDSigCtxSign(dsig_ctx, sign_tmpl) < 0) { + xmlSecDSigCtxDestroy(dsig_ctx); + return critical_error(LASSO_DS_ERROR_SIGNATURE_FAILED, xmlnode->name); + } + xmlSecDSigCtxDestroy(dsig_ctx); + xmlUnlinkNode(xmlnode); + xmlFreeDoc(doc); + + return 0; +} + diff --git a/lasso/xml/tools.h b/lasso/xml/tools.h index 3de9a716..56b141d3 100644 --- a/lasso/xml/tools.h +++ b/lasso/xml/tools.h @@ -58,6 +58,8 @@ char* lasso_sha1(const char *str); char** urlencoded_to_strings(const char *str); +int lasso_sign_node(xmlNode *xmlnode, const char *id_attr_name, const char *id_value, + const char *private_key_file, const char *certificate_file); void _debug(GLogLevelFlags level, const char *filename, int line, const char *function, const char *format, ...); diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c index c93e703b..227d08d7 100644 --- a/lasso/xml/xml.c +++ b/lasso/xml/xml.c @@ -124,62 +124,25 @@ static xmlNode* lasso_node_export_to_signed_xmlnode(LassoNode *node, const char *private_key_file, const char *certificate_file) { - xmlDoc *doc; - xmlNode *message, *sign_tmpl; - xmlSecDSigCtx *dsig_ctx; - char *id_attr_name = NULL; + xmlNode *message; + char *id_attr_name = NULL, *id_value = NULL; message = lasso_node_get_xmlNode(node, FALSE); - sign_tmpl = xmlSecFindNode(message, xmlSecNodeSignature, xmlSecDSigNs); - if (sign_tmpl && private_key_file) { - doc = xmlNewDoc("1.0"); - xmlDocSetRootElement(doc, message); - xmlSetTreeDoc(sign_tmpl, doc); - if (LASSO_NODE_GET_CLASS(node)->get_sign_attr_name) + if (private_key_file) { + int rc; + + if (LASSO_NODE_GET_CLASS(node)->get_sign_attr_name) { id_attr_name = LASSO_NODE_GET_CLASS(node)->get_sign_attr_name(); - if (id_attr_name) { - char *id_value = xmlGetProp(message, id_attr_name); - xmlAttr *id_attr = xmlHasProp(message, id_attr_name); - if (id_value) { - xmlAddID(NULL, doc, id_value, id_attr); - xmlFree(id_value); - } + id_value = xmlGetProp(message, id_attr_name); } - dsig_ctx = xmlSecDSigCtxCreate(NULL); - dsig_ctx->signKey = xmlSecCryptoAppKeyLoad(private_key_file, - xmlSecKeyDataFormatPem, - NULL, NULL, NULL); - if (dsig_ctx->signKey == NULL) { - /* XXX: file existence should actually be tested on - * LassoServer creation */ - message(G_LOG_LEVEL_CRITICAL, - lasso_strerror(LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED), - private_key_file); - xmlSecDSigCtxDestroy(dsig_ctx); - return NULL; - } - if (certificate_file != NULL && certificate_file[0] != 0) { - if (xmlSecCryptoAppKeyCertLoad(dsig_ctx->signKey, certificate_file, - xmlSecKeyDataFormatPem) < 0) { - message(G_LOG_LEVEL_CRITICAL, - lasso_strerror(LASSO_DS_ERROR_CERTIFICATE_LOAD_FAILED), - certificate_file); - xmlSecDSigCtxDestroy(dsig_ctx); - return NULL; - } - } - if (xmlSecDSigCtxSign(dsig_ctx, sign_tmpl) < 0) { - message(G_LOG_LEVEL_CRITICAL, - lasso_strerror(LASSO_DS_ERROR_SIGNATURE_FAILED), - message->name); - xmlSecDSigCtxDestroy(dsig_ctx); - return NULL; - } - xmlSecDSigCtxDestroy(dsig_ctx); - xmlUnlinkNode(message); - xmlFreeDoc(doc); + rc = lasso_sign_node(message, id_attr_name, id_value, + private_key_file, certificate_file); + /* it may have failed; should we care and return NULL or let + * the unsigned message go on the wire ? */ + if (id_value) + xmlFree(id_value); } return message; |