| author | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2009-04-27 08:19:35 +0000 |
|---|---|---|
| committer | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2009-04-27 08:19:35 +0000 |
| commit | bb7af761c5e2ae68a8ea9bdc7463a9dd7e54d47f (patch) | |
| tree | 9f8726f245f905525b7eeb7c4400df07ea922df3 /lasso | |
| parent | 96d33b6542a64daa69f1789317815ced0ff26952 (diff) | |
| download | lasso-bb7af761c5e2ae68a8ea9bdc7463a9dd7e54d47f.tar.gz lasso-bb7af761c5e2ae68a8ea9bdc7463a9dd7e54d47f.tar.xz lasso-bb7af761c5e2ae68a8ea9bdc7463a9dd7e54d47f.zip | |
new function lasso_saml20_login_check_assertion_signature()
* lasso/saml-2.0/login.c:
lasso_saml20_login_check_assertion_signature() finds the issuer of an
assertion, looks it up in the server object and tries to validate its
signature. It returns an error code if any of these steps fails.
Diffstat (limited to 'lasso')
| -rw-r--r-- | lasso/saml-2.0/login.c | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 17deb56c..e24a4757 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1130,6 +1130,69 @@ lasso_saml20_login_process_response_msg(LassoLogin *login, gchar *response_msg)
 }
 
 static gint
+lasso_saml20_login_check_assertion_signature(LassoLogin *login,
+ LassoSaml2Assertion *assertion)
+{
+ xmlNode *original_node = NULL;
+ LassoSaml2NameID *Issuer = NULL;
+ LassoServer *server = NULL;
+ LassoProfile *profile = NULL;
+ char *remote_provider_id = NULL;
+ LassoProvider *remote_provider;
+ int rc = 0;
+
+ lasso_bad_param(LOGIN, login);
+ lasso_bad_param(SAML2_ASSERTION, assertion);
+
+ profile = (LassoProfile*)login;
+ lasso_extract_node_or_fail(server, lasso_profile_get_server(profile),
+ SERVER, LASSO_PROFILE_ERROR_MISSING_SERVER);
+
+ /* Get an issuer */
+ Issuer = assertion->Issuer;
+ if (! Issuer || /* No issuer */
+ ! Issuer->content || /* No issuer content */
+ (Issuer->Format &&
+ strcmp(Issuer->Format, LASSO_SAML2_NAME_IDENTIFIER_FORMAT_ENTITY) != 0))
+ /* Issuer format is not entity */
+ {
+ rc = LASSO_PROFILE_ERROR_MISSING_ISSUER;
+ } else {
+ remote_provider_id = Issuer->content;
+ }
+ remote_provider = lasso_server_get_provider(server, remote_provider_id);
+ goto_cleanup_if_fail_with_rc(remote_provider, LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
+
+ /* Get the original node */
+ original_node = lasso_node_get_original_xmlnode(LASSO_NODE(assertion));
+ goto_cleanup_if_fail_with_rc(original_node, LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE);
+
+ rc = profile->signature_status = lasso_provider_verify_saml_signature(remote_provider, original_node, NULL);
+
+#define log_verify_assertion_signature_error(msg) \
+ message(G_LOG_LEVEL_WARNING, "Could not verify signature of assertion" \
+ "ID:%s, " msg ".", assertion->ID);
+cleanup:
+ switch (rc) {
+ case LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND:
+ log_verify_assertion_signature_error("Issuer is unknown");
+ break;
+ case LASSO_PROFILE_ERROR_MISSING_ISSUER:
+ log_verify_assertion_signature_error(
+ "no Issuer found or Issuer has bad format");
+ break;
+ case LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE:
+ log_verify_assertion_signature_error(
+ " the original xmlNode is certainly not accessible anymore");
+
+ default:
+ break;
+ }
+#undef log_verify_assertion_signature_error
+ return rc;
+}
+
+static gint
 lasso_saml20_login_process_response_status_and_assertion(LassoLogin *login)
 {
 LassoSamlp2StatusResponse *response; |
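Review bot: When the Issuer check fails, `rc = LASSO_PROFILE_ERROR_MISSING_ISSUER;` is set but execution continues into `lasso_server_get_provider(server, remote_provider_id)` with a NULL id, and the following `goto_cleanup_if_fail_with_rc` will presumably overwrite rc with LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND, so both the caller and the warning log see the wrong cause; add `goto cleanup;` directly after the assignment, or express the check with the same `goto_cleanup_if_fail_with_rc` idiom used for the other two failures. In the switch, the `LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE` case has no `break;` before `default:`; it is harmless today but should end with `break;` so a case inserted there later does not inherit the log call. The macro's format string joins `"...of assertion" "ID:%s, "` without a separating space and its definition ends in a `;` that doubles at every use; write `"Could not verify signature of assertion " \` and drop the trailing semicolon. Because a non-zero return from this function is what stops an unsigned or mis-signed assertion from being accepted, a header comment such as `/* Returns 0 only when the assertion's signature verified against the provider registered for its Issuer; any other value is a LASSO error code. */` would make the contract explicit for callers.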
