diff options
-rw-r--r-- | docs/reference/lasso/lasso-sections.txt | 11 | ||||
-rw-r--r-- | lasso/errors.c | 2 | ||||
-rw-r--r-- | lasso/errors.h | 7 | ||||
-rw-r--r-- | lasso/xml/idwsf_strings.h | 30 | ||||
-rw-r--r-- | lasso/xml/ws/wsse_username_token.c | 321 | ||||
-rw-r--r-- | lasso/xml/ws/wsse_username_token.h | 61 |
6 files changed, 361 insertions, 71 deletions
diff --git a/docs/reference/lasso/lasso-sections.txt b/docs/reference/lasso/lasso-sections.txt index 44aa0927..dc60ff6e 100644 --- a/docs/reference/lasso/lasso-sections.txt +++ b/docs/reference/lasso/lasso-sections.txt @@ -3458,9 +3458,15 @@ LASSO_WSA_RELATES_TO_GET_CLASS <SECTION> <FILE>wsse_username_token</FILE> -<TITLE>LassoWsSec1UsernameToken</TITLE> -LassoWsSec1UsernameToken +LassoWsseUsernameTokenPasswordType +<TITLE>LassoWsseUsernameToken</TITLE> +LassoWsseUsernameToken lasso_wsse_username_token_new +lasso_wsse_username_token_reset_nonce +lasso_wsse_username_token_set_password_kind +lasso_wsse_username_token_set_password +lasso_wsse_username_token_check_password +lasso_wsse_username_token_derive_key <SUBSECTION Standard> LASSO_WSSE_USERNAME_TOKEN LASSO_IS_WSSE_USERNAME_TOKEN @@ -6006,3 +6012,4 @@ lasso_soap_envelope_sb2_get_provider_id lasso_soap_envelope_sb2_get_redirect_request_url lasso_soap_envelope_sb2_get_target_identity_header </SECTION> + diff --git a/lasso/errors.c b/lasso/errors.c index 00e93127..aadfe5ed 100644 --- a/lasso/errors.c +++ b/lasso/errors.c @@ -313,6 +313,8 @@ lasso_strerror(int error_code) return "Missing SOAP fault detail"; case LASSO_NAME_IDENTIFIER_MAPPING_ERROR_FORBIDDEN_CALL_ON_THIS_SIDE: return "LASSO_NAME_IDENTIFIER_MAPPING_ERROR_FORBIDDEN_CALL_ON_THIS_SIDE"; + case LASSO_WSSE_BAD_PASSWORD: + return "The known password does not match the UsernameToken"; case LASSO_XML_ERROR_OBJECT_CONSTRUCTION_FAILED: return "Construction of an object from an XML document failed."; case LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED: diff --git a/lasso/errors.h b/lasso/errors.h index e55440a9..0629bc00 100644 --- a/lasso/errors.h +++ b/lasso/errors.h @@ -897,6 +897,13 @@ */ #define LASSO_WSSEC_ERROR_MISSING_SECURITY_TOKEN 1600 +/** + * LASSO_WSSE_BAD_PASSWORD: + * + * The known password does not match the UsernameToken + */ +#define LASSO_WSSEC_BAD_PASSWORD 1600 + /* ID-WSF 2.0 Discovery Service */ /** * LASSO_IDWSF2_DISCOVERY_ERROR_FAILED: diff --git a/lasso/xml/idwsf_strings.h b/lasso/xml/idwsf_strings.h index 90d7e682..431f2e1a 100644 --- a/lasso/xml/idwsf_strings.h +++ b/lasso/xml/idwsf_strings.h @@ -593,6 +593,36 @@ #define LASSO_WSSE_SECEXT_FAULT_CODE_SECURITY_TOKEN_UNAVAILABLE \ "wsse:SecurityTokenUnavailable" +/* + * Username token profile + */ + +/** + * LASSO_WSSE_USERNAME_TOKEN_PROFILE_HREF: + */ +#define LASSO_WSSE_USERNAME_TOKEN_PROFILE_HREF \ + "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0" + +/** + * LASSO_WSSE_USERNAME_TOKEN_PROFILE_PASSWORD_DIGEST: + * + * Identifier for a UsernameToken of type PasswordDigest + */ +#define LASSO_WSSE_USERNAME_TOKEN_PROFILE_PASSWORD_DIGEST \ + LASSO_WSSE_USERNAME_TOKEN_PROFILE_HREF "#PasswordDigest" + +/** + * LASSO_WSSE_USERNAME_TOKEN_PROFILE_PASSWORD_TEXT: + * + * Identifier for a UsernameToken of type PasswordText + */ +#define LASSO_WSSE_USERNAME_TOKEN_PROFILE_PASSWORD_TEXT \ + LASSO_WSSE_USERNAME_TOKEN_PROFILE_HREF "#PasswordText" + +/* + * WS-Security Utility + */ + /** * LASSO_WSUTIL1_HREF: * diff --git a/lasso/xml/ws/wsse_username_token.c b/lasso/xml/ws/wsse_username_token.c index 966b389a..9b82ecb1 100644 --- a/lasso/xml/ws/wsse_username_token.c +++ b/lasso/xml/ws/wsse_username_token.c @@ -1,5 +1,4 @@ -/* $Id: wsse_username_token.c,v 1.0 2005/10/14 15:17:55 fpeters Exp $ - * +/* $Id$ * Lasso - A free implementation of the Liberty Alliance specifications. * * Copyright (C) 2004-2007 Entr'ouvert @@ -22,62 +21,108 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#include "../private.h" -#include "wsse_username_token.h" +/** + * SECTION:wsse_username_token + * Transmit username and password credential as a WS-Security token. The password can be transmitted + * as cleartext or using a digest mode. It also allows to derive encryption and HMAC signing keys. + */ -/* - * Schema fragment (oasis-200401-wss-wssecurity-secext-1.0.xsd): +/** + * LassoWsseUsernameToken: + * @Id: the identifier of the UsernameToken + * @Username: the username + * @Nonce: a nonce used to compute the digest of the password + * @Created: the timestamp for the generation of the token, also used in the digest of the password + * @Salt: the salt for generating derived key + * @Iteration: how many times to apply SHA1 for generating derivated key * - * <xs:complexType name="UsernameTokenType"> - * <xs:annotation> - * <xs:documentation>This type represents a username token per Section - * 4.1</xs:documentation> - * </xs:annotation> - * <xs:sequence> - * <xs:element name="Username" type="wsse:AttributedString"/> - * <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/> - * </xs:sequence> - * <xs:attribute ref="wsu:Id"/> - * <xs:anyAttribute namespace="##other" processContents="lax"/> - * </xs:complexType> */ +#include "./wsse_username_token.h" +#include <xmlsec/xmltree.h> +#include <openssl/sha.h> +#include <glib.h> +#include "../string.h" +#include "../private.h" +#include "../../utils.h" +#include "../../errors.h" + +struct _LassoWsseUsernameTokenPrivate { + char *Password; + LassoWsseUsernameTokenPasswordType PasswordType; +}; + +typedef struct _LassoWsseUsernameTokenPrivate LassoWsseUsernameTokenPrivate; + +#define LASSO_WSSE_USERNAME_TOKEN_GET_PRIVATE(o) \ + (G_TYPE_INSTANCE_GET_PRIVATE ((o), LASSO_TYPE_WSSE_USERNAME_TOKEN, LassoWsseUsernameTokenPrivate)) + +static LassoNodeClass *parent_class = NULL; + /*****************************************************************************/ /* private methods */ /*****************************************************************************/ - static struct XmlSnippet schema_snippets[] = { - { "Username", SNIPPET_NODE, - G_STRUCT_OFFSET(LassoWsSec1UsernameToken, Username), NULL, NULL, NULL}, - { "Id", SNIPPET_ATTRIBUTE, - G_STRUCT_OFFSET(LassoWsSec1UsernameToken, Id), NULL, NULL, NULL}, + { "Id", SNIPPET_ATTRIBUTE, G_STRUCT_OFFSET(LassoWsseUsernameToken, Id), NULL, LASSO_WSU_PREFIX, LASSO_WSU_HREF}, + { "Username", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoWsseUsernameToken, Username), NULL, NULL, NULL}, + { "Nonce", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoWsseUsernameToken, Nonce), NULL, NULL, NULL}, + { "Created", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoWsseUsernameToken, Created), NULL, NULL, NULL}, + { "Salt", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoWsseUsernameToken, Salt), NULL, LASSO_WSSE11_PREFIX, LASSO_WSSE11_HREF}, + { "Iteration", SNIPPET_CONTENT | SNIPPET_INTEGER, G_STRUCT_OFFSET(LassoWsseUsernameToken, Iteration), NULL, LASSO_WSSE11_PREFIX, LASSO_WSSE11_HREF}, { "attributes", SNIPPET_ATTRIBUTE | SNIPPET_ANY, - G_STRUCT_OFFSET(LassoWsSec1UsernameToken, attributes), NULL, NULL, NULL}, + G_STRUCT_OFFSET(LassoWsseUsernameToken, attributes), NULL, NULL, NULL}, {NULL, 0, 0, NULL, NULL, NULL} }; -static LassoNodeClass *parent_class = NULL; - - /*****************************************************************************/ /* instance and class init functions */ /*****************************************************************************/ +static int +init_from_xml(LassoNode *node, xmlNode *xmlnode) +{ + int rc; + xmlNode *password; + xmlChar *kind; + LassoWsseUsernameTokenPrivate *private = LASSO_WSSE_USERNAME_TOKEN_GET_PRIVATE(node); + + password = xmlSecFindNode(xmlnode, (xmlChar*)"Password", (xmlChar*)LASSO_WSSE1_HREF); + if (password) { + xmlChar *content = xmlNodeGetContent(password); + kind = xmlGetNsProp(password, (xmlChar*)"Type", (xmlChar*)LASSO_WSSE1_HREF); + lasso_assign_string(private->Password, (char*)content); + if (kind && strcmp((char*)kind, LASSO_WSSE_USERNAME_TOKEN_PROFILE_PASSWORD_TEXT)) { + private->PasswordType = LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_DIGEST; + } else if (kind && strcmp((char*)kind, LASSO_WSSE_USERNAME_TOKEN_PROFILE_PASSWORD_TEXT)) { + private->PasswordType = LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_TEXT; + } else { + rc = -1; + } + lasso_release_xml_string(content); + lasso_release_xml_string(kind); + } + + rc = parent_class->init_from_xml(node, xmlnode); + + return 0; +} + static void -instance_init(LassoWsSec1UsernameToken *node) +instance_init(LassoWsseUsernameToken *wsse_username_token) { - node->attributes = g_hash_table_new_full( - g_str_hash, g_str_equal, g_free, g_free); + wsse_username_token->attributes = + g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free); } static void -class_init(LassoWsSec1UsernameTokenClass *klass) +class_init(LassoWsseUsernameTokenClass *klass) { LassoNodeClass *nclass = LASSO_NODE_CLASS(klass); parent_class = g_type_class_peek_parent(klass); nclass->node_data = g_new0(LassoNodeClassData, 1); + nclass->init_from_xml = init_from_xml; lasso_node_class_set_nodename(nclass, "UsernameToken"); lasso_node_class_set_ns(nclass, LASSO_WSSE1_HREF, LASSO_WSSE1_PREFIX); lasso_node_class_add_snippets(nclass, schema_snippets); @@ -90,33 +135,227 @@ lasso_wsse_username_token_get_type() if (!this_type) { static const GTypeInfo this_info = { - sizeof (LassoWsSec1UsernameTokenClass), + sizeof (LassoWsseUsernameTokenClass), NULL, NULL, (GClassInitFunc) class_init, NULL, NULL, - sizeof(LassoWsSec1UsernameToken), + sizeof(LassoWsseUsernameToken), 0, - (GInstanceInitFunc) instance_init, + (GInstanceInitFunc)instance_init, NULL }; this_type = g_type_register_static(LASSO_TYPE_NODE, - "LassoWsSec1UsernameToken", &this_info, 0); + "LassoWsseUsernameToken", &this_info, 0); } return this_type; } /** - * lasso_wsse_username_token_new: + * lasso_wsse_username_tokne_new: * - * Creates a new #LassoWsSec1UsernameToken object. + * Create a new #LassoWsseUsernameToken object. * - * Return value: a newly created #LassoWsSec1UsernameToken object - **/ -LassoWsSec1UsernameToken* + * Return value: a newly created #LassoWsseUsernameToken object + */ +LassoWsseUsernameToken* lasso_wsse_username_token_new() { - return g_object_new(LASSO_TYPE_WSSE_USERNAME_TOKEN, NULL); + LassoWsseUsernameToken *node; + + node = (LassoWsseUsernameToken*)g_object_new(LASSO_TYPE_WSSE_USERNAME_TOKEN, NULL); + node->Id = lasso_build_unique_id(40); + node->Created = lasso_get_current_time(); + + return node; +} + +/** + * lasso_wsse_username_token_reset_nonce: + * @wsse_username_token: a #LassoWsseUsernameToken object + * + * Generate a random nonce. + */ +void +lasso_wsse_username_token_reset_nonce(LassoWsseUsernameToken *wsse_username_token) +{ + guint32 nonce[16]; + int i; + + for (i=0; i < 16; i++) { + nonce[i] = g_random_int(); + } + + wsse_username_token->Nonce = g_base64_encode((guchar*)nonce, sizeof(nonce)); +} + + +/** + * lasso_wsse_username_token_set_password_kind: + * @wsse_username_token: a #LassoWsseUsernameToken object + * @password_type: a #LassoWsseUsernameTokenPasswordType enumeration + * + * Set the way to transmit password, that is either cleartext or digest. + */ +void +lasso_wsse_username_token_set_password_kind(LassoWsseUsernameToken *wsse_username_token, LassoWsseUsernameTokenPasswordType password_type) +{ + LassoWsseUsernameTokenPrivate *private = + LASSO_WSSE_USERNAME_TOKEN_GET_PRIVATE(wsse_username_token); + + private->PasswordType = password_type; +} + +static char * +_lasso_wsse_username_token_compute_digest(LassoWsseUsernameToken *wsse_username_token, char *password) +{ + guchar *nonce; + guint nonce_len = 0; + guint created_len = 0; + guint password_len = 0; + guchar *buffer; + gchar *result; + + if (wsse_username_token->Nonce) { + nonce = g_base64_decode((gchar*)wsse_username_token->Nonce, &nonce_len); + } + if (wsse_username_token->Created) { + created_len = strlen(wsse_username_token->Created); + } + if (password) { + password_len = strlen(password); + } + + buffer = g_malloc(nonce_len + created_len + password ? strlen(password) : 0); + memcpy(buffer, nonce, nonce_len); + memcpy(buffer + nonce_len, wsse_username_token->Created, created_len); + memcpy(buffer + nonce_len + created_len, password, password_len); + result = g_base64_encode((guchar*)buffer, nonce_len + created_len + password_len); + g_free(buffer); + + return result; +} + + +/** + * lasso_wsse_username_token_set_password: + * @wsse_username_token: a #LassoWsseUsernameToken object + * @password: an UTF-8 string + * + * Set the password using the given UTF-8 string. If password kind is digest, compute the digest + * SHA1(nonce + created + password), convert to Base64 and set it as the password. If nonce or + * created are NULL, the empty string is used. + * + * Return value: 0 if successfull, an error code otherwise. + */ +int +lasso_wsse_username_token_set_password(LassoWsseUsernameToken *wsse_username_token, char *password) +{ + LassoWsseUsernameTokenPrivate *private = + LASSO_WSSE_USERNAME_TOKEN_GET_PRIVATE(wsse_username_token); + + switch (private->PasswordType) { + case LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_DIGEST: + lasso_assign_string(private->Password, + _lasso_wsse_username_token_compute_digest( + wsse_username_token, password)); + break; + case LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_TEXT: + lasso_assign_string(private->Password, password); + break; + default: + return LASSO_ERROR_UNDEFINED; + } + + return 0; +} + +int +lasso_wsse_username_token_check_password(LassoWsseUsernameToken *wsse_username_token, char + *password) +{ + LassoWsseUsernameTokenPrivate *private = + LASSO_WSSE_USERNAME_TOKEN_GET_PRIVATE(wsse_username_token); + int rc = 0; + char *digest; + + switch (private->PasswordType) { + case LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_DIGEST: + digest = _lasso_wsse_username_token_compute_digest(wsse_username_token, password); + if (strcmp(private->Password, digest) != 0) { + rc = LASSO_WSSE_BAD_PASSWORD; + } + g_free(digest); + break; + case LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_TEXT: + if (strcmp(private->Password, password) != 0) { + return LASSO_WSSE_BAD_PASSWORD; + } + break; + default: + return LASSO_ERROR_UNDEFINED; + } + return rc; +} + +/** + * lasso_wsse_username_token_derive_key: + * @wsse_username_token: a #LassoWsseUsernameToken object + * @password: the known password + * + * Generate a derived 128bit key using the password and setting from the UsernameToken. + * + * Return value: a 20 byte octet string. + */ +guchar* +lasso_wsse_username_token_derive_key(LassoWsseUsernameToken *wsse_username_token, + char *password) +{ + guchar *salt; + gsize salt_len; + guchar *result = NULL; + guint iteration; + guchar *buffer; + gsize buffer_len; + guint password_len; + guchar hash1[20], hash2[20]; + + if (! wsse_username_token->Salt) + goto exit; + if (wsse_username_token->Iteration <= 0) + iteration = 1000; + else + iteration = wsse_username_token->Iteration; + salt = g_base64_decode(wsse_username_token->Salt, &salt_len); + if (salt_len < 8) + goto exit; + password_len = strlen(password); + buffer = g_malloc(salt_len + password_len); + memcpy(buffer, salt, salt_len); + memcpy(buffer + salt_len, password, password_len); + buffer_len = salt_len + password_len; + if (iteration & 1) { + SHA1(buffer, buffer_len, hash1); + } else { + SHA1(buffer, buffer_len, hash2); + } + iteration--; + while (iteration) { + if (iteration & 1) { + SHA1(hash2, 20, hash1); + } else { + SHA1(hash1, 20, hash2); + } + iteration--; + } + g_free(buffer); + result = g_malloc(20); + memcpy(result, hash1, 20); + +exit: + g_free(salt); + return result; + } diff --git a/lasso/xml/ws/wsse_username_token.h b/lasso/xml/ws/wsse_username_token.h index 960f9c22..ce76ab81 100644 --- a/lasso/xml/ws/wsse_username_token.h +++ b/lasso/xml/ws/wsse_username_token.h @@ -1,4 +1,4 @@ -/* $Id: wsse_username_token.h,v 1.0 2005/10/14 15:17:55 fpeters Exp $ +/* $Id$ * * Lasso - A free implementation of the Liberty Alliance specifications. * @@ -32,50 +32,55 @@ extern "C" { #include "../xml.h" #define LASSO_TYPE_WSSE_USERNAME_TOKEN (lasso_wsse_username_token_get_type()) -#define LASSO_WSSE_USERNAME_TOKEN(obj) \ - (G_TYPE_CHECK_INSTANCE_CAST((obj), \ - LASSO_TYPE_WSSE_USERNAME_TOKEN, \ - LassoWsSec1UsernameToken)) -#define LASSO_WSSE_USERNAME_TOKEN_CLASS(klass) \ - (G_TYPE_CHECK_CLASS_CAST((klass), \ - LASSO_TYPE_WSSE_USERNAME_TOKEN, \ - LassoWsSec1UsernameTokenClass)) -#define LASSO_IS_WSSE_USERNAME_TOKEN(obj) \ - (G_TYPE_CHECK_INSTANCE_TYPE((obj), \ - LASSO_TYPE_WSSE_USERNAME_TOKEN)) +#define LASSO_WSSE_USERNAME_TOKEN(obj) (G_TYPE_CHECK_INSTANCE_CAST((obj), \ + LASSO_TYPE_WSSE_USERNAME_TOKEN, LassoWsseUsernameToken)) +#define LASSO_WSSE_USERNAME_TOKEN_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST((klass), \ + LASSO_TYPE_WSSE_USERNAME_TOKEN, LassoWsseUsernameTokenClass)) +#define LASSO_IS_WSSE_USERNAME_TOKEN(obj) (G_TYPE_CHECK_INSTANCE_TYPE((obj), LASSO_TYPE_WSSE_USERNAME_TOKEN)) #define LASSO_IS_WSSE_USERNAME_TOKEN_CLASS(klass) \ - (G_TYPE_CHECK_CLASS_TYPE ((klass), \ - LASSO_TYPE_WSSE_USERNAME_TOKEN)) + (G_TYPE_CHECK_CLASS_TYPE ((klass),LASSO_TYPE_WSSE_USERNAME_TOKEN)) #define LASSO_WSSE_USERNAME_TOKEN_GET_CLASS(o) \ - (G_TYPE_INSTANCE_GET_CLASS ((o), \ - LASSO_TYPE_WSSE_USERNAME_TOKEN, \ - LassoWsSec1UsernameTokenClass)) + (G_TYPE_INSTANCE_GET_CLASS ((o), LASSO_TYPE_WSSE_USERNAME_TOKEN, LassoWsseUsernameTokenClass)) +typedef struct _LassoWsseUsernameToken LassoWsseUsernameToken; +typedef struct _LassoWsseUsernameTokenClass LassoWsseUsernameTokenClass; -typedef struct _LassoWsSec1UsernameToken LassoWsSec1UsernameToken; -typedef struct _LassoWsSec1UsernameTokenClass LassoWsSec1UsernameTokenClass; +typedef enum { + LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_UNKNOWN, + LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_TEXT, + LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_DIGEST, + LASSO_WSSE_USERNAME_TOKEN_PASSWORD_TYPE_LAST +} LassoWsseUsernameTokenPasswordType; - -struct _LassoWsSec1UsernameToken { +struct _LassoWsseUsernameToken { LassoNode parent; - /*< public >*/ - /* elements */ - /* XXX */ void *Username; - /* attributes */ char *Id; + char *Username; + char *Nonce; + char *Salt; + char *Created; + int Iteration; GHashTable *attributes; }; - -struct _LassoWsSec1UsernameTokenClass { +struct _LassoWsseUsernameTokenClass { LassoNodeClass parent; }; LASSO_EXPORT GType lasso_wsse_username_token_get_type(void); -LASSO_EXPORT LassoWsSec1UsernameToken* lasso_wsse_username_token_new(void); +LASSO_EXPORT LassoWsseUsernameToken* lasso_wsse_username_token_new(void); + +LASSO_EXPORT void lasso_wsse_username_token_reset_nonce(LassoWsseUsernameToken *wsse_username_token); + +LASSO_EXPORT void lasso_wsse_username_token_set_password_kind(LassoWsseUsernameToken *wsse_username_token, LassoWsseUsernameTokenPasswordType password_type); + +LASSO_EXPORT int lasso_wsse_username_token_set_password(LassoWsseUsernameToken *wsse_username_token, char *password); + +LASSO_EXPORT int lasso_wsse_username_token_check_password(LassoWsseUsernameToken *wsse_username_token, char *password); +LASSO_EXPORT guchar* lasso_wsse_username_token_derive_key(LassoWsseUsernameToken *wsse_username_token, char *password); #ifdef __cplusplus } |