path: root/lasso/id-ff
Commit message | Author | Age | Files | Lines
* id-ff/provider: fix leak of xmlSecKey | Benjamin Dauvergne | 2014-06-08 | 1 | -0/+3
* xml/samlp2_logout_request: fix leaks around session indexes | Benjamin Dauvergne | 2014-06-08 | 1 | -0/+1
* server: fix leak of xmlSecKey objects | Benjamin Dauvergne | 2014-06-08 | 1 | -1/+0
* session: fix leak of _NidAndSessionIndex structures | Benjamin Dauvergne | 2014-06-08 | 1 | -0/+1
* login: complete document of lasso_login_process_authn_response_msg on expectable error codes | Benjamin Dauvergne | 2014-05-21 | 1 | -1/+32
* id-ff/providerprivate.h,id-ff/provider.h: make lasso_provider_verify_signature public API | Benjamin Dauvergne | 2013-12-18 | 2 | -2/+3
  It's necessary for the crudeSAML SASL mechanism.
* id-ff/session.c: fix wrong variable reference in init_from_xml_nid_and_session_index | Benjamin Dauvergne | 2013-12-08 | 1 | -1/+1
* Fix license boilerplates | Simo Sorce | 2013-12-03 | 31 | -62/+31
  Instead of referring to an old FSF address, point the reader to the FSF website where the latest licenses and addresses are published.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* id-ff/login.c: initialize role status of sp and idp in lasso_login_init_authn_request | Benjamin Dauvergne | 2013-09-27 | 1 | -1/+10
* fix warnings about unused but set variables | Benjamin Dauvergne | 2013-09-08 | 3 | -15/+0
* Rewrite all xmlNode serialization code to be compatible with libxml 2.9.0 | Benjamin Dauvergne | 2012-09-28 | 2 | -40/+7
  Libxml stopped exposing the internals of the xmlOutputBuffer structure; it was replaced by proper use of the API and of the xmlBuffer structure. There could be regressions for older versions of libxml as some functions appeared in recent versions of libxml; but the reference API document does not give any introduction date for functions so it's hard to be sure.
* [id-ff 1.2] change websso with artifact binding to work as SAML 2.0 | Benjamin Dauvergne | 2011-12-23 | 1 | -21/+48
  The old way of transmitting the assertion to return via the session is kept, but a new way more semblable to the one used in the SAML 2.0 code is added.
  After lasso_login_build_artifact_msg() you must save the return of lasso_profile_get_artifact_message() linked to the value of the artifact obtained via lasso_profile_get_artifact().
  In the artifact-resolve endpoint you must find the artifact message corresponding to the return value of lasso_profile_get_artifact() and reinstall the artifact message using lasso_profile_set_artifact_message() just before calling lasso_login_build_response_msg().
  This change is necessary for ID-FF 1.2 SSO profile to work with the thin-sessions.
* [id-ff 1.2] in lasso_login_build_assertion() always add the assertion to the response | Benjamin Dauvergne | 2011-12-22 | 1 | -7/+4
* [doc] do some documentation fixing | Benjamin Dauvergne | 2011-12-22 | 2 | -1/+4
* [id-ff 1.2] provision the SessionIndex into the assertions | Benjamin Dauvergne | 2011-12-22 | 1 | -0/+6
  Without it SLO session management is broken.
* [id-ff 1.1] add support for multiple SessionIndex to lib:LogoutRequest | Benjamin Dauvergne | 2011-12-22 | 1 | -80/+32
  Combined with the new LassoSession storage for SessionIndex, it should fix many bugs when doing SLO.
* [core] add support for thin-sessions environment flag, to reduce size of LassoSession dumps | Benjamin Dauvergne | 2011-12-22 | 1 | -0/+3
* [core] add simpler storage for SessionIndexes in the LassoSession | Benjamin Dauvergne | 2011-12-22 | 3 | -30/+400
* Simplify useless complexity in include paths | Benjamin Dauvergne | 2011-12-16 | 3 | -3/+3
* [xml] rewrite schema directed serialization/deserialization methods | Benjamin Dauvergne | 2011-12-16 | 9 | -89/+47
  The new implementations of lasso_node_impl_init_from_xml now validate namespace of all child nodes before parsing. It stops on any error.
  For node which implement their own parsing of an attribute or a node, it must declare an XmlSnippet with an offset field set to 0. The 0 value is invalid for public GObject structure (it's the place of the GObject machinery like the reference count). The 0 offset can be used for XmlSnippet in a private structure, so never set the offset to 0 with the flag SNIPPET_PRIVATE, for a field which is parsed by your get_xmlNode virtual method.
  Other ameliorations in this commit is the possibility to set attributes with namespace when using the flags SNIPPET_ATTRIBUTE|SNIPPET_ANY. The syntax for an attribute is inspired by the element tree API from Python:
    {namespace}attribute_name
  an example:
    {http://www.w3.org/2001/XMLSchema-instance}type
  for the classic xsi:type attribute.
* [provider] fix doc comment | Benjamin Dauvergne | 2011-12-08 | 1 | -4/+3
* [id-ff] move LassoLogout to use LassoSignatureContext | Benjamin Dauvergne | 2011-12-08 | 1 | -135/+98
* [id-ff] move LassoLogin to use LassoSignatureContext | Benjamin Dauvergne | 2011-12-08 | 1 | -92/+49
* [core] rename lasso_provider_set_specific_signing_key to lasso_provider_set_server_signing_key | Benjamin Dauvergne | 2011-12-05 | 2 | -3/+3
* [core] add the HMAC-SHA1 shared secret signature method | Benjamin Dauvergne | 2011-12-05 | 1 | -1/+4
* [core] add lasso_provider_add_key to add other key for signature validation | Benjamin Dauvergne | 2011-12-05 | 2 | -0/+43
  The added key can be appended or prepended, depending on the need for the key:
  - rollover
  - improving performances (using simpler cryptographic algorithms using shared secret keys)
* [core] add method lasso_provider_set_specific_signing_key | Benjamin Dauvergne | 2011-12-05 | 2 | -0/+32
  Using this method you can specify a signing which will be used for communication with the specified provider instead of the one configured on the LassoServer object. The main objective is to allow shared secret cryptography instead of public key cryptography.
* [core] introduce the LassoSignatureContext context, to pass around signature parameters | Benjamin Dauvergne | 2011-12-05 | 5 | -30/+212
  This structure is used to pass around the signature algorithm and the signature key.
* [core] replace explicit allocation of LassoProviderPrivate by use of g_type_class_add_private | Benjamin Dauvergne | 2011-12-05 | 1 | -13/+3
  The private part is allocated contiguously to the public structure data.
* [id-ff/saml2] add a lasso_server_add_provider2 | Benjamin Dauvergne | 2011-12-05 | 2 | -0/+24
  It allows to add LassoProvider objects directly to a LassoServer object, without using the metadata loading methods.
* [core] simplify lasso_provider_load_public_key | Benjamin Dauvergne | 2011-12-05 | 1 | -9/+10
* [core] multiple decryption keys support | Benjamin Dauvergne | 2011-11-21 | 4 | -42/+38
  This commit complements the support for multiple signing certificate support in the metadata files. The use-case is still key roll-over.
  The structure LassoServerPrivateData was changed to accommodate multiple decryption keys, and so:
    xmlSecKey *encryption_private_key
  became:
    GList *encryption_private_keys
  All uses of this key were replaced by a loop over this list, terminating with the first key to be able to decrypt the content.
  The private key passed to lasso_server_new() or lasso_server_new_from_buffers() is first added to the list of decryption keys. Any other call to lasso_server_set_encryption_private_key_with_password() or lasso_server_set_encryption_private_key() will add a new key to the list.
* [core] finish transition from single encryption key to multiple ones | Benjamin Dauvergne | 2011-05-30 | 2 | -10/+9
  Some code still references provider->private->encryption_public_key, this commit makes them use lasso_provider_get_encryption_public_key().
* [core] start of support multiple keys for encryption | Benjamin Dauvergne | 2011-05-19 | 1 | -1/+1
* [core] first try at multiple signing keys support | Benjamin Dauvergne | 2011-05-19 | 2 | -116/+143
  The idea was to replace every use of an xmlSecKey* by a loop over a GList* of xmlSecKey*.
  - In the structure LassoProviderPrivate changed
      xmlSecKey*public_key -> GList* signing_public_keys
      xmlNode*signing_key_descriptor -> GList* signing_key_descriptors.
  - Renamed lasso_provider_try_loading_public_key to lasso_provider_try_loading_public_keys and changed its signature accordingly
  - Renamed lasso_provider_get_public_key to lasso_provider_get_public_keys and changed the signature accordingly.
  - Changed lasso_provider_get_encryption_public_key to return the first signing key from the list as a temporary work around. Multiple encryption keys will be supported later.
  - Changed lasso_provider_load_public_key to load keys from the passed file on the LassoProvider constructor, from every key descriptors found for signing and eventually from the key descriptor marked for encryption.
  - Every failure to load from a file or an XML KeyInfo descriptor are now reported as warning.
  - Query signature checking was completely moved to lasso_provider_verify_query_signature and lasso_provider_verify_signature now calls it.
  - lasso_provider_verify_signature is now using lasso_verify_signature from the xml/tools.o module.
  - lasso_provider_verify_single_signature was modified to support multiple signing keys.
* [utils] add macros to append to and release a list of xmlSecKey* | Benjamin Dauvergne | 2011-05-19 | 1 | -19/+1
  [core] make lasso_provider_verify_query_signature use lasso_provider_verify_signature
* [core] make LassoServerLoadMetadataFlag enum a typedef | Benjamin Dauvergne | 2011-04-20 | 2 | -4/+4
* [core] add flags parameter to lasso_server_load_metadata to tune signature checking on metadata files | Benjamin Dauvergne | 2011-04-14 | 2 | -11/+33
  The flags parameter allows to control the checking of digital signature upon EntityDescriptor and EntitiesDescriptor nodes in SAML 2.0 metadata files.
  The default behaviour is to check all found signatures and to inherit signature from EntitiesDescriptor to their children. By only enabling checking of EntityDescriptor node signatures it's also possible to only check signature at the EntityDescriptor level and so only trust individual entities and not the aggregating provider.
* [core] update documentation of lasso_server_load_metadata | Benjamin Dauvergne | 2011-04-04 | 1 | -7/+8
* [core] make lasso_server_load_metadata load any metadata file | Benjamin Dauvergne | 2011-04-04 | 1 | -1/+2
  The new code can load metadata file with a EntityDescriptor root node, and with nested EntitiesDescriptor.
  Idea and prototype by Olav Morken.
* [server] in lasso_server_load_metadata do not duplicate checks already made by lasso_verify_signature | Benjamin Dauvergne | 2011-04-04 | 1 | -7/+1
  lasso_verify_signature already checks that reference is to the given signed node, be it referenced through an ID or through an empty reference.
* [core] rename lasso_server_load_federation to lasso_server_load_metadata | Benjamin Dauvergne | 2011-04-04 | 2 | -8/+5
  The aim of this function is now to load any metadata file, and to replace completely the use of lasso_server_add_provider. The metadata content argument is replaced by a metadata file path to more closely match other APIs.
* [core] add a loaded_entity_ids output parameter to lasso_server_load_federation | Benjamin Dauvergne | 2011-03-30 | 2 | -3/+5
  It allows to know which entity has been loaded from the metadata file. It must be freed by the caller.
* [core] add a blacklisted_entity_ids parameter to lasso_server_load_federation | Benjamin Dauvergne | 2011-03-30 | 2 | -3/+5
  The goal is to prevent loading of provider known to have problems.
* [core] add a lasso_server_load_federation method | Benjamin Dauvergne | 2011-03-29 | 2 | -0/+74
  This method allows to load providers in bulk from what is called a federation file, i.e. a SAML metadata file containing declarations for more than one provider.
  Those files are usually signed to bind some trust to its content, so lasso_server_load_federation can take an optional file path to a certificate chain file used to check the signature on the given XML content. Only same document signature is accepted (i.e. there must be only one XML signature reference and it should be to the empty string meaning the « current » document).
* [core] add a private constructor to build LassoProvider object from an xmlNode | Benjamin Dauvergne | 2011-03-29 | 3 | -17/+41
  I'm not sure of the need outside lasso so I will let this method private for the moment. It's an helper method for the lasso_server_load_federation method which traverses an EntitiesDescriptor node to find all the EntityDescriptor contained inside.
* [core] add missing namespace definitions to internal objects | Benjamin Dauvergne | 2011-03-01 | 7 | -6/+31
  Identity, Lecp, Login, Logout, NameIdentifierMapping, NameRegistration, Session, AssertionQuery, Ecp and NameIdManagement objects were missing a namespace association to their GObject class. It broke when you try to dump a node created by lasso_node_new_from_dump.
* [wsf] fix wsf preprocessor conditionals | Benjamin Dauvergne | 2011-01-04 | 5 | -0/+5
* [profile] prefer to lookup the session before the identity for looking up a name identifier; | Benjamin Dauvergne | 2010-12-17 | 1 | -14/+14
* [core] check type of first argument of lasso_provider_get_assertion_consumer_url | Benjamin Dauvergne | 2010-10-09 | 1 | -1/+3