The only expected decryption error is on decryption of the symmetric key
used to crypt the data. All other errors are critical and must be
logged.
Clients of lasso_node_decrypt_xmlnode can then log the decryption failure
of the symmetric key if they tried with all possible keys (key rollover
case).
add LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA for generic unrecoverable
xml decryption errors.
This commit also improved the valgrind suppression file to hide static
allocations done by the GLib type system.
This commit complements the support for multiple signing certificates
in the metadata files. The use-case is still key roll-over.
The structure LassoServerPrivateData was changed to accommodate multiple
decryption keys, and so:
xmlSecKey *encryption_private_key
became:
GList *encryption_private_keys
All uses of this key were replaced by a loop over this list, terminating
with the first key able to decrypt the content.
The private key passed to lasso_server_new() or
lasso_server_new_from_buffers() is first added to the list of decryption
keys. Any other call to
lasso_server_set_encryption_private_key_with_password() or
lasso_server_set_encryption_private_key() will add a new key to the
list.
its namespace context
and php 5.3.5
- gcc now warns when you compare a typedef to the anonymous enum which
defines it.
- some inline functions in the zend.h header do compare between signed
and unsigned char.
- it can support any content and any attribute without validation
xs:any with processContents="lax"
- added new macros SNIPPET_STRUCT_MEMBER and SNIPPET_STRUCT_MEMBER_P,
replacing the use of the G_STRUCT_MEMBER/_P macros.
- we use the GType of the class containing a given XmlSnippet to find
the proper private structure.
- added flag SNIPPET_PRIVATE to mark an XmlSnippet whose value
should be extracted from the private structure and not the public
one.
and php 5.3.5
- gcc now warns when you compare a typedef to the anonymous enum which
defines it.
- some inline functions in the zend.h header do compare between signed
and unsigned char.
LassoKeyInformationDataType
* use a direct mapping to map this class to a SubjectConfirmationData
node having the xsi:type attribute.
* overload the get_xmlNode method to add the xsi:type attribute on output.
Fixes #140.
consider the first key for id-wsf token generation
ID-WSF never contemplated the fact that sometimes key roll-over happened
(SubjectConfirmation can only contain one ds:KeyInfo), whatever...
presence of synchronous bindings
kind of node through LassoMiscTextNode
If the node has no attributes and has a simple string content, we use the
classic embedding by setting name, ns_href, ns_prefix. Otherwise the complete
xmlNode is copied.
An AttributeValue has an XSchema type of xs:any.
without error logging
When used inside lasso_node_impl_init_from_xml, the error logging is
prematurely sent, as there is a backup procedure for parsing unknown
nodes inside a SNIPPET_LIST_NODES by creating a LassoMiscTextNode
containing a copy of the parsed xmlNode child.
Some code still references provider->private->encryption_public_key; this
commit makes it use lasso_provider_get_encryption_public_key().
The idea was to replace every use of an xmlSecKey* by a loop over a
GList* of xmlSecKey*.
- In the structure LassoProviderPrivate changed
xmlSecKey*public_key -> GList* signing_public_keys
xmlNode*signing_key_descriptor -> GList* signing_key_descriptors.
- Renamed lasso_provider_try_loading_public_key to
lasso_provider_try_loading_public_keys and changed its signature
accordingly.
- Renamed lasso_provider_get_public_key to
lasso_provider_get_public_keys and changed the signature accordingly.
- Changed lasso_provider_get_encryption_public_key to return the first
signing key from the list as a temporary workaround. Multiple
encryption keys will be supported later.
- Changed lasso_provider_load_public_key to load keys from the file
passed to the LassoProvider constructor, from every key descriptor
found for signing and eventually from the key descriptor marked for
encryption.
- Every failure to load from a file or an XML KeyInfo descriptor is
now reported as a warning.
- Query signature checking was completely moved to
lasso_provider_verify_query_signature and
lasso_provider_verify_signature now calls it.
- lasso_provider_verify_signature is now using lasso_verify_signature
from the xml/tools.o module.
- lasso_provider_verify_single_signature was modified to support
multiple signing keys.
[core] make lasso_provider_verify_query_signature use lasso_provider_verify_signature
The servicepoints and roles arrays did not match the provider role
enumerations.
lasso_saml20_login_process_response_status_and_assertion does analyze
the response status code for login-specific error codes; if the generic
processing from lasso_saml20_profile_process_any_response returns a
status of "response is not success", we must continue processing.
LASSO_PROFILE_ERROR_REQUEST_DENIED as error
checking on metadata files
The flags parameter allows controlling the checking of digital signatures
upon EntityDescriptor and EntitiesDescriptor nodes in SAML 2.0 metadata
files.
The default behaviour is to check all found signatures and to inherit
signatures from EntitiesDescriptor to their children.
By only enabling checking of EntityDescriptor node signatures it's also
possible to only check signatures at the EntityDescriptor level and so
only trust individual entities and not the aggregating provider.
The new code can load metadata files with an EntityDescriptor root node,
and with nested EntitiesDescriptor.
Idea and prototype by Olav Morken.
by lasso_verify_signature
lasso_verify_signature already checks that the reference is to the given
signed node, be it referenced through an ID or through an empty
reference.
root
An empty reference means the complete document, so the signed node is
the root element of this document. We must check that the parameter
signed_node matches our assumption.
The aim of this function is now to load any metadata file, and to
completely replace the use of lasso_server_add_provider.
The metadata content argument is replaced by a metadata file path to
more closely match other APIs.
It allows knowing which entity has been loaded from the metadata file.
It must be freed by the caller.
The goal is to prevent loading of providers known to have problems.
This method allows loading providers in bulk from what is called a
federation file, i.e. a SAML metadata file containing declarations for
more than one provider. Those files are usually signed to bind some trust
to their content, so lasso_server_load_federation can take an optional
file path to a certificate chain file used to check the signature on the
given XML content. Only same-document signatures are accepted (i.e. there
must be only one XML signature reference and it should be to the empty
string, meaning the « current » document).
I'm not sure of the need outside lasso so I will leave this method private
for the moment. It's a helper method for the
lasso_server_load_federation method which traverses an
EntitiesDescriptor node to find all the EntityDescriptor contained
inside.
It only loads one kind of provider (idp or sp). It's currently
impossible for a provider to have the two roles at the same time toward
a given LassoServer object, i.e. the current service is a service
provider or an identity provider; it cannot be both at the same time.