Blame SOURCES/0003-Choose-the-Reference-transform-based-on-the-chosen-S.patch

59ada4
From 9525237236eef4097300d9b6e93d2178a7a72267 Mon Sep 17 00:00:00 2001
59ada4
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
59ada4
Date: Fri, 4 Mar 2016 10:38:07 +0100
59ada4
Subject: [PATCH] Choose the Reference transform based on the chosen Signature
59ada4
 transform (fixes #10155)
59ada4
59ada4
i.e. if the signature use SHA2 then use SHA2 of the same strength for digesting
59ada4
references.
59ada4
---
59ada4
 lasso/xml/tools.c         | 41 +++++++++++++++++++++++++++++++++--------
59ada4
 tests/login_tests_saml2.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
59ada4
 2 files changed, 76 insertions(+), 10 deletions(-)
59ada4
59ada4
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
59ada4
index 0405592..cf9fe65 100644
59ada4
--- a/lasso/xml/tools.c
59ada4
+++ b/lasso/xml/tools.c
59ada4
@@ -2823,14 +2823,39 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext
59ada4
 		xmlAddChild(node, signature);
59ada4
 	}
59ada4
 
59ada4
-	/* Normally the signature is son of the signed node, which holds an Id attribute, but in
59ada4
-	 * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another
59ada4
-	 * node get_xmlNode virtual method to add the needed reference.
59ada4
-	 */
59ada4
-	uri = g_strdup_printf("#%s", id);
59ada4
-	reference = xmlSecTmplSignatureAddReference(signature,
59ada4
-			xmlSecTransformSha1Id, NULL, (xmlChar*)uri, NULL);
59ada4
-	lasso_release(uri);
59ada4
+	/* choose a digest for handling references based on the chosen signature algorithm */
59ada4
+	{
59ada4
+		xmlSecTransformId digest_method_id;
59ada4
+		switch (context.signature_method) {
59ada4
+			case LASSO_SIGNATURE_METHOD_RSA_SHA1:
59ada4
+			case LASSO_SIGNATURE_METHOD_DSA_SHA1:
59ada4
+			case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
59ada4
+				digest_method_id = xmlSecTransformSha1Id;
59ada4
+				break;
59ada4
+			case LASSO_SIGNATURE_METHOD_RSA_SHA256:
59ada4
+			case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
59ada4
+				digest_method_id = xmlSecTransformSha256Id;
59ada4
+				break;
59ada4
+			case LASSO_SIGNATURE_METHOD_RSA_SHA384:
59ada4
+			case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
59ada4
+				digest_method_id = xmlSecTransformSha384Id;
59ada4
+				break;
59ada4
+			case LASSO_SIGNATURE_METHOD_RSA_SHA512:
59ada4
+			case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
59ada4
+				digest_method_id = xmlSecTransformSha384Id;
59ada4
+				break;
59ada4
+			default:
59ada4
+				g_assert_not_reached();
59ada4
+		}
59ada4
+		/* Normally the signature is son of the signed node, which holds an Id attribute, but in
59ada4
+		 * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another
59ada4
+		 * node get_xmlNode virtual method to add the needed reference.
59ada4
+		 */
59ada4
+		uri = g_strdup_printf("#%s", id);
59ada4
+		reference = xmlSecTmplSignatureAddReference(signature, digest_method_id, NULL,
59ada4
+				(xmlChar*)uri, NULL);
59ada4
+		lasso_release(uri);
59ada4
+	}
59ada4
 
59ada4
 	/* add enveloped transform */
59ada4
 	xmlSecTmplReferenceAddTransform(reference, xmlSecTransformEnvelopedId);
59ada4
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
59ada4
index 9cd04ce..7f45099 100644
59ada4
--- a/tests/login_tests_saml2.c
59ada4
+++ b/tests/login_tests_saml2.c
59ada4
@@ -925,8 +925,10 @@ END_TEST
59ada4
 	lasso_provider_add_key(LASSO_PROVIDER(providers->data), key, FALSE); \
59ada4
 	g_list_free(providers);
59ada4
 
59ada4
+typedef void (*SsoCallback)(LassoLogin *idp_login_context, LassoLogin *sp_login_context);
59ada4
+
59ada4
 static void
59ada4
-sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context)
59ada4
+sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallback sso_callback)
59ada4
 {
59ada4
 	LassoLogin *idp_login_context;
59ada4
 	LassoLogin *sp_login_context;
59ada4
@@ -970,6 +972,10 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context)
59ada4
 				idp_login_context->parent.msg_body));
59ada4
 	check_good_rc(lasso_login_accept_sso(sp_login_context));
59ada4
 
59ada4
+	if (sso_callback) {
59ada4
+		sso_callback(idp_login_context, sp_login_context);
59ada4
+	}
59ada4
+
59ada4
 	/* Cleanup */
59ada4
 	lasso_release_gobject(idp_login_context);
59ada4
 	lasso_release_gobject(sp_login_context);
59ada4
@@ -991,8 +997,9 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures)
59ada4
 	test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key)
59ada4
 	test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key)
59ada4
 
59ada4
+
59ada4
 	block_lasso_logs;
59ada4
-	sso_initiated_by_sp(idp_context, sp_context);
59ada4
+	sso_initiated_by_sp(idp_context, sp_context, NULL);
59ada4
 	unblock_lasso_logs;
59ada4
 
59ada4
 	/* Cleanup */
59ada4
@@ -1514,6 +1521,39 @@ START_TEST(test11_ecp)
59ada4
 }
59ada4
 END_TEST
59ada4
 
59ada4
+void check_digest_method(LassoLogin *idp_login_context, LassoLogin *sp_login_context)
59ada4
+{
59ada4
+	char *dump = lasso_node_debug((LassoNode*)sp_login_context->parent.response, 10);
59ada4
+	check_true(strstr(dump, "<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>") != NULL);
59ada4
+	lasso_release_string(dump)
59ada4
+}
59ada4
+
59ada4
+START_TEST(test12_sso_sp_with_rsa_sha256_signatures)
59ada4
+{
59ada4
+	LassoServer *idp_context = NULL;
59ada4
+	LassoServer *sp_context = NULL;
59ada4
+	GList *providers;
59ada4
+	LassoKey *key = NULL;
59ada4
+
59ada4
+	/* Create a key for signature algorithm RSA_SHA256 */
59ada4
+	key = lasso_key_new_for_signature_from_file(TESTSDATADIR "idp6-saml2/private-key.pem", NULL,
59ada4
+			LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);
59ada4
+	check_true(LASSO_IS_KEY(key));
59ada4
+
59ada4
+	test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key)
59ada4
+	test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key)
59ada4
+
59ada4
+	block_lasso_logs;
59ada4
+	sso_initiated_by_sp(idp_context, sp_context, check_digest_method);
59ada4
+	unblock_lasso_logs;
59ada4
+
59ada4
+	/* Cleanup */
59ada4
+	lasso_release_gobject(idp_context);
59ada4
+	lasso_release_gobject(sp_context);
59ada4
+	lasso_release_gobject(key);
59ada4
+}
59ada4
+END_TEST
59ada4
+
59ada4
 Suite*
59ada4
 login_saml2_suite()
59ada4
 {
59ada4
@@ -1545,6 +1585,7 @@ login_saml2_suite()
59ada4
 	tcase_add_test(tc_ecp, test09_ecp);
59ada4
 	tcase_add_test(tc_ecp, test10_ecp);
59ada4
 	tcase_add_test(tc_ecp, test11_ecp);
59ada4
+	tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures);
59ada4
 	return s;
59ada4
 }
59ada4
 
59ada4
-- 
59ada4
1.8.3.1
59ada4