From 9525237236eef4097300d9b6e93d2178a7a72267 Mon Sep 17 00:00:00 2001

From: Benjamin Dauvergne <bdauvergne@entrouvert.com>

Date: Fri, 4 Mar 2016 10:38:07 +0100

Subject: [PATCH] Choose the Reference transform based on the chosen Signature

 transform (fixes #10155)

i.e. if the signature use SHA2 then use SHA2 of the same strength for digesting

references.

---

 lasso/xml/tools.c         | 41 +++++++++++++++++++++++++++++++++--------

 tests/login_tests_saml2.c | 45 +++++++++++++++++++++++++++++++++++++++++++--

 2 files changed, 76 insertions(+), 10 deletions(-)

diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c

index 0405592..cf9fe65 100644

--- a/lasso/xml/tools.c

+++ b/lasso/xml/tools.c

@@ -2823,14 +2823,39 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext

 		xmlAddChild(node, signature);

 	}

-	/* Normally the signature is son of the signed node, which holds an Id attribute, but in

-	 * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another

-	 * node get_xmlNode virtual method to add the needed reference.

-	 */

-	uri = g_strdup_printf("#%s", id);

-	reference = xmlSecTmplSignatureAddReference(signature,

-			xmlSecTransformSha1Id, NULL, (xmlChar*)uri, NULL);

-	lasso_release(uri);

+	/* choose a digest for handling references based on the chosen signature algorithm */

+	{

+		xmlSecTransformId digest_method_id;

+		switch (context.signature_method) {

+			case LASSO_SIGNATURE_METHOD_RSA_SHA1:

+			case LASSO_SIGNATURE_METHOD_DSA_SHA1:

+			case LASSO_SIGNATURE_METHOD_HMAC_SHA1:

+				digest_method_id = xmlSecTransformSha1Id;

+				break;

+			case LASSO_SIGNATURE_METHOD_RSA_SHA256:

+			case LASSO_SIGNATURE_METHOD_HMAC_SHA256:

+				digest_method_id = xmlSecTransformSha256Id;

+				break;

+			case LASSO_SIGNATURE_METHOD_RSA_SHA384:

+			case LASSO_SIGNATURE_METHOD_HMAC_SHA384:

+				digest_method_id = xmlSecTransformSha384Id;

+				break;

+			case LASSO_SIGNATURE_METHOD_RSA_SHA512:

+			case LASSO_SIGNATURE_METHOD_HMAC_SHA512:

+				digest_method_id = xmlSecTransformSha384Id;

+				break;

+			default:

+				g_assert_not_reached();

+		}

+		/* Normally the signature is son of the signed node, which holds an Id attribute, but in

+		 * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another

+		 * node get_xmlNode virtual method to add the needed reference.

+		 */

+		uri = g_strdup_printf("#%s", id);

+		reference = xmlSecTmplSignatureAddReference(signature, digest_method_id, NULL,

+				(xmlChar*)uri, NULL);

+		lasso_release(uri);

+	}

 	/* add enveloped transform */

 	xmlSecTmplReferenceAddTransform(reference, xmlSecTransformEnvelopedId);

diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c

index 9cd04ce..7f45099 100644

--- a/tests/login_tests_saml2.c

+++ b/tests/login_tests_saml2.c

@@ -925,8 +925,10 @@ END_TEST

 	lasso_provider_add_key(LASSO_PROVIDER(providers->data), key, FALSE); \

 	g_list_free(providers);

+typedef void (*SsoCallback)(LassoLogin *idp_login_context, LassoLogin *sp_login_context);

+

 static void

-sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context)

+sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallback sso_callback)

 {

 	LassoLogin *idp_login_context;

 	LassoLogin *sp_login_context;

@@ -970,6 +972,10 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context)

 				idp_login_context->parent.msg_body));

 	check_good_rc(lasso_login_accept_sso(sp_login_context));

+	if (sso_callback) {

+		sso_callback(idp_login_context, sp_login_context);

+	}

+

 	/* Cleanup */

 	lasso_release_gobject(idp_login_context);

 	lasso_release_gobject(sp_login_context);

@@ -991,8 +997,9 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures)

 	test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key)

 	test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key)

+

 	block_lasso_logs;

-	sso_initiated_by_sp(idp_context, sp_context);

+	sso_initiated_by_sp(idp_context, sp_context, NULL);

 	unblock_lasso_logs;

 	/* Cleanup */

@@ -1514,6 +1521,39 @@ START_TEST(test11_ecp)

 }

 END_TEST

+void check_digest_method(LassoLogin *idp_login_context, LassoLogin *sp_login_context)

+{

+	char *dump = lasso_node_debug((LassoNode*)sp_login_context->parent.response, 10);

+	check_true(strstr(dump, "<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>") != NULL);

+	lasso_release_string(dump)

+}

+

+START_TEST(test12_sso_sp_with_rsa_sha256_signatures)

+{

+	LassoServer *idp_context = NULL;

+	LassoServer *sp_context = NULL;

+	GList *providers;

+	LassoKey *key = NULL;

+

+	/* Create a key for signature algorithm RSA_SHA256 */

+	key = lasso_key_new_for_signature_from_file(TESTSDATADIR "idp6-saml2/private-key.pem", NULL,

+			LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL);

+	check_true(LASSO_IS_KEY(key));

+

+	test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key)

+	test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key)

+

+	block_lasso_logs;

+	sso_initiated_by_sp(idp_context, sp_context, check_digest_method);

+	unblock_lasso_logs;

+

+	/* Cleanup */

+	lasso_release_gobject(idp_context);

+	lasso_release_gobject(sp_context);

+	lasso_release_gobject(key);

+}

+END_TEST

+

 Suite*

 login_saml2_suite()

 {

@@ -1545,6 +1585,7 @@ login_saml2_suite()

 	tcase_add_test(tc_ecp, test09_ecp);

 	tcase_add_test(tc_ecp, test10_ecp);

 	tcase_add_test(tc_ecp, test11_ecp);

+	tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures);

 	return s;

 }

-- 

1.8.3.1