From 9525237236eef4097300d9b6e93d2178a7a72267 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Fri, 4 Mar 2016 10:38:07 +0100 Subject: [PATCH] Choose the Reference transform based on the chosen Signature transform (fixes #10155) i.e. if the signature use SHA2 then use SHA2 of the same strength for digesting references. --- lasso/xml/tools.c | 41 +++++++++++++++++++++++++++++++++-------- tests/login_tests_saml2.c | 45 +++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 76 insertions(+), 10 deletions(-) diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c index 0405592..cf9fe65 100644 --- a/lasso/xml/tools.c +++ b/lasso/xml/tools.c @@ -2823,14 +2823,39 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext xmlAddChild(node, signature); } - /* Normally the signature is son of the signed node, which holds an Id attribute, but in - * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another - * node get_xmlNode virtual method to add the needed reference. - */ - uri = g_strdup_printf("#%s", id); - reference = xmlSecTmplSignatureAddReference(signature, - xmlSecTransformSha1Id, NULL, (xmlChar*)uri, NULL); - lasso_release(uri); + /* choose a digest for handling references based on the chosen signature algorithm */ + { + xmlSecTransformId digest_method_id; + switch (context.signature_method) { + case LASSO_SIGNATURE_METHOD_RSA_SHA1: + case LASSO_SIGNATURE_METHOD_DSA_SHA1: + case LASSO_SIGNATURE_METHOD_HMAC_SHA1: + digest_method_id = xmlSecTransformSha1Id; + break; + case LASSO_SIGNATURE_METHOD_RSA_SHA256: + case LASSO_SIGNATURE_METHOD_HMAC_SHA256: + digest_method_id = xmlSecTransformSha256Id; + break; + case LASSO_SIGNATURE_METHOD_RSA_SHA384: + case LASSO_SIGNATURE_METHOD_HMAC_SHA384: + digest_method_id = xmlSecTransformSha384Id; + break; + case LASSO_SIGNATURE_METHOD_RSA_SHA512: + case LASSO_SIGNATURE_METHOD_HMAC_SHA512: + digest_method_id = xmlSecTransformSha384Id; + break; + default: + g_assert_not_reached(); + } + /* Normally the signature is son of the signed node, which holds an Id attribute, but in + * other cases, set snippet->offset to 0 and use xmlSecTmpSignatureAddReference from another + * node get_xmlNode virtual method to add the needed reference. + */ + uri = g_strdup_printf("#%s", id); + reference = xmlSecTmplSignatureAddReference(signature, digest_method_id, NULL, + (xmlChar*)uri, NULL); + lasso_release(uri); + } /* add enveloped transform */ xmlSecTmplReferenceAddTransform(reference, xmlSecTransformEnvelopedId); diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c index 9cd04ce..7f45099 100644 --- a/tests/login_tests_saml2.c +++ b/tests/login_tests_saml2.c @@ -925,8 +925,10 @@ END_TEST lasso_provider_add_key(LASSO_PROVIDER(providers->data), key, FALSE); \ g_list_free(providers); +typedef void (*SsoCallback)(LassoLogin *idp_login_context, LassoLogin *sp_login_context); + static void -sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context) +sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context, SsoCallback sso_callback) { LassoLogin *idp_login_context; LassoLogin *sp_login_context; @@ -970,6 +972,10 @@ sso_initiated_by_sp(LassoServer *idp_context, LassoServer *sp_context) idp_login_context->parent.msg_body)); check_good_rc(lasso_login_accept_sso(sp_login_context)); + if (sso_callback) { + sso_callback(idp_login_context, sp_login_context); + } + /* Cleanup */ lasso_release_gobject(idp_login_context); lasso_release_gobject(sp_login_context); @@ -991,8 +997,9 @@ START_TEST(test07_sso_sp_with_hmac_sha1_signatures) test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key) test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key) + block_lasso_logs; - sso_initiated_by_sp(idp_context, sp_context); + sso_initiated_by_sp(idp_context, sp_context, NULL); unblock_lasso_logs; /* Cleanup */ @@ -1514,6 +1521,39 @@ START_TEST(test11_ecp) } END_TEST +void check_digest_method(LassoLogin *idp_login_context, LassoLogin *sp_login_context) +{ + char *dump = lasso_node_debug((LassoNode*)sp_login_context->parent.response, 10); + check_true(strstr(dump, "") != NULL); + lasso_release_string(dump) +} + +START_TEST(test12_sso_sp_with_rsa_sha256_signatures) +{ + LassoServer *idp_context = NULL; + LassoServer *sp_context = NULL; + GList *providers; + LassoKey *key = NULL; + + /* Create a key for signature algorithm RSA_SHA256 */ + key = lasso_key_new_for_signature_from_file(TESTSDATADIR "idp6-saml2/private-key.pem", NULL, + LASSO_SIGNATURE_METHOD_RSA_SHA256, NULL); + check_true(LASSO_IS_KEY(key)); + + test07_make_context(idp_context, "idp6-saml2", LASSO_PROVIDER_ROLE_SP, "sp6-saml2", key) + test07_make_context(sp_context, "sp6-saml2", LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", key) + + block_lasso_logs; + sso_initiated_by_sp(idp_context, sp_context, check_digest_method); + unblock_lasso_logs; + + /* Cleanup */ + lasso_release_gobject(idp_context); + lasso_release_gobject(sp_context); + lasso_release_gobject(key); +} +END_TEST + Suite* login_saml2_suite() { @@ -1545,6 +1585,7 @@ login_saml2_suite() tcase_add_test(tc_ecp, test09_ecp); tcase_add_test(tc_ecp, test10_ecp); tcase_add_test(tc_ecp, test11_ecp); + tcase_add_test(tc_spLogin, test12_sso_sp_with_rsa_sha256_signatures); return s; } -- 1.8.3.1