X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=shibsp%2Fhandler%2Fimpl%2FAbstractHandler.cpp;h=da9fc01c71024ae56d9cf5cffa31c73d9d330110;hb=97442c284593ec3def56e5006fc97125eb06909a;hp=1b2888aec8997c86bc010bbbf9167a732ad16be3;hpb=af7aef3a5b5a03cdd34180fa9df397ca8037d8e9;p=shibboleth%2Fcpp-sp.git
diff --git a/shibsp/handler/impl/AbstractHandler.cpp b/shibsp/handler/impl/AbstractHandler.cpp
index 1b2888a..da9fc01 100644
--- a/shibsp/handler/impl/AbstractHandler.cpp
+++ b/shibsp/handler/impl/AbstractHandler.cpp
@@ -461,9 +461,19 @@ long AbstractHandler::sendMessage(
 mcc.setUsage(Credential::SIGNING_CREDENTIAL);
 if (keyName.first)
 mcc.getKeyNames().insert(keyName.second);
- if (sigalg.first)
+ if (sigalg.first) {
+ // Using an explicit algorithm, so resolve a credential directly.
 mcc.setXMLAlgorithm(sigalg.second);
- cred = credResolver->resolve(&mcc);
+ cred = credResolver->resolve(&mcc);
+ }
+ else {
+ // Prefer credential based on peer's requirements.
+ pair p = role->getSigningMethod(*credResolver, mcc);
+ if (p.first)
+ sigalg = make_pair(true, p.first->getAlgorithm());
+ if (p.second)
+ cred = p.second;
+ }
 }
 else {
 CredentialCriteria cc;
@@ -476,6 +486,12 @@ long AbstractHandler::sendMessage(
 }
 if (cred) {
 // Signed request.
+ pair digalg = relyingParty->getXMLString("digestAlg");
+ if (!digalg.first && role) {
+ const DigestMethod* dm = role->getDigestMethod();
+ if (dm)
+ digalg = make_pair(true, dm->getAlgorithm());
+ }
 return encoder.encode(
 httpResponse,
 msg,
@@ -485,7 +501,7 @@ long AbstractHandler::sendMessage(
 &application,
 cred,
 sigalg.second,
- relyingParty->getXMLString("digestAlg").second
+ (digalg.first ? digalg.second : nullptr)
 );
 }
 else {
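Review bot: In the new `else` branch of the first hunk the signature algorithm is taken from the peer's metadata (`sigalg = make_pair(true, p.first->getAlgorithm())`) with no visible check against a locally accepted set, and the second hunk does the same for the digest via `role->getDigestMethod()`. Unless `getSigningMethod` and `getDigestMethod` already filter out algorithms the deployment considers too weak, which these hunks do not show, a peer advertising only a legacy algorithm would be honoured. I would state the precedence at the branch, e.g. `// Peer metadata picks the algorithm only when none is configured locally; configure one explicitly to pin it.` Separately, if `p.second` is null `cred` is left as it was, and should that be null the later `if (cred)` takes the non-signing path without a trace; a warning-level log entry there would make the downgrade visible. The enclosing `if`/`else` and the declaration of `cred` lie outside the hunk.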
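Review bot: The six lines added under `// Signed request.` in the second hunk carry no comment, while the matching branches in the first hunk do, so the order of precedence for the digest has to be read out of the condition. A one-line comment before the `if` would do: `// A configured digestAlg wins; otherwise fall back to the digest method in the peer's metadata.` The `&& role` guard also implies `role` may be null at this point, which is worth confirming against the unguarded `role->getSigningMethod(...)` in the first hunk; the branch that encloses that call is not visible here. `sendMessage` starts and ends outside the hunk.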