saml2/binding/impl/SAML2SOAPEncoder.cpp \
saml2/binding/impl/SAML2SOAPClient.cpp \
saml2/binding/impl/SAML2MessageRule.cpp \
- saml2/profile/AssertionValidator.cpp \
- saml2/profile/BrowserSSOProfileValidator.cpp \
+ saml2/profile/Assertion20Validator.cpp \
+ saml2/profile/BrowserSSOProfile20Validator.cpp \
encryption/EncryptedKeyResolver.cpp \
signature/ContentReference.cpp \
signature/SignatureProfileValidator.cpp \
* @param recipientID optional entityID of message recipient
* @param relayState optional RelayState value to accompany message
* @param credential optional Credential to supply signing key
- * @param sigAlgorithm optional signature algorithm identifier
+ * @param signatureAlg optional signature algorithm identifier
+ * @param digestAlg optional reference digest algorithm identifier
*/
virtual long encode(
GenericResponse& genericResponse,
const char* recipientID=NULL,
const char* relayState=NULL,
const xmltooling::Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const=0;
protected:
auto_ptr<KeyInfo> kjanitor(keyInfo);
auto_ptr_XMLCh alg(sigAlgorithm);
- // Set up criteria object, including peer name to enforce cert name checking.
+ // Set up criteria object.
MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
- auto_ptr_char pn(policy.getIssuer()->getName());
- cc.setPeerName(pn.get());
- cc.setKeyAlgorithm(sigAlgorithm);
+ cc.setXMLAlgorithm(alg.get());
if (!policy.getTrustEngine()->validate(alg.get(), signature, keyInfo, input.c_str(), input.length(), *(policy.getMetadataProvider()), &cc)) {
log.error("unable to verify message signature with supplied trust engine");
return;
}
- // Set up criteria object, including peer name to enforce cert name checking.
+ // Set up criteria object.
MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
- auto_ptr_char pn(policy.getIssuer()->getName());
- cc.setPeerName(pn.get());
if (!policy.getTrustEngine()->validate(*(signable->getSignature()), *(policy.getMetadataProvider()), &cc)) {
log.error("unable to verify message signature with supplied trust engine");
Name="profile"\r
>\r
<File\r
- RelativePath=".\saml2\profile\AssertionValidator.cpp"\r
+ RelativePath=".\saml2\profile\Assertion20Validator.cpp"\r
>\r
<FileConfiguration\r
Name="Debug|Win32"\r
</FileConfiguration>\r
</File>\r
<File\r
- RelativePath=".\saml2\profile\BrowserSSOProfileValidator.cpp"\r
+ RelativePath=".\saml2\profile\BrowserSSOProfile20Validator.cpp"\r
>\r
<FileConfiguration\r
Name="Debug|Win32"\r
const char* recipientID=NULL,
const char* relayState=NULL,
const Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const;
};
const char* recipientID,
const char* relayState,
const Credential* credential,
- const XMLCh* sigAlgorithm
+ const XMLCh* signatureAlg,
+ const XMLCh* digestAlg
) const
{
#ifdef _DEBUG
#include "internal.h"
#include "exceptions.h"
#include "binding/MessageEncoder.h"
+#include "signature/ContentReference.h"
#include "saml1/core/Protocols.h"
#include <fstream>
const char* recipientID=NULL,
const char* relayState=NULL,
const Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const;
protected:
const char* recipientID,
const char* relayState,
const Credential* credential,
- const XMLCh* sigAlgorithm
+ const XMLCh* signatureAlg,
+ const XMLCh* digestAlg
) const
{
#ifdef _DEBUG
// Build a Signature.
Signature* sig = SignatureBuilder::buildSignature();
response->setSignature(sig);
- if (sigAlgorithm)
- sig->setSignatureAlgorithm(sigAlgorithm);
+ if (signatureAlg)
+ sig->setSignatureAlgorithm(signatureAlg);
+ if (digestAlg) {
+ opensaml::ContentReference* cr = dynamic_cast<opensaml::ContentReference*>(sig->getContentReference());
+ if (cr)
+ cr->setDigestAlgorithm(digestAlg);
+ }
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
#include "exceptions.h"
#include "binding/HTTPResponse.h"
#include "binding/MessageEncoder.h"
+#include "signature/ContentReference.h"
#include "saml1/core/Protocols.h"
#include <sstream>
const char* recipientID=NULL,
const char* relayState=NULL,
const Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const;
};
const char* recipientID,
const char* relayState,
const Credential* credential,
- const XMLCh* sigAlgorithm
+ const XMLCh* signatureAlg,
+ const XMLCh* digestAlg
) const
{
#ifdef _DEBUG
// Build a Signature.
Signature* sig = SignatureBuilder::buildSignature();
response->setSignature(sig);
- if (sigAlgorithm)
- sig->setSignatureAlgorithm(sigAlgorithm);
+ if (signatureAlg)
+ sig->setSignatureAlgorithm(signatureAlg);
+ if (digestAlg) {
+ opensaml::ContentReference* cr = dynamic_cast<opensaml::ContentReference*>(sig->getContentReference());
+ if (cr)
+ cr->setDigestAlgorithm(digestAlg);
+ }
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
MARSHALL_INTEGER_ATTRIB(MinorVersion,MINORVERSION,NULL);
if (!m_AssertionID)
const_cast<AssertionImpl*>(this)->m_AssertionID=SAMLConfig::getConfig().generateIdentifier();
- domElement->setAttributeNS(NULL, ASSERTIONID_ATTRIB_NAME, m_AssertionID);\r
- if (*m_MinorVersion!=chDigit_0)\r
- domElement->setIdAttributeNS(NULL, ASSERTIONID_ATTRIB_NAME);\r
+ domElement->setAttributeNS(NULL, ASSERTIONID_ATTRIB_NAME, m_AssertionID);
+ if (*m_MinorVersion!=chDigit_0)
+ domElement->setIdAttributeNS(NULL, ASSERTIONID_ATTRIB_NAME);
MARSHALL_STRING_ATTRIB(Issuer,ISSUER,NULL);
if (!m_IssueInstant) {
const_cast<AssertionImpl*>(this)->m_IssueInstantEpoch=time(NULL);
MARSHALL_INTEGER_ATTRIB(MinorVersion,MINORVERSION,NULL);
if (!m_RequestID)
const_cast<RequestAbstractTypeImpl*>(this)->m_RequestID=SAMLConfig::getConfig().generateIdentifier();
- domElement->setAttributeNS(NULL, REQUESTID_ATTRIB_NAME, m_RequestID);\r
- if (*m_MinorVersion!=chDigit_0)\r
- domElement->setIdAttributeNS(NULL, REQUESTID_ATTRIB_NAME);\r
+ domElement->setAttributeNS(NULL, REQUESTID_ATTRIB_NAME, m_RequestID);
+ if (*m_MinorVersion!=chDigit_0)
+ domElement->setIdAttributeNS(NULL, REQUESTID_ATTRIB_NAME);
if (!m_IssueInstant) {
const_cast<RequestAbstractTypeImpl*>(this)->m_IssueInstantEpoch=time(NULL);
const_cast<RequestAbstractTypeImpl*>(this)->m_IssueInstant=new DateTime(m_IssueInstantEpoch);
MARSHALL_INTEGER_ATTRIB(MinorVersion,MINORVERSION,NULL);
if (!m_ResponseID)
const_cast<ResponseAbstractTypeImpl*>(this)->m_ResponseID=SAMLConfig::getConfig().generateIdentifier();
- domElement->setAttributeNS(NULL, RESPONSEID_ATTRIB_NAME, m_ResponseID);\r
- if (*m_MinorVersion!=chDigit_0)\r
- domElement->setIdAttributeNS(NULL, RESPONSEID_ATTRIB_NAME);\r
+ domElement->setAttributeNS(NULL, RESPONSEID_ATTRIB_NAME, m_ResponseID);
+ if (*m_MinorVersion!=chDigit_0)
+ domElement->setIdAttributeNS(NULL, RESPONSEID_ATTRIB_NAME);
MARSHALL_STRING_ATTRIB(InResponseTo,INRESPONSETO,NULL);
if (!m_IssueInstant) {
const_cast<ResponseAbstractTypeImpl*>(this)->m_IssueInstantEpoch=time(NULL);
const char* recipientID=NULL,
const char* relayState=NULL,
const Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const;
private:
const char* recipientID,
const char* relayState,
const Credential* credential,
- const XMLCh* sigAlgorithm
+ const XMLCh* signatureAlg,
+ const XMLCh* digestAlg
) const
{
#ifdef _DEBUG
// Build a Signature.
Signature* sig = SignatureBuilder::buildSignature();
request ? request->setSignature(sig) : response->setSignature(sig);
- if (sigAlgorithm)
- sig->setSignatureAlgorithm(sigAlgorithm);
+ if (signatureAlg)
+ sig->setSignatureAlgorithm(signatureAlg);
+ if (digestAlg) {
+ opensaml::ContentReference* cr = dynamic_cast<opensaml::ContentReference*>(sig->getContentReference());
+ if (cr)
+ cr->setDigestAlgorithm(digestAlg);
+ }
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
#include "internal.h"
#include "exceptions.h"
#include "binding/MessageEncoder.h"
+#include "signature/ContentReference.h"
#include "saml2/core/Protocols.h"
#include <fstream>
const char* recipientID=NULL,
const char* relayState=NULL,
const Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const;
private:
const char* recipientID,
const char* relayState,
const Credential* credential,
- const XMLCh* sigAlgorithm
+ const XMLCh* signatureAlg,
+ const XMLCh* digestAlg
) const
{
#ifdef _DEBUG
// Build a Signature.
Signature* sig = SignatureBuilder::buildSignature();
request ? request->setSignature(sig) : response->setSignature(sig);
- if (sigAlgorithm)
- sig->setSignatureAlgorithm(sigAlgorithm);
+ if (signatureAlg)
+ sig->setSignatureAlgorithm(signatureAlg);
+ if (digestAlg) {
+ opensaml::ContentReference* cr = dynamic_cast<opensaml::ContentReference*>(sig->getContentReference());
+ if (cr)
+ cr->setDigestAlgorithm(digestAlg);
+ }
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
string input = (request ? "SAMLRequest=" : "SAMLResponse=") + msg;
if (relayState)
input = input + "&RelayState=" + relayState;
- if (!sigAlgorithm)
- sigAlgorithm = DSIGConstants::s_unicodeStrURIRSA_SHA1;
- auto_ptr_char alg(sigAlgorithm);
+ if (!signatureAlg)
+ signatureAlg = DSIGConstants::s_unicodeStrURIRSA_SHA1;
+ auto_ptr_char alg(signatureAlg);
pmap.m_map["SigAlg"] = alg.get();
input = input + "&SigAlg=" + alg.get();
char sigbuf[1024];
memset(sigbuf,0,sizeof(sigbuf));
- Signature::createRawSignature(credential->getPrivateKey(), sigAlgorithm, input.c_str(), input.length(), sigbuf, sizeof(sigbuf)-1);
+ Signature::createRawSignature(credential->getPrivateKey(), signatureAlg, input.c_str(), input.length(), sigbuf, sizeof(sigbuf)-1);
pmap.m_map["Signature"] = sigbuf;
}
const char* recipientID=NULL,
const char* relayState=NULL,
const Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const;
};
const char* recipientID,
const char* relayState,
const Credential* credential,
- const XMLCh* sigAlgorithm
+ const XMLCh* signatureAlg,
+ const XMLCh* digestAlg
) const
{
#ifdef _DEBUG
if (credential) {
// Sign the query string after adding the algorithm.
- if (!sigAlgorithm)
- sigAlgorithm = DSIGConstants::s_unicodeStrURIRSA_SHA1;
- auto_ptr_char alg(sigAlgorithm);
+ if (!signatureAlg)
+ signatureAlg = DSIGConstants::s_unicodeStrURIRSA_SHA1;
+ auto_ptr_char alg(signatureAlg);
xmlbuf = xmlbuf + "&SigAlg=" + escaper->encode(alg.get());
char sigbuf[1024];
memset(sigbuf,0,sizeof(sigbuf));
- Signature::createRawSignature(credential->getPrivateKey(), sigAlgorithm, xmlbuf.c_str(), xmlbuf.length(), sigbuf, sizeof(sigbuf)-1);
+ Signature::createRawSignature(credential->getPrivateKey(), signatureAlg, xmlbuf.c_str(), xmlbuf.length(), sigbuf, sizeof(sigbuf)-1);
xmlbuf = xmlbuf + "&Signature=" + escaper->encode(sigbuf);
}
#include "exceptions.h"
#include "binding/HTTPResponse.h"
#include "binding/MessageEncoder.h"
+#include "signature/ContentReference.h"
#include "saml2/core/Protocols.h"
#include <sstream>
const char* recipientID=NULL,
const char* relayState=NULL,
const Credential* credential=NULL,
- const XMLCh* sigAlgorithm=NULL
+ const XMLCh* signatureAlg=NULL,
+ const XMLCh* digestAlg=NULL
) const;
};
const char* recipientID,
const char* relayState,
const Credential* credential,
- const XMLCh* sigAlgorithm
+ const XMLCh* signatureAlg,
+ const XMLCh* digestAlg
) const
{
#ifdef _DEBUG
// Build a Signature.
Signature* sig = SignatureBuilder::buildSignature();
response->setSignature(sig);
- if (sigAlgorithm)
- sig->setSignatureAlgorithm(sigAlgorithm);
+ if (signatureAlg)
+ sig->setSignatureAlgorithm(signatureAlg);
+ if (digestAlg) {
+ opensaml::ContentReference* cr = dynamic_cast<opensaml::ContentReference*>(sig->getContentReference());
+ if (cr)
+ cr->setDigestAlgorithm(digestAlg);
+ }
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
else if (criteria->getUsage()==CredentialCriteria::ENCRYPTION_CREDENTIAL && XMLString::equals(cred.first,KeyDescriptor::KEYTYPE_SIGNING))
return false;
+ const char* alg = criteria->getKeyAlgorithm();
+ if (alg && *alg) {
+ const char* alg2 = cred.second->getAlgorithm();
+ if (alg2 && *alg2) {
+ if (!XMLString::equals(alg,alg2))
+ return false;
+ }
+ }
+ if (criteria->getKeySize()>0 && cred.second->getKeySize()>0) {
+ if (criteria->getKeySize() != cred.second->getKeySize())
+ return false;
+ }
+
if (cred.second->getPublicKey()) {
// See if we have to match a specific key.
auto_ptr<Credential> critcred(
*/
/**
- * AssertionValidator.cpp
+ * Assertion20Validator.cpp
*
* SAML 2.0 basic assertion validator
*/
*/
/**
- * BrowserSSOProfileValidator.cpp
+ * BrowserSSOProfile20Validator.cpp
*
* SAML 2.0 Browser SSO Profile Assertion Validator
*/
#include <xsec/dsig/DSIGTransformC14n.hpp>
using namespace opensaml;
+using namespace xmltooling;
using namespace std;
-class _addprefix : public binary_function<DSIGTransformC14n*,string,void> {
-public:
- void operator()(DSIGTransformC14n* t, const string& s) const {
- if (s.empty())
- t->addInclusiveNamespace("#default");
- else
- t->addInclusiveNamespace(s.c_str());
- }
-};
-
void ContentReference::createReferences(DSIGSignature* sig)
{
DSIGReference* ref=NULL;
buf[1]=chNull;
XMLString::catString(buf,id);
try {
- ref=sig->createReference(buf);
+ ref=sig->createReference(buf, m_digest ? m_digest : DSIGConstants::s_unicodeStrURISHA1);
delete[] buf;
}
catch(...) {
throw;
}
}
+
ref->appendEnvelopedSignatureTransform();
- DSIGTransformC14n* c14n=ref->appendCanonicalizationTransform(CANON_C14NE_NOC);
- for_each(m_prefixes.begin(), m_prefixes.end(), bind1st(_addprefix(),c14n));
+ DSIGTransformC14n* c14n=ref->appendCanonicalizationTransform(m_c14n ? m_c14n : DSIGConstants::s_unicodeStrURIEXC_C14N_NOC);
+ if (!m_c14n || m_c14n == DSIGConstants::s_unicodeStrURIEXC_C14N_NOC || m_c14n == DSIGConstants::s_unicodeStrURIEXC_C14N_COM) {
+ //addPrefixes(m_signableObject);
+#ifdef HAVE_GOOD_STL
+ xstring prefixes;
+ for (set<xstring>::const_iterator p = m_prefixes.begin(); p!=m_prefixes.end(); ++p)
+ prefixes += *p + chSpace;
+ if (!prefixes.empty()) {
+ prefixes.erase(prefixes.begin() + prefixes.size() - 1);
+ c14n->setInclusiveNamespaces(XMLString::replicate(prefixes.c_str()));
+ }
+#else
+ for (set<string>::const_iterator p = m_prefixes.begin(); p!=m_prefixes.end(); ++p)
+ c14n->addInclusiveNamespace(p->c_str());
+#endif
+ }
+}
+
+void ContentReference::addInclusivePrefix(const XMLCh* prefix)
+{
+ static const XMLCh _default[] = { chPound, chLatin_d, chLatin_e, chLatin_f, chLatin_a, chLatin_u, chLatin_l, chLatin_t, chNull };
+
+#ifdef HAVE_GOOD_STL
+ if (prefix && *prefix)
+ m_prefixes.insert(prefix);
+ else
+ m_prefixes.insert(_default);
+#else
+ if (prefix && *prefix) {
+ auto_ptr_char p(prefix);
+ m_prefixes.insert(p.get());
+ }
+ else
+ m_prefixes.insert("#default");
+#endif
+}
+
+void ContentReference::addPrefixes(const std::set<Namespace>& namespaces)
+{
+ for (set<Namespace>::const_iterator n = namespaces.begin(); n!=namespaces.end(); ++n)
+ addInclusivePrefix(n->getNamespacePrefix());
+}
+
+void ContentReference::addPrefixes(const XMLObject& xmlObject)
+{
+ addPrefixes(xmlObject.getNamespaces());
+ const list<XMLObject*>& children = xmlObject.getOrderedChildren();
+ for (list<XMLObject*>::const_iterator child = children.begin(); child!=children.end(); ++child) {
+ if (*child)
+ addPrefixes(*(*child));
+ }
}
#define __saml_sigref_h__
#include <saml/base.h>
+#include <xmltooling/XMLObject.h>
#include <xmltooling/signature/ContentReference.h>
+#include <set>
#include <string>
namespace opensaml {
*
* @param signableObject reference to object being signed
*/
- ContentReference(const SignableObject& signableObject) : m_signableObject(signableObject) {
+ ContentReference(const SignableObject& signableObject)
+ : m_signableObject(signableObject), m_digest(NULL), m_c14n(NULL) {
}
virtual ~ContentReference() {}
virtual void createReferences(DSIGSignature* sig);
/**
- * Adds a namespace prefix for "inclusive" processing by the
+ * Adds a namespace prefix for "inclusive" processing by an
* Exclusive C14N Transform applied to the object.
* An empty string will be transformed into "#default".
*
* @param prefix the prefix to add
*/
- void addInclusivePrefix(const char* prefix) {
- m_prefixes.push_back(prefix);
+ void addInclusivePrefix(const XMLCh* prefix);
+
+ /**
+ * Sets the digest algorithm for the signature reference,
+ * using a constant.
+ *
+ * @param digest the digest algorithm
+ */
+ void setDigestAlgorithm(const XMLCh* digest) {
+ m_digest = digest;
}
- protected:
- /** Reference to object to sign. */
- const SignableObject& m_signableObject;
+ /**
+ * Sets the canonicalization method to include in the reference,
+ * using a constant.
+ *
+ * @param c14n the canonicalization method
+ */
+ void setCanonicalizationMethod(const XMLCh* c14n) {
+ m_c14n = c14n;
+ }
+
+ private:
+ void addPrefixes(const std::set<xmltooling::Namespace>& namespaces);
+ void addPrefixes(const xmltooling::XMLObject& xmlObject);
- /** Inclusive prefixes. */
- std::vector<std::string> m_prefixes;
+ const SignableObject& m_signableObject;
+#ifdef HAVE_GOOD_STL
+ std::set<xmltooling::xstring> m_prefixes;
+#else
+ std::set<std::string> m_prefixes;
+#endif
+ const XMLCh* m_digest;
+ const XMLCh* m_c14n;
};
};
SAMLConfig::getConfig().getArtifactMap()->retrieveContent(&artifact, "https://sp.example.org/");\r
Response* payload = dynamic_cast<Response*>(xmlObject);\r
TSM_ASSERT("Not a response.", payload!=NULL);\r
+\r
auto_ptr<ArtifactResponse> response(ArtifactResponseBuilder::buildArtifactResponse());\r
response->setPayload(payload);\r
Status* status = StatusBuilder::buildStatus();\r