From 00238354a95c71fc5a9a7af1b4ec932b5afff6fa Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Sat, 21 Aug 2010 03:33:18 +0000 Subject: [PATCH] https://issues.shibboleth.net/jira/browse/CPPOST-41 --- saml/saml1/core/impl/AssertionsImpl.cpp | 5 +++++ saml/saml1/core/impl/ProtocolsImpl.cpp | 10 ++++++++++ saml/saml2/core/impl/Assertions20Impl.cpp | 5 +++++ saml/saml2/core/impl/Protocols20Impl.cpp | 10 ++++++++++ saml/saml2/metadata/impl/MetadataImpl.cpp | 20 ++++++++++++++++++++ saml/signature/ContentReference.cpp | 26 ++++++++++++++++++++------ saml/signature/SignableObject.h | 7 +++++++ samltest/data/signature/SAML1Response.xml | 18 ++++++++++-------- samltest/signature/SAML1ResponseTest.h | 4 ++++ 9 files changed, 91 insertions(+), 14 deletions(-) diff --git a/saml/saml1/core/impl/AssertionsImpl.cpp b/saml/saml1/core/impl/AssertionsImpl.cpp index bf1101e..da1134a 100644 --- a/saml/saml1/core/impl/AssertionsImpl.cpp +++ b/saml/saml1/core/impl/AssertionsImpl.cpp @@ -1063,6 +1063,11 @@ namespace opensaml { IMPL_TYPED_CHILDREN(AuthorizationDecisionStatement, m_pos_Signature); protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { static const XMLCh MAJORVERSION[] = UNICODE_LITERAL_12(M,a,j,o,r,V,e,r,s,i,o,n); domElement->setAttributeNS(nullptr,MAJORVERSION,XML_ONE); diff --git a/saml/saml1/core/impl/ProtocolsImpl.cpp b/saml/saml1/core/impl/ProtocolsImpl.cpp index 6fe96d0..d765e13 100644 --- a/saml/saml1/core/impl/ProtocolsImpl.cpp +++ b/saml/saml1/core/impl/ProtocolsImpl.cpp 
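Review bot: The new prepareForMarshalling() override carries no comment saying why namespace pinning has to happen here rather than in the signing code, and the same four lines are repeated verbatim in the other nine hunks of this patch (ProtocolsImpl.cpp, Assertions20Impl.cpp, Protocols20Impl.cpp and the four MetadataImpl.cpp hunks). A one-line comment above the call would spare the next maintainer a trip to SignableObject.h: `// Pin non-visibly used namespace prefixes to the root before the DOM is built, so the signature's PrefixList covers their declarations.` Since declareNonVisibleNamespaces() already lives on SignableObject and reads getSignature(), the override could presumably be provided once there instead of per Impl class, if SignableObject's base exposes the prepareForMarshalling() hook. The enclosing class definitions start and end outside every one of these hunks.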
@@ -388,6 +388,11 @@ namespace opensaml { IMPL_TYPED_CHILDREN(RespondWith,m_pos_Signature); protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { static const XMLCh MAJORVERSION[] = UNICODE_LITERAL_12(M,a,j,o,r,V,e,r,s,i,o,n); domElement->setAttributeNS(nullptr,MAJORVERSION,XML_ONE); @@ -732,6 +737,11 @@ namespace opensaml { IMPL_STRING_ATTRIB(Recipient); protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { static const XMLCh MAJORVERSION[] = UNICODE_LITERAL_12(M,a,j,o,r,V,e,r,s,i,o,n); domElement->setAttributeNS(nullptr,MAJORVERSION,XML_ONE); diff --git a/saml/saml2/core/impl/Assertions20Impl.cpp b/saml/saml2/core/impl/Assertions20Impl.cpp index aa3953f..798829c 100644 --- a/saml/saml2/core/impl/Assertions20Impl.cpp +++ b/saml/saml2/core/impl/Assertions20Impl.cpp @@ -1602,6 +1602,11 @@ namespace opensaml { IMPL_TYPED_CHILDREN(AuthzDecisionStatement, m_children.end()); protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { if (!m_Version) const_cast(this)->m_Version=XMLString::transcode("2.0"); diff --git a/saml/saml2/core/impl/Protocols20Impl.cpp b/saml/saml2/core/impl/Protocols20Impl.cpp index a0a4599..e1e1fa9 100644 --- a/saml/saml2/core/impl/Protocols20Impl.cpp +++ b/saml/saml2/core/impl/Protocols20Impl.cpp @@ -325,6 +325,11 @@ namespace opensaml { IMPL_TYPED_CHILD(Extensions); protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { if (!m_Version) const_cast(this)->m_Version=XMLString::transcode("2.0"); 
@@ -1087,6 +1092,11 @@ namespace opensaml { IMPL_TYPED_CHILD(Status); protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { if (!m_Version) const_cast(this)->m_Version=XMLString::transcode("2.0"); diff --git a/saml/saml2/metadata/impl/MetadataImpl.cpp b/saml/saml2/metadata/impl/MetadataImpl.cpp index d6a0cf5..958094a 100644 --- a/saml/saml2/metadata/impl/MetadataImpl.cpp +++ b/saml/saml2/metadata/impl/MetadataImpl.cpp @@ -1086,6 +1086,11 @@ namespace opensaml { } protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { MARSHALL_ID_ATTRIB(ID,ID,nullptr); MARSHALL_STRING_ATTRIB(ProtocolSupportEnumeration,PROTOCOLSUPPORTENUMERATION,nullptr); @@ -2048,6 +2053,11 @@ namespace opensaml { } protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { MARSHALL_ID_ATTRIB(ID,ID,nullptr); MARSHALL_STRING_ATTRIB(AffiliationOwnerID,AFFILIATIONOWNERID,nullptr); @@ -2291,6 +2301,11 @@ namespace opensaml { } protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { MARSHALL_ID_ATTRIB(ID,ID,nullptr); MARSHALL_STRING_ATTRIB(EntityID,ENTITYID,nullptr); @@ -2414,6 +2429,11 @@ namespace opensaml { IMPL_TYPED_CHILDREN(EntitiesDescriptor,m_children.end()); protected: + void prepareForMarshalling() const { + if (m_Signature) + declareNonVisibleNamespaces(); + } + void marshallAttributes(DOMElement* domElement) const { MARSHALL_ID_ATTRIB(ID,ID,nullptr); MARSHALL_STRING_ATTRIB(Name,NAME,nullptr); diff --git a/saml/signature/ContentReference.cpp b/saml/signature/ContentReference.cpp index 92df012..127dbbd 100644 --- a/saml/signature/ContentReference.cpp 
+++ b/saml/signature/ContentReference.cpp @@ -34,6 +34,25 @@ using namespace opensaml; using namespace xmltooling; using namespace std; +void SignableObject::declareNonVisibleNamespaces() const +{ + ContentReference* cr = getSignature() ? dynamic_cast(getSignature()->getContentReference()) : nullptr; + + // Compute inclusive prefix set. + map decls; + XMLHelper::getNonVisiblyUsedPrefixes(*this, decls); + + for (map::const_iterator decl = decls.begin(); decl != decls.end(); ++decl) { + + // Pin it to the object root. An existing copy of the prefix on the root will take precedence. + addNamespace(Namespace(decl->second.c_str(), decl->first.c_str(), true, Namespace::NonVisiblyUsed)); + + // Add to content reference, if any. + if (cr) + cr->addInclusivePrefix(decl->first.c_str()); + } +} + ContentReference::ContentReference(const SignableObject& signableObject) : m_signableObject(signableObject), m_digest(nullptr), m_c14n(nullptr) { @@ -68,15 +87,10 @@ void ContentReference::createReferences(DSIGSignature* sig) DSIGTransformC14n* c14n=ref->appendCanonicalizationTransform(m_c14n ? m_c14n : DSIGConstants::s_unicodeStrURIEXC_C14N_NOC); if (!m_c14n || m_c14n == DSIGConstants::s_unicodeStrURIEXC_C14N_NOC || m_c14n == DSIGConstants::s_unicodeStrURIEXC_C14N_COM) { - // Compute inclusive prefix set. - set prefix_set; - XMLHelper::getNonVisiblyUsedPrefixes(m_signableObject, prefix_set); - prefix_set.insert(m_prefixes.begin(), m_prefixes.end()); - // Build up the string of prefixes. xstring prefixes; static const XMLCh _default[] = { chPound, chLatin_d, chLatin_e, chLatin_f, chLatin_a, chLatin_u, chLatin_l, chLatin_t, chNull }; - for (set::const_iterator p = prefix_set.begin(); p != prefix_set.end(); ++p) { + for (set::const_iterator p = m_prefixes.begin(); p != m_prefixes.end(); ++p) { prefixes += (p->empty() ? _default : p->c_str()); prefixes += chSpace; } diff --git a/saml/signature/SignableObject.h b/saml/signature/SignableObject.h index bd57ade..b7f0b94 100644 
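Review bot: When getContentReference() is not a ContentReference the dynamic_cast yields nullptr and the loop still pins each prefix to the root but never adds it to the inclusive prefix list, with no diagnostic; under exclusive canonicalization a declaration that is only pinned and not listed is left out of the signed octets, so the binding a QName value depends on can be rebound without invalidating the signature. Either treat a null cr as an error or log it, and at minimum document the gap next to the cast: `// NOTE: a content reference that is not a ContentReference gets the declarations pinned but not listed; the signature will not cover them.` The function is also defined in ContentReference.cpp although it is a SignableObject member; keeping it with SignableObject's other definitions would make it easier to find.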
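Review bot: Dropping the getNonVisiblyUsedPrefixes() call here makes the PrefixList depend entirely on a prepareForMarshalling() override having run declareNonVisibleNamespaces() and on that call having reached this object's addInclusivePrefix(); any SignableObject that does not override the hook, or is marshalled by a path that skips it, now signs without the non-visibly used prefixes it previously got unconditionally, so the declarations those QName values rely on are no longer under the signature. If the set overload of XMLHelper::getNonVisiblyUsedPrefixes() still exists, restoring the three removed lines (the prefix_set declaration, the helper call and the insert of m_prefixes) as a fallback union and iterating prefix_set again would keep the old coverage without undoing the pinning. createReferences() starts and ends outside the hunk.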
--- a/saml/signature/SignableObject.h +++ b/saml/signature/SignableObject.h @@ -56,6 +56,13 @@ namespace opensaml { protected: SignableObject(); + + /** + * Search the object for non-visible namespaces, and pin them + * on the root of the object where necessary, adding them to + * the inclusive prefix list for signing purposes. + */ + void declareNonVisibleNamespaces() const; }; }; diff --git a/samltest/data/signature/SAML1Response.xml b/samltest/data/signature/SAML1Response.xml index ef8b263..2ddcaa7 100644 --- a/samltest/data/signature/SAML1Response.xml +++ b/samltest/data/signature/SAML1Response.xml @@ -1,19 +1,21 @@ - + - + + + -LLd/E9wNLNBk2y3QM5Hnus2bfbU= +9sBlLRUZWT199jgSaCfzqSRWMTc= -sJJgyDky3ddp2PGAgBEHAl3BhPs9uI8gJSeb9NQ3C/frkX8S/maAWaX49nzncX9s -8npru0M8CvluArgE7EtPAPoSfcT+M1nmpqn5vikkMN1V6rd7ogwTik9A/c7zv+E7 -OZwJtSDDBV7dwB3645iJUHW4SGxRyJUOiaAKHf7thwc= +BpkmYve9GGRwMOUpRRnINKGhAK2mmZZSFFTImpxzD62++Kbzygg4+T6OP+5cs1BR +wf/Ca+uuEHIeo/1MHpmqVASMfDPMY3L1M7JzZ+kAbmnywohhwtj7zMSQ8kOFRVDo +mEbY9lFSfb7VRDMKWOGZPRAj7ezZdeXmGpdrHobrY5s= sp.example.orgCN=sp.example.org,O=Internet2,C=USMIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC @@ -29,7 +31,7 @@ gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0= John Doe @@ -62,4 +64,4 @@ cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0= - + \ No newline at end of file diff --git a/samltest/signature/SAML1ResponseTest.h b/samltest/signature/SAML1ResponseTest.h index 4c4be02..033e8db 100644 --- a/samltest/signature/SAML1ResponseTest.h 
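Review bot: The new doc comment does not say when declareNonVisibleNamespaces() has to run relative to marshalling, nor that the prefix-list half is skipped when the Signature's content reference is not a ContentReference; a caller reading only this header cannot tell that the Impl classes in this patch call it from prepareForMarshalling(). Extend the comment with something like `Intended to run from prepareForMarshalling(), before the DOM is generated; prefixes are only added to the PrefixList when the Signature's content reference is a ContentReference.`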
+++ b/samltest/signature/SAML1ResponseTest.h @@ -84,6 +84,10 @@ public: sc->setValue(&StatusCode::SUCCESS); Status* status=StatusBuilder::buildStatus(); status->setStatusCode(sc); + sc = StatusCodeBuilder::buildStatusCode(); + xmltooling::QName subcode("urn:mace:shibboleth", "NoReally", "shib"); + sc->setValue(&subcode); + status->getStatusCode()->setStatusCode(sc); auto_ptr response(ResponseBuilder::buildResponse()); response->setResponseID(rid.get()); -- 2.1.4
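Review bot: The added subcode only exercises the new prefix handling if something later checks for it, and the hunk shows no assertion that the signed output lists `shib` in the InclusiveNamespaces PrefixList or declares it on the root; if the test only signs and verifies with the same library, a regression in declareNonVisibleNamespaces() would still pass because signer and verifier would agree on the same incomplete canonical form. The fixture update in this patch suggests a comparison against SAML1Response.xml further down; if so, the changed digest is the only thing pinning the new behaviour, and a direct assertion on the PrefixList would document the intent better. Also, `subcode` is a stack local passed by address where the existing call passes the static StatusCode::SUCCESS; that is safe only if setValue() copies the QName, which the hunk does not show. The test method starts and ends outside the hunk.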