From de5d798e5a116d657cfeff7d276648ec595af1d2 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Mon, 25 Jul 2011 19:52:17 +0000 Subject: [PATCH] https://issues.shibboleth.net/jira/browse/CPPOST-67 --- saml/signature/ContentReference.cpp | 1 + saml/signature/SignatureProfileValidator.cpp | 31 +++++++++++++++++++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/saml/signature/ContentReference.cpp b/saml/signature/ContentReference.cpp index 320daac..e430fb4 100644 --- a/saml/signature/ContentReference.cpp +++ b/saml/signature/ContentReference.cpp @@ -69,6 +69,7 @@ ContentReference::~ContentReference() void ContentReference::createReferences(DSIGSignature* sig) { DSIGReference* ref = nullptr; + sig->setIdByAttributeName(false); const XMLCh* id=m_signableObject.getXMLID(); if (!id || !*id) ref=sig->createReference(&chNull, m_digest ? m_digest : DSIGConstants::s_unicodeStrURISHA1); // whole doc reference diff --git a/saml/signature/SignatureProfileValidator.cpp b/saml/signature/SignatureProfileValidator.cpp index 603d24b..76623a1 100644 --- a/saml/signature/SignatureProfileValidator.cpp +++ b/saml/signature/SignatureProfileValidator.cpp @@ -29,6 +29,7 @@ #include "signature/SignableObject.h" #include "signature/SignatureProfileValidator.h" +#include #include #include @@ -38,6 +39,7 @@ using namespace opensaml; using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; using namespace std; @@ -66,7 +68,14 @@ void SignatureProfileValidator::validateSignature(const Signature& sigObj) const const SignableObject* signableObj=dynamic_cast(sigObj.getParent()); if (!signableObj) throw ValidationException("Signature is not a child of a signable SAML object."); - + + if (sig->getObjectLength() != 0) { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an embedded element"); + throw ValidationException("Invalid signature profile for SAML object."); + } + + sig->setIdByAttributeName(false); + bool valid=false; DSIGReferenceList* refs=sig->getReferenceList(); if (refs && refs->getSize()==1) { @@ -83,13 +92,33 @@ void SignatureProfileValidator::validateSignature(const Signature& sigObj) const else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N && tlist->item(i)->getTransformType()!=TRANSFORM_C14N) { valid=false; + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an invalid transform"); break; } } } + + if (valid && URI && *URI) { + valid = false; + if (sigObj.getDOM() && signableObj->getDOM()) { + DOMElement* signedNode = sigObj.getDOM()->getOwnerDocument()->getElementById(ID); + if (signedNode && signedNode->isSameNode(signableObj->getDOM())) { + valid = true; + } + else { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object node"); + } + } + } + } + else { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object ID"); } } } + else { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained multiple or zero references"); + } if (!valid) throw ValidationException("Invalid signature profile for SAML object."); -- 2.1.4