-/*
- * Copyright 2001-2009 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
*/
/**
#include <saml/exceptions.h>
#include <saml/saml2/metadata/Metadata.h>
+#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
#include <saml/signature/ContentReference.h>
#include <xmltooling/security/Credential.h>
#include <xmltooling/signature/Signature.h>
using namespace std;
SOAPClient::SOAPClient(SecurityPolicy& policy)
- : opensaml::SOAPClient(policy), m_app(policy.getApplication()), m_relyingParty(NULL), m_credResolver(NULL)
+ : opensaml::SOAPClient(policy), m_app(policy.getApplication()), m_relyingParty(nullptr), m_credResolver(nullptr)
{
}
m_credResolver=m_app.getCredentialResolver();
if (m_credResolver) {
m_credResolver->lock();
+ const Credential* cred = nullptr;
+
// Fill in criteria to use.
to.setUsage(Credential::SIGNING_CREDENTIAL);
pair<bool,const char*> keyName = m_relyingParty->getString("keyName");
if (keyName.first)
to.getKeyNames().insert(keyName.second);
+
+ // Check for an explicit algorithm, in which case resolve a credential directly.
pair<bool,const XMLCh*> sigalg = m_relyingParty->getXMLString("signingAlg");
- if (sigalg.first)
+ if (sigalg.first) {
to.setXMLAlgorithm(sigalg.second);
- const Credential* cred = m_credResolver->resolve(&to);
+ cred = m_credResolver->resolve(&to);
+ }
+ else {
+ // Prefer credential based on peer's requirements.
+ pair<const SigningMethod*,const Credential*> p = to.getRole().getSigningMethod(*m_credResolver, to);
+ if (p.first)
+ sigalg = make_pair(true, p.first->getAlgorithm());
+ if (p.second)
+ cred = p.second;
+ }
+
// Reset criteria back.
- to.setKeyAlgorithm(NULL);
- to.setKeySize(0);
- to.getKeyNames().clear();
+ to.reset();
if (cred) {
// Check for message.
if (sigalg.first)
sig->setSignatureAlgorithm(sigalg.second);
sigalg = m_relyingParty->getXMLString("digestAlg");
+ if (!sigalg.first) {
+ const DigestMethod* dm = to.getRole().getDigestMethod();
+ if (dm)
+ sigalg = make_pair(true, dm->getAlgorithm());
+ }
if (sigalg.first)
dynamic_cast<opensaml::ContentReference*>(sig->getContentReference())->setDigestAlgorithm(sigalg.second);
// Sign it. The marshalling step in the base class should be a no-op.
vector<Signature*> sigs(1,sig);
- env.marshall((DOMDocument*)NULL,&sigs,cred);
+ env.marshall((DOMDocument*)nullptr,&sigs,cred);
}
}
}
else {
- Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no signing credential supplied, leaving unsigned.");
+ Category::getInstance(SHIBSP_LOGCAT ".SOAPClient").warn("no signing credential resolved, leaving message unsigned");
}
}
else {
- Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no CredentialResolver available, leaving unsigned.");
+ Category::getInstance(SHIBSP_LOGCAT ".SOAPClient").warn("no CredentialResolver available, leaving unsigned");
}
}
#ifdef _DEBUG
xmltooling::NDC("prepareTransport");
#endif
- Category& log=Category::getInstance(SHIBSP_LOGCAT".SOAPClient");
+ Category& log=Category::getInstance(SHIBSP_LOGCAT ".SOAPClient");
log.debug("prepping SOAP transport for use by application (%s)", m_app.getId());
pair<bool,bool> flag = m_relyingParty->getBool("requireConfidentiality");
if (http) {
flag = m_relyingParty->getBool("chunkedEncoding");
http->useChunkedEncoding(flag.first && flag.second);
- http->setRequestHeader("User-Agent", PACKAGE_NAME);
http->setRequestHeader(PACKAGE_NAME, PACKAGE_VERSION);
}
}
void SOAPClient::reset()
{
- m_relyingParty = NULL;
+ m_relyingParty = nullptr;
if (m_credResolver)
m_credResolver->unlock();
- m_credResolver = NULL;
+ m_credResolver = nullptr;
opensaml::SOAPClient::reset();
}