Support alternate hash algorithms.
authorScott Cantor <cantor.2@osu.edu>
Mon, 2 Nov 2009 16:03:24 +0000 (16:03 +0000)
committerScott Cantor <cantor.2@osu.edu>
Mon, 2 Nov 2009 16:03:24 +0000 (16:03 +0000)
shibsp/attribute/KeyInfoAttributeDecoder.cpp
shibsp/attribute/resolver/impl/KeyDescriptorAttributeExtractor.cpp

index 17a4683..182e082 100644 (file)
@@ -55,8 +55,11 @@ namespace shibsp {
         void extract(const KeyInfo* k, vector<string>& dest) const {
             auto_ptr<Credential> cred (getKeyInfoResolver()->resolve(k, Credential::RESOLVE_KEYS));
             if (cred.get()) {
+                const char* alg = m_hashAlg.get();
+                if (!alg || !*alg)
+                    alg = "SHA1";
                 dest.push_back(string());
-                dest.back() = SecurityHelper::getDEREncoding(*cred.get(), m_hash);
+                dest.back() = SecurityHelper::getDEREncoding(*cred.get(), m_hash, true, alg);
                 if (dest.back().empty())
                     dest.pop_back();
             }
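Review bot: The three-line `hashAlg` fallback added here is repeated verbatim in the KeyDescriptorExtractor::extractAttributes hunk below, and neither site diagnoses an unrecognized algorithm name: if `getDEREncoding` returns an empty string for an unsupported `alg` (the existing `pop_back()` that follows suggests it can), the value is dropped with no log entry, so a typo in the configuration is indistinguishable from a key that could not be encoded. Resolving the name once in the constructor, where a warning can be logged, would keep both call sites in sync; at minimum replace the two `"SHA1"` literals with one shared `static const char* const DEFAULT_HASH_ALG = "SHA1";`. A comment such as `// alg comes from the hashAlg config attribute; SHA1 stays the default for compatibility with fingerprints already in use` would record why the legacy default was retained. The enclosing class body continues outside the hunk.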
@@ -67,6 +70,7 @@ namespace shibsp {
         }
 
         bool m_hash;
+        auto_ptr_char m_hashAlg;
         KeyInfoResolver* m_keyInfoResolver;
     };
 
@@ -77,10 +81,12 @@ namespace shibsp {
 
     static const XMLCh _KeyInfoResolver[] = UNICODE_LITERAL_15(K,e,y,I,n,f,o,R,e,s,o,l,v,e,r);
     static const XMLCh _hash[] =            UNICODE_LITERAL_4(h,a,s,h);
+    static const XMLCh _hashAlg[] =         UNICODE_LITERAL_7(h,a,s,h,A,l,g);
     static const XMLCh _type[] =            UNICODE_LITERAL_4(t,y,p,e);
 };
 
-KeyInfoAttributeDecoder::KeyInfoAttributeDecoder(const DOMElement* e) : AttributeDecoder(e), m_hash(false), m_keyInfoResolver(NULL) {
+KeyInfoAttributeDecoder::KeyInfoAttributeDecoder(const DOMElement* e)
+        : AttributeDecoder(e), m_hash(false), m_hashAlg(e ? e->getAttributeNS(NULL, _hashAlg) : NULL), m_keyInfoResolver(NULL) {
     const XMLCh* flag = e ? e->getAttributeNS(NULL, _hash) : NULL;
     m_hash = (flag && (*flag == chLatin_t || *flag == chDigit_1));
     e = e ? XMLHelper::getFirstChildElement(e,_KeyInfoResolver) : NULL;
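Review bot: The new `m_hashAlg` initializer on the second constructor line reads the `hashAlg` attribute unconditionally, but nothing near the member or the initializer says what an empty value means or that it is presumably only consulted when `hash` is true (the `m_hash` flag is passed alongside it in extract()). A one-line comment on the `m_hashAlg` initializer, e.g. `// hashAlg: optional digest name; empty here means the SHA1 default applied in extract()`, would make the contract visible to whoever next edits the decoder. The constructor body continues outside the hunk.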
index 415ccac..9729e82 100644 (file)
@@ -75,6 +75,7 @@ namespace shibsp {
         }
 
     private:
+        auto_ptr_char m_hashAlg;
         vector<string> m_hashId;
         vector<string> m_signingId;
         vector<string> m_encryptionId;
@@ -91,10 +92,11 @@ namespace shibsp {
 
     static const XMLCh encryptionId[] = UNICODE_LITERAL_12(e,n,c,r,y,p,t,i,o,n,I,d);
     static const XMLCh hashId[] =       UNICODE_LITERAL_6(h,a,s,h,I,d);
+    static const XMLCh hashAlg[] =      UNICODE_LITERAL_7(h,a,s,h,A,l,g);
     static const XMLCh signingId[] =    UNICODE_LITERAL_9(s,i,g,n,i,n,g,I,d);
 };
 
-KeyDescriptorExtractor::KeyDescriptorExtractor(const DOMElement* e)
+KeyDescriptorExtractor::KeyDescriptorExtractor(const DOMElement* e) : m_hashAlg(e ? e->getAttributeNS(NULL, hashAlg) : NULL)
 {
     if (e) {
         const XMLCh* a = e->getAttributeNS(NULL, hashId);
@@ -132,12 +134,15 @@ void KeyDescriptorExtractor::extractAttributes(
         mcc.setUsage(Credential::SIGNING_CREDENTIAL);
         if (application.getMetadataProvider()->resolve(creds, &mcc)) {
             if (!m_hashId.empty()) {
+                const char* alg = m_hashAlg.get();
+                if (!alg || !*alg)
+                    alg = "SHA1";
                 auto_ptr<SimpleAttribute> attr(new SimpleAttribute(m_hashId));
                 vector<string>& vals = attr->getValues();
                 for (vector<const Credential*>::const_iterator c = creds.begin(); c != creds.end(); ++c) {
                     if (vals.empty() || !vals.back().empty())
                         vals.push_back(string());
-                    vals.back() = SecurityHelper::getDEREncoding(*(*c), true);
+                    vals.back() = SecurityHelper::getDEREncoding(*(*c), true, true, alg);
                 }
                 if (vals.back().empty())
                     vals.pop_back();
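Review bot: `vals.back()` on the line after the loop is reached even when the loop pushed nothing, so if `resolve()` can report success with an empty `creds` vector this dereferences `back()` of an empty vector, which is undefined behaviour; the guard should read `if (!vals.empty() && vals.back().empty())`. The line itself predates this commit, but the new `alg` path runs straight through it, so the same change is a natural place to harden it. The `hashAlg` fallback duplicated here is covered by the note on the KeyInfoAttributeDecoder::extract hunk. extractAttributes starts and ends outside the hunk.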