https://issues.shibboleth.net/jira/browse/SSPCPP-119
authorScott Cantor <cantor.2@osu.edu>
Tue, 15 Jul 2008 15:49:55 +0000 (15:49 +0000)
committerScott Cantor <cantor.2@osu.edu>
Tue, 15 Jul 2008 15:49:55 +0000 (15:49 +0000)
shib/BasicTrust.cpp
shib/ShibbolethTrust.cpp
xmlproviders/XMLTrust.cpp

index 195d002..de742d3 100644 (file)
@@ -25,6 +25,7 @@
 #include "internal.h"
 
 #include <openssl/x509.h>
+#include <xsec/enc/XSECCryptoException.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
@@ -117,7 +118,13 @@ bool BasicTrust::validate(void* certEE, const Iterator<void*>& certChain, const
             continue;
         Iterator<KeyInfoResolver*> resolvers(m_resolvers);
         while (resolvers.hasNext()) {
-            XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+            XSECCryptoKey* key=NULL;
+            try {
+                key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+            }
+            catch (XSECCryptoException& ex) {
+                log.error("caught an XMLSec crypto exception while resolving key: %s", ex.getMsg());
+            }
             if (key) {
                 log.debug("KeyDescriptor resolved into a key, comparing it...");
                 if (key->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
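Review bot: The new try block catches only XSECCryptoException, so if resolveKey can also report failure through XSECException (XML-Security-C's non-crypto exception type) that one still escapes validate and aborts evaluation of the remaining resolvers and KeyDescriptors; this is worth confirming against the resolver implementations in use and, if it applies, adding a second handler that logs and leaves key NULL. The same pattern is repeated in the second BasicTrust::validate hunk and in both XMLTrust.cpp hunks. A short comment on the catch, such as `// A resolver that throws is treated like one that returns no key; the next KeyDescriptor is tried.`, would make the fallthrough into `if (key)` read as intended rather than accidental. validate continues outside the hunk.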
@@ -197,7 +204,13 @@ bool BasicTrust::validate(const saml::SAMLSignedObject& token, const IRoleDescri
             continue;
         Iterator<KeyInfoResolver*> resolvers(m_resolvers);
         while (resolvers.hasNext()) {
-            XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+            XSECCryptoKey* key=NULL;
+            try {
+                key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+            }
+            catch (XSECCryptoException& ex) {
+                log.error("caught an XMLSec crypto exception while resolving key: %s", ex.getMsg());
+            }
             if (key) {
                 log.debug("KeyDescriptor resolved into a key, trying it...");
                 try {
index 3cd839d..e6ad31e 100644 (file)
@@ -28,6 +28,7 @@
 #include <openssl/x509_vfy.h>
 #include <openssl/x509v3.h>
 #include <xsec/dsig/DSIGKeyInfoX509.hpp>
+#include <xsec/enc/XSECCryptoException.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
 
 using namespace shibboleth::logging;
@@ -496,7 +497,7 @@ bool ShibbolethTrust::validate(const saml::SAMLSignedObject& token, const IRoleD
             x->loadX509Base64Bin(cert.get(),strlen(cert.get()));
             certs.push_back(x.release());
         }
-        catch (...) {
+        catch (XSECCryptoException&) {
             log.error("unable to load certificate from signature, skipping it");
         }
     }
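Review bot: Narrowing `catch (...)` to `catch (XSECCryptoException&)` means anything else thrown inside the try (whose opening is outside the hunk), including a std::bad_alloc from `certs.push_back`, now propagates out of validate instead of skipping the certificate; that is a deliberate behaviour change and should be mentioned in the commit message. Since the exception is now typed, the handler should also log its text so an operator can tell a malformed certificate in an inbound signature from a local fault: `catch (XSECCryptoException& ex) {` / `log.error("unable to load certificate from signature, skipping it: %s", ex.getMsg());`. Separately, `certs.push_back(x.release())` gives up ownership before the push, so a throwing push_back leaks the X509; `certs.push_back(x.get()); x.release();` keeps it owned until the insert has succeeded.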
index 5642ea3..2fa508a 100644 (file)
@@ -298,7 +298,13 @@ void XMLTrustImpl::init()
             }
             
             // Dry run...can we resolve to a key?
-            XSECCryptoKey* key=resolver.resolveKey(KIL);
+            XSECCryptoKey* key=NULL;
+            try {
+                key = resolver.resolveKey(KIL);
+            }
+            catch (XSECCryptoException& xe) {
+                log.error("unable to resolver key from ds:KeyInfo element (%d): %s", count, xe.getMsg());
+            }
             if (key) {
                 // So far so good, now look for the name binding(s).
                 delete key;
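Review bot: The new message `log.error("unable to resolver key from ds:KeyInfo element (%d): %s", count, xe.getMsg());` has a typo — "resolver" should be "resolve" — and the same typo is in the XMLTrust::validate hunk ("unable to resolver ds:KeyInfo element into key"). Because this runs in XMLTrustImpl::init, a ds:KeyInfo element whose resolution throws is now dropped from the loaded trust configuration with only a log line, the same outcome as resolveKey returning NULL; whether a throwing element should instead fail configuration load depends on the else branch below the hunk, but the message should at least state that the element is being skipped so the operator understands the effect on the trust set. init continues outside the hunk.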
@@ -754,7 +760,13 @@ bool XMLTrust::validate(const saml::SAMLSignedObject& token, const IRoleDescript
             // Any inline KeyInfo should ostensibly resolve to a key we can try.
             Iterator<KeyInfoResolver*> resolvers(m_resolvers);
             while (resolvers.hasNext()) {
-                XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+                XSECCryptoKey* key=NULL;
+                try {
+                    key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+                }
+                catch (XSECCryptoException& xe) {
+                    log.error("unable to resolver ds:KeyInfo element into key: %s", xe.getMsg());
+                }
                 if (key) {
                     log.debug("resolved key, trying it...");
                     try {
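Review bot: The KeyInfo resolved here is the inline ds:KeyInfo carried by the signed token (per the comment at the top of the hunk), i.e. peer-supplied data, so the new catch logs at error level once per resolver for every malformed KeyInfo a remote party sends; that reports a bad input as if it were a local fault, and warn level is the better fit, e.g. `log.warn("unable to resolve inline ds:KeyInfo element into key: %s", xe.getMsg());`. The exception-type coverage and the "resolver" typo are raised on the BasicTrust.cpp and XMLTrustImpl::init hunks respectively and apply here too. validate continues outside the hunk.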