save_LIBS="$LIBS"
LIBS="$XMLSEC_LIBS $LIBS"
-AC_CHECK_HEADER([xsec/utils/XSECPlatformUtils.hpp],,AC_MSG_ERROR([unable to find XML-Security header files]))
-AC_MSG_CHECKING([XML-Security version])
+AC_CHECK_HEADER([xsec/utils/XSECPlatformUtils.hpp],,AC_MSG_ERROR([unable to find XML-Security-C header files]))
+AC_MSG_CHECKING([XML-Security-C version])
AC_PREPROC_IFELSE(
[AC_LANG_PROGRAM([#include <xsec/utils/XSECPlatformUtils.hpp>],
[#if XSEC_VERSION_MAJOR > 1 || (XSEC_VERSION_MAJOR == 1 && XSEC_VERSION_MEDIUM > 3)
#error need version 1.4.0 or later
#endif])],
[AC_MSG_RESULT(OK)],
- [AC_MSG_FAILURE([XML-Security version 1.4.0 or greater is required.])])
+ [AC_MSG_FAILURE([XML-Security-C version 1.4.0 or greater is required.])])
AC_TRY_LINK(
[#include <xsec/utils/XSECPlatformUtils.hpp>],
[XSECPlatformUtils::Initialise()],,
[AC_MSG_ERROR([unable to link with XML-Security])])
+
+AC_MSG_CHECKING([whether XML-Security-C supports white/blacklisting of algorithms])
+AC_TRY_COMPILE([#include <xsec/framework/XSECAlgorithmMapper.hpp>],
+ [XSECAlgorithmMapper* mapper; mapper->whitelistAlgorithm(NULL);],
+ [AC_MSG_RESULT([yes])]
+ [AC_DEFINE([SHIBSP_XMLSEC_WHITELISTING], [1], [Define to 1 if XML-Security-C supports white/blacklisting algorithms.])],
+ [AC_MSG_RESULT([no])])
+
+
# restore master libs
LIBS="$save_LIBS"
/*
- * Copyright 2001-2009 Internet2
+ * Copyright 2001-2010 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
# include <xmltooling/security/TrustEngine.h>
# include <xmltooling/util/ReplayCache.h>
# include <xmltooling/util/StorageService.h>
+# include <xercesc/util/XMLStringTokenizer.hpp>
+# include <xsec/utils/XSECPlatformUtils.hpp>
using namespace opensaml::saml2;
using namespace opensaml::saml2p;
using namespace opensaml::saml2md;
#pragma warning( pop )
#endif
+ static const XMLCh AlgorithmBlacklist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t);
+ static const XMLCh AlgorithmWhitelist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t);
static const XMLCh ApplicationOverride[] = UNICODE_LITERAL_19(A,p,p,l,i,c,a,t,i,o,n,O,v,e,r,r,i,d,e);
static const XMLCh ApplicationDefaults[] = UNICODE_LITERAL_19(A,p,p,l,i,c,a,t,i,o,n,D,e,f,a,u,l,t,s);
static const XMLCh _ArtifactMap[] = UNICODE_LITERAL_11(A,r,t,i,f,a,c,t,M,a,p);
throw ConfigurationException("Can't build SessionCache, missing conf:SessionCache element?");
}
}
+
+#ifndef SHIBSP_LITE
+ child = XMLHelper::getLastChildElement(e, SecurityPolicies);
+ if (child) {
+ const XMLCh* algs = NULL;
+ const DOMElement* alglist = XMLHelper::getLastChildElement(child, AlgorithmBlacklist);
+ if (alglist && alglist->hasChildNodes()) {
+ algs = alglist->getFirstChild()->getNodeValue();
+ }
+ else if ((alglist = XMLHelper::getLastChildElement(child, AlgorithmWhitelist)) && alglist->hasChildNodes()) {
+ algs = alglist->getFirstChild()->getNodeValue();
+ }
+ if (algs) {
+#ifdef SHIBSP_XMLSEC_WHITELISTING
+ const XMLCh* token;
+ XMLStringTokenizer tokenizer(algs);
+ while (tokenizer.hasMoreTokens()) {
+ token = tokenizer.nextToken();
+ if (token) {
+ if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist))
+ XSECPlatformUtils::blacklistAlgorithm(token);
+ else
+ XSECPlatformUtils::whitelistAlgorithm(token);
+ }
+ }
+#else
+ log.fatal("XML-Security-C library prior to 1.6.0 does not support algorithm white/blacklists");
+ throw ConfigurationException("XML-Security-C library prior to 1.6.0 does not support algorithm white/blacklists.");
+#endif
+ }
+ }
+#endif
} // end of first-time-only stuff
// Back to the fully dynamic stuff...next up is the RequestMapper.