IMPL_TYPED_CHILDREN(AuthorizationDecisionStatement, m_pos_Signature);
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
static const XMLCh MAJORVERSION[] = UNICODE_LITERAL_12(M,a,j,o,r,V,e,r,s,i,o,n);
domElement->setAttributeNS(nullptr,MAJORVERSION,XML_ONE);
IMPL_TYPED_CHILDREN(RespondWith,m_pos_Signature);
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
static const XMLCh MAJORVERSION[] = UNICODE_LITERAL_12(M,a,j,o,r,V,e,r,s,i,o,n);
domElement->setAttributeNS(nullptr,MAJORVERSION,XML_ONE);
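Review bot: The new prepareForMarshalling() at L13-16 carries no comment saying why a signed object has to pin its non-visibly-used namespaces before marshalling, and the identical four lines recur in the hunks at L23, L33, L43, L53, L63, L73, L83 and L93 (and L3 above), so any SignableObject subclass that omits the paste silently signs without an InclusiveNamespaces PrefixList for those prefixes. If the marshaller hook is virtual and SignableObject can supply it once, a single base implementation would remove that risk; whether the hierarchy allows it cannot be confirmed from these hunks. At minimum give each copy a one-line why-comment, e.g. `// Pin non-visibly-used prefixes (QName-valued content etc.) so the exclusive C14N PrefixList covers them.` The enclosing class definitions start and end outside the hunk.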
IMPL_STRING_ATTRIB(Recipient);
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
static const XMLCh MAJORVERSION[] = UNICODE_LITERAL_12(M,a,j,o,r,V,e,r,s,i,o,n);
domElement->setAttributeNS(nullptr,MAJORVERSION,XML_ONE);
IMPL_TYPED_CHILDREN(AuthzDecisionStatement, m_children.end());
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
if (!m_Version)
const_cast<AssertionImpl*>(this)->m_Version=XMLString::transcode("2.0");
IMPL_TYPED_CHILD(Extensions);
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
if (!m_Version)
const_cast<RequestAbstractTypeImpl*>(this)->m_Version=XMLString::transcode("2.0");
IMPL_TYPED_CHILD(Status);
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
if (!m_Version)
const_cast<StatusResponseTypeImpl*>(this)->m_Version=XMLString::transcode("2.0");
}
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
MARSHALL_ID_ATTRIB(ID,ID,nullptr);
MARSHALL_STRING_ATTRIB(ProtocolSupportEnumeration,PROTOCOLSUPPORTENUMERATION,nullptr);
}
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
MARSHALL_ID_ATTRIB(ID,ID,nullptr);
MARSHALL_STRING_ATTRIB(AffiliationOwnerID,AFFILIATIONOWNERID,nullptr);
}
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
MARSHALL_ID_ATTRIB(ID,ID,nullptr);
MARSHALL_STRING_ATTRIB(EntityID,ENTITYID,nullptr);
IMPL_TYPED_CHILDREN(EntitiesDescriptor,m_children.end());
protected:
+ void prepareForMarshalling() const {
+ if (m_Signature)
+ declareNonVisibleNamespaces();
+ }
+
void marshallAttributes(DOMElement* domElement) const {
MARSHALL_ID_ATTRIB(ID,ID,nullptr);
MARSHALL_STRING_ATTRIB(Name,NAME,nullptr);
using namespace xmltooling;
using namespace std;
+void SignableObject::declareNonVisibleNamespaces() const
+{
+ ContentReference* cr = getSignature() ? dynamic_cast<ContentReference*>(getSignature()->getContentReference()) : nullptr;
+
+ // Compute inclusive prefix set.
+ map<xstring,xstring> decls;
+ XMLHelper::getNonVisiblyUsedPrefixes(*this, decls);
+
+ for (map<xstring,xstring>::const_iterator decl = decls.begin(); decl != decls.end(); ++decl) {
+
+ // Pin it to the object root. An existing copy of the prefix on the root will take precedence.
+ addNamespace(Namespace(decl->second.c_str(), decl->first.c_str(), true, Namespace::NonVisiblyUsed));
+
+ // Add to content reference, if any.
+ if (cr)
+ cr->addInclusivePrefix(decl->first.c_str());
+ }
+}
+
ContentReference::ContentReference(const SignableObject& signableObject)
: m_signableObject(signableObject), m_digest(nullptr), m_c14n(nullptr)
{
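Review bot: In declareNonVisibleNamespaces() (L105) the dynamic_cast silently yields a null cr when the signature carries a ContentReference of some other type; the prefixes are then pinned to the root (L114) but never reach the inclusive prefix list (L117-118), and under exclusive C14N those declarations are not part of the signed octets, so the prefix-to-URI binding of QName-valued content (like the StatusCode subcode in the test fixture) stays uncovered by the signature. That outcome deserves at least a comment, e.g. `// Only our own ContentReference can take inclusive prefixes; otherwise the pinned declarations stay outside the exclusive C14N output.`, or a log line if the class has a logging category available. getSignature() is also evaluated twice on L105; capturing it once in a local would read cleaner. The trailing context at L122-124 belongs to a different function.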
DSIGTransformC14n* c14n=ref->appendCanonicalizationTransform(m_c14n ? m_c14n : DSIGConstants::s_unicodeStrURIEXC_C14N_NOC);
if (!m_c14n || m_c14n == DSIGConstants::s_unicodeStrURIEXC_C14N_NOC || m_c14n == DSIGConstants::s_unicodeStrURIEXC_C14N_COM) {
- // Compute inclusive prefix set.
- set<xstring> prefix_set;
- XMLHelper::getNonVisiblyUsedPrefixes(m_signableObject, prefix_set);
- prefix_set.insert(m_prefixes.begin(), m_prefixes.end());
-
// Build up the string of prefixes.
xstring prefixes;
static const XMLCh _default[] = { chPound, chLatin_d, chLatin_e, chLatin_f, chLatin_a, chLatin_u, chLatin_l, chLatin_t, chNull };
- for (set<xstring>::const_iterator p = prefix_set.begin(); p != prefix_set.end(); ++p) {
+ for (set<xstring>::const_iterator p = m_prefixes.begin(); p != m_prefixes.end(); ++p) {
prefixes += (p->empty() ? _default : p->c_str());
prefixes += chSpace;
}
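Review bot: The loop at L136 now emits only m_prefixes, and with the object scan removed the PrefixList is correct only if SignableObject::declareNonVisibleNamespaces() ran (via prepareForMarshalling) before this reference was built; a signature created over an object marshalled through another path would carry no PrefixList for its non-visibly-used prefixes. That dependency should be stated at the loop, e.g. `// m_prefixes is filled by SignableObject::declareNonVisibleNamespaces() during marshalling; the object is no longer scanned here.` The comparisons on L126 also appear to compare XMLCh* addresses rather than string contents, so a caller-supplied copy of the EXC-C14N URI would skip the PrefixList entirely; worth confirming how m_c14n is set. The enclosing function starts before L125 and continues past L139.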
protected:
SignableObject();
+
+ /**
+ * Search the object for non-visible namespaces, and pin them
+ * on the root of the object where necessary, adding them to
+ * the inclusive prefix list for signing purposes.
+ */
+ void declareNonVisibleNamespaces() const;
};
};
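Review bot: The Doxygen block at L143-147 describes what declareNonVisibleNamespaces() does but not when it must be called, nor that despite being const it adds namespace declarations to this object and inclusive prefixes to the signature's ContentReference. Add a sentence such as `Must be invoked before the Signature is computed (the prepareForMarshalling() methods added in this commit do this); modifies the object's namespace set and the signature's ContentReference even though it is const.` so subclass authors know the ordering requirement. The class declaration begins outside the hunk.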
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="1970-01-02T01:01:02.100Z" MajorVersion="1" MinorVersion="1" ResponseID="rident"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:shib="urn:mace:shibboleth" IssueInstant="1970-01-02T01:01:02.100Z" MajorVersion="1" MinorVersion="1" ResponseID="rident"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#rident">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
-<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="shib"/>
+</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-<ds:DigestValue>LLd/E9wNLNBk2y3QM5Hnus2bfbU=</ds:DigestValue>
+<ds:DigestValue>9sBlLRUZWT199jgSaCfzqSRWMTc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
-<ds:SignatureValue>sJJgyDky3ddp2PGAgBEHAl3BhPs9uI8gJSeb9NQ3C/frkX8S/maAWaX49nzncX9s
-8npru0M8CvluArgE7EtPAPoSfcT+M1nmpqn5vikkMN1V6rd7ogwTik9A/c7zv+E7
-OZwJtSDDBV7dwB3645iJUHW4SGxRyJUOiaAKHf7thwc=</ds:SignatureValue>
+<ds:SignatureValue>BpkmYve9GGRwMOUpRRnINKGhAK2mmZZSFFTImpxzD62++Kbzygg4+T6OP+5cs1BR
+wf/Ca+uuEHIeo/1MHpmqVASMfDPMY3L1M7JzZ+kAbmnywohhwtj7zMSQ8kOFRVDo
+mEbY9lFSfb7VRDMKWOGZPRAj7ezZdeXmGpdrHobrY5s=</ds:SignatureValue>
<ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName><ds:X509Data><ds:X509SubjectName>CN=sp.example.org,O=Internet2,C=US</ds:X509SubjectName><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode
-Value="samlp:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="aident"
+Value="samlp:Success"><samlp:StatusCode Value="shib:NoReally"/></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="aident"
IssueInstant="1970-01-02T01:01:02.100Z" Issuer="issuer" MajorVersion="1" MinorVersion="1"><saml:AuthenticationStatement
AuthenticationInstant="1970-01-02T01:01:02.100Z"
AuthenticationMethod="method"><saml:Subject><saml:NameIdentifier>John Doe</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
-</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>
+</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>
\ No newline at end of file
sc->setValue(&StatusCode::SUCCESS);
Status* status=StatusBuilder::buildStatus();
status->setStatusCode(sc);
+ sc = StatusCodeBuilder::buildStatusCode();
+ xmltooling::QName subcode("urn:mace:shibboleth", "NoReally", "shib");
+ sc->setValue(&subcode);
+ status->getStatusCode()->setStatusCode(sc);
auto_ptr<Response> response(ResponseBuilder::buildResponse());
response->setResponseID(rid.get());