m_credResolver=m_app.getCredentialResolver();
if (m_credResolver) {
m_credResolver->lock();
+ const Credential* cred = nullptr;
+
// Fill in criteria to use.
to.setUsage(Credential::SIGNING_CREDENTIAL);
pair<bool,const char*> keyName = m_relyingParty->getString("keyName");
if (keyName.first)
to.getKeyNames().insert(keyName.second);
+
+ // Check for an explicit algorithm, in which case resolve a credential directly.
pair<bool,const XMLCh*> sigalg = m_relyingParty->getXMLString("signingAlg");
- if (sigalg.first)
+ if (sigalg.first) {
to.setXMLAlgorithm(sigalg.second);
- const Credential* cred = m_credResolver->resolve(&to);
+ cred = m_credResolver->resolve(&to);
+ }
+ else {
+ // Prefer credential based on peer's requirements.
+ pair<const SigningMethod*,const Credential*> p = to.getRole().getSigningMethod(*m_credResolver, to);
+ if (p.first)
+ sigalg = make_pair(true, p.first->getAlgorithm());
+ if (p.second)
+ cred = p.second;
+ }
+
// Reset criteria back.
- to.setKeyAlgorithm(nullptr);
- to.setKeySize(0);
- to.getKeyNames().clear();
+ to.reset();
if (cred) {
// Check for message.
if (sigalg.first)
sig->setSignatureAlgorithm(sigalg.second);
sigalg = m_relyingParty->getXMLString("digestAlg");
+ if (!sigalg.first) {
+ const DigestMethod* dm = to.getRole().getDigestMethod();
+ if (dm)
+ sigalg = make_pair(true, dm->getAlgorithm());
+ }
if (sigalg.first)
dynamic_cast<opensaml::ContentReference*>(sig->getContentReference())->setDigestAlgorithm(sigalg.second);
}
}
else {
- Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no signing credential supplied, leaving unsigned.");
+ Category::getInstance(SHIBSP_LOGCAT".SOAPClient").warn("no signing credential resolved, leaving message unsigned");
}
}
else {
- Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no CredentialResolver available, leaving unsigned.");
+ Category::getInstance(SHIBSP_LOGCAT".SOAPClient").warn("no CredentialResolver available, leaving unsigned");
}
}
mcc.setUsage(Credential::SIGNING_CREDENTIAL);
if (keyName.first)
mcc.getKeyNames().insert(keyName.second);
- if (sigalg.first)
+ if (sigalg.first) {
+ // Using an explicit algorithm, so resolve a credential directly.
mcc.setXMLAlgorithm(sigalg.second);
- cred = credResolver->resolve(&mcc);
+ cred = credResolver->resolve(&mcc);
+ }
+ else {
+ // Prefer credential based on peer's requirements.
+ pair<const SigningMethod*,const Credential*> p = role->getSigningMethod(*credResolver, mcc);
+ if (p.first)
+ sigalg = make_pair(true, p.first->getAlgorithm());
+ if (p.second)
+ cred = p.second;
+ }
}
else {
CredentialCriteria cc;
}
if (cred) {
// Signed request.
+ pair<bool,const XMLCh*> digalg = relyingParty->getXMLString("digestAlg");
+ if (!digalg.first && role) {
+ const DigestMethod* dm = role->getDigestMethod();
+ if (dm)
+ digalg = make_pair(true, dm->getAlgorithm());
+ }
return encoder.encode(
httpResponse,
msg,
&application,
cred,
sigalg.second,
- relyingParty->getXMLString("digestAlg").second
+ (digalg.first ? digalg.second : nullptr)
);
}
else {
projects / shibboleth / sp.git / commitdiff