class SHIBSP_DLLLOCAL XMLSecurityPolicyProviderImpl
{
public:
- XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log);
+ XMLSecurityPolicyProviderImpl(const DOMElement*, Category&);
~XMLSecurityPolicyProviderImpl() {
if (m_document)
m_document->release();
private:
DOMDocument* m_document;
+ bool m_includeDefaultBlacklist;
vector<xstring> m_whitelist,m_blacklist;
vector< boost::shared_ptr<SecurityPolicyRule> > m_ruleJanitor; // need this to maintain vector type in API
typedef map< string,pair< boost::shared_ptr<PropertySet>,vector<const SecurityPolicyRule*> > > policymap_t;
return i->second.second;
throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
}
+ const vector<xstring>& getDefaultAlgorithmBlacklist() const {
+ return m_impl->m_includeDefaultBlacklist ? m_defaultBlacklist : m_empty;
+ }
const vector<xstring>& getAlgorithmBlacklist() const {
return m_impl->m_blacklist;
}
private:
scoped_ptr<XMLSecurityPolicyProviderImpl> m_impl;
+ static vector<xstring> m_empty;
};
#if defined (_MSC_VER)
static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
+ static const XMLCh includeDefaultBlacklist[] = UNICODE_LITERAL_23(i,n,c,l,u,d,e,D,e,f,a,u,l,t,B,l,a,c,k,l,i,s,t);
static const XMLCh AlgorithmBlacklist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t);
static const XMLCh AlgorithmWhitelist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t);
static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);
SecurityPolicyProvider::SecurityPolicyProvider()
{
+ m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIRSA_MD5);
+ m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIMD5);
+ m_defaultBlacklist.push_back(DSIGConstants::s_unicodeStrURIRSA_1_5);
}
SecurityPolicyProvider::~SecurityPolicyProvider()
{
}
+const vector<xstring>& SecurityPolicyProvider::getDefaultAlgorithmBlacklist() const
+{
+ return m_defaultBlacklist;
+}
+
SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(
const Application& application, const xmltooling::QName* role, const char* policyId
) const
}
XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log)
- : m_document(nullptr), m_defaultPolicy(m_policyMap.end())
+ : m_document(nullptr), m_includeDefaultBlacklist(true), m_defaultPolicy(m_policyMap.end())
{
#ifdef _DEBUG
xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl");
const XMLCh* algs = nullptr;
const DOMElement* alglist = XMLHelper::getLastChildElement(e, AlgorithmBlacklist);
- if (alglist && alglist->hasChildNodes()) {
- algs = alglist->getFirstChild()->getNodeValue();
+ if (alglist) {
+ m_includeDefaultBlacklist = XMLHelper::getAttrBool(alglist, true, includeDefaultBlacklist);
+ if (alglist->hasChildNodes()) {
+ algs = alglist->getFirstChild()->getNodeValue();
+ }
}
else if ((alglist = XMLHelper::getLastChildElement(e, AlgorithmWhitelist)) && alglist->hasChildNodes()) {
algs = alglist->getFirstChild()->getNodeValue();
+ m_includeDefaultBlacklist = false;
}
if (algs) {
const XMLCh* token;
throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy.");
}
+vector<xstring> XMLSecurityPolicyProvider::m_empty;
+
pair<bool,DOMElement*> XMLSecurityPolicyProvider::load(bool backup)
{
// Load from source using base class.
}
if (first) {
- if (!m_policy->getAlgorithmBlacklist().empty()) {
+ if (!m_policy->getAlgorithmWhitelist().empty()) {
#ifdef SHIBSP_XMLSEC_WHITELISTING
- for_each(
- m_policy->getAlgorithmBlacklist().begin(), m_policy->getAlgorithmBlacklist().end(),
- boost::bind(&XSECPlatformUtils::blacklistAlgorithm, boost::bind(&xstring::c_str, _1))
- );
+ for (vector<xstring>::const_iterator white = m_policy->getAlgorithmWhitelist().begin();
+ white != m_policy->getAlgorithmWhitelist().end(); ++white) {
+ XSECPlatformUtils::whitelistAlgorithm(white->c_str());
+ auto_ptr_char whitelog(white->c_str());
+ log.info("explicitly whitelisting security algorithm (%s)", whitelog.get());
+ }
#else
log.crit("XML-Security-C library prior to 1.6.0 does not support algorithm white/blacklists");
#endif
}
- else if (!m_policy->getAlgorithmWhitelist().empty()) {
+ else if (!m_policy->getDefaultAlgorithmBlacklist().empty() || !m_policy->getAlgorithmBlacklist().empty()) {
#ifdef SHIBSP_XMLSEC_WHITELISTING
- for_each(
- m_policy->getAlgorithmWhitelist().begin(), m_policy->getAlgorithmWhitelist().end(),
- boost::bind(&XSECPlatformUtils::whitelistAlgorithm, boost::bind(&xstring::c_str, _1))
- );
+ for (vector<xstring>::const_iterator black = m_policy->getDefaultAlgorithmBlacklist().begin();
+ black != m_policy->getDefaultAlgorithmBlacklist().end(); ++black) {
+ XSECPlatformUtils::blacklistAlgorithm(black->c_str());
+ auto_ptr_char blacklog(black->c_str());
+ log.info("automatically blacklisting security algorithm (%s)", blacklog.get());
+ }
+ for (vector<xstring>::const_iterator black = m_policy->getAlgorithmBlacklist().begin();
+ black != m_policy->getAlgorithmBlacklist().end(); ++black) {
+ XSECPlatformUtils::blacklistAlgorithm(black->c_str());
+ auto_ptr_char blacklog(black->c_str());
+ log.info("explicitly blacklisting security algorithm (%s)", blacklog.get());
+ }
#else
log.crit("XML-Security-C library prior to 1.6.0 does not support algorithm white/blacklists");
#endif
projects / shibboleth / sp.git / commitdiff