From: cantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Date: Wed, 1 Sep 2010 16:35:29 +0000 (+0000)
Subject: https://bugs.internet2.edu/jira/browse/SSPCPP-304
X-Git-Tag: 2.4~29
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fsp.git;a=commitdiff_plain;h=0e20a8fb4344f2fd4ac4e27787ca4b22050db371

https://bugs.internet2.edu/jira/browse/SSPCPP-304


git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/branches/REL_2@3310 cb58f699-b61c-0410-a6fe-9272a202ed29
---

diff --git a/shibsp/binding/impl/SOAPClient.cpp b/shibsp/binding/impl/SOAPClient.cpp
index 59f72b1..dc15572 100644
--- a/shibsp/binding/impl/SOAPClient.cpp
+++ b/shibsp/binding/impl/SOAPClient.cpp
@@ -62,19 +62,31 @@ void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCre
         m_credResolver=m_app.getCredentialResolver();
         if (m_credResolver) {
             m_credResolver->lock();
+            const Credential* cred = nullptr;
+
             // Fill in criteria to use.
             to.setUsage(Credential::SIGNING_CREDENTIAL);
             pair<bool,const char*> keyName = m_relyingParty->getString("keyName");
             if (keyName.first)
                 to.getKeyNames().insert(keyName.second);
+
+            // Check for an explicit algorithm, in which case resolve a credential directly.
             pair<bool,const XMLCh*> sigalg = m_relyingParty->getXMLString("signingAlg");
-            if (sigalg.first)
+            if (sigalg.first) {
                 to.setXMLAlgorithm(sigalg.second);
-            const Credential* cred = m_credResolver->resolve(&to);
+                cred = m_credResolver->resolve(&to);
+            }
+            else {
+                // Prefer credential based on peer's requirements.
+                pair<const SigningMethod*,const Credential*> p = to.getRole().getSigningMethod(*m_credResolver, to);
+                if (p.first)
+                    sigalg = make_pair(true, p.first->getAlgorithm());
+                if (p.second)
+                    cred = p.second;
+            }
+
             // Reset criteria back.
-            to.setKeyAlgorithm(nullptr);
-            to.setKeySize(0);
-            to.getKeyNames().clear();
+            to.reset();
 
             if (cred) {
                 // Check for message.
@@ -88,6 +100,11 @@ void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCre
                         if (sigalg.first)
                             sig->setSignatureAlgorithm(sigalg.second);
                         sigalg = m_relyingParty->getXMLString("digestAlg");
+                        if (!sigalg.first) {
+                            const DigestMethod* dm = to.getRole().getDigestMethod();
+                            if (dm)
+                                sigalg = make_pair(true, dm->getAlgorithm());
+                        }
                         if (sigalg.first)
                             dynamic_cast<opensaml::ContentReference*>(sig->getContentReference())->setDigestAlgorithm(sigalg.second);
 
@@ -98,11 +115,11 @@ void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCre
                 }
             }
             else {
-                Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no signing credential supplied, leaving unsigned.");
+                Category::getInstance(SHIBSP_LOGCAT".SOAPClient").warn("no signing credential resolved, leaving message unsigned");
             }
         }
         else {
-            Category::getInstance(SHIBSP_LOGCAT".SOAPClient").error("no CredentialResolver available, leaving unsigned.");
+            Category::getInstance(SHIBSP_LOGCAT".SOAPClient").warn("no CredentialResolver available, leaving unsigned");
         }
     }
     
diff --git a/shibsp/handler/impl/AbstractHandler.cpp b/shibsp/handler/impl/AbstractHandler.cpp
index 1b2888a..da9fc01 100644
--- a/shibsp/handler/impl/AbstractHandler.cpp
+++ b/shibsp/handler/impl/AbstractHandler.cpp
@@ -461,9 +461,19 @@ long AbstractHandler::sendMessage(
                 mcc.setUsage(Credential::SIGNING_CREDENTIAL);
                 if (keyName.first)
                     mcc.getKeyNames().insert(keyName.second);
-                if (sigalg.first)
+                if (sigalg.first) {
+                    // Using an explicit algorithm, so resolve a credential directly.
                     mcc.setXMLAlgorithm(sigalg.second);
-                cred = credResolver->resolve(&mcc);
+                    cred = credResolver->resolve(&mcc);
+                }
+                else {
+                    // Prefer credential based on peer's requirements.
+                    pair<const SigningMethod*,const Credential*> p = role->getSigningMethod(*credResolver, mcc);
+                    if (p.first)
+                        sigalg = make_pair(true, p.first->getAlgorithm());
+                    if (p.second)
+                        cred = p.second;
+                }
             }
             else {
                 CredentialCriteria cc;
@@ -476,6 +486,12 @@ long AbstractHandler::sendMessage(
             }
             if (cred) {
                 // Signed request.
+                pair<bool,const XMLCh*> digalg = relyingParty->getXMLString("digestAlg");
+                if (!digalg.first && role) {
+                    const DigestMethod* dm = role->getDigestMethod();
+                    if (dm)
+                        digalg = make_pair(true, dm->getAlgorithm());
+                }
                 return encoder.encode(
                     httpResponse,
                     msg,
@@ -485,7 +501,7 @@ long AbstractHandler::sendMessage(
                     &application,
                     cred,
                     sigalg.second,
-                    relyingParty->getXMLString("digestAlg").second
+                    (digalg.first ? digalg.second : nullptr)
                     );
             }
             else {