From d6da5e628dbcb84387250ea09ba20424a08ed3b3 Mon Sep 17 00:00:00 2001
From: scantor
Date: Wed, 1 Aug 2012 04:11:06 +0000
Subject: [PATCH] Refine OAEP supporting elements when SHA-2 is off

git-svn-id: https://svn.shibboleth.net/cpp-sp/branches/REL_2@3744 cb58f699-b61c-0410-a6fe-9272a202ed29
---
 shibsp/handler/impl/MetadataGenerator.cpp | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/shibsp/handler/impl/MetadataGenerator.cpp b/shibsp/handler/impl/MetadataGenerator.cpp
index 0ccf892..d7fe13f 100644
--- a/shibsp/handler/impl/MetadataGenerator.cpp
+++ b/shibsp/handler/impl/MetadataGenerator.cpp
@@ -63,8 +63,7 @@ using namespace shibsp;
 using namespace opensaml::saml2md;
 using namespace opensaml;
 using namespace xmlsignature;
-using xmlencryption::EncryptionMethod;
-using xmlencryption::EncryptionMethodBuilder;
+using namespace xmlencryption;
 #endif
 using namespace xmltooling;
 using namespace boost;
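Review bot: Replacing the two targeted using-declarations with `using namespace xmlencryption;` is a point of style worth a second look: the file already opens `xmlsignature`, `opensaml::saml2md` and `xmltooling`, so every unqualified name used later (`DigestMethod`, `MGF`, `EncryptionMethod`) now resolves through several open namespaces, and a name added to any of them in a future library release can become an ambiguity error or a silent change of meaning. Keeping declarations for just the names this file needs, e.g. `using xmlencryption::MGF;` and `using xmlencryption::MGFBuilder;` alongside the two that were removed, keeps the dependency explicit and greppable. The `#ifndef` that the visible `#endif` closes begins before this hunk, so I am assuming the directive is still confined to the non-LITE build.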
@@ -109,6 +108,30 @@ namespace shibsp {
             );
             em->setAlgorithm(alg);
             m_encryptions.push_back(em);
+
+            if (XMLString::equals(alg, DSIGConstants::s_unicodeStrURIRSA_OAEP) ||
+                XMLString::equals(alg, DSIGConstants::s_unicodeStrURIRSA_OAEP_MGFP1)) {
+                // Check for non-support of SHA-256. This is a reasonable guess as to whether
+                // "all" standard digests and MGF variants will be supported or not, and if not, we
+                // explicitly advertise only SHA-1.
+                if (!XMLToolingConfig::getConfig().isXMLAlgorithmSupported(DSIGConstants::s_unicodeStrURISHA256, XMLToolingConfig::ALGTYPE_DIGEST)) {
+                    if (!m_digestBuilder)
+                        m_digestBuilder = XMLObjectBuilder::getBuilder(xmltooling::QName(samlconstants::SAML20MD_ALGSUPPORT_NS, DigestMethod::LOCAL_NAME));
+
+                    // Add MGF for new OAEP variant.
+                    if (XMLString::equals(alg, DSIGConstants::s_unicodeStrURIRSA_OAEP)) {
+                        MGF* mgf = MGFBuilder::buildMGF();
+                        mgf->setAlgorithm(DSIGConstants::s_unicodeStrURIMGF1_SHA1);
+                        em->getUnknownXMLObjects().push_back(mgf);
+                    }
+
+                    DigestMethod* dm = dynamic_cast(
+                        m_digestBuilder->buildObject(xmlconstants::XMLSIG_NS, DigestMethod::LOCAL_NAME, xmlconstants::XMLSIG_PREFIX)
+                    );
+                    dm->setAlgorithm(DSIGConstants::s_unicodeStrURISHA1);
+                    em->getUnknownXMLObjects().push_back(dm);
+                }
+            }
         }
     }
@@ -142,6 +165,7 @@ namespace shibsp {
         ptr_vector m_digests;
         ptr_vector m_signings;
         const XMLObjectBuilder* m_encryptionBuilder;
+        const XMLObjectBuilder* m_digestBuilder;
 #endif
     };
@@ -159,7 +183,7 @@ namespace shibsp {
 MetadataGenerator::MetadataGenerator(const DOMElement* e, const char* appId)
     : SecuredHandler(e, Category::getInstance(SHIBSP_LOGCAT".MetadataGenerator"))
 #ifndef SHIBSP_LITE
-        ,m_http(0), m_https(0), m_encryptionBuilder(nullptr)
+        ,m_http(0), m_https(0), m_encryptionBuilder(nullptr), m_digestBuilder(nullptr)
 #endif
 {
     string address(appId);
-- 
2.1.4
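Review bot: In the new block after `m_encryptions.push_back(em);`, both `m_digestBuilder` (the result of `XMLObjectBuilder::getBuilder`) and `dm` (the result of the `dynamic_cast`) are dereferenced with no null check, so a deployment with no builder registered for the ALGSUPPORT `DigestMethod` QName, or a builder that yields a different type, crashes the metadata handler rather than simply omitting the hint element, and a failed cast also leaks the object `buildObject` returned. I would guard the builder lookup and keep the built object owned until the cast succeeds, as sketched below; the `MGF` branch is fine as written since it pushes the built object straight into `em`. The enclosing function begins before this hunk, so I cannot see whether `m_encryptionBuilder` is already checked the same way earlier in it — the new guard should follow whatever convention that code uses. (The template argument of the `dynamic_cast` appears to have been stripped in this rendering; I assume it is `DigestMethod*` in the actual commit.)
```cpp
// … unchanged: OAEP algorithm check and SHA-256 support test …
if (!m_digestBuilder)
    m_digestBuilder = XMLObjectBuilder::getBuilder(xmltooling::QName(samlconstants::SAML20MD_ALGSUPPORT_NS, DigestMethod::LOCAL_NAME));
if (m_digestBuilder) {
    // … unchanged: MGF element for the newer OAEP variant …
    std::auto_ptr<XMLObject> built(
        m_digestBuilder->buildObject(xmlconstants::XMLSIG_NS, DigestMethod::LOCAL_NAME, xmlconstants::XMLSIG_PREFIX)
    );
    DigestMethod* dm = dynamic_cast<DigestMethod*>(built.get());
    if (dm) {
        dm->setAlgorithm(DSIGConstants::s_unicodeStrURISHA1);
        em->getUnknownXMLObjects().push_back(dm);
        built.release();   // ownership now belongs to em
    }
}
```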