xmlsec: use XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH when writing encrypted keys (#85339)
For compatibility with libxmlsec1>=1.3.0, as we do not use KeyName to reference the wrapping key: (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.
parent
66c9f50f1f
commit
21c224cfef
|
@ -154,7 +154,7 @@ lasso_xmlsec_errors_callback(const char *file G_GNUC_UNUSED, int line G_GNUC_UNU
|
|||
const char *errorObject G_GNUC_UNUSED, const char *errorSubject G_GNUC_UNUSED, int reason G_GNUC_UNUSED,
|
||||
const char *msg)
|
||||
{
|
||||
g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
|
||||
g_log("libxmlsec", G_LOG_LEVEL_INFO, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
|
||||
}
|
||||
|
||||
static int
|
||||
|
|
|
@ -44,6 +44,7 @@
|
|||
#include <xmlsec/openssl/crypto.h>
|
||||
#include <xmlsec/openssl/x509.h>
|
||||
|
||||
#include <config.h>
|
||||
#include "xml.h"
|
||||
#include "xml_enc.h"
|
||||
#include "saml_name_identifier.h"
|
||||
|
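Review bot: `#include <config.h>` is placed after the xmlsec system headers, so any configuration or feature-test macros it defines cannot influence `<xmlsec/openssl/crypto.h>` and `<xmlsec/openssl/x509.h>`; the conventional spot for a generated config header is the first include of the file. Presumably it is pulled in here so that `LASSO_XMLSEC_VERSION_NUMBER` is defined for the version guard added further down in the same file, which works, but it is fragile if config.h ever starts defining macros the library headers consult. I would move the line above the xmlsec includes, or to the top of the include list, which begins before this hunk.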
@ -620,6 +621,12 @@ lasso_node_encrypt(LassoNode *lasso_node, xmlSecKey *encryption_public_key,
|
|||
goto cleanup;
|
||||
}
|
||||
|
||||
#if LASSO_XMLSEC_VERSION_NUMBER >= 0x010300
|
||||
enc_ctx->keyInfoWriteCtx.flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;
|
||||
enc_ctx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;
|
||||
enc_ctx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;
|
||||
#endif
|
||||
|
||||
/* generate a symetric key */
|
||||
switch (encryption_sym_key_type) {
|
||||
case LASSO_ENCRYPTION_SYM_KEY_TYPE_AES_256:
|
||||
|
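Review bot: The statement `enc_ctx->keyInfoReadCtx.flags |= XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH;` appears twice in the added block, and the hunk header's +12 against -6 confirms both copies are on the new side rather than a rendering artefact; the second copy is a no-op because the flag is already set, so one of the two lines should be deleted. The `#if` block also deserves a comment saying why lax search is being re-enabled, since the default changed silently between xmlsec releases, e.g. `/* xmlsec >= 1.3 only uses keys named in KeyInfo; we emit no KeyName for the wrapping key, so allow lax lookup */`. The guard relies on `LASSO_XMLSEC_VERSION_NUMBER`, which I assume comes from the `config.h` include added earlier in this commit. lasso_node_encrypt begins before this hunk and continues past it.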
|