Merge branch 'multi-certificates'

Benjamin Dauvergne 2011-05-23 10:53:50 +02:00
commit 8036813115
9 changed files with 423 additions and 122 deletions


@ -97,15 +97,15 @@ void _lasso_provider_add_metadata_value_for_role(LassoProvider *provider,
typedef int LassoProviderRoleIndex;
static int
lasso_provider_try_loading_public_key(LassoProvider *provider, xmlSecKeyPtr *public_key, gboolean mandatory) {
if (provider->public_key || provider->private_data->signing_key_descriptor) {
*public_key = lasso_provider_get_public_key(provider);
if (*public_key == NULL)
lasso_provider_try_loading_public_keys(LassoProvider *provider, GList **public_keys, gboolean mandatory) {
if (provider->public_key || provider->private_data->signing_key_descriptors) {
*public_keys = lasso_provider_get_public_keys(provider);
if (*public_keys == NULL)
return LASSO_DS_ERROR_PUBLIC_KEY_LOAD_FAILED;
} else {
*public_key = NULL;
*public_keys = NULL;
}
if (*public_key == NULL && mandatory)
if (*public_keys == NULL && mandatory)
return LASSO_PROVIDER_ERROR_MISSING_PUBLIC_KEY;
return 0;
}
@ -521,18 +521,18 @@ static struct XmlSnippet schema_snippets[] = {
static LassoNodeClass *parent_class = NULL;
/**
* lasso_provider_get_public_key:
* lasso_provider_get_public_keys:
* @provider: a #LassoProvider object
*
* Return the public key associated with this provider.
* Return the public keys associated with this provider.
*
* Return value: an #xmlSecKey object.
*/
xmlSecKey*
lasso_provider_get_public_key(const LassoProvider *provider)
GList*
lasso_provider_get_public_keys(const LassoProvider *provider)
{
g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
return provider->private_data->public_key;
return provider->private_data->signing_public_keys;
}
/**
@ -548,11 +548,16 @@ xmlSecKey*
lasso_provider_get_encryption_public_key(const LassoProvider *provider)
{
g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
GList *public_keys;
if (provider->private_data->encryption_public_key) {
return provider->private_data->encryption_public_key;
}
return lasso_provider_get_public_key(provider);
public_keys = lasso_provider_get_public_keys(provider);
if (! public_keys) {
return NULL;
}
return (xmlSecKey*)public_keys->data;
}
static void
@ -647,7 +652,8 @@ _lasso_provider_load_key_descriptor(LassoProvider *provider, xmlNode *key_descri
private_data = provider->private_data;
use = xmlGetProp(key_descriptor, (xmlChar*)"use");
if (use == NULL || lasso_strisequal((char *)use,"signing")) {
lasso_assign_xml_node(private_data->signing_key_descriptor, key_descriptor);
lasso_list_add_xml_node(private_data->signing_key_descriptors,
key_descriptor);
}
if (use == NULL || strcmp((char*)use, "encryption") == 0) {
lasso_assign_xml_node(private_data->encryption_key_descriptor, key_descriptor);
@ -835,14 +841,12 @@ dispose(GObject *object)
provider->private_data->default_assertion_consumer = NULL;
}
if (provider->private_data->public_key) {
xmlSecKeyDestroy(provider->private_data->public_key);
provider->private_data->public_key = NULL;
if (provider->private_data->signing_public_keys) {
lasso_release_list_of_sec_key(provider->private_data->signing_public_keys);
}
if (provider->private_data->signing_key_descriptor) {
xmlFreeNode(provider->private_data->signing_key_descriptor);
provider->private_data->signing_key_descriptor = NULL;
if (provider->private_data->signing_key_descriptors) {
lasso_release_list_of_xml_node(provider->private_data->signing_key_descriptors);
}
if (provider->private_data->encryption_key_descriptor) {
@ -898,8 +902,8 @@ instance_init(LassoProvider *provider)
provider->private_data->affiliation_id = NULL;
provider->private_data->affiliation_owner_id = NULL;
provider->private_data->organization = NULL;
provider->private_data->public_key = NULL;
provider->private_data->signing_key_descriptor = NULL;
provider->private_data->signing_public_keys = NULL;
provider->private_data->signing_key_descriptors = NULL;
provider->private_data->encryption_key_descriptor = NULL;
provider->private_data->encryption_public_key_str = NULL;
provider->private_data->encryption_public_key = NULL;
@ -1230,44 +1234,72 @@ gboolean
lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType public_key_type)
{
gchar *public_key = NULL;
GList *keys_descriptors = NULL;
xmlNode *key_descriptor = NULL;
xmlSecKey *pub_key = NULL;
GList *keys = NULL;
g_return_val_if_fail(LASSO_IS_PROVIDER(provider), FALSE);
if (public_key_type == LASSO_PUBLIC_KEY_SIGNING) {
public_key = provider->public_key;
key_descriptor = provider->private_data->signing_key_descriptor;
keys_descriptors = provider->private_data->signing_key_descriptors;
} else {
key_descriptor = provider->private_data->encryption_key_descriptor;
}
if (public_key == NULL && key_descriptor == NULL) {
if (public_key == NULL && keys_descriptors == NULL && key_descriptor == NULL) {
return TRUE;
}
if (public_key == NULL) {
pub_key = lasso_xmlsec_load_key_info(key_descriptor);
if (! pub_key) {
if (public_key != NULL) {
xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL);
if (key) {
lasso_list_add_new_sec_key(keys, key);
} else {
message(G_LOG_LEVEL_WARNING, "Could not read public key from file %s", public_key);
}
}
if (key_descriptor) {
xmlSecKey *key = lasso_xmlsec_load_key_info(key_descriptor);
if (key) {
lasso_list_add_new_sec_key(keys, key);
} else {
message(G_LOG_LEVEL_WARNING, "Could not read KeyInfo from %s KeyDescriptor", public_key_type == LASSO_PUBLIC_KEY_SIGNING ? "signing" : "encryption");
}
} else {
pub_key = lasso_xmlsec_load_private_key(public_key, NULL);
}
if (pub_key) {
if (keys_descriptors) {
lasso_foreach_full_begin(xmlNode*, key_descriptor, it, keys_descriptors);
{
xmlSecKey *key = lasso_xmlsec_load_key_info(key_descriptor);
if (key) {
lasso_list_add_new_sec_key(keys, key);
} else {
message(G_LOG_LEVEL_WARNING, "Could not read KeyInfo from %s "
"KeyDescriptor",
public_key_type == LASSO_PUBLIC_KEY_SIGNING ? "signing" :
"encryption");
}
}
lasso_foreach_full_end();
}
if (keys) {
switch (public_key_type) {
case LASSO_PUBLIC_KEY_SIGNING:
lasso_assign_new_sec_key(provider->private_data->public_key, pub_key);
lasso_transfer_full(provider->private_data->signing_public_keys, keys,
list_of_sec_key);
break;
case LASSO_PUBLIC_KEY_ENCRYPTION:
lasso_assign_new_sec_key(provider->private_data->encryption_public_key, pub_key);
lasso_assign_new_sec_key(provider->private_data->encryption_public_key,
(xmlSecKey*)keys->data);
break;
default:
xmlSecKeyDestroy(pub_key);
lasso_release_list_of_sec_key(keys);
}
return TRUE;
} else {
return FALSE;
}
return (pub_key != NULL);
}
@ -1297,9 +1329,10 @@ lasso_provider_verify_saml_signature(LassoProvider *provider,
{
const char *id_attribute_name = NULL;
const xmlChar *node_ns = NULL;
xmlSecKey *public_key = NULL;
GList *public_keys = NULL;
xmlSecKeysMngr *keys_manager = NULL;
int rc = 0;
int signature_rc = 0;
lasso_bad_param(PROVIDER, provider);
lasso_null_param(signed_node);
@ -1320,9 +1353,17 @@ lasso_provider_verify_saml_signature(LassoProvider *provider,
goto_cleanup_if_fail_with_rc(id_attribute_name, LASSO_PARAM_ERROR_INVALID_VALUE);
/* Get provider credentials */
lasso_check_good_rc(lasso_provider_try_loading_ca_cert_chain(provider, &keys_manager));
lasso_check_good_rc(lasso_provider_try_loading_public_key(provider, &public_key, keys_manager == NULL));
rc = lasso_verify_signature(signed_node, doc, id_attribute_name, keys_manager, public_key,
NO_OPTION, NULL);
lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys, keys_manager == NULL));
lasso_foreach_full_begin(xmlSecKey*, public_key, it, public_keys);
{
signature_rc = lasso_verify_signature(signed_node, doc, id_attribute_name, keys_manager, public_key,
NO_OPTION, NULL);
if (signature_rc == 0) {
break;
}
}
lasso_foreach_full_end();
rc = signature_rc;
cleanup:
lasso_release_key_manager(keys_manager);
return rc;
@ -1336,45 +1377,35 @@ lasso_provider_verify_signature(LassoProvider *provider,
* reflection about code reuse is under way...
*/
xmlDoc *doc = NULL;
xmlNode *xmlnode = NULL, *sign = NULL, *x509data = NULL;
xmlNode *xmlnode = NULL;
xmlSecKeysMngr *keys_mngr = NULL;
xmlSecDSigCtx *dsigCtx = NULL;
int rc = 0;
int signature_rc = 0;
xmlXPathContext *xpathCtx = NULL;
xmlXPathObject *xpathObj = NULL;
xmlSecKey *public_key = NULL;
GList *public_keys = NULL;
g_return_val_if_fail(LASSO_IS_PROVIDER(provider), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
if (lasso_flag_verify_signature == FALSE)
return 0;
if (message == NULL)
return LASSO_PROFILE_ERROR_INVALID_MSG;
if (format == LASSO_MESSAGE_FORMAT_ERROR)
return LASSO_PROFILE_ERROR_INVALID_MSG;
if (format == LASSO_MESSAGE_FORMAT_UNKNOWN)
return LASSO_PROFILE_ERROR_INVALID_MSG;
if (format == LASSO_MESSAGE_FORMAT_QUERY) {
lasso_check_good_rc(lasso_provider_try_loading_public_key(provider, &public_key, TRUE));
switch (lasso_provider_get_protocol_conformance(provider)) {
case LASSO_PROTOCOL_LIBERTY_1_0:
case LASSO_PROTOCOL_LIBERTY_1_1:
case LASSO_PROTOCOL_LIBERTY_1_2:
return lasso_query_verify_signature(message, public_key);
case LASSO_PROTOCOL_SAML_2_0:
return lasso_saml2_query_verify_signature(message, public_key);
default:
return LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
}
return lasso_provider_verify_query_signature(provider, message);
}
lasso_check_good_rc(lasso_provider_try_loading_ca_cert_chain(provider, &keys_mngr));
/* public key is mandatory if no keys manager is present */
lasso_check_good_rc(lasso_provider_try_loading_public_key(provider, &public_key, keys_mngr == NULL));
lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys,
keys_mngr == NULL));
if (format == LASSO_MESSAGE_FORMAT_BASE64) {
int len;
@ -1402,64 +1433,20 @@ lasso_provider_verify_signature(LassoProvider *provider,
}
sign = NULL;
for (sign = xmlnode->children; sign; sign = sign->next) {
if (strcmp((char*)sign->name, "Signature") == 0)
lasso_foreach_full_begin(xmlSecKeyPtr, public_key, it, public_keys);
{
signature_rc = lasso_verify_signature(xmlnode, doc, id_attr_name,
keys_mngr, public_key, NO_OPTION, NULL);
if (signature_rc == 0) {
break;
}
/* If no signature was found, look for one in assertion */
if (sign == NULL) {
for (sign = xmlnode->children; sign; sign = sign->next) {
if (strcmp((char*)sign->name, "Assertion") == 0)
break;
}
if (sign != NULL) {
xmlnode = sign;
for (sign = xmlnode->children; sign; sign = sign->next) {
if (strcmp((char*)sign->name, "Signature") == 0)
break;
}
}
}
goto_cleanup_if_fail_with_rc (sign != NULL, LASSO_DS_ERROR_SIGNATURE_NOT_FOUND);
if (id_attr_name) {
xmlChar *id_value = xmlGetProp(xmlnode, (xmlChar*)id_attr_name);
xmlAttr *id_attr = xmlHasProp(xmlnode, (xmlChar*)id_attr_name);
if (id_value != NULL) {
xmlAddID(NULL, doc, id_value, id_attr);
xmlFree(id_value);
}
}
x509data = xmlSecFindNode(xmlnode, xmlSecNodeX509Data, xmlSecDSigNs);
if (x509data == NULL) { /* no need for a keys mngr if there is no X509 data */
lasso_release_key_manager(keys_mngr);
}
dsigCtx = xmlSecDSigCtxCreate(keys_mngr);
if (public_key) {
dsigCtx->signKey = xmlSecKeyDuplicate(public_key);
}
goto_cleanup_if_fail_with_rc (xmlSecDSigCtxVerify(dsigCtx, sign) >= 0,
LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED);
if (dsigCtx->status != xmlSecDSigStatusSucceeded) {
rc = LASSO_DS_ERROR_INVALID_SIGNATURE;
goto cleanup;
}
lasso_foreach_full_end();
rc = signature_rc;
cleanup:
lasso_release_key_manager(keys_mngr);
lasso_release_signature_context(dsigCtx);
if (xpathCtx)
xmlXPathFreeContext(xpathCtx);
if (xpathObj)
xmlXPathFreeObject(xpathObj);
lasso_release_doc(doc);
lasso_release_xpath_job(xpathObj, xpathCtx, doc);
return rc;
}
@ -1543,23 +1530,38 @@ lasso_provider_get_encryption_sym_key_type(const LassoProvider *provider)
int
lasso_provider_verify_query_signature(LassoProvider *provider, const char *message)
{
xmlSecKey *provider_public_key;
int (*check)(const char *, const xmlSecKey *) = NULL;
int rc = 0;
int signature_rc = 0;
GList *public_keys = NULL;
lasso_bad_param(PROVIDER, provider);
lasso_check_good_rc(lasso_provider_try_loading_public_key(provider, &provider_public_key, TRUE));
g_return_val_if_fail(provider_public_key, LASSO_PROVIDER_ERROR_MISSING_PUBLIC_KEY);
lasso_null_param(message);
lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys, TRUE));
switch (lasso_provider_get_protocol_conformance(provider)) {
case LASSO_PROTOCOL_LIBERTY_1_0:
case LASSO_PROTOCOL_LIBERTY_1_1:
case LASSO_PROTOCOL_LIBERTY_1_2:
return lasso_query_verify_signature(message, provider_public_key);
check = lasso_query_verify_signature;
break;
case LASSO_PROTOCOL_SAML_2_0:
return lasso_saml2_query_verify_signature(message, provider_public_key);
check = lasso_saml2_query_verify_signature;
break;
default:
return LASSO_ERROR_UNIMPLEMENTED;
return LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE;
}
/* Check with all known signing keys... */
lasso_foreach_full_begin(xmlSecKeyPtr, public_key, it, public_keys);
{
signature_rc = check(message, public_key);
if (signature_rc == 0) {
break;
}
}
lasso_foreach_full_end();
rc = signature_rc;
cleanup:
return rc;
}
@ -1624,7 +1626,7 @@ int
lasso_provider_verify_single_node_signature (LassoProvider *provider, LassoNode *node, const char *id_attr_name)
{
xmlNode *xmlnode = NULL;
xmlSecKey *public_key = NULL;
GList *public_keys = NULL;
xmlSecKeysMngr *keys_mngr = NULL;
int rc = 0;
@ -1633,10 +1635,17 @@ lasso_provider_verify_single_node_signature (LassoProvider *provider, LassoNode
return LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED;
}
lasso_check_good_rc(lasso_provider_try_loading_ca_cert_chain(provider, &keys_mngr));
lasso_check_good_rc(lasso_provider_try_loading_public_key(provider, &public_key,
lasso_check_good_rc(lasso_provider_try_loading_public_keys(provider, &public_keys,
keys_mngr == NULL));
rc = lasso_verify_signature(xmlnode, NULL, id_attr_name, keys_mngr, public_key,
NO_SINGLE_REFERENCE, NULL);
lasso_foreach_full_begin(xmlSecKey*, public_key, it, public_keys);
{
rc = lasso_verify_signature(xmlnode, NULL, id_attr_name, keys_mngr, public_key,
NO_SINGLE_REFERENCE, NULL);
if (rc == 0)
break;
}
lasso_foreach_full_end();
cleanup:
return rc;
}
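Review bot: In lasso_provider_verify_saml_signature the loop over public_keys is the only place a signature is checked, and signature_rc starts at 0, so when public_keys is empty the function returns success without verifying anything; the same holds for lasso_provider_verify_signature (signature_rc) and lasso_provider_verify_single_node_signature (rc stays 0), assuming lasso_foreach_full_begin simply iterates the GList. That case is reachable: the list is requested with mandatory = (keys_manager == NULL), so a provider configured with only a CA certificate chain yields no key list, and the removed code handled exactly that by passing a NULL key to lasso_verify_signature (and to dsigCtx->signKey) and letting the keys manager do the work. Before each loop, fall back to the keys manager explicitly, e.g. `if (public_keys == NULL) { rc = lasso_verify_signature(signed_node, doc, id_attribute_name, keys_manager, NULL, NO_OPTION, NULL); goto cleanup; }` with the matching arguments in the other two functions, or at least initialise signature_rc to LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED so an empty list can never pass. All three functions start outside the shown hunks. Separately, the LASSO_PUBLIC_KEY_ENCRYPTION branch of lasso_provider_load_public_key takes ownership of keys->data but never frees the keys list itself, unlike the default branch.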


@ -68,11 +68,11 @@ struct _LassoProviderPrivate
char *affiliation_owner_id;
char *affiliation_id;
xmlSecKey *public_key;
xmlNode *signing_key_descriptor;
GList *signing_public_keys;
GList *signing_key_descriptors;
xmlNode *encryption_key_descriptor;
char *encryption_public_key_str;
xmlSecKey *encryption_public_key;
GList *encryption_public_keys;
LassoEncryptionMode encryption_mode;
LassoEncryptionSymKeyType encryption_sym_key_type;
char *valid_until;
@ -86,7 +86,7 @@ int lasso_provider_verify_signature(LassoProvider *provider,
const char *message, const char *id_attr_name, LassoMessageFormat format);
gboolean lasso_provider_load_public_key(LassoProvider *provider,
LassoPublicKeyType public_key_type);
xmlSecKey* lasso_provider_get_public_key(const LassoProvider *provider);
GList* lasso_provider_get_public_keys(const LassoProvider *provider);
xmlSecKey* lasso_provider_get_encryption_public_key(const LassoProvider *provider);
LassoEncryptionSymKeyType lasso_provider_get_encryption_sym_key_type(const LassoProvider* provider);
int lasso_provider_verify_saml_signature(LassoProvider *provider, xmlNode *signed_node, xmlDoc *doc);
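Review bot: The new lasso_provider_get_public_keys prototype hands callers a bare GList* with no statement of what it holds or who owns it; the implementation in provider.c returns private_data->signing_public_keys directly and dispose() frees that list with lasso_release_list_of_sec_key, so a caller that frees or edits the list will double-free. Document that on the declaration: `/* Signing keys as a GList of xmlSecKey*, owned by the provider: do not free or modify. */`. The GList *encryption_public_keys field shown as context next to it does not appear to be filled by the new loading code, which still stores only the first key in encryption_public_key, so a comment on the field (or its removal) would avoid the obvious confusion with signing_public_keys.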


@ -144,6 +144,9 @@
#define lasso_release_list_of_xml_node_list(dest) \
lasso_release_list_of_full(dest, xmlFreeNodeList)
#define lasso_release_list_of_sec_key(dest) \
lasso_release_list_of_full(dest, xmlSecKeyDestroy)
#define lasso_release_xml_node(node) \
lasso_release_full2(node, xmlFreeNode, xmlNodePtr)
@ -426,6 +429,12 @@
} \
}
#define lasso_list_add_new_sec_key(dest, src) \
{ \
xmlSecKey *__tmp_src = (src); \
lasso_list_add_non_null(dest, __tmp_src); \
}
/* List element removal */
#define lasso_list_remove_gobject(list, gobject) \
do { void *__tmp = gobject; GList **__tmp_list = &(list); \
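Review bot: lasso_list_add_new_sec_key is written as a bare `{ ... }` block while the neighbouring list macros such as lasso_list_remove_gobject use `do { ... } while (0)`; with the bare form `if (c) lasso_list_add_new_sec_key(l, k); else ...` fails to compile because of the stray semicolon, and the call sites in provider.c are safe only because they happen to be braced. Wrap it the same way: `#define lasso_list_add_new_sec_key(dest, src) do { xmlSecKey *__tmp_src = (src); lasso_list_add_non_null(dest, __tmp_src); } while (0)`. The "new" in the name suggests the list takes ownership of src, as with lasso_assign_new_sec_key; a one-line comment saying that dest now owns the key and the caller must not destroy it would make the contract explicit.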


@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
+3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
LlTxKnCrWAXftSm1rNtewTsF
-----END CERTIFICATE-----


@ -0,0 +1,85 @@
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="http://idp5/metadata">
<IDPSSODescriptor
WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor> <!-- private-key-1.pem -->
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor> <!-- private-key-2.pem -->
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://idp5/artifact" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://idp5/singleLogoutSOAP" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://idp5/singleLogout"
ResponseLocation="http://idp5/singleLogoutReturn" />
<ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://idp5/manageNameIdSOAP" />
<ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://idp5/manageNameId"
ResponseLocation="http://idp5/manageNameIdReturn" />
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://idp5/singleSignOn" />
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://idp5/singleSignOnSOAP" />
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://idp5/singleSignOnArtifact" />
</IDPSSODescriptor>
<Organization>
<OrganizationName xml:lang="en">Entr'ouvert</OrganizationName>
</Organization>
</EntityDescriptor>
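Review bot: Neither KeyDescriptor in this fixture carries a `use` attribute, and the loader in provider.c treats a missing use as both signing and encryption, so each descriptor is also assigned in turn to the single encryption_key_descriptor slot and the second certificate silently replaces the first as the encryption key. If the fixture is meant to model signing-key rollover only, mark both `<KeyDescriptor use="signing">`; if encryption is meant to be covered as well, the test should assert which of the two certificates the SP actually encrypts to, since only one survives loading.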


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -682,6 +682,123 @@ START_TEST(test04_sso_then_slo_soap)
}
END_TEST
START_TEST(test05_sso_idp_with_key_rollover)
{
LassoServer *idpContext1 = NULL;
LassoServer *idpContext2 = NULL;
LassoServer *spContext = NULL;
LassoLogin *idpLoginContext1 = NULL;
LassoLogin *idpLoginContext2 = NULL;
LassoLogin *spLoginContext = NULL;
/* Create an IdP context for IdP initiated SSO with private key 1 */
idpContext1 = lasso_server_new(
TESTSDATADIR "idp11-multikey-saml2/metadata.xml",
TESTSDATADIR "idp11-multikey-saml2/private-key-1.pem",
NULL, /* Secret key to unlock private key */
TESTSDATADIR "idp11-multikey-saml2/certificate-1.pem");
check_not_null(idpContext1)
check_good_rc(lasso_server_add_provider(
idpContext1,
LASSO_PROVIDER_ROLE_SP,
TESTSDATADIR "/sp6-saml2/metadata.xml",
NULL,
NULL));
/* Create an IdP context for IdP initiated SSO with private key 2 */
idpContext2 = lasso_server_new(
TESTSDATADIR "idp11-multikey-saml2/metadata.xml",
TESTSDATADIR "idp11-multikey-saml2/private-key-2.pem",
NULL, /* Secret key to unlock private key */
TESTSDATADIR "idp11-multikey-saml2/certificate-2.pem");
check_not_null(idpContext2)
check_good_rc(lasso_server_add_provider(
idpContext2,
LASSO_PROVIDER_ROLE_SP,
TESTSDATADIR "/sp6-saml2/metadata.xml",
NULL,
NULL));
/* Create an SP context */
spContext = lasso_server_new(
TESTSDATADIR "/sp6-saml2/metadata.xml",
TESTSDATADIR "/sp6-saml2/private-key.pem",
NULL, /* Secret key to unlock private key */
NULL);
check_not_null(spContext)
check_good_rc(lasso_server_add_provider(
spContext,
LASSO_PROVIDER_ROLE_IDP,
TESTSDATADIR "/idp11-multikey-saml2/metadata.xml",
NULL,
NULL));
/* Create login contexts */
idpLoginContext1 = lasso_login_new(idpContext1);
check_not_null(idpLoginContext1);
idpLoginContext2 = lasso_login_new(idpContext2);
check_not_null(idpLoginContext2);
spLoginContext = lasso_login_new(spContext);
check_not_null(spLoginContext);
/* Create first response signed with key 1*/
check_good_rc(lasso_login_init_idp_initiated_authn_request(idpLoginContext1, "http://sp6/metadata"));
lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(idpLoginContext1->parent.request)->ProtocolBinding,
LASSO_SAML2_METADATA_BINDING_POST);
check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext1, NULL));
check_good_rc(lasso_login_validate_request_msg(idpLoginContext1,
1, /* authentication_result */
0 /* is_consent_obtained */
));
check_good_rc(lasso_login_build_assertion(idpLoginContext1,
LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
"FIXME: authenticationInstant",
"FIXME: reauthenticateOnOrAfter",
"FIXME: notBefore",
"FIXME: notOnOrAfter"));
check_good_rc(lasso_login_build_authn_response_msg(idpLoginContext1));
check_not_null(idpLoginContext1->parent.msg_body);
check_not_null(idpLoginContext1->parent.msg_url);
/* Create second response signed with key 2 */
check_good_rc(lasso_login_init_idp_initiated_authn_request(idpLoginContext2, "http://sp6/metadata"));
lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(idpLoginContext2->parent.request)->ProtocolBinding,
LASSO_SAML2_METADATA_BINDING_POST);
check_good_rc(lasso_login_process_authn_request_msg(idpLoginContext2, NULL));
check_good_rc(lasso_login_validate_request_msg(idpLoginContext2,
1, /* authentication_result */
0 /* is_consent_obtained */
));
check_good_rc(lasso_login_build_assertion(idpLoginContext2,
LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
"FIXME: authenticationInstant",
"FIXME: reauthenticateOnOrAfter",
"FIXME: notBefore",
"FIXME: notOnOrAfter"));
check_good_rc(lasso_login_build_authn_response_msg(idpLoginContext2));
check_not_null(idpLoginContext2->parent.msg_body);
check_not_null(idpLoginContext2->parent.msg_url);
/* Process response 1 */
check_good_rc(lasso_login_process_authn_response_msg(spLoginContext,
idpLoginContext1->parent.msg_body));
check_good_rc(lasso_login_accept_sso(spLoginContext));
/* Process response 2 */
check_good_rc(lasso_login_process_authn_response_msg(spLoginContext,
idpLoginContext2->parent.msg_body));
check_good_rc(lasso_login_accept_sso(spLoginContext));
/* Cleanup */
lasso_release_gobject(idpLoginContext1);
lasso_release_gobject(idpLoginContext2);
lasso_release_gobject(spLoginContext);
lasso_release_gobject(idpContext1);
lasso_release_gobject(idpContext2);
lasso_release_gobject(spContext);
}
END_TEST
Suite*
login_saml2_suite()
{
@ -690,14 +807,17 @@ login_saml2_suite()
TCase *tc_spLogin = tcase_create("Login initiated by service provider");
TCase *tc_spLoginMemory = tcase_create("Login initiated by service provider without key loading");
TCase *tc_spSloSoap = tcase_create("Login initiated by service provider without key loading and with SLO SOAP");
TCase *tc_idpKeyRollover = tcase_create("Login initiated by idp, idp use two differents signing keys (simulate key roll-over)");
suite_add_tcase(s, tc_generate);
suite_add_tcase(s, tc_spLogin);
suite_add_tcase(s, tc_spLoginMemory);
suite_add_tcase(s, tc_spSloSoap);
suite_add_tcase(s, tc_idpKeyRollover);
tcase_add_test(tc_generate, test01_saml2_generateServersContextDumps);
tcase_add_test(tc_spLogin, test02_saml2_serviceProviderLogin);
tcase_add_test(tc_spLoginMemory, test03_saml2_serviceProviderLogin);
tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap);
tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover);
return s;
}
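Review bot: test05_sso_idp_with_key_rollover only shows that responses signed with either listed key are accepted; it has no negative case, so a regression in which verification succeeds without consulting any key (for example when the provider's key list is empty) would pass this test unnoticed. Add a second SP context whose IdP metadata lists only certificate-1.pem, feed it idpLoginContext2->parent.msg_body, and assert that lasso_login_process_authn_response_msg returns a non-zero rc. Minor: the three `check_not_null(idpContext1)`-style lines after lasso_server_new lack the trailing semicolon every other check_* call carries, and the TESTSDATADIR paths mix `"idp11-multikey-saml2/..."` with `"/sp6-saml2/..."`, so one of the two forms produces a doubled or missing slash depending on how TESTSDATADIR ends.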