xmlsec: re-enable KeyValue nodes when reading KeyInfo descriptors (#85339)
KeyValue has been disabled in libxmlsec >= 1.3.3, as it can be a security liability in settings other than SAML metadata. The xmlsec release notes read: "(xmlsec-core) Disabled KeyValue and DEREncodedKeyValue XML nodes by default. Use the '--enabled-key-data' option for the xmlsec command line utility or update the 'keyInfoCtx->enabledKeyData' parameter if you need to re-enable these nodes (also see question 3.5 in the FAQ)."
This commit is contained in:
parent
38d9291fd2
commit
f575ac1a7c
|
@ -2749,6 +2749,17 @@ lasso_xmlsec_load_key_info(xmlNode *key_descriptor)
|
|||
ctx.keyReq.keyUsage = xmlSecKeyDataUsageAny;
|
||||
ctx.certsVerificationDepth = 0;
|
||||
|
||||
if((xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataX509Id) < 0) ||
|
||||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataValueId) < 0) ||
|
||||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataRsaId) < 0) ||
|
||||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataDsaId) < 0) ||
|
||||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataHmacId) < 0)) {
|
||||
message(G_LOG_LEVEL_CRITICAL, "Could not enable needed KeyData");
|
||||
goto next;
|
||||
}
|
||||
|
||||
|
||||
|
||||
key = xmlSecKeyCreate();
|
||||
if (lasso_flag_pem_public_key) {
|
||||
xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
|
||||
|
|
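Review bot: The new list references `xmlSecKeyDataDsaId` and `xmlSecKeyDataHmacId` unconditionally, but if I read xmlsec's crypto headers right those ids are only declared when the library was built without `XMLSEC_NO_DSA` / `XMLSEC_NO_HMAC`, so lasso would fail to compile here against such a build — guard those two entries with the matching `#ifndef`, or simply drop HMAC, which a public-key KeyDescriptor should never need. Populating `enabledKeyData` explicitly also turns what was presumably an open list (every registered key data accepted) into a closed one, so anything not named here — EC public keys (`xmlSecKeyDataEcId` on xmlsec 1.3) in particular — would no longer be read from metadata; worth confirming against the algorithms lasso supports. Re-enabling KeyValue is defensible only because this ctx parses a trusted metadata KeyDescriptor rather than the KeyInfo of a message being verified (where an attacker could supply the verification key), so that reasoning belongs in a comment above the list, e.g. `/* KeyValue is disabled by default in xmlsec >= 1.3.3 (key substitution via KeyInfo); safe here because the key comes from trusted metadata, never from the signed message. */`. The `goto next` on the failure path leaves whatever `ctx` setup precedes the hunk to be released at the label, which I cannot see from here. lasso_xmlsec_load_key_info continues on both sides of the hunk.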