xmlsec: re-enable KeyValue nodes when reading KeyInfo descriptors (#85339)

KeyValue has been disabled in libxmlsec >= 1.3.3, as it can be a security
liability in settings other than SAML:

   (xmlsec-core) Disabled KeyValue and DEREncodedKeyValue XML nodes by default. Use the '--enabled-key-data' option for the xmlsec command line utility or update the 'keyInfoCtx->enabledKeyData' parameter if you need to re-enable these nodes (also see question 3.5 in the FAQ).
Benjamin Dauvergne 2024-01-24 21:18:02 +01:00
parent 38d9291fd2
commit f575ac1a7c
1 changed files with 11 additions and 0 deletions


@ -2749,6 +2749,17 @@ lasso_xmlsec_load_key_info(xmlNode *key_descriptor)
ctx.keyReq.keyUsage = xmlSecKeyDataUsageAny;
ctx.certsVerificationDepth = 0;
if((xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataX509Id) < 0) ||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataValueId) < 0) ||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataRsaId) < 0) ||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataDsaId) < 0) ||
(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataHmacId) < 0)) {
message(G_LOG_LEVEL_CRITICAL, "Could not enable needed KeyData");
goto next;
}
key = xmlSecKeyCreate();
if (lasso_flag_pem_public_key) {
xmlSecErrorsDefaultCallbackEnableOutput(FALSE);