From f575ac1a7cd7ecbc75323c6b24c1291208d4b40f Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 24 Jan 2024 21:18:02 +0100
Subject: [PATCH] xmlsec: re-enable KeyValue nodes when reading KeyInfo descriptors (#85339)

KeyValue has been disabled in libxmlsec >= 1.3.3, as it can be a security liability in other settings than SAML:

(xmlsec-core) Disabled KeyValue and DEREncodedKeyValue XML nodes by default. Use the '--enabled-key-data' option for the xmlsec command line utility or update the 'keyInfoCtx->enabledKeyData' parameter if you need to re-enable these nodes (also see question 3.5 in the FAQ).
---
 lasso/xml/tools.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 181771ac..d220576a 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -2749,6 +2749,17 @@ lasso_xmlsec_load_key_info(xmlNode *key_descriptor)
 	ctx.keyReq.keyUsage = xmlSecKeyDataUsageAny;
 	ctx.certsVerificationDepth = 0;
 
+	if((xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataX509Id) < 0) ||
+			(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataValueId) < 0) ||
+			(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataRsaId) < 0) ||
+			(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataDsaId) < 0) ||
+			(xmlSecPtrListAdd(&ctx.enabledKeyData, BAD_CAST xmlSecKeyDataHmacId) < 0)) {
+		message(G_LOG_LEVEL_CRITICAL, "Could not enable needed KeyData");
+		goto next;
+	}
+
+
+
 	key = xmlSecKeyCreate();
 	if (lasso_flag_pem_public_key) {
 		xmlSecErrorsDefaultCallbackEnableOutput(FALSE);
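Review bot: Populating `ctx.enabledKeyData` changes it from "empty, so xmlsec's default set applies" into an exclusive allow-list, so every key-data type the new `if` block does not name is now rejected where it was accepted before the patch — presumably that covers EC keys given as a bare ECKeyValue and RetrievalMethod/KeyName references, which is worth checking against the metadata lasso is expected to consume before merging, and adding the ids that are still wanted. xmlSecKeyDataHmacId is also enabled even though a KeyDescriptor should only carry public key material; unless lasso relies on HMACKeyValue in this path, leaving it out keeps the allow-list to what the commit message argues is acceptable in the SAML setting. A short comment above the block would spare the next reader the archaeology, e.g. `/* xmlsec >= 1.3.3 disables KeyValue by default; KeyDescriptors come from trusted metadata, so re-enable it explicitly (note: a non-empty list is exclusive). */`. The three blank lines after the closing brace could be one. lasso_xmlsec_load_key_info begins before the hunk and continues after it, so it is not visible here whether the `next` label reached by the new early exit finalizes ctx.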