The flags parameter allows to control the checking of digital signature
upon EntityDescriptor and EntitiesDescriptor nodes in SAML 2.0 metadata
files.
The default behaviour is to check all found signatures and to inherit
signature from EntitiesDescriptor to their children.
By only enabling checking of EntityDescrtiptor node signatures it's also
possible to only check signature at the EntityDescriptor level and so
only trust individual entities and not the aggregating provider.
The aim of this function is now to load any metadata file, and to
replace completely the use of lasso_server_add_provider.
The metadata content argument is replaced by a metadata file path to
more closely match other APIs.
This method allows to load providers in bulk from what is called a
federation file, i.e a SAML metadata file containing declarations for
more than one provider. Those file are usually signed to bind some trust
to its content, so lasso_server_load_federation can take an optional
file path to a certificate chain file used to check the signature on the
given XML content. Only same document signature is accepted (i.e. there
must be only one XML signature reference and it should be to the empty
string meaning the « current » document).
* lasso/id-ff/server.c:
mark private_key as not mandatory as regression tests expect it to
not be mandatory.
test if loading of private key to encryption_private_key private
field worked, if not abort the constructor and return NULL.
* lasso/id-ff/server.h:
fix name of constructors argument to corresponds with comments
(binding generator use this correspondance to apply annotation from
comments to the model obtained by parsing the headers).
* nearly all C files: change includes for relative paths.
* lasso/id-wsf/id_wsf.h, lasso/id-wsf-2.0/id_wsf_2.h: add top level
public include files for ID-WSF 1.0 and ID-WSF 2.0.
* lasso/id-ff/server.*, lasso/id-ff/session.*, lasso/id-ff/identity.*:
remove most of the code related to ID-WSF and push into
lasso/id-wsf/id_ff_extensions.* and lasso/id-wsf-2.0/identity.c,
lasso/id-wsf-2.0/server.c, lasso/id-wsf-2.0/session.c.
* lasso/id-wsf-2.0/saml2_login.c,
lasso/id-wsf-2.0/saml2_login_private.h: same change but for ID-WSF
2.0 support in SAML2 SSO profile.
* lasso/id-ff/server.c, lasso/id-ff/server.h: add new function to build
a LassoServer object holding content of certificate and private key
files intead of loading them everytime signing is needed. You must
instead load them yourself the first time.
from an XML string of the metadatas (changed semantic of the second argument
compared to lasso_server_add_provider). To support this a new public
LassoProvider constructor was added: lasso_provider_new_from_buffer, where the
second argument is an XML string. It uses a new private function,
lasso_provider_load_metadata_from_buffer.
on October 2nd; occasional merges since then).
- Compatible with current souk test suites.
- Missing memory management for everything in xml/
- Missing xmlsec support for SOAP messages.
Added a new property 'secret_key' in LassoServer object
Changed prototype of lasso_server_new() method
BEFORE:
LassoServer *
lasso_server_new(gchar *metadata,
gchar *public_key,
gchar *private_key,
gchar *certificate,
lassoSignatureMethod signature_method)
AFTER:
LassoServer *
lasso_server_new(const gchar *metadata,
const gchar *private_key,
const gchar *secret_key,
const gchar *certificate)
public_key param was removed because it was useless.
secret_key was added to decrypt private_key
signature_method was removed (default value is lassoSignatureMethodRsaSha1).
2 new methods was added to access 'signature_method' property of LassoServer:
lasso_server_get_signature_method() and lasso_server_set_signature_method()
Update Lasso.i
rather than use the "Lasso" word in the name of nodes,
the namespace of the root elment is now set to the Lasso namespace (without prefix).
Relpaced the lasso_str_hash() call by lasso_sha1() in the
lasso_server_get_providerID_from_hash() method.
Benjamin Dauvergne
Damien Laniel
Frédéric Péters
Emmanuel Raviart
Valery Febvre