This commit complements the support for multiple signing certificate
support in the metadata files. The use-case is still key roll-over.
The structure LassoServerPrivateData was changed to accomodate multiple
decryption keys, and so:
xmlSecKey *encryption_private_key
became:
GList *encryption_private_keys
All uses of this key were replaced by a loop over this list, terminating
with the first key to be able to decrypt the content.
The private key passed to lasso_server_new() or
lasso_server_new_from_buffers() is first added to the list of decryption
keys. Any other call to
lasso_server_set_encryption_private_key_with_password() or
lasso_server_set_encryption_private_key() will add a new key to the
list.
In lasso_saml20_profile_process_artifact_resolve, we know take a short
path with an error when the remote provider is unknown and we also
respect the lasso_profile_get_signature_verify_hint() when checking the
signature on the artifact resolve message.
The check was missing for processing of logout requests, name id
management request and assertion query responses.
A new internal function lasso_saml20_profile_check_signature_status is
added.
Previously content was stored as the result of lasso_node_dump method
then reloaded, and then serialized again as part of the ArtifactResponse
message. lasso_node_dump was ignoring all hint to sign node, but keeping
the needed parameters around. That's not what must be done, the
signature should happen at the generation of the artifact and the result
must manipulated as is (i.e. XML content) and never moved back to the
land of LassoNode objects.
Now the content is:
- first removed of any signature at the message level, because the
ArtifactResponse will take care of this, (any signature under this
level (like at the assertion) is kept),
- serialized using lasso_node_export_to_xml,
- reloaded using lasso_xml_parse_memory,
- and put into the ArtifactResponse using a
lasso_misc_text_node_new_with_xml_node.
* support private key with new internal API in signature setting
methods
Plug lasso_node_set_signature into
lasso_profile_saml20_setup_message_signature and
lasso_server_saml2_assertion_setup_signature.
* also use lasso_node_get_signature in has_signature
* add forgottent LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE in switch
cases
For AuthnResponse checking the semantic is now that if HINT_FORCE is
used we verify message signature *and* assertion signature. If
HINT_MAYBE is used we check the assertion signature if its issuer
differs from the message issuer.
* lasso/id-ff/profile.h:
- add end symbol for enum LassoProfileSignatureVerifyHint
* lasso/id-ff/profile.c:
- fix documentation of lasso_profile_set_signature_verify_hint
- do not allow to set or return invalid value for the
signature_verify_hint attribute.
* lasso/saml-2.0/login.c:
- handle new enum value
* lasso/saml-2.0/profile.c:
- handle new enum value
- fix missing catch of signature error reporting when
signature_verify_hint is IGNORE.
* docs/reference/lasso/lasso-sections.txt:
- export enums LassoProfileSignatureHint and
LassoProfileSignatureVerifyHint
* tests/metadata_tests.c:
- fix test of all Role enumerations
* lasso/saml-2.0/profile.c:
this change make Lasso respect paragraphs 3.4.5.2 (HTTP-Redirect
binding securit considerations ) and 3.5.5.2 (the same for HTTP-Post)
of the saml-bindings-2.0-os.pdf document, and should allow our Authn
Requests to be accepted by shiboleth IdP.
* lasso/saml-2.0/profile.c:
dump for already signed assertion containing an EncryptedID as
Subject does not work as before, the decrypted NameID is no more
included in it, so instead of trying to plug it in the NameID field
we resort to really deciphering the EncryptedID.
That could be a performance problem if the session object is stuffed
with a lot of assertions.
* lasso/saml-2.0/profile.c:
Issuer is not a mandatory element of SAML 2.0 response,
but if we do not remember which issuer we sent the request (of if
the response is spontaneous) then we will receive a provider not found
error when trying to check the message signature.
* lasso/id-ff/profile.c:
if no LassoIdentity is accessible try to get a name identifier
through the assertion in the LassoSession object. This allows the
logout profile to work without an identity object (which is normal
since logout does not modify the federation status).
* lasso/saml-2.0/profile.c:
* lasso/saml-2.0/profileprivate.h:
make lasso_saml20_profile_set_response_status2 the new implementation
of lasso_saml20_profile_set_response_status.
add helper macros to set success, responder and requester first level
status code.
* saml-2.0/assertion_query.c:
* saml-2.0/login.c:
* saml-2.0/logout.c:
* saml-2.0/name_id_management.c:
adapt consumers to the new signature.
* client of LassoServer should use lasso_server_get_provider.
* LASSO_PROFILE_ERRROR_UNKNOWN_PROVIDER was a mistake, it is
superfluous, use LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND.
Benjamin Dauvergne