Adds two new configure options:
--with-default-sign-algo
--min-hash-algo
--with-default-sign-algo sets the default signing algorithm and defaults
to rsa-sha1. At the moment, two algorithms are supported: rsa-sha1 and
rsa-sha256.
--min-hash-algo sets the minimum hash algorithm to be accepted. The
default is sha1 for backwards compatibility as well.
Related:
https://dev.entrouvert.org/issues/54037
These tests use a hardcoded query and private key which makes it
unsuitable to make the tests use the configured default digest. Let's
just convert them to SHA256 unconditionally.
The switch clause was using SHA1 digests for all digest types when
signing. This obviously breaks verifying the signatures if HMAC-SHAXXX
is used and XXX is something else than 1.
With a SAML Authn Response either the message or the assertion
contained in the response message or both can be signed. Most IdP's
sign the message. This fixes a bug when processing an ECP authn
response when only the assertion is signed.
lasso_saml20_profile_process_soap_response_with_headers() performs a
signature check on the SAML message. A signature can also appear on
the assertion which is checked by
lasso_saml20_login_process_response_status_and_assertion() The problem
occurred when the message was not signed and
lasso_saml20_profile_process_soap_response_with_headers() returned
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
actually an error because we haven't checked the signature on the
assertion yet. We were returning the first
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
signature check in
lasso_saml20_login_process_response_status_and_assertion() succeeded.
The ECP unit tests were enhanced to cover these cases.
The enhanced unit test revealed a problem in two switch statements
operating on the return value of
lasso_profile_get_signature_verify_hint() which were missing a case
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
an abort due to an unknown enumeration value.
Fixes Bug: 26828
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
While porting other Python code in the repo to run under Py3 (as well
as Py2) it was discovered there were a number of other Python scripts
which also needed porting. However these scripts are never invoked
during a build so there was no easy way to test the porting work. I
assume these scripts are for developers only and/or are
historical. Because there was no way for me to test the porting
changes on these scripts I did not want to include the changes in the
patch for the Py3 porting which fixed scripts that are invoked during
the build (the former patch is mandatory, this patch is optional at
the moment). I did verify the scripts compile cleanly under both Py2
and Py3, however it's possible I missed porting something or the error
does not show up until run-time.
Examples of the required changes are:
* Replace use of the built-in function file() with open(). file()
does not exist in Py3, open works in both Py2 and Py3. The code was
also modified to use a file context manager (e.g. with open(xxx) as
f:). This assures open files are properly closed when the code block
using the file goes out of scope. This is a standard modern Python
idiom.
* Replace all use of the print keyword with the six.print_()
function, which itself is an emulation of Py3's print function. Py3
no longer has a print keyword, only a print() function.
* The dict methods .keys(), .values(), .items() no longer return a
list in Py3, instead they return a "view" object which is an
iterator whose result is an unordered set. The most notable
consequence is you cannot index the result of these functions like
your could in Py2 (e.g. dict.keys()[0] will raise a run time
exception).
* Replace use of StringIO.StringIO and cStringIO with
six.StringIO. Py3 no longer has cStringIO and the six variant
handles the correct import.
* Py3 no longer allows the "except xxx, variable" syntax, where
variable appering after the comma is assigned the exception object,
you must use the "as" keyword to perform the variable assignment
(e.g. execpt xxx as variable)
* Python PEP 3113 removed tuple parameter unpacking. Therefore you can
no longer define a formal parameter list that contains tuple
notation representing a single parameter that is unpacked into
multiple arguments.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
We reuse the "message" local variable but we should not.
Also fix a segfault in lasso_xmltextreader_from_message() when getting
the length of "message" before checking if it is NULL or not.
The fail() function from libcheck is doing a longjump() from inside the
logging subsystem, preventing the depth counter to be reinitialised to 0.
(Seen with g_private_get(&g_log_depth) in a gdb session).
validate_idp_list was not using the correct list elements when it
iterated over the known_sp_provided_idp_entries_supporting_ecp list.
It treated them as lists of strings instead of lists of
LassoSamlp2IDPEntry.
Signed-off-by: John Dennis <jdennis@redhat.com>
License: MIT
The goal of those two methods is to allow IdP and SP to load metadata
dynamically without processing completely the incoming. Currently it's
impossible as message parsing and signature checking is done in the same
function.
When the same URL was used for many bindings, the current code did not
work. Now we use
lasso_saml20_provider_check_assertion_consumer_service_url() to validate
url and binding are matching, if no binding is suggested we take the
first one defined for this URL.
Using AssertionConsumerServiceIndex and any of the other assertion
consumer designator attributes is still forbidden.
Instad of referring to an old FSF address, point the reader to the FSF
website where the latest licenses and addresses are published.
Signed-off-by: Simo Sorce <simo@redhat.com>
Benjamin Dauvergne
Jakub Hrozek
John Dennis
Simo Sorce