Add support for SHA-2 family of hash functions for RSA and HMAC signatures
This commit is contained in:
parent
4436c0d4e4
commit
3e597eedb9
|
@ -49,6 +49,12 @@
|
|||
#define RSA_SHA1 "RSA_SHA1"
|
||||
#define DSA_SHA1 "DSA_SHA1"
|
||||
#define HMAC_SHA1 "HMAC_SHA1"
|
||||
#define RSA_SHA256 "RSA_SHA256"
|
||||
#define HMAC_SHA256 "HMAC_SHA256"
|
||||
#define RSA_SHA384 "RSA_SHA384"
|
||||
#define HMAC_SHA384 "HMAC_SHA384"
|
||||
#define RSA_SHA512 "RSA_SHA512"
|
||||
#define HMAC_SHA512 "HMAC_SHA512"
|
||||
|
||||
/*****************************************************************************/
|
||||
/* public methods */
|
||||
|
@ -283,7 +289,12 @@ static xmlNode*
|
|||
get_xmlNode(LassoNode *node, gboolean lasso_dump)
|
||||
{
|
||||
LassoServer *server = LASSO_SERVER(node);
|
||||
char *signature_methods[] = { NULL, RSA_SHA1, DSA_SHA1, HMAC_SHA1};
|
||||
char *signature_methods[] = { NULL,
|
||||
RSA_SHA1, DSA_SHA1, HMAC_SHA1,
|
||||
RSA_SHA256, HMAC_SHA256,
|
||||
RSA_SHA384, HMAC_SHA384,
|
||||
RSA_SHA512, HMAC_SHA512,
|
||||
};
|
||||
xmlNode *xmlnode = NULL, *ret_xmlnode = NULL;
|
||||
|
||||
xmlnode = parent_class->get_xmlNode(node, lasso_dump);
|
||||
|
@ -339,6 +350,18 @@ init_from_xml(LassoNode *node, xmlNode *xmlnode)
|
|||
server->signature_method = LASSO_SIGNATURE_METHOD_DSA_SHA1;
|
||||
else if (lasso_strisequal((char*) s, HMAC_SHA1))
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_HMAC_SHA1;
|
||||
else if (lasso_strisequal((char*) s, RSA_SHA256))
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA256;
|
||||
else if (lasso_strisequal((char*) s, HMAC_SHA256))
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_HMAC_SHA256;
|
||||
else if (lasso_strisequal((char*) s, RSA_SHA384))
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA384;
|
||||
else if (lasso_strisequal((char*) s, HMAC_SHA384))
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_HMAC_SHA384;
|
||||
else if (lasso_strisequal((char*) s, RSA_SHA512))
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA512;
|
||||
else if (lasso_strisequal((char*) s, HMAC_SHA512))
|
||||
server->signature_method = LASSO_SIGNATURE_METHOD_HMAC_SHA512;
|
||||
else {
|
||||
warning("Unable to rebuild a LassoServer object from XML, bad SignatureMethod: %s",
|
||||
s);
|
||||
|
|
|
@ -224,6 +224,12 @@ int lasso_saml2_query_verify_signature(const char *query, const xmlSecKey *sende
|
|||
|
||||
char* lasso_sha1(const char *str);
|
||||
|
||||
char* lasso_sha256(const char *str);
|
||||
|
||||
char* lasso_sha384(const char *str);
|
||||
|
||||
char* lasso_sha512(const char *str);
|
||||
|
||||
char** urlencoded_to_strings(const char *str);
|
||||
|
||||
int lasso_sign_node(xmlNode *xmlnode, LassoSignatureContext context, const char *id_attr_name, const char *id_value);
|
||||
|
|
|
@ -508,6 +508,24 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
algo_href = xmlSecHrefHmacSha1;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
algo_href = xmlSecHrefRsaSha256;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
algo_href = xmlSecHrefHmacSha256;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
algo_href = xmlSecHrefRsaSha384;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
algo_href = xmlSecHrefHmacSha384;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
algo_href = xmlSecHrefRsaSha512;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
algo_href = xmlSecHrefHmacSha512;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_NONE:
|
||||
case LASSO_SIGNATURE_METHOD_LAST:
|
||||
g_assert_not_reached();
|
||||
|
@ -520,14 +538,41 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
}
|
||||
|
||||
/* build buffer digest */
|
||||
digest = lasso_sha1(new_query);
|
||||
if (digest == NULL) {
|
||||
message(G_LOG_LEVEL_CRITICAL, "Failed to build the buffer digest");
|
||||
goto done;
|
||||
switch (sign_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
digest = lasso_sha1(new_query);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
digest = lasso_sha256(new_query);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
digest = lasso_sha384(new_query);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
digest = lasso_sha512(new_query);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
switch (sign_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
if (digest == NULL) {
|
||||
message(G_LOG_LEVEL_CRITICAL, "Failed to build the buffer digest");
|
||||
goto done;
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
/* extract the OpenSSL key */
|
||||
switch (sign_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key_data);
|
||||
g_assert(rsa);
|
||||
/* alloc memory for sigret */
|
||||
|
@ -540,6 +585,9 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
sigret_size = DSA_size(dsa);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
lasso_get_hmac_key(key, (void**)&hmac_key,
|
||||
&hmac_key_length);
|
||||
g_assert(hmac_key);
|
||||
|
@ -558,6 +606,9 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
|
||||
switch (sign_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
/* sign digest message */
|
||||
status = RSA_sign(NID_sha1, (unsigned char*)digest, 20, sigret,
|
||||
&siglen, rsa);
|
||||
|
@ -567,6 +618,9 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
&siglen, dsa);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
HMAC(md, hmac_key, hmac_key_length, (unsigned char *)new_query,
|
||||
strlen(new_query), sigret, &siglen);
|
||||
status = 1;
|
||||
|
@ -592,6 +646,12 @@ lasso_query_sign(char *query, LassoSignatureContext context)
|
|||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
s_new_query = g_strdup_printf("%s&Signature=%s", new_query, (char*)
|
||||
e_b64_sigret);
|
||||
break;
|
||||
|
@ -644,6 +704,8 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
|
|||
const EVP_MD *md = NULL;
|
||||
lasso_error_t rc = 0;
|
||||
LassoSignatureMethod method = LASSO_SIGNATURE_METHOD_NONE;
|
||||
size_t digest_size = 1;
|
||||
int type = -1;
|
||||
|
||||
if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha1)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
|
@ -651,16 +713,59 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
|
|||
rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
||||
digest_size = 20;
|
||||
type = NID_sha1;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefDsaSha1)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataDsaId, LASSO_DS_ERROR_INVALID_SIGALG);
|
||||
dsa = xmlSecOpenSSLKeyDataDsaGetDsa(key->value);
|
||||
key_size = DSA_size(dsa);
|
||||
method = LASSO_SIGNATURE_METHOD_DSA_SHA1;
|
||||
digest_size = 20;
|
||||
type = NID_sha1;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha256)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
LASSO_DS_ERROR_INVALID_SIGALG)
|
||||
rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA256;
|
||||
digest_size = 32;
|
||||
type = NID_sha256;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha384)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
LASSO_DS_ERROR_INVALID_SIGALG)
|
||||
rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA384;
|
||||
digest_size = 48;
|
||||
type = NID_sha384;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefRsaSha512)) {
|
||||
goto_cleanup_if_fail_with_rc(key->value->id == xmlSecOpenSSLKeyDataRsaId,
|
||||
LASSO_DS_ERROR_INVALID_SIGALG)
|
||||
rsa = xmlSecOpenSSLKeyDataRsaGetRsa(key->value);
|
||||
key_size = RSA_size(rsa);
|
||||
method = LASSO_SIGNATURE_METHOD_RSA_SHA512;
|
||||
digest_size = 64;
|
||||
type = NID_sha512;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha1)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
md = EVP_sha1();
|
||||
key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA1;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha256)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
md = EVP_sha256();
|
||||
key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA256;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha384)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
md = EVP_sha384();
|
||||
key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA384;
|
||||
} else if (lasso_strisequal(algorithm, (char*)xmlSecHrefHmacSha512)) {
|
||||
lasso_check_good_rc(lasso_get_hmac_key(key, (void**)&hmac_key, &hmac_key_length));
|
||||
md = EVP_sha512();
|
||||
key_size = EVP_MD_size(md);
|
||||
method = LASSO_SIGNATURE_METHOD_HMAC_SHA512;
|
||||
} else {
|
||||
goto_cleanup_with_rc(LASSO_DS_ERROR_INVALID_SIGALG);
|
||||
}
|
||||
|
@ -675,31 +780,52 @@ lasso_query_verify_helper(const char *signed_content, const char *b64_signature,
|
|||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
digest = lasso_sha1(signed_content);
|
||||
break;
|
||||
default:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
digest = lasso_sha256(signed_content);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
digest = lasso_sha384(signed_content);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
digest = lasso_sha512(signed_content);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
break;
|
||||
default:
|
||||
g_assert_not_reached();
|
||||
}
|
||||
/* verify signature */
|
||||
switch (method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
goto_cleanup_if_fail_with_rc(
|
||||
RSA_verify(
|
||||
NID_sha1,
|
||||
type,
|
||||
(unsigned char*)digest,
|
||||
20,
|
||||
digest_size,
|
||||
signature,
|
||||
key_size, rsa) == 1,
|
||||
LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
goto_cleanup_if_fail_with_rc(
|
||||
DSA_verify(NID_sha1,
|
||||
DSA_verify(
|
||||
type,
|
||||
(unsigned char*)digest,
|
||||
20,
|
||||
digest_size,
|
||||
signature,
|
||||
key_size, dsa) == 1,
|
||||
LASSO_DS_ERROR_INVALID_SIGNATURE);
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
digest = g_malloc(key_size);
|
||||
HMAC(md, hmac_key, hmac_key_length, (unsigned char*)signed_content,
|
||||
strlen(signed_content), (unsigned char*)digest, NULL);
|
||||
|
@ -897,7 +1023,7 @@ cleanup:
|
|||
*
|
||||
* Builds the SHA-1 message digest (cryptographic hash) of @str
|
||||
*
|
||||
* Return value: 20-bytes buffer allocated with xmlMalloc
|
||||
* Return value: 20-bytes buffer allocated with g_malloc
|
||||
**/
|
||||
char*
|
||||
lasso_sha1(const char *str)
|
||||
|
@ -911,6 +1037,66 @@ lasso_sha1(const char *str)
|
|||
return (char*)SHA1((unsigned char*)str, strlen(str), md);
|
||||
}
|
||||
|
||||
/**
|
||||
* lasso_sha256:
|
||||
* @str: a string
|
||||
*
|
||||
* Builds the SHA-256 message digest (cryptographic hash) of @str
|
||||
*
|
||||
* Return value: 32-bytes buffer allocated with g_malloc
|
||||
**/
|
||||
char*
|
||||
lasso_sha256(const char *str)
|
||||
{
|
||||
xmlChar *md;
|
||||
|
||||
if (str == NULL)
|
||||
return NULL;
|
||||
|
||||
md = g_malloc(32);
|
||||
return (char*)SHA256((unsigned char*)str, strlen(str), md);
|
||||
}
|
||||
|
||||
/**
|
||||
* lasso_sha384:
|
||||
* @str: a string
|
||||
*
|
||||
* Builds the SHA-384 message digest (cryptographic hash) of @str
|
||||
*
|
||||
* Return value: 48-bytes buffer allocated with g_malloc
|
||||
**/
|
||||
char*
|
||||
lasso_sha384(const char *str)
|
||||
{
|
||||
xmlChar *md;
|
||||
|
||||
if (str == NULL)
|
||||
return NULL;
|
||||
|
||||
md = g_malloc(48);
|
||||
return (char*)SHA384((unsigned char*)str, strlen(str), md);
|
||||
}
|
||||
|
||||
/**
|
||||
* lasso_sha512:
|
||||
* @str: a string
|
||||
*
|
||||
* Builds the SHA-512 message digest (cryptographic hash) of @str
|
||||
*
|
||||
* Return value: 64-bytes buffer allocated with g_malloc
|
||||
**/
|
||||
char*
|
||||
lasso_sha512(const char *str)
|
||||
{
|
||||
xmlChar *md;
|
||||
|
||||
if (str == NULL)
|
||||
return NULL;
|
||||
|
||||
md = g_malloc(64);
|
||||
return (char*)SHA512((unsigned char*)str, strlen(str), md);
|
||||
}
|
||||
|
||||
char**
|
||||
urlencoded_to_strings(const char *str)
|
||||
{
|
||||
|
@ -1254,7 +1440,17 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
|||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformDsaSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformHmacSha512Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha512Id) < 0)
|
||||
) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed signature transforms");
|
||||
return FALSE;
|
||||
|
@ -1262,6 +1458,9 @@ lasso_saml_constrain_dsigctxt(xmlSecDSigCtxPtr dsigCtx) {
|
|||
if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha256Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha384Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha512Id) < 0) ||
|
||||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
|
||||
|
||||
message(G_LOG_LEVEL_CRITICAL, "Error: failed to limit allowed reference transforms");
|
||||
|
@ -2004,12 +2203,18 @@ _lasso_xmlsec_load_key_from_buffer(const char *buffer, size_t length, const char
|
|||
switch (signature_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
for (i = 0; key_formats[i] && private_key == NULL; i++) {
|
||||
private_key = xmlSecCryptoAppKeyLoadMemory((xmlSecByte*)buffer, length,
|
||||
key_formats[i], password, NULL, NULL);
|
||||
}
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
private_key = xmlSecKeyReadMemory(xmlSecKeyDataHmacId, (xmlSecByte*)buffer, length);
|
||||
if (private_key) {
|
||||
xmlSecKeySetName(private_key, BAD_CAST "shared");
|
||||
|
@ -2021,27 +2226,34 @@ _lasso_xmlsec_load_key_from_buffer(const char *buffer, size_t length, const char
|
|||
}
|
||||
goto_cleanup_if_fail(private_key != NULL);
|
||||
if (certificate) {
|
||||
if (signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1 || signature_method == LASSO_SIGNATURE_METHOD_DSA_SHA1) {
|
||||
int done = 0;
|
||||
int done = 0;
|
||||
|
||||
for (i=0; cert_formats[i]; i++) {
|
||||
if (xmlSecCryptoAppKeyCertLoad(private_key, certificate, cert_formats[i])
|
||||
== 0) {
|
||||
done = 1;
|
||||
break;
|
||||
switch (signature_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
|
||||
for (i=0; cert_formats[i]; i++) {
|
||||
if (xmlSecCryptoAppKeyCertLoad(private_key, certificate, cert_formats[i])
|
||||
== 0) {
|
||||
done = 1;
|
||||
break;
|
||||
}
|
||||
if (xmlSecCryptoAppKeyCertLoadMemory(private_key, BAD_CAST certificate,
|
||||
strlen(certificate), cert_formats[i]) == 0) {
|
||||
done = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (xmlSecCryptoAppKeyCertLoadMemory(private_key, BAD_CAST certificate,
|
||||
strlen(certificate), cert_formats[i]) == 0) {
|
||||
done = 1;
|
||||
break;
|
||||
if (done == 0) {
|
||||
warning("Unable to load certificate: %s", certificate);
|
||||
}
|
||||
}
|
||||
if (done == 0) {
|
||||
warning("Unable to load certificate: %s", certificate);
|
||||
}
|
||||
} else {
|
||||
warning("Attaching a certificate for signature only "
|
||||
"works with DSA and RSA algorithms.");
|
||||
break;
|
||||
default:
|
||||
warning("Attaching a certificate for signature only "
|
||||
"works with DSA and RSA algorithms.");
|
||||
}
|
||||
}
|
||||
cleanup:
|
||||
|
@ -2540,6 +2752,24 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext
|
|||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
transform_id = xmlSecTransformHmacSha1Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
transform_id = xmlSecTransformRsaSha256Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
transform_id = xmlSecTransformHmacSha256Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
transform_id = xmlSecTransformRsaSha384Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
transform_id = xmlSecTransformHmacSha384Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
transform_id = xmlSecTransformRsaSha512Id;
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
transform_id = xmlSecTransformHmacSha512Id;
|
||||
break;
|
||||
default:
|
||||
g_assert_not_reached();
|
||||
}
|
||||
|
@ -2570,6 +2800,9 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext
|
|||
switch (context.signature_method) {
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_DSA_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_RSA_SHA512:
|
||||
/* asymetric cryptography methods */
|
||||
key_info = xmlSecTmplSignatureEnsureKeyInfo(signature, NULL);
|
||||
if (xmlSecKeyGetData(context.signature_key, xmlSecOpenSSLKeyDataX509Id)) {
|
||||
|
@ -2580,6 +2813,9 @@ lasso_xmlnode_add_saml2_signature_template(xmlNode *node, LassoSignatureContext
|
|||
}
|
||||
break;
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA1:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA256:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA384:
|
||||
case LASSO_SIGNATURE_METHOD_HMAC_SHA512:
|
||||
if (context.signature_key->name) {
|
||||
key_info = xmlSecTmplSignatureEnsureKeyInfo(signature, NULL);
|
||||
xmlSecTmplKeyInfoAddKeyName(key_info, NULL);
|
||||
|
|
|
@ -100,6 +100,12 @@ typedef enum {
|
|||
LASSO_SIGNATURE_METHOD_RSA_SHA1,
|
||||
LASSO_SIGNATURE_METHOD_DSA_SHA1,
|
||||
LASSO_SIGNATURE_METHOD_HMAC_SHA1,
|
||||
LASSO_SIGNATURE_METHOD_RSA_SHA256,
|
||||
LASSO_SIGNATURE_METHOD_HMAC_SHA256,
|
||||
LASSO_SIGNATURE_METHOD_RSA_SHA384,
|
||||
LASSO_SIGNATURE_METHOD_HMAC_SHA384,
|
||||
LASSO_SIGNATURE_METHOD_RSA_SHA512,
|
||||
LASSO_SIGNATURE_METHOD_HMAC_SHA512,
|
||||
LASSO_SIGNATURE_METHOD_LAST
|
||||
} LassoSignatureMethod;
|
||||
|
||||
|
|
Loading…
Reference in New Issue