/**
* lasso_server_load_affiliation:
* @server: a #LassoServer
* @filename: file name of the affiliation metadata to load
*
* Load an affiliation metadata file into @server; this must be called after
* providers have been added to @server.
*
* Return value: 0 on success; another value if an error occured.
**/
int
lasso_server_load_affiliation(LassoServer *server, const gchar *filename)
{
LassoProvider *provider = LASSO_PROVIDER(server);
xmlDoc *doc;
xmlNode *node;
int rc = 0;
doc = lasso_xml_parse_file(filename);
goto_cleanup_if_fail_with_rc (doc != NULL, LASSO_XML_ERROR_INVALID_FILE);
node = xmlDocGetRootElement(doc);
goto_cleanup_if_fail_with_rc (node != NULL && node->ns != NULL, LASSO_XML_ERROR_NODE_NOT_FOUND);
if (provider->private_data->conformance == LASSO_PROTOCOL_SAML_2_0) {
rc = lasso_saml20_server_load_affiliation(server, node);
} else {
/* affiliations are not supported in ID-FF 1.2 mode */
rc = LASSO_ERROR_UNIMPLEMENTED;
}
cleanup:
lasso_release_doc(doc);
return rc;
}
int
lasso_ecp_process_response_msg(LassoEcp *ecp, const char *response_msg)
{
xmlDoc *doc;
xmlXPathContext *xpathCtx;
xmlXPathObject *xpathObj;
xmlNode *new_envelope, *header, *paos_response, *ecp_relay_state;
xmlNode *body = NULL;
xmlNs *soap_env_ns, *ecp_ns;
g_return_val_if_fail(LASSO_IS_ECP(ecp), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
g_return_val_if_fail(response_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
doc = lasso_xml_parse_memory(response_msg, strlen(response_msg));
xpathCtx = xmlXPathNewContext(doc);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"s", (xmlChar*)LASSO_SOAP_ENV_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//s:Body", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
body = xmlCopyNode(xpathObj->nodesetval->nodeTab[0], 1);
}
xmlXPathFreeObject(xpathObj);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"ecp", (xmlChar*)LASSO_ECP_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//ecp:Response", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
ecp->assertionConsumerURL = (char*)xmlGetProp(
xpathObj->nodesetval->nodeTab[0], (xmlChar*)"AssertionConsumerURL");
}
xmlXPathFreeObject(xpathObj);
xmlXPathFreeContext(xpathCtx);
xpathCtx = NULL;
xpathObj = NULL;
new_envelope = xmlNewNode(NULL, (xmlChar*)"Envelope");
xmlSetNs(new_envelope, xmlNewNs(new_envelope,
(xmlChar*)LASSO_SOAP_ENV_HREF, (xmlChar*)LASSO_SOAP_ENV_PREFIX));
xmlNewNs(new_envelope,
(xmlChar*)LASSO_SAML_ASSERTION_HREF, (xmlChar*)LASSO_SAML_ASSERTION_PREFIX);
header = xmlNewTextChild(new_envelope, NULL, (xmlChar*)"Header", NULL);
/* PAOS request header block */
soap_env_ns = xmlNewNs(new_envelope,
(xmlChar*)LASSO_SOAP_ENV_HREF, (xmlChar*)LASSO_SOAP_ENV_PREFIX);
paos_response = xmlNewNode(NULL, (xmlChar*)"Response");
xmlSetNs(paos_response, xmlNewNs(paos_response,
(xmlChar*)LASSO_PAOS_HREF, (xmlChar*)LASSO_PAOS_PREFIX));
xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"mustUnderstand", (xmlChar*)"1");
xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"actor",
(xmlChar*)LASSO_SOAP_ENV_ACTOR);
if (ecp->private_data->messageID) {
xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"refToMessageID",
(xmlChar*)ecp->private_data->messageID);
}
xmlAddChild(header, paos_response);
/* ECP relay state block */
if (ecp->private_data->relay_state) {
ecp_relay_state = xmlNewNode(NULL, (xmlChar*)"RelayState");
xmlNodeSetContent(ecp_relay_state, (xmlChar*)ecp->private_data->relay_state);
ecp_ns = xmlNewNs(ecp_relay_state, (xmlChar*)LASSO_ECP_HREF,
(xmlChar*)LASSO_ECP_PREFIX);
xmlSetNs(ecp_relay_state, ecp_ns);
xmlSetNsProp(ecp_relay_state, soap_env_ns, (xmlChar*)"mustUnderstand",
(xmlChar*)"1");
xmlSetNsProp(ecp_relay_state, soap_env_ns, (xmlChar*)"actor",
(xmlChar*)LASSO_SOAP_ENV_ACTOR);
xmlAddChild(header, ecp_relay_state);
}
xmlAddChild(new_envelope, body);
lasso_assign_new_string(LASSO_PROFILE(ecp)->msg_body,
lasso_xmlnode_to_string(new_envelope, 0, 0))
lasso_release_doc(doc);
return 0;
}
int
lasso_ecp_process_authn_request_msg(LassoEcp *ecp, const char *authn_request_msg)
{
xmlDoc *doc;
xmlXPathContext *xpathCtx;
xmlXPathObject *xpathObj;
xmlNode *xmlnode;
LassoProfile *profile;
LassoProvider *remote_provider;
g_return_val_if_fail(LASSO_IS_ECP(ecp), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
g_return_val_if_fail(authn_request_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);
profile = LASSO_PROFILE(ecp);
doc = lasso_xml_parse_memory(authn_request_msg, strlen(authn_request_msg));
xpathCtx = xmlXPathNewContext(doc);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"ecp", (xmlChar*)LASSO_ECP_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//ecp:RelayState", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
xmlnode = xpathObj->nodesetval->nodeTab[0];
ecp->private_data->relay_state = xmlNodeGetContent(xmlnode);
}
xmlXPathFreeObject(xpathObj);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"paos", (xmlChar*)LASSO_PAOS_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//paos:Request", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
ecp->private_data->messageID = xmlGetProp(
xpathObj->nodesetval->nodeTab[0], (xmlChar*)"messageID");
}
xmlXPathFreeObject(xpathObj);
xmlXPathRegisterNs(xpathCtx, (xmlChar*)"s", (xmlChar*)LASSO_SOAP_ENV_HREF);
xpathObj = xmlXPathEvalExpression((xmlChar*)"//s:Header", xpathCtx);
if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
xmlnode = xpathObj->nodesetval->nodeTab[0];
xmlUnlinkNode(xmlnode);
xmlFreeNode(xmlnode);
}
xmlXPathFreeObject(xpathObj);
xmlXPathFreeContext(xpathCtx);
xpathCtx = NULL;
xpathObj = NULL;
xmlnode = xmlDocGetRootElement(doc);
lasso_assign_new_string(LASSO_PROFILE(ecp)->msg_body,
lasso_xmlnode_to_string(xmlnode, 0, 0))
lasso_release_doc(doc);
profile->remote_providerID = lasso_server_get_first_providerID_by_role(profile->server, LASSO_PROVIDER_ROLE_IDP);
if (profile->remote_providerID == NULL) {
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
}
profile->msg_url = lasso_provider_get_metadata_one(remote_provider,
"SingleSignOnService SOAP");
if (profile->msg_url == NULL) {
return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
}
return 0;
}
END_TEST
START_TEST(test08_lasso_key)
{
/* normal query as produces by Lasso */
const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
* changed to ; */
const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
/* sp5-saml2 key */
const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91\n\
dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5\n\
MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF\n\
UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw\n\
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq\n\
h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m\n\
6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u\n\
uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH\n\
ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi\n\
+3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA\n\
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0\n\
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G\n\
A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB\n\
AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ\n\
BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa\n\
pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew\n\
fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP\n\
NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR\n\
LlTxKnCrWAXftSm1rNtewTsF\n\
-----END CERTIFICATE-----";
LassoKey *key = lasso_key_new_for_signature_from_memory(pkey, strlen(pkey), NULL,
LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
LassoKey *key2 = lasso_key_new_for_signature_from_file(
TESTSDATADIR "/sp5-saml2/private-key.pem", NULL,
LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
char *message = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_E3F8E9116EE08F0E2607CF9789649BB4\" Version=\"2.0\" IssueInstant=\"2012-03-09T11:34:48Z\" ForceAuthn=\"false\" IsPassive=\"false\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
<SignedInfo>\n\
<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n\
<Reference URI=\"#_E3F8E9116EE08F0E2607CF9789649BB4\">\n\
<Transforms>\n\
<Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n\
<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
</Transforms>\n\
<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n\
<DigestValue>tMncKjklMJaJLbmB7bARmX14Fdg=</DigestValue>\n\
</Reference>\n\
</SignedInfo>\n\
<SignatureValue>VjAHErXE8rz5yQ/t9Ubws11E59PsU/tXPtL6eCMAVLQxV4Bv0dwyYkeHtge1DXDT\n\
usTy1c17+iuYCVqD3Db51+LMVsHchj0j44fhu/PXNQTmgiT2AuVfH97YhiBWykAs\n\
LwT8MiE9vNGiHQwsWVjhdzooVmU0M80m0Ij2DFMcYiKzmuMhE4M65qUO4tygQLiL\n\
YB5oPe0VYKEBJLfaTvuijLBTi4ecx6aU+HptAvuEOcCbcJZtGyv7jr2yuEDSq72S\n\
0hwOV0CIsQoSf/vL7R9RzTs2bpgYVGqgerhpWsz6dqo7YX0NSj9pMbXZiOyX/YzS\n\
uP3QSjow05NiPhy8ywKW8A==</SignatureValue>\n\
<KeyInfo>\n\
<KeyValue>\n\
<RSAKeyValue>\n\
<Modulus>\n\
zTofHpWAdhH3BR/+1lVVNGRVY2qH3H4+8cDaofg5gy6oazgB/qVTZixm+euZF1wV\n\
a/T5SR0CBeFF4JYBmC0HWl39b2bqoNGV0ILLKyjDrE88pHP+k5PBFeb98zRAY95f\n\
PDOPfgFc4g64W76fvri8qfXx3665UATOTXnvqnFOnilA/Ml900ust5Dy/IKyGgVT\n\
4xgm2nVQD6HYmg7Rjyga/LBtTEeKgc3k++fM5t8AzhdoNCiGZ/Ez1RztanjEoBzW\n\
dSrmHAGsemMUxFLPpQJ8yglIYiL7fEkyQ0KMvRcTDk0pVzmNEqTNKQ3mPwpMz+TW\n\
M8+wMc9FjNtZaGc213omWQ==\n\
</Modulus>\n\
<Exponent>\n\
AQAB\n\
</Exponent>\n\
</RSAKeyValue>\n\
</KeyValue>\n\
</KeyInfo>\n\
</Signature><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" AllowCreate=\"true\"/></samlp:AuthnRequest>";
xmlDoc *doc;
doc = xmlParseDoc(BAD_CAST message);
fail_unless(key != NULL, "Cannot load public key");
fail_unless(lasso_key_query_verify(key, query1) == 0, "Signature was not validated");
/* test reordering and semi-colon separator support */
fail_unless(lasso_key_query_verify(key, query2) == 0, "Disordered signature was not validated");
fail_unless(lasso_key_query_verify(key, query3) != 0, "Altered signature was validated");
fail_unless(lasso_key_saml2_xml_verify(key,
"_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
"XML Signature is not validated");
g_object_unref(key);
fail_unless(key2 != NULL, "Cannot load public key2");
fail_unless(lasso_key_query_verify(key2, query1) == 0, "Signature was not validated");
/* test reordering and semi-colon separator support */
fail_unless(lasso_key_query_verify(key2, query2) == 0, "Disordered signature was not validated");
fail_unless(lasso_key_query_verify(key2, query3) != 0, "Altered signature was validated");
fail_unless(lasso_key_saml2_xml_verify(key2,
"_E3F8E9116EE08F0E2607CF9789649BB4", xmlDocGetRootElement(doc)) == 0,
"XML Signature is not validated");
g_object_unref(key2);
lasso_release_doc(doc);
}
