/**
 * lasso_server_load_affiliation:
 * @server: a #LassoServer
 * @filename: file name of the affiliation metadata to load
 *
 * Load an affiliation metadata file into @server; this must be called after
 * providers have been added to @server.
 *
 * Return value: 0 on success; another value if an error occured.
 **/
int
lasso_server_load_affiliation(LassoServer *server, const gchar *filename)
{
	LassoProvider *provider = LASSO_PROVIDER(server);
	int rc = 0;
	xmlDoc *doc = lasso_xml_parse_file(filename);
	xmlNode *root = NULL;

	/* The file must parse, and its root element must carry a namespace;
	 * anything else is reported as an error without touching @server. */
	goto_cleanup_if_fail_with_rc(doc != NULL, LASSO_XML_ERROR_INVALID_FILE);
	root = xmlDocGetRootElement(doc);
	goto_cleanup_if_fail_with_rc(root != NULL && root->ns != NULL,
			LASSO_XML_ERROR_NODE_NOT_FOUND);

	/* Affiliations are only handled in SAML 2.0 mode; ID-FF 1.2 mode has no
	 * loader, so report it as unimplemented rather than ignoring the file. */
	if (provider->private_data->conformance != LASSO_PROTOCOL_SAML_2_0) {
		rc = LASSO_ERROR_UNIMPLEMENTED;
	} else {
		rc = lasso_saml20_server_load_affiliation(server, root);
	}

cleanup:
	/* lasso_release_doc() tolerates a NULL document */
	lasso_release_doc(doc);
	return rc;
}
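/**
 * lasso_ecp_process_response_msg:
 * @ecp: a #LassoEcp
 * @response_msg: the SOAP response message received from the identity provider
 *
 * Copies the s:Body of @response_msg into a freshly built SOAP envelope whose
 * Header carries a PAOS Response block (with the refToMessageID recorded
 * earlier, if any) and, when a relay state was recorded, an ecp:RelayState
 * block. The AssertionConsumerURL attribute of the ecp:Response header is
 * stored in @ecp. The serialised envelope becomes the profile's msg_body.
 *
 * Return value: 0 on success; LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ or
 * LASSO_PARAM_ERROR_INVALID_VALUE on bad arguments;
 * LASSO_PROFILE_ERROR_INVALID_MSG if @response_msg is not well-formed XML.
 **/
int
lasso_ecp_process_response_msg(LassoEcp *ecp, const char *response_msg)
{
	xmlDoc *doc;
	xmlXPathContext *xpathCtx;
	xmlXPathObject *xpathObj;
	xmlNode *new_envelope, *header, *paos_response, *ecp_relay_state;
	xmlNode *body = NULL;
	xmlNs *soap_env_ns, *ecp_ns;

	g_return_val_if_fail(LASSO_IS_ECP(ecp), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
	g_return_val_if_fail(response_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);

	/* @response_msg comes from the network: reject anything that does not
	 * parse instead of running XPath queries against a NULL document. */
	doc = lasso_xml_parse_memory(response_msg, strlen(response_msg));
	if (doc == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
	}

	xpathCtx = xmlXPathNewContext(doc);
	xmlXPathRegisterNs(xpathCtx, (xmlChar*)"s", (xmlChar*)LASSO_SOAP_ENV_HREF);
	xpathObj = xmlXPathEvalExpression((xmlChar*)"//s:Body", xpathCtx);
	if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
		/* deep copy: the parsed document is released before returning */
		body = xmlCopyNode(xpathObj->nodesetval->nodeTab[0], 1);
	}
	xmlXPathFreeObject(xpathObj);

	xmlXPathRegisterNs(xpathCtx, (xmlChar*)"ecp", (xmlChar*)LASSO_ECP_HREF);
	xpathObj = xmlXPathEvalExpression((xmlChar*)"//ecp:Response", xpathCtx);
	if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
		/* NOTE(review): a value left by a previous call is overwritten, not
		 * released; ownership of this field is not visible here. */
		ecp->assertionConsumerURL = (char*)xmlGetProp(
				xpathObj->nodesetval->nodeTab[0], (xmlChar*)"AssertionConsumerURL");
	}
	xmlXPathFreeObject(xpathObj);
	xmlXPathFreeContext(xpathCtx);
	xpathCtx = NULL;
	xpathObj = NULL;

	/* Declare the SOAP envelope namespace once and reuse it for the
	 * mustUnderstand/actor attributes below: xmlNewNs() returns NULL when a
	 * declaration with the same prefix already exists on the node, so
	 * declaring it a second time would leave those attributes un-namespaced. */
	new_envelope = xmlNewNode(NULL, (xmlChar*)"Envelope");
	soap_env_ns = xmlNewNs(new_envelope,
			(xmlChar*)LASSO_SOAP_ENV_HREF, (xmlChar*)LASSO_SOAP_ENV_PREFIX);
	xmlSetNs(new_envelope, soap_env_ns);
	xmlNewNs(new_envelope,
			(xmlChar*)LASSO_SAML_ASSERTION_HREF, (xmlChar*)LASSO_SAML_ASSERTION_PREFIX);
	/* NULL namespace: the child inherits the envelope's namespace */
	header = xmlNewTextChild(new_envelope, NULL, (xmlChar*)"Header", NULL);

	/* PAOS request header block */
	paos_response = xmlNewNode(NULL, (xmlChar*)"Response");
	xmlSetNs(paos_response, xmlNewNs(paos_response,
			(xmlChar*)LASSO_PAOS_HREF, (xmlChar*)LASSO_PAOS_PREFIX));
	xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"mustUnderstand", (xmlChar*)"1");
	xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"actor", (xmlChar*)LASSO_SOAP_ENV_ACTOR);
	if (ecp->private_data->messageID) {
		xmlSetNsProp(paos_response, soap_env_ns, (xmlChar*)"refToMessageID",
				(xmlChar*)ecp->private_data->messageID);
	}
	xmlAddChild(header, paos_response);

	/* ECP relay state block */
	if (ecp->private_data->relay_state) {
		ecp_relay_state = xmlNewNode(NULL, (xmlChar*)"RelayState");
		xmlNodeSetContent(ecp_relay_state, (xmlChar*)ecp->private_data->relay_state);
		ecp_ns = xmlNewNs(ecp_relay_state, (xmlChar*)LASSO_ECP_HREF, (xmlChar*)LASSO_ECP_PREFIX);
		xmlSetNs(ecp_relay_state, ecp_ns);
		xmlSetNsProp(ecp_relay_state, soap_env_ns, (xmlChar*)"mustUnderstand", (xmlChar*)"1");
		xmlSetNsProp(ecp_relay_state, soap_env_ns, (xmlChar*)"actor",
				(xmlChar*)LASSO_SOAP_ENV_ACTOR);
		xmlAddChild(header, ecp_relay_state);
	}

	/* NOTE(review): when no s:Body was found, body is NULL and the envelope
	 * is emitted without one; no error is reported for that case. */
	xmlAddChild(new_envelope, body);
	lasso_assign_new_string(LASSO_PROFILE(ecp)->msg_body,
			lasso_xmlnode_to_string(new_envelope, 0, 0))
	/* the envelope (and the copied body it now owns) was only needed for
	 * serialisation; release it rather than leaking it on every call */
	xmlFreeNode(new_envelope);
	lasso_release_doc(doc);

	return 0;
}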
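/**
 * lasso_ecp_process_authn_request_msg:
 * @ecp: a #LassoEcp
 * @authn_request_msg: the PAOS-wrapped authentication request received from
 * the service provider
 *
 * Records the content of the ecp:RelayState header and the messageID
 * attribute of the paos:Request header found in @authn_request_msg, removes
 * the s:Header element and stores the remaining document as the profile's
 * msg_body. The first identity provider known to the server becomes the
 * remote provider and its "SingleSignOnService SOAP" endpoint the msg_url.
 *
 * Return value: 0 on success; LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ or
 * LASSO_PARAM_ERROR_INVALID_VALUE on bad arguments;
 * LASSO_PROFILE_ERROR_INVALID_MSG if the message is not well-formed XML;
 * LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if no identity provider is known;
 * LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL if that provider has no SOAP
 * single sign-on endpoint.
 **/
int
lasso_ecp_process_authn_request_msg(LassoEcp *ecp, const char *authn_request_msg)
{
	xmlDoc *doc;
	xmlXPathContext *xpathCtx;
	xmlXPathObject *xpathObj;
	xmlNode *xmlnode;
	LassoProfile *profile;
	LassoProvider *remote_provider;

	g_return_val_if_fail(LASSO_IS_ECP(ecp), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
	g_return_val_if_fail(authn_request_msg != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);

	profile = LASSO_PROFILE(ecp);

	/* @authn_request_msg comes from the network: reject anything that does
	 * not parse instead of running XPath queries against a NULL document. */
	doc = lasso_xml_parse_memory(authn_request_msg, strlen(authn_request_msg));
	if (doc == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
	}

	xpathCtx = xmlXPathNewContext(doc);

	/* NOTE(review): relay_state and messageID below overwrite any value left
	 * by a previous call without releasing it. */
	xmlXPathRegisterNs(xpathCtx, (xmlChar*)"ecp", (xmlChar*)LASSO_ECP_HREF);
	xpathObj = xmlXPathEvalExpression((xmlChar*)"//ecp:RelayState", xpathCtx);
	if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
		xmlnode = xpathObj->nodesetval->nodeTab[0];
		ecp->private_data->relay_state = xmlNodeGetContent(xmlnode);
	}
	xmlXPathFreeObject(xpathObj);

	xmlXPathRegisterNs(xpathCtx, (xmlChar*)"paos", (xmlChar*)LASSO_PAOS_HREF);
	xpathObj = xmlXPathEvalExpression((xmlChar*)"//paos:Request", xpathCtx);
	if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
		ecp->private_data->messageID = xmlGetProp(
				xpathObj->nodesetval->nodeTab[0], (xmlChar*)"messageID");
	}
	xmlXPathFreeObject(xpathObj);

	/* The SOAP header is consumed here; only the envelope and body are
	 * forwarded to the identity provider. */
	xmlXPathRegisterNs(xpathCtx, (xmlChar*)"s", (xmlChar*)LASSO_SOAP_ENV_HREF);
	xpathObj = xmlXPathEvalExpression((xmlChar*)"//s:Header", xpathCtx);
	if (xpathObj && xpathObj->nodesetval && xpathObj->nodesetval->nodeNr) {
		xmlnode = xpathObj->nodesetval->nodeTab[0];
		xmlUnlinkNode(xmlnode);
		xmlFreeNode(xmlnode);
	}
	xmlXPathFreeObject(xpathObj);
	xmlXPathFreeContext(xpathCtx);
	xpathCtx = NULL;
	xpathObj = NULL;

	xmlnode = xmlDocGetRootElement(doc);
	lasso_assign_new_string(LASSO_PROFILE(ecp)->msg_body,
			lasso_xmlnode_to_string(xmlnode, 0, 0))
	lasso_release_doc(doc);

	/* NOTE(review): the first IdP by role is picked unconditionally; a
	 * previous remote_providerID/msg_url is overwritten, not released. */
	profile->remote_providerID = lasso_server_get_first_providerID_by_role(
			profile->server, LASSO_PROVIDER_ROLE_IDP);
	if (profile->remote_providerID == NULL) {
		return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
	}

	remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
	if (LASSO_IS_PROVIDER(remote_provider) == FALSE) {
		return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND);
	}

	profile->msg_url = lasso_provider_get_metadata_one(remote_provider,
			"SingleSignOnService SOAP");
	if (profile->msg_url == NULL) {
		return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL);
	}

	return 0;
}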
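END_TEST

/* Signature verification through LassoKey: a redirect-binding query string
 * must verify as-is, verify with its parameters reordered and '&' replaced by
 * ';', and fail when one character of the Signature value is altered; an
 * enveloped XML signature over an AuthnRequest must verify as well. Every
 * check is run twice, with a key loaded from an in-memory certificate and with
 * one loaded from a private key file. */
START_TEST(test08_lasso_key)
{
	/* normal query as produces by Lasso */
	const char query1[] = "SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&RelayState=fake%5B%5D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D";
	/* SAMLRequest field was moved in the middle, Signature to the beginning and all & were
	 * changed to ; */
	const char query2[] = "Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TaCCtwg%3D%3D;RelayState=fake%5B%5D;SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
	/* same as query1 with one character of the Signature value changed
	 * ("TaCC" -> "TacC"): must be rejected */
	const char query3[] = "RelayState=fake%5B%5D&SAMLRequest=fZHNasMwEIRfxeieWrYTtQjb4DgJBNqSNqWHXopw1kQgS6523Z%2B3r%2BxQSKDkOppvd2aVo%2BpML6uBjvYZPgZAir47Y1FODwUbvJVOoUZpVQcoqZH76uFepjdc9t6Ra5xhZ8h1QiGCJ%2B0si7argr0vxTLJ1guRilpU8%2FWtyKpNnaXrukoF32SCRa%2FgMfgLFvAAIQ6wtUjKUpB4wmc8nSX8hXOZ3Ml0%2FsaijfMNTIUK1iqDMGK7sFl%2Fwp9S5mNWOY3z5ZGol3GM%2FSLugNRBkcrjc0N%2ButJj6LNd7ZzRzc%2B4plN0ve6o6MOsnayyH6sggSUW7XfjsKdBGd1q8AX7JwOLKmPcV%2B1BUUhOfgAWl6dkl19W%2FgI%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=wDxMSEPKhK%2FuU06cmL50oVx%2B7eP5%2FQirShQE%2BLv9pT3CrVwb6WBV1Tp9XS2VVJ2odLHogdA%2FE1XDW7BIRKYgkN8bXVlC2GybSYBhyn8bwAuyHs%2BnMW48LF%2FE5vFiZxbw8tMWUAktdvDuaXoZLhubX7UgV%2B%2BdRyjhckolpXTC9xuJdoHJUDF0vzzNm8xZs6LR7tjWUoz5CcjMJA3LVfWmpE5UjCyRmGbi9knGWHdY75CFtArD%2BNSkGeNx9xySrUlik6e57Zlodv4V9WBdeopAWskO58BA27GqTmnSLooeo%2FrtLxc1NZeuau11YxNzwl%2FvN8%2FQ5IsR3Xic8X1TacCtwg%3D%3D";
	/* sp5-saml2 key */
	const char pkey[] = "-----BEGIN CERTIFICATE-----\n\
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP\n\
MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91\n\
dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5\n\
MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF\n\
UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw\n\
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq\n\
h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m\n\
6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u\n\
uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH\n\
ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi\n\
+3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA\n\
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0\n\
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G\n\
A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB\n\
AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ\n\
BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa\n\
pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew\n\
fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP\n\
NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR\n\
LlTxKnCrWAXftSm1rNtewTsF\n\
-----END CERTIFICATE-----";
	LassoKey *key = lasso_key_new_for_signature_from_memory(pkey, strlen(pkey), NULL,
			LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
	LassoKey *key2 = lasso_key_new_for_signature_from_file(
			TESTSDATADIR "/sp5-saml2/private-key.pem", NULL,
			LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
	/* string literal: keep the pointer const so nothing can write through it */
	const char *message = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_E3F8E9116EE08F0E2607CF9789649BB4\" Version=\"2.0\" IssueInstant=\"2012-03-09T11:34:48Z\" ForceAuthn=\"false\" IsPassive=\"false\"><saml:Issuer>http://sp5/metadata</saml:Issuer><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n\
<SignedInfo>\n\
<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
<SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n\
<Reference URI=\"#_E3F8E9116EE08F0E2607CF9789649BB4\">\n\
<Transforms>\n\
<Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>\n\
<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n\
</Transforms>\n\
<DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>\n\
<DigestValue>tMncKjklMJaJLbmB7bARmX14Fdg=</DigestValue>\n\
</Reference>\n\
</SignedInfo>\n\
<SignatureValue>VjAHErXE8rz5yQ/t9Ubws11E59PsU/tXPtL6eCMAVLQxV4Bv0dwyYkeHtge1DXDT\n\
usTy1c17+iuYCVqD3Db51+LMVsHchj0j44fhu/PXNQTmgiT2AuVfH97YhiBWykAs\n\
LwT8MiE9vNGiHQwsWVjhdzooVmU0M80m0Ij2DFMcYiKzmuMhE4M65qUO4tygQLiL\n\
YB5oPe0VYKEBJLfaTvuijLBTi4ecx6aU+HptAvuEOcCbcJZtGyv7jr2yuEDSq72S\n\
0hwOV0CIsQoSf/vL7R9RzTs2bpgYVGqgerhpWsz6dqo7YX0NSj9pMbXZiOyX/YzS\n\
uP3QSjow05NiPhy8ywKW8A==</SignatureValue>\n\
<KeyInfo>\n\
<KeyValue>\n\
<RSAKeyValue>\n\
<Modulus>\n\
zTofHpWAdhH3BR/+1lVVNGRVY2qH3H4+8cDaofg5gy6oazgB/qVTZixm+euZF1wV\n\
a/T5SR0CBeFF4JYBmC0HWl39b2bqoNGV0ILLKyjDrE88pHP+k5PBFeb98zRAY95f\n\
PDOPfgFc4g64W76fvri8qfXx3665UATOTXnvqnFOnilA/Ml900ust5Dy/IKyGgVT\n\
4xgm2nVQD6HYmg7Rjyga/LBtTEeKgc3k++fM5t8AzhdoNCiGZ/Ez1RztanjEoBzW\n\
dSrmHAGsemMUxFLPpQJ8yglIYiL7fEkyQ0KMvRcTDk0pVzmNEqTNKQ3mPwpMz+TW\n\
M8+wMc9FjNtZaGc213omWQ==\n\
</Modulus>\n\
<Exponent>\n\
AQAB\n\
</Exponent>\n\
</RSAKeyValue>\n\
</KeyValue>\n\
</KeyInfo>\n\
</Signature><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\" AllowCreate=\"true\"/></samlp:AuthnRequest>";
	xmlDoc *doc;

	doc = xmlParseDoc(BAD_CAST message);
	/* a parse failure would otherwise surface as a NULL root element passed
	 * to the XML verification below, not as a clear test failure */
	fail_unless(doc != NULL, "Cannot parse signed AuthnRequest");

	fail_unless(key != NULL, "Cannot load public key");
	fail_unless(lasso_key_query_verify(key, query1) == 0, "Signature was not validated");
	/* test reordering and semi-colon separator support */
	fail_unless(lasso_key_query_verify(key, query2) == 0, "Disordered signature was not validated");
	fail_unless(lasso_key_query_verify(key, query3) != 0, "Altered signature was validated");
	fail_unless(lasso_key_saml2_xml_verify(key, "_E3F8E9116EE08F0E2607CF9789649BB4",
				xmlDocGetRootElement(doc)) == 0, "XML Signature is not validated");
	g_object_unref(key);

	fail_unless(key2 != NULL, "Cannot load public key2");
	fail_unless(lasso_key_query_verify(key2, query1) == 0, "Signature was not validated");
	/* test reordering and semi-colon separator support */
	fail_unless(lasso_key_query_verify(key2, query2) == 0, "Disordered signature was not validated");
	fail_unless(lasso_key_query_verify(key2, query3) != 0, "Altered signature was validated");
	fail_unless(lasso_key_saml2_xml_verify(key2, "_E3F8E9116EE08F0E2607CF9789649BB4",
				xmlDocGetRootElement(doc)) == 0, "XML Signature is not validated");
	g_object_unref(key2);
	lasso_release_doc(doc);
}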