backport-encrypted-private-key.patch
| bindings/python/tests/profiles_tests.py | ||
|---|---|---|
| 43 | 43 |
srcdir = os.environ.get('srcdir', '.')
|
| 44 | 44 |
dataDir = '%s/../../../tests/data' % srcdir |
| 45 | 45 | |
| 46 |
def server(local_name, remote_role, remote_name): |
|
| 47 |
pwd = os.path.join(dataDir, local_name, 'password') |
|
| 48 |
password = None |
|
| 49 |
if os.path.exists(pwd): |
|
| 50 |
password = file(pwd).read() |
|
| 51 |
s = lasso.Server(os.path.join(dataDir, local_name, 'metadata.xml'), |
|
| 52 |
os.path.join(dataDir, local_name, 'private-key.pem'), |
|
| 53 |
password) |
|
| 54 |
s.addProvider(remote_role, os.path.join(dataDir, remote_name, 'metadata.xml')) |
|
| 55 |
return s |
|
| 56 | ||
| 46 | 57 | |
| 47 | 58 |
class ServerTestCase(unittest.TestCase): |
| 48 | 59 |
def test01(self): |
| ... | ... | |
| 208 | 219 |
self.failUnless('<action2>do action 2</action2>' in extensionsList[0])
|
| 209 | 220 |
self.failUnless('<action3>do action 3</action3>' in extensionsList[0])
|
| 210 | 221 | |
| 222 |
def test_05(self): |
|
| 223 |
'''Login test between SP and IdP with encrypted private keys''' |
|
| 224 |
sp_server = server('sp7-saml2', lasso.PROVIDER_ROLE_IDP, 'idp7-saml2')
|
|
| 225 |
idp_server = server('idp7-saml2', lasso.PROVIDER_ROLE_SP, 'sp7-saml2')
|
|
| 226 | ||
| 227 |
sp_login = lasso.Login(sp_server) |
|
| 228 |
sp_login.initAuthnRequest() |
|
| 229 |
sp_login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST; |
|
| 230 |
sp_login.buildAuthnRequestMsg() |
|
| 231 |
idp_login = lasso.Login(idp_server) |
|
| 232 |
# idp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE) |
|
| 233 |
idp_login.processAuthnRequestMsg(sp_login.msgUrl.split('?')[1])
|
|
| 234 |
idp_login.validateRequestMsg(True, True) |
|
| 235 |
idp_login.buildAssertion("None", "None", "None", "None", "None")
|
|
| 236 |
idp_login.buildAuthnResponseMsg() |
|
| 237 |
# sp_login.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE) |
|
| 238 |
sp_login.processAuthnResponseMsg(idp_login.msgBody) |
|
| 239 |
sp_login.acceptSso() |
|
| 211 | 240 | |
| 212 | 241 |
class LogoutTestCase(unittest.TestCase): |
| 213 | 242 |
def test01(self): |
| lasso/saml-2.0/assertion_query.c | ||
|---|---|---|
| 292 | 292 |
response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE; |
| 293 | 293 |
} |
| 294 | 294 |
response->private_key_file = g_strdup(profile->server->private_key); |
| 295 |
response->private_key_password = g_strdup(profile->server->private_key_password); |
|
| 295 | 296 |
response->certificate_file = g_strdup(profile->server->certificate); |
| 296 | 297 | |
| 297 | 298 |
/* verify signature status */ |
| ... | ... | |
| 346 | 347 |
response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE; |
| 347 | 348 |
} |
| 348 | 349 |
response->private_key_file = g_strdup(profile->server->private_key); |
| 350 |
response->private_key_password = g_strdup(profile->server->private_key_password); |
|
| 349 | 351 |
response->certificate_file = g_strdup(profile->server->certificate); |
| 350 | 352 |
return 0; |
| 351 | 353 |
} |
| lasso/saml-2.0/login.c | ||
|---|---|---|
| 144 | 144 |
if (must_sign) {
|
| 145 | 145 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file = |
| 146 | 146 |
g_strdup(profile->server->private_key); |
| 147 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_password = |
|
| 148 |
g_strdup(profile->server->private_key_password); |
|
| 147 | 149 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file = |
| 148 | 150 |
g_strdup(profile->server->certificate); |
| 149 | 151 |
} |
| ... | ... | |
| 867 | 869 |
} |
| 868 | 870 |
assertion->sign_method = profile->server->signature_method; |
| 869 | 871 |
assertion->private_key_file = g_strdup(profile->server->private_key); |
| 872 |
assertion->private_key_password = g_strdup(profile->server->private_key_password); |
|
| 870 | 873 |
assertion->certificate_file = g_strdup(profile->server->certificate); |
| 871 | 874 | |
| 872 | 875 |
/* Save encryption material in assertion private datas to be able to encrypt later */ |
| ... | ... | |
| 985 | 988 | |
| 986 | 989 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file = |
| 987 | 990 |
g_strdup(profile->server->private_key); |
| 991 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_password = |
|
| 992 |
g_strdup(profile->server->private_key_password); |
|
| 988 | 993 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file = |
| 989 | 994 |
g_strdup(profile->server->certificate); |
| 990 | 995 |
profile->msg_body = lasso_node_export_to_soap(profile->request); |
| ... | ... | |
| 1036 | 1041 | |
| 1037 | 1042 |
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_file = |
| 1038 | 1043 |
g_strdup(profile->server->private_key); |
| 1044 |
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_password = |
|
| 1045 |
g_strdup(profile->server->private_key_password); |
|
| 1039 | 1046 |
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->certificate_file = |
| 1040 | 1047 |
g_strdup(profile->server->certificate); |
| 1041 | 1048 | |
| ... | ... | |
| 1397 | 1404 | |
| 1398 | 1405 |
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_file = |
| 1399 | 1406 |
g_strdup(profile->server->private_key); |
| 1407 |
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->private_key_password = |
|
| 1408 |
g_strdup(profile->server->private_key_password); |
|
| 1400 | 1409 |
LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->certificate_file = |
| 1401 | 1410 |
g_strdup(profile->server->certificate); |
| 1402 | 1411 | |
| lasso/saml-2.0/logout.c | ||
|---|---|---|
| 199 | 199 |
} |
| 200 | 200 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_file = |
| 201 | 201 |
g_strdup(profile->server->private_key); |
| 202 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->private_key_password = |
|
| 203 |
g_strdup(profile->server->private_key_password); |
|
| 202 | 204 |
LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->certificate_file = |
| 203 | 205 |
g_strdup(profile->server->certificate); |
| 204 | 206 | |
| ... | ... | |
| 299 | 301 |
response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE; |
| 300 | 302 |
} |
| 301 | 303 |
response->private_key_file = g_strdup(profile->server->private_key); |
| 304 |
response->private_key_password = g_strdup(profile->server->private_key_password); |
|
| 302 | 305 |
response->certificate_file = g_strdup(profile->server->certificate); |
| 303 | 306 | |
| 304 | 307 |
/* verify signature status */ |
| ... | ... | |
| 466 | 469 |
response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE; |
| 467 | 470 |
} |
| 468 | 471 |
response->private_key_file = g_strdup(profile->server->private_key); |
| 472 |
response->private_key_password = g_strdup(profile->server->private_key_password); |
|
| 469 | 473 |
response->certificate_file = g_strdup(profile->server->certificate); |
| 470 | 474 |
} |
| 471 | 475 | |
| lasso/saml-2.0/profile.c | ||
|---|---|---|
| 340 | 340 |
response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE; |
| 341 | 341 |
} |
| 342 | 342 |
response->private_key_file = g_strdup(profile->server->private_key); |
| 343 |
response->private_key_password = g_strdup(profile->server->private_key_password); |
|
| 343 | 344 |
response->certificate_file = g_strdup(profile->server->certificate); |
| 344 | 345 | |
| 345 | 346 |
profile->response = LASSO_NODE(response); |
| ... | ... | |
| 791 | 792 |
request_abstract->sign_type = server->certificate ? LASSO_SIGNATURE_TYPE_WITHX509 : |
| 792 | 793 |
LASSO_SIGNATURE_TYPE_SIMPLE; |
| 793 | 794 |
lasso_assign_string(request_abstract->private_key_file, server->private_key); |
| 795 |
lasso_assign_string(request_abstract->private_key_password, server->private_key_password); |
|
| 794 | 796 |
lasso_assign_string(request_abstract->certificate_file, server->certificate); |
| 795 | 797 | |
| 796 | 798 |
cleanup: |
| ... | ... | |
| 935 | 937 |
response_abstract->sign_type = server->certificate ? LASSO_SIGNATURE_TYPE_WITHX509 : |
| 936 | 938 |
LASSO_SIGNATURE_TYPE_SIMPLE; |
| 937 | 939 |
lasso_assign_string(response_abstract->private_key_file, server->private_key); |
| 940 |
lasso_assign_string(response_abstract->private_key_password, server->private_key_password); |
|
| 938 | 941 |
lasso_assign_string(response_abstract->certificate_file, server->certificate); |
| 939 | 942 | |
| 940 | 943 |
cleanup: |
| ... | ... | |
| 1039 | 1042 |
} |
| 1040 | 1043 |
if (sign && lasso_flag_add_signature) {
|
| 1041 | 1044 |
result = lasso_query_sign(unsigned_query, profile->server->signature_method, |
| 1042 |
profile->server->private_key); |
|
| 1045 |
profile->server->private_key, profile->server->private_key_password);
|
|
| 1043 | 1046 |
lasso_release_string(unsigned_query); |
| 1044 | 1047 |
} else {
|
| 1045 | 1048 |
result = unsigned_query; |
| lasso/xml/private.h | ||
|---|---|---|
| 121 | 121 |
xmlSecKeysMngr* lasso_load_certs_from_pem_certs_chain_file (const char *file); |
| 122 | 122 | |
| 123 | 123 |
char* lasso_query_sign(char *query, LassoSignatureMethod sign_method, |
| 124 |
const char *private_key_file); |
|
| 124 |
const char *private_key_file, const char *private_key_password);
|
|
| 125 | 125 | |
| 126 | 126 |
int lasso_query_verify_signature(const char *query, const xmlSecKey *public_key); |
| 127 | 127 | |
| ... | ... | |
| 130 | 130 |
char** urlencoded_to_strings(const char *str); |
| 131 | 131 | |
| 132 | 132 |
int lasso_sign_node(xmlNode *xmlnode, const char *id_attr_name, const char *id_value, |
| 133 |
const char *private_key_file, const char *certificate_file); |
|
| 133 |
const char *private_key_file, const char *private_key_password, |
|
| 134 |
const char *certificate_file); |
|
| 134 | 135 | |
| 135 | 136 |
int lasso_verify_signature(xmlNode *signed_node, xmlDoc *doc, const char *id_attr_name, |
| 136 | 137 |
xmlSecKeysMngr *keys_manager, xmlSecKey *public_key, |
| lasso/xml/saml-2.0/saml2_assertion.c | ||
|---|---|---|
| 98 | 98 |
G_STRUCT_OFFSET(LassoSaml2Assertion, sign_method), NULL, NULL, NULL}, |
| 99 | 99 |
{ "PrivateKeyFile", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
| 100 | 100 |
G_STRUCT_OFFSET(LassoSaml2Assertion, private_key_file), NULL, NULL, NULL}, |
| 101 |
{ "PrivateKeyPassword", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
|
| 102 |
G_STRUCT_OFFSET(LassoSaml2Assertion, private_key_password), NULL, NULL, NULL}, |
|
| 101 | 103 |
{ "CertificateFile", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
| 102 | 104 |
G_STRUCT_OFFSET(LassoSaml2Assertion, certificate_file), NULL, NULL, NULL}, |
| 103 | 105 |
{ "EncryptionActivated", SNIPPET_ATTRIBUTE | SNIPPET_BOOLEAN | SNIPPET_LASSO_DUMP,
|
| ... | ... | |
| 129 | 131 |
"No Private Key set for signing saml2:Assertion"); |
| 130 | 132 |
} else {
|
| 131 | 133 |
rc = lasso_sign_node(xmlnode, "ID", assertion->ID, |
| 132 |
assertion->private_key_file, assertion->certificate_file); |
|
| 134 |
assertion->private_key_file, assertion->private_key_password, assertion->certificate_file);
|
|
| 133 | 135 |
if (rc != 0) {
|
| 134 | 136 |
message(G_LOG_LEVEL_WARNING, "Signing of saml2:Assertion failed: %s", lasso_strerror(rc)); |
| 135 | 137 |
} |
| lasso/xml/saml-2.0/saml2_assertion.h | ||
|---|---|---|
| 77 | 77 |
LassoSignatureType sign_type; |
| 78 | 78 |
LassoSignatureMethod sign_method; |
| 79 | 79 |
char *private_key_file; |
| 80 |
char *private_key_password; |
|
| 80 | 81 |
char *certificate_file; |
| 81 | 82 |
gboolean encryption_activated; |
| 82 | 83 |
char *encryption_public_key_str; |
| lasso/xml/saml-2.0/samlp2_request_abstract.c | ||
|---|---|---|
| 84 | 84 |
G_STRUCT_OFFSET(LassoSamlp2RequestAbstract, sign_method), NULL, NULL, NULL}, |
| 85 | 85 |
{ "PrivateKeyFile", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
| 86 | 86 |
G_STRUCT_OFFSET(LassoSamlp2RequestAbstract, private_key_file), NULL, NULL, NULL}, |
| 87 |
{ "PrivateKeyPassword", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
|
| 88 |
G_STRUCT_OFFSET(LassoSamlp2RequestAbstract, private_key_password), NULL, NULL, NULL}, |
|
| 87 | 89 |
{ "CertificateFile", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
| 88 | 90 |
G_STRUCT_OFFSET(LassoSamlp2RequestAbstract, certificate_file), NULL, NULL, NULL}, |
| 89 | 91 | |
| ... | ... | |
| 127 | 129 |
"No Private Key set for signing samlp2:RequestAbstract"); |
| 128 | 130 |
} else {
|
| 129 | 131 |
rc = lasso_sign_node(xmlnode, "ID", request->ID, |
| 130 |
request->private_key_file, request->certificate_file); |
|
| 132 |
request->private_key_file, request->private_key_password, request->certificate_file);
|
|
| 131 | 133 |
if (rc != 0) {
|
| 132 | 134 |
message(G_LOG_LEVEL_WARNING, "Signing of samlp2:RequestAbstract failed: %s", lasso_strerror(rc)); |
| 133 | 135 |
} |
| lasso/xml/saml-2.0/samlp2_request_abstract.h | ||
|---|---|---|
| 69 | 69 |
LassoSignatureType sign_type; |
| 70 | 70 |
LassoSignatureMethod sign_method; |
| 71 | 71 |
char *private_key_file; |
| 72 |
char *private_key_password; |
|
| 72 | 73 |
char *certificate_file; |
| 73 | 74 | |
| 74 | 75 |
}; |
| lasso/xml/saml-2.0/samlp2_status_response.c | ||
|---|---|---|
| 89 | 89 |
G_STRUCT_OFFSET(LassoSamlp2StatusResponse, sign_method), NULL, NULL, NULL}, |
| 90 | 90 |
{ "PrivateKeyFile", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
| 91 | 91 |
G_STRUCT_OFFSET(LassoSamlp2StatusResponse, private_key_file), NULL, NULL, NULL}, |
| 92 |
{ "PrivateKeyPassword", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
|
| 93 |
G_STRUCT_OFFSET(LassoSamlp2StatusResponse, private_key_password), NULL, NULL, NULL}, |
|
| 92 | 94 |
{ "CertificateFile", SNIPPET_CONTENT | SNIPPET_LASSO_DUMP,
|
| 93 | 95 |
G_STRUCT_OFFSET(LassoSamlp2StatusResponse, certificate_file), NULL, NULL, NULL}, |
| 94 | 96 | |
| ... | ... | |
| 132 | 134 |
"No Private Key set for signing samlp2:StatusResponse"); |
| 133 | 135 |
} else {
|
| 134 | 136 |
rc = lasso_sign_node(xmlnode, "ID", response->ID, |
| 135 |
response->private_key_file, response->certificate_file); |
|
| 137 |
response->private_key_file, response->private_key_password, response->certificate_file);
|
|
| 136 | 138 |
if (rc != 0) {
|
| 137 | 139 |
message(G_LOG_LEVEL_WARNING, "Signing of samlp2:StatusResponse failed: %s", lasso_strerror(rc)); |
| 138 | 140 |
} |
| lasso/xml/saml-2.0/samlp2_status_response.h | ||
|---|---|---|
| 72 | 72 |
LassoSignatureType sign_type; |
| 73 | 73 |
LassoSignatureMethod sign_method; |
| 74 | 74 |
char *private_key_file; |
| 75 |
char *private_key_password; |
|
| 75 | 76 |
char *certificate_file; |
| 76 | 77 | |
| 77 | 78 |
}; |
| lasso/xml/saml_assertion.c | ||
|---|---|---|
| 165 | 165 |
"No Private Key set for signing saml:Assertion"); |
| 166 | 166 |
} else {
|
| 167 | 167 |
rc = lasso_sign_node(xmlnode, "AssertionID", assertion->AssertionID, |
| 168 |
assertion->private_key_file, assertion->certificate_file); |
|
| 168 |
assertion->private_key_file, NULL, assertion->certificate_file);
|
|
| 169 | 169 |
if (rc != 0) {
|
| 170 | 170 |
message(G_LOG_LEVEL_WARNING, "Signing of saml:Assertion failed: %s", lasso_strerror(rc)); |
| 171 | 171 |
} |
| lasso/xml/samlp_request_abstract.c | ||
|---|---|---|
| 93 | 93 |
"No Private Key set for signing samlp:RequestAbstract"); |
| 94 | 94 |
} else {
|
| 95 | 95 |
rc = lasso_sign_node(xmlnode, "RequestID", request->RequestID, |
| 96 |
request->private_key_file, request->certificate_file); |
|
| 96 |
request->private_key_file, NULL, request->certificate_file);
|
|
| 97 | 97 |
if (rc != 0) {
|
| 98 | 98 |
message(G_LOG_LEVEL_WARNING, "Signing of samlp:RequestAbstract failed: %s", lasso_strerror(rc)); |
| 99 | 99 |
} |
| lasso/xml/samlp_response_abstract.c | ||
|---|---|---|
| 97 | 97 |
"No Private Key set for signing samlp:ResponseAbstract"); |
| 98 | 98 |
} else {
|
| 99 | 99 |
rc = lasso_sign_node(xmlnode, "ResponseID", response->ResponseID, |
| 100 |
response->private_key_file, response->certificate_file); |
|
| 100 |
response->private_key_file, NULL, response->certificate_file);
|
|
| 101 | 101 |
if (rc != 0) {
|
| 102 | 102 |
message(G_LOG_LEVEL_WARNING, "Signing of samlp:ResponseAbstract failed: %s", lasso_strerror(rc)); |
| 103 | 103 |
} |
| lasso/xml/tools.c | ||
|---|---|---|
| 379 | 379 |
* Return value: a newly allocated query signed or NULL if an error occurs. |
| 380 | 380 |
**/ |
| 381 | 381 |
char* |
| 382 |
lasso_query_sign(char *query, LassoSignatureMethod sign_method, const char *private_key_file) |
|
| 382 |
lasso_query_sign(char *query, LassoSignatureMethod sign_method, const char *private_key_file, |
|
| 383 |
G_GNUC_UNUSED const char *private_key_password) |
|
| 383 | 384 |
{
|
| 384 | 385 |
BIO *bio = NULL; |
| 385 | 386 |
char *digest = NULL; /* 160 bit buffer */ |
| ... | ... | |
| 433 | 434 |
/* calculate signature value */ |
| 434 | 435 |
if (sign_method == LASSO_SIGNATURE_METHOD_RSA_SHA1) {
|
| 435 | 436 |
/* load private key */ |
| 436 |
rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL);
|
|
| 437 |
rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, (void*)private_key_password);
|
|
| 437 | 438 |
if (rsa == NULL) {
|
| 438 | 439 |
goto done; |
| 439 | 440 |
} |
| ... | ... | |
| 443 | 444 |
status = RSA_sign(NID_sha1, (unsigned char*)digest, 20, sigret, &siglen, rsa); |
| 444 | 445 |
RSA_free(rsa); |
| 445 | 446 |
} else if (sign_method == LASSO_SIGNATURE_METHOD_DSA_SHA1) {
|
| 446 |
dsa = PEM_read_bio_DSAPrivateKey(bio, NULL, NULL, NULL);
|
|
| 447 |
dsa = PEM_read_bio_DSAPrivateKey(bio, NULL, NULL, (void*)private_key_password);
|
|
| 447 | 448 |
if (dsa == NULL) {
|
| 448 | 449 |
goto done; |
| 449 | 450 |
} |
| ... | ... | |
| 744 | 745 | |
| 745 | 746 |
int |
| 746 | 747 |
lasso_sign_node(xmlNode *xmlnode, const char *id_attr_name, const char *id_value, |
| 747 |
const char *private_key_file, const char *certificate_file) |
|
| 748 |
const char *private_key_file, G_GNUC_UNUSED const char* private_key_password, const char *certificate_file)
|
|
| 748 | 749 |
{
|
| 749 | 750 |
xmlDoc *doc; |
| 750 | 751 |
xmlNode *sign_tmpl, *old_parent; |
| ... | ... | |
| 769 | 770 |
if (access(private_key_file, R_OK) == 0) {
|
| 770 | 771 |
dsig_ctx->signKey = xmlSecCryptoAppKeyLoad(private_key_file, |
| 771 | 772 |
xmlSecKeyDataFormatPem, |
| 772 |
NULL, NULL, NULL);
|
|
| 773 |
private_key_password, NULL, NULL);
|
|
| 773 | 774 |
} else {
|
| 774 | 775 |
int len = private_key_file ? strlen(private_key_file) : 0; |
| 775 | 776 |
dsig_ctx->signKey = xmlSecCryptoAppKeyLoadMemory((xmlSecByte*)private_key_file, len, |
| 776 |
xmlSecKeyDataFormatPem, NULL, NULL, NULL);
|
|
| 777 |
xmlSecKeyDataFormatPem, private_key_password, NULL, NULL);
|
|
| 777 | 778 |
} |
| 778 | 779 |
if (dsig_ctx->signKey == NULL) {
|
| 779 | 780 |
xmlSecDSigCtxDestroy(dsig_ctx); |
| lasso/xml/xml.c | ||
|---|---|---|
| 390 | 390 | |
| 391 | 391 |
unsigned_query = lasso_node_build_query(node); |
| 392 | 392 |
if (private_key_file) {
|
| 393 |
query = lasso_query_sign(unsigned_query, sign_method, private_key_file); |
|
| 393 |
query = lasso_query_sign(unsigned_query, sign_method, private_key_file, NULL);
|
|
| 394 | 394 |
} else {
|
| 395 | 395 |
lasso_transfer_string(query, unsigned_query); |
| 396 | 396 |
} |
| tests/data/idp7-saml2/metadata.xml | ||
|---|---|---|
| 1 |
<?xml version="1.0"?> |
|
| 2 |
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" |
|
| 3 |
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" |
|
| 4 |
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" |
|
| 5 |
entityID="http://idp5/metadata"> |
|
| 6 |
<IDPSSODescriptor |
|
| 7 |
WantAuthnRequestsSigned="true" |
|
| 8 |
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> |
|
| 9 |
<KeyDescriptor use="signing"> |
|
| 10 |
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
|
| 11 |
<ds:X509Data><ds:X509Certificate> |
|
| 12 |
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP |
|
| 13 |
MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91 |
|
| 14 |
dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5 |
|
| 15 |
MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF |
|
| 16 |
UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw |
|
| 17 |
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq |
|
| 18 |
h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m |
|
| 19 |
6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u |
|
| 20 |
uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH |
|
| 21 |
ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi |
|
| 22 |
+3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA |
|
| 23 |
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0 |
|
| 24 |
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G |
|
| 25 |
A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB |
|
| 26 |
AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ |
|
| 27 |
BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa |
|
| 28 |
pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew |
|
| 29 |
fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP |
|
| 30 |
NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR |
|
| 31 |
LlTxKnCrWAXftSm1rNtewTsF |
|
| 32 |
</ds:X509Certificate></ds:X509Data> |
|
| 33 |
</ds:KeyInfo> |
|
| 34 |
</KeyDescriptor> |
|
| 35 |
<KeyDescriptor use="encryption"> |
|
| 36 |
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
|
| 37 |
<ds:KeyValue> |
|
| 38 |
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP |
|
| 39 |
MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91 |
|
| 40 |
dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5 |
|
| 41 |
MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF |
|
| 42 |
UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw |
|
| 43 |
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq |
|
| 44 |
h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m |
|
| 45 |
6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u |
|
| 46 |
uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH |
|
| 47 |
ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi |
|
| 48 |
+3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA |
|
| 49 |
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0 |
|
| 50 |
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G |
|
| 51 |
A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB |
|
| 52 |
AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ |
|
| 53 |
BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa |
|
| 54 |
pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew |
|
| 55 |
fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP |
|
| 56 |
NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR |
|
| 57 |
LlTxKnCrWAXftSm1rNtewTsF |
|
| 58 |
</ds:KeyValue> |
|
| 59 |
</ds:KeyInfo> |
|
| 60 |
</KeyDescriptor> |
|
| 61 | ||
| 62 |
<ArtifactResolutionService isDefault="true" index="0" |
|
| 63 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" |
|
| 64 |
Location="http://idp5/artifact" /> |
|
| 65 |
<SingleLogoutService |
|
| 66 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" |
|
| 67 |
Location="http://idp5/singleLogoutSOAP" /> |
|
| 68 |
<SingleLogoutService |
|
| 69 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" |
|
| 70 |
Location="http://idp5/singleLogout" |
|
| 71 |
ResponseLocation="http://idp5/singleLogoutReturn" /> |
|
| 72 |
<ManageNameIDService |
|
| 73 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" |
|
| 74 |
Location="http://idp5/manageNameIdSOAP" /> |
|
| 75 |
<ManageNameIDService |
|
| 76 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" |
|
| 77 |
Location="http://idp5/manageNameId" |
|
| 78 |
ResponseLocation="http://idp5/manageNameIdReturn" /> |
|
| 79 |
<SingleSignOnService |
|
| 80 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" |
|
| 81 |
Location="http://idp5/singleSignOn" /> |
|
| 82 |
<SingleSignOnService |
|
| 83 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" |
|
| 84 |
Location="http://idp5/singleSignOnSOAP" /> |
|
| 85 |
</IDPSSODescriptor> |
|
| 86 |
<AuthnAuthorityDescriptor |
|
| 87 |
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> |
|
| 88 |
<AuthnQueryService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/authnQueryService"/> |
|
| 89 |
<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/authnAuthAssertionIDRequestService"/> |
|
| 90 |
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> |
|
| 91 |
</AuthnAuthorityDescriptor> |
|
| 92 |
<PDPDescriptor |
|
| 93 |
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> |
|
| 94 |
<AuthzService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/authzService"/> |
|
| 95 |
<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/PDPAuthAssertionIDRequestService"/> |
|
| 96 |
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:kerberos</NameIDFormat> |
|
| 97 |
</PDPDescriptor> |
|
| 98 |
<AttributeAuthorityDescriptor |
|
| 99 |
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> |
|
| 100 |
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/attributeService"/> |
|
| 101 |
<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/AttributeAuthAssertionIDRequestService"/> |
|
| 102 |
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat> |
|
| 103 |
</AttributeAuthorityDescriptor> |
|
| 104 |
<Organization> |
|
| 105 |
<OrganizationName xml:lang="en">Entr'ouvert</OrganizationName> |
|
| 106 |
</Organization> |
|
| 107 | ||
| 108 |
</EntityDescriptor> |
|
| tests/data/idp7-saml2/password | ||
|---|---|---|
| 1 |
geronimo |
|
| tests/data/idp7-saml2/private-key.pem | ||
|---|---|---|
| 1 |
-----BEGIN RSA PRIVATE KEY----- |
|
| 2 |
Proc-Type: 4,ENCRYPTED |
|
| 3 |
DEK-Info: AES-256-CBC,41BE9422FBDF1769BFEF03F9116F7A86 |
|
| 4 | ||
| 5 |
qKrThgVCsCb5Lx/7RIpwuvDZi6gvxEFb33QEjIEWdZ+ad0dkGRvxrIqqj+XvHEeW |
|
| 6 |
V57oPO1sFAlgb+zBrGZpqItCAJEqC4NU55SwKZpKUtT0XdlHFRyfORlBwzb0qW/3 |
|
| 7 |
dZbyhsEm+164MdXsCZiUYS/VAm8b1pYmBIkoPSZMMnPljNYVigRpYttF9dwMYgTQ |
|
| 8 |
u/FwRS696qGSyo7ko00P8UbtTLgM+ufkCFNld6uxYphSNXAQyRQz4vQs97emNE58 |
|
| 9 |
4JB5//0agCOa9qUz14ZQSpM2JyoevMHUOHyjbGJOLsCMPnQEboKvgj0gsZcgP2Ys |
|
| 10 |
K4Nf/EQKadBbXpK4olxz50e6ybR0i7nylYsu7YVFyFR9GWbra29OAYEPvQxvBll7 |
|
| 11 |
RIoZ4hI0ZgBY0qFFcyZbKH94Pqk5w0QSjfkHPcH/WL0UjLb+n59KsIUnmZ3dtiF9 |
|
| 12 |
9mdE71wq94jOcqibjVmUy3Gyw4COZKTTjq9ptuLBC6fEPxGh6dfpSSV431Wpvpxy |
|
| 13 |
OE15vfeT1i/ymH0ckWsQXgUqZ6QTuaTvlu5JpD94Blu7p6Rzj5fxEnLhOtwjXWpq |
|
| 14 |
k6MAlS9bKhGbPbnzAqm5HkRypgDaNBPRXZhb9LClB5ysfjZRNdxCWrWusEGEtioQ |
|
| 15 |
TdkPsUZ78d8m3u+FvOM2mTVkQBa6sAEl1l8fuOITuaNCYLBIIhyAvJfXRHhOC+zs |
|
| 16 |
nvS6DX+3bZupxFJFcMi9fqlmz0QSXj4tKlbHY/xo3dGqQj5BWyibo8tDVhVIYy99 |
|
| 17 |
zo/t8J0LTfSSCIvoV2gFHSoC7RIJ9Q25L0AV6TQiB2F/7FTeznfd7Tk9ZHokmiED |
|
| 18 |
5VAKGRjDmPCZIJr2pbeEmwzs3r/p53JfLyNProv+ljTJLgdFtG1en5A3MsmymR0c |
|
| 19 |
LTIxHWZjAwl7ai1yGghzqVYllm+OFjo6LsSusbuQwKs+Bo9qZPCBb10gQGur+ZR8 |
|
| 20 |
r9Vfd3WV/WMJfi8Ciogd+uXhPzVxf5PyBvZh9vwqXHSB9YLxe+NpAxLxF5OuZmJx |
|
| 21 |
VBdTA5y19XUvyucOOxjcJZaZTP6BYADsaUxhQIQHfyUtk6Y7Iwk2Abf4TQIuC5x6 |
|
| 22 |
XEeRSmbKPCkuKh9L0H4KcK6hmFSyh7AICpUEW7tcMtK9HaZT/K5jsHPkG5q/3GXh |
|
| 23 |
ed7e0QaA2Qc0uAvoFgGTPkgE6Nym30R6NUlnHl2T3gK9Ei6fQKdTYPYgRXAKmbNO |
|
| 24 |
Wp0cjQ7w1zUNjoxkACX2Br2xm3DhnLVFPj6AWpnCsTtQA3ecgIzvSZugxpr0muP0 |
|
| 25 |
SIPpBuyko+t0YQjP3DOZxeiLQ5o+3VxI749KfDuaNZsDN7ZPso7Pt1oG34uGgsFl |
|
| 26 |
UypVEv+CgzTkepPPqJTWgK5VfNrSK3ev7Is90bpiyjwqywlwYaZUOXBm+wBwUmtH |
|
| 27 |
T+lLtw00R5JGolA4I2MCd4PTauzbj30jLYJWLLW8sZcfMgpwnKUNtVwRaDMnOXIA |
|
| 28 |
eX0cesfIbMiYF1sgR2Lqar/uqSJf1Kx8xIFdvqYZWsudF0ij4fva4xtCc0bgrnSy |
|
| 29 |
lz91YgfF95hTd/qcCiO5GQxScG7umtUZLYmZKqtYKDjCkvtvnGFhqB5Ie21DK6OX |
|
| 30 |
-----END RSA PRIVATE KEY----- |
|
| tests/data/sp7-saml2/metadata.xml | ||
|---|---|---|
| 1 |
<?xml version="1.0"?> |
|
| 2 |
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" |
|
| 3 |
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" |
|
| 4 |
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" |
|
| 5 |
entityID="http://sp7/metadata"> |
|
| 6 |
<SPSSODescriptor |
|
| 7 |
AuthnRequestsSigned="true" |
|
| 8 |
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> |
|
| 9 | ||
| 10 |
<KeyDescriptor use="signing"> |
|
| 11 |
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> |
|
| 12 |
<ds:KeyValue>-----BEGIN PUBLIC KEY----- |
|
| 13 |
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN0uVeOaTMQjhFlwGv/yBiGOdHDwiHb3 |
|
| 14 |
BD+ALxLgfcd9LpbAePbKk4Tx/juoEEPT3guQD0zyg0IcqkXO/JxrPa0CAwEAAQ== |
|
| 15 |
-----END PUBLIC KEY-----</ds:KeyValue> |
|
| 16 |
</ds:KeyInfo> |
|
| 17 |
</KeyDescriptor> |
|
| 18 | ||
| 19 |
<SingleLogoutService |
|
| 20 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" |
|
| 21 |
Location="http://sp7/singleLogoutSOAP" /> |
|
| 22 |
<SingleLogoutService |
|
| 23 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" |
|
| 24 |
Location="http://sp7/singleLogout" |
|
| 25 |
ResponseLocation="http://sp7/singleLogoutReturn" /> |
|
| 26 |
<ManageNameIDService |
|
| 27 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" |
|
| 28 |
Location="http://sp7/manageNameIdSOAP" /> |
|
| 29 |
<ManageNameIDService |
|
| 30 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" |
|
| 31 |
Location="http://sp7/manageNameId" |
|
| 32 |
ResponseLocation="http://sp7/manageNameIdReturn" /> |
|
| 33 |
<AssertionConsumerService isDefault="true" index="0" |
|
| 34 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" |
|
| 35 |
Location="http://sp7/singleSignOnArtifact" /> |
|
| 36 |
<AssertionConsumerService index="1" |
|
| 37 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" |
|
| 38 |
Location="http://sp7/singleSignOnPost" /> |
|
| 39 |
<AssertionConsumerService index="2" |
|
| 40 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" |
|
| 41 |
Location="http://sp7/singleSignOnSOAP" /> |
|
| 42 |
</SPSSODescriptor> |
|
| 43 |
<Organization> |
|
| 44 |
<OrganizationName xml:lang="en">Lasso Test SP7</OrganizationName> |
|
| 45 |
</Organization> |
|
| 46 |
</EntityDescriptor> |
|
| tests/data/sp7-saml2/password | ||
|---|---|---|
| 1 |
geronimo |
|
| tests/data/sp7-saml2/private-key.pem | ||
|---|---|---|
| 1 |
-----BEGIN RSA PRIVATE KEY----- |
|
| 2 |
Proc-Type: 4,ENCRYPTED |
|
| 3 |
DEK-Info: AES-256-CBC,EF4EF473516D85011B23403600D01371 |
|
| 4 | ||
| 5 |
kwbLjFZ8SsSyhTosBKpU1N5hvh4INRpJkXmj8aNHppz75nyGTo/jar+FRD6LA0fX |
|
| 6 |
3dbXdcHveUHSFs9t2AADQfVAJUbZU0D3bN0horJljA+ymiZ22Fr421cdxqbd2+1U |
|
| 7 |
4ZmPKF+w/ALkal821a2+br/OP6V1mA4KH7/YScmSGKGKkl1TZ/5cV8bjwAQGJyck |
|
| 8 |
4e0loU9yrAkw3oua1bWAudl7suS62K0AQA3K5lmfUld3JNzO/TQq2qIcvJVU1hEi |
|
| 9 |
UtE8biPKjcNOdEcz98+hgsHd1+jBR4tazaaib92P3ga7IgAr+AGwoHd6wBh5q11+ |
|
| 10 |
1/cNTH8MC2AbQhhll4e9bo7A/RmorqvIUQ4/7b8lBzi8JbcgME3UOhBJqSzkgnTb |
|
| 11 |
emO3IOAQHLbcvel03MbiwS8nhKjdldNdj2NudHD8FPI= |
|
| 12 |
-----END RSA PRIVATE KEY----- |
|