0003-Make-the-default-signature-method-and-the-minimal-ha.patch
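--- a/configure.ac
+++ b/configure.ac
@@ -795,6 +795,43 @@
 AC_MSG_RESULT(no)
 fi
 
+AC_ARG_WITH([default-sign-algo],
+[AS_HELP_STRING([--with-default-sign-algo=[rsa-sha1|rsa-sha256]],
+[Default signing algorithm (rsa-sha1)]
+)
+]
+)
+
+SIGNING_ALGO=rsa-sha1
+if test x"$with_default_sign_algo" != x; then
+if test ! "$with_default_sign_algo" = "rsa-sha1" -a ! "$with_default_sign_algo" = "rsa-sha256"; then
+AC_MSG_ERROR("Default signing algorithm must be either rsa-sha1 or rsa-sha256")
+else
+SIGNING_ALGO=$with_default_sign_algo
+fi
+fi
+
+AC_DEFINE_UNQUOTED(DEFAULT_SIGNING_ALGO, "$SIGNING_ALGO", ["The default signing algorithm"])
+
+AC_ARG_WITH([min-hash-algo],
+[AS_HELP_STRING([--with-min-hash-algo=[sha1|sha256|sha384|sha512]],
+[Minimal allowed hash algorithm (rsa-sha1)]
+)
+]
+)
+
+MIN_HASH_ALGO=sha1
+if test x"$with_min_hash_algo" != x; then
+if test ! "$with_min_hash_algo" = "sha1" -a ! "$with_min_hash_algo" = "sha256" -a ! "$with_min_hash_algo" = "sha384" -a ! "$with_min_hash_algo" = "sha512"; then
+AC_MSG_ERROR("Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512)
+else
+MIN_HASH_ALGO=$with_min_hash_algo
+fi
+fi
+
+AC_DEFINE_UNQUOTED(MIN_HASH_ALGO, "$MIN_HASH_ALGO", ["The minimal hash algorithm"])
+
+
 dnl ==========================================================================
 dnl Pedantic compilation
 dnl ==========================================================================
@@ -939,4 +976,9 @@
 
 C API references: ${enable_gtk_doc}
 Tests suite: ${enable_tests}
+
+Crypto settings
+---------------
+Default signature: ${SIGNING_ALGO}
+Minimal accepted hash: ${MIN_HASH_ALGO}
 )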
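Review bot: The `AC_MSG_ERROR` call for `--with-min-hash-algo` opens a double quote that is never closed, so the generated configure script probably ends up with unbalanced shell quoting on that error path. Quote the message the m4 way instead, `AC_MSG_ERROR([Minimal allowed hash algorithm must be one of sha1, sha256, sha384 or sha512])`, and do the same for the signing-algorithm message. The help string for `--with-min-hash-algo` gives the default as `(rsa-sha1)` although the value actually assigned is `sha1`. Both defaults stay at SHA-1, so a build that passes neither option still signs with and accepts the weakest choice; if that is kept for compatibility, the help text should say so.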
lasso/id-ff/server.c | ||
---|---|---|
682 | 682 |
server->private_key = NULL; |
683 | 683 |
server->private_key_password = NULL; |
684 | 684 |
server->certificate = NULL; |
685 |
server->signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
|
|
685 |
server->signature_method = lasso_get_default_signature_method();
|
|
686 | 686 | |
687 | 687 |
server->services = g_hash_table_new_full(g_str_hash, g_str_equal, |
688 | 688 |
(GDestroyNotify)g_free, |
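Review bot: The assignment from `lasso_get_default_signature_method()` copies the library-wide default into `server->signature_method` once, when the server object is set up, so a later `lasso_set_default_signature_method()` call does not reach servers that already exist. That deserves a one-line comment above the assignment, for example `/* snapshot of the process-wide default; later changes to the default do not affect this server */`. The enclosing function starts and ends outside this section, so whether another path overwrites the field afterwards cannot be seen here.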
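--- a/lasso/id-ff/server.h
+++ b/lasso/id-ff/server.h
@@ -133,6 +133,8 @@
 LASSO_EXPORT GList *lasso_server_get_filtered_provider_list(const LassoServer *server,
 LassoProviderRole role, LassoMdProtocolType protocol_type, LassoHttpMethod http_method);
 
+LASSO_EXPORT LassoSignatureMethod lasso_get_default_signature_method();
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
 
 #ifdef __cplusplus
 }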
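Review bot: `lasso_get_default_signature_method()` is declared with `LASSO_EXPORT` but the setter on the next line is not, and lasso/xml/xml.h declares the same two functions again with no export marker at all. Keep one declaration pair in one header and give both the same visibility; if the setter is meant to be public, write `LASSO_EXPORT void lasso_set_default_signature_method(LassoSignatureMethod meth);`. The getter's empty parameter list should also be `(void)`, since `()` in C leaves the parameters unspecified.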
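--- a/lasso/lasso.c
+++ b/lasso/lasso.c
@@ -149,6 +149,44 @@
 g_log("libxmlsec", G_LOG_LEVEL_DEBUG, "libxmlsec: %s:%d:%s:%s:%s:%s:%s", file, line, func, errorObject, errorSubject, xmlSecErrorsGetMsg(reason), msg);
 }
 
+static int
+set_default_signature_method()
+{
+int rv = LASSO_ERROR_UNDEFINED;
+
+if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha256")) {
+lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
+rv = 0;
+} else if (lasso_strisequal(DEFAULT_SIGNING_ALGO, "rsa-sha1")) {
+lasso_set_default_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
+rv = 0;
+}
+
+return rv;
+}
+
+static int
+set_min_allowed_hash_algo()
+{
+int rv = LASSO_ERROR_UNDEFINED;
+
+if (lasso_strisequal(MIN_HASH_ALGO, "sha1")) {
+lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA1);
+rv = 0;
+} else if (lasso_strisequal(MIN_HASH_ALGO, "sha256")) {
+lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA256);
+rv = 0;
+} else if (lasso_strisequal(MIN_HASH_ALGO, "sha384")) {
+lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA384);
+rv = 0;
+} else if (lasso_strisequal(MIN_HASH_ALGO, "sha512")) {
+lasso_set_min_signature_method(LASSO_SIGNATURE_METHOD_RSA_SHA512);
+rv = 0;
+}
+
+return rv;
+}
+
 /**
 * lasso_init:
 *
@@ -164,6 +202,19 @@
 g_type_init();
 #endif
 
+/* Set the default hash algo */
+if (set_default_signature_method() != 0) {
+message(G_LOG_LEVEL_CRITICAL, "Unsupported signature "
+"algorithm "DEFAULT_SIGNING_ALGO" configured");
+return LASSO_ERROR_UNDEFINED;
+}
+if (set_min_allowed_hash_algo() != 0) {
+message(G_LOG_LEVEL_CRITICAL, "Unsupported hash algorithm "
+"algorithm "MIN_HASH_ALGO" configured");
+return LASSO_ERROR_UNDEFINED;
+}
+
+
 /* Init Lasso classes */
 for (i=0; functions[i]; i++)
 functions[i]();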
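Review bot: `lasso_init()` validates the two build-time settings independently, so a build configured with `--with-default-sign-algo=rsa-sha1` and `--with-min-hash-algo=sha256` initialises cleanly and then signs by default with a method below its own accepted minimum. After both setters have run, compare the two and fail initialisation, for example `if (lasso_get_default_signature_method() < lasso_get_min_signature_method()) return LASSO_ERROR_UNDEFINED;` (this assumes the enum is ordered by strength, which the page does not show), or reject the combination in configure.ac. The second critical message reads "Unsupported hash algorithm algorithm ..." because the word is repeated across the two string literals. Nothing in this section consults the minimum when a signature is verified, so the enforcement presumably lives in another patch of the series.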
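--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -91,6 +91,10 @@
 GHashTable *idwsf2_dst_services_by_href = NULL; /* ID-WSF 2 DST services, indexed on href */
 GHashTable *idwsf2_dst_services_by_prefix = NULL; /* ID-WSF 2 DST services, indexed on prefix */
 
+
+static LassoSignatureMethod default_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
+static LassoSignatureMethod min_signature_method = LASSO_SIGNATURE_METHOD_RSA_SHA1;
+
 /*****************************************************************************/
 /* global methods */
 /*****************************************************************************/
@@ -3689,3 +3693,23 @@
 cleanup:
 return result;
 }
+
+LassoSignatureMethod
+lasso_get_default_signature_method() {
+return default_signature_method;
+}
+
+void
+lasso_set_default_signature_method(LassoSignatureMethod meth) {
+default_signature_method = meth;
+}
+
+LassoSignatureMethod
+lasso_get_min_signature_method() {
+return min_signature_method;
+}
+
+void
+lasso_set_min_signature_method(LassoSignatureMethod meth) {
+min_signature_method = meth;
+}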
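Review bot: Both setters store whatever value they are given, so `lasso_set_min_signature_method()` can lower at run time the floor chosen at build time, and either setter accepts values that are not real methods, such as `LASSO_SIGNATURE_METHOD_LAST`. lasso/xml/xml.h already has `lasso_validate_signature_method()`; guarding the assignment with it, e.g. `if (!lasso_validate_signature_method(meth)) return;`, would keep an out-of-range value out of the globals (its body is outside this page, so confirm it rejects the sentinel values). The two statics are written without any locking, which is fine only if the setters are called before other threads use the library; a comment on the setters should say so. The initialisers keep `LASSO_SIGNATURE_METHOD_RSA_SHA1`, so a program that uses the library without a successful `lasso_init()` still defaults to SHA-1.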
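--- a/lasso/xml/xml.h
+++ b/lasso/xml/xml.h
@@ -116,6 +116,15 @@
 LASSO_SIGNATURE_METHOD_LAST
 } LassoSignatureMethod;
 
+/* signature method and hash strength */
+LassoSignatureMethod lasso_get_default_signature_method();
+
+void lasso_set_default_signature_method(LassoSignatureMethod meth);
+
+LassoSignatureMethod lasso_get_min_signature_method();
+
+void lasso_set_min_signature_method(LassoSignatureMethod meth);
+
 static inline gboolean
 lasso_validate_signature_method(LassoSignatureMethod signature_method)
 {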
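Review bot: The new prototypes do not document what "minimum" means for a `LassoSignatureMethod`. The configure option is expressed as a hash (`sha1` to `sha512`) while the API takes a full signature method, so a reader cannot tell how a non-RSA method compares against the floor. Once the intended comparison is confirmed, add a comment on the block such as `/* the minimum is compared by enum order; methods ordered below it are rejected */`. The two getters should be declared `(void)` rather than `()`.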
tests/random_tests.c | ||
---|---|---|
97 | 97 |
fail_unless(server->private_key != NULL); |
98 | 98 |
fail_unless(server->private_key_password == NULL); |
99 | 99 |
fail_unless(server->certificate != NULL); |
100 |
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
|
100 |
fail_unless(server->signature_method == lasso_get_default_signature_method());
|
|
101 | 101 |
fail_unless(provider->ProviderID != NULL); |
102 | 102 |
fail_unless(provider->role == 0); |
103 | 103 |
fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL)); |
... | ... | |
115 | 115 |
fail_unless(server->private_key != NULL); |
116 | 116 |
fail_unless(server->private_key_password == NULL); |
117 | 117 |
fail_unless(server->certificate != NULL); |
118 |
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
|
118 |
fail_unless(server->signature_method == lasso_get_default_signature_method());
|
|
119 | 119 |
fail_unless(server->providers != NULL); |
120 | 120 |
fail_unless(provider->ProviderID != NULL); |
121 | 121 |
fail_unless(provider->role == 0, "provider->role != 0 => provider := %d", provider->role); |
... | ... | |
143 | 143 |
fail_unless(server->private_key != NULL); |
144 | 144 |
fail_unless(! server->private_key_password); |
145 | 145 |
fail_unless(server->certificate != NULL); |
146 |
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
|
|
146 |
fail_unless(server->signature_method == lasso_get_default_signature_method());
|
|
147 | 147 |
fail_unless(server->providers != NULL); |
148 | 148 |
lasso_server_add_provider( |
149 | 149 |
server, |
150 |
- |