Posted to rampart-dev@ws.apache.org by su...@apache.org on 2008/04/18 07:58:14 UTC
svn commit: r649377 - in /webservices/rampart/trunk/c: include/saml.h
src/omxmlsec/saml/assertion.c src/omxmlsec/saml/attr_stmt.c
src/omxmlsec/saml/sutil.c src/omxmlsec/xml_signature.c
src/util/rampart_saml.c
Author: supun
Date: Thu Apr 17 22:58:09 2008
New Revision: 649377
URL: http://svn.apache.org/viewvc?rev=649377&view=rev
Log:
Fixed issue RAMPARTC-89
Modified:
webservices/rampart/trunk/c/include/saml.h
webservices/rampart/trunk/c/src/omxmlsec/saml/assertion.c
webservices/rampart/trunk/c/src/omxmlsec/saml/attr_stmt.c
webservices/rampart/trunk/c/src/omxmlsec/saml/sutil.c
webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c
webservices/rampart/trunk/c/src/util/rampart_saml.c
Modified: webservices/rampart/trunk/c/include/saml.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/saml.h?rev=649377&r1=649376&r2=649377&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/saml.h (original)
+++ webservices/rampart/trunk/c/include/saml.h Thu Apr 17 22:58:09 2008
@@ -613,8 +613,8 @@
* @param env pointer to environment struct
*/
AXIS2_EXTERN int AXIS2_CALL
-saml_assertion_sign(saml_assertion_t *assertion, axutil_env_t *env,
- oxs_sign_ctx_t *sign_ctx, axiom_node_t **node);
+saml_assertion_sign(saml_assertion_t *assertion,
+ axiom_node_t *node, axutil_env_t *env);
/*
* Remove the information set for signing or verifying the assertion.
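Review bot: The documentation block above this prototype still lists only `env` and says nothing about `node` or about where the signing context now comes from, so a header reader cannot tell that the assertion must already carry an `oxs_sign_ctx_t` (the implementation in assertion.c reads `a->sign_ctx`). I would add `@param node the assertion element to sign in place` and `@return AXIS2_SUCCESS on success, AXIS2_FAILURE otherwise`, plus a one-line note that the sign context has to be attached to the assertion before this is called. Dropping a parameter from an AXIS2_EXTERN function is also a source- and binary-incompatible change for any external caller of the old four-argument form and deserves a line in the release notes. The comment block begins before this hunk.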
Modified: webservices/rampart/trunk/c/src/omxmlsec/saml/assertion.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/saml/assertion.c?rev=649377&r1=649376&r2=649377&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/saml/assertion.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/saml/assertion.c Thu Apr 17 22:58:09 2008
@@ -34,6 +34,8 @@
assertion->issuer = NULL;
assertion->issue_instant = NULL;
assertion->signature = NULL;
+ assertion->sign_ctx = NULL;
+ assertion->ori_xml = NULL;
}
return assertion;
}
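Review bot: The constructor now zeroes `sign_ctx` and `ori_xml`, but nothing in the visible hunks of saml_assertion_free releases either field and the diff does not say who owns them. If the caller keeps the sign context alive and frees it itself, a comment such as `/* sign_ctx is borrowed: the caller keeps ownership and must outlive this assertion */` would prevent a later double free; if the assertion owns it, saml_assertion_free should release it with the oxs context free routine. The remainder of saml_assertion_free lies outside this diff, so this may already be handled there.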
@@ -42,6 +44,8 @@
saml_assertion_free(saml_assertion_t *assertion, axutil_env_t *env)
{
int i = 0, size = 0;
+
+
if (assertion->major_version)
{
AXIS2_FREE(env->allocator, assertion->major_version);
@@ -78,7 +82,7 @@
size = axutil_array_list_size(assertion->conditions, env);
for (i = 0; i < size; i++)
{
- cond = axutil_array_list_get(assertion->conditions, env, i);
+ cond = (saml_condition_t*)axutil_array_list_get(assertion->conditions, env, i);
if (cond)
{
saml_condition_free(cond, env);
@@ -307,14 +311,15 @@
}
}
}
- if (assertion->signature)
+ /*if (assertion->signature)
{
- }
- /*if (assertion->sign_ctx)
- {
- oxs_xml_sig_sign(env, assertion->sign_ctx, n, &assertion->signature);
}*/
+ if (assertion->sign_ctx)
+ {
+ //oxs_xml_sig_sign(env, assertion->sign_ctx, n, &assertion->signature);
+ saml_assertion_sign(assertion, n, env);
+ }
}
return n;
}
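Review bot: The return value of `saml_assertion_sign(assertion, n, env)` is discarded, so if signing fails the function still hands back `n` as a finished assertion and the caller cannot tell that it is unsigned. Since this is the only place the signature gets attached, a failure should propagate, e.g. `if (saml_assertion_sign(assertion, n, env) != AXIS2_SUCCESS) { axiom_node_free_tree(n, env); return NULL; }`, or whatever the enclosing function, which starts before this hunk, does on its other failure paths. The old commented-out `oxs_xml_sig_sign` call and the `//` line should be deleted rather than kept alongside the live call; the rest of the file uses `/* */`.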
@@ -551,7 +556,7 @@
}
AXIS2_EXTERN int AXIS2_CALL
-saml_assertion_sign(saml_assertion_t *a, axutil_env_t *env, oxs_sign_ctx_t *sign_ctx, axiom_node_t **node)
+saml_assertion_sign(saml_assertion_t *a, axiom_node_t *node, axutil_env_t *env)
{
axiom_node_t *n= NULL;
oxs_sign_part_t* sig_part = NULL;
@@ -567,12 +572,12 @@
sig_part = axutil_array_list_get(sig_parts, env, i);
if(sig_part)
{
- oxs_sign_part_set_node(sig_part, env, *node);
+ oxs_sign_part_set_node(sig_part, env, node);
}
}
}
- oxs_xml_sig_sign(env, a->sign_ctx, *node, &n);
+ oxs_xml_sig_sign(env, a->sign_ctx, node, &n);
/*Finally build KeyInfo*/
oxs_xml_key_info_build(env, n, oxs_sign_ctx_get_certificate(a->sign_ctx, env), OXS_KIBP_X509DATA_X509CERTIFICATE);
return AXIS2_SUCCESS;
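Review bot: `oxs_xml_sig_sign` is called for its side effect only and the function returns `AXIS2_SUCCESS` unconditionally, so a signing failure (no private key in the context, a transform that cannot run) is reported as success and the caller is left with an unsigned or half-built assertion. `a->sign_ctx` and `node` are also dereferenced without a check, which matters because this is an AXIS2_EXTERN entry point and the only null guard sits in the internal caller. I would start with `if (!a || !a->sign_ctx || !node) return AXIS2_FAILURE;` and replace the sign call with `if (oxs_xml_sig_sign(env, a->sign_ctx, node, &n) != AXIS2_SUCCESS || !n) return AXIS2_FAILURE;` before building KeyInfo, assuming it returns an axis2_status_t like the verify counterpart. Note also that `n`, the new Signature node, is never stored in `a->signature`, whereas the old commented-out call in this file passed `&assertion->signature` as its out parameter; if anything reads that field it is now never set. The function's closing brace is outside the hunk.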
Modified: webservices/rampart/trunk/c/src/omxmlsec/saml/attr_stmt.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/saml/attr_stmt.c?rev=649377&r1=649376&r2=649377&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/saml/attr_stmt.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/saml/attr_stmt.c Thu Apr 17 22:58:09 2008
@@ -204,10 +204,10 @@
axutil_hash_this(hi, NULL, NULL, &v);
if (v)
{
- axis2_char_t *attr_val = NULL;
+ axis2_char_t *attr_local_name = NULL;
axiom_attribute_t *attr = (axiom_attribute_t*)v;
- attr_val = axiom_attribute_get_value(attr, env);
- if (0 != axutil_strcmp(attr_val, SAML_ATTRIBUTE_NAME) && 0 != axutil_strcmp(attr_val, SAML_ATTRIBUTE_NAMESPACE))
+ attr_local_name = axiom_attribute_get_localname(attr, env);
+ if (0 != axutil_strcmp(attr_local_name, SAML_ATTRIBUTE_NAME) && 0 != axutil_strcmp(attr_local_name, SAML_ATTRIBUTE_NAMESPACE))
{
return AXIS2_FALSE;
}
@@ -218,11 +218,13 @@
{
while(AXIS2_TRUE == axiom_child_element_iterator_has_next(ci, env))
{
+
fcn = axiom_child_element_iterator_next(ci, env);
fce = axiom_node_get_data_element(fcn, env);
if (strcmp(axiom_element_get_localname(fce, env), SAML_ATTRIBUTE_VALUE) == 0)
{
- axutil_array_list_add(attr->attr_value, env, axiom_node_get_first_child(fcn, env));
+ axiom_node_t *temp = axiom_node_get_first_child(fcn, env);
+ axutil_array_list_add(attr->attr_value, env, temp);
}
else
{
@@ -258,13 +260,15 @@
}
if (sattr->attr_value)
{
+ size = axutil_array_list_size(sattr->attr_value, env);
+
for (i = 0; i < size; i++)
{
ns = axiom_namespace_create(env, SAML_NMSP_URI, SAML_PREFIX);
ce = axiom_element_create(env, n, SAML_ATTRIBUTE_VALUE, ns, &cn);
if (ce)
{
- axiom_node_add_child(cn, env, axutil_array_list_get(sattr->attr_value, env, i));
+ axiom_node_add_child(cn, env, (axiom_node_t*)axutil_array_list_get(sattr->attr_value, env, i));
}
}
}
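Review bot: Taking `size` from the list fixes the loop bound, but `axutil_array_list_get` can still yield NULL (the parse path in this file stores whatever `axiom_node_get_first_child` returned) and that is handed to `axiom_node_add_child` unguarded; bind it first and skip empty entries: `axiom_node_t *val = (axiom_node_t*)axutil_array_list_get(sattr->attr_value, env, i); if (val) { axiom_node_add_child(cn, env, val); }`. If the value node still has a parent from the document it was parsed from, adding it here re-parents it, so check that axiom detaches on add or call `axiom_node_detach` explicitly. The enclosing function starts before this hunk.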
Modified: webservices/rampart/trunk/c/src/omxmlsec/saml/sutil.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/saml/sutil.c?rev=649377&r1=649376&r2=649377&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/saml/sutil.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/saml/sutil.c Thu Apr 17 22:58:09 2008
@@ -23,20 +23,26 @@
oxs_sign_part_t* sig_part = NULL;
oxs_transform_t *tr = NULL;
axutil_array_list_t *sig_parts = NULL, *trans = NULL;
-
+ axiom_namespace_t *ns = NULL;
trans = axutil_array_list_create(env, SAML_ARRAY_LIST_DEF);
/*create transform sor SAML XML signature with identifier*/
tr = oxs_transforms_factory_produce_transform(env, OXS_HREF_TRANSFORM_ENVELOPED_SIGNATURE);
axutil_array_list_add(trans, env, tr);
+ /*Create the EXCL-C14N Transformation*/
+ tr = oxs_transforms_factory_produce_transform(env, OXS_HREF_TRANSFORM_XML_EXC_C14N);
+ axutil_array_list_add(trans, env, tr);
+
sig_part = oxs_sign_part_create(env);
oxs_sign_part_set_digest_mtd(sig_part, env, OXS_HREF_SHA1);
oxs_sign_part_set_transforms(sig_part, env, trans);
oxs_sign_part_set_id_name(sig_part, env, id);
- oxs_sign_part_set_sign_namespace(sig_part,env, NULL);
+
+ //ns = axiom_namespace_create(env, "", "");
+ //oxs_sign_part_set_sign_namespace(sig_part,env, ns);
sig_parts = axutil_array_list_create(env, SAML_ARRAY_LIST_DEF);
axutil_array_list_add(sig_parts, env, sig_part);
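Review bot: Neither `oxs_transforms_factory_produce_transform` result is checked before it is added to `trans`, so if the factory returns NULL for an href it does not know (not visible here whether it can) the transform list carries a NULL entry into signing or verification; `if (!tr) { /* log */ return the function's failure value; }` after each call fails early instead. The dead `ns` variable and the two `//` commented-out lines around `oxs_sign_part_set_sign_namespace` should go; dropping that call is a behaviour change that pairs with the new namespace handling in xml_signature.c and deserves a `/* no sign namespace: the assertion id attribute is unqualified */` comment rather than commented code. The digest method is hard-wired to SHA-1 here, which was the norm for SAML 1.x in 2008 but is the value a deployment will eventually need to change, so a named constant or parameter would help. The enclosing function starts before this hunk and its return is outside it.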
Modified: webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c?rev=649377&r1=649376&r2=649377&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c Thu Apr 17 22:58:09 2008
@@ -45,11 +45,13 @@
{
axis2_char_t *serialized_node = NULL;
axis2_char_t *digest = NULL;
+ axiom_node_t *ori_node = NULL, *sig_node = NULL;
+ oxs_tr_dtype_t output_dtype = OXS_TRANSFORM_TYPE_UNKNOWN;/*This will always be the current dtype*/
+ void *tr_output = NULL;
int i = 0;
if((transforms) && (0 < axutil_array_list_size(transforms, env))){
- oxs_tr_dtype_t output_dtype = OXS_TRANSFORM_TYPE_UNKNOWN;/*This will always be the current dtype*/
- void *tr_output = NULL;
+
output_dtype = OXS_TRANSFORM_TYPE_NODE; /*We always begin with a node*/
tr_output = node; /*The first transformation is applied to the node*/
@@ -77,6 +79,14 @@
}else if((input_dtype == OXS_TRANSFORM_TYPE_NODE) && (output_dtype == OXS_TRANSFORM_TYPE_CHAR)){
/*De-serialize*/
tr_input = oxs_axiom_deserialize_node(env, (axis2_char_t *)tr_output);
+ }else if((input_dtype == OXS_TRANSFORM_TYPE_NODE) && (output_dtype == OXS_TRANSFORM_TYPE_NODE_ARRAY_LIST)){
+ ori_node = axutil_array_list_get((axutil_array_list_t*)tr_output, env, 0);
+ sig_node = axutil_array_list_get((axutil_array_list_t*)tr_output, env, 1);
+ tr_input = ori_node;
+ }else if((input_dtype == OXS_TRANSFORM_TYPE_CHAR) && (output_dtype == OXS_TRANSFORM_TYPE_NODE_ARRAY_LIST)){
+ ori_node = axutil_array_list_get((axutil_array_list_t*)tr_output, env, 0);
+ sig_node = axutil_array_list_get((axutil_array_list_t*)tr_output, env, 1);
+ tr_input = axiom_node_to_string(ori_node, env);
}else{
/*Let it go as it is. */
tr_input = tr_output;
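Review bot: Both new branches index the returned array list at 0 and 1 without checking `axutil_array_list_size`, so a transform that returns a shorter list yields a NULL `ori_node`, and the CHAR branch then calls `axiom_node_to_string(NULL, env)`. A size check before the gets, `if (axutil_array_list_size((axutil_array_list_t*)tr_output, env) < 2) { oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED, "Transform returned fewer than two nodes"); return NULL; }`, closes that. The string produced by `axiom_node_to_string(ori_node, env)` in the CHAR branch is not freed by anything visible in this diff; if the next transform does not take ownership of `tr_input`, it leaks on every reference. The loop containing these branches starts before this hunk.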
@@ -92,18 +102,24 @@
oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,"Transform failed for %s", tr_id);
return NULL;
}
- }/*eof for loop*/
+ }/*eof for loop*/
/*We have applied all our transforms now*/
/*Serialize node*/
if(OXS_TRANSFORM_TYPE_NODE == output_dtype ){
serialized_node = axiom_node_to_string((axiom_node_t*)tr_output, env);
}else if(OXS_TRANSFORM_TYPE_CHAR == output_dtype){
serialized_node = (axis2_char_t*)tr_output;
- }else{
+ }
+ else if(OXS_TRANSFORM_TYPE_NODE_ARRAY_LIST == output_dtype){
+ ori_node = (axiom_node_t*)axutil_array_list_get((axutil_array_list_t*)tr_output, env, 0);
+ sig_node = (axiom_node_t*)axutil_array_list_get((axutil_array_list_t*)tr_output, env, 1);
+ serialized_node = axiom_node_to_string(ori_node, env);
+ }
+ else{
/*Error*/
oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,"Unsupported transform data type %d", output_dtype);
}
- }else{
+ }else{
/*No transforms defined. Thus we simply direct the node, to make the digest*/
serialized_node = axiom_node_to_string(node, env);
}
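Review bot: The `Transform failed` exit at the top of this hunk returns NULL before the later `axiom_node_add_child(ori_node, env, sig_node)`, so once a transform has split the document into the [ori_node, sig_node] pair, a failure in a subsequent transform leaves the Signature node detached from its parent. The new NODE_ARRAY_LIST serialization branch also reads indices 0 and 1 without a size check, like the loop branches above it. I would route the error returns through a label that restores `sig_node` when it is set, `fail: if (ori_node && sig_node) { axiom_node_add_child(ori_node, env, sig_node); } return NULL;`, and use it for every early return in the function. The function begins before this hunk.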
@@ -114,11 +130,14 @@
oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,"Unsupported digest method %s", digest_mtd);
return NULL;
}
+
+ if(ori_node && sig_node){
+ axiom_node_add_child(ori_node, env, sig_node);
+ }
if(serialized_node){
AXIS2_FREE(env->allocator, serialized_node);
serialized_node = NULL;
}
-
return digest;
}
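Review bot: The `Unsupported digest method` return just above runs before the new `axiom_node_add_child(ori_node, env, sig_node)`, so on that path the Signature node is never put back into the document; the re-attach should precede that return or sit on a shared failure path. Re-attaching with `axiom_node_add_child` also appends the Signature as the last child, which may not be where the transform took it from; for an incoming assertion whose ds:Signature precedes its statements this silently rewrites the message being verified, so if the transform records the original position it should be restored, and if not a comment like `/* NOTE: signature is re-appended as last child; original position is not preserved */` should say so. The function begins before this hunk.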
@@ -145,15 +164,17 @@
node = oxs_sign_part_get_node(sign_part, env);
id_name = oxs_sign_part_get_id_name(sign_part, env);
- if(!id_name)
- id_name = OXS_ATTR_ID;
-
ns = oxs_sign_part_get_sign_namespace(sign_part, env);
if(ns)
ns_uri = axiom_namespace_get_uri(ns, env);
- else
+ else if (!ns && !id_name)
ns_uri = OXS_WSU_XMLNS;
+ else
+ ns_uri = NULL;
+
+ if(!id_name)
+ id_name = OXS_ATTR_ID;
/*Get the reference ID from the node and hence to the ds:Reference node*/
id = oxs_axiom_get_attribute_value_of_node_by_name(env, node, id_name,
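Review bot: In `else if (!ns && !id_name)` the `!ns` test is always true, because the branch is only reached when `if (ns)` failed, and it reads as if a third case existed. The new logic also changes meaning for callers that set an id name but no namespace: they used to get the wsu namespace and now get an unqualified lookup, and nothing in the code records that this is intended. I would spell out the three cases with comments: `if (ns) { ns_uri = axiom_namespace_get_uri(ns, env); } else if (!id_name) { ns_uri = OXS_WSU_XMLNS; /* default: wsu:Id */ } else { ns_uri = NULL; /* caller-named id attribute is unqualified */ }`. The enclosing function starts before and continues after this hunk.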
@@ -422,8 +443,7 @@
if(!reffed_node)
{
reffed_node = oxs_axiom_get_node_by_id(env, scope_node, "Id", ref_id2, NULL );
- }
-
+ }
}
/*Find the node refered by this ref_id2 and set to the sign part*/
Modified: webservices/rampart/trunk/c/src/util/rampart_saml.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_saml.c?rev=649377&r1=649376&r2=649377&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_saml.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_saml.c Thu Apr 17 22:58:09 2008
@@ -28,6 +28,11 @@
rampart_saml_token_t *saml);
AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_saml_token_validate(const axutil_env_t *env,
+ rampart_context_t *rampart_context,
+ axiom_node_t *assertion);
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
rampart_saml_supporting_token_build(const axutil_env_t *env,
rampart_context_t *rampart_context,
axiom_node_t *sec_node,
@@ -114,10 +119,33 @@
rampart_saml_token_validate(const axutil_env_t *env,
rampart_context_t *rampart_context,
axiom_node_t *assertion)
-{
- /* At the moment SAML validation is not done. But we need to validate the signature of SAML tokens.
- We can look at this after the PKS12 integration*/
- return AXIS2_SUCCESS;
+{
+ axis2_status_t status = AXIS2_FAILURE;
+ oxs_sign_ctx_t *sign_ctx = NULL;
+ oxs_x509_cert_t *certificate = NULL;
+ axiom_node_t *sig_node = NULL;
+
+ /* Need to get the certificate of the STS */
+ if (!certificate)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rs] Certificate cannot be found for the STS");
+ return AXIS2_FAILURE;
+ }
+ /*Create sign context*/
+ sign_ctx = oxs_sign_ctx_create(env);
+
+ /*Set the Certificate*/
+ oxs_sign_ctx_set_certificate(sign_ctx, env, certificate);
+ sig_node = oxs_axiom_get_node_by_local_name(env, assertion, OXS_NODE_SIGNATURE);
+ if (!sig_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][rs] No Signature node in the SAML Assertion");
+ return AXIS2_FAILURE;
+ }
+ status = oxs_xml_sig_verify(env, sign_ctx, sig_node, assertion);
+ return status;
}
AXIS2_EXTERN char * AXIS2_CALL
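Review bot: `certificate` is initialised to NULL and never assigned, so the `if (!certificate)` guard fails on every call and the verify path below it is unreachable; because the previous stub returned AXIS2_SUCCESS, this commit flips every SAML supporting token from always-accepted to always-rejected, which should be stated in the log or marked with an explicit TODO rather than left as a side effect. When the STS certificate lookup is filled in it must come from the configured trust store, never from the token's own KeyInfo, or the signature check proves nothing. `sign_ctx` from `oxs_sign_ctx_create` is leaked on the `!sig_node` return and after `oxs_xml_sig_verify`; add `oxs_sign_ctx_free(sign_ctx, env);` before both returns, after checking whether that free also releases the certificate handed to it. Finally, `oxs_axiom_get_node_by_local_name` presumably takes the first element named Signature under the assertion without checking the ds namespace or that its Reference covers this very element, the classic signature-wrapping gap, so the verify call should be followed by a check that the referenced node is `assertion` itself.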