You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by sh...@apache.org on 2009/07/16 12:57:26 UTC
svn commit: r794624 [1/2] - in /webservices/rampart/trunk/c: include/
samples/client/sec_echo/ src/core/ src/omxmlsec/ src/omxmlsec/openssl/
src/util/
Author: shankar
Date: Thu Jul 16 10:57:25 2009
New Revision: 794624
URL: http://svn.apache.org/viewvc?rev=794624&view=rev
Log:
Adding signature validation, fixing endorsing signature validation.
Modified:
webservices/rampart/trunk/c/include/openssl_digest.h
webservices/rampart/trunk/c/include/oxs_saml_token.h
webservices/rampart/trunk/c/include/rampart_constants.h
webservices/rampart/trunk/c/include/rampart_context.h
webservices/rampart/trunk/c/include/rampart_sec_header_processor.h
webservices/rampart/trunk/c/include/rampart_token_processor.h
webservices/rampart/trunk/c/samples/client/sec_echo/echo.c
webservices/rampart/trunk/c/src/core/mod_rampart.c
webservices/rampart/trunk/c/src/omxmlsec/openssl/digest.c
webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c
webservices/rampart/trunk/c/src/util/rampart_context.c
webservices/rampart/trunk/c/src/util/rampart_policy_validator.c
webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
webservices/rampart/trunk/c/src/util/rampart_signature.c
webservices/rampart/trunk/c/src/util/rampart_token_processor.c
Modified: webservices/rampart/trunk/c/include/openssl_digest.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/openssl_digest.h?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/openssl_digest.h (original)
+++ webservices/rampart/trunk/c/include/openssl_digest.h Thu Jul 16 10:57:25 2009
@@ -15,7 +15,6 @@
*/
#include <openssl/sha.h>
-
#include <axutil_utils_defines.h>
#include <axis2_defines.h>
#include <axutil_env.h>
@@ -44,14 +43,23 @@
* @return calculated digest
*/
AXIS2_EXTERN axis2_char_t *AXIS2_CALL
- openssl_sha1(const axutil_env_t *env,
- axis2_char_t *input,
- int length);
+ openssl_sha1(
+ const axutil_env_t *env,
+ axis2_char_t *input,
+ int length);
+
+ AXIS2_EXTERN axis2_char_t *AXIS2_CALL
+ openssl_sha256(
+ const axutil_env_t *env,
+ axis2_char_t *input,
+ int length);
AXIS2_EXTERN axis2_char_t *AXIS2_CALL
- openssl_md5(const axutil_env_t *env,
- axis2_char_t *input,
- int length);
+ openssl_md5(
+ const axutil_env_t *env,
+ axis2_char_t *input,
+ int length);
+
/* @} */
#ifdef __cplusplus
}
Modified: webservices/rampart/trunk/c/include/oxs_saml_token.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_saml_token.h?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_saml_token.h (original)
+++ webservices/rampart/trunk/c/include/oxs_saml_token.h Thu Jul 16 10:57:25 2009
@@ -26,6 +26,7 @@
{
#endif
+ /* TODO OXS_ST_KEY_ID_VALUE_TYPE looks odd. Rename it properly */
#define OXS_ST_KEY_ID_VALUE_TYPE "http://docs.oasis-open.org/wss/oass-wss-saml-token-profile-1.0#SAMLAssertionID"
AXIS2_EXTERN axiom_node_t * AXIS2_CALL
Modified: webservices/rampart/trunk/c/include/rampart_constants.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_constants.h?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_constants.h (original)
+++ webservices/rampart/trunk/c/include/rampart_constants.h Thu Jul 16 10:57:25 2009
@@ -143,7 +143,6 @@
#define RAMPART_SPR_ENC_CHECKED "SPR_ENC_Checked"
#define RAMPART_SPR_SIG_VALUE "SPR_Sig_Val"
#define RAMPART_SPR_ENDORSED_VALUE "SPR_Endorsed_Value"
-#define RAMPART_SPR_SIG_VERIFIED "SPR_Sig_Verified"
#define RAMPART_SPR_SIG_ENCRYPTED "SPR_Sig_Encrypted"
#define RAMPART_SPR_SIG_CONFIRM_FOUND "SPR_Sig_Confirmation_Found"
#define RAMPART_SPR_BODY_ENCRYPTED "SPR_Body_Encrypted"
Modified: webservices/rampart/trunk/c/include/rampart_context.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_context.h?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_context.h (original)
+++ webservices/rampart/trunk/c/include/rampart_context.h Thu Jul 16 10:57:25 2009
@@ -1163,18 +1163,29 @@
rampart_context_get_enc_asym_algo(
rampart_context_t *rampart_context,
const axutil_env_t *env);
+
/**
- *
* @param rampart_context
* @param env pointer to environment struct,Must not be NULL.
* @returns status of the op.
* AXIS2_SUCCESS on success and AXIS2_FAILURE on error
*/
-
AXIS2_EXTERN axis2_char_t *AXIS2_CALL
rampart_context_get_asym_sig_algo(
rampart_context_t *rampart_context,
const axutil_env_t *env);
+
+ /**
+ * @param rampart_context
+ * @param env pointer to environment struct,Must not be NULL.
+ * @returns status of the op.
+ * AXIS2_SUCCESS on success and AXIS2_FAILURE on error
+ */
+ AXIS2_EXTERN axis2_char_t *AXIS2_CALL
+ rampart_context_get_sym_sig_algo(
+ rampart_context_t *rampart_context,
+ const axutil_env_t *env);
+
/**
*
* @param rampart_context
Modified: webservices/rampart/trunk/c/include/rampart_sec_header_processor.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_sec_header_processor.h?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_sec_header_processor.h (original)
+++ webservices/rampart/trunk/c/include/rampart_sec_header_processor.h Thu Jul 16 10:57:25 2009
@@ -59,6 +59,14 @@
axiom_soap_envelope_t *soap_envelope,
axiom_node_t *sec_node);
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ rampart_shp_add_security_context_token(
+ const axutil_env_t* env,
+ axis2_char_t* identifier,
+ axis2_char_t* key_name,
+ rampart_context_t* rampart_context,
+ axis2_msg_ctx_t* msg_ctx);
+
/* @} */
#ifdef __cplusplus
Modified: webservices/rampart/trunk/c/include/rampart_token_processor.h
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_token_processor.h?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_token_processor.h (original)
+++ webservices/rampart/trunk/c/include/rampart_token_processor.h Thu Jul 16 10:57:25 2009
@@ -21,6 +21,7 @@
#include <axutil_env.h>
#include <axiom_node.h>
#include <oxs_x509_cert.h>
+#include <rampart_context.h>
/**
* @file rampart_token_processor.h
@@ -39,14 +40,43 @@
#ifdef __cplusplus
extern "C" {
#endif
-
+
+ /**
+ * Extract certificate/session_key related information using given key_info node and scope node
+ * This will extract either certificate(asymmetric signing) or session_key (symmetric signing)
+ * @param env Environment structure
+ * @param key_info_node key info node.
+ * @param sec_node security header node
+ * @param rampart_context rampart context where key details could be found.
+ * @param msg_ctx message context
+ * @param is_signature boolean denoting whether the key_info is for signature
+ * @param cert where the certificate extracted (if any) should be populated
+ * @param key where the session key extracted (if any) should be populated
+ * @param token_type where the token type should be populated
+ * @param reference_method where the token reference method should be populated
+ * @return status of the operation
+ */
+ AXIS2_EXTERN axis2_status_t AXIS2_CALL
+ rampart_token_process_key_info(
+ const axutil_env_t *env,
+ axiom_node_t *key_info_node,
+ axiom_node_t *sec_node,
+ rampart_context_t* rampart_context,
+ axis2_msg_ctx_t *msg_ctx,
+ axis2_bool_t is_signature,
+ oxs_x509_cert_t **cert,
+ oxs_key_t **key,
+ axis2_char_t **token_type,
+ axis2_char_t **reference_method);
+
+#if 0 /* These methods are not used will be removed from next release*/
/**
* extract certificate related information using given token_reference node and scope node
* @param env Environment structure
- * @param st_ref_node security token reference node.
- * @param scope_node node where additional details should be found. Can be NULL for all other
+ * @param st_ref_node security token reference node.
+ * @param scope_node node where additional details should be found. Can be NULL for all other
* scenarios but the Direct Reference
- * @param cert certificate where values extracted shuold be populated
+ * @param cert certificate where values extracted should be populated
* @return status of the operation
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -61,7 +91,7 @@
* @param env Environment structure
* @param ref_node security token reference node.
* @param scope_node node where certificate details should be found using reference id
- * @param cert certificate where values extracted shuold be populated
+ * @param cert certificate where values extracted should be populated
* @return status of the operation
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -75,7 +105,7 @@
* extract embedded certificate from given embed_node
* @param env Environment structure
* @param embed_node node where certificate is embedded.
- * @param cert certificate where values extracted shuold be populated
+ * @param cert certificate where values extracted should be populated
* @return status of the operation
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -88,7 +118,7 @@
* extract key identifier and populate the certificate
* @param env Environment structure
* @param ki_node node where key identifier is available.
- * @param cert certificate where values extracted shuold be populated
+ * @param cert certificate where values extracted should be populated
* @return status of the operation
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -101,7 +131,7 @@
* extract key details from x509data node
* @param env Environment structure
* @param x509_data_node x509data node.
- * @param cert certificate where values extracted shuold be populated
+ * @param cert certificate where values extracted should be populated
* @return status of the operation
*/
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -109,6 +139,7 @@
const axutil_env_t *env,
axiom_node_t *x509_data_node,
oxs_x509_cert_t *cert);
+#endif
/* @} */
#ifdef __cplusplus
Modified: webservices/rampart/trunk/c/samples/client/sec_echo/echo.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/samples/client/sec_echo/echo.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/samples/client/sec_echo/echo.c (original)
+++ webservices/rampart/trunk/c/samples/client/sec_echo/echo.c Thu Jul 16 10:57:25 2009
@@ -34,7 +34,10 @@
axiom_node_t *
build_om_programatically_mtom(const axutil_env_t * env);
-int main(int argc, char** argv)
+int
+main(
+ int argc,
+ char** argv)
{
const axutil_env_t *env = NULL;
const axis2_char_t *address = NULL;
@@ -49,17 +52,17 @@
axis2_status_t status = AXIS2_FAILURE;
neethi_policy_t *policy = NULL;
/*axutil_property_t *property = NULL;
- int i = 0;*/
-
- /* Set up the environment */
+ int i = 0;*/
+
+ /* Set up the environment */
env = axutil_env_create_all("echo.log", AXIS2_LOG_LEVEL_TRACE);
/*if (argc == 4)
- AXIS2_SLEEP(10); */
+ AXIS2_SLEEP(10); */
/* Set end-point-reference of echo service */
address = "http://localhost:9090/axis2/services/echo";
- if (argc > 2)
+ if(argc > 2)
{
address = argv[1];
client_home = argv[2];
@@ -67,7 +70,7 @@
printf("Using client_home : %s\n", client_home);
}
- if ((axutil_strcmp(argv[1], "-h") == 0) || (axutil_strcmp(argv[1], "--help") == 0))
+ if((axutil_strcmp(argv[1], "-h") == 0) || (axutil_strcmp(argv[1], "--help") == 0))
{
printf("Usage : %s [endpoint_url] [client_home]\n", argv[0]);
printf("use -h for help\n");
@@ -80,20 +83,19 @@
/* Setup options */
options = axis2_options_create(env);
axis2_options_set_to(options, env, endpoint_ref);
- axis2_options_set_action(options, env,
- "http://example.com/ws/2004/09/policy/Test/EchoRequest");
-
+ axis2_options_set_action(options, env, "http://example.com/ws/2004/09/policy/Test/EchoRequest");
+
/*axis2_options_set_action(options, env,
- "http://xmlsoap.org/Ping");*/
+ "http://xmlsoap.org/Ping");*/
/*axis2_options_set_action(options, env,
- "urn:echoString");*/
-
+ "urn:echoString");*/
+
/*axis2_options_set_soap_action(options, env, axutil_string_create(env, "http://xmlsoap.org/Ping"));
- axis2_options_set_soap_version(options, env, AXIOM_SOAP11);*/
+ axis2_options_set_soap_version(options, env, AXIOM_SOAP11);*/
axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
/*If the client home is not specified, use the AXIS2C_HOME*/
- if (!client_home)
+ if(!client_home)
{
client_home = AXIS2_GETENV("AXIS2C_HOME");
printf("\nNo client_home specified. Using default %s", client_home);
@@ -102,7 +104,7 @@
/* Create service client */
printf("client_home= %s", client_home);
svc_client = axis2_svc_client_create(env, client_home);
- if (!svc_client)
+ if(!svc_client)
{
printf("Error creating service client\n");
return -1;
@@ -112,27 +114,30 @@
axis2_svc_client_set_options(svc_client, env, options);
/*
- property = axutil_property_create(env);
- axutil_property_set_scope(property, env, AXIS2_SCOPE_APPLICATION);
- axutil_property_set_value(property, env, AXIS2_WSA_NAMESPACE_SUBMISSION);
- axis2_options_set_property(options, env, AXIS2_WSA_VERSION, property);
- */
+ property = axutil_property_create(env);
+ axutil_property_set_scope(property, env, AXIS2_SCOPE_APPLICATION);
+ axutil_property_set_value(property, env, AXIS2_WSA_NAMESPACE_SUBMISSION);
+ axis2_options_set_property(options, env, AXIS2_WSA_VERSION, property);
+ */
/*We need to specify the client's policy file location*/
if(client_home)
{
file_name = axutil_stracat(env, client_home, AXIS2_PATH_SEP_STR);
- policy_file = axutil_stracat(env, file_name, "policy.xml" );
+ policy_file = axutil_stracat(env, file_name, "policy.xml");
AXIS2_FREE(env->allocator, file_name);
- file_name = NULL;
- }else{
+ file_name = NULL;
+ }
+ else
+ {
printf("Client Home not Specified\n");
printf("echo client invoke FAILED!\n");
return 0;
}
- /*Create the policy, from file*/
+ /*Create the policy, from file*/
policy = neethi_util_create_policy_from_file(env, policy_file);
- if(policy_file){
+ if(policy_file)
+ {
AXIS2_FREE(env->allocator, policy_file);
policy_file = NULL;
}
@@ -147,46 +152,43 @@
{
printf("Policy setting failed\n");
}
-
+
/* Build the SOAP request message payload using OM API.*/
payload = build_om_payload_for_echo_svc(env);
/*axis2_options_set_enable_mtom(options, env, AXIS2_TRUE);*/
-
+
/*If not engaged in the client's axis2.xml, uncomment this line*/
/*axis2_svc_client_engage_module(svc_client, env, "rampart");*/
-
+
/* Send request */
ret_node = axis2_svc_client_send_receive(svc_client, env, payload);
-
- if (axis2_svc_client_get_last_response_has_fault(svc_client, env))
+ if(axis2_svc_client_get_last_response_has_fault(svc_client, env))
{
axiom_soap_envelope_t *soap_envelope = NULL;
axiom_soap_body_t *soap_body = NULL;
axiom_soap_fault_t *soap_fault = NULL;
- printf ("\nResponse has a SOAP fault\n");
- soap_envelope =
- axis2_svc_client_get_last_response_soap_envelope(svc_client, env);
- if (soap_envelope)
+ printf("\nResponse has a SOAP fault\n");
+ soap_envelope = axis2_svc_client_get_last_response_soap_envelope(svc_client, env);
+ if(soap_envelope)
soap_body = axiom_soap_envelope_get_body(soap_envelope, env);
- if (soap_body)
+ if(soap_body)
soap_fault = axiom_soap_body_get_fault(soap_body, env);
- if (soap_fault)
+ if(soap_fault)
{
- printf("\nReturned SOAP fault: %s\n",
- axiom_node_to_string(axiom_soap_fault_get_base_node(soap_fault,env),
- env));
+ printf("\nReturned SOAP fault: %s\n", axiom_node_to_string(
+ axiom_soap_fault_get_base_node(soap_fault, env), env));
}
- printf("echo client invoke FAILED!\n");
- return -1;
+ printf("echo client invoke FAILED!\n");
+ return -1;
}
-
- if (ret_node)
+
+ if(ret_node)
{
axis2_char_t *om_str = NULL;
om_str = axiom_node_to_string(ret_node, env);
- if (om_str)
+ if(om_str)
{
printf("\nReceived OM : %s\n", om_str);
}
@@ -200,17 +202,17 @@
return -1;
}
- if (svc_client)
+ if(svc_client)
{
axis2_svc_client_free(svc_client, env);
svc_client = NULL;
}
- if (env)
+ if(env)
{
- axutil_env_free((axutil_env_t *) env);
+ axutil_env_free((axutil_env_t *)env);
env = NULL;
}
-
+
return 0;
}
Modified: webservices/rampart/trunk/c/src/core/mod_rampart.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/core/mod_rampart.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/core/mod_rampart.c (original)
+++ webservices/rampart/trunk/c/src/core/mod_rampart.c Thu Jul 16 10:57:25 2009
@@ -14,6 +14,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
#include <axis2_module.h>
#include <rampart_mod.h>
#include <rampart_constants.h>
@@ -36,11 +37,8 @@
axis2_module_t *module,
const axutil_env_t *env);
-static const axis2_module_ops_t addr_module_ops_var = {
- rampart_mod_init,
- rampart_mod_shutdown,
- rampart_mod_fill_handler_create_func_map
- };
+static const axis2_module_ops_t addr_module_ops_var = { rampart_mod_init, rampart_mod_shutdown,
+ rampart_mod_fill_handler_create_func_map };
axis2_module_t *
rampart_mod_create(
@@ -48,10 +46,10 @@
{
axis2_module_t *module = NULL;
module = AXIS2_MALLOC(env->allocator, sizeof(axis2_module_t));
- if (!module)
+ if(!module)
{
AXIS2_ERROR_SET(env->error, AXIS2_ERROR_NO_MEMORY, AXIS2_FAILURE);
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_mod] Not enough memory. Cannot create module.");
return NULL;
}
@@ -69,12 +67,11 @@
{
/*
* Any initialization stuff of Rampart module goes here. At the moment we have NONE.
- * Intialization happens in handlers depending on the message flow and policies
+ * Initialization happens in handlers depending on the message flow and policies
*/
rampart_error_init();
-
- AXIS2_LOG_INFO(env->log,
- "[rampart][rampart_mod] rampart_mod initialized");
+
+ AXIS2_LOG_INFO(env->log, "[rampart][rampart_mod] rampart_mod initialized");
return AXIS2_SUCCESS;
}
@@ -83,12 +80,11 @@
axis2_module_t *module,
const axutil_env_t *env)
{
- AXIS2_LOG_INFO(env->log,
- "[rampart][rampart_mod] rampart_mod shutdown");
+ AXIS2_LOG_INFO(env->log, "[rampart][rampart_mod] rampart_mod shutdown");
- if (module)
+ if(module)
{
- if (module->handler_create_func_map)
+ if(module->handler_create_func_map)
{
axutil_hash_free(module->handler_create_func_map, env);
module->handler_create_func_map = NULL;
@@ -105,10 +101,10 @@
const axutil_env_t *env)
{
module->handler_create_func_map = axutil_hash_make(env);
- if (!module->handler_create_func_map)
+ if(!module->handler_create_func_map)
{
AXIS2_ERROR_SET(env->error, AXIS2_ERROR_NO_MEMORY, AXIS2_FAILURE);
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_mod] Cannot create function map.");
return AXIS2_FAILURE;
}
@@ -118,11 +114,11 @@
* 1. Rampart In Handler to process message
* 2. Rampart Out Handler to build the message
*/
- axutil_hash_set(module->handler_create_func_map, RAMPART_IN_HANDLER,
- AXIS2_HASH_KEY_STRING, rampart_in_handler_create);
+ axutil_hash_set(module->handler_create_func_map, RAMPART_IN_HANDLER, AXIS2_HASH_KEY_STRING,
+ rampart_in_handler_create);
- axutil_hash_set(module->handler_create_func_map, RAMPART_OUT_HANDLER,
- AXIS2_HASH_KEY_STRING, rampart_out_handler_create);
+ axutil_hash_set(module->handler_create_func_map, RAMPART_OUT_HANDLER, AXIS2_HASH_KEY_STRING,
+ rampart_out_handler_create);
return AXIS2_SUCCESS;
}
@@ -136,7 +132,7 @@
const axutil_env_t *env)
{
*inst = rampart_mod_create(env);
- if (!(*inst))
+ if(!(*inst))
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
"[rampart][rampart_mod] Rampart module creation failed");
@@ -152,7 +148,7 @@
const axutil_env_t *env)
{
axis2_status_t status = AXIS2_FAILURE;
- if (inst)
+ if(inst)
{
status = rampart_mod_shutdown(inst, env);
}
Modified: webservices/rampart/trunk/c/src/omxmlsec/openssl/digest.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/openssl/digest.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/openssl/digest.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/openssl/digest.c Thu Jul 16 10:57:25 2009
@@ -25,17 +25,18 @@
#define SIZE_HASH 32
AXIS2_EXTERN axis2_char_t *AXIS2_CALL
-openssl_sha1(const axutil_env_t *env,
- axis2_char_t *input,
- int length)
+openssl_sha1(
+ const axutil_env_t *env,
+ axis2_char_t *input,
+ int length)
{
- SHA_CTX c ;
+ SHA_CTX c;
unsigned char md[SHA_DIGEST_LENGTH];
axis2_char_t* encoded_str = NULL;
SHA1_Init(&c);
- SHA1_Update(&c,(unsigned char*)input,length);
- SHA1_Final(md,&c);
+ SHA1_Update(&c, (unsigned char*)input, length);
+ SHA1_Final(md, &c);
encoded_str = AXIS2_MALLOC(env->allocator, axutil_base64_encode_len(SIZE_HASH));
axutil_base64_encode(encoded_str, (char*)md, SHA_DIGEST_LENGTH);
@@ -44,16 +45,17 @@
}
AXIS2_EXTERN axis2_char_t *AXIS2_CALL
-openssl_md5(const axutil_env_t *env,
- axis2_char_t *input,
- int length)
+openssl_md5(
+ const axutil_env_t *env,
+ axis2_char_t *input,
+ int length)
{
MD5_CTX ctx;
unsigned char md[MD5_DIGEST_LENGTH];
axis2_char_t* encoded_str = NULL;
MD5_Init(&ctx);
- MD5_Update(&ctx, (unsigned char*)input,length);
+ MD5_Update(&ctx, (unsigned char*)input, length);
MD5_Final(md, &ctx);
encoded_str = AXIS2_MALLOC(env->allocator, MD5_DIGEST_LENGTH);
@@ -62,4 +64,22 @@
return encoded_str;
}
+AXIS2_EXTERN axis2_char_t *AXIS2_CALL
+openssl_sha256(
+ const axutil_env_t *env,
+ axis2_char_t *input,
+ int length)
+{
+ SHA256_CTX c;
+ unsigned char md[SHA256_DIGEST_LENGTH];
+ axis2_char_t* encoded_str = NULL;
+
+ SHA256_Init(&c);
+ SHA256_Update(&c, (unsigned char*)input, length);
+ SHA256_Final(md, &c);
+ encoded_str = AXIS2_MALLOC(env->allocator, axutil_base64_encode_len(SHA256_DIGEST_LENGTH));
+ axutil_base64_encode(encoded_str, (char*)md, SHA256_DIGEST_LENGTH);
+
+ return encoded_str;
+}
Modified: webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/xml_signature.c Thu Jul 16 10:57:25 2009
@@ -125,10 +125,18 @@
serialized_node = axiom_node_to_string(node, env);
}
- if(0 == axutil_strcmp( OXS_HREF_SHA1 , digest_mtd)){
+ if(0 == axutil_strcmp(OXS_HREF_SHA1, digest_mtd))
+ {
digest = openssl_sha1(env, serialized_node, axutil_strlen(serialized_node));
- }else{
- oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,"Unsupported digest method %s", digest_mtd);
+ }
+ else if(0 == axutil_strcmp(OXS_HREF_SHA256, digest_mtd))
+ {
+ digest = openssl_sha256(env, serialized_node, axutil_strlen(serialized_node));
+ }
+ else
+ {
+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,
+ "Unsupported digest method %s", digest_mtd);
return NULL;
}
@@ -194,6 +202,10 @@
/*Transform and Digest*/
digest = oxs_xml_sig_transform_n_digest(env, node, transforms, digest_mtd);
+ if(!digest)
+ {
+ return AXIS2_FAILURE;
+ }
/*Build ds:Transforms node and its children*/
if((transforms) && (0 < axutil_array_list_size(transforms, env))){
@@ -320,7 +332,10 @@
/*Get ith sign_part*/
sign_part = (oxs_sign_part_t*)axutil_array_list_get(sign_parts, env, i);
/*Create <ds:Reference> elements */
- oxs_xml_sig_build_reference(env, signed_info_node, sign_part);
+ if(oxs_xml_sig_build_reference(env, signed_info_node, sign_part) != AXIS2_SUCCESS)
+ {
+ return AXIS2_FAILURE;
+ }
}
/*At this point we have a complete <SignedInfo> node. Now we need to sign it*/
Modified: webservices/rampart/trunk/c/src/util/rampart_context.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_context.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_context.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_context.c Thu Jul 16 10:57:25 2009
@@ -16,8 +16,6 @@
*/
#include "oxs_key_mgr.h"
-
-
#include <rampart_context.h>
#include <rampart_constants.h>
#include <oxs_axiom.h>
@@ -2174,8 +2172,47 @@
axiom_soap_envelope_t *soap_envelope,
axutil_array_list_t *nodes_to_sign)
{
+ rp_header_t *header = NULL;
+ axis2_status_t status = AXIS2_FAILURE;
+
+ status = rampart_context_get_nodes_to_protect(rampart_context, env, soap_envelope,
+ nodes_to_sign, AXIS2_TRUE);
+ if(status != AXIS2_SUCCESS)
+ {
+ return AXIS2_FAILURE;
+ }
+
+ header = rp_header_create(env);
+ rp_header_set_name(header, env, RAMPART_SECURITY_TIMESTAMP);
+ rp_header_set_namespace(header, env, RAMPART_WSU_XMLNS);
+ status = rampart_context_set_nodes_to_encrypt_or_sign(header, env, soap_envelope, nodes_to_sign);
+ rp_header_free(header, env);
+ if(status != AXIS2_SUCCESS)
+ {
+ return AXIS2_FAILURE;
+ }
+
+ header = rp_header_create(env);
+ rp_header_set_name(header, env, RAMPART_SECURITY_USERNAMETOKEN);
+ rp_header_set_namespace(header, env, RAMPART_WSSE_XMLNS);
+ status = rampart_context_set_nodes_to_encrypt_or_sign(header, env, soap_envelope, nodes_to_sign);
+ rp_header_free(header, env);
+ if(status != AXIS2_SUCCESS)
+ {
+ return AXIS2_FAILURE;
+ }
+
+ header = rp_header_create(env);
+ rp_header_set_name(header, env, OXS_NODE_SIGNATURE_CONFIRMATION);
+ rp_header_set_namespace(header, env, RAMPART_WSSE_XMLNS);
+ status = rampart_context_set_nodes_to_encrypt_or_sign(header, env, soap_envelope, nodes_to_sign);
+ rp_header_free(header, env);
+ if(status != AXIS2_SUCCESS)
+ {
+ return AXIS2_FAILURE;
+ }
- return rampart_context_get_nodes_to_protect(rampart_context,env,soap_envelope,nodes_to_sign,AXIS2_TRUE);
+ return AXIS2_SUCCESS;
}
AXIS2_EXTERN axis2_status_t AXIS2_CALL
@@ -2253,18 +2290,19 @@
{
axiom_soap_body_t *body = NULL;
axiom_node_t *body_node = NULL;
- axiom_node_t *body_child_node = NULL;
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart][rampart_context] Including the body for encryption/sign.");
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "Including the body for encryption/sign.");
body = axiom_soap_envelope_get_body(soap_envelope, env);
body_node = axiom_soap_body_get_base_node(body, env);
- body_child_node = axiom_node_get_first_element(body_node, env);
+
if(is_sign)
{
axutil_array_list_add(nodes_to_sign_or_encrypt, env, body_node);
}
else
{
+ axiom_node_t *body_child_node = NULL;
+ body_child_node = axiom_node_get_first_element(body_node, env);
if(body_child_node)
{
axutil_array_list_add(nodes_to_sign_or_encrypt, env, body_child_node);
@@ -2651,6 +2689,22 @@
}
AXIS2_EXTERN axis2_char_t *AXIS2_CALL
+rampart_context_get_sym_sig_algo(
+ rampart_context_t *rampart_context,
+ const axutil_env_t *env)
+{
+ rp_algorithmsuite_t *algosuite = NULL;
+
+ algosuite = rampart_context_get_algorithmsuite(rampart_context, env);
+ if(algosuite)
+ {
+ return rp_algorithmsuite_get_symmetric_signature(algosuite, env);
+ }
+ else
+ return NULL;
+}
+
+AXIS2_EXTERN axis2_char_t *AXIS2_CALL
rampart_context_get_digest_mtd(
rampart_context_t *rampart_context,
const axutil_env_t *env)
Modified: webservices/rampart/trunk/c/src/util/rampart_policy_validator.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_policy_validator.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_policy_validator.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_policy_validator.c Thu Jul 16 10:57:25 2009
@@ -221,43 +221,60 @@
rampart_context_t *rampart_context,
axis2_msg_ctx_t *msg_ctx)
{
- axis2_status_t status = AXIS2_SUCCESS;
- axutil_array_list_t *nodes_to_sign = NULL;
- axiom_soap_envelope_t *soap_envelope = NULL;
axis2_char_t* signature_verified = NULL;
- nodes_to_sign = axutil_array_list_create(env, 0);
- soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
- status = rampart_context_get_nodes_to_sign(rampart_context, env, soap_envelope, nodes_to_sign);
- status = rampart_context_get_elements_to_sign(
- rampart_context, env, soap_envelope, nodes_to_sign);
-
- signature_verified = (axis2_char_t*)rampart_get_security_processed_result(
- env, msg_ctx, RAMPART_SPR_SIG_VERIFIED);
- if(!axutil_strcmp(RAMPART_YES, signature_verified))
- {
- if(axutil_array_list_size(nodes_to_sign, env) <= 0)
+ signature_verified = (axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx,
+ RAMPART_SPR_SIG_VALUE);
+ if(!signature_verified)
+ {
+ axutil_array_list_t *nodes_to_sign = NULL;
+ axiom_soap_envelope_t *soap_envelope = NULL;
+ int nodes_to_sign_size = 0;
+
+ nodes_to_sign = axutil_array_list_create(env, 0);
+ soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
+ rampart_context_get_nodes_to_sign(rampart_context, env, soap_envelope, nodes_to_sign);
+ rampart_context_get_elements_to_sign(rampart_context, env, soap_envelope, nodes_to_sign);
+ nodes_to_sign_size = axutil_array_list_size(nodes_to_sign, env);
+ axutil_array_list_free(nodes_to_sign, env);
+
+ if(nodes_to_sign_size > 0)
{
- axutil_array_list_free(nodes_to_sign, env);
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart]Signature is not expected.");
- rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK,
- "Signature is not expected", RAMPART_FAULT_INVALID_SECURITY, msg_ctx);
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Could not find signature.");
return AXIS2_FAILURE;
}
}
- else
+
+ /* if signature verified is not null, validation would have done when verifying the signature */
+ return AXIS2_SUCCESS;
+}
+
+static axis2_status_t
+rampart_pv_validate_endorsing(
+ const axutil_env_t *env,
+ rampart_context_t *rampart_context,
+ axis2_msg_ctx_t *msg_ctx)
+{
+ if(axis2_msg_ctx_get_server_side(msg_ctx,env))
{
- if(axutil_array_list_size(nodes_to_sign, env) > 0)
+ /* Endorsing signature is verified only by server side. Not needed for client side */
+ axis2_char_t* endorsing_verified = NULL;
+ endorsing_verified = (axis2_char_t*)rampart_get_security_processed_result(env, msg_ctx,
+ RAMPART_SPR_SIG_VALUE);
+ if(!endorsing_verified)
{
- axutil_array_list_free(nodes_to_sign, env);
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart]Could not find signature.");
- rampart_create_fault_envelope(env, RAMPART_FAULT_FAILED_CHECK,
- "Could not find signature", RAMPART_FAULT_INVALID_SECURITY, msg_ctx);
- return AXIS2_FAILURE;
+ /* check whether we need endorsing signature*/
+ rp_property_t *token = NULL;
+ token = rampart_context_get_endorsing_token(rampart_context, env);
+ if(token)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"Could not find endorsing signature.");
+ return AXIS2_FAILURE;
+ }
}
}
- axutil_array_list_free(nodes_to_sign, env);
+ /* if endorsing verified is not null, validation would have done when verifying the signature */
return AXIS2_SUCCESS;
}
@@ -313,6 +330,12 @@
return AXIS2_FAILURE;
}
+ /* Check if endorsing signature is valid */
+ if(!rampart_pv_validate_endorsing(env, rampart_context, msg_ctx))
+ {
+ return AXIS2_FAILURE;
+ }
+
/* All the policy reqmnts are met. We are good to go */
return AXIS2_SUCCESS;
}
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Thu Jul 16 10:57:25 2009
@@ -51,12 +51,13 @@
/*Private functions*/
/*Get the security context token and store it in key array*/
-static axis2_status_t
-rampart_shp_add_security_context_token(const axutil_env_t* env,
- axis2_char_t* identifier,
- axis2_char_t* key_name,
- rampart_context_t* rampart_context,
- axis2_msg_ctx_t* msg_ctx)
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_shp_add_security_context_token(
+ const axutil_env_t* env,
+ axis2_char_t* identifier,
+ axis2_char_t* key_name,
+ rampart_context_t* rampart_context,
+ axis2_msg_ctx_t* msg_ctx)
{
oxs_buffer_t *key_buf = NULL;
oxs_key_t* key = NULL;
@@ -66,139 +67,19 @@
if(!key_buf)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][shp]Cannot get shared secret of security context token");
+ "Cannot get shared secret of security context token");
return AXIS2_FAILURE;
}
key = oxs_key_create(env);
- oxs_key_populate(key, env,
- oxs_buffer_get_data(key_buf, env), key_name,
- oxs_buffer_get_size(key_buf, env), OXS_KEY_USAGE_NONE);
+ oxs_key_populate(key, env, oxs_buffer_get_data(key_buf, env), key_name,
+ oxs_buffer_get_size(key_buf, env), OXS_KEY_USAGE_NONE);
rampart_context_add_key(rampart_context, env, key);
return AXIS2_SUCCESS;
}
-/* Get the client certificaate from key manager by giving
- * subject key identifier
- */
-static oxs_x509_cert_t * get_certificate_by_key_identifier(
- const axutil_env_t *env,
- rampart_context_t *rampart_ctx,
- axiom_node_t *key_id_node)
-{
- oxs_x509_cert_t *cert = NULL;
- axis2_char_t *value_type = NULL;
- axiom_element_t *key_id_element = NULL;
- axis2_char_t *ski = NULL;
- oxs_key_mgr_t *key_mgr = NULL;
-
- if((cert = rampart_context_get_receiver_certificate(rampart_ctx, env)))
- {
- /* In the client side, it is prefered to use certificate files instead
- * of key store, because one client normally interact with only one
- * service. To handle this scenario, if we found reciever certificate file
- * specified in rampart_context we directly call the get_reciever_certificate.
- */
- return cert;
- }
-
- key_id_element = axiom_node_get_data_element(key_id_node, env);
- value_type = axiom_element_get_attribute_value_by_name(key_id_element, env, "ValueType");
-
- key_mgr = rampart_context_get_key_mgr(rampart_ctx, env);
- if(strcmp(value_type, OXS_X509_SUBJ_KI) == 0)
- {
- ski = axiom_element_get_text(key_id_element, env, key_id_node);
- cert = oxs_key_mgr_get_receiver_certificate_from_ski(key_mgr, env, ski);
- }
- else
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][shp] Other KeyIdentifier ValueTypes are not supported.");
- return NULL;
- }
-
- return cert;
-}
-/* Get the client certificaate from key manager by giving
- * issuer and serial number of the certificate
- */
-static oxs_x509_cert_t * get_certificate_by_issuer_serial(
- const axutil_env_t *env,
- rampart_context_t *rampart_ctx,
- axiom_node_t *x509_data_node)
-{
- oxs_x509_cert_t *cert = NULL;
- axiom_node_t *issuer_serial_node = NULL;
- axiom_element_t *issuer_serial_ele = NULL;
- axiom_child_element_iterator_t *child_itr = NULL;
- axiom_node_t *child_node = NULL;
- axiom_element_t *child_ele = NULL;
- axis2_char_t *ele_name = NULL;
- axis2_char_t *issuer_name_str = NULL;
- axis2_char_t *serial_num_str = NULL;
- int serial_num = -1;
- oxs_key_mgr_t *key_mgr = NULL;
-
- if((cert = rampart_context_get_receiver_certificate(rampart_ctx, env)))
- {
- /* In the client side, it is prefered to use certificate files instead
- * of key store, because one client normally interact with only one
- * service. To handle this scenario, if we found reciever certificate file
- * specified in rampart_context we directly call the get_reciever_certificate.
- */
- return cert;
- }
-
- issuer_serial_node = axiom_node_get_first_child(x509_data_node, env);
- issuer_serial_ele = axiom_node_get_data_element(issuer_serial_node, env);
-
- child_itr = axiom_element_get_child_elements(issuer_serial_ele, env, issuer_serial_node);
- while(axiom_child_element_iterator_has_next(child_itr, env))
- {
- child_node = axiom_child_element_iterator_next(child_itr,env);
- child_ele = axiom_node_get_data_element(child_node, env);
- ele_name = axiom_element_get_localname(child_ele, env);
- if(axutil_strcmp(ele_name, OXS_NODE_X509_ISSUER_NAME) == 0)
- {
- issuer_name_str = axiom_element_get_text(child_ele, env, child_node);
- if(!issuer_name_str)
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][shp]Issuer Name cannot be NULL.");
- return NULL;
- }
- AXIS2_LOG_INFO(env->log, AXIS2_LOG_SI,
- "[rampart][shp]X509 Certificate Issuer Name Found: %s", issuer_name_str);
- }
- else if(axutil_strcmp(ele_name, OXS_NODE_X509_SERIAL_NUMBER) == 0)
- {
- serial_num_str = axiom_element_get_text(child_ele, env, child_node);
- if(!serial_num_str)
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][shp]Serial number cannot be null.");
- }
- AXIS2_LOG_INFO(env->log, AXIS2_LOG_SI,
- "[rampart][shp]X509 Certificate Serial Number Found: %s", serial_num_str);
- }
- else
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][shp]Error in incoming key info. These types not supported: %", ele_name);
- return NULL;
- }
- }
-
- serial_num = atoi(serial_num_str);
- key_mgr = rampart_context_get_key_mgr(rampart_ctx, env);
-
- cert = oxs_key_mgr_get_receiver_certificate_from_issuer_serial(key_mgr, env, issuer_name_str, serial_num);
-
- return cert;
-}
static void
rampart_shp_store_token_id(const axutil_env_t *env,
@@ -1102,7 +983,7 @@
return status;
}
-
+#if 0
static axis2_status_t
rampart_shp_process_sym_binding_signature(
const axutil_env_t *env,
@@ -1187,7 +1068,6 @@
axis2_bool_t server_side = AXIS2_FALSE;
axis2_char_t *eki = NULL;
rp_property_type_t token_type;
- axiom_node_t *key_info_node = NULL;
axiom_node_t *str_node = NULL;
axiom_node_t *str_child_node = NULL;
axis2_char_t *str_child_name = NULL;
@@ -1301,8 +1181,8 @@
if(!token)
{
- AXIS2_LOG_INFO(env->log, "[rampart][shp] Signature Token is not specified");
- return AXIS2_SUCCESS;
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Signature Token is not specified");
+ return AXIS2_FAILURE;
}
token_type = rp_property_get_type(token, env);
@@ -1608,41 +1488,330 @@
static axis2_status_t
rampart_shp_process_signature(
-const axutil_env_t *env,
+ const axutil_env_t *env,
axis2_msg_ctx_t *msg_ctx,
rampart_context_t *rampart_context,
axiom_soap_envelope_t *soap_envelope,
axiom_node_t *sec_node,
axiom_node_t *sig_node)
{
+ rp_property_type_t binding_type;
axis2_status_t status = AXIS2_FAILURE;
-
- if((rampart_context_get_binding_type(rampart_context,env)) == RP_PROPERTY_ASYMMETRIC_BINDING){
- status = rampart_shp_process_asym_binding_signature(env, msg_ctx, rampart_context, soap_envelope, sec_node, sig_node, AXIS2_FALSE);
- }else if ((rampart_context_get_binding_type(rampart_context,env)) == RP_PROPERTY_SYMMETRIC_BINDING){
- status = rampart_shp_process_sym_binding_signature(env, msg_ctx, rampart_context, soap_envelope, sec_node, sig_node);
- }else if((rampart_context_get_binding_type(rampart_context,env)) == RP_PROPERTY_TRANSPORT_BINDING){
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Transport Binding Not supported" );
+
+ binding_type = rampart_context_get_binding_type(rampart_context, env);
+
+ if(binding_type == RP_PROPERTY_ASYMMETRIC_BINDING)
+ {
+ status = rampart_shp_process_asym_binding_signature(env, msg_ctx, rampart_context,
+ soap_envelope, sec_node, sig_node, AXIS2_FALSE);
+ }
+ else if(binding_type == RP_PROPERTY_SYMMETRIC_BINDING)
+ {
+ status = rampart_shp_process_sym_binding_signature(env, msg_ctx, rampart_context,
+ soap_envelope, sec_node, sig_node);
+ }
+ else if(binding_type == RP_PROPERTY_TRANSPORT_BINDING)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Transport Binding Not supported");
/*Not supported*/
- }else{
+ }
+ else
+ {
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] Binding type not supported");
/*Not supported*/
}
- /*We need to set the Signature Value in the Security Processed Resultsi. This is required for the Signature Confirmation support*/
- if(AXIS2_SUCCESS == status){
- axis2_char_t *sig_val = NULL;
- axiom_node_t *sig_val_node = NULL;
-
- sig_val_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_SIGNATURE_VALUE, OXS_DSIG_NS, OXS_DS );
- sig_val = oxs_token_get_signature_value(env, sig_val_node);
-
- rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VERIFIED, RAMPART_YES);
- rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VALUE, sig_val);
- }else{
- rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VERIFIED, RAMPART_NO);
+
+ /* We need to set the Signature Value in the Security Processed Results.
+ * This is required for the Signature Confirmation support */
+ if(AXIS2_SUCCESS == status)
+ {
+ axis2_char_t *sig_val = NULL;
+ axiom_node_t *sig_val_node = NULL;
+
+ sig_val_node = oxs_axiom_get_first_child_node_by_name(env, sig_node,
+ OXS_NODE_SIGNATURE_VALUE, OXS_DSIG_NS, OXS_DS);
+ sig_val = oxs_token_get_signature_value(env, sig_val_node);
+
+ rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VERIFIED, RAMPART_YES);
+ rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VALUE, sig_val);
+ }
+ else
+ {
+ rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VERIFIED, RAMPART_NO);
}
return status;
}
+#endif
+
+static axis2_status_t
+rampart_shp_process_signature(
+ const axutil_env_t *env,
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_soap_envelope_t *soap_envelope,
+ axiom_node_t *sec_node,
+ axiom_node_t *sig_node)
+{
+ /* Steps:
+ * (1)get the session key/certificate from key info
+ * (2)validate signature based on what is available in the incoming message
+ * (3)In the validation step, we can get all the nodes which were included in the signature
+ * (4)Check whether this is signature or endorsing, based on the nodes included in signature
+ * (5)Get the parameters (algorithm, key) from policy and validate incoming signature
+ * (6)Get nodes to be included in the signature based on policy and check whether any of them
+ * are missed in the signature. Also, check any additional nodes included in the signature
+ * (7)Store the signature to use in signature confirmation
+ */
+ axiom_node_t *key_info_node = NULL;
+ oxs_key_t *symmetric_key = NULL;
+ oxs_x509_cert_t *public_cert = NULL;
+ oxs_sign_ctx_t *sign_ctx = NULL;
+ axutil_array_list_t *signed_parts = NULL;
+ int signed_parts_size = 0;
+ int i = 0;
+ axis2_bool_t is_endorsing = AXIS2_FALSE;
+ axis2_char_t *token_type = NULL;
+ axis2_char_t *reference_method = NULL;
+ axiom_node_t *envelope_node = NULL;
+ axis2_char_t *sig_val = NULL;
+
+
+ /* Step 1: Get the session key or certificate from the message */
+ key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_KEY_INFO,
+ OXS_DSIG_NS, NULL);
+
+ if(!key_info_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Signature verification failed. Key Info node is not available in the message.");
+ return AXIS2_FAILURE;
+ }
+
+ if(rampart_token_process_key_info(env, key_info_node, sec_node, rampart_context, msg_ctx,
+ AXIS2_TRUE, &public_cert, &symmetric_key, &token_type, &reference_method) != AXIS2_SUCCESS)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Signature verification failed. Unable to identify signing key from key info.");
+ return AXIS2_FAILURE;
+ }
+
+ /* if we reach here, either symmetric key or public certificate should be valid */
+ /* if security context token or X509 token is used, then store it. It will be used by the
+ * server to sign the message */
+ rampart_shp_store_token_id(env, key_info_node, rampart_context, sec_node, AXIS2_FALSE, msg_ctx);
+ if(public_cert)
+ {
+ rampart_context_set_found_cert_in_shp(rampart_context, env, AXIS2_TRUE);
+ rampart_context_set_receiver_cert_found_in_shp(rampart_context, env, public_cert);
+ }
+
+ /* Step 2: validate signature */
+ sign_ctx = oxs_sign_ctx_create(env);
+ if(!sign_ctx)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Insufficient memory. Sign context creation failed.");
+ return AXIS2_FAILURE;
+ }
+ oxs_sign_ctx_set_operation(sign_ctx, env, OXS_SIGN_OPERATION_VERIFY);
+ oxs_sign_ctx_set_certificate(sign_ctx, env, public_cert);
+ oxs_sign_ctx_set_secret(sign_ctx, env, symmetric_key);
+
+ envelope_node = axiom_soap_envelope_get_base_node(soap_envelope, env);
+ if(!envelope_node)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Cannot get the Envelope node from envelope.");
+ return AXIS2_FAILURE;
+ }
+
+ if(oxs_xml_sig_verify(env, sign_ctx, sig_node, envelope_node) != AXIS2_SUCCESS)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Signature Verification failed.");
+ return AXIS2_FAILURE;
+ }
+
+ /* Step 3: get all the nodes which were included in the signature */
+ signed_parts = oxs_sign_ctx_get_sign_parts(sign_ctx, env);
+ signed_parts_size = axutil_array_list_size(signed_parts, env);
+ if(signed_parts_size == 0)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "None of the nodes are included in the signature.");
+ return AXIS2_FAILURE;
+ }
+
+ /* Step 4 - 6: verify whether the signature is according to the policy */
+ if(signed_parts_size == 1)
+ {
+ /* It could be endorsing signature */
+ /* TODO WS-SecurityPolicy 1.2 allows endorsing signature to include some other parts as
+ * well. Rampart/C is not supporting it.
+ */
+ oxs_sign_part_t *sign_part = NULL;
+ axiom_node_t *sign_node = NULL;
+ sign_part = (oxs_sign_part_t*)axutil_array_list_get(signed_parts, env, 0);
+ sign_node = oxs_sign_part_get_node(sign_part, env);
+ is_endorsing = oxs_axiom_check_node_name(env, sign_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS);
+ if(is_endorsing)
+ {
+ rp_property_t *token = NULL;
+ rp_property_type_t rp_token_type;
+
+ /* check whether we need endorsing signature*/
+ token = rampart_context_get_endorsing_token(rampart_context, env);
+ if(!token)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Endorsing Token is not specified");
+ return AXIS2_FAILURE;
+ }
+
+ /* check whether the algorithms are according to endorsing token */
+ rp_token_type = rp_property_get_type(token, env);
+ if(rp_token_type == RP_PROPERTY_X509_TOKEN)
+ {
+ axis2_char_t *sign_mtd_algo_provided = NULL;
+ axis2_char_t *sign_mtd_algo_needed = NULL;
+ sign_mtd_algo_provided = oxs_sign_ctx_get_sign_mtd_algo(sign_ctx, env);
+ sign_mtd_algo_needed = rampart_context_get_asym_sig_algo(rampart_context,env);
+ if(axutil_strcmp(sign_mtd_algo_provided, sign_mtd_algo_needed) != 0)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Endorsing signature algorithm is not valid. Expected [%s], given [%s]",
+ sign_mtd_algo_needed, sign_mtd_algo_provided);
+ return AXIS2_FAILURE;
+ }
+ }
+ else
+ {
+ /* TODO for the moment, we support only asymmetric endorsing using x509 */
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Endorsing signature with non-x509 token is not allowed");
+ return AXIS2_FAILURE;
+ }
+ } /* else part is covered below. It will include the part where signed_parts_size != 1 */
+ }
+
+ /* TODO validate the token type, inclusion method, reference method here */
+
+ if(!is_endorsing)
+ {
+ /* normal signature. Validate whether this signature is valid */
+ axutil_array_list_t *nodes_to_sign = NULL;
+ int nodes_to_sign_size = 0;
+ rp_property_type_t binding_type;
+ axis2_char_t *sign_mtd_algo_provided = NULL;
+ axis2_char_t *sign_mtd_algo_needed = NULL;
+ axis2_char_t *digest_mtd_algo_needed = NULL;
+
+ /* Check the algorithms */
+ sign_mtd_algo_provided = oxs_sign_ctx_get_sign_mtd_algo(sign_ctx, env);
+ binding_type = rampart_context_get_binding_type(rampart_context, env);
+ if(binding_type == RP_PROPERTY_ASYMMETRIC_BINDING)
+ {
+ sign_mtd_algo_needed = rampart_context_get_asym_sig_algo(rampart_context,env);
+ }
+ else if(binding_type == RP_PROPERTY_SYMMETRIC_BINDING)
+ {
+ sign_mtd_algo_needed = rampart_context_get_sym_sig_algo(rampart_context,env);
+ }
+ else
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Signature is not supported for Transport binding");
+ return AXIS2_FAILURE;
+ }
+
+ if(axutil_strcmp(sign_mtd_algo_provided, sign_mtd_algo_needed) != 0)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Signature algorithm is not valid. Expected [%s], given [%s]",
+ sign_mtd_algo_needed, sign_mtd_algo_provided);
+ return AXIS2_FAILURE;
+ }
+
+ /* Get the nodes to be signed and check whether they are signed */
+ nodes_to_sign = axutil_array_list_create(env, 0);
+ if(rampart_context_get_nodes_to_sign(rampart_context, env, soap_envelope, nodes_to_sign)
+ != AXIS2_SUCCESS)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Cannot get information about nodes to be signed from policy.");
+ return AXIS2_FAILURE;
+ }
+
+ nodes_to_sign_size = axutil_array_list_size(nodes_to_sign, env);
+ if(nodes_to_sign_size != signed_parts_size)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Number of nodes to be signed [%d] and number of nodes which were included in the "
+ "signature [%d] are different.", nodes_to_sign_size, signed_parts_size);
+ return AXIS2_FAILURE;
+ }
+
+ /* Get digest method and check for validity */
+ digest_mtd_algo_needed = rampart_context_get_digest_mtd(rampart_context,env);
+
+ for(i = 0; i < signed_parts_size; ++i)
+ {
+ oxs_sign_part_t *sign_part = NULL;
+ axiom_node_t *signed_node = NULL;
+ axis2_char_t *digest_mtd_algo_provided = NULL;
+ int j = 0;
+ axis2_bool_t match_found = AXIS2_FALSE;
+
+ sign_part = (oxs_sign_part_t*)axutil_array_list_get(signed_parts, env, i);
+
+ /* Check for digest method validity */
+ digest_mtd_algo_provided = oxs_sign_part_get_digest_mtd(sign_part, env);
+ if(axutil_strcmp(digest_mtd_algo_provided, digest_mtd_algo_needed) != 0)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Digest algorithm is not valid. Expected [%s], given [%s]",
+ digest_mtd_algo_needed, digest_mtd_algo_provided);
+ return AXIS2_FAILURE;
+ }
+
+ signed_node = oxs_sign_part_get_node(sign_part, env);
+
+ for(j=0; i< nodes_to_sign_size; ++j)
+ {
+ axiom_node_t *node_to_be_signed = NULL;
+ node_to_be_signed = (axiom_node_t*)axutil_array_list_get(nodes_to_sign, env, j);
+ if(node_to_be_signed == signed_node)
+ {
+ match_found = AXIS2_TRUE;
+ break;
+ }
+ }
+
+ if(!match_found)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "Some nodes that should be signed are not signed.");
+ return AXIS2_FAILURE;
+ }
+ }
+ }
+
+ /* signature is successful */
+ sig_val = oxs_sign_ctx_get_sig_val(sign_ctx, env);
+ if(is_endorsing)
+ {
+ rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_ENDORSED_VALUE, sig_val);
+ }
+ else
+ {
+ rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_SIG_VALUE, sig_val);
+ }
+
+
+ if(sign_ctx)
+ {
+ oxs_sign_ctx_free(sign_ctx, env);
+ sign_ctx = NULL;
+ }
+
+ return AXIS2_SUCCESS;
+}
/***/
static axis2_status_t
@@ -1752,50 +1921,47 @@
return AXIS2_SUCCESS;
}
-static axis2_status_t
-rampart_shp_process_saml_token(const axutil_env_t *env,
- axis2_msg_ctx_t *msg_ctx,
- rampart_context_t *rampart_context,
- axiom_node_t *saml_node)
+static axis2_status_t
+rampart_shp_process_saml_token(
+ const axutil_env_t *env,
+ axis2_msg_ctx_t *msg_ctx,
+ rampart_context_t *rampart_context,
+ axiom_node_t *saml_node)
{
axis2_bool_t server_side = AXIS2_FALSE;
rampart_saml_token_t *saml = NULL;
axis2_char_t *sub_conf = NULL;
server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
-
- if (AXIS2_FAILURE == rampart_saml_token_validate(env, rampart_context, saml_node))
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][shp] SAML Signature Verification Failed");
- return AXIS2_FAILURE;
- }
+
+ if(AXIS2_FAILURE == rampart_saml_token_validate(env, rampart_context, saml_node))
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][shp] SAML Signature Verification Failed");
+ return AXIS2_FAILURE;
+ }
sub_conf = rampart_saml_token_get_subject_confirmation(env, saml_node);
- if (sub_conf && axutil_strcmp(sub_conf, SAML_SUB_CONFIRMATION_SENDER_VOUCHES) == 0)
+ if(sub_conf && axutil_strcmp(sub_conf, SAML_SUB_CONFIRMATION_SENDER_VOUCHES) == 0)
{
- if (!rampart_context_is_include_supporting_token(rampart_context, env,
- !server_side, AXIS2_FALSE, RP_PROPERTY_SAML_TOKEN) &&
- !rampart_context_is_include_supporting_token(rampart_context, env,
- !server_side, AXIS2_FALSE, RP_PROPERTY_ISSUED_TOKEN))
+ if(!rampart_context_is_include_supporting_token(rampart_context, env, !server_side,
+ AXIS2_FALSE, RP_PROPERTY_SAML_TOKEN) && !rampart_context_is_include_supporting_token(
+ rampart_context, env, !server_side, AXIS2_FALSE, RP_PROPERTY_ISSUED_TOKEN))
{
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[Rampart][shp] Unexpected SAML token.");
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[Rampart][shp] Unexpected SAML token.");
return AXIS2_FAILURE;
}
- }
- else if (sub_conf && axutil_strcmp(sub_conf, SAML_SUB_CONFIRMATION_HOLDER_OF_KEY) == 0)
+ }
+ else if(sub_conf && axutil_strcmp(sub_conf, SAML_SUB_CONFIRMATION_HOLDER_OF_KEY) == 0)
{
- if (!rampart_context_is_include_protection_saml_token(rampart_context,
- !server_side, AXIS2_FALSE, env))
+ if(!rampart_context_is_include_protection_saml_token(rampart_context, !server_side,
+ AXIS2_FALSE, env))
{
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[Rampart][shp] Unexpected SAML token.");
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[Rampart][shp] Unexpected SAML token.");
return AXIS2_FAILURE;
}
}
- /* Set the SAML token to the rampart context */
+ /* Set the SAML token to the rampart context */
saml = rampart_saml_token_create(env, saml_node, RAMPART_ST_CONFIR_TYPE_UNSPECIFIED);
- rampart_context_add_saml_token(rampart_context, env, saml);
- return AXIS2_SUCCESS;
+ rampart_context_add_saml_token(rampart_context, env, saml);
+ return AXIS2_SUCCESS;
}
/*Public functions*/
@@ -1810,7 +1976,7 @@
{
axiom_node_t *cur_node = NULL;
axis2_status_t status = AXIS2_FAILURE;
- axis2_bool_t first_signature = AXIS2_TRUE;
+ /*axis2_bool_t first_signature = AXIS2_TRUE;*/
AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart]Processing security header in Strict layout");
@@ -1821,18 +1987,20 @@
{
axis2_char_t *cur_local_name = NULL;
cur_local_name = axiom_util_get_localname(cur_node, env);
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
- "[rampart]Processing security header element %s", cur_local_name);
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[rampart]Processing security header element %s",
+ cur_local_name);
+
+ /* TODO validate the namespace */
if(!axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_KEY))
{
- status = rampart_shp_process_encrypted_key(
- env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node);
+ status = rampart_shp_process_encrypted_key(env, msg_ctx, rampart_context,
+ soap_envelope, sec_node, cur_node);
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_SECURITY_CONTEXT_TOKEN))
{
- status = rampart_shp_process_security_context_token(
- env, cur_node, rampart_context, msg_ctx);
+ status = rampart_shp_process_security_context_token(env, cur_node, rampart_context,
+ msg_ctx);
}
else if(!axutil_strcmp(cur_local_name, RAMPART_SECURITY_TIMESTAMP))
{
@@ -1844,38 +2012,43 @@
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE))
{
+ status = rampart_shp_process_signature(env, msg_ctx, rampart_context, soap_envelope,
+ sec_node, cur_node);
+#if 0
if(first_signature)
{
- status = rampart_shp_process_signature(
- env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node);
+ status = rampart_shp_process_signature(env, msg_ctx, rampart_context,
+ soap_envelope, sec_node, cur_node);
first_signature = AXIS2_FALSE;
}
else /*endorsing*/
{
- status = rampart_shp_process_asym_binding_signature(
- env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node, AXIS2_TRUE);
+ /* TODO this way of validating endorsing signature is wrong. Correct it */
+ status = rampart_shp_process_asym_binding_signature(env, msg_ctx, rampart_context,
+ soap_envelope, sec_node, cur_node, AXIS2_TRUE);
if(AXIS2_SUCCESS == status)
{
- axis2_char_t *sig_val = NULL;
+ axis2_char_t *sig_val = NULL;
axiom_node_t *sig_val_node = NULL;
- sig_val_node = oxs_axiom_get_first_child_node_by_name(
- env, cur_node, OXS_NODE_SIGNATURE_VALUE, OXS_DSIG_NS, OXS_DS );
+ sig_val_node = oxs_axiom_get_first_child_node_by_name(env, cur_node,
+ OXS_NODE_SIGNATURE_VALUE, OXS_DSIG_NS, OXS_DS);
sig_val = oxs_token_get_signature_value(env, sig_val_node);
- rampart_set_security_processed_result(
- env, msg_ctx, RAMPART_SPR_ENDORSED_VALUE, sig_val);
+ rampart_set_security_processed_result(env, msg_ctx, RAMPART_SPR_ENDORSED_VALUE,
+ sig_val);
}
}
+#endif
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_REFERENCE_LIST))
{
- status = rampart_shp_process_reference_list(
- env, msg_ctx, rampart_context, soap_envelope, sec_node, cur_node);
+ status = rampart_shp_process_reference_list(env, msg_ctx, rampart_context,
+ soap_envelope, sec_node, cur_node);
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_DERIVED_KEY_TOKEN))
{
/* We need to extract this and store in the rampart context*/
- status = rampart_shp_process_derived_key(
- env, msg_ctx, rampart_context, sec_node, cur_node);
+ status = rampart_shp_process_derived_key(env, msg_ctx, rampart_context, sec_node,
+ cur_node);
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_ENCRYPTED_DATA))
{
@@ -1885,8 +2058,8 @@
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_SIGNATURE_CONFIRMATION))
{
- status = rampart_shp_process_signature_confirmation(
- env, msg_ctx, rampart_context, cur_node);
+ status = rampart_shp_process_signature_confirmation(env, msg_ctx, rampart_context,
+ cur_node);
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_BINARY_SECURITY_TOKEN))
{
@@ -1895,7 +2068,7 @@
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_SAML_ASSERTION))
{
- status = rampart_shp_process_saml_token(env, msg_ctx, rampart_context, cur_node);
+ status = rampart_shp_process_saml_token(env, msg_ctx, rampart_context, cur_node);
}
else if(!axutil_strcmp(cur_local_name, OXS_NODE_SECURITY_TOKEN_REFRENCE))
{
@@ -1905,26 +2078,30 @@
else
{
/* if the security header is unknown, we should not continue. */
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart]Unknown security header %s", cur_local_name);
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Unknown security header %s",
+ cur_local_name);
status = AXIS2_FAILURE;
}
if(status != AXIS2_SUCCESS)
{
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart]%s processing failed", cur_local_name);
- return AXIS2_FAILURE;
+ axis2_char_t *reason = NULL;
+ reason = axutil_stracat(env, cur_local_name, " processing failed");
+ rampart_create_fault_envelope(env, RAMPART_FAULT_INVALID_SECURITY, reason,
+ cur_local_name, msg_ctx);
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, reason);
+ AXIS2_FREE(env->allocator, reason);
+ return AXIS2_FAILURE;
}
/* Get next node */
cur_node = axiom_node_get_next_sibling(cur_node, env);
}/*Eof while loop*/
-
+
AXIS2_LOG_INFO(env->log, "Security header processing done");
-
+
/*Now detect replays*/
- status = rampart_shp_detect_replays(env, msg_ctx, rampart_context, soap_envelope, sec_node);
+ status = rampart_shp_detect_replays(env, msg_ctx, rampart_context, soap_envelope, sec_node);
if(status != AXIS2_SUCCESS)
{
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart]Message replay detected.");
@@ -1940,7 +2117,3 @@
}
return AXIS2_SUCCESS;
}
-
-
-
-
Modified: webservices/rampart/trunk/c/src/util/rampart_signature.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_signature.c?rev=794624&r1=794623&r2=794624&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_signature.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_signature.c Thu Jul 16 10:57:25 2009
@@ -421,6 +421,8 @@
nodes_to_sign = NULL;
return AXIS2_SUCCESS;
}
+
+#if 0 /* this block is moved to rampart_context_get_nodes_to_sign */
/*If Timestamp and usernametoken are in the message we should sign them.*/
if(rampart_context_get_require_timestamp(rampart_context, env))
@@ -475,6 +477,7 @@
}
}
}
+#endif
/*Now we have to check whether a token is specified.*/
token = rampart_context_get_token(rampart_context, env, AXIS2_FALSE, server_side, AXIS2_FALSE);
@@ -1114,3 +1117,6 @@
return status;
}
+
+
+