authorLuke Howard <lukeh@padl.com>2009-11-11 17:54:50 +0000
committerLuke Howard <lukeh@padl.com>2009-11-11 17:54:50 +0000
commite8e1e7470a00ea0ce8c62761486ee7c51d7b139b (patch)
tree62e478152487798b2692d774f8f1fac83e744dd8
parente01f4b60692ed98af7a69ec76a8d5f2ba5b26855 (diff)
downloadkrb5-lhoward/saml.tar.gz
more worklhoward/saml
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml@23150 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/plugins/authdata/TODO.SAML5
-rw-r--r--src/plugins/authdata/saml_client/Makefile.in4
-rw-r--r--src/plugins/authdata/saml_server/Makefile.in6
-rw-r--r--src/plugins/authdata/saml_server/saml_krb.h13
-rw-r--r--src/plugins/authdata/saml_server/saml_util.cpp25
5 files changed, 36 insertions, 17 deletions
diff --git a/src/plugins/authdata/TODO.SAML b/src/plugins/authdata/TODO.SAML
index ac7380701..f3b08a0e6 100644
--- a/src/plugins/authdata/TODO.SAML
+++ b/src/plugins/authdata/TODO.SAML
@@ -1,2 +1,5 @@
- add string/base64 xsi:type
-
+- add trustengine support
+- test PKI verficiation
+- add secret signing to Shib IdP
+- add OpenSAML dependencies to configure
diff --git a/src/plugins/authdata/saml_client/Makefile.in b/src/plugins/authdata/saml_client/Makefile.in
index de69882a6..4314dc3e8 100644
--- a/src/plugins/authdata/saml_client/Makefile.in
+++ b/src/plugins/authdata/saml_client/Makefile.in
@@ -23,9 +23,9 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) $(SAML_LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
STOBJLISTS=OBJS.ST
-STLIBOBJS= saml_authdata.o ../saml_server/saml_util.o
+STLIBOBJS= saml_authdata.o ../saml_server/saml_util.o ../saml_server/saml_trust.o
-SRCS= saml_authdata.cpp ../saml_server/saml_util.cpp
+SRCS= saml_authdata.cpp ../saml_server/saml_util.cpp ../saml_server/saml_trust.cpp
all-unix:: all-liblinks
install-unix:: install-libs
diff --git a/src/plugins/authdata/saml_server/Makefile.in b/src/plugins/authdata/saml_server/Makefile.in
index f6d5e8653..8c2188f83 100644
--- a/src/plugins/authdata/saml_server/Makefile.in
+++ b/src/plugins/authdata/saml_server/Makefile.in
@@ -24,8 +24,8 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto -lkdb_ldap $(SUPPORT_LIB) $(LIBS) @LD
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
STOBJLISTS=OBJS.ST
-STLIBOBJS= saml_kdc.o saml_ldap.o saml_util.o
-SRCS=saml_kdc.cpp saml_ldap.cpp saml_util.cpp
+STLIBOBJS= saml_kdc.o saml_ldap.o saml_util.o saml_trust.o
+SRCS=saml_kdc.cpp saml_ldap.cpp saml_util.cpp saml_trust.cpp
all-unix:: all-liblinks
install-unix:: install-libs
@@ -39,5 +39,5 @@ clean::
# XXX for now
CC=$(CXX)
-CXXFLAGS=-g
+CXXFLAGS=-g -DGCC_HASCLASSVISIBILITY=1 -fvisibility=default
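Review bot: `CXXFLAGS=-g -DGCC_HASCLASSVISIBILITY=1 -fvisibility=default` is an unconditional assignment under the `# XXX for now` marker, so it discards whatever CXXFLAGS configure supplies for this plugin and hard-codes a GCC-only option plus what appears to be a library export macro; a compiler without `-fvisibility` will reject the build outright. TODO.SAML in this same commit already plans to add the OpenSAML dependencies to configure, and these two flags belong in that probe (alongside the SAML_LIBS variable the Makefiles already consume) rather than in Makefile.in. The saml_client Makefile.in hunk compiles the same ../saml_server/saml_trust.cpp but does not receive these flags, so if saml_trust.cpp depends on them the two plugins are built inconsistently.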
diff --git a/src/plugins/authdata/saml_server/saml_krb.h b/src/plugins/authdata/saml_server/saml_krb.h
index d7750daee..0a3ecd660 100644
--- a/src/plugins/authdata/saml_server/saml_krb.h
+++ b/src/plugins/authdata/saml_server/saml_krb.h
@@ -75,6 +75,8 @@ using namespace std;
#define SAML_KRB_USAGE_SESSION_KEY 1 /* derive from session key */
#define SAML_KRB_USAGE_SERVER_KEY 2 /* derive from server key */
+/* saml_util.cpp */
+
krb5_error_code
saml_krb_derive_key(krb5_context context,
const krb5_keyblock *basekey,
@@ -219,5 +221,16 @@ class auto_ptr_krb5_data {
XMLCh *m_buf;
};
+/* saml_trust.cpp */
+
+krb5_error_code
+saml_krb_verify_trustengine(krb5_context context,
+ Signature *signature,
+ const krb5_keyblock *key,
+ krb5_const_principal server,
+ unsigned int flags,
+ krb5_boolean bound,
+ krb5_boolean *pValid);
+
#endif /* SAML_KRB_H_ */
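Review bot: The new saml_krb_verify_trustengine prototype carries no comment on its output contract, in particular whether `*pValid` is written on every return or only when the function returns 0; the caller added in saml_util.cpp tests `code != 0` before reading the flag, so it assumes the latter. If that is the intended contract, a comment above the declaration such as `/* On a 0 return *pValid holds the verification result; it is not meaningful on a non-zero return. */` would keep future callers from reading it after a failure. The meaning of `bound` and of which SAML_KRB_VERIFY_* bits `flags` honours is likewise undocumented and is worth a sentence at the declaration, since the header is the only place callers in other files see it.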
diff --git a/src/plugins/authdata/saml_server/saml_util.cpp b/src/plugins/authdata/saml_server/saml_util.cpp
index 8cc92dddc..eb105459f 100644
--- a/src/plugins/authdata/saml_server/saml_util.cpp
+++ b/src/plugins/authdata/saml_server/saml_util.cpp
@@ -496,6 +496,7 @@ krb5_error_code
saml_krb_verify_signature(krb5_context context,
Signature *signature,
const krb5_keyblock *key,
+ krb5_const_principal server,
unsigned int flags,
krb5_boolean bound,
krb5_boolean *pValid)
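Review bot: The added `krb5_const_principal server` parameter changes saml_krb_verify_signature's signature, yet the saml_krb.h section of this diff contains only insertions (13 per the diffstat, nothing removed), so if the header declares this function its prototype would still have the old six-parameter form. Within saml_util.cpp the call in saml_krb_verify resolves to the new definition, but any caller in another file compiling against the stale declaration would fail at link time. Add `krb5_const_principal server,` between the `key` and `flags` parameters of the header declaration, matching the position used in the new saml_krb_verify_trustengine prototype. The body of saml_krb_verify_signature continues beyond this hunk.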
@@ -530,6 +531,8 @@ saml_krb_verify_signature(krb5_context context,
* Note the verification policy may differ depending on whether
* we also trust this signer to bind the name.
*/
+ code = saml_krb_verify_trustengine(context, signature, key,
+ server, flags, bound, pValid);
}
} catch (exception &e) {
code = KRB5_CRYPTO_INTERNAL;
@@ -616,6 +619,16 @@ saml_krb_verify(krb5_context context,
if (signature == NULL)
return 0;
+ /*
+ * Verify any signatures present on the assertion.
+ */
+ if ((flags & SAML_KRB_VERIFY_KDC_VOUCHED) == 0) {
+ code = saml_krb_verify_signature(context, signature, key, server,
+ flags, bound, &verified);
+ if (code != 0 || verified == FALSE)
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
if (saml_krb_get_authtime(context, assertion) < authtime)
return KRB5KDC_ERR_CLIENT_NOTYET;
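Review bot: In the new lines `if (code != 0 || verified == FALSE) return KRB5KRB_AP_ERR_MODIFIED;` a non-zero `code` — including the KRB5_CRYPTO_INTERNAL that saml_krb_verify_signature returns when the trust engine throws — is reported as a modified-message error, so an operator cannot distinguish a genuinely bad signature from a failing or misconfigured trust engine. Both paths still reject, so the fail-closed behaviour is unchanged; returning `if (code != 0) return code;` and then `if (verified == FALSE) return KRB5KRB_AP_ERR_MODIFIED;` keeps the distinction visible in logs. Note also that when SAML_KRB_VERIFY_KDC_VOUCHED is set no signature is examined at all, so callers presumably must set that flag only for assertions that reached them through a path the KDC has already authenticated; a one-line comment on the flag stating that precondition would help. saml_krb_verify begins and ends outside this hunk.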
@@ -629,17 +642,7 @@ saml_krb_verify(krb5_context context,
else if (verified == FALSE)
return KRB5KDC_ERR_CLIENT_NOT_TRUSTED;
- /*
- * Verify any signatures present on the assertion.
- */
- if ((flags & SAML_KRB_VERIFY_KDC_VOUCHED) != 0) {
- code = saml_krb_verify_signature(context, signature, key,
- flags, bound, &verified);
- if (code != 0 || verified == FALSE)
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- /*
+ /*
* Verify that the Recipient in any bearer SubjectConfirmationData
* matches the service principal.
*/