author | Luke Howard <lukeh@padl.com> | 2009-11-11 17:54:50 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2009-11-11 17:54:50 +0000 |
commit | e8e1e7470a00ea0ce8c62761486ee7c51d7b139b (patch) | |
tree | 62e478152487798b2692d774f8f1fac83e744dd8 | |
parent | e01f4b60692ed98af7a69ec76a8d5f2ba5b26855 (diff) | |
more work lhoward/saml
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml@23150 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/plugins/authdata/TODO.SAML | 5 | ||||
-rw-r--r-- | src/plugins/authdata/saml_client/Makefile.in | 4 | ||||
-rw-r--r-- | src/plugins/authdata/saml_server/Makefile.in | 6 | ||||
-rw-r--r-- | src/plugins/authdata/saml_server/saml_krb.h | 13 | ||||
-rw-r--r-- | src/plugins/authdata/saml_server/saml_util.cpp | 25 |
5 files changed, 36 insertions, 17 deletions
diff --git a/src/plugins/authdata/TODO.SAML b/src/plugins/authdata/TODO.SAML
index ac7380701..f3b08a0e6 100644
--- a/src/plugins/authdata/TODO.SAML
+++ b/src/plugins/authdata/TODO.SAML
@@ -1,2 +1,5 @@
 - add string/base64 xsi:type
-
+- add trustengine support
+- test PKI verficiation
+- add secret signing to Shib IdP
+- add OpenSAML dependencies to configure
diff --git a/src/plugins/authdata/saml_client/Makefile.in b/src/plugins/authdata/saml_client/Makefile.in
index de69882a6..4314dc3e8 100644
--- a/src/plugins/authdata/saml_client/Makefile.in
+++ b/src/plugins/authdata/saml_client/Makefile.in
@@ -23,9 +23,9 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) $(SAML_LIBS)
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 STOBJLISTS=OBJS.ST
-STLIBOBJS= saml_authdata.o ../saml_server/saml_util.o
+STLIBOBJS= saml_authdata.o ../saml_server/saml_util.o ../saml_server/saml_trust.o
-SRCS= saml_authdata.cpp ../saml_server/saml_util.cpp
+SRCS= saml_authdata.cpp ../saml_server/saml_util.cpp ../saml_server/saml_trust.cpp
 all-unix:: all-liblinks
 install-unix:: install-libs
diff --git a/src/plugins/authdata/saml_server/Makefile.in b/src/plugins/authdata/saml_server/Makefile.in
index f6d5e8653..8c2188f83 100644
--- a/src/plugins/authdata/saml_server/Makefile.in
+++ b/src/plugins/authdata/saml_server/Makefile.in
@@ -24,8 +24,8 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto -lkdb_ldap $(SUPPORT_LIB) $(LIBS) @LD
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 STOBJLISTS=OBJS.ST
-STLIBOBJS= saml_kdc.o saml_ldap.o saml_util.o
-SRCS=saml_kdc.cpp saml_ldap.cpp saml_util.cpp
+STLIBOBJS= saml_kdc.o saml_ldap.o saml_util.o saml_trust.o
+SRCS=saml_kdc.cpp saml_ldap.cpp saml_util.cpp saml_trust.cpp
 all-unix:: all-liblinks
 install-unix:: install-libs
@@ -39,5 +39,5 @@ clean::
 # XXX for now
 CC=$(CXX)
-CXXFLAGS=-g
+CXXFLAGS=-g -DGCC_HASCLASSVISIBILITY=1 -fvisibility=default
diff --git a/src/plugins/authdata/saml_server/saml_krb.h b/src/plugins/authdata/saml_server/saml_krb.h
index d7750daee..0a3ecd660 100644
--- a/src/plugins/authdata/saml_server/saml_krb.h
+++ b/src/plugins/authdata/saml_server/saml_krb.h
@@ -75,6 +75,8 @@ using namespace std;
 #define SAML_KRB_USAGE_SESSION_KEY 1 /* derive from session key */
 #define SAML_KRB_USAGE_SERVER_KEY 2 /* derive from server key */
+/* saml_util.cpp */
+
 krb5_error_code
 saml_krb_derive_key(krb5_context context,
 const krb5_keyblock *basekey,
@@ -219,5 +221,16 @@ class auto_ptr_krb5_data {
 XMLCh *m_buf;
 };
+/* saml_trust.cpp */
+
+krb5_error_code
+saml_krb_verify_trustengine(krb5_context context,
+ Signature *signature,
+ const krb5_keyblock *key,
+ krb5_const_principal server,
+ unsigned int flags,
+ krb5_boolean bound,
+ krb5_boolean *pValid);
+
 #endif /* SAML_KRB_H_ */
diff --git a/src/plugins/authdata/saml_server/saml_util.cpp b/src/plugins/authdata/saml_server/saml_util.cpp
index 8cc92dddc..eb105459f 100644
--- a/src/plugins/authdata/saml_server/saml_util.cpp
+++ b/src/plugins/authdata/saml_server/saml_util.cpp
@@ -496,6 +496,7 @@ krb5_error_code
 saml_krb_verify_signature(krb5_context context,
 Signature *signature,
 const krb5_keyblock *key,
+ krb5_const_principal server,
 unsigned int flags,
 krb5_boolean bound,
 krb5_boolean *pValid)
@@ -530,6 +531,8 @@ saml_krb_verify_signature(krb5_context context,
 * Note the verification policy may differ depending on whether
 * we also trust this signer to bind the name.
 */
+ code = saml_krb_verify_trustengine(context, signature, key,
+ server, flags, bound, pValid);
 }
 } catch (exception &e) {
 code = KRB5_CRYPTO_INTERNAL;
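Review bot: The new `krb5_const_principal server` parameter changes the signature of saml_krb_verify_signature, but the only saml_krb.h hunks in this commit (-75 and -219) add a `/* saml_util.cpp */` section marker and the saml_krb_verify_trustengine prototype, so if saml_krb_verify_signature is declared in that header — which the section marker suggests — its declaration still lacks the parameter and the saml_client build, which compiles ../saml_server/saml_util.cpp per the Makefile.in hunk, will see mismatched declarations. Add `krb5_const_principal server,` to the header prototype in the same position, between `key` and `flags`. The only caller updated in this diff is saml_krb_verify; any other caller of this function is outside the diff and would need the same change. saml_krb_verify_signature's body continues outside the hunk.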
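Review bot: On the exception path right after the new call, `code = KRB5_CRYPTO_INTERNAL;` is set but `*pValid` keeps whatever saml_krb_verify_trustengine wrote before throwing, so a caller that tests only the out-parameter could treat a partially evaluated signature as valid; unless `*pValid` is cleared at the top of saml_krb_verify_signature (outside the hunk), add `*pValid = FALSE;` ahead of `code = KRB5_CRYPTO_INTERNAL;` in the catch block so the function fails closed. The comment above the call, about the policy differing for signers trusted to bind the name, would also read better if it said that this is what the `bound` argument handed to the trust engine selects, e.g. `/* bound selects the trust-engine policy for signers allowed to bind the name */`. The enclosing function starts and ends outside the hunk.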
@@ -616,6 +619,16 @@ saml_krb_verify(krb5_context context,
 if (signature == NULL)
 return 0;
+ /*
+ * Verify any signatures present on the assertion.
+ */
+ if ((flags & SAML_KRB_VERIFY_KDC_VOUCHED) == 0) {
+ code = saml_krb_verify_signature(context, signature, key, server,
+ flags, bound, &verified);
+ if (code != 0 || verified == FALSE)
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
 if (saml_krb_get_authtime(context, assertion) < authtime)
 return KRB5KDC_ERR_CLIENT_NOTYET;
@@ -629,17 +642,7 @@ saml_krb_verify(krb5_context context,
 else if (verified == FALSE)
 return KRB5KDC_ERR_CLIENT_NOT_TRUSTED;
- /*
- * Verify any signatures present on the assertion.
- */
- if ((flags & SAML_KRB_VERIFY_KDC_VOUCHED) != 0) {
- code = saml_krb_verify_signature(context, signature, key,
- flags, bound, &verified);
- if (code != 0 || verified == FALSE)
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- /*
+ /*
 * Verify that the Recipient in any bearer SubjectConfirmationData
 * matches the service principal.
 */ |
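Review bot: The relocated block stores the signature result in `verified` before the later `else if (verified == FALSE) return KRB5KDC_ERR_CLIENT_NOT_TRUSTED;` check (second hunk), whereas before this commit that check ran first; unless the code between the two hunks (new-side lines 635–641, not in the diff) reassigns `verified`, a TRUE from the signature step would satisfy the later check for a different property. Reset it explicitly, e.g. `verified = FALSE;` immediately before the `if (saml_krb_get_authtime(...)` line, or keep the signature result in its own local. The condition is also inverted relative to the removed block (`== 0` where it was `!= 0`), so signatures are now checked only when SAML_KRB_VERIFY_KDC_VOUCHED is clear; if the intent is that a KDC-vouched assertion was already verified by the KDC, the comment should say so, e.g. `/* When the KDC vouched for the assertion it already verified the signature; otherwise verify it here. */`. Note that the block sits after the pre-existing `if (signature == NULL) return 0;`, so an assertion carrying no Signature element still returns success before any of these checks run. saml_krb_verify starts and ends outside both hunks.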