more work lhoward/saml
authorLuke Howard <lukeh@padl.com>
Wed, 11 Nov 2009 17:54:50 +0000 (17:54 +0000)
committerLuke Howard <lukeh@padl.com>
Wed, 11 Nov 2009 17:54:50 +0000 (17:54 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml@23150 dc483132-0cff-0310-8789-dd5450dbe970

src/plugins/authdata/TODO.SAML
src/plugins/authdata/saml_client/Makefile.in
src/plugins/authdata/saml_server/Makefile.in
src/plugins/authdata/saml_server/saml_krb.h
src/plugins/authdata/saml_server/saml_util.cpp

index ac738070144a1adc4cc62100fa25d668b0d14f71..f3b08a0e635ef7d38f71046609c72cbae41b18da 100644 (file)
@@ -1,2 +1,5 @@
 - add string/base64 xsi:type
-
+- add trustengine support
+- test PKI verficiation
+- add secret signing to Shib IdP
+- add OpenSAML dependencies to configure
index de69882a64b1ddd728d7adee22dbf6e5ea861553..4314dc3e83db91ed3c232b6fa42c8a205b7de564 100644 (file)
@@ -23,9 +23,9 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) $(SAML_LIBS)
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 STOBJLISTS=OBJS.ST
-STLIBOBJS= saml_authdata.o ../saml_server/saml_util.o
+STLIBOBJS= saml_authdata.o ../saml_server/saml_util.o ../saml_server/saml_trust.o
 
-SRCS=  saml_authdata.cpp ../saml_server/saml_util.cpp
+SRCS=  saml_authdata.cpp ../saml_server/saml_util.cpp ../saml_server/saml_trust.cpp
 
 all-unix:: all-liblinks
 install-unix:: install-libs
index f6d5e8653e13bbeb58ffdd2947b4aa9e788e41b9..8c2188f8371b15e28ad178e7658fffeea44a3124 100644 (file)
@@ -24,8 +24,8 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto -lkdb_ldap $(SUPPORT_LIB) $(LIBS) @LD
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 STOBJLISTS=OBJS.ST
-STLIBOBJS= saml_kdc.o saml_ldap.o saml_util.o
-SRCS=saml_kdc.cpp saml_ldap.cpp saml_util.cpp
+STLIBOBJS= saml_kdc.o saml_ldap.o saml_util.o saml_trust.o
+SRCS=saml_kdc.cpp saml_ldap.cpp saml_util.cpp saml_trust.cpp
 
 all-unix:: all-liblinks
 install-unix:: install-libs
@@ -39,5 +39,5 @@ clean::
 
 # XXX for now
 CC=$(CXX)
-CXXFLAGS=-g
+CXXFLAGS=-g -DGCC_HASCLASSVISIBILITY=1 -fvisibility=default
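Review bot: The CXXFLAGS line now hard-codes `-DGCC_HASCLASSVISIBILITY=1 -fvisibility=default` next to `-g`, still under the `# XXX for now` marker, so the server plugin is built with fixed flags instead of whatever configure derives, and as far as this diff shows the client Makefile.in gets none of them even though it now compiles the same ../saml_server/saml_trust.cpp. `-fvisibility=default` is gcc's own default, so it only has an effect if some other flag or pragma sets hidden visibility; if the define is needed by the OpenSAML/xmltooling headers, both Makefiles need it. A configure-substituted variable alongside the existing $(SAML_LIBS) (name to be chosen) would keep the two builds consistent and let the `-g` placeholder go.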
 
index d7750daee0be595bc4b4e162d5868145abc14018..0a3ecd660d14d93a471273a1f22710687d0e67d3 100644 (file)
@@ -75,6 +75,8 @@ using namespace std;
 #define SAML_KRB_USAGE_SESSION_KEY      1   /* derive from session key */
 #define SAML_KRB_USAGE_SERVER_KEY       2   /* derive from server key */
 
+/* saml_util.cpp */
+
 krb5_error_code
 saml_krb_derive_key(krb5_context context,
                     const krb5_keyblock *basekey,
@@ -219,5 +221,16 @@ class auto_ptr_krb5_data {
         XMLCh *m_buf;
 };
 
+/* saml_trust.cpp */
+
+krb5_error_code
+saml_krb_verify_trustengine(krb5_context context,
+                            Signature *signature,
+                            const krb5_keyblock *key,
+                            krb5_const_principal server,
+                            unsigned int flags,
+                            krb5_boolean bound,
+                            krb5_boolean *pValid);
+
 #endif /* SAML_KRB_H_ */
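Review bot: The new `saml_krb_verify_trustengine` prototype carries no contract: a reader cannot tell from the header whether `*pValid` is written on every return or only when 0 is returned, what `bound` changes about the verification policy, or why `server` is needed in addition to `key`. The only hint is the `/* saml_trust.cpp */` file marker, which mirrors the `/* saml_util.cpp */` marker added earlier in the same file. A short block comment above the declaration, e.g. `/* Verify SIGNATURE through the trust engine for SERVER; the outcome is reported in *pValid. */`, plus one line each on `flags`, `bound` and the error-return behaviour, would make the split across the two source files self-explanatory.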
 
index 8cc92dddc3bfe2714e0a413da523fc17e2266994..eb105459f8704a8182f22b4a0ebf10f1d2e1242a 100644 (file)
@@ -496,6 +496,7 @@ krb5_error_code
 saml_krb_verify_signature(krb5_context context,
                           Signature *signature,
                           const krb5_keyblock *key,
+                          krb5_const_principal server,
                           unsigned int flags,
                           krb5_boolean bound,
                           krb5_boolean *pValid)
@@ -530,6 +531,8 @@ saml_krb_verify_signature(krb5_context context,
              * Note the verification policy may differ depending on whether
              * we also trust this signer to bind the name.
              */
+            code = saml_krb_verify_trustengine(context, signature, key,
+                                               server, flags, bound, pValid);
         }
     } catch (exception &e) {
         code = KRB5_CRYPTO_INTERNAL;
@@ -616,6 +619,16 @@ saml_krb_verify(krb5_context context,
     if (signature == NULL)
         return 0;
 
+    /*
+     * Verify any signatures present on the assertion.
+     */
+    if ((flags & SAML_KRB_VERIFY_KDC_VOUCHED) == 0) {
+        code = saml_krb_verify_signature(context, signature, key, server,
+                                         flags, bound, &verified);
+        if (code != 0 || verified == FALSE)
+            return KRB5KRB_AP_ERR_MODIFIED;
+    }
+
     if (saml_krb_get_authtime(context, assertion) < authtime)
         return KRB5KDC_ERR_CLIENT_NOTYET;
 
@@ -629,17 +642,7 @@ saml_krb_verify(krb5_context context,
     else if (verified == FALSE)
         return KRB5KDC_ERR_CLIENT_NOT_TRUSTED;
 
-    /*
-     * Verify any signatures present on the assertion.
-     */
-    if ((flags & SAML_KRB_VERIFY_KDC_VOUCHED) != 0) {
-        code = saml_krb_verify_signature(context, signature, key,
-                                         flags, bound, &verified);
-        if (code != 0 || verified == FALSE)
-            return KRB5KRB_AP_ERR_MODIFIED;
-    }
-
-    /*
+   /*
      * Verify that the Recipient in any bearer SubjectConfirmationData
      * matches the service principal.
      */