Allow only X509 certs to verify the SAML token signature.
authorKaty Feng <fkaty@vmware.com>
Fri, 25 Aug 2023 18:58:48 +0000 (11:58 -0700)
committerKaty Feng <fkaty@vmware.com>
Fri, 25 Aug 2023 18:58:48 +0000 (11:58 -0700)
open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c

index 72f1a495e1dc3377e086457e4185c12f560610f2..14cba1b5bf0ed04206f0e3d0f3f74974d9049831 100644 (file)
@@ -1356,7 +1356,14 @@ VerifySignature(xmlDocPtr doc,
     */
    bRet = RegisterID(xmlDocGetRootElement(doc), "ID");
    if (bRet == FALSE) {
-      g_warning("failed to register ID\n");
+      g_warning("Failed to register ID\n");
+      goto done;
+   }
+
+   /* Use only X509 certs to validate the signature */
+   if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData),
+                        BAD_CAST xmlSecKeyDataX509Id) < 0) {
+      g_warning("Failed to limit allowed key data\n");
       goto done;
    }
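Review bot: The comment on the new xmlSecPtrListAdd() call says what is restricted but not why, and the reason is the security-relevant part of this change: as I read xmlsec's enabledKeyData semantics, an empty list means every key-data type is accepted, so before this hunk a key carried inside the token's own <KeyInfo> (for example a <KeyValue>) could presumably have been used for verification instead of a trusted certificate. I would replace the comment with `/* Restrict key data read from <KeyInfo> to X509 certs so the signature is never checked against a key the untrusted token itself supplies. */` so the next maintainer does not relax it. The hunk also shows only the list setup; the `done` label and the point where dsigCtx is used to verify are outside the hunk, so I could not confirm the restriction is applied before the verify call — worth a glance when merging. VerifySignature starts and ends outside this hunk.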