[SCM] Debian packaging for OpenSAML 2.0 branch, lenny, updated. debian/2.0-2-2-ga22aa43
Russ Allbery
rra at debian.org
Fri Sep 18 01:54:34 UTC 2009
The following commit has been merged in the lenny branch:
commit 6114edd5a077aaaecc033f9316a0a5d6d528dd54
Author: Russ Allbery <rra at debian.org>
Date: Thu Sep 17 14:23:50 2009 -0700
Merge upstream changes between 2.2 and 2.2.1
* Merge upstream changes between 2.2 and 2.2.1.
- SECURITY: Correctly honor the "use" attribute of <KeyDescriptor>
SAML metadata to honor restrictions to signing or encryption. This
is a partial fix; the complete fix also requires a new version of
the xmltooling library.
diff --git a/debian/changelog b/debian/changelog
index 14a08fc..e9c6ae0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+opensaml2 (2.0-2+lenny1) UNRELEASED; urgency=low
+
+ * Merge upstream changes between 2.2 and 2.2.1.
+ - SECURITY: Correctly honor the "use" attribute of <KeyDescriptor>
+ SAML metadata to honor restrictions to signing or encryption. This
+ is a partial fix; the complete fix also requires a new version of
+ the xmltooling library.
+
+ -- Russ Allbery <rra at debian.org> Thu, 17 Sep 2009 14:23:39 -0700
+
opensaml2 (2.0-2) unstable; urgency=low
* Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-7
diff --git a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp
index 16a6bc1..965e58f 100644
--- a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp
+++ b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -109,8 +109,7 @@ XMLObject* SAML1POSTDecoder::decode(
if (!response)
throw BindingException("Decoded message was not a SAML 1.x Response.");
- if (!policy.getValidating())
- SchemaValidators.validate(response);
+ SchemaValidators.validate(response);
pair<bool,int> minor = response->getMinorVersion();
extractMessageDetails(
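Review bot: The removal of the `policy.getValidating()` gate leaves no explanation of why the validator suite now runs unconditionally, and the same change is made without comment in SAML1SOAPDecoder.cpp, SAML2ECPDecoder.cpp, SAML2POSTDecoder.cpp, SAML2RedirectDecoder.cpp and SAML2SOAPDecoder.cpp. The old condition skipped manual validation precisely when the policy was marked validating, which presumably is the inverted logic being corrected, but a reader of the new line cannot tell whether parser-level schema validation is still expected to happen elsewhere. A one-line comment above the call would settle it, e.g. `// Always apply the schema validators here, regardless of the policy's validating flag.` The enclosing decode() begins and ends outside the hunk.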
diff --git a/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp b/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp
index d60dced..74c1960 100644
--- a/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp
+++ b/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -98,8 +98,7 @@ XMLObject* SAML1SOAPDecoder::decode(
if (!env)
throw BindingException("Decoded message was not a SOAP 1.1 Envelope.");
- if (!policy.getValidating())
- SchemaValidators.validate(env);
+ SchemaValidators.validate(env);
Body* body = env->getBody();
if (body && body->hasChildren()) {
diff --git a/saml/saml2/binding/impl/SAML2ECPDecoder.cpp b/saml/saml2/binding/impl/SAML2ECPDecoder.cpp
index d311286..e8ecc34 100644
--- a/saml/saml2/binding/impl/SAML2ECPDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2ECPDecoder.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -99,8 +99,7 @@ XMLObject* SAML2ECPDecoder::decode(
if (!env)
throw BindingException("Decoded message was not a SOAP 1.1 Envelope.");
- if (!policy.getValidating())
- SchemaValidators.validate(env);
+ SchemaValidators.validate(env);
Body* body = env->getBody();
if (body && body->hasChildren()) {
diff --git a/saml/saml2/binding/impl/SAML2ECPEncoder.cpp b/saml/saml2/binding/impl/SAML2ECPEncoder.cpp
index 2cddf29..16ee9f0 100644
--- a/saml/saml2/binding/impl/SAML2ECPEncoder.cpp
+++ b/saml/saml2/binding/impl/SAML2ECPEncoder.cpp
@@ -179,7 +179,7 @@ long SAML2ECPEncoder::encode(
header->getUnknownXMLObjects().push_back(hdrblock);
}
- if (relayState) {
+ if (relayState && *relayState) {
// Create ecp:RelayState header.
static const XMLCh RelayState[] = UNICODE_LITERAL_10(R,e,l,a,y,S,t,a,t,e);
hdrblock = dynamic_cast<ElementProxy*>(m_anyBuilder.buildObject(SAML20ECP_NS, RelayState, SAML20ECP_PREFIX));
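Review bot: The new condition `if (relayState && *relayState)` silently omits the ecp:RelayState header for an empty string, but the comment below it still reads `// Create ecp:RelayState header.` and nothing records that empty is now treated the same as absent. The caller's RelayState value and its type are not visible in this hunk, so I would make the intent explicit on the line above the `if`: `// Omit ecp:RelayState when no non-empty value was supplied.` encode() starts and ends outside the hunk.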
@@ -224,8 +224,10 @@ long SAML2ECPEncoder::encode(
stringstream s;
s << *rootElement;
- if (log.isDebugEnabled())
- log.debug("marshalled envelope:\n%s", s.str().c_str());
+ if (log.isDebugEnabled()) {
+ string forlog(s.str());
+ log.debug("marshalled envelope:\n%s", forlog.c_str());
+ }
log.debug("sending serialized envelope");
long ret = genericResponse.sendResponse(s);
diff --git a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
index 7be9f55..bd0cd73 100644
--- a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -122,8 +122,7 @@ XMLObject* SAML2POSTDecoder::decode(
root = static_cast<saml2::RootObject*>(request);
}
- if (!policy.getValidating())
- SchemaValidators.validate(root);
+ SchemaValidators.validate(root);
// Run through the policy.
extractMessageDetails(*root, genericRequest, samlconstants::SAML20P_NS, policy);
diff --git a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp
index f682d2d..027b111 100644
--- a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -134,8 +134,7 @@ XMLObject* SAML2RedirectDecoder::decode(
root = static_cast<saml2::RootObject*>(request);
}
- if (!policy.getValidating())
- SchemaValidators.validate(root);
+ SchemaValidators.validate(root);
// Run through the policy.
extractMessageDetails(*root, genericRequest, samlconstants::SAML20P_NS, policy);
diff --git a/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp b/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp
index e006a9e..346aa99 100644
--- a/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -98,8 +98,7 @@ XMLObject* SAML2SOAPDecoder::decode(
if (!env)
throw BindingException("Decoded message was not a SOAP 1.1 Envelope.");
- if (!policy.getValidating())
- SchemaValidators.validate(env);
+ SchemaValidators.validate(env);
Body* body = env->getBody();
if (body && body->hasChildren()) {
diff --git a/saml/saml2/metadata/MetadataCredentialCriteria.h b/saml/saml2/metadata/MetadataCredentialCriteria.h
index 7d57810..5d3a1c7 100644
--- a/saml/saml2/metadata/MetadataCredentialCriteria.h
+++ b/saml/saml2/metadata/MetadataCredentialCriteria.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -64,10 +64,10 @@ namespace opensaml {
const MetadataCredentialContext* context = dynamic_cast<const MetadataCredentialContext*>(credential.getCredentalContext());
if (context) {
// Check for a usage mismatch.
- if ((getUsage() | (xmltooling::Credential::SIGNING_CREDENTIAL & xmltooling::Credential::TLS_CREDENTIAL)) &&
+ if ((getUsage() & (xmltooling::Credential::SIGNING_CREDENTIAL | xmltooling::Credential::TLS_CREDENTIAL)) &&
XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_ENCRYPTION))
return false;
- else if ((getUsage() | xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
+ else if ((getUsage() & xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_SIGNING))
return false;
}
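Review bot: The corrected masks at the `if`/`else if` depend on `SIGNING_CREDENTIAL`, `TLS_CREDENTIAL` and `ENCRYPTION_CREDENTIAL` being distinct bit flags, and the original `|` bug shows how easily that reading is lost, so the comment `// Check for a usage mismatch.` should say so. I would expand it to: `// Usage is a bitmask. A KeyDescriptor with use="encryption" never satisfies a signing/TLS request and one with use="signing" never satisfies an encryption request; a descriptor with no use attribute is accepted for any usage.` The last clause assumes XMLString::equals returns false for a null use value, which I am inferring rather than seeing here. A criteria that combines signing and encryption usage will reject any key with an explicit use, which looks intended but is worth stating in the same comment. The enclosing function begins and ends outside the hunk.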
diff --git a/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp b/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
index 835a2ed..03f9809 100644
--- a/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
+++ b/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
@@ -30,6 +30,7 @@
#include <xercesc/util/XMLUniDefs.hpp>
#include <xmltooling/logging.h>
#include <xmltooling/util/XMLHelper.h>
+#include <xmltooling/validation/ValidatorSuite.h>
using namespace opensaml::saml2md;
using namespace xmltooling::logging;
@@ -85,6 +86,13 @@ pair<const EntityDescriptor*,const RoleDescriptor*> DynamicMetadataProvider::get
// Try resolving it.
auto_ptr<EntityDescriptor> entity2(resolve(name.c_str()));
+ try {
+ SchemaValidators.validate(entity2.get());
+ }
+ catch (exception& ex) {
+ log.error("metadata intance failed manual validation checking: %s", ex.what());
+ throw MetadataException("Metadata instance failed manual validation checking.");
+ }
// Filter it, which may throw.
doFilters(*entity2.get());
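Review bot: The new error message at `log.error("metadata intance failed manual validation checking: %s", ex.what());` misspells "instance", and the same line is added in XMLMetadataProvider.cpp's load(); the MetadataException text thrown right after it spells the word correctly, so the two should match: `log.error("metadata instance failed manual validation checking: %s", ex.what());`. The exception is also caught by non-const reference; `catch (const exception& ex)` is the conventional form at both sites. Whether resolve() can return a null pointer is not visible here; if it can, validate() now receives it before doFilters() would have, so that is where any null handling should be confirmed. The enclosing function begins and ends outside the hunk.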
diff --git a/saml/saml2/metadata/impl/XMLMetadataProvider.cpp b/saml/saml2/metadata/impl/XMLMetadataProvider.cpp
index f3f2b39..430288f 100644
--- a/saml/saml2/metadata/impl/XMLMetadataProvider.cpp
+++ b/saml/saml2/metadata/impl/XMLMetadataProvider.cpp
@@ -27,6 +27,7 @@
#include <xmltooling/util/NDC.h>
#include <xmltooling/util/ReloadableXMLFile.h>
+#include <xmltooling/validation/ValidatorSuite.h>
using namespace opensaml::saml2md;
using namespace xmltooling::logging;
@@ -98,6 +99,13 @@ pair<bool,DOMElement*> XMLMetadataProvider::load()
throw MetadataException(
"Root of metadata instance not recognized: $1", params(1,xmlObject->getElementQName().toString().c_str())
);
+ try {
+ SchemaValidators.validate(xmlObject.get());
+ }
+ catch (exception& ex) {
+ m_log.error("metadata intance failed manual validation checking: %s", ex.what());
+ throw MetadataException("Metadata instance failed manual validation checking.");
+ }
// Preprocess the metadata.
doFilters(*xmlObject.get());