[SCM] Debian packaging for XMLTooling-C branch, lenny, updated. upstream/1.0-66-g9cc185f
Russ Allbery
rra at debian.org
Wed Sep 23 05:52:44 UTC 2009
The following commit has been merged in the lenny branch:
commit d0635194c23a822492c0f4440ecaa7be248aa33b
Author: Russ Allbery <rra at debian.org>
Date: Tue Sep 22 12:32:29 2009 -0700
Updates to the xmltooling security fixes
The fix for certificate subject names containing nul characters was in
xmltooling rather than in shibboleth-sp2, so include the changelog entry
for it here.
Revert a bunch of changes that were not related to the security
vulnerabilities.
diff --git a/debian/changelog b/debian/changelog
index 92dcf09..2f38c7c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,12 @@
xmltooling (1.0-2+lenny1) UNRELEASED; urgency=high
+ * SECURITY: Certificate subject names were incorrectly matched against
+ trusted "key names" when they contained nul characters. This affects
+ only Shibboleth deployments relying on the "PKIX" style of trust
+ validation, used in the absence of explicit certificate information in
+ the SAML metadata provided to the SP and reliance on certificate
+ authorities found in the <KeyAuthority> metadata extension element.
+ See <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>
* SECURITY: Correctly handle decoding of malformed URLs, closing a
possibly exploitable buffer overflow.
See <http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
diff --git a/xmltooling/AbstractComplexElement.cpp b/xmltooling/AbstractComplexElement.cpp
index 631095e..d9ab944 100644
--- a/xmltooling/AbstractComplexElement.cpp
+++ b/xmltooling/AbstractComplexElement.cpp
@@ -1,5 +1,5 @@
/*
-* Copyright 2001-2009 Internet2
+* Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -28,25 +28,12 @@
using namespace xmltooling;
using namespace std;
-namespace {
- bool _nonnull(const XMLObject* ptr) {
- return (ptr!=NULL);
- }
-}
-
AbstractComplexElement::~AbstractComplexElement() {
for_each(m_children.begin(), m_children.end(), cleanup<XMLObject>());
for (vector<XMLCh*>::iterator i=m_text.begin(); i!=m_text.end(); ++i)
XMLString::release(&(*i));
}
-bool AbstractComplexElement::hasChildren() const
-{
- if (m_children.empty())
- return false;
- return (find_if(m_children.begin(), m_children.end(), _nonnull) != m_children.end());
-}
-
void AbstractComplexElement::removeChild(XMLObject* child)
{
m_children.erase(remove(m_children.begin(), m_children.end(), child), m_children.end());
diff --git a/xmltooling/AbstractComplexElement.h b/xmltooling/AbstractComplexElement.h
index cf88200..d163f29 100644
--- a/xmltooling/AbstractComplexElement.h
+++ b/xmltooling/AbstractComplexElement.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2009 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -41,7 +41,9 @@ namespace xmltooling {
public:
virtual ~AbstractComplexElement();
- bool hasChildren() const;
+ bool hasChildren() const {
+ return !m_children.empty();
+ }
const std::list<XMLObject*>& getOrderedChildren() const {
return m_children;
diff --git a/xmltooling/security/CredentialCriteria.h b/xmltooling/security/CredentialCriteria.h
index 4011bba..57fd628 100644
--- a/xmltooling/security/CredentialCriteria.h
+++ b/xmltooling/security/CredentialCriteria.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2009 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -25,7 +25,7 @@
#include <xmltooling/XMLToolingConfig.h>
#include <xmltooling/security/KeyInfoResolver.h>
-#include <xmltooling/security/Credential.h>
+#include <xmltooling/security/X509Credential.h>
#include <xmltooling/signature/KeyInfo.h>
#include <xmltooling/signature/Signature.h>
@@ -214,7 +214,26 @@ namespace xmltooling {
* @param keyInfo the KeyInfo criteria
* @param extraction bitmask of criteria to auto-extract from KeyInfo
*/
- virtual void setKeyInfo(const xmlsignature::KeyInfo* keyInfo, int extraction=0);
+ virtual void setKeyInfo(const xmlsignature::KeyInfo* keyInfo, int extraction=0) {
+ delete m_credential;
+ m_credential = NULL;
+ m_keyInfo = keyInfo;
+ if (!keyInfo || !extraction)
+ return;
+
+ int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
+ types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
+ m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
+
+ if (extraction & KEYINFO_EXTRACTION_KEY)
+ setPublicKey(m_credential->getPublicKey());
+ if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
+ X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
+ if (xcred)
+ xcred->extract();
+ m_keyNames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
+ }
+ }
/**
* Gets the native KeyInfo criteria.
@@ -231,7 +250,26 @@ namespace xmltooling {
* @param keyInfo the KeyInfo criteria
* @param extraction bitmask of criteria to auto-extract from KeyInfo
*/
- virtual void setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction=0);
+ virtual void setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction=0) {
+ delete m_credential;
+ m_credential = NULL;
+ m_nativeKeyInfo = keyInfo;
+ if (!keyInfo || !extraction)
+ return;
+
+ int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
+ types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
+ m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
+
+ if (extraction & KEYINFO_EXTRACTION_KEY)
+ setPublicKey(m_credential->getPublicKey());
+ if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
+ X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
+ if (xcred)
+ xcred->extract();
+ m_keyNames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
+ }
+ }
/**
* Sets the KeyInfo criteria from an XML Signature.
@@ -239,7 +277,15 @@ namespace xmltooling {
* @param sig the Signature containing KeyInfo criteria
* @param extraction bitmask of criteria to auto-extract from KeyInfo
*/
- void setSignature(const xmlsignature::Signature& sig, int extraction=0);
+ void setSignature(const xmlsignature::Signature& sig, int extraction=0) {
+ setXMLAlgorithm(sig.getSignatureAlgorithm());
+ xmlsignature::KeyInfo* k = sig.getKeyInfo();
+ if (k)
+ return setKeyInfo(k, extraction);
+ DSIGSignature* dsig = sig.getXMLSignature();
+ if (dsig)
+ setNativeKeyInfo(dsig->getKeyInfoList(), extraction);
+ }
private:
unsigned int m_keyUsage;
diff --git a/xmltooling/security/impl/CredentialCriteria.cpp b/xmltooling/security/impl/CredentialCriteria.cpp
index 5e44496..9d3cabd 100644
--- a/xmltooling/security/impl/CredentialCriteria.cpp
+++ b/xmltooling/security/impl/CredentialCriteria.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2009 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@
#include "internal.h"
#include "logging.h"
-#include "security/X509Credential.h"
+#include "security/Credential.h"
#include "security/CredentialCriteria.h"
#include "security/KeyInfoResolver.h"
@@ -34,57 +34,6 @@
using namespace xmltooling;
using namespace std;
-void CredentialCriteria::setKeyInfo(const xmlsignature::KeyInfo* keyInfo, int extraction)
-{
- delete m_credential;
- m_credential = NULL;
- m_keyInfo = keyInfo;
- if (!keyInfo || !extraction)
- return;
-
- int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
- types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
- m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
-
- // Ensure any key names have been sucked out for later if desired.
- if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
- X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
- if (xcred)
- xcred->extract();
- }
-}
-
-void CredentialCriteria::setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction)
-{
- delete m_credential;
- m_credential = NULL;
- m_nativeKeyInfo = keyInfo;
- if (!keyInfo || !extraction)
- return;
-
- int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
- types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
- m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
-
- // Ensure any key names have been sucked out for later if desired.
- if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
- X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
- if (xcred)
- xcred->extract();
- }
-}
-
-void CredentialCriteria::setSignature(const xmlsignature::Signature& sig, int extraction)
-{
- setXMLAlgorithm(sig.getSignatureAlgorithm());
- xmlsignature::KeyInfo* k = sig.getKeyInfo();
- if (k)
- return setKeyInfo(k, extraction);
- DSIGSignature* dsig = sig.getXMLSignature();
- if (dsig)
- setNativeKeyInfo(dsig->getKeyInfoList(), extraction);
-}
-
bool CredentialCriteria::matches(const Credential& credential) const
{
// Usage check, if specified and we have one, compare masks.
@@ -108,9 +57,7 @@ bool CredentialCriteria::matches(const Credential& credential) const
return false;
// See if we can test key names.
- set<string> critnames = getKeyNames();
- if (m_credential)
- critnames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
+ const set<string>& critnames = getKeyNames();
const set<string>& crednames = credential.getKeyNames();
if (!critnames.empty() && !crednames.empty()) {
bool found = false;
@@ -126,8 +73,6 @@ bool CredentialCriteria::matches(const Credential& credential) const
// See if we have to match a specific key.
const XSECCryptoKey* key1 = getPublicKey();
- if (!key1 && m_credential)
- key1 = m_credential->getPublicKey();
if (!key1)
return true; // no key to compare against, so we're done
diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp
index 57678c0..67d67cc 100644
--- a/xmltooling/security/impl/InlineKeyResolver.cpp
+++ b/xmltooling/security/impl/InlineKeyResolver.cpp
@@ -95,7 +95,7 @@ namespace xmltooling {
return ret;
}
- const CredentialContext* getCredentialContext() const {
+ const CredentialContext* getCredentalContext() const {
return m_credctx;
}
diff --git a/xmltooling/soap/impl/SOAPClient.cpp b/xmltooling/soap/impl/SOAPClient.cpp
index 3aad2cf..d14d5bd 100644
--- a/xmltooling/soap/impl/SOAPClient.cpp
+++ b/xmltooling/soap/impl/SOAPClient.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2009 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -98,8 +98,8 @@ Envelope* SOAPClient::receive()
auto_ptr<XMLObject> xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
janitor.release();
-
- SchemaValidators.validate(xmlObject.get());
+ if (!m_validate)
+ SchemaValidators.validate(xmlObject.get());
Envelope* env = dynamic_cast<Envelope*>(xmlObject.get());
if (!env)
diff --git a/xmltooling/util/XMLHelper.cpp b/xmltooling/util/XMLHelper.cpp
index cdf93bd..7a68ef4 100644
--- a/xmltooling/util/XMLHelper.cpp
+++ b/xmltooling/util/XMLHelper.cpp
@@ -253,7 +253,7 @@ DOMElement* XMLHelper::getPreviousSiblingElement(const DOMNode* n, const XMLCh*
void XMLHelper::serialize(const DOMNode* n, std::string& buf, bool pretty)
{
static const XMLCh impltype[] = { chLatin_L, chLatin_S, chNull };
- static const XMLCh UTF8[]={ chLatin_U, chLatin_T, chLatin_F, chDash, chDigit_8, chNull };
+ static const XMLCh UTF8[]={ chLatin_U, chLatin_T, chLatin_F, chDigit_8, chNull };
DOMImplementation* impl=DOMImplementationRegistry::getDOMImplementation(impltype);
DOMWriter* serializer=(static_cast<DOMImplementationLS*>(impl))->createDOMWriter();
XercesJanitor<DOMWriter> janitor(serializer);
@@ -290,7 +290,7 @@ namespace {
ostream& XMLHelper::serialize(const DOMNode* n, ostream& out, bool pretty)
{
static const XMLCh impltype[] = { chLatin_L, chLatin_S, chNull };
- static const XMLCh UTF8[]={ chLatin_U, chLatin_T, chLatin_F, chDash, chDigit_8, chNull };
+ static const XMLCh UTF8[]={ chLatin_U, chLatin_T, chLatin_F, chDigit_8, chNull };
DOMImplementation* impl=DOMImplementationRegistry::getDOMImplementation(impltype);
DOMWriter* serializer=(static_cast<DOMImplementationLS*>(impl))->createDOMWriter();
XercesJanitor<DOMWriter> janitor(serializer);
--
Debian packaging for XMLTooling-C
More information about the Pkg-shibboleth-devel
mailing list