[shibboleth-sp2] 08/25: https://issues.shibboleth.net/jira/browse/SSPCPP-119
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:30:02 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to annotated tag 1.3.2
in repository shibboleth-sp2.
commit 5916e886cce251c27293e3e4772563abcc7951d0
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Tue Jul 15 15:49:55 2008 +0000
https://issues.shibboleth.net/jira/browse/SSPCPP-119
---
shib/BasicTrust.cpp | 17 +++++++++++++++--
shib/ShibbolethTrust.cpp | 3 ++-
xmlproviders/XMLTrust.cpp | 16 ++++++++++++++--
3 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/shib/BasicTrust.cpp b/shib/BasicTrust.cpp
index 195d002..de742d3 100644
--- a/shib/BasicTrust.cpp
+++ b/shib/BasicTrust.cpp
@@ -25,6 +25,7 @@
#include "internal.h"
#include <openssl/x509.h>
+#include <xsec/enc/XSECCryptoException.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
@@ -117,7 +118,13 @@ bool BasicTrust::validate(void* certEE, const Iterator<void*>& certChain, const
continue;
Iterator<KeyInfoResolver*> resolvers(m_resolvers);
while (resolvers.hasNext()) {
- XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ XSECCryptoKey* key=NULL;
+ try {
+ key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ }
+ catch (XSECCryptoException& ex) {
+ log.error("caught an XMLSec crypto exception while resolving key: %s", ex.getMsg());
+ }
if (key) {
log.debug("KeyDescriptor resolved into a key, comparing it...");
if (key->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
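Review bot: The handler added around `resolveKey(KIL)` catches only `XSECCryptoException`, so any other exception type raised while resolving a metadata KeyDescriptor still unwinds out of the resolver loop instead of moving on to the next resolver. As far as I know, xml-security-c's `XSECException` is a separate class and not a base of `XSECCryptoException`. Whether `resolveKey` can raise it on this path is not visible here, but if it can, a sibling handler such as `catch (XSECException&) { log.error("caught an XMLSec exception while resolving key"); }` would keep the skip-and-continue behaviour consistent. The same applies to the second `BasicTrust::validate` hunk and to both `XMLTrust.cpp` hunks. Leaving `key` as NULL on failure is the right fail-closed default; the enclosing function continues outside the hunk, so I cannot confirm how the caller treats a propagated exception.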
@@ -197,7 +204,13 @@ bool BasicTrust::validate(const saml::SAMLSignedObject& token, const IRoleDescri
continue;
Iterator<KeyInfoResolver*> resolvers(m_resolvers);
while (resolvers.hasNext()) {
- XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ XSECCryptoKey* key=NULL;
+ try {
+ key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ }
+ catch (XSECCryptoException& ex) {
+ log.error("caught an XMLSec crypto exception while resolving key: %s", ex.getMsg());
+ }
if (key) {
log.debug("KeyDescriptor resolved into a key, trying it...");
try {
diff --git a/shib/ShibbolethTrust.cpp b/shib/ShibbolethTrust.cpp
index 3cd839d..e6ad31e 100644
--- a/shib/ShibbolethTrust.cpp
+++ b/shib/ShibbolethTrust.cpp
@@ -28,6 +28,7 @@
#include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>
#include <xsec/dsig/DSIGKeyInfoX509.hpp>
+#include <xsec/enc/XSECCryptoException.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
using namespace shibboleth::logging;
@@ -496,7 +497,7 @@ bool ShibbolethTrust::validate(const saml::SAMLSignedObject& token, const IRoleD
x->loadX509Base64Bin(cert.get(),strlen(cert.get()));
certs.push_back(x.release());
}
- catch (...) {
+ catch (XSECCryptoException&) {
log.error("unable to load certificate from signature, skipping it");
}
}
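Review bot: Narrowing `catch (...)` to `catch (XSECCryptoException&)` changes what happens to a bad certificate taken from the signature, which is sender-supplied input. Any other failure in `loadX509Base64Bin` or `certs.push_back` now propagates out of `ShibbolethTrust::validate` instead of being skipped. The outer handling is outside this hunk, so please confirm that a caller turns such an exception into a failed validation rather than an unhandled one. The handler also discards the library's message, unlike the other handlers in this commit; `catch (XSECCryptoException& ex) { log.error("unable to load certificate from signature, skipping it: %s", ex.getMsg()); }` would make rejected certificates diagnosable from the log.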
diff --git a/xmlproviders/XMLTrust.cpp b/xmlproviders/XMLTrust.cpp
index 5642ea3..2fa508a 100644
--- a/xmlproviders/XMLTrust.cpp
+++ b/xmlproviders/XMLTrust.cpp
@@ -298,7 +298,13 @@ void XMLTrustImpl::init()
}
// Dry run...can we resolve to a key?
- XSECCryptoKey* key=resolver.resolveKey(KIL);
+ XSECCryptoKey* key=NULL;
+ try {
+ key = resolver.resolveKey(KIL);
+ }
+ catch (XSECCryptoException& xe) {
+ log.error("unable to resolver key from ds:KeyInfo element (%d): %s", count, xe.getMsg());
+ }
if (key) {
// So far so good, now look for the name binding(s).
delete key;
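Review bot: The new log string reads "unable to resolver key"; it should be `"unable to resolve key from ds:KeyInfo element (%d): %s"`. The same typo appears in the `XMLTrust::validate` hunk, which should read `"unable to resolve ds:KeyInfo element into key: %s"`. These messages are what an operator searches for when a trust configuration fails to load, so the wording is worth fixing. The `%d` is paired with `count`, whose declaration is outside the hunk; if it is not an `int` (for example a `size_t` or `unsigned`), the format specifier should match its type.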
@@ -754,7 +760,13 @@ bool XMLTrust::validate(const saml::SAMLSignedObject& token, const IRoleDescript
// Any inline KeyInfo should ostensibly resolve to a key we can try.
Iterator<KeyInfoResolver*> resolvers(m_resolvers);
while (resolvers.hasNext()) {
- XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ XSECCryptoKey* key=NULL;
+ try {
+ key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ }
+ catch (XSECCryptoException& xe) {
+ log.error("unable to resolver ds:KeyInfo element into key: %s", xe.getMsg());
+ }
if (key) {
log.debug("resolved key, trying it...");
try {
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git