[shibboleth-sp2] 16/25: Catch alternate xmlsec exception type during KeyInfo processing.

Ferenc Wágner wferi-guest at moszumanska.debian.org
Tue Jan 26 21:30:03 UTC 2016


This is an automated email from the git hooks/post-receive script.

wferi-guest pushed a commit to annotated tag 1.3.2
in repository shibboleth-sp2.

commit ccb6f7975e820f45d7786c72c9af5c8f259e8f89
Author: Scott Cantor <cantor.2 at osu.edu>
Date:   Tue Apr 7 21:31:54 2009 +0000

    Catch alternate xmlsec exception type during KeyInfo processing.
---
 xmlproviders/XMLMetadata.cpp | 142 ++++++++++++++++++++++---------------------
 1 file changed, 73 insertions(+), 69 deletions(-)

diff --git a/xmlproviders/XMLMetadata.cpp b/xmlproviders/XMLMetadata.cpp
index 7e66077..c79ed48 100644
--- a/xmlproviders/XMLMetadata.cpp
+++ b/xmlproviders/XMLMetadata.cpp
@@ -1,6 +1,6 @@
 /*
  *  Copyright 2001-2005 Internet2
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -58,7 +58,7 @@ namespace {
                 delete[] m_surName;
                 delete[] m_company;
             }
-        
+
             ContactType getType() const { return m_type; }
             const char* getCompany() const { return m_company; }
             const char* getGivenName() const { return m_givenName; }
@@ -66,7 +66,7 @@ namespace {
             Iterator<string> getEmailAddresses() const { return m_emails; }
             Iterator<string> getTelephoneNumbers() const { return m_phones; }
             const DOMElement* getElement() const { return m_root; }
-        
+
         private:
             const DOMElement* m_root;
             ContactType m_type;
@@ -75,18 +75,18 @@ namespace {
             char* m_company;
             vector<string> m_emails,m_phones;
         };
-        
+
         class Organization : public IOrganization
         {
         public:
             Organization(const DOMElement* e);
             ~Organization() {}
-            
+
             const char* getName(const char* lang="en") const { return forLang(m_names,lang); }
             const char* getDisplayName(const char* lang="en") const { return forLang(m_displays,lang); }
             const char* getURL(const char* lang="en") const { return forLang(m_urls,lang); }
             const DOMElement* getElement() const { return m_root; }
-        
+
         private:
             const char* forLang(const map<string,string>& m, const char* lang) const {
                 map<string,string>::const_iterator i=m.find(lang);
@@ -97,13 +97,13 @@ namespace {
         };
 
         class EntityDescriptor;
-        
+
         class EncryptionMethod : public XENCEncryptionMethod
         {
         public:
             EncryptionMethod(const DOMElement* e);
             ~EncryptionMethod() {}
-            
+
             const XMLCh * getAlgorithm(void) const { return m_alg; }
             const XMLCh * getDigestMethod(void) const { return m_digest; }
             const XMLCh * getOAEPparams(void) const { return m_params; }
@@ -112,7 +112,7 @@ namespace {
             void setDigestMethod(const XMLCh * method) {throw exception();}
             void setOAEPparams(const XMLCh * params) {throw exception();}
             void setKeySize(int size) {throw exception();}
-        
+
         private:
             const DOMElement* m_root;
             const XMLCh* m_alg;
@@ -120,45 +120,45 @@ namespace {
             const XMLCh* m_params;
             int m_size;
         };
-        
+
         class KeyDescriptor : public IKeyDescriptor
         {
         public:
             KeyDescriptor(const DOMElement* e);
             ~KeyDescriptor();
-            
+
             KeyUse getUse() const { return m_use; }
             DSIGKeyInfoList* getKeyInfo() const { return m_klist; }
             saml::Iterator<const XENCEncryptionMethod*> getEncryptionMethods() const { return m_methods; }
             const DOMElement* getElement() const { return m_root; }
-        
+
         private:
             const DOMElement* m_root;
             KeyUse m_use;
             mutable DSIGKeyInfoList* m_klist;
             vector<const XENCEncryptionMethod*> m_methods;
         };
-        
+
         class KeyAuthority : public IKeyAuthority
         {
         public:
             KeyAuthority(const DOMElement* e);
             ~KeyAuthority();
-            
+
             int getVerifyDepth() const { return m_depth; }
             Iterator<DSIGKeyInfoList*> getKeyInfos() const { return m_klists; }
-        
+
         private:
             int m_depth;
             vector<DSIGKeyInfoList*> m_klists;
         };
-        
+
         class Role : public virtual IRoleDescriptor
         {
         public:
             Role(const EntityDescriptor* provider, time_t validUntil, const DOMElement* e);
             ~Role();
-            
+
             // External contract
             const IEntityDescriptor* getEntityDescriptor() const {return m_provider;}
             Iterator<const XMLCh*> getProtocolSupportEnumeration() const {return m_protocolEnum;}
@@ -170,7 +170,7 @@ namespace {
             Iterator<const IContactPerson*> getContactPersons() const
                 {return (m_contacts.empty() ? m_provider->getContactPersons() : m_contacts);}
             const DOMElement* getElement() const {return m_root;}
-        
+
         protected:
             vector<const XMLCh*> m_protocolEnum;
             vector<const IKeyDescriptor*> m_keys;
@@ -184,7 +184,7 @@ namespace {
             vector<const IContactPerson*> m_contacts;
             time_t m_validUntil;
         };
-        
+
         class Endpoint : public virtual IEndpoint
         {
         public:
@@ -195,29 +195,29 @@ namespace {
             Endpoint(const XMLCh* binding, const XMLCh* loc)
                 : m_root(NULL), m_binding(binding), m_location(loc), m_resploc(NULL) {}
             ~Endpoint() {}
-            
+
             const XMLCh* getBinding() const { return m_binding; }
             const XMLCh* getLocation() const { return m_location; }
             const XMLCh* getResponseLocation() const { return m_resploc; }
             const DOMElement* getElement() const { return m_root; }
-        
+
         private:
             const DOMElement* m_root;
             const XMLCh* m_binding;
             const XMLCh* m_location;
             const XMLCh* m_resploc;
         };
-        
+
         class IndexedEndpoint : public Endpoint, public virtual IIndexedEndpoint
         {
         public:
             IndexedEndpoint(const DOMElement* e) : Endpoint(e), m_index(XMLString::parseInt(e->getAttributeNS(NULL,SHIB_L(index)))) {}
             unsigned short getIndex() const {return m_index;}
-            
+
         private:
             unsigned short m_index;
         };
-        
+
         class EndpointManager : public IEndpointManager
         {
         public:
@@ -261,13 +261,13 @@ namespace {
                     m_soft=e;
                 }
             }
-            
+
         private:
             vector<const IEndpoint*> m_endpoints;
             const IEndpoint* m_soft;    // Soft default (not explicit)
             const IEndpoint* m_hard;    // Hard default (explicit)
         };
-        
+
         class SSORole : public Role, public virtual ISSODescriptor
         {
         public:
@@ -277,7 +277,7 @@ namespace {
             const IEndpointManager* getSingleLogoutServiceManager() const {return &m_logout;}
             const IEndpointManager* getManageNameIDServiceManager() const {return &m_nameid;}
             saml::Iterator<const XMLCh*> getNameIDFormats() const {return m_formats;}
-            
+
         private:
             EndpointManager m_artifact,m_logout,m_nameid;
             vector<const XMLCh*> m_formats;
@@ -292,7 +292,7 @@ namespace {
         private:
             vector<pair<const XMLCh*,bool> > m_scopes;
         };
-        
+
         class IDPRole : public SSORole, public ScopedRole, public virtual IIDPSSODescriptor
         {
         public:
@@ -304,7 +304,7 @@ namespace {
             const IEndpointManager* getAssertionIDRequestServiceManager() const {return &m_idreq;}
             saml::Iterator<const XMLCh*> getAttributeProfiles() const {return m_attrprofs;}
             saml::Iterator<const saml::SAMLAttribute*> getAttributes() const {return m_attrs;}
-        
+
         private:
             EndpointManager m_sso,m_mapping,m_idreq;
             vector<const XMLCh*> m_attrprofs;
@@ -324,13 +324,13 @@ namespace {
             saml::Iterator<const XMLCh*> getNameIDFormats() const {return m_formats;}
             saml::Iterator<const XMLCh*> getAttributeProfiles() const {return m_attrprofs;}
             saml::Iterator<const saml::SAMLAttribute*> getAttributes() const {return m_attrs;}
-        
+
         private:
             EndpointManager m_query,m_idreq;
             vector<const XMLCh*> m_formats,m_attrprofs;
             vector<const SAMLAttribute*> m_attrs;
         };
-    
+
         class EntityDescriptor : public IExtendedEntityDescriptor
         {
         public:
@@ -341,7 +341,7 @@ namespace {
                 const IEntitiesDescriptor* parent=NULL
                 );
             ~EntityDescriptor();
-        
+
             // External contract
             const XMLCh* getId() const {return m_id;}
             bool isValid() const {return time(NULL) < m_validUntil;}
@@ -385,7 +385,7 @@ namespace {
                 const IEntitiesDescriptor* parent=NULL
                 );
             ~EntitiesDescriptor();
-            
+
             const XMLCh* getName() const {return m_name;}
             bool isValid() const {return time(NULL) < m_validUntil;}
             const IEntitiesDescriptor* getEntitiesDescriptor() const {return m_parent;}
@@ -393,7 +393,7 @@ namespace {
             Iterator<const IEntityDescriptor*> getEntityDescriptors() const {return m_providers;}
             Iterator<const IKeyAuthority*> getKeyAuthorities() const {return m_keyauths;}
             const DOMElement* getElement() const {return m_root;}
-        
+
             // Used internally
             time_t getValidUntil() const {return m_validUntil;}
         private:
@@ -435,13 +435,13 @@ namespace {
         const IEntitiesDescriptor* lookupGroup(const char* name, bool strict=true) const;
         const IEntitiesDescriptor* lookupGroup(const XMLCh* name, bool strict=true) const;
         pair<const IEntitiesDescriptor*,const IEntityDescriptor*> getRoot() const;
-        
+
         bool verifySignature(DOMDocument* doc, const DOMElement* parent, bool failUnsigned) const;
-        
+
     protected:
         virtual ReloadableXMLFileImpl* newImplementation(const char* pathname, bool first=true) const;
         virtual ReloadableXMLFileImpl* newImplementation(const DOMElement* e, bool first=true) const;
-        
+
     private:
         bool m_exclusions,m_verify;
         set<string> m_set;
@@ -470,7 +470,7 @@ XMLMetadataImpl::ContactPerson::ContactPerson(const DOMElement* e)
     : m_root(e), m_type(IContactPerson::other), m_givenName(NULL), m_surName(NULL), m_company(NULL)
 {
     const XMLCh* type=NULL;
-    
+
     // Old metadata or new?
     if (saml::XML::isElementNamed(e,::XML::SHIB_NS,SHIB_L(Contact))) {
         type=e->getAttributeNS(NULL,SHIB_L(Type));
@@ -518,7 +518,7 @@ XMLMetadataImpl::ContactPerson::ContactPerson(const DOMElement* e)
             e=saml::XML::getNextSiblingElement(e);
         }
     }
-    
+
     if (!XMLString::compareString(type,SHIB_L(technical)))
         m_type=IContactPerson::technical;
     else if (!XMLString::compareString(type,SHIB_L(support)))
@@ -595,7 +595,7 @@ XMLMetadataImpl::KeyDescriptor::KeyDescriptor(const DOMElement* e) : m_root(e),
         m_use=encryption;
     else if (!XMLString::compareString(e->getAttributeNS(NULL,SHIB_L(use)),SHIB_L(signing)))
         m_use=signing;
-    
+
     m_klist = new DSIGKeyInfoList(NULL);
 
     // Process ds:KeyInfo
@@ -609,10 +609,14 @@ XMLMetadataImpl::KeyDescriptor::KeyDescriptor(const DOMElement* e) : m_root(e),
                 "skipping ds:KeyInfo element containing unsupported children"
                 );
     }
+    catch (XSECException& xe) {
+        auto_ptr_char msg(xe.getMsg());
+        Category::getInstance(XMLPROVIDERS_LOGCAT".Metadata").error("unable to process ds:KeyInfo element: %s",msg.get());
+    }
     catch (XSECCryptoException& xe) {
         Category::getInstance(XMLPROVIDERS_LOGCAT".Metadata").error("unable to process ds:KeyInfo element: %s",xe.getMsg());
     }
-    
+
     // Check for encryption methods.
     e=saml::XML::getNextSiblingElement(e,::XML::SAML2META_NS,SHIB_L(EncryptionMethod));
     while (e) {
@@ -635,7 +639,7 @@ XMLMetadataImpl::KeyAuthority::KeyAuthority(const DOMElement* e) : m_depth(1)
 #endif
     if (e->hasAttributeNS(NULL,SHIB_L(VerifyDepth)))
         m_depth=XMLString::parseInt(e->getAttributeNS(NULL,SHIB_L(VerifyDepth)));
-    
+
     // Process ds:KeyInfo children
     e=saml::XML::getFirstChildElement(e,saml::XML::XMLSIG_NS,L(KeyInfo));
     while (e) {
@@ -657,7 +661,7 @@ XMLMetadataImpl::KeyAuthority::KeyAuthority(const DOMElement* e) : m_depth(1)
             }
             child=saml::XML::getNextSiblingElement(child);
         }
-        
+
         if (klist->getSize()>0)
             m_klists.push_back(klist.release());
         else
@@ -678,16 +682,16 @@ XMLMetadataImpl::Role::Role(const EntityDescriptor* provider, time_t validUntil,
 {
     // Check the root element namespace. If SAML2, assume it's the std schema.
     if (e && !XMLString::compareString(e->getNamespaceURI(),::XML::SAML2META_NS)) {
-       
+
         if (e->hasAttributeNS(NULL,SHIB_L(validUntil))) {
             SAMLDateTime exp(e->getAttributeNS(NULL,SHIB_L(validUntil)));
             exp.parseDateTime();
             m_validUntil=min(m_validUntil,exp.getEpoch());
         }
-        
+
         if (e->hasAttributeNS(NULL,SHIB_L(errorURL)))
             m_errorURL=toUTF8(e->getAttributeNS(NULL,SHIB_L(errorURL)));
-        
+
         // Chop the protocol list into pieces...assume any whitespace can appear in between.
         m_protocolEnumCopy=XMLString::replicate(e->getAttributeNS(NULL,SHIB_L(protocolSupportEnumeration)));
         XMLCh* temp=m_protocolEnumCopy;
@@ -699,7 +703,7 @@ XMLMetadataImpl::Role::Role(const EntityDescriptor* provider, time_t validUntil,
             m_protocolEnum.push_back(start);
             while (*temp && XMLChar1_1::isWhitespace(*temp)) temp++;
         }
-        
+
         e=saml::XML::getFirstChildElement(m_root,::XML::SAML2META_NS,SHIB_L(KeyDescriptor));
         while (e) {
             m_keys.push_back(new KeyDescriptor(e));
@@ -781,7 +785,7 @@ XMLMetadataImpl::ScopedRole::ScopedRole(const DOMElement* e)
     else {
         nlist=e->getElementsByTagNameNS(::XML::SHIB_NS,SHIB_L(Domain));
     }
-    
+
     for (XMLSize_t i=0; nlist && i < nlist->getLength(); i++) {
         const XMLCh* dom=(nlist->item(i)->hasChildNodes()) ? nlist->item(i)->getFirstChild()->getNodeValue() : NULL;
         if (dom && *dom) {
@@ -800,7 +804,7 @@ XMLMetadataImpl::IDPRole::IDPRole(const EntityDescriptor* provider, time_t valid
     if (!XMLString::compareString(e->getNamespaceURI(),::XML::SAML2META_NS)) {
         const XMLCh* flag=e->getAttributeNS(NULL,SHIB_L(WantAuthnRequestsSigned));
         m_wantAuthnRequestsSigned=(flag && (*flag==chDigit_1 || *flag==chLatin_t));
-        
+
         // Check for SourceID extension.
         DOMElement* ext=saml::XML::getFirstChildElement(e,::XML::SAML2META_NS,SHIB_L(Extensions));
         if (ext) {
@@ -808,7 +812,7 @@ XMLMetadataImpl::IDPRole::IDPRole(const EntityDescriptor* provider, time_t valid
             if (ext && ext->hasChildNodes())
                 m_sourceId=ext->getFirstChild()->getNodeValue();
         }
-        
+
         XMLSize_t i;
         DOMNodeList* nlist=e->getElementsByTagNameNS(::XML::SAML2META_NS,SHIB_L(SingleSignOnService));
         for (i=0; nlist && i<nlist->getLength(); i++)
@@ -1019,7 +1023,7 @@ XMLMetadataImpl::EntityDescriptor::EntityDescriptor(
     else {
         m_id=e->getAttributeNS(NULL,SHIB_L(Name));
         m_errorURL=toUTF8(e->getAttributeNS(NULL,SHIB_L(ErrorURL)));
-        
+
         bool idp=false,aa=false;    // only want to build a role once
         DOMElement* child=saml::XML::getFirstChildElement(e);
         while (child) {
@@ -1044,7 +1048,7 @@ XMLMetadataImpl::EntityDescriptor::EntityDescriptor(
     if (m_id && *m_id) {
         auto_ptr_char id(m_id);
         wrapper->m_sites.insert(pair<const string,const EntityDescriptor*>(id.get(),this));
-        
+
         // Look for an IdP role, and register the artifact source ID and endpoints.
         const IDPRole* idp=NULL;
         for (vector<const IRoleDescriptor*>::const_iterator r=m_roles.begin(); r!=m_roles.end(); r++) {
@@ -1247,14 +1251,14 @@ XMLMetadata::XMLMetadata(const DOMElement* e) : ReloadableXMLFile(e), m_exclusio
             }
         }
     }
-    
+
     const XMLCh* v=e->getAttributeNS(NULL,SHIB_L(verify));
     m_verify=(v && (*v==chLatin_t || *v==chDigit_1));
 
     string cr_type;
     DOMElement* r=saml::XML::getFirstChildElement(e,::XML::CREDS_NS,SHIB_L(FileResolver));
     if (r)
-        cr_type="edu.internet2.middleware.shibboleth.common.Credentials.FileCredentialResolver";            
+        cr_type="edu.internet2.middleware.shibboleth.common.Credentials.FileCredentialResolver";
     else {
         r=saml::XML::getFirstChildElement(e,::XML::CREDS_NS,SHIB_L(CustomResolver));
         if (r) {
@@ -1262,7 +1266,7 @@ XMLMetadata::XMLMetadata(const DOMElement* e) : ReloadableXMLFile(e), m_exclusio
             cr_type=c.get();
         }
     }
-    
+
     if (!cr_type.empty()) {
         try {
             IPlugIn* plugin=SAMLConfig::getConfig().getPlugMgr().newPlugin(cr_type.c_str(),r);
@@ -1280,7 +1284,7 @@ XMLMetadata::XMLMetadata(const DOMElement* e) : ReloadableXMLFile(e), m_exclusio
             throw;
         }
     }
-    
+
     if (m_verify && !m_credResolver) {
         delete m_credResolver;
         throw MalformedException("Metadata provider told to verify signatures, but a verification key is not available.");
@@ -1296,7 +1300,7 @@ bool XMLMetadata::verifySignature(DOMDocument* doc, const DOMElement* parent, bo
     saml::NDC ndc("verifySignature");
 #endif
     Category& log=Category::getInstance(XMLPROVIDERS_LOGCAT".Metadata");
-    
+
     DOMElement* sigNode=saml::XML::getFirstChildElement(parent,saml::XML::XMLSIG_NS,L(Signature));
     if (!sigNode) {
         if (failUnsigned) {
@@ -1305,7 +1309,7 @@ bool XMLMetadata::verifySignature(DOMDocument* doc, const DOMElement* parent, bo
         }
         return true;
     }
-    
+
     XSECCryptoX509* cert=NULL;
     Iterator<XSECCryptoX509*> certs=m_credResolver->getCertificates();
     if (certs.hasNext())
@@ -1349,20 +1353,20 @@ bool XMLMetadata::verifySignature(DOMDocument* doc, const DOMElement* parent, bo
                 }
             }
         }
-    
+
         if (!valid) {
             auto_ptr_char temp((URI && *URI) ? URI : null);
             log.error("detected an invalid signature profile (Reference URI was %s)",temp.get());
             return false;
         }
-        
+
         sig->setSigningKey(cert->clonePublicKey());
         if (!sig->verify()) {
             auto_ptr_char temp((URI && *URI) ? URI : null);
             log.error("detected an invalid signature value (Reference URI was %s)",temp.get());
             return false;
         }
-        
+
         prov.releaseSignature(sig);
     }
     catch(XSECException& e) {
@@ -1393,7 +1397,7 @@ const IEntityDescriptor* XMLMetadata::lookup(const char* providerId, bool strict
         return NULL;
     else if (strict && !m_exclusions && m_set.find(providerId)==m_set.end())
         return NULL;
-        
+
     XMLMetadataImpl* impl=dynamic_cast<XMLMetadataImpl*>(getImplementation());
     pair<XMLMetadataImpl::sitemap_t::iterator,XMLMetadataImpl::sitemap_t::iterator> range=
         impl->m_sites.equal_range(providerId);
@@ -1402,10 +1406,10 @@ const IEntityDescriptor* XMLMetadata::lookup(const char* providerId, bool strict
     for (XMLMetadataImpl::sitemap_t::const_iterator i=range.first; i!=range.second; i++)
         if (now < i->second->getValidUntil())
             return i->second;
-    
+
     if (!strict && range.first!=range.second)
         return range.first->second;
-        
+
     return NULL;
 }
 
@@ -1420,7 +1424,7 @@ const IEntityDescriptor* XMLMetadata::lookup(const SAMLArtifact* artifact) const
     time_t now=time(NULL);
     XMLMetadataImpl* impl=dynamic_cast<XMLMetadataImpl*>(getImplementation());
     pair<XMLMetadataImpl::sitemap_t::iterator,XMLMetadataImpl::sitemap_t::iterator> range;
-    
+
     // Depends on type of artifact.
     const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
     if (type1) {
@@ -1447,7 +1451,7 @@ const IEntityDescriptor* XMLMetadata::lookup(const SAMLArtifact* artifact) const
             if (now < i->second->getValidUntil())
                 return i->second;
     }
-    
+
     return NULL;
 }
 
@@ -1457,7 +1461,7 @@ const IEntitiesDescriptor* XMLMetadata::lookupGroup(const char* name, bool stric
         return NULL;
     else if (strict && !m_exclusions && m_set.find(name)==m_set.end())
         return NULL;
-        
+
     XMLMetadataImpl* impl=dynamic_cast<XMLMetadataImpl*>(getImplementation());
     pair<XMLMetadataImpl::groupmap_t::iterator,XMLMetadataImpl::groupmap_t::iterator> range=
         impl->m_groups.equal_range(name);
@@ -1466,10 +1470,10 @@ const IEntitiesDescriptor* XMLMetadata::lookupGroup(const char* name, bool stric
     for (XMLMetadataImpl::groupmap_t::iterator i=range.first; i!=range.second; i++)
         if (now < i->second->getValidUntil())
             return i->second;
-    
+
     if (!strict && range.first!=range.second)
         return range.first->second;
-        
+
     return NULL;
 }
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git



More information about the Pkg-shibboleth-devel mailing list