[shibboleth-sp2] 20/89: SSPCPP-356 - Better support message-level security on the back channel

Ferenc Wágner wferi at moszumanska.debian.org
Thu Sep 1 09:24:04 UTC 2016


This is an automated email from the git hooks/post-receive script.

wferi pushed a commit to branch master
in repository shibboleth-sp2.

commit 79a1ff234db33055348728ad0b9da1e7df69117c
Author: Scott Cantor <cantor.2 at osu.edu>
Date:   Tue May 10 16:38:45 2016 -0400

    SSPCPP-356 - Better support message-level security on the back channel
    
    https://issues.shibboleth.net/jira/browse/SSPCPP-356
    
    Change meaning of absent requireTransportAuth setting to behave
    inversely to conditional signing.
---
 shibsp/binding/impl/SOAPClient.cpp | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/shibsp/binding/impl/SOAPClient.cpp b/shibsp/binding/impl/SOAPClient.cpp
index cd01c8f..46d7fe6 100644
--- a/shibsp/binding/impl/SOAPClient.cpp
+++ b/shibsp/binding/impl/SOAPClient.cpp
@@ -61,8 +61,8 @@ void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCre
 {
     // Check for message signing requirements.   
     m_relyingParty = m_app.getRelyingParty(dynamic_cast<const EntityDescriptor*>(to.getRole().getParent()));
-    pair<bool, const char*> flag = m_relyingParty->getString("signing");
-    if (SPConfig::shouldSignOrEncrypt(flag.first ? flag.second : "conditional", endpoint, false)) {
+    pair<bool, const char*> signing = m_relyingParty->getString("signing");
+    if (SPConfig::shouldSignOrEncrypt(signing.first ? signing.second : "conditional", endpoint, false)) {
         m_credResolver=m_app.getCredentialResolver();
         if (m_credResolver) {
             m_credResolver->lock();
@@ -126,7 +126,18 @@ void SOAPClient::send(const soap11::Envelope& env, const char* from, MetadataCre
             Category::getInstance(SHIBSP_LOGCAT ".SOAPClient").warn("no CredentialResolver available, leaving unsigned");
         }
     }
-    
+
+    pair<bool,bool> flag = m_relyingParty->getBool("requireTransportAuth");
+    if (flag.first) {
+        forceTransportAuthentication(flag.second);
+    }
+    else {
+        // If not set, toggle transport authentication requirement inversely to conditional signing/encryption.
+        // That is, if we would force on signing, we probably expect the IdP to sign, and allow the transport layer
+        // to be ignored. This allows us to ignore regular certificates on standard ports.
+        forceTransportAuthentication(!SPConfig::shouldSignOrEncrypt("conditional", endpoint, false));
+    }
+
     opensaml::SOAPClient::send(env, from, to, endpoint);
 }
 
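Review bot: The fallback `forceTransportAuthentication(!SPConfig::shouldSignOrEncrypt("conditional", endpoint, false));` can disable transport authentication for a request that was never actually signed, because it re-derives the conditional rule from the endpoint alone while the real signing decision earlier in this function honours the relying party's `signing` override and is also skipped when no CredentialResolver exists (the "leaving unsigned" warning two hunks up); presumably a relying party with signing turned off, or a deployment without a resolver, then gets neither message-level nor transport-level authentication on the back channel, which is strictly weaker than the old `!flag.first || flag.second` default this commit removes. It would be safer to record whether signing was really applied, e.g. `bool signedMsg = false;` before the signing check, `signedMsg = true;` where the credential is actually attached inside the resolver branch, and `forceTransportAuthentication(!signedMsg);` in the `else` case here. If the hard-coded `"conditional"` is deliberate, the comment above it should state that deployments overriding `signing` are expected to set `requireTransportAuth` explicitly, and also note that signing our own request does not by itself guarantee the IdP signs its response, so message-level security of the reply still depends on the response policy. The enclosing `SOAPClient::send` starts outside this hunk.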
@@ -143,8 +154,6 @@ void SOAPClient::prepareTransport(SOAPTransport& transport)
         throw opensaml::BindingException("Transport confidentiality required, but not available."); 
 
     setValidating(getPolicy().getValidating());
-    flag = m_relyingParty->getBool("requireTransportAuth");
-    forceTransportAuthentication(!flag.first || flag.second);
 
     opensaml::SOAPClient::prepareTransport(transport);
 
