[SCM] Debian packaging for OpenSAML 2.0 branch, lenny, updated. debian/2.0-2-2-ga22aa43

Russ Allbery rra at debian.org
Fri Sep 18 01:54:34 UTC 2009


The following commit has been merged in the lenny branch:
commit 6114edd5a077aaaecc033f9316a0a5d6d528dd54
Author: Russ Allbery <rra at debian.org>
Date:   Thu Sep 17 14:23:50 2009 -0700

    Merge upstream changes between 2.2 and 2.2.1
    
    * Merge upstream changes between 2.2 and 2.2.1.
      - SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> in
        SAML metadata, so that a key restricted to signing or to encryption
        is not used for the other purpose.  This is a partial fix; the
        complete fix also requires a new version of the xmltooling library.

diff --git a/debian/changelog b/debian/changelog
index 14a08fc..e9c6ae0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+opensaml2 (2.0-2+lenny1) UNRELEASED; urgency=low
+
+  * Merge upstream changes between 2.2 and 2.2.1.
+    - SECURITY: Correctly honor the "use" attribute of <KeyDescriptor>
+      SAML metadata to honor restrictions to signing or encryption.  This
+      is a partial fix; the complete fix also requires a new version of
+      the xmltooling library.
+
+ -- Russ Allbery <rra at debian.org>  Thu, 17 Sep 2009 14:23:39 -0700
+
 opensaml2 (2.0-2) unstable; urgency=low
 
   * Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-7
diff --git a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp
index 16a6bc1..965e58f 100644
--- a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp
+++ b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -109,8 +109,7 @@ XMLObject* SAML1POSTDecoder::decode(
     if (!response)
         throw BindingException("Decoded message was not a SAML 1.x Response.");
 
-    if (!policy.getValidating())
-        SchemaValidators.validate(response);
+    SchemaValidators.validate(response);
     
     pair<bool,int> minor = response->getMinorVersion();
     extractMessageDetails(
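Review bot: With the `policy.getValidating()` gate removed, `SchemaValidators.validate(response);` now runs on every decoded Response regardless of how the parser was configured, and nothing in the hunk records why, so a later reader could well reinstate the gate as an optimization. I would add `// Always run the manual validators; parser-level schema validation is not relied on here.` above the call. If the `getValidating()` accessor on the policy object still exists, its remaining callers presumably deserve the same review, though that is outside this hunk. `decode` begins before and continues after the hunk.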
diff --git a/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp b/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp
index d60dced..74c1960 100644
--- a/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp
+++ b/saml/saml1/binding/impl/SAML1SOAPDecoder.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -98,8 +98,7 @@ XMLObject* SAML1SOAPDecoder::decode(
     if (!env)
         throw BindingException("Decoded message was not a SOAP 1.1 Envelope.");
 
-    if (!policy.getValidating())
-        SchemaValidators.validate(env);
+    SchemaValidators.validate(env);
     
     Body* body = env->getBody();
     if (body && body->hasChildren()) {
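Review bot: The unconditional `SchemaValidators.validate(env);` carries no comment, and since the body is inspected for the SAML message only after this line, the reason the validating-parser shortcut was dropped should be written down: `// Validate the envelope unconditionally before looking for the SAML message in its body.` The same gate was removed in the sibling decoders, so a shared explanation in one place, referenced from each, would be enough. `decode` starts and ends outside this hunk.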
diff --git a/saml/saml2/binding/impl/SAML2ECPDecoder.cpp b/saml/saml2/binding/impl/SAML2ECPDecoder.cpp
index d311286..e8ecc34 100644
--- a/saml/saml2/binding/impl/SAML2ECPDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2ECPDecoder.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -99,8 +99,7 @@ XMLObject* SAML2ECPDecoder::decode(
     if (!env)
         throw BindingException("Decoded message was not a SOAP 1.1 Envelope.");
 
-    if (!policy.getValidating())
-        SchemaValidators.validate(env);
+    SchemaValidators.validate(env);
     
     Body* body = env->getBody();
     if (body && body->hasChildren()) {
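Review bot: `SchemaValidators.validate(env);` is now always executed, but the hunk gives no hint that this is deliberate rather than a leftover; a one-line comment such as `// Manual validation is mandatory here; do not gate it on the parser's validating flag.` would protect the change. The envelope is validated before its body is opened, which is the right order for an ECP response. The enclosing `decode` continues beyond the hunk.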
diff --git a/saml/saml2/binding/impl/SAML2ECPEncoder.cpp b/saml/saml2/binding/impl/SAML2ECPEncoder.cpp
index 2cddf29..16ee9f0 100644
--- a/saml/saml2/binding/impl/SAML2ECPEncoder.cpp
+++ b/saml/saml2/binding/impl/SAML2ECPEncoder.cpp
@@ -179,7 +179,7 @@ long SAML2ECPEncoder::encode(
         header->getUnknownXMLObjects().push_back(hdrblock);
     }
     
-    if (relayState) {
+    if (relayState && *relayState) {
         // Create ecp:RelayState header.
         static const XMLCh RelayState[] = UNICODE_LITERAL_10(R,e,l,a,y,S,t,a,t,e);
         hdrblock = dynamic_cast<ElementProxy*>(m_anyBuilder.buildObject(SAML20ECP_NS, RelayState, SAML20ECP_PREFIX));
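Review bot: The new `if (relayState && *relayState)` test silently omits the ecp:RelayState header when the caller passes an empty string, and nothing says whether that is intended or a caller error to be reported. A short comment would pin it down: `// An empty RelayState is treated as absent: no ecp:RelayState header is emitted.` `encode` begins before and continues after this hunk.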
@@ -224,8 +224,10 @@ long SAML2ECPEncoder::encode(
         stringstream s;
         s << *rootElement;
         
-        if (log.isDebugEnabled())
-            log.debug("marshalled envelope:\n%s", s.str().c_str());
+        if (log.isDebugEnabled()) {
+            string forlog(s.str());
+            log.debug("marshalled envelope:\n%s", forlog.c_str());
+        }
 
         log.debug("sending serialized envelope");
         long ret = genericResponse.sendResponse(s);
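Review bot: The `forlog` copy at the debug call has no comment explaining why `s.str().c_str()` was replaced; the temporary from `s.str()` lives to the end of the full-expression, so the copy is presumably there to survive a macro or varargs expansion of `log.debug`, and `// copy: keep the buffer alive across the logging call` would stop the next reader from folding it back. Separately, the message logged here is the entire marshalled envelope; if it carries an assertion, name identifiers and attributes end up in the log at debug level, which deserves a caveat in that comment. The enclosing `encode` starts and ends outside this hunk.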
diff --git a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
index 7be9f55..bd0cd73 100644
--- a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -122,8 +122,7 @@ XMLObject* SAML2POSTDecoder::decode(
         root = static_cast<saml2::RootObject*>(request);
     }
     
-    if (!policy.getValidating())
-        SchemaValidators.validate(root);
+    SchemaValidators.validate(root);
 
     // Run through the policy.
     extractMessageDetails(*root, genericRequest, samlconstants::SAML20P_NS, policy);
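Review bot: `SchemaValidators.validate(root);` now runs on both the Response and the Request paths unconditionally, and the policy-driven skip that was removed is not explained anywhere in the hunk; add `// Always validate the decoded root before the policy sees it; the parser's own validation is not trusted for this.` The `root` assignment for the other branch lies above the hunk, and `decode` continues past it.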
diff --git a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp
index f682d2d..027b111 100644
--- a/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -134,8 +134,7 @@ XMLObject* SAML2RedirectDecoder::decode(
         root = static_cast<saml2::RootObject*>(request);
     }
     
-    if (!policy.getValidating())
-        SchemaValidators.validate(root);
+    SchemaValidators.validate(root);
     
     // Run through the policy.
     extractMessageDetails(*root, genericRequest, samlconstants::SAML20P_NS, policy);
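Review bot: The redirect binding now validates `root` unconditionally at `SchemaValidators.validate(root);`, mirroring the POST decoder, but again without a comment saying why the `policy.getValidating()` gate went away; the same one-line note as in SAML2POSTDecoder would do, `// Always validate the decoded root; do not gate this on the parser's validating flag.` Because this decoder handles an inflated, URL-carried message, unconditional validation before `extractMessageDetails` is the safer order. `decode` begins and ends outside this hunk.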
diff --git a/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp b/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp
index e006a9e..346aa99 100644
--- a/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp
+++ b/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -98,8 +98,7 @@ XMLObject* SAML2SOAPDecoder::decode(
     if (!env)
         throw BindingException("Decoded message was not a SOAP 1.1 Envelope.");
 
-    if (!policy.getValidating())
-        SchemaValidators.validate(env);
+    SchemaValidators.validate(env);
     
     Body* body = env->getBody();
     if (body && body->hasChildren()) {
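Review bot: `SchemaValidators.validate(env);` is now unconditional here as in the other SOAP decoders, with no comment recording the reason; `// Validate the envelope unconditionally before inspecting the body.` would suffice. If the `getValidating()` accessor on the policy object no longer has a consumer in the decoders, its documentation should say what it still controls (outside this hunk). `decode` continues beyond the hunk.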
diff --git a/saml/saml2/metadata/MetadataCredentialCriteria.h b/saml/saml2/metadata/MetadataCredentialCriteria.h
index 7d57810..5d3a1c7 100644
--- a/saml/saml2/metadata/MetadataCredentialCriteria.h
+++ b/saml/saml2/metadata/MetadataCredentialCriteria.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,10 +64,10 @@ namespace opensaml {
                 const MetadataCredentialContext* context = dynamic_cast<const MetadataCredentialContext*>(credential.getCredentalContext());
                 if (context) {
                     // Check for a usage mismatch.
-                    if ((getUsage() | (xmltooling::Credential::SIGNING_CREDENTIAL & xmltooling::Credential::TLS_CREDENTIAL)) &&
+                    if ((getUsage() & (xmltooling::Credential::SIGNING_CREDENTIAL | xmltooling::Credential::TLS_CREDENTIAL)) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_ENCRYPTION))
                         return false;
-                    else if ((getUsage() | xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
+                    else if ((getUsage() & xmltooling::Credential::ENCRYPTION_CREDENTIAL) &&
                             XMLString::equals(context->getKeyDescriptor().getUse(),KeyDescriptor::KEYTYPE_SIGNING))
                         return false;
                 }
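Review bot: The corrected `&` tests at the two `getUsage()` lines are now right but carry no comment, and the fact that the original `|` shipped shows how easily the expression is misread; I would add `// Reject a key whose metadata "use" excludes the requested usage; a KeyDescriptor with no "use" falls through.` and a regression test pinning that a SIGNING_CREDENTIAL request is refused for use="encryption" and not refused for use="signing" or no use. Note also that a caller requesting SIGNING and ENCRYPTION together would be refused by the first test for any key marked use="encryption"; if that combination is ever requested, the first condition should exclude it. The enclosing method continues beyond the hunk, and the commit message says a matching xmltooling change is still required for the complete fix.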
diff --git a/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp b/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
index 835a2ed..03f9809 100644
--- a/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
+++ b/saml/saml2/metadata/impl/DynamicMetadataProvider.cpp
@@ -30,6 +30,7 @@
 #include <xercesc/util/XMLUniDefs.hpp>
 #include <xmltooling/logging.h>
 #include <xmltooling/util/XMLHelper.h>
+#include <xmltooling/validation/ValidatorSuite.h>
 
 using namespace opensaml::saml2md;
 using namespace xmltooling::logging;
@@ -85,6 +86,13 @@ pair<const EntityDescriptor*,const RoleDescriptor*> DynamicMetadataProvider::get
 
     // Try resolving it.
     auto_ptr<EntityDescriptor> entity2(resolve(name.c_str()));
+    try {
+        SchemaValidators.validate(entity2.get());
+    }
+    catch (exception& ex) {
+        log.error("metadata intance failed manual validation checking: %s", ex.what());
+        throw MetadataException("Metadata instance failed manual validation checking.");
+    }
 
     // Filter it, which may throw.
     doFilters(*entity2.get());
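Review bot: The new error log misspells "instance": `log.error("metadata instance failed manual validation checking: %s", ex.what());`. The handler should bind by const reference, `catch (const exception& ex)`, and since the rethrown MetadataException drops the original message, that log line is the only diagnostic a deployer gets, so it is worth getting right. Validating `entity2` before `doFilters` is the right order, but if `resolve()` can return a null pointer the validator is handed it unchecked (an assumption, `resolve()` is not in the hunk). `get` begins and ends outside this hunk.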
diff --git a/saml/saml2/metadata/impl/XMLMetadataProvider.cpp b/saml/saml2/metadata/impl/XMLMetadataProvider.cpp
index f3f2b39..430288f 100644
--- a/saml/saml2/metadata/impl/XMLMetadataProvider.cpp
+++ b/saml/saml2/metadata/impl/XMLMetadataProvider.cpp
@@ -27,6 +27,7 @@
 
 #include <xmltooling/util/NDC.h>
 #include <xmltooling/util/ReloadableXMLFile.h>
+#include <xmltooling/validation/ValidatorSuite.h>
 
 using namespace opensaml::saml2md;
 using namespace xmltooling::logging;
@@ -98,6 +99,13 @@ pair<bool,DOMElement*> XMLMetadataProvider::load()
         throw MetadataException(
             "Root of metadata instance not recognized: $1", params(1,xmlObject->getElementQName().toString().c_str())
             );
+    try {
+        SchemaValidators.validate(xmlObject.get());
+    }
+    catch (exception& ex) {
+        m_log.error("metadata intance failed manual validation checking: %s", ex.what());
+        throw MetadataException("Metadata instance failed manual validation checking.");
+    }
     
     // Preprocess the metadata.
     doFilters(*xmlObject.get());
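Review bot: Same spelling slip as in DynamicMetadataProvider: `m_log.error("metadata instance failed manual validation checking: %s", ex.what());`, and the handler should be `catch (const exception& ex)`. A short comment above the try would also help a reader who wonders why parsing did not already catch this: `// Run the manual validators on the object tree; the parser's schema checks are not relied on.` `load` starts before and continues after the hunk.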
