LCOV - code coverage report
Current view: top level - zxid - zxidwsf.c (source / functions) Hit Total Coverage
Test: ZXID Code Coverage Lines: 174 320 54.4 %
Date: 2010-12-19 Functions: 6 6 100.0 %
Branches: 231 702 32.9 %

           Branch data     Line data    Source code
       1                 :            : /* zxidwsf.c  -  Handwritten nitty-gritty functions for Liberty ID-WSF Framework level
       2                 :            :  * Copyright (c) 2009-2010 Sampo Kellomaki (sampo@iki.fi), All Rights Reserved.
       3                 :            :  * Copyright (c) 2007-2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
       4                 :            :  * Author: Sampo Kellomaki (sampo@iki.fi)
       5                 :            :  * This is confidential unpublished proprietary source code of the author.
       6                 :            :  * NO WARRANTY, not even implied warranties. Contains trade secrets.
       7                 :            :  * Distribution prohibited unless authorized in writing.
       8                 :            :  * Licensed under Apache License 2.0, see file COPYING.
       9                 :            :  * $Id: zxidwsc.c,v 1.19 2010-01-08 02:10:09 sampo Exp $
      10                 :            :  *
      11                 :            :  * 7.1.2007,  created --Sampo
      12                 :            :  * 7.10.2008, added documentation --Sampo
      13                 :            :  * 7.1.2010,  added WSC signing --Sampo
      14                 :            :  * 31.5.2010, added complex sig validation and hunt --Sampo
      15                 :            :  */
      16                 :            : 
      17                 :            : #include "platform.h"  /* needed on Win32 for pthread_mutex_lock() et al. */
      18                 :            : 
      19                 :            : #include "errmac.h"
      20                 :            : #include "zxid.h"
      21                 :            : #include "zxidpriv.h"
      22                 :            : #include "zxidconf.h"
      23                 :            : #include "saml2.h"
      24                 :            : #include "wsf.h"
      25                 :            : #include "c/zx-const.h"
      26                 :            : #include "c/zx-ns.h"
      27                 :            : #include "c/zx-data.h"
      28                 :            : 
      29                 :            : #define XS_STRING "http://www.w3.org/2001/XMLSchema#string"
      30                 :            : #define BOOL_STR_TEST(x) ((x) && (x) != '0')
      31                 :            : 
      32                 :            : /*() Try to map security mechanisms across different frame works. Low level
      33                 :            :  * function. This also makes some elementary checks as to whether the
      34                 :            :  * EPR is even capable of supporting the sec mech. */
      35                 :            : 
      36                 :            : /* Called by:  zxid_wsc_prep_secmech */
      37                 :            : int zxid_map_sec_mech(zxid_epr* epr)
      38                 :         38 : {
      39                 :            :   int len;
      40                 :            :   const char* s;
      41                 :            :   struct zx_elem_s* secmechid;
      42   [ +  -  +  -  :         38 :   if (!epr || !epr->Metadata || !epr->Metadata->SecurityContext) {
                   -  + ]
      43                 :          0 :     INFO("EPR lacks Metadata or SecurityContext. Forcing X509. %p", epr->Metadata);
      44                 :          0 :     return ZXID_SEC_MECH_X509;
      45                 :            :   }
      46                 :         38 :   secmechid = epr->Metadata->SecurityContext->SecurityMechID;
      47   [ +  -  +  -  :         38 :   if (!ZX_SIMPLE_ELEM_CHK(secmechid)) {
          +  -  +  -  +  
                -  -  + ]
      48         [ #  # ]:          0 :     if (epr->Metadata->SecurityContext->Token) {
      49                 :          0 :       INFO("EPR does not specify sec mech id. Forcing Bearer. %p", secmechid);
      50                 :          0 :       return ZXID_SEC_MECH_BEARER;
      51                 :            :     } else {
      52                 :          0 :       INFO("EPR lacks Token. Forcing X509. %p", secmechid);
      53                 :          0 :       return ZXID_SEC_MECH_X509;
      54                 :            :     }
      55                 :            :   }
      56                 :            : 
      57   [ +  -  +  -  :         38 :   len = ZX_GET_CONTENT_LEN(secmechid);
                   +  - ]
      58   [ +  -  +  -  :         38 :   s   = ZX_GET_CONTENT_S(secmechid);
                   +  - ]
      59                 :            : 
      60   [ +  +  -  + ]:         38 :   D("mapping secmec(%.*s)", len, s);
      61                 :            : 
      62                 :            : #define SEC_MECH_TEST(ret, val) if (len == sizeof(val)-1 && !memcmp(s, val, sizeof(val)-1)) return ret;
      63                 :            : 
      64   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_X509, WSF11_SEC_MECH_NULL_X509);
      65   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_X509, WSF11_SEC_MECH_TLS_X509);
      66   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_X509, WSF11_SEC_MECH_CLTLS_X509);
      67                 :            :   
      68   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF11_SEC_MECH_NULL_NULL);
      69   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF11_SEC_MECH_TLS_NULL);
      70   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF11_SEC_MECH_CLTLS_NULL);
      71   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF20_SEC_MECH_NULL_NULL);
      72   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF20_SEC_MECH_TLS_NULL);
      73                 :            : 
      74   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_PEERS, WSF20_SEC_MECH_CLTLS_PEERS2);
      75                 :            : 
      76         [ -  + ]:         38 :   if (!epr->Metadata->SecurityContext->Token) {
      77                 :          0 :       INFO("EPR lacks Token despite not being NULL or X509. Forcing X509. %.*s", len, s);
      78                 :          0 :       return ZXID_SEC_MECH_X509;
      79                 :            :   }
      80                 :            :   
      81   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF10_SEC_MECH_NULL_BEARER);
      82   [ +  -  -  + ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF10_SEC_MECH_TLS_BEARER);
      83   [ -  +  #  # ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF11_SEC_MECH_NULL_BEARER);
      84   [ +  -  +  - ]:         38 :   SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF11_SEC_MECH_TLS_BEARER);
      85   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF11_SEC_MECH_CLTLS_BEARER);
      86   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF20_SEC_MECH_NULL_BEARER);
      87   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF20_SEC_MECH_TLS_BEARER);
      88                 :            :      
      89   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF11_SEC_MECH_NULL_SAML);
      90   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF11_SEC_MECH_TLS_SAML);
      91   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF11_SEC_MECH_CLTLS_SAML);
      92   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF20_SEC_MECH_NULL_SAML2);
      93   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF20_SEC_MECH_TLS_SAML2);
      94   [ #  #  #  # ]:          0 :   SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF20_SEC_MECH_CLTLS_SAML2);
      95                 :            : 
      96                 :          0 :   ERR("Unknown security mechanism(%.*s), taking a guess...", len, s);
      97                 :            :   
      98   [ #  #  #  # ]:          0 :   if (len >= sizeof("Bearer")-1 && zx_memmem(s, len, "Bearer", sizeof("Bearer")-1))
      99                 :          0 :     return ZXID_SEC_MECH_BEARER;
     100   [ #  #  #  # ]:          0 :   if (len >= sizeof("SAML")-1 && zx_memmem(s, len, "SAML", sizeof("SAML")-1))
     101                 :          0 :     return ZXID_SEC_MECH_BEARER;
     102   [ #  #  #  # ]:          0 :   if (len >= sizeof("X509")-1 && zx_memmem(s, len, "X509", sizeof("X509")-1))
     103                 :          0 :     return ZXID_SEC_MECH_BEARER;
     104                 :            :   
     105                 :          0 :   ERR("Unknown security mechanism(%.*s), uable to guess.", len, s);
     106                 :          0 :   return ZXID_SEC_MECH_NULL;
     107                 :            : }
     108                 :            : 
     109                 :            : #define ZX_URI_Id_CMP(hdr) ((hdr) && (hdr)->Id && (hdr)->Id->g.len == sref->URI->g.len-1 && !memcmp((hdr)->Id->g.s, sref->URI->g.s+1, (hdr)->Id->g.len))
     110                 :            : #define ZX_URI_id_CMP(hdr) ((hdr) && (hdr)->id && (hdr)->id->g.len == sref->URI->g.len-1 && !memcmp((hdr)->id->g.s, sref->URI->g.s+1, (hdr)->id->g.len))
     111                 :            : 
     112                 :            : /*() For purposes of signature validation, add references and xml data structures
     113                 :            :  * of all apparently signed message parts.
     114                 :            :  * See also: zxid_add_header_refs() and zxsig_sign() or zxid_chk_sig() + zxsig_validate() */
     115                 :            : 
     116                 :            : /* Called by:  wsse_sec_validate, zxid_wsc_valid_re_env, zxid_wsp_validate_env */
     117                 :            : int zxid_hunt_sig_parts(zxid_conf* cf, int n_refs, struct zxsig_ref* refs, struct zx_ds_Reference_s* sref, struct zx_e_Header_s* hdr, struct zx_e_Body_s* bdy)
     118                 :         57 : {
     119   [ +  +  +  -  :        587 :   for (; sref && sref->gg.g.tok == zx_ds_Reference_ELEM
                   +  - ]
     120                 :            :          && n_refs < ZXID_N_WSF_SIGNED_HEADERS;
     121                 :        473 :        sref = (void*)ZX_NEXT(sref)) {
     122   [ +  -  +  -  :        473 :     if (!sref->URI || !sref->URI->g.len || !sref->URI->g.s || !sref->URI->g.s[0]) {
             +  -  -  + ]
     123                 :          0 :       ERR("Malformed signature: Reference is missing URI %p n_refs=%d", sref->URI, n_refs);
     124                 :          0 :       continue;
     125                 :            :     }
     126                 :        473 :     refs[n_refs].sref = sref;
     127                 :        473 :     refs[n_refs].blob = 0;
     128                 :            : 
     129                 :            :     /* Addressing and Security Headers */
     130                 :            : 
     131   [ +  -  +  -  :        473 :     if (ZX_URI_Id_CMP(hdr->Framework)) {
             +  +  +  + ]
     132   [ +  +  -  + ]:         57 :       D("Found ref URI(%.*s) Framework %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     133                 :         57 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Framework;
     134                 :         57 :       ++n_refs;
     135                 :         57 :       continue;
     136                 :            :     }
     137                 :            :   
     138         [ +  - ]:        416 :     if (hdr->Security) {
     139   [ +  -  +  -  :        416 :       if (ZX_URI_Id_CMP(hdr->Security->Timestamp)) {
             +  +  +  + ]
     140   [ +  +  -  + ]:         57 :         D("Found ref URI(%.*s) Timestamp %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     141                 :         57 :         refs[n_refs].blob = (struct zx_elem_s*)hdr->Security->Timestamp;
     142                 :         57 :         ++n_refs;
     143                 :         57 :         continue;
     144                 :            :       }
     145   [ +  +  +  -  :        359 :       if (ZX_URI_Id_CMP(hdr->Security->SecurityTokenReference)) {
             +  +  +  + ]
     146   [ +  +  -  + ]:         37 :         D("Found ref URI(%.*s) SecurityTokenReference %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     147                 :         37 :         refs[n_refs].blob = (struct zx_elem_s*)hdr->Security->SecurityTokenReference;
     148                 :         37 :         ++n_refs;
     149                 :         37 :         continue;
     150                 :            :       }
     151                 :            :     }
     152                 :            : 
     153   [ +  -  +  -  :        322 :     if (ZX_URI_Id_CMP(hdr->MessageID)) {
             +  +  +  + ]
     154   [ +  +  -  + ]:         57 :       D("Found ref URI(%.*s) MessageID %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     155                 :         57 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->MessageID;
     156                 :         57 :       ++n_refs;
     157                 :         57 :       continue;
     158                 :            :     }
     159                 :            :   
     160   [ +  +  +  -  :        265 :     if (ZX_URI_Id_CMP(hdr->RelatesTo)) {
             +  +  +  + ]
     161   [ +  +  -  + ]:         20 :       D("Found ref URI(%.*s) RelatesTo %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     162                 :         20 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->RelatesTo;
     163                 :         20 :       ++n_refs;
     164                 :         20 :       continue;
     165                 :            :     }
     166                 :            :   
     167   [ -  +  #  #  :        245 :     if (ZX_URI_Id_CMP(hdr->Action)) {
             #  #  #  # ]
     168   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) Action %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     169                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Action;
     170                 :          0 :       ++n_refs;
     171                 :          0 :       continue;
     172                 :            :     }
     173                 :            : 
     174   [ +  +  +  -  :        245 :     if (ZX_URI_Id_CMP(hdr->To)) {
             +  +  +  + ]
     175   [ +  +  -  + ]:         37 :       D("Found ref URI(%.*s) To %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     176                 :         37 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->To;
     177                 :         37 :       ++n_refs;
     178                 :         37 :       continue;
     179                 :            :     }
     180                 :            : 
     181   [ +  +  +  -  :        208 :     if (ZX_URI_Id_CMP(hdr->ReplyTo)) {
             +  +  +  + ]
     182   [ +  +  -  + ]:         37 :       D("Found ref URI(%.*s) ReplyTo %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     183                 :         37 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->ReplyTo;
     184                 :         37 :       ++n_refs;
     185                 :         37 :       continue;
     186                 :            :     }
     187                 :            :   
     188   [ -  +  #  #  :        171 :     if (ZX_URI_Id_CMP(hdr->From)) {
             #  #  #  # ]
     189   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) From %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     190                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->From;
     191                 :          0 :       ++n_refs;
     192                 :          0 :       continue;
     193                 :            :     }
     194                 :            :   
     195   [ +  -  +  -  :        171 :     if (ZX_URI_Id_CMP(hdr->Sender)) {
             +  +  +  + ]
     196   [ +  +  -  + ]:         57 :       D("Found ref URI(%.*s) Sender %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     197                 :         57 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Sender;
     198                 :         57 :       ++n_refs;
     199                 :         57 :       continue;
     200                 :            :     }
     201                 :            :   
     202   [ -  +  #  #  :        114 :     if (ZX_URI_Id_CMP(hdr->FaultTo)) {
             #  #  #  # ]
     203   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) FaultTo %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     204                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->FaultTo;
     205                 :          0 :       ++n_refs;
     206                 :          0 :       continue;
     207                 :            :     }
     208                 :            :   
     209   [ -  +  #  #  :        114 :     if (ZX_URI_Id_CMP(hdr->ReferenceParameters)) {
             #  #  #  # ]
     210   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) ReferenceParameters %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     211                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->ReferenceParameters;
     212                 :          0 :       ++n_refs;
     213                 :          0 :       continue;
     214                 :            :     }
     215                 :            :   
     216                 :            :     /* ID-WSF headers */
     217                 :            :   
     218   [ -  +  #  #  :        114 :     if (ZX_URI_Id_CMP(hdr->TargetIdentity)) {
             #  #  #  # ]
     219   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) TargetIdentity %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     220                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->TargetIdentity;
     221                 :          0 :       ++n_refs;
     222                 :          0 :       continue;
     223                 :            :     }
     224                 :            :   
     225   [ +  -  +  -  :        114 :     if (ZX_URI_Id_CMP(hdr->UsageDirective)) {
             +  +  +  - ]
     226   [ +  +  -  + ]:         57 :       D("Found ref URI(%.*s) UsageDirective %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     227                 :         57 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->UsageDirective;
     228                 :         57 :       ++n_refs;
     229                 :         57 :       continue;
     230                 :            :     }
     231                 :            :   
     232   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->UserInteraction)) {
             #  #  #  # ]
     233   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) UserInteraction %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     234                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->UserInteraction;
     235                 :          0 :       ++n_refs;
     236                 :          0 :       continue;
     237                 :            :     }
     238                 :            :   
     239   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->ProcessingContext)) {
             #  #  #  # ]
     240   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) ProcessingContext %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     241                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->ProcessingContext;
     242                 :          0 :       ++n_refs;
     243                 :          0 :       continue;
     244                 :            :     }
     245                 :            :   
     246   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->EndpointUpdate)) {
             #  #  #  # ]
     247   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) EndpointUpdate %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     248                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->EndpointUpdate;
     249                 :          0 :       ++n_refs;
     250                 :          0 :       continue;
     251                 :            :     }
     252                 :            :   
     253   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->Timeout)) {
             #  #  #  # ]
     254   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) Timeout %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     255                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Timeout;
     256                 :          0 :       ++n_refs;
     257                 :          0 :       continue;
     258                 :            :     }
     259                 :            :   
     260   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->Consent)) {
             #  #  #  # ]
     261   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) Consent %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     262                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Consent;
     263                 :          0 :       ++n_refs;
     264                 :          0 :       continue;
     265                 :            :     }
     266                 :            :   
     267   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->ApplicationEPR)) {
             #  #  #  # ]
     268   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) ApplicationEPR %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     269                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->ApplicationEPR;
     270                 :          0 :       ++n_refs;
     271                 :          0 :       continue;
     272                 :            :     }
     273                 :            :   
     274   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->RedirectRequest)) {
             #  #  #  # ]
     275   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) RedirectRequest %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     276                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->RedirectRequest;
     277                 :          0 :       ++n_refs;
     278                 :          0 :       continue;
     279                 :            :     }
     280                 :            :   
     281   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->CredentialsContext)) {
             #  #  #  # ]
     282   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) CredentialsContext %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     283                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->CredentialsContext;
     284                 :          0 :       ++n_refs;
     285                 :          0 :       continue;
     286                 :            :     }
     287                 :            :   
     288                 :            :     /* TAS3 specifics */
     289                 :            :   
     290   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->Credentials)) {
             #  #  #  # ]
     291   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) Credentials %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     292                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Credentials;
     293                 :          0 :       ++n_refs;
     294                 :          0 :       continue;
     295                 :            :     }
     296                 :            :   
     297   [ -  +  #  #  :         57 :     if (ZX_URI_Id_CMP(hdr->ESLPolicies)) {
             #  #  #  # ]
     298   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) ESLPolicies %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     299                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->ESLPolicies;
     300                 :          0 :       ++n_refs;
     301                 :          0 :       continue;
     302                 :            :     }
     303                 :            :   
     304                 :            :     /* Old ID-WSF 1.2 Headers and App specific headers */
     305                 :            :   
     306   [ -  +  #  #  :         57 :     if (ZX_URI_id_CMP(hdr->Correlation)) {
             #  #  #  # ]
     307   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) Correlation %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     308                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Correlation;
     309                 :          0 :       ++n_refs;
     310                 :          0 :       continue;
     311                 :            :     }
     312                 :            :   
     313   [ -  +  #  #  :         57 :     if (ZX_URI_id_CMP(hdr->Provider)) {
             #  #  #  # ]
     314   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) Provider %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     315                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->Provider;
     316                 :          0 :       ++n_refs;
     317                 :          0 :       continue;
     318                 :            :     }
     319                 :            :   
     320   [ -  +  #  #  :         57 :     if (ZX_URI_id_CMP(hdr->b12_ProcessingContext)) {
             #  #  #  # ]
     321   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) b12_ProcessingContext %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     322                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->b12_ProcessingContext;
     323                 :          0 :       ++n_refs;
     324                 :          0 :       continue;
     325                 :            :     }
     326                 :            :   
     327   [ -  +  #  #  :         57 :     if (ZX_URI_id_CMP(hdr->b12_Consent)) {
             #  #  #  # ]
     328   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) b12_Consent %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     329                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->b12_Consent;
     330                 :          0 :       ++n_refs;
     331                 :          0 :       continue;
     332                 :            :     }
     333                 :            :   
     334   [ -  +  #  #  :         57 :     if (ZX_URI_id_CMP(hdr->b12_UsageDirective)) {
             #  #  #  # ]
     335   [ #  #  #  # ]:          0 :       D("Found ref URI(%.*s) b12_UsageDirective %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     336                 :          0 :       refs[n_refs].blob = (struct zx_elem_s*)hdr->b12_UsageDirective;
     337                 :          0 :       ++n_refs;
     338                 :          0 :       continue;
     339                 :            :     }
     340                 :            : #if 0
     341                 :            :     if (ZX_URI_id_CMP(hdr->TransactionID)) {
     342                 :            :       D("Found ref URI(%.*s) TransactionID %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     343                 :            :       refs[n_refs].blob = (struct zx_elem_s*)hdr->TransactionID;
     344                 :            :       ++n_refs;
     345                 :            :       continue;
     346                 :            :     }
     347                 :            : #endif
     348   [ +  -  +  -  :         57 :     if (ZX_URI_id_CMP(bdy)) {
             +  -  +  - ]
     349   [ +  +  -  + ]:         57 :       D("Found ref URI(%.*s) Body %d", sref->URI->g.len, sref->URI->g.s, n_refs);
     350                 :         57 :       refs[n_refs].blob = (struct zx_elem_s*)bdy;
     351                 :         57 :       ++n_refs;
     352                 :         57 :       continue;
     353                 :            :     }
     354                 :            :   }
     355                 :         57 :   return n_refs;
     356                 :            : }
     357                 :            : 
     358                 :            : #define ZXID_ADD_WSU_ID(H,idval) MB if (!H->Id) \
     359                 :            :   H->Id = zx_ord_ins_at(&H->gg, zx_ref_attr(cf->ctx, 0, zx_wsu_Id_ATTR, idval)); \
     360                 :            :   refs[n_refs].id = &H->Id->g; \
     361                 :            :   refs[n_refs].canon = zx_easy_enc_elem_sig(cf, &H->gg); \
     362                 :            :   ++n_refs; ME
     363                 :            : 
     364                 :            : #define ZXID_ADD_ID(H,idval) MB if (!H->id) \
     365                 :            :   H->id = zx_ord_ins_at(&H->gg, zx_ref_attr(cf->ctx, 0, zx_id_ATTR, idval)); \
     366                 :            :   refs[n_refs].id = &H->id->g; \
     367                 :            :   refs[n_refs].canon = zx_easy_enc_elem_sig(cf, &H->gg); \
     368                 :            :   ++n_refs; ME
     369                 :            : 
     370                 :            : 
     371                 :            : /*() For purposes of signing, add references and canon forms of all known SOAP headers.
     372                 :            :  * N.B. This function only works for preparing for signing.
     373                 :            :  * See also: zxsig_sign(), zxid_hunt_sig_parts() or zxid_chk_sig() + zxsig_validate() */
     374                 :            : 
     375                 :            : /* Called by:  zxid_wsf_sign */
     376                 :            : int zxid_add_header_refs(zxid_conf* cf, int n_refs, struct zxsig_ref* refs, struct zx_e_Header_s* hdr)
     377                 :        191 : {
     378                 :            :   /* Addressing and Security Headers */
     379                 :            : 
     380         [ +  - ]:        191 :   if (hdr->Framework)
     381         [ +  - ]:        191 :     ZXID_ADD_WSU_ID(hdr->Framework,"FWK");
     382   [ +  -  +  - ]:        191 :   if (hdr->Security && hdr->Security->Timestamp)
     383         [ +  - ]:        191 :     ZXID_ADD_WSU_ID(hdr->Security->Timestamp,"TS");
     384         [ +  - ]:        191 :   if (hdr->MessageID)
     385         [ +  - ]:        191 :     ZXID_ADD_WSU_ID(hdr->MessageID,"MID");
     386         [ +  + ]:        191 :   if (hdr->RelatesTo)
     387         [ +  - ]:         35 :     ZXID_ADD_WSU_ID(hdr->RelatesTo,"REL");
     388         [ -  + ]:        191 :   if (hdr->Action)
     389         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->Action,"ACT");
     390         [ +  + ]:        191 :   if (hdr->To)
     391         [ +  - ]:         38 :     ZXID_ADD_WSU_ID(hdr->To,"TO");
     392         [ +  + ]:        191 :   if (hdr->ReplyTo)
     393         [ +  - ]:         38 :     ZXID_ADD_WSU_ID(hdr->ReplyTo,"REP");
     394         [ -  + ]:        191 :   if (hdr->From)
     395         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->From,"FRM");
     396         [ +  - ]:        191 :   if (hdr->Sender)
     397         [ +  - ]:        191 :     ZXID_ADD_WSU_ID(hdr->Sender,"PRV");
     398         [ -  + ]:        191 :   if (hdr->FaultTo)
     399         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->FaultTo,"FLT");
     400         [ -  + ]:        191 :   if (hdr->ReferenceParameters)
     401         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->ReferenceParameters,"PAR");
     402                 :            :   
     403                 :            :   /* ID-WSF headers */
     404                 :            :   
     405         [ -  + ]:        191 :   if (hdr->TargetIdentity)
     406         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->TargetIdentity,"TRG");
     407         [ +  + ]:        191 :   if (hdr->UsageDirective)
     408         [ +  - ]:        190 :     ZXID_ADD_WSU_ID(hdr->UsageDirective,"UD");
     409         [ -  + ]:        191 :   if (hdr->UserInteraction)
     410         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->UserInteraction,"UI");
     411         [ -  + ]:        191 :   if (hdr->ProcessingContext)
     412         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->ProcessingContext,"PC");
     413         [ -  + ]:        191 :   if (hdr->EndpointUpdate)
     414         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->EndpointUpdate,"EP");
     415         [ -  + ]:        191 :   if (hdr->Timeout)
     416         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->Timeout,"TI");
     417         [ -  + ]:        191 :   if (hdr->Consent)
     418         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->Consent,"CON");
     419         [ -  + ]:        191 :   if (hdr->ApplicationEPR)
     420         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->ApplicationEPR,"AEP");
     421         [ -  + ]:        191 :   if (hdr->RedirectRequest)
     422         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->RedirectRequest,"RR");
     423         [ -  + ]:        191 :   if (hdr->CredentialsContext)
     424         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->CredentialsContext,"CCX");
     425                 :            :   
     426                 :            :   /* TAS3 specifics */
     427                 :            :   
     428         [ -  + ]:        191 :   if (hdr->Credentials)
     429         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->Credentials,"CRED");
     430         [ -  + ]:        191 :   if (hdr->ESLPolicies)
     431         [ #  # ]:          0 :     ZXID_ADD_WSU_ID(hdr->ESLPolicies,"ESL");
     432                 :            :   
     433                 :            :   /* Old ID-WSF 1.2 Headers and App specific headers */
     434                 :            :   
     435         [ -  + ]:        191 :   if (hdr->Correlation)
     436         [ #  # ]:          0 :     ZXID_ADD_ID(hdr->Correlation,"COR");
     437         [ -  + ]:        191 :   if (hdr->Provider)
     438         [ #  # ]:          0 :     ZXID_ADD_ID(hdr->Provider,"PROV12");
     439         [ -  + ]:        191 :   if (hdr->b12_ProcessingContext)
     440         [ #  # ]:          0 :     ZXID_ADD_ID(hdr->b12_ProcessingContext,"PC12");
     441         [ -  + ]:        191 :   if (hdr->b12_Consent)
     442         [ #  # ]:          0 :     ZXID_ADD_ID(hdr->b12_Consent,"CON12");
     443         [ -  + ]:        191 :   if (hdr->b12_UsageDirective)
     444         [ #  # ]:          0 :     ZXID_ADD_ID(hdr->b12_UsageDirective,"UD12");
     445                 :            : #if 0
     446                 :            :   if (hdr->TransactionID)
     447                 :            :     ZXID_ADD_ID(hdr->TransactionID,"MM7TX"); /* *** mm7:TransactionID does not have id or Id */
     448                 :            : #endif
     449                 :        191 :   return n_refs;
     450                 :            : }
     451                 :            : 
     452                 :            : /*() Apply WSF style signature. */
     453                 :            : 
     454                 :            : /* Called by:  zxid_wsc_prep_secmech x3, zxid_wsf_decor */
     455                 :            : void zxid_wsf_sign(zxid_conf* cf, int sign_flags, struct zx_wsse_Security_s* sec, struct zx_wsse_SecurityTokenReference_s* str, struct zx_e_Header_s* hdr, struct zx_e_Body_s* bdy)
     456                 :        191 : {
     457                 :            :   X509* sign_cert;
     458                 :            :   EVP_PKEY* sign_pkey;
     459                 :            :   int n_refs;
     460                 :            :   struct zxsig_ref refs[ZXID_N_WSF_SIGNED_HEADERS];
     461                 :            :       
     462         [ +  - ]:        191 :   if (sign_flags) {
     463                 :        191 :     n_refs = 0;
     464                 :            :     
     465         [ +  - ]:        191 :     if (sign_flags & ZXID_SIGN_HDR)
     466                 :        191 :       n_refs = zxid_add_header_refs(cf, n_refs, refs, hdr);
     467                 :            :     
     468         [ +  + ]:        191 :     if (str)
     469         [ +  - ]:         38 :       ZXID_ADD_WSU_ID(str,"STR");
     470                 :            :     
     471   [ +  -  +  - ]:        191 :     if (bdy && (sign_flags & ZXID_SIGN_BDY))
     472         [ +  - ]:        191 :       ZXID_ADD_ID(bdy,"BDY");
     473                 :            :    
     474   [ -  +  #  # ]:        191 :     ASSERTOP(n_refs, <=, ZXID_N_WSF_SIGNED_HEADERS);
     475                 :            : 
     476         [ +  - ]:        191 :     if (zxid_lazy_load_sign_cert_and_pkey(cf, &sign_cert, &sign_pkey, "use sign cert wsc")) {
     477                 :        191 :       sec->Signature = zxsig_sign(cf->ctx, n_refs, refs, sign_cert, sign_pkey);
     478                 :        191 :       zx_add_kid(&sec->gg, &sec->Signature->gg);
     479                 :            :     }
     480                 :            :   }
     481                 :        191 : }
     482                 :            : 
     483                 :            : /*() Check ID-WSF Timestamp.
     484                 :            :  * The validity is controlled by configuration parameters BEFORE_SLOP and AFTER_SLOP.
     485                 :            :  * returns 1 on success, 0 on failure. */
     486                 :            : 
     487                 :            : /* Called by:  zxid_wsc_valid_re_env, zxid_wsp_validate_env */
     488                 :            : int zxid_timestamp_chk(zxid_conf* cf, zxid_ses* ses, struct zx_wsu_Timestamp_s* ts, struct timeval* ourts, struct timeval* srcts, const char* ctlpt, const char* faultactor)
     489                 :         55 : {
     490   [ +  -  +  -  :        110 :   if (ts && ZX_SIMPLE_ELEM_CHK(ts->Created)) {
          +  -  +  -  +  
             -  +  -  +  
                      - ]
     491   [ +  -  +  -  :         55 :     srcts->tv_sec = zx_date_time_to_secs(ZX_GET_CONTENT_S(ts->Created));
                   +  - ]
     492                 :            :      
     493   [ +  -  +  - ]:        110 :     if (srcts->tv_sec >= ourts->tv_sec - cf->before_slop
     494                 :            :         && srcts->tv_sec <= ourts->tv_sec + cf->after_slop) {
     495   [ +  +  -  + ]:         55 :       D("Timestamp accepted src=%d our=%d before_slop=%d after_slop=%d", (int)srcts->tv_sec, (int)ourts->tv_sec, cf->before_slop, cf->after_slop);
     496                 :            :     } else {
     497         [ #  # ]:          0 :       if (cf->notimestamp_fatal) {
     498                 :          0 :         ERR("Timestamp rejected: src=%d our=%d before_slop=%d after_slop=%d secs", (int)srcts->tv_sec, (int)ourts->tv_sec, cf->before_slop, cf->after_slop);
     499                 :          0 :         zxid_set_fault(cf, ses, zxid_mk_fault(cf, 0, ctlpt, faultactor, "Message signature did not validate.", "StaleMsg", 0, 0, 0));
     500                 :          0 :         return 0;
     501                 :            :       } else {
     502                 :          0 :         INFO("Timestamp rejected: src=%d our=%d before_slop=%d after_slop=%d secs, but configured to ignore this (NOTIMESTAMPFATAL=0)", (int)srcts->tv_sec, (int)ourts->tv_sec, cf->before_slop, cf->after_slop);
     503                 :            :       }
     504                 :            :     }
     505                 :            : 
     506                 :            :   } else {
     507         [ #  # ]:          0 :     if (cf->notimestamp_fatal) {
     508                 :          0 :       ERR("No Security/Timestamp found. %p", ts);
     509                 :          0 :       zxid_set_fault(cf, ses, zxid_mk_fault(cf, 0, ctlpt, faultactor, "No unable to find wsse:Security/Timestamp.", "StaleMsg", 0, 0, 0));
     510                 :          0 :       return 0;
     511                 :            :     } else {
     512                 :          0 :       INFO("No Security/Timestamp found, but configured to ignore this (NOTIMESTAMP_FATAL=0). %p", ts);
     513   [ #  #  #  # ]:          0 :       D("No ts OK %p", ts);
     514                 :            :     }
     515                 :            :   }
     516                 :         55 :   return 1;
     517                 :            : }
     518                 :            : 
     519                 :            : /*() Attach a SOL usage directive, unless the envelope already has UsageDirective
     520                 :            :  * header. If you wish to add other UsageDirectives, you must provide all of the
     521                 :            :  * usage directives to zxid_call() envelope argument.
     522                 :            :  * The ud argument typically comes from cf->wsc_localpdp_obl_pledge
     523                 :            :  * or cf->wsp_localpdp_obl_emit */
     524                 :            : 
     525                 :            : /* Called by:  zxid_wsc_prep, zxid_wsf_decor */
     526                 :            : void zxid_attach_sol1_usage_directive(zxid_conf* cf, zxid_ses* ses, struct zx_e_Envelope_s* env, const char* attrid, const char* obl)
     527                 :        191 : {
     528                 :            :   struct zx_b_UsageDirective_s* ud;
     529   [ +  -  -  + ]:        191 :   if (!env || !env->Header) {
     530                 :          0 :     ERR("Malformed envelope %p", env);
     531                 :          0 :     return;
     532                 :            :   }
     533   [ +  -  -  + ]:        191 :   if (!attrid || !*attrid) {
     534                 :          0 :     ERR("attrid argument must be supplied %p", attrid);
     535                 :          0 :     return;
     536                 :            :   }
     537         [ -  + ]:        191 :   if (env->Header->UsageDirective) {
     538                 :          0 :     INFO("UsageDirective already set by caller %d",0);
     539                 :          0 :     return;
     540                 :            :   }
     541   [ +  +  -  + ]:        191 :   if (!obl || !*obl)
     542                 :          1 :     return;
     543                 :            : 
     544                 :        190 :   env->Header->UsageDirective = ud = zx_NEW_b_UsageDirective(cf->ctx, &env->Header->gg);
     545                 :        190 :   ud->mustUnderstand = zx_ref_attr(cf->ctx, &ud->gg, zx_e_mustUnderstand_ATTR, XML_TRUE);
     546                 :        190 :   ud->actor = zx_ref_attr(cf->ctx, &ud->gg, zx_e_actor_ATTR, SOAP_ACTOR_NEXT);
     547                 :        190 :   ud->Obligation = zx_NEW_xa_Obligation(cf->ctx, &ud->gg);
     548                 :        190 :   ud->Obligation->ObligationId = zx_ref_attr(cf->ctx, &ud->Obligation->gg, zx_ObligationId_ATTR, TAS3_SOL1_ENGINE);
     549                 :        190 :   ud->Obligation->FulfillOn = zx_ref_attr(cf->ctx, &ud->Obligation->gg, zx_FulfillOn_ATTR, "Permit");
     550                 :        190 :   ud->Obligation->AttributeAssignment = zx_NEW_xa_AttributeAssignment(cf->ctx, &ud->Obligation->gg);
     551                 :        190 :   ud->Obligation->AttributeAssignment->DataType = zx_ref_attr(cf->ctx, &ud->Obligation->AttributeAssignment->gg, zx_DataType_ATTR, XS_STRING);
     552                 :        190 :   ud->Obligation->AttributeAssignment->AttributeId = zx_dup_attr(cf->ctx, &ud->Obligation->AttributeAssignment->gg, zx_AttributeId_ATTR, attrid);
     553                 :        190 :   zx_add_content(cf->ctx, &ud->Obligation->AttributeAssignment->gg, zx_dup_str(cf->ctx, obl));
     554   [ +  +  -  + ]:        190 :   D("Attached (%s) obligations(%s)", attrid, obl);
     555                 :            : }
     556                 :            : 
     557                 :            : /* EOF  --  zxidwsf.c */

Generated by: LCOV version 1.9