Branch data Line data Source code
1 : : /* zxidwsf.c - Handwritten nitty-gritty functions for Liberty ID-WSF Framework level
2 : : * Copyright (c) 2009-2010 Sampo Kellomaki (sampo@iki.fi), All Rights Reserved.
3 : : * Copyright (c) 2007-2009 Symlabs (symlabs@symlabs.com), All Rights Reserved.
4 : : * Author: Sampo Kellomaki (sampo@iki.fi)
5 : : * This is confidential unpublished proprietary source code of the author.
6 : : * NO WARRANTY, not even implied warranties. Contains trade secrets.
7 : : * Distribution prohibited unless authorized in writing.
8 : : * Licensed under Apache License 2.0, see file COPYING.
9 : : * $Id: zxidwsc.c,v 1.19 2010-01-08 02:10:09 sampo Exp $
10 : : *
11 : : * 7.1.2007, created --Sampo
12 : : * 7.10.2008, added documentation --Sampo
13 : : * 7.1.2010, added WSC signing --Sampo
14 : : * 31.5.2010, added complex sig validation and hunt --Sampo
15 : : */
16 : :
17 : : #include "platform.h" /* needed on Win32 for pthread_mutex_lock() et al. */
18 : :
19 : : #include "errmac.h"
20 : : #include "zxid.h"
21 : : #include "zxidpriv.h"
22 : : #include "zxidconf.h"
23 : : #include "saml2.h"
24 : : #include "wsf.h"
25 : : #include "c/zx-const.h"
26 : : #include "c/zx-ns.h"
27 : : #include "c/zx-data.h"
28 : :
29 : : #define XS_STRING "http://www.w3.org/2001/XMLSchema#string"
30 : : #define BOOL_STR_TEST(x) ((x) && (x) != '0')
31 : :
32 : : /*() Try to map security mechanisms across different frame works. Low level
33 : : * function. This also makes some elementary checks as to whether the
34 : : * EPR is even capable of supporting the sec mech. */
35 : :
36 : : /* Called by: zxid_wsc_prep_secmech */
37 : : int zxid_map_sec_mech(zxid_epr* epr)
38 : 38 : {
39 : : int len;
40 : : const char* s;
41 : : struct zx_elem_s* secmechid;
42 [ + - + - : 38 : if (!epr || !epr->Metadata || !epr->Metadata->SecurityContext) {
- + ]
43 : 0 : INFO("EPR lacks Metadata or SecurityContext. Forcing X509. %p", epr->Metadata);
44 : 0 : return ZXID_SEC_MECH_X509;
45 : : }
46 : 38 : secmechid = epr->Metadata->SecurityContext->SecurityMechID;
47 [ + - + - : 38 : if (!ZX_SIMPLE_ELEM_CHK(secmechid)) {
+ - + - +
- - + ]
48 [ # # ]: 0 : if (epr->Metadata->SecurityContext->Token) {
49 : 0 : INFO("EPR does not specify sec mech id. Forcing Bearer. %p", secmechid);
50 : 0 : return ZXID_SEC_MECH_BEARER;
51 : : } else {
52 : 0 : INFO("EPR lacks Token. Forcing X509. %p", secmechid);
53 : 0 : return ZXID_SEC_MECH_X509;
54 : : }
55 : : }
56 : :
57 [ + - + - : 38 : len = ZX_GET_CONTENT_LEN(secmechid);
+ - ]
58 [ + - + - : 38 : s = ZX_GET_CONTENT_S(secmechid);
+ - ]
59 : :
60 [ + + - + ]: 38 : D("mapping secmec(%.*s)", len, s);
61 : :
62 : : #define SEC_MECH_TEST(ret, val) if (len == sizeof(val)-1 && !memcmp(s, val, sizeof(val)-1)) return ret;
63 : :
64 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_X509, WSF11_SEC_MECH_NULL_X509);
65 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_X509, WSF11_SEC_MECH_TLS_X509);
66 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_X509, WSF11_SEC_MECH_CLTLS_X509);
67 : :
68 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF11_SEC_MECH_NULL_NULL);
69 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF11_SEC_MECH_TLS_NULL);
70 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF11_SEC_MECH_CLTLS_NULL);
71 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF20_SEC_MECH_NULL_NULL);
72 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_NULL, WSF20_SEC_MECH_TLS_NULL);
73 : :
74 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_PEERS, WSF20_SEC_MECH_CLTLS_PEERS2);
75 : :
76 [ - + ]: 38 : if (!epr->Metadata->SecurityContext->Token) {
77 : 0 : INFO("EPR lacks Token despite not being NULL or X509. Forcing X509. %.*s", len, s);
78 : 0 : return ZXID_SEC_MECH_X509;
79 : : }
80 : :
81 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF10_SEC_MECH_NULL_BEARER);
82 [ + - - + ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF10_SEC_MECH_TLS_BEARER);
83 [ - + # # ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF11_SEC_MECH_NULL_BEARER);
84 [ + - + - ]: 38 : SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF11_SEC_MECH_TLS_BEARER);
85 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF11_SEC_MECH_CLTLS_BEARER);
86 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF20_SEC_MECH_NULL_BEARER);
87 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_BEARER, WSF20_SEC_MECH_TLS_BEARER);
88 : :
89 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF11_SEC_MECH_NULL_SAML);
90 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF11_SEC_MECH_TLS_SAML);
91 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF11_SEC_MECH_CLTLS_SAML);
92 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF20_SEC_MECH_NULL_SAML2);
93 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF20_SEC_MECH_TLS_SAML2);
94 [ # # # # ]: 0 : SEC_MECH_TEST(ZXID_SEC_MECH_SAML, WSF20_SEC_MECH_CLTLS_SAML2);
95 : :
96 : 0 : ERR("Unknown security mechanism(%.*s), taking a guess...", len, s);
97 : :
98 [ # # # # ]: 0 : if (len >= sizeof("Bearer")-1 && zx_memmem(s, len, "Bearer", sizeof("Bearer")-1))
99 : 0 : return ZXID_SEC_MECH_BEARER;
100 [ # # # # ]: 0 : if (len >= sizeof("SAML")-1 && zx_memmem(s, len, "SAML", sizeof("SAML")-1))
101 : 0 : return ZXID_SEC_MECH_BEARER;
102 [ # # # # ]: 0 : if (len >= sizeof("X509")-1 && zx_memmem(s, len, "X509", sizeof("X509")-1))
103 : 0 : return ZXID_SEC_MECH_BEARER;
104 : :
105 : 0 : ERR("Unknown security mechanism(%.*s), uable to guess.", len, s);
106 : 0 : return ZXID_SEC_MECH_NULL;
107 : : }
108 : :
109 : : #define ZX_URI_Id_CMP(hdr) ((hdr) && (hdr)->Id && (hdr)->Id->g.len == sref->URI->g.len-1 && !memcmp((hdr)->Id->g.s, sref->URI->g.s+1, (hdr)->Id->g.len))
110 : : #define ZX_URI_id_CMP(hdr) ((hdr) && (hdr)->id && (hdr)->id->g.len == sref->URI->g.len-1 && !memcmp((hdr)->id->g.s, sref->URI->g.s+1, (hdr)->id->g.len))
111 : :
112 : : /*() For purposes of signature validation, add references and xml data structures
113 : : * of all apparently signed message parts.
114 : : * See also: zxid_add_header_refs() and zxsig_sign() or zxid_chk_sig() + zxsig_validate() */
115 : :
116 : : /* Called by: wsse_sec_validate, zxid_wsc_valid_re_env, zxid_wsp_validate_env */
117 : : int zxid_hunt_sig_parts(zxid_conf* cf, int n_refs, struct zxsig_ref* refs, struct zx_ds_Reference_s* sref, struct zx_e_Header_s* hdr, struct zx_e_Body_s* bdy)
118 : 57 : {
119 [ + + + - : 587 : for (; sref && sref->gg.g.tok == zx_ds_Reference_ELEM
+ - ]
120 : : && n_refs < ZXID_N_WSF_SIGNED_HEADERS;
121 : 473 : sref = (void*)ZX_NEXT(sref)) {
122 [ + - + - : 473 : if (!sref->URI || !sref->URI->g.len || !sref->URI->g.s || !sref->URI->g.s[0]) {
+ - - + ]
123 : 0 : ERR("Malformed signature: Reference is missing URI %p n_refs=%d", sref->URI, n_refs);
124 : 0 : continue;
125 : : }
126 : 473 : refs[n_refs].sref = sref;
127 : 473 : refs[n_refs].blob = 0;
128 : :
129 : : /* Addressing and Security Headers */
130 : :
131 [ + - + - : 473 : if (ZX_URI_Id_CMP(hdr->Framework)) {
+ + + + ]
132 [ + + - + ]: 57 : D("Found ref URI(%.*s) Framework %d", sref->URI->g.len, sref->URI->g.s, n_refs);
133 : 57 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Framework;
134 : 57 : ++n_refs;
135 : 57 : continue;
136 : : }
137 : :
138 [ + - ]: 416 : if (hdr->Security) {
139 [ + - + - : 416 : if (ZX_URI_Id_CMP(hdr->Security->Timestamp)) {
+ + + + ]
140 [ + + - + ]: 57 : D("Found ref URI(%.*s) Timestamp %d", sref->URI->g.len, sref->URI->g.s, n_refs);
141 : 57 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Security->Timestamp;
142 : 57 : ++n_refs;
143 : 57 : continue;
144 : : }
145 [ + + + - : 359 : if (ZX_URI_Id_CMP(hdr->Security->SecurityTokenReference)) {
+ + + + ]
146 [ + + - + ]: 37 : D("Found ref URI(%.*s) SecurityTokenReference %d", sref->URI->g.len, sref->URI->g.s, n_refs);
147 : 37 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Security->SecurityTokenReference;
148 : 37 : ++n_refs;
149 : 37 : continue;
150 : : }
151 : : }
152 : :
153 [ + - + - : 322 : if (ZX_URI_Id_CMP(hdr->MessageID)) {
+ + + + ]
154 [ + + - + ]: 57 : D("Found ref URI(%.*s) MessageID %d", sref->URI->g.len, sref->URI->g.s, n_refs);
155 : 57 : refs[n_refs].blob = (struct zx_elem_s*)hdr->MessageID;
156 : 57 : ++n_refs;
157 : 57 : continue;
158 : : }
159 : :
160 [ + + + - : 265 : if (ZX_URI_Id_CMP(hdr->RelatesTo)) {
+ + + + ]
161 [ + + - + ]: 20 : D("Found ref URI(%.*s) RelatesTo %d", sref->URI->g.len, sref->URI->g.s, n_refs);
162 : 20 : refs[n_refs].blob = (struct zx_elem_s*)hdr->RelatesTo;
163 : 20 : ++n_refs;
164 : 20 : continue;
165 : : }
166 : :
167 [ - + # # : 245 : if (ZX_URI_Id_CMP(hdr->Action)) {
# # # # ]
168 [ # # # # ]: 0 : D("Found ref URI(%.*s) Action %d", sref->URI->g.len, sref->URI->g.s, n_refs);
169 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Action;
170 : 0 : ++n_refs;
171 : 0 : continue;
172 : : }
173 : :
174 [ + + + - : 245 : if (ZX_URI_Id_CMP(hdr->To)) {
+ + + + ]
175 [ + + - + ]: 37 : D("Found ref URI(%.*s) To %d", sref->URI->g.len, sref->URI->g.s, n_refs);
176 : 37 : refs[n_refs].blob = (struct zx_elem_s*)hdr->To;
177 : 37 : ++n_refs;
178 : 37 : continue;
179 : : }
180 : :
181 [ + + + - : 208 : if (ZX_URI_Id_CMP(hdr->ReplyTo)) {
+ + + + ]
182 [ + + - + ]: 37 : D("Found ref URI(%.*s) ReplyTo %d", sref->URI->g.len, sref->URI->g.s, n_refs);
183 : 37 : refs[n_refs].blob = (struct zx_elem_s*)hdr->ReplyTo;
184 : 37 : ++n_refs;
185 : 37 : continue;
186 : : }
187 : :
188 [ - + # # : 171 : if (ZX_URI_Id_CMP(hdr->From)) {
# # # # ]
189 [ # # # # ]: 0 : D("Found ref URI(%.*s) From %d", sref->URI->g.len, sref->URI->g.s, n_refs);
190 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->From;
191 : 0 : ++n_refs;
192 : 0 : continue;
193 : : }
194 : :
195 [ + - + - : 171 : if (ZX_URI_Id_CMP(hdr->Sender)) {
+ + + + ]
196 [ + + - + ]: 57 : D("Found ref URI(%.*s) Sender %d", sref->URI->g.len, sref->URI->g.s, n_refs);
197 : 57 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Sender;
198 : 57 : ++n_refs;
199 : 57 : continue;
200 : : }
201 : :
202 [ - + # # : 114 : if (ZX_URI_Id_CMP(hdr->FaultTo)) {
# # # # ]
203 [ # # # # ]: 0 : D("Found ref URI(%.*s) FaultTo %d", sref->URI->g.len, sref->URI->g.s, n_refs);
204 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->FaultTo;
205 : 0 : ++n_refs;
206 : 0 : continue;
207 : : }
208 : :
209 [ - + # # : 114 : if (ZX_URI_Id_CMP(hdr->ReferenceParameters)) {
# # # # ]
210 [ # # # # ]: 0 : D("Found ref URI(%.*s) ReferenceParameters %d", sref->URI->g.len, sref->URI->g.s, n_refs);
211 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->ReferenceParameters;
212 : 0 : ++n_refs;
213 : 0 : continue;
214 : : }
215 : :
216 : : /* ID-WSF headers */
217 : :
218 [ - + # # : 114 : if (ZX_URI_Id_CMP(hdr->TargetIdentity)) {
# # # # ]
219 [ # # # # ]: 0 : D("Found ref URI(%.*s) TargetIdentity %d", sref->URI->g.len, sref->URI->g.s, n_refs);
220 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->TargetIdentity;
221 : 0 : ++n_refs;
222 : 0 : continue;
223 : : }
224 : :
225 [ + - + - : 114 : if (ZX_URI_Id_CMP(hdr->UsageDirective)) {
+ + + - ]
226 [ + + - + ]: 57 : D("Found ref URI(%.*s) UsageDirective %d", sref->URI->g.len, sref->URI->g.s, n_refs);
227 : 57 : refs[n_refs].blob = (struct zx_elem_s*)hdr->UsageDirective;
228 : 57 : ++n_refs;
229 : 57 : continue;
230 : : }
231 : :
232 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->UserInteraction)) {
# # # # ]
233 [ # # # # ]: 0 : D("Found ref URI(%.*s) UserInteraction %d", sref->URI->g.len, sref->URI->g.s, n_refs);
234 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->UserInteraction;
235 : 0 : ++n_refs;
236 : 0 : continue;
237 : : }
238 : :
239 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->ProcessingContext)) {
# # # # ]
240 [ # # # # ]: 0 : D("Found ref URI(%.*s) ProcessingContext %d", sref->URI->g.len, sref->URI->g.s, n_refs);
241 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->ProcessingContext;
242 : 0 : ++n_refs;
243 : 0 : continue;
244 : : }
245 : :
246 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->EndpointUpdate)) {
# # # # ]
247 [ # # # # ]: 0 : D("Found ref URI(%.*s) EndpointUpdate %d", sref->URI->g.len, sref->URI->g.s, n_refs);
248 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->EndpointUpdate;
249 : 0 : ++n_refs;
250 : 0 : continue;
251 : : }
252 : :
253 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->Timeout)) {
# # # # ]
254 [ # # # # ]: 0 : D("Found ref URI(%.*s) Timeout %d", sref->URI->g.len, sref->URI->g.s, n_refs);
255 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Timeout;
256 : 0 : ++n_refs;
257 : 0 : continue;
258 : : }
259 : :
260 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->Consent)) {
# # # # ]
261 [ # # # # ]: 0 : D("Found ref URI(%.*s) Consent %d", sref->URI->g.len, sref->URI->g.s, n_refs);
262 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Consent;
263 : 0 : ++n_refs;
264 : 0 : continue;
265 : : }
266 : :
267 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->ApplicationEPR)) {
# # # # ]
268 [ # # # # ]: 0 : D("Found ref URI(%.*s) ApplicationEPR %d", sref->URI->g.len, sref->URI->g.s, n_refs);
269 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->ApplicationEPR;
270 : 0 : ++n_refs;
271 : 0 : continue;
272 : : }
273 : :
274 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->RedirectRequest)) {
# # # # ]
275 [ # # # # ]: 0 : D("Found ref URI(%.*s) RedirectRequest %d", sref->URI->g.len, sref->URI->g.s, n_refs);
276 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->RedirectRequest;
277 : 0 : ++n_refs;
278 : 0 : continue;
279 : : }
280 : :
281 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->CredentialsContext)) {
# # # # ]
282 [ # # # # ]: 0 : D("Found ref URI(%.*s) CredentialsContext %d", sref->URI->g.len, sref->URI->g.s, n_refs);
283 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->CredentialsContext;
284 : 0 : ++n_refs;
285 : 0 : continue;
286 : : }
287 : :
288 : : /* TAS3 specifics */
289 : :
290 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->Credentials)) {
# # # # ]
291 [ # # # # ]: 0 : D("Found ref URI(%.*s) Credentials %d", sref->URI->g.len, sref->URI->g.s, n_refs);
292 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Credentials;
293 : 0 : ++n_refs;
294 : 0 : continue;
295 : : }
296 : :
297 [ - + # # : 57 : if (ZX_URI_Id_CMP(hdr->ESLPolicies)) {
# # # # ]
298 [ # # # # ]: 0 : D("Found ref URI(%.*s) ESLPolicies %d", sref->URI->g.len, sref->URI->g.s, n_refs);
299 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->ESLPolicies;
300 : 0 : ++n_refs;
301 : 0 : continue;
302 : : }
303 : :
304 : : /* Old ID-WSF 1.2 Headers and App specific headers */
305 : :
306 [ - + # # : 57 : if (ZX_URI_id_CMP(hdr->Correlation)) {
# # # # ]
307 [ # # # # ]: 0 : D("Found ref URI(%.*s) Correlation %d", sref->URI->g.len, sref->URI->g.s, n_refs);
308 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Correlation;
309 : 0 : ++n_refs;
310 : 0 : continue;
311 : : }
312 : :
313 [ - + # # : 57 : if (ZX_URI_id_CMP(hdr->Provider)) {
# # # # ]
314 [ # # # # ]: 0 : D("Found ref URI(%.*s) Provider %d", sref->URI->g.len, sref->URI->g.s, n_refs);
315 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->Provider;
316 : 0 : ++n_refs;
317 : 0 : continue;
318 : : }
319 : :
320 [ - + # # : 57 : if (ZX_URI_id_CMP(hdr->b12_ProcessingContext)) {
# # # # ]
321 [ # # # # ]: 0 : D("Found ref URI(%.*s) b12_ProcessingContext %d", sref->URI->g.len, sref->URI->g.s, n_refs);
322 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->b12_ProcessingContext;
323 : 0 : ++n_refs;
324 : 0 : continue;
325 : : }
326 : :
327 [ - + # # : 57 : if (ZX_URI_id_CMP(hdr->b12_Consent)) {
# # # # ]
328 [ # # # # ]: 0 : D("Found ref URI(%.*s) b12_Consent %d", sref->URI->g.len, sref->URI->g.s, n_refs);
329 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->b12_Consent;
330 : 0 : ++n_refs;
331 : 0 : continue;
332 : : }
333 : :
334 [ - + # # : 57 : if (ZX_URI_id_CMP(hdr->b12_UsageDirective)) {
# # # # ]
335 [ # # # # ]: 0 : D("Found ref URI(%.*s) b12_UsageDirective %d", sref->URI->g.len, sref->URI->g.s, n_refs);
336 : 0 : refs[n_refs].blob = (struct zx_elem_s*)hdr->b12_UsageDirective;
337 : 0 : ++n_refs;
338 : 0 : continue;
339 : : }
340 : : #if 0
341 : : if (ZX_URI_id_CMP(hdr->TransactionID)) {
342 : : D("Found ref URI(%.*s) TransactionID %d", sref->URI->g.len, sref->URI->g.s, n_refs);
343 : : refs[n_refs].blob = (struct zx_elem_s*)hdr->TransactionID;
344 : : ++n_refs;
345 : : continue;
346 : : }
347 : : #endif
348 [ + - + - : 57 : if (ZX_URI_id_CMP(bdy)) {
+ - + - ]
349 [ + + - + ]: 57 : D("Found ref URI(%.*s) Body %d", sref->URI->g.len, sref->URI->g.s, n_refs);
350 : 57 : refs[n_refs].blob = (struct zx_elem_s*)bdy;
351 : 57 : ++n_refs;
352 : 57 : continue;
353 : : }
354 : : }
355 : 57 : return n_refs;
356 : : }
357 : :
358 : : #define ZXID_ADD_WSU_ID(H,idval) MB if (!H->Id) \
359 : : H->Id = zx_ord_ins_at(&H->gg, zx_ref_attr(cf->ctx, 0, zx_wsu_Id_ATTR, idval)); \
360 : : refs[n_refs].id = &H->Id->g; \
361 : : refs[n_refs].canon = zx_easy_enc_elem_sig(cf, &H->gg); \
362 : : ++n_refs; ME
363 : :
364 : : #define ZXID_ADD_ID(H,idval) MB if (!H->id) \
365 : : H->id = zx_ord_ins_at(&H->gg, zx_ref_attr(cf->ctx, 0, zx_id_ATTR, idval)); \
366 : : refs[n_refs].id = &H->id->g; \
367 : : refs[n_refs].canon = zx_easy_enc_elem_sig(cf, &H->gg); \
368 : : ++n_refs; ME
369 : :
370 : :
371 : : /*() For purposes of signing, add references and canon forms of all known SOAP headers.
372 : : * N.B. This function only works for preparing for signing.
373 : : * See also: zxsig_sign(), zxid_hunt_sig_parts() or zxid_chk_sig() + zxsig_validate() */
374 : :
375 : : /* Called by: zxid_wsf_sign */
376 : : int zxid_add_header_refs(zxid_conf* cf, int n_refs, struct zxsig_ref* refs, struct zx_e_Header_s* hdr)
377 : 191 : {
378 : : /* Addressing and Security Headers */
379 : :
380 [ + - ]: 191 : if (hdr->Framework)
381 [ + - ]: 191 : ZXID_ADD_WSU_ID(hdr->Framework,"FWK");
382 [ + - + - ]: 191 : if (hdr->Security && hdr->Security->Timestamp)
383 [ + - ]: 191 : ZXID_ADD_WSU_ID(hdr->Security->Timestamp,"TS");
384 [ + - ]: 191 : if (hdr->MessageID)
385 [ + - ]: 191 : ZXID_ADD_WSU_ID(hdr->MessageID,"MID");
386 [ + + ]: 191 : if (hdr->RelatesTo)
387 [ + - ]: 35 : ZXID_ADD_WSU_ID(hdr->RelatesTo,"REL");
388 [ - + ]: 191 : if (hdr->Action)
389 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->Action,"ACT");
390 [ + + ]: 191 : if (hdr->To)
391 [ + - ]: 38 : ZXID_ADD_WSU_ID(hdr->To,"TO");
392 [ + + ]: 191 : if (hdr->ReplyTo)
393 [ + - ]: 38 : ZXID_ADD_WSU_ID(hdr->ReplyTo,"REP");
394 [ - + ]: 191 : if (hdr->From)
395 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->From,"FRM");
396 [ + - ]: 191 : if (hdr->Sender)
397 [ + - ]: 191 : ZXID_ADD_WSU_ID(hdr->Sender,"PRV");
398 [ - + ]: 191 : if (hdr->FaultTo)
399 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->FaultTo,"FLT");
400 [ - + ]: 191 : if (hdr->ReferenceParameters)
401 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->ReferenceParameters,"PAR");
402 : :
403 : : /* ID-WSF headers */
404 : :
405 [ - + ]: 191 : if (hdr->TargetIdentity)
406 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->TargetIdentity,"TRG");
407 [ + + ]: 191 : if (hdr->UsageDirective)
408 [ + - ]: 190 : ZXID_ADD_WSU_ID(hdr->UsageDirective,"UD");
409 [ - + ]: 191 : if (hdr->UserInteraction)
410 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->UserInteraction,"UI");
411 [ - + ]: 191 : if (hdr->ProcessingContext)
412 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->ProcessingContext,"PC");
413 [ - + ]: 191 : if (hdr->EndpointUpdate)
414 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->EndpointUpdate,"EP");
415 [ - + ]: 191 : if (hdr->Timeout)
416 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->Timeout,"TI");
417 [ - + ]: 191 : if (hdr->Consent)
418 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->Consent,"CON");
419 [ - + ]: 191 : if (hdr->ApplicationEPR)
420 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->ApplicationEPR,"AEP");
421 [ - + ]: 191 : if (hdr->RedirectRequest)
422 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->RedirectRequest,"RR");
423 [ - + ]: 191 : if (hdr->CredentialsContext)
424 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->CredentialsContext,"CCX");
425 : :
426 : : /* TAS3 specifics */
427 : :
428 [ - + ]: 191 : if (hdr->Credentials)
429 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->Credentials,"CRED");
430 [ - + ]: 191 : if (hdr->ESLPolicies)
431 [ # # ]: 0 : ZXID_ADD_WSU_ID(hdr->ESLPolicies,"ESL");
432 : :
433 : : /* Old ID-WSF 1.2 Headers and App specific headers */
434 : :
435 [ - + ]: 191 : if (hdr->Correlation)
436 [ # # ]: 0 : ZXID_ADD_ID(hdr->Correlation,"COR");
437 [ - + ]: 191 : if (hdr->Provider)
438 [ # # ]: 0 : ZXID_ADD_ID(hdr->Provider,"PROV12");
439 [ - + ]: 191 : if (hdr->b12_ProcessingContext)
440 [ # # ]: 0 : ZXID_ADD_ID(hdr->b12_ProcessingContext,"PC12");
441 [ - + ]: 191 : if (hdr->b12_Consent)
442 [ # # ]: 0 : ZXID_ADD_ID(hdr->b12_Consent,"CON12");
443 [ - + ]: 191 : if (hdr->b12_UsageDirective)
444 [ # # ]: 0 : ZXID_ADD_ID(hdr->b12_UsageDirective,"UD12");
445 : : #if 0
446 : : if (hdr->TransactionID)
447 : : ZXID_ADD_ID(hdr->TransactionID,"MM7TX"); /* *** mm7:TransactionID does not have id or Id */
448 : : #endif
449 : 191 : return n_refs;
450 : : }
451 : :
452 : : /*() Apply WSF style signature. */
453 : :
454 : : /* Called by: zxid_wsc_prep_secmech x3, zxid_wsf_decor */
455 : : void zxid_wsf_sign(zxid_conf* cf, int sign_flags, struct zx_wsse_Security_s* sec, struct zx_wsse_SecurityTokenReference_s* str, struct zx_e_Header_s* hdr, struct zx_e_Body_s* bdy)
456 : 191 : {
457 : : X509* sign_cert;
458 : : EVP_PKEY* sign_pkey;
459 : : int n_refs;
460 : : struct zxsig_ref refs[ZXID_N_WSF_SIGNED_HEADERS];
461 : :
462 [ + - ]: 191 : if (sign_flags) {
463 : 191 : n_refs = 0;
464 : :
465 [ + - ]: 191 : if (sign_flags & ZXID_SIGN_HDR)
466 : 191 : n_refs = zxid_add_header_refs(cf, n_refs, refs, hdr);
467 : :
468 [ + + ]: 191 : if (str)
469 [ + - ]: 38 : ZXID_ADD_WSU_ID(str,"STR");
470 : :
471 [ + - + - ]: 191 : if (bdy && (sign_flags & ZXID_SIGN_BDY))
472 [ + - ]: 191 : ZXID_ADD_ID(bdy,"BDY");
473 : :
474 [ - + # # ]: 191 : ASSERTOP(n_refs, <=, ZXID_N_WSF_SIGNED_HEADERS);
475 : :
476 [ + - ]: 191 : if (zxid_lazy_load_sign_cert_and_pkey(cf, &sign_cert, &sign_pkey, "use sign cert wsc")) {
477 : 191 : sec->Signature = zxsig_sign(cf->ctx, n_refs, refs, sign_cert, sign_pkey);
478 : 191 : zx_add_kid(&sec->gg, &sec->Signature->gg);
479 : : }
480 : : }
481 : 191 : }
482 : :
483 : : /*() Check ID-WSF Timestamp.
484 : : * The validity is controlled by configuration parameters BEFORE_SLOP and AFTER_SLOP.
485 : : * returns 1 on success, 0 on failure. */
486 : :
487 : : /* Called by: zxid_wsc_valid_re_env, zxid_wsp_validate_env */
488 : : int zxid_timestamp_chk(zxid_conf* cf, zxid_ses* ses, struct zx_wsu_Timestamp_s* ts, struct timeval* ourts, struct timeval* srcts, const char* ctlpt, const char* faultactor)
489 : 55 : {
490 [ + - + - : 110 : if (ts && ZX_SIMPLE_ELEM_CHK(ts->Created)) {
+ - + - +
- + - +
- ]
491 [ + - + - : 55 : srcts->tv_sec = zx_date_time_to_secs(ZX_GET_CONTENT_S(ts->Created));
+ - ]
492 : :
493 [ + - + - ]: 110 : if (srcts->tv_sec >= ourts->tv_sec - cf->before_slop
494 : : && srcts->tv_sec <= ourts->tv_sec + cf->after_slop) {
495 [ + + - + ]: 55 : D("Timestamp accepted src=%d our=%d before_slop=%d after_slop=%d", (int)srcts->tv_sec, (int)ourts->tv_sec, cf->before_slop, cf->after_slop);
496 : : } else {
497 [ # # ]: 0 : if (cf->notimestamp_fatal) {
498 : 0 : ERR("Timestamp rejected: src=%d our=%d before_slop=%d after_slop=%d secs", (int)srcts->tv_sec, (int)ourts->tv_sec, cf->before_slop, cf->after_slop);
499 : 0 : zxid_set_fault(cf, ses, zxid_mk_fault(cf, 0, ctlpt, faultactor, "Message signature did not validate.", "StaleMsg", 0, 0, 0));
500 : 0 : return 0;
501 : : } else {
502 : 0 : INFO("Timestamp rejected: src=%d our=%d before_slop=%d after_slop=%d secs, but configured to ignore this (NOTIMESTAMPFATAL=0)", (int)srcts->tv_sec, (int)ourts->tv_sec, cf->before_slop, cf->after_slop);
503 : : }
504 : : }
505 : :
506 : : } else {
507 [ # # ]: 0 : if (cf->notimestamp_fatal) {
508 : 0 : ERR("No Security/Timestamp found. %p", ts);
509 : 0 : zxid_set_fault(cf, ses, zxid_mk_fault(cf, 0, ctlpt, faultactor, "No unable to find wsse:Security/Timestamp.", "StaleMsg", 0, 0, 0));
510 : 0 : return 0;
511 : : } else {
512 : 0 : INFO("No Security/Timestamp found, but configured to ignore this (NOTIMESTAMP_FATAL=0). %p", ts);
513 [ # # # # ]: 0 : D("No ts OK %p", ts);
514 : : }
515 : : }
516 : 55 : return 1;
517 : : }
518 : :
519 : : /*() Attach a SOL usage directive, unless the envelope already has UsageDirective
520 : : * header. If you wish to add other UsageDirectives, you must provide all of the
521 : : * usage directives to zxid_call() envelope argument.
522 : : * The ud argument typically comes from cf->wsc_localpdp_obl_pledge
523 : : * or cf->wsp_localpdp_obl_emit */
524 : :
525 : : /* Called by: zxid_wsc_prep, zxid_wsf_decor */
526 : : void zxid_attach_sol1_usage_directive(zxid_conf* cf, zxid_ses* ses, struct zx_e_Envelope_s* env, const char* attrid, const char* obl)
527 : 191 : {
528 : : struct zx_b_UsageDirective_s* ud;
529 [ + - - + ]: 191 : if (!env || !env->Header) {
530 : 0 : ERR("Malformed envelope %p", env);
531 : 0 : return;
532 : : }
533 [ + - - + ]: 191 : if (!attrid || !*attrid) {
534 : 0 : ERR("attrid argument must be supplied %p", attrid);
535 : 0 : return;
536 : : }
537 [ - + ]: 191 : if (env->Header->UsageDirective) {
538 : 0 : INFO("UsageDirective already set by caller %d",0);
539 : 0 : return;
540 : : }
541 [ + + - + ]: 191 : if (!obl || !*obl)
542 : 1 : return;
543 : :
544 : 190 : env->Header->UsageDirective = ud = zx_NEW_b_UsageDirective(cf->ctx, &env->Header->gg);
545 : 190 : ud->mustUnderstand = zx_ref_attr(cf->ctx, &ud->gg, zx_e_mustUnderstand_ATTR, XML_TRUE);
546 : 190 : ud->actor = zx_ref_attr(cf->ctx, &ud->gg, zx_e_actor_ATTR, SOAP_ACTOR_NEXT);
547 : 190 : ud->Obligation = zx_NEW_xa_Obligation(cf->ctx, &ud->gg);
548 : 190 : ud->Obligation->ObligationId = zx_ref_attr(cf->ctx, &ud->Obligation->gg, zx_ObligationId_ATTR, TAS3_SOL1_ENGINE);
549 : 190 : ud->Obligation->FulfillOn = zx_ref_attr(cf->ctx, &ud->Obligation->gg, zx_FulfillOn_ATTR, "Permit");
550 : 190 : ud->Obligation->AttributeAssignment = zx_NEW_xa_AttributeAssignment(cf->ctx, &ud->Obligation->gg);
551 : 190 : ud->Obligation->AttributeAssignment->DataType = zx_ref_attr(cf->ctx, &ud->Obligation->AttributeAssignment->gg, zx_DataType_ATTR, XS_STRING);
552 : 190 : ud->Obligation->AttributeAssignment->AttributeId = zx_dup_attr(cf->ctx, &ud->Obligation->AttributeAssignment->gg, zx_AttributeId_ATTR, attrid);
553 : 190 : zx_add_content(cf->ctx, &ud->Obligation->AttributeAssignment->gg, zx_dup_str(cf->ctx, obl));
554 [ + + - + ]: 190 : D("Attached (%s) obligations(%s)", attrid, obl);
555 : : }
556 : :
557 : : /* EOF -- zxidwsf.c */
|