See also
mod_auth_saml Apache module documentation: SSO without programming.
zxid_simple() Easy API for SAML
ZXID Raw API: Program like the pros (and fix your own problems). See also Function Reference
ZXID ID-WSF API: Make Identity Web Services Calls using ID-WSF
ZXID Compilation and Installation: Compile and install from source or package.
ZXID Configuration Reference: Nitty gritty on all options.
ZXID Circle of Trust Reference: How to set up the Circle of Trust, i.e. the partners your web site works with.
ZXID Logging Reference: ZXID digitally signed logging facility
javazxid: Using ZXID from Java
Net::SAML: Using ZXID from Perl
php_zxid: Using ZXID from PHP
README.smime: Crypto and Cert Tutorial
Apache hook. Called from httpd-2.2.8/server/request.c: ap_process_request_internal() ap_run_check_user_id(). Return value is processed in modules/http/http_request.c and redirect is in ap_die(), http_protocol.c: ap_send_error_response()
Source file: mod_auth_saml.c
Construct a zx_str from a sprintf(3) format, grabbing memory from the ZX memory allocator.
Source file: zxlib.c
Add attributes from a query string to the session attribute pool. The qs argument is parsed according to CGI query string rules and the attributes are added to the session. If apply_map is 1, the INMAP configuration is applied; while this may seem a hassle, it allows values to be specified as safe_base64, etc. To add values verbatim, pass 0 (all other values are reserved). The qs argument is modified in place by URL decoding and nul termination, so duplicate any string constant before calling. Returns 1 on success, 0 on failure (the return value is often not checked).
Source file: zxidpool.c
Call the Policy Decision Point (PDP) to obtain an authorization decision about a contemplated action on a resource. The attributes from the session pool, as filtered by PEPMAP, are fed to the PDP as inputs for the decision.
The configuration will need to have the PEPMAP and PDP_URL options set according to your situation.
If non-null, will receive error and status codes.
All attributes are obtained from the session. You may wish to add additional attributes that are not known by SSO. The session id, such as returned from SSO.
0 on deny (for any reason, e.g. indeterminate), or string containing the obligations on permit.
For simpler API, see zxid_az() family of functions.
Source file: zxidpep.c
Call the Policy Decision Point (PDP) to obtain an authorization decision about a contemplated action on a resource. The attributes from the session pool, as filtered by PEPMAP, are fed to the PDP as inputs for the decision.
The configuration will need to have the PEPMAP and PDP_URL options set according to your situation.
If non-null, will receive error and status codes.
All attributes are obtained from the session. You may wish to add additional attributes that are not known by SSO. The session object, e.g. from zxid_get_ses()
0 on deny (for any reason, e.g. indeterminate), or string containing the obligations on permit.
For simpler API, see zxid_az() family of functions.
Source file: zxidpep.c
Make a SOAP call given the XML payload as a string.
If the string starts by "
ZXID configuration object, see zxid_new_conf()
Session object that contains the EPR cache
URI (often the namespace URI) specifying the kind of service we wish to call. Used for EPR lookup or discovery.
(Optional) If provided, this argument has to match either the ProviderID, EntityID, or actual service endpoint URL.
(Optional) Additional discovery options for selecting the service, query string format
(Optional) Additional authorization credentials or attributes, in query string format. These credentials will be populated to the attribute pool in addition to the ones obtained from SSO and other sources. Then a PDP is called to get an authorization decision (as well as the obligations we pledge to support). See also the PEPMAP configuration option. This implements the generalized (application independent) Requestor Out and Requestor In PEPs. To implement application dependent PEP features you should call zxid_az() directly.
XML payload
SOAP Envelope of the response, as a string. You can parse this string to obtain all returned SOAP headers as well as the Body and its content.
Source file: zxidwsc.c
Check federation, create federation if appropriate.
Source file: zxidpsso.c
Check a single-item signature on the given Request, Response, or Assertion. Typical usage:
  if (!zxid_chk_sig(cf, cgi, ses, (struct zx_elem_s*)req,
                    req->Signature, req->Issuer, "LogoutRequest"))
    return 0;
ZXID configuration and context object, used for settings and memory allocation
cgi or invocation variables object. cgi->sigval and cgi->sigmsg will be altered if there is any signature.
Session object. The ses->sigres will be altered to reflect result of verification, if there is signature.
Element that was signed, usually needs type cast.
Signature element within elem
The EntityID zx_str of the signer (Issuer)
0 if the signature check could not be made due to error; 1 if there was no signature to check; 2 if the check was made, in which case the result is in ses->sigres; 3 if the check was not possible (due to error) but the signature was not configured to be required (NOSIG_FATAL option). Note that a nonzero return value alone does not mean the message was verified: 1 and 3 mean no verification took place, and on 2 the caller must inspect ses->sigres.
See also: Signature validation codes VVV in zxid-log.pd, section "ZXID Log Format". N.B. If the signature is over multiple references, you need to do many processing steps manually and then call zxsig_validate() with a correctly populated refs array.
Source file: zxidlib.c
Decode redirect or POST binding message. zxid_saml2_redir_enc() performs the opposite operation.
Source file: zxiddec.c
Generate Single Logout button and possibly other federation management buttons for use in logged in state of the app HTML GUI.
Either outputs the management screen to stdout or returns string of HTML (at specified automation level). If res_len is supplied, the string length is returned in res_len. Otherwise you can just run strlen() on return value.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Allocate memory and get the session object from the filesystem, populating attributes to the pool so they are available for use. You must obtain the session id from some source.
Source file: zxidses.c
Given session object (see zxid_simple_cf_ses() or zxid_fetch_ses()), return n'th value (ix=0 is first) of given attribute, if any, from the session common attribute pool. If apply_map is 0, the value is returned as is. If it is 1 then OUTMAP is applied (the attribute name is in the internal namespace). Other apply_map values are reserved.
Source file: zxidpool.c
Get metadata for entity, either from cache or network (using WKL), depending on configuration options.
ZXID configuration object
Entity ID whose metadata is desired
Entity data structure, including the metadata
Source file: zxidmeta.c
First search epr cache, and if miss, go discover an EPR over the net. This is the main work horse for WSCs wishing to call WSPs via EPR.
ZXID configuration object, also used for memory allocation
Session object in whose EPR cache the file will be searched
Service type (usually a URN)
(Optional) If provided, this argument has to match either the ProviderID, EntityID, or actual service endpoint URL.
(Optional) Additional discovery options for selecting the service, query string format
(Optional) The action, or method, that must be invocable on the service
Which matching instance to return (1-based): 1 means the first.
EPR data structure on success, 0 on failure (no discovery EPR in cache, or not found by the discovery service). If more than one were found, a linked list of EPRs is returned.
Source file: zxidepr.c
Generate IdP selection buttons (Login buttons) for the IdPs that are members of our Circle of Trust (CoT). This can be used as component for developing your application specific (HTML) login screen.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Render entire IdP selection screen. You may use this code, possibly adjusted by some configuration options (see zxidconf.h), or you may choose to develop your own IdP selection screen from scratch.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Generate SSO assertion and ship it to SP by chosen binding.
Source file: zxidpsso.c
Initialize configuration object, which must have already been allocated, to factory defaults (i.e. compiled in defaults, see zxidconf.h).
Pointer to previously allocated configuration object
Since this configuration option is so fundamental, it can be supplied directly as argument.
0 on success (currently, 2008, this function cannot fail, thus it is common to ignore the return value)
N.B. This function does NOT initialize the ZX context object although it is a field of this object. You MUST separately initialize the ZX context object, e.g. using zx_reset_ctx() or zx_init_ctx(), before you can use ZXID configuration object in any memory allocation prone activity (which is nearly every function in this API).
Source file: zxidconf.c
Construct an assertion given the user's attributes and bootstrap configuration. bs_lvl values:
  0: DI (do not add any bootstraps)
  1: add all bootstraps at SSO level
  <= cf->bootstrap_level: add all bootstraps
  > cf->bootstrap_level: only add the DI bootstrap
Source file: zxidpsso.c
Primary interface to our own Entity ID. While this would usually be automatically generated from URL configuration option so as to conform to the Well Known Location (WKL) metadata exchange convention [SAML2meta], on some sites the entity ID may be different and thus everybody who does not know better should use this interface to obtain it.
ZXID configuration object, used to compute EntityID and also for memory allocation
Entity ID as zx_str
Source file: zxidmeta.c
Parse query string or form POST and detect parameters relevant for ZXID. N.B. This CGI parsing is very specific for needs of ZXID. It is not generic.
Already allocated CGI structure where the results of this function are deposited. Note that this structure is not cleared, so it is possible to call zxid_parse_cgi() multiple times to accumulate results from multiple sources, e.g. first for the query string and then for the form POST.
CGI formatted input. Usually query string or form POST content.
0 on success. Other values reserved. Usually the return value is ignored as there really is no way for this function to fail. Unrecognized CGI arguments are simply ignored with the assumption that some other processing layer will pick them up, hence there is no need to flag an error.
Source file: zxidcgi.c
Parse partial configuration specifications, such as may occur on command line or in a configuration file.
Generally you should call first zxid_new_conf(), or at least zxid_init_conf(), and then call this function to apply modifications over the defaults. The configuration options are named after the config options that appear in zxidconf.h, except that prefix ZXID_ is removed.
N.B. The qs memory must come from a static or permanently allocated source, as direct pointers into it will be taken. The memory will be modified to add nul terminations. Do not use stack based memory like a local variable (unless a local of main()). Do consider strdup() or similar before calling this function.
Previously allocated and initialized ZXID configuration object
Query String length. -1 means nul terminated C string
Configuration data in extended CGI Query String format; "extended" means newline can be used as a separator in addition to ampersand ("&"). This argument is modified in place, changing separators to nul string terminations.
-1 on failure, 0 on success
Source file: zxidconf.c
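The session attribute-pool loader and the configuration parser above (like zxid_parse_cgi()) share an in-place contract: separators and "=" are overwritten with nul terminators and escapes are decoded into the same buffer, which is why a string constant must be duplicated first. The following is an added example, not ZXID code: a minimal parser of the same extended query-string form (newline or ampersand as separator) with the same in-place behaviour, which additionally rejects a malformed escape and an embedded %00, since a nul inside a value would silently truncate any C-string consumer of it. The function names and the sample input are made up for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* One decoded name=value pair; both pointers point into the caller's (modified) buffer. */
typedef struct { const char *name; const char *val; } qs_pair;

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Decode %XX escapes and '+' in place. Returns the decoded length, or -1 on a
   malformed escape or on %00 (which would truncate any nul-terminated consumer). */
static int url_decode_inplace(char *s, int len)
{
  char *w = s;
  for (int i = 0; i < len; ++i) {
    if (s[i] == '+') {
      *w++ = ' ';
    } else if (s[i] == '%') {
      if (i + 2 >= len || !isxdigit((unsigned char)s[i + 1]) || !isxdigit((unsigned char)s[i + 2]))
        return -1;
      int v = hexval((unsigned char)s[i + 1]) * 16 + hexval((unsigned char)s[i + 2]);
      if (v == 0)
        return -1;
      *w++ = (char)v;
      i += 2;
    } else {
      *w++ = s[i];
    }
  }
  return (int)(w - s);
}

/* Parse a nul terminated query string in the "extended" form: pairs separated by '&' or
   newline. The buffer is modified: '=' and separators become nul terminators and escapes
   are decoded in place, so qs must be writable (never a string literal).
   Fills out[] with up to max pairs and returns the count, or -1 on a malformed pair or
   when max would be exceeded. Fragments without '=' are skipped, like unrecognized input. */
int parse_qs_inplace(char *qs, qs_pair *out, int max)
{
  int n = 0;
  char *p = qs, *end = qs + strlen(qs);
  while (p < end) {
    char *sep = p;
    while (sep < end && *sep != '&' && *sep != '\n')
      ++sep;
    char *eq = memchr(p, '=', (size_t)(sep - p));
    if (eq) {
      if (n == max)
        return -1;
      int vl = url_decode_inplace(eq + 1, (int)(sep - eq - 1));
      int nl = url_decode_inplace(p, (int)(eq - p));
      if (vl < 0 || nl < 0)
        return -1;
      p[nl] = 0;       /* terminate name: overwrites '=' or a byte freed by decoding */
      eq[1 + vl] = 0;  /* terminate value: overwrites the separator or a freed byte */
      out[n].name = p;
      out[n].val = eq + 1;
      ++n;
    }
    p = sep + 1;
  }
  return n;
}

/* Look up the first value stored under name, or NULL if absent. */
const char *qs_get(const qs_pair *kv, int n, const char *name)
{
  for (int i = 0; i < n; ++i)
    if (!strcmp(kv[i].name, name))
      return kv[i].val;
  return NULL;
}
```

A rejected escape fails the whole string rather than the one pair; that is the conservative choice for configuration and attribute input, where a half-applied set of values is worse than none.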
Call Policy Decision Point (PDP) to obtain an authorization decision about a contemplated action on a resource. The attributes from the session pool, as filtered by PEPMAP are fed to the PDP as inputs for the decision. The call is using XACML SAML profile over SOAP.
The configuration will need to have the PEPMAP and PDP_URL options set according to your situation.
if non-null, will receive error and status codes
all attributes are obtained from the session. You may wish to add additional attributes that are not known by SSO.
0 on deny (for any reason, e.g. indeterminate), or string containing the obligations on permit.
For simpler API, see zxid_az() family of functions.
Source file: zxidpep.c
Convert attributes from (session) pool to LDIF entry, applying OUTMAP. This is used by zxid_simple() SSO successful code to generate return value, but can also be used later to regenerate the LDIF given the pool. See zxid_ses_to_pool() for how to create the pool.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidpool.c
Encode (and sign if Simple Sign) a form according to SAML2 POST binding. zxid_decode_redir_or_post() performs the opposite operation.
ZXID configuration object, also used for memory allocation
The name of the CGI variable, e.g. "SAMLRequest" or "SAMLResponse"
What should be encoded in the redirect URL. Effectively becomes the query string
Optional relay state argument. Ends up being encoded in the query string
Whether binding layer signature is to be applied: 0=no, 1=POST-Simple-Sign
URL where the form should be posted
Query string encoding of the request. The memory should be freed by the caller. 0 on failure.
Source file: zxidlib.c
Encode and sign a URL according to the SAML2 redirect binding. zxid_decode_redir_or_post() performs the opposite operation. Steps:
  1. Compress the payload
  2. Base64 encode the payload
  3. URL encode and concatenate the RelayState (if any)
  4. Sign the URL encoded form (by contrast, SimpleSign signs the message prior to base64 and URL encoding)
  5. Base64 encode the signature and concatenate it to the URL
ZXID configuration object, also used for memory allocation
The name of the CGI variable, e.g. "SAMLRequest=" or "SAMLResponse="
What should be encoded in the redirect URL. Effectively becomes the query string
Optional relay state argument. Ends up being encoded in the query string
Query string encoding of the request. The memory should be freed by the caller.
Source file: zxidlib.c
Process attributes from the AttributeStatements of the session SSO Assertion and insert them to the pool. NEED, WANT, and INMAP are applied. The pool is suitable for use by PEP or eventually rendering to LDIF (or JSON).
Source file: zxidpool.c
Postprocessing of SSO: Attribute Broker handles attributes and PEP/PDP decide on authorization.
Source file: zxidsimp.c
Simple handler that assumes the configuration has already been read in. The memory for result is grabbed from ZX_ALLOC(), usually malloc(3) and is "given" away to the caller, i.e. caller must free it. The return value is LDIF (or JSON or query string, if configured) of attributes in success case. res_len, if non-null, will receive the length of the response.
The major advantage of zxid_simple_cf_ses() is that the session stays as binary object and does not need to be recreated / reparsed from filesystem representation. The object can be directly used for PEP calls (but see inline PEP call enabled by PDPURL) and WSC.
Configuration object
Length of the query string. -1 = use strlen()
Query string (or POST content)
Session object
Result parameter. If non-null, will be set to the length of the returned string
Automation flags, see zxid-simple.pd for documentation
String representing protocol action or SSO attributes
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Send SOAP request and wait for response. Send the message to the server using Curl. Return the parsed XML response data structure. This call will block while the HTTP request-response is happening.
ZXID configuration object, also used for memory allocation
Where the request will be sent
Serialized XML data to be sent
XML data structure representing the response, or 0 upon failure
The underlying HTTP client is libcurl. While libcurl is documented to be "entirely thread safe", one limitation is that a curl handle can not be shared between threads. Since the curl handle is kept as part of the configuration object, which may be shared between threads, a lock is taken for the duration of the curl operation. Thus any given configuration object can have only one HTTP request active at a time. If you need more parallelism, you need more configuration objects.
Source file: zxidcurl.c
Dereference an artifact to obtain an assertion. This is the last step in the artifact SSO profile and involves making a SOAP call to the IdP. The artifact is received in the saml_art CGI field,
Source file: zxidsso.c
Send Single Logout to IdP using redirect binding. This function generates the URL encapsulating the request. You need to pass this URL to the appropriate function in your environment to provoke an HTTP 302 redirect.
ZXID config object, also used for memory allocation
Data parsed from POST or query string. Provides parameters to determine details of the SLO request
Session object. Used to determine session index (ses_ix) and name id, among others
location string if successful. "* ERR" upon failure.
Source file: zxidslo.c
SOAP client for sending Single Logout to IdP. The SOAP call is made using CURL HTTP Client and will block until response is received.
1 if successful. 0 upon failure.
Source file: zxidslo.c
zxid_sp_sso_finalize() gets called irrespective of binding (POST, Artifact) and validates the SSO assertion (a7n), including the authentication statement. Then it creates the session and optionally the user entry.
Configuration object, used to determine time slops; memory may be allocated via cf->ctx
CGI object. sigval and sigmsg may be set.
Session object. Will be modified according to new session created from the SSO assertion.
Single Sign-On assertion
0 for failure, otherwise some success code such as ZXID_SSO_OK
Source file: zxidsso.c
Generate an authentication request and make a URL out of it.
cf:: Used for many configuration options and memory allocation
cgi:: Used to pick the desired SSO profile based on hidden fields or user input
return:: Redirect URL as zx_str. Caller should eventually free this memory.
Source file: zxidsso.c
Validates conditions required by Liberty Alliance SAML2 conformance testing.
May eventually validate additional conditions as well (this is the right place to add them). N.B. It is not an error if a condition is missing, or there is no Conditions element at all.
Configuration object, used to determine time slops. Potentially used for memory allocation via cf->ctx.
Optional CGI object. If non-NULL, sigval and sigmsg will be set.
Optional session object. If non-NULL, then sigres code will be set.
Assertion whose conditions are checked.
Entity ID used for checking audience restriction. Typically from zxid_my_entity_id(cf)
Timestamp for validating NotOnOrAfter and NotBefore.
Result argument: Error letter (as may appear in audit log entry). The returned string will be a constant and MUST NOT be freed by the caller.
0 (ZXSIG_OK) if validation was successful, otherwise a ZXSIG error code.
Source file: zxidsso.c
zxid_wsc_call() implements the main low level ID-WSF web service call logic, including preparation of SOAP headers, use of the sec mech (e.g. preparation of the wsse:Security header and signing of the appropriate components of the message), and sequencing of the call. In particular, it is possible that the WSP requests user interaction and thus the calling web application will need to perform a redirect and then later call this function again to continue the web service call after the interaction.
env (rather than Body) is taken as argument so that caller can prepare additional SOAP headers at will before calling this function. This function will add Liberty ID-WSF specific SOAP headers.
Source file: zxidwsc.c
zxid_wsf_decor() implements the main low level ID-WSF web service call logic, including preparation of SOAP headers, use of the sec mech (e.g. preparation of the wsse:Security header and signing of the appropriate components of the message), and sequencing of the call. In particular, it is possible that the WSP requests user interaction and thus the calling web application will need to perform a redirect and then later call this function again to continue the web service call after the interaction.
env (rather than Body) is taken as argument so that caller can prepare additional SOAP headers at will before calling this function. This function will add Liberty ID-WSF specific SOAP headers.
Source file: zxidwsp.c
Add ID-WSF (and TAS3) specific headers and signatures to web service response. Simple and intuitive specification of XML as string: no need to build complex data structures.
If the string starts by "
ZXID configuration object, see zxid_new_conf()
Session object that contains the EPR cache
(Optional) Additional authorization credentials or attributes, query string format. These credentials will be populated to the attribute pool in addition to the ones obtained from token and other sources. Then a PDP is called to get an authorization decision (generating obligations). See also PEPMAP configuration option. This implements generalized (application independent) Responder Out PEP. To implement application dependent PEP features you should call zxid_az() directly.
XML payload
SOAP Envelope of the response, as a string, ready to be sent as HTTP response.
Source file: zxidwsp.c
Validate SOAP request (envelope), specified by the string.
If the string starts by "
ZXID configuration object, see zxid_new_conf()
Session object that contains the EPR cache
(Optional) Additional authorization credentials or attributes, in query string format. These credentials will be populated to the attribute pool in addition to the ones obtained from the token and other sources. Then a PDP is called to get an authorization decision (matching the obligations we support to those in the request, and the obligations pledged by the caller to those we insist on). See also the PEPMAP configuration option. This implements the generalized (application independent) Responder In PEP. To implement application dependent PEP features you should call zxid_az() directly.
Entire SOAP envelope as a string
idpnid of target identity of the request (rest of the information is populated to the session object, from where it can be retrieved). NULL if the validation fails. The target identity is still retrievable from the session, should there be desire to process the message despite the validation failure.
Source file: zxidwsp.c
Log to activity and/or error log depending on res and configuration settings. This is the main audit logging function you should call. Please see zxid-log.pd for detailed description of the log format and features. See zxid-conf.pd for configuration options governing the logging.
Proper audit trail is essential for any high value transactions based on SSO. Also some SAML protocol Processing Rules, such as duplicate detection, depend on the logging.
ZXID configuration object, used for configuration options and memory allocation
Timestamp as observed by localhost. Typically the wall clock time. See gettimeofday(3)
Timestamp claimed by the message to which the log entry pertains
IP address and port number from which the message appears to have originated
Entity ID to which the message pertains, usually the issuer. Null ok.
Message ID, can be used for correlation to establish audit trail continuity from request to response. Null ok.
Assertion ID, if message contained assertion (outermost and first assertion if there are multiple relevant assertions). Null ok.
Name ID pertaining to the message
Signature validation letters
Result letters
Operation code for the message
Operation specific argument
Free format message conveying additional information
0 on success, nonzero on failure (often ignored as zxlog() is very robust and rarely fails - and when it does situation is so hopeless that you would not be able to report its failure anyway)
Source file: zxlog.c
Sign, using XML-DSIG, some XML data in the sref array. The XML data is canonicalized and the signature is generated and returned. Typically the caller will then insert the signature to the original data structure and canonicalize for transport.
ZX context. Used for memory allocation.
Number of elements in the sref array
An array of (reference, xml data structure) tuples that are to be signed
Certificate (public key) used for signing
Private key used for signing
Signature as XML data, or 0 if failure.
Steps:
  1. Canonicalize the tag(s) to sign (done by caller) and pass them as sig refs
  2. SHA-1 each sig ref
  3. Construct the Signature element
  4. Attach the signature to the element (done by caller)
Typical XML-DSIG Signature (the empty closing tags "</>" are a shorthand used in this listing, not valid XML; the rsa-sha1 and sha1 algorithms shown reflect the era of this code, and rsa-sha256 should be preferred where the peer supports it):
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#CREDm7unLxp2sOXQYfDR8E4F">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces
              xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
              PrefixList="xasa"/></></>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>I2wmlQu11nvfSepvzor29kAZwAo=</></></>
  <ds:SignatureValue>
FK6X9qO8qZntp3CeFbA7gpG9n9rWyJWlzSXy0vKNspwMGdl8HPfOGcXEs2Ts=</></>
Source file: zxsig.c
Validate an XML-DSIG signature over XML data found in the sref array. The signature is validated against the provided certificate, which must have been previously looked up, usually using the Issuer field of the message and the metadata of the signing party. Trust in the certificate must have been established by other means.
ZX context. Used for memory allocation.
Signing party's certificate (public key), typically from metadata
Parsed XML-DSIG data structure
Number of elements in the sref array
An array of (reference, xml data structure) tuples that are referenced by the signature
ZXSIG value. 0 (ZXSIG_OK) means success. Any other value is some sort of failure.
Source file: zxsig.c
Close a file rather than just any file descriptor and check error return. It is important that it is a file since on MS Windows closing files is different from closing descriptors. Checking error return from close is important because in NFS environments you may not know that your write has failed until you actually attempt to close the file.
Source file: zxutil.c
Create default configuration in response for Apache
This is considered internal function to mod_auth_saml. Do not call directly.
Source file: mod_auth_saml.c
Output a hexdump to stderr. Used for debugging purposes.
Source file: zxutil.c
Generate formatted file name path.
Source file: zxutil.c
Open a file with formatted file name path.
Source file: zxutil.c
Convert session attribute pool into Apache execution environment that will be passed to CGI, mod_php, mod_perl, and other Apache modules.
OUTMAP will be applied to decide which attributes to pass to the environment and to rename them.
This is considered internal function to mod_auth_saml, called by chkuid(). You should not call this directly, unless you know what you are doing.
Source file: mod_auth_saml.c
Read all data from a file at formatted file name path.
Length of buffer
Result parameter. This buffer will be populated with data from the file.
Returns the actual total length read. The buffer will always be nul terminated.
Source file: zxutil.c
Low level function that keeps reading from a file descriptor until want is satisfied or an error happens. May block (though usually will not if the file is in cache or on local disk). Buffer p must have been allocated. The return value reflects the last read, i.e. what the last read(2) system call returned. got_all reflects the total number of bytes received.
Source file: zxutil.c
Read POST input, Apache style
This is considered internal function to mod_auth_saml, called by chkuid(). You should not call this directly, unless you know what you are doing.
Source file: mod_auth_saml.c
Register Apache hook for mod_auth_saml
This is considered internal function to mod_auth_saml. Do not call directly.
Source file: mod_auth_saml.c
Send Apache response.
This is considered internal function to mod_auth_saml, called by chkuid(). You should not call this directly, unless you know what you are doing.
Source file: mod_auth_saml.c
Process ZXIDDebug directive in Apache configuration file.
This is considered internal function to mod_auth_saml. Do not call directly.
Source file: mod_auth_saml.c
Process ZXIDConf directive in Apache configuration file. Can be called any number of times to set additional parameters.
This is considered internal function to mod_auth_saml. Do not call directly.
Source file: mod_auth_saml.c
The out_buf should be 28 chars in length. The buffer is not automatically nul terminated. There will be 27 characters of payload plus one termination character "." (which you can overwrite with nul if you like).
Buffer where result will be written. It must be 28 characters long and already allocated.
Length of data
Data to be digested
Pointer one past last character written
Source file: zxutil.c
Raw version. Can use any encoding table and arbitrary line length. Known bug: line_len is not fully respected on the last line, which can be up to 3 characters longer than specified due to padding. Every three chars (from an alphabet of 256) of input map to four chars (from an alphabet of 64) of output. See also SIMPLE_BASE64_LEN().
input
length of input
Output buffer. Will not be NUL terminated.
The 64 character alphabet to be used, such as std_basis_64 or safe_basis_64
Length of each line. 76 is customary. Or use very large value to avoid any line breaks
Length of End-of-Line string.
End-of-Line string, inserted every line_len.
Padding character, usually equals (=)
Pointer one past last byte written in r. This function never fails.
Source file: zxutil.c
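To make the redirect-binding steps listed earlier on this page (compress, base64, URL encode, concatenate RelayState, sign the URL-encoded form) and this raw base64 encoder concrete, here is an added example that is not ZXID's code. It provides a raw encoder with a caller-chosen alphabet, line length, EOL string and pad character in the style described above, a percent-encoder, the signer-side construction of the exact byte string the redirect-binding signature covers, and the verifier-side reconstruction of that string from a received query string. Assumptions: the payload passed to redir_sig_input is already DEFLATE-compressed (no zlib is used here), the RSA signing and verification themselves are left out, and all names (base64_raw, url_encode, redir_sig_input, raw_param, redir_signed_part) and the sample values are invented for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two alphabets referred to on this page: RFC 4648 standard and URL/filename safe. */
const char std_basis_64[]  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const char safe_basis_64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Upper bound on encoded size: 4 chars per 3 input bytes plus one EOL per line. */
#define SIMPLE_BASE64_LEN(len, line_len, eol_len) \
  ((((len) + 2) / 3) * 4 + ((((len) + 2) / 3) * 4 / (line_len) + 1) * (eol_len))

/* Raw base64 encoder with caller-chosen alphabet, line length, EOL string and pad char.
   Output is not nul terminated; returns the pointer one past the last byte written. */
char *base64_raw(const char *p, int len, char *r, const char *basis_64,
                 int line_len, int eol_len, const char *eol, char pad)
{
  const unsigned char *u = (const unsigned char *)p;
  int col = 0;
  while (len > 2) {
    *r++ = basis_64[u[0] >> 2];
    *r++ = basis_64[((u[0] & 3) << 4) | (u[1] >> 4)];
    *r++ = basis_64[((u[1] & 15) << 2) | (u[2] >> 6)];
    *r++ = basis_64[u[2] & 63];
    u += 3; len -= 3; col += 4;
    if (col >= line_len && len > 0) { memcpy(r, eol, eol_len); r += eol_len; col = 0; }
  }
  if (len > 0) {                         /* 1 or 2 bytes left: pad to a full quantum */
    *r++ = basis_64[u[0] >> 2];
    if (len == 1) {
      *r++ = basis_64[(u[0] & 3) << 4];
      *r++ = pad;
    } else {
      *r++ = basis_64[((u[0] & 3) << 4) | (u[1] >> 4)];
      *r++ = basis_64[(u[1] & 15) << 2];
    }
    *r++ = pad;
  }
  return r;
}

/* Percent-encode all but RFC 3986 unreserved characters, uppercase hex. Caller frees. */
char *url_encode(const char *s, size_t len)
{
  static const char hex[] = "0123456789ABCDEF";
  char *out = malloc(3 * len + 1), *q = out;
  for (size_t i = 0; i < len; ++i) {
    unsigned char c = (unsigned char)s[i];
    if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') *q++ = (char)c;
    else { *q++ = '%'; *q++ = hex[c >> 4]; *q++ = hex[c & 15]; }
  }
  *q = 0;
  return out;
}

/* Signer side, steps 2-4: the exact byte string the redirect-binding signature covers,
   name=urlenc(b64(deflated))[&RelayState=urlenc(rs)]&SigAlg=urlenc(alg).
   Assumption: `deflated` is already raw-DEFLATE compressed (step 1). Caller frees. */
char *redir_sig_input(const char *cgi_name, const char *deflated, int deflated_len,
                      const char *relay_state, const char *sig_alg)
{
  char *b64 = malloc(SIMPLE_BASE64_LEN(deflated_len, 1 << 30, 0) + 1);
  char *end = base64_raw(deflated, deflated_len, b64, std_basis_64, 1 << 30, 0, "", '=');
  *end = 0;
  char *e_msg = url_encode(b64, (size_t)(end - b64));
  char *e_rs = relay_state ? url_encode(relay_state, strlen(relay_state)) : NULL;
  char *e_alg = url_encode(sig_alg, strlen(sig_alg));
  size_t n = strlen(cgi_name) + 1 + strlen(e_msg) + (e_rs ? 12 + strlen(e_rs) : 0) + 8 + strlen(e_alg) + 1;
  char *out = malloc(n);
  snprintf(out, n, "%s=%s%s%s&SigAlg=%s", cgi_name, e_msg,
           e_rs ? "&RelayState=" : "", e_rs ? e_rs : "", e_alg);
  free(b64); free(e_msg); free(e_rs); free(e_alg);
  return out;
}

/* Raw, still percent-encoded value of `name` in query string q (length in *vlen), or NULL. */
static const char *raw_param(const char *q, const char *name, size_t *vlen)
{
  size_t nl = strlen(name);
  while (q && *q) {
    const char *amp = strchr(q, '&');
    size_t plen = amp ? (size_t)(amp - q) : strlen(q);
    if (plen > nl && !strncmp(q, name, nl) && q[nl] == '=') { *vlen = plen - nl - 1; return q + nl + 1; }
    q = amp ? amp + 1 : NULL;
  }
  return NULL;
}

/* Verifier side. Rebuild the signed string from the query string exactly as received:
   the raw values in the binding's fixed order, whatever order they arrived in. Decoding
   and re-encoding the values can change the bytes, so a valid signature would then fail
   to verify. Returns NULL if a required parameter is absent; *sig_b64 gets the Signature. */
char *redir_signed_part(const char *raw_query, char **sig_b64)
{
  const char *mname = "SAMLRequest";
  size_t ml, rl, al, sl;
  const char *m = raw_param(raw_query, mname, &ml);
  if (!m) { mname = "SAMLResponse"; m = raw_param(raw_query, mname, &ml); }
  const char *r = raw_param(raw_query, "RelayState", &rl);
  const char *a = raw_param(raw_query, "SigAlg", &al);
  const char *s = raw_param(raw_query, "Signature", &sl);
  if (!m || !a || !s) return NULL;
  char *out = malloc(strlen(mname) + 1 + ml + (r ? 12 + rl : 0) + 8 + al + 1), *q = out;
  q += sprintf(q, "%s=%.*s", mname, (int)ml, m);
  if (r) q += sprintf(q, "&RelayState=%.*s", (int)rl, r);
  sprintf(q, "&SigAlg=%.*s", (int)al, a);
  *sig_b64 = malloc(sl + 1);
  memcpy(*sig_b64, s, sl);
  (*sig_b64)[sl] = 0;
  return out;
}
```

The verifier copies the still-encoded parameter values rather than decoding and re-encoding them, because the signer hashed the URL-encoded bytes; any difference in encoding (uppercase versus lowercase hex, "+" versus "%20", a differently escaped RelayState) produces a different string and a spurious verification failure.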
Generate formatted file name path.
Source file: zxutil.c
Open a file with formatted file name path.
Source file: zxutil.c
Write or append all data to a file at the formatted path. Will perform file locking to ensure consistent results. Returns 1 on success, 0 on error.
Source file: zxutil.c
Low level function that keeps writing data to a file descriptor until everything is written. It may block in the process.
Source file: zxutil.c
Write all data to a file at the formatted path. The buf is used for formatting data. The path_fmt can have up to two %s specifiers, which will be satisfied by prepath and postpath; as it is a format string, path_fmt should be a trusted constant, with any untrusted input passed only via prepath and postpath. Returns 1 on success, 0 on failure.
Source file: zxutil.c
For WO encoder the order of xmlns declarations is not known at compile time. Thus we first add them to the pop_seen list using insertion sort (pop_seen is smallest and prefixes grow from there) and then later render the list using zx_enc_seen().
Source file: zxns.c
ZX memory allocator that does not zero the buffer. Allocation is potentially done relative to ZX context c, though actual (2008) implementation simply uses malloc(3).
Rather than reference this function directly, you should use the ZX_ALLOC() macro as much as possible.
Some implementations may take c->mx mutex lock. However, they will do so such that no deadlock will result even if already taken.
Source file: zxlib.c
sprintf(3) implementation that will grab its memory from ZX memory allocator.
Source file: zxlib.c
vasprintf(3) implementation that will grab its memory from ZX memory allocator.
Source file: zxlib.c
Convert a date-time format timestamp into seconds since the Unix epoch. The format is as follows (the first line is a column ruler):
  01234567890123456789
  yyyy-MM-ddThh:mm:ssZ
Source file: zxutil.c
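As an added example (not ZXID's implementation), the following parses exactly this format, allowing an optional fraction of a second before the Z as xs:dateTime does, and rejects anything else, since the value arrives in a peer's message and must not be guessed at. It then applies the parsed times to a NotBefore / NotOnOrAfter window check in the spirit of the conditions validation described earlier on this page: a missing condition is not an error and NotOnOrAfter is exclusive. The slop arguments, result codes and function names are illustrative assumptions, not ZXID's own.

```c
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date. */
static long long days_from_civil(int y, int m, int d)
{
  y -= m <= 2;
  long long era = (y >= 0 ? y : y - 399) / 400;
  long long yoe = y - era * 400;
  long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
  long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
  return era * 146097 + doe - 719468;
}

/* Read exactly n ASCII digits at s into *out. Returns 0 if any char is not a digit. */
static int fixed_digits(const char *s, int n, int *out)
{
  int v = 0;
  for (int i = 0; i < n; ++i) {
    if (s[i] < '0' || s[i] > '9') return 0;
    v = v * 10 + (s[i] - '0');
  }
  *out = v;
  return 1;
}

/* Convert yyyy-MM-ddThh:mm:ssZ (optionally yyyy-MM-ddThh:mm:ss.fffZ) to seconds since the
   Unix epoch, UTC. Returns -1 on any deviation: wrong punctuation, out-of-range field,
   non-UTC zone or trailing garbage. Nothing is inferred from a malformed string.
   Ruler:  01234567890123456789
           yyyy-MM-ddThh:mm:ssZ */
long long date_time_to_secs(const char *s)
{
  static const int mdays[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
  int y, mo, d, h, mi, se;
  if (strlen(s) < 20) return -1;
  if (!fixed_digits(s, 4, &y) || s[4] != '-' || !fixed_digits(s + 5, 2, &mo) || s[7] != '-'
      || !fixed_digits(s + 8, 2, &d) || s[10] != 'T' || !fixed_digits(s + 11, 2, &h)
      || s[13] != ':' || !fixed_digits(s + 14, 2, &mi) || s[16] != ':' || !fixed_digits(s + 17, 2, &se))
    return -1;
  const char *p = s + 19;
  if (*p == '.') {                          /* fractional seconds, ignored but must be digits */
    ++p;
    if (*p < '0' || *p > '9') return -1;
    while (*p >= '0' && *p <= '9') ++p;
  }
  if (*p != 'Z' || p[1] != 0) return -1;    /* only UTC, and nothing after the Z */
  int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
  if (mo < 1 || mo > 12 || d < 1 || d > mdays[mo - 1] + (leap && mo == 2)
      || h > 23 || mi > 59 || se > 59)
    return -1;
  return days_from_civil(y, mo, d) * 86400LL + h * 3600 + mi * 60 + se;
}

/* Validity-window check. A missing condition is not an error. before_slop and after_slop
   are clock-skew allowances in seconds (illustrative; not ZXID's slop options). */
enum { COND_OK = 0, COND_BAD_TIMESTAMP, COND_NOT_YET_VALID, COND_EXPIRED };

int check_time_conditions(const char *not_before, const char *not_on_or_after,
                          long long now, int before_slop, int after_slop)
{
  if (not_before) {
    long long nb = date_time_to_secs(not_before);
    if (nb < 0) return COND_BAD_TIMESTAMP;
    if (now + before_slop < nb) return COND_NOT_YET_VALID;
  }
  if (not_on_or_after) {
    long long na = date_time_to_secs(not_on_or_after);
    if (na < 0) return COND_BAD_TIMESTAMP;
    if (now - after_slop >= na) return COND_EXPIRED;   /* NotOnOrAfter is exclusive */
  }
  return COND_OK;
}
```

An unparseable timestamp is treated as a failed condition rather than as a missing one; silently ignoring a garbled NotOnOrAfter would turn a malformed assertion into one that never expires.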
ZX version of strdup().
Source file: zxlib.c
Construct zx_str by duplication of raw string data of given length.
Source file: zxlib.c
Construct zx_str by duplication of C string.
Source file: zxlib.c
ZX memory free'er. Freeing is potentially done relative to ZX context c, though actual (2008) implementation simply uses free(3).
Rather than reference this function directly, you should use the ZX_FREE() macro as much as possible.
Source file: zxlib.c
Obtain RSA public key from X509 certificate. The certificate must have been previously read into a data structure. See zxid_read_cert() and zxid_extract_cert()
Source file: zxcrypto.c
Especially useful as a yubikey_modhex_decode() replacement. Supports in-place conversion. Does not nul terminate.
Source file: zxutil.c
Allocate new ZX object and initialize it in standard way, i.e. use malloc(3) for memory allocation.
Source file: zxidconf.c
Given a known namespace, does the prefix refer to it, either natively or through an alias?
Source file: zxns.c
Render the unknown attributes list. CSE for almost all tags.
Source file: zxlib.c
Compute MD5-Crypt password hash (starts with $1$)
Password in plain
0-8 chars of salt. Preceding $1$ is automatically skipped. Salt ends in $ or nul.
must be at least 120 chars
buf, nul terminated
Source file: zxcrypto.c
ZX implementation of memmem(3) for platforms that do not have this.
Source file: zxlib.c
Newly allocated string (node and data) of specified length, but uninitialized
Source file: zxlib.c
Construct new simple element from zx_str by referencing, not copying, it.
Source file: zxlib.c
zx_prefix_seen_whine() is a good place to detect, and add stub for, wholly unknown prefixes.
Source file: zxns.c
Prepare a context for decoding XML. N.B. Often you would wrap this in locks, like
  LOCK(cf->ctx->mx, "valid");
  zx_prepare_dec_ctx(cf->ctx, zx_ns_tab, ss->s, ss->s + ss->len);
  r = zx_DEC_root(cf->ctx, 0, 1);
  UNLOCK(cf->ctx->mx, "valid");
Source file: zxlib.c
See if prefix has been seen, and in the same meaning. If not, allocate a new node and push or add it to the doubly linked list as well as to the pop_seen list. Returns 0 if no addition was done (i.e. ns had been seen already).
Source file: zxns.c
ZXID centralized hook for obtaining random numbers. This backends to the OpenSSL random number generator and seeds from /dev/urandom where available. If you want to use /dev/random, which may block, you need to recompile with ZXID_TRUE_RAND set to true.
Source file: zxcrypto.c
Construct new simple element by referencing, not copying, raw string data of given length.
Source file: zxlib.c
Construct zx_str from length and raw string data, which will be referenced, not copied.
Source file: zxlib.c
Construct new simple element by referencing, not copying, C string.
Source file: zxlib.c
Construct zx_str from C string, which will be referenced, not copied.
Source file: zxlib.c
Walk through the OpenSSL error stack and dump it to the stderr.
Way for caller to indicate what the OpenSSL errors are all about
Number of open SSL errors processed, or 0 if none. Often ignored.
Source file: zxsig.c
Reset the seen doubly linked list to empty and initialize memory allocation related function pointers to system malloc(3). Without such initialization, any memory allocation activity as well as any XML parsing activity is doomed to segmentation fault.
Source file: zxidconf.c
RSA private key decryption. See zxid_read_private_key() and zxid_extract_private_key() for ways to read in the private key data structure. N.B. This function only does the private key part. It does not perform combined dec-session-key-with-priv-key-and-then-data-with-session-key operation, though this function could be used as a component to implement such a system.
This is considered a low level function. See zxenc_privkey_dec() for a higher level solution.
Source file: zxcrypto.c
RSA private key encryption. See zxid_read_private_key() and zxid_extract_private_key() for ways to read in the private key data structure.
Source file: zxcrypto.c
RSA public key decryption. See zx_get_rsa_pub_from_cert() for a way to obtain public key data structure.
Source file: zxcrypto.c
RSA public key encryption. See zx_get_rsa_pub_from_cert() for a way to obtain public key data structure. N.B. This function only does the public key part. It does not perform combined enc-session-key-with-pub-key-and-then-data-with-session-key operation, though this function could be used as a component to implement such a system.
This is considered a low level function. See zxenc_pubkey_enc() for a higher level solution.
Source file: zxcrypto.c
When trying to scan an element, an annoying feature of XML namespaces is that the namespace may be declared in a xmlns attribute within the element itself. Thus at the time of scanning the <ns:element part we can't know its namespace. What a lousy design. In order to handle this we need to either backtrack or make a special case forward scan for xmlns attributes (which is redundant with normal attribute scanning). It seems simpler to do the latter, so here goes...
The return value represents the list of namespaces that were newly declared at this level, i.e. pushed to the seen stacks. This list is used to pop the seen stacks after we are through with the element.
Source file: zxns.c
zx_str_conv() helps SWIG typemaps to achieve natural conversion to native length + data representations of scripting languages. Should not need to use directly.
Source file: zxlib.c
Check if string ends in suffix
Source file: zxlib.c
Free both the zx_str node and the underlying string data
Source file: zxlib.c
Convert zx_str to C string. The ZX context will provide the memory.
Source file: zxlib.c
Disambiguate token by considering its namespace. See zx_attr_lookup() and zx_elem_lookup(). For attributes the namespaceless case is considered.
Source file: zxns.c
Perform URL encoding on buffer. New output buffer is allocated. The low level work is performed by zx_url_encode_raw().
N.B. For zx_url_decode() operation see URL_DECODE() macro in errmac.h
Source file: zxutil.c
Compute length of the URL encoded string. The encoding is done to characters listed in URL_BAD() macro in zxutil.c. Returns the required buffer size, including nul term. Subtract 1 for string length.
Source file: zxutil.c
URL encode input into output. The encoding is done to characters listed in URL_BAD() macro in zxutil.c. The output must already have been allocated to correct length (which can be obtained from zx_url_encode_len() function). zx_url_encode() is higher level function that does just that. Raw version does not nul terminate. Returns pointer one past last byte written.
Source file: zxutil.c
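The length-then-raw-encode pattern described above, as an added example that is not ZXID's own code: url_encode_len() sizes the buffer, url_encode_raw() fills it without nul terminating and returns one past the last byte written, and url_encode() wraps the two. The character class url_bad() is an assumption standing in for the page's URL_BAD() macro (here RFC 3986 unreserved characters pass through, everything else is escaped); the decoder is added to show the round trip and rejects malformed escapes instead of passing them through.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed character class (stand-in for the page's URL_BAD() macro, whose exact set is not
 * reproduced here): RFC 3986 unreserved characters pass through, everything else is escaped. */
static int url_bad(unsigned char c) {
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) return 0;
    return !(c == '-' || c == '.' || c == '_' || c == '~');
}

/* Phase 1: required output size including the nul terminator (subtract 1 for string length). */
size_t url_encode_len(const char *in, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; ++i) n += url_bad((unsigned char)in[i]) ? 3 : 1;
    return n + 1;
}

/* Phase 2, raw: write into a caller-sized buffer, no nul termination, return one past last byte. */
char *url_encode_raw(const char *in, size_t len, char *out) {
    static const char hex[] = "0123456789ABCDEF";
    for (size_t i = 0; i < len; ++i) {
        unsigned char c = (unsigned char)in[i];
        if (url_bad(c)) { *out++ = '%'; *out++ = hex[c >> 4]; *out++ = hex[c & 15]; }
        else *out++ = (char)c;
    }
    return out;
}

/* High level wrapper: size, allocate, encode, terminate. Caller frees the result. */
char *url_encode(const char *in, size_t len) {
    char *out = malloc(url_encode_len(in, len));
    if (!out) return NULL;
    *url_encode_raw(in, len, out) = '\0';
    return out;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* In-place decoder ('+' becomes space as in form data). Returns the decoded length, or -1 on a
 * malformed escape such as "%zz" or a trailing "%", rather than silently passing garbage through. */
long url_decode_inplace(char *s) {
    char *r = s, *w = s;
    while (*r) {
        if (*r == '%') {
            int hi = hexval((unsigned char)r[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)r[2]);   /* never reads past a nul */
            if (lo < 0) return -1;
            *w++ = (char)(hi * 16 + lo);
            r += 3;
        } else if (*r == '+') { *w++ = ' '; ++r; }
        else *w++ = *r++;
    }
    *w = '\0';
    return (long)(w - s);
}

/* Encode `in`, compare with `expect`, decode back in place and compare with `in`. */
int url_roundtrip_ok(const char *in, const char *expect) {
    char *e = url_encode(in, strlen(in));
    int ok = e && strcmp(e, expect) == 0 && url_decode_inplace(e) >= 0 && strcmp(e, in) == 0;
    free(e);
    return ok;
}

/* 1 if the decoder rejects s as malformed (decoding is done on a private copy). */
int url_decode_malformed(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (!copy) return 0;
    memcpy(copy, s, n);
    int bad = url_decode_inplace(copy) < 0;
    free(copy);
    return bad;
}

int main(void) {
    const char *sample = "a b&c=d";               /* constructed sample input */
    char *e = url_encode(sample, strlen(sample));
    printf("%s -> %s (buffer size %zu)\n", sample, e, url_encode_len(sample, strlen(sample)));
    free(e);
    return 0;
}
```

Because url_encode_raw() trusts the caller to have sized the buffer with url_encode_len(), the two calls must see the same input length; the wrapper exists so that callers do not get that pairing wrong.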
Process XML namespace declaration, trying to match it by its declared namespace URI. Should this fail, we will attempt to match by customary (at least in our opinion) namespace prefixes. If duplicate namespaces are detected, they are handled as aliases.
Source file: zxns.c
ZX memory allocator that zeroes the buffer. Allocation is potentially done relative to ZX context c, though actual (2008) implementation simply uses malloc(3).
Rather than reference this function directly, you should use the ZX_ALLOC() macro as much as possible.
Source file: zxlib.c
Compress data using zlib-deflate (RFC1951). The deflated data will be in a new buffer, which is returned. out_len will indicate the length of the compressed data. Since the compressed data will be binary, there is no provision for nul termination. Caveat: RFC1951 is not the same as gzip.
Source file: zxutil.c
Decompress zlib-deflate (RFC1951) compressed data. The decompressed data will be in a newly allocated buffer which is returned. The length of the decompressed data is returned via out_len. The buffer will always be at least one byte longer than indicated by out_len; this should allow safe nul termination (but the decompressed data itself may contain any number of nuls). Caveat: RFC1951 is not the same as gzip.
Source file: zxutil.c
Private key decryption using XML-ENC. The encryption algorithm is auto-detected from the XML-ENC data. The private key is looked up from the configuration object.
ZXID configuration object, used for memory allocation
Encrypted data as XML data structure
Symmetric encryption key data structure. If not supplied, the EncryptedKey element from EncryptedData is used
Decrypted data as zx_str. Caller should free this memory.
Source file: zxsig.c
Public key encryption using XML-ENC. The encryption algorithm is auto-detected from the XML-ENC data.
ZXID configuration object, used for memory allocation
Data blob to encrypt. Typically serialized XML
Result parameter. XML data structure corresponding to the
Certificate containing the public key used to encrypt the symmetric key
Use to generate XML Id attributes for
Encrypted data as XML data structure. Caller should free this memory.
Source file: zxsig.c
Symmetric key decryption using XML-ENC. The encryption algorithm is auto-detected from the XML-ENC data.
ZXID configuration object, used for memory allocation
Encrypted data as XML data structure
Symmetric key used for decryption
Decrypted data as zx_str. Caller should free this memory.
Source file: zxsig.c
Symmetric key encryption using XML-ENC. The encryption algorithm is auto-detected from the XML-ENC data.
ZXID configuration object, used for memory allocation
Data blob to encrypt. Typically serialized XML
The value of the Id XML attribute of the
Raw symmetric key used for encryption
The value of the Id XML attribute of the
Encrypted data as XML data structure. Caller should free this memory.
Example of XML-ENC encrypted data
  <sa:EncryptedID>
    <e:EncryptedData
        xmlns:e="http://www.w3.org/2001/04/xmlenc#"
        Id="ED38"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod
            Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
            URI="#EK38"/></>                                   # N.B. hash
      <e:CipherData>
        <e:CipherValue>FWfOV7aytBE2xIMe...YTA3ImLf9JCM/vdLIMizMf1</></></>
    <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="EK38">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>***</></></>
      <e:CipherData>
        <e:CipherValue>xf5HkmQM68t...7zRbxkqtniIVnxBHjkA=</></>
      <e:ReferenceList>
        <e:DataReference URI="#ED38"/></></></>               # N.B. hash
Source file: zxsig.c
Create SAML
Source file: zxidmk.c
Generate Assertion Consumer Service (SSO) Descriptor metadata fragment [SAML2meta].
Source file: zxidmeta.c
Add Attribute Statements of an Assertion to pool, applying NEED, WANT, and INMAP
Source file: zxidpool.c
Add values, applying NEED, WANT, and INMAP
Source file: zxidpool.c
Add simple attribute to pool, applying NEED, WANT, and INMAP
Source file: zxidpool.c
Consider an EPR and user and generate the necessary access credential (SAML a7n). The EPR is modified in place. Returns logging keyword indicating which kind of token was issued.
Source file: zxidpsso.c
For purposes of signing, add references and canon forms of all known SOAP headers
Source file: zxidwsc.c
Parse LDIF format and insert attributes to linked list. Return new head of the list. *** illegal input causes corrupt pointer. For example query string input causes corruption.
Source file: zxidpsso.c
Allocate memory for session object. Used with zxid_simple_cf_ses().
Source file: zxidses.c
Generate IdP Authentication Page.
Either outputs the authentication screen to stdout or returns a string of HTML (at the specified automation level). If res_len is supplied, the string length is returned in res_len. Otherwise you can just run strlen() on the return value.
The ssoreq parameter is used for conveying the original AuthnReq from the SP, encoded in SAMLRequest, for processing after the authentication step.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Helper function to sign, if needed, and log the issued assertion. Checks for Assertion ID duplicate and returns 0 on failure (i.e. duplicate), 1 on success.
Source file: zxidpsso.c
Helper function to sign, if needed, and log the issued response. Checks for message ID duplicate and returns 0 on failure (i.e. duplicate), or the canonicalized response message string on success. This string may be useful for caller to send further and should be freed by the caller.
Source file: zxidpsso.c
Generate Artifact Resolution (AR) Descriptor idp metadata fragment [SAML2meta].
Source file: zxidmeta.c
Authentication Service Client See also: zxid_idp_as_do()
Source file: zxidsso.c
See zxid_az_cf() for description. Only difference is that the configuration is accepted as a string instead of an object.
Source file: zxidpep.c
Serialize EPR data structure to XML and write it to session's EPR cache under file name that is both unique and indicates the service type.
ZXID configuration object, also used for memory allocation
Session object in whose EPR cache the file will be located
XML data structure representing the EPR
1 on success, 0 on failure
Source file: zxidepr.c
Call web service, printf style. See zxid_call() for more documentation.
Source file: zxidwsc.c
Process second part of Common Domain Cookie redirection. See zxid_cdc_read() for first part.
The SAML CDC is a standards based method for SSO IdP discovery.
Source file: zxidcdc.c
Read Common Domain Cookie and formulate HTTP redirection to pass it back.
In its current form (2008) this function only works for CGI scripts.
The SAML CDC is a standards based method for SSO IdP discovery.
Source file: zxidcdc.c
Convert configuration string conf to configuration object cf.
Source file: zxidsimp.c
Call back used by Curl to move data from application buffer to Curl internal send buffer. Internal. Do not use directly.
Source file: zxidcurl.c
Call back used by Curl to move received data to application buffer. Internal. Do not use directly.
Source file: zxidcurl.c
Format a date-time string as usually used in XML, SAML, and Liberty. Apparently there are two ways to format this: with or without milliseconds. ZXID accepts either form as input, as they are both legal, but will only generate the without-milliseconds form. Some other software is buggy and fails to accept the without-milliseconds form. You can change the format at compile time.
Source file: zxidlib.c
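The two date-time functions described on this page (the parser of yyyy-MM-ddThh:mm:ssZ into epoch seconds, and the formatter that only ever emits the without-milliseconds form) together, as an added example that is not ZXID's own code. The parser accepts an optional fractional-seconds part, as the text says ZXID does on input, and rejects anything else, because a lenient timestamp parser is a classic way to let NotBefore/NotOnOrAfter checks be bypassed. The calendar arithmetic is Howard Hinnant's days_from_civil/civil_from_days, used here so the block has no dependence on the process time zone or on POSIX-only calls.

```c
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil). */
static long long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Inverse of the above (Hinnant's civil_from_days). */
static void civil_from_days(long long z, int *y, int *m, int *d) {
    z += 719468;
    long long era = (z >= 0 ? z : z - 146096) / 146097;
    unsigned doe = (unsigned)(z - era * 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    unsigned mp = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = (int)((long long)yoe + era * 400 + (*m <= 2));
}

/* Read exactly n ASCII digits at p into *out; 0 if any character is not a digit. */
static int digits(const char *p, int n, int *out) {
    int v = 0;
    for (int i = 0; i < n; ++i) {
        if (p[i] < '0' || p[i] > '9') return 0;
        v = v * 10 + (p[i] - '0');
    }
    *out = v;
    return 1;
}

/* Parse yyyy-MM-ddThh:mm:ssZ or yyyy-MM-ddThh:mm:ss.fffZ into seconds since the Unix epoch.
 * Fraction digits are accepted and dropped. Returns -1 on any format or range error. */
long long parse_xml_datetime(const char *s) {
    int y, mo, d, h, mi, sec;
    if (!s || strlen(s) < 20) return -1;              /* shortest valid form is 20 chars */
    if (!digits(s, 4, &y) || s[4] != '-' || !digits(s + 5, 2, &mo) || s[7] != '-' ||
        !digits(s + 8, 2, &d) || s[10] != 'T' || !digits(s + 11, 2, &h) || s[13] != ':' ||
        !digits(s + 14, 2, &mi) || s[16] != ':' || !digits(s + 17, 2, &sec))
        return -1;
    const char *p = s + 19;
    if (*p == '.') {                                  /* optional milliseconds */
        ++p;
        if (*p < '0' || *p > '9') return -1;
        while (*p >= '0' && *p <= '9') ++p;
    }
    if (p[0] != 'Z' || p[1] != '\0') return -1;       /* UTC designator, then nothing else */
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 60) return -1;
    return days_from_civil(y, mo, d) * 86400LL + h * 3600LL + mi * 60LL + sec;
}

/* Render epoch seconds in the without-milliseconds form. Returns 1 on success, 0 if buf is too small. */
int format_xml_datetime(long long secs, char *buf, size_t len) {
    long long days = secs / 86400, rem = secs % 86400;
    if (rem < 0) { rem += 86400; --days; }            /* floor division for pre-1970 values */
    int y, m, d;
    civil_from_days(days, &y, &m, &d);
    int n = snprintf(buf, len, "%04d-%02d-%02dT%02d:%02d:%02dZ",
                     y, m, d, (int)(rem / 3600), (int)(rem % 3600 / 60), (int)(rem % 60));
    return n > 0 && (size_t)n < len;
}

/* Parse s, re-render it, and report whether the canonical rendering equals expect. */
int datetime_roundtrip_ok(const char *s, const char *expect) {
    char buf[32];
    long long secs = parse_xml_datetime(s);
    if (secs < 0 || !format_xml_datetime(secs, buf, sizeof buf)) return 0;
    return strcmp(buf, expect) == 0;
}

int main(void) {
    char buf[32];
    const char *in = "2009-02-13T23:31:30.250Z";      /* constructed sample: with milliseconds */
    long long secs = parse_xml_datetime(in);
    format_xml_datetime(secs, buf, sizeof buf);
    printf("%s -> %lld -> %s\n", in, secs, buf);
    return 0;
}
```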
Extract an assertion, decrypting EncryptedAssertion if needed.
Source file: zxidspx.c
Given NameID or
req->NameID = zxid_decrypt_nameid(cf, req->NameID, req->EncryptedID);
ZXID configuration object, also used for memory allocation
XML data structure for Name ID. Possibly 0 (NULL). In that case encid should be specified.
XML Data Structure for Encrypted Name ID. If no nid is specified, this structure is decrypted and its contents returned as the Name ID
XML data structure corresponding to (possibly decrypted) Name ID
Source file: zxidlib.c
Given new nym or
ZXID configuration object, also used for memory allocation
XML data structure for new Name ID. Possibly 0 (NULL). In that case encid should be specified.
XML Data Structure for Encrypted Name ID. If no newnym is specified, this structure is decrypted and its contents returned as the Name ID
XML data structure corresponding to (possibly decrypted) new Name ID
Source file: zxidlib.c
Delete, or archive, session object from file system. Assertion, if any, is not deleted. This is called upon explicit logout events. However, in reality many sessions are simply abandoned, thus a deploying site should implement some mechanism, such as a cron(8) job to remove or archive expired sessions.
Source file: zxidses.c
Server side Discovery Service Query processing. See also zxid_gen_bootstraps()
Source file: zxiddi.c
Compute (and fold) unique EPR name according to /var/zxid/ses/SESID/SVC,SHA1
This name format is designed to ensure unique name for each EPR, while also making it easy to determine the service type from the name. This is useful in the common case where WSC wants to call a specific type of web service.
ZXID configuration object, also used for memory allocation
Directory, such as "ses/"
Session ID whose EPR cache the file is/will be located
result parameter. The buffer, which must have been allocated, will be modified to have the path. The path will be nul terminated.
The length of the buf (including nul termination), usually sizeof(buf)
Service name
content of EPR, used to compute sha1 hash that becomes part of the file name
0 on success (the real return value is returned via buf result parameter)
N.B. This function relies on specific, ANSI documented, functioning of snprintf(3) library function. Unfortunately, it has been found that on some platforms this function only works correctly in the 'C' locale. If you suspect this to be the case, you may want to try
export LANG=C
especially if you get errors about multibyte characters.
Source file: zxidepr.c
Extract from a string representing SOAP envelope, the payload part in the body.
Source file: zxidlib.c
Extract a certificate from PEM encoded string.
Source file: zxidconf.c
Look for issuer in all messages we support.
Source file: zxiddec.c
Extract a private key from PEM encoded string.
Source file: zxidconf.c
Check whether attribute is in pool.
Source file: zxidconf.c
Look into attribute statement(s) of an assertion and scan for the nth occurrence of the named attribute. Ordering of attributes is according to their occurrence in the attribute statement, or more broadly according to the ordering of the attribute statements themselves.
NULL or zero length nfmt (name format) will match any
NULL or zero length name will match any
NULL or zero length friendly (name) will match any
minus one (-1) as either length field will cause strlen() to be done
the index n is one based
Arguments
Assertion data structure, obtained from XML parsing
Length of the name format, or 0 if no matching by name format is desired
name format to match (or 0)
Length of the attribute name, or 0 if no matching by attribute name is desired
attribute name to match (or 0)
Length of the friendly name, or 0 if no matching by friendly name is desired
friendly name to match (or 0)
Ordinal of the desired matching instance. 1 means first.
Data structure representing the matching attribute.
Source file: zxida7n.c
Check whether name is in the list. Used for Local PDP white and black lists.
Source file: zxidconf.c
Search the EPRs cached under the session for a match. First the directory is searched for files whose name starts with the service type. These files are opened and parsed as EPRs and further checks are made. The nth match is returned. 1 means first. Typical name: /var/zxid/ses/SESID/SVCTYPE,SHA1
ZXID configuration object, also used for memory allocation
Session object in whose EPR cache the file is searched
Service type (usually a URN)
(Optional) If provided, this argument has to match either the ProviderID, EntityID, or actual service endpoint URL.
(Optional) Additional discovery options for selecting the service, query string format
(Optional) The action, or method, that must be invocable on the service
Ordinal of the matching instance to return. 1 means first
EPR data structure (or linked list of EPRs) on success, 0 on failure
Source file: zxidepr.c
Check whether attribute is in a (needed or wanted) list. Just a linear scan as it is simple and good enough for handful of attributes.
Source file: zxidconf.c
Find a session object by a number of criteria.
ZXID configuration object
Result parameter. Must have been previously allocated. This will be modified to match the found session.
Session Index, usually from SSO assertion or from SLO request. If not supplied (i.e. 0), the nid MUST be supplied and will be used as sole basis for deleting the session.
The idp assigned Name ID associated with the session. If supplied as 0, then ses_ix MUST be supplied and will be used to determine which session is deleted.
0 unknown session or error, 1 session found successfully
Source file: zxidses.c
Fold service type (or any URN or URL) to file name.
Source file: zxidepr.c
Process .bs directory. See also zxid_di_query()
Source file: zxidpsso.c
Wrapper for zxid_get_ent_ss(), which see.
Source file: zxidmeta.c
Given sha1_name, check in memory cache and if not, the disk cache. Do not try net (WKL).
Source file: zxidmeta.c
In the artifact profile the concept of "succinct id" appears. If you have one of those, you can use this function to fetch the entity metadata. Only in-memory and disk caches will be tried. No network connection (WKL) will be initiated.
Source file: zxidmeta.c
Compute sha1_name for an entity and then read the metadata from the CoT metadata cache directory, e.g. /var/zxid/cot.
Source file: zxidmeta.c
Read metadata from a file.
Usually the file will be named according to "sha1 name", which is safe base64 encoded SHA1 digest hash over the EntityID. This is used to ensure unique file name for each entity. However, this function will in fact read from any file name supplied.
See also zxid_get_ent_from_cache() which will compute the sha1_name and then read the metadata.
Source file: zxidmeta.c
Accessor function for extracting endpoint's SAML2 assertion token.
Source file: zxidepr.c
Accessor function for extracting endpoint address URL.
Source file: zxidepr.c
Accessor function for extracting endpoint Description (Abstract).
Source file: zxidepr.c
Accessor function for extracting endpoint ProviderID.
Source file: zxidepr.c
Send HTTP request for metadata using Well Known Location (WKL) method and wait for response. Send the message to the server using Curl. Return the metadata as parsed XML for the entity. This call will block while the HTTP request-response is happening.
ZXID configuration object, also used for memory allocation
Where the request will be sent, i.e. the WKL
XML data structure representing the entity, or 0 upon failure
The underlying HTTP client is libcurl. While libcurl is documented to be "entirely thread safe", one limitation is that a curl handle can not be shared between threads. Since we keep the curl handle as part of the configuration object, which may be shared between threads, we need to take a lock for the duration of the curl operation. Thus any given configuration object can have only one HTTP request active at a time. If you need more parallelism, you need more configuration objects.
Source file: zxidcurl.c
Wrapper for zxid_get_meta() so you can provide the URL as zx_str.
Source file: zxidcurl.c
Get simple session object from the filesystem. This just gets the nameid and reference to the assertion. Use zxid_get_ses_sso_a7n() to actually load the assertion, if needed. Or zxid_ses_to_pool() if you need attributes as well. Returns 1 if session gotten, 0 if fail.
Source file: zxidses.c
Get the IdP entity associated with the session. Generally this is figured out from the Issuer field of the SSO assertion that started the session.
Source file: zxidses.c
When session is loaded, we only get the reference to assertion. This is to avoid parsing overhead when the assertion really is not needed. But when the assertion is needed, you have to call this function to load it from file (under /var/zxid/log/rely/EID/a7n/AID) and parse it.
Source file: zxidses.c
Try to extract session ID from a cookie. The extracted value, if any, will be deposited in cgi->sid. If no session ID is found, then cgi->sid is not modified. The name of the cookie is determined by configuration option SES_COOKIE_NAME (see zxidconf.h).
For original Netscape cookie spec see: http://curl.haxx.se/rfc/cookie_spec.html (Oct2007)
Example
ONE_COOKIE=aaa; ZXIDSES=S12cvd324; SOME_OTHER_COOKIE=...
Source file: zxidcgi.c
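Session ID extraction from a Cookie: header as the text describes it, written as an added example rather than ZXID's own code. The cookie name ZXIDSES and the header line are taken from the example above; the function name cookie_get() and its signature are assumptions. It matches the whole cookie name (so XZXIDSES does not satisfy a lookup for ZXIDSES), leaves the output untouched on a miss, and refuses to hand back a truncated value, since a cut-down session ID is not the session ID.

```c
#include <stdio.h>
#include <string.h>

/* Look up cookie `name` in a Cookie: header value such as
 *   ONE_COOKIE=aaa; ZXIDSES=S12cvd324; SOME_OTHER_COOKIE=...
 * Returns 1 and copies the nul-terminated value into out on a hit; 0 and leaves out untouched
 * on a miss; -1 (out untouched) if the value would not fit in outlen bytes. */
int cookie_get(const char *hdr, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ';') ++p;          /* skip separators */
        if (!*p) break;
        const char *semi = strchr(p, ';');
        size_t seg = semi ? (size_t)(semi - p) : strlen(p);         /* one name=value pair */
        if (seg > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = seg - nlen - 1;
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) --vlen; /* trailing blanks */
            if (vlen + 1 > outlen) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += seg;
    }
    return 0;
}

/* Helper: 1 if cookie `name` in hdr has exactly the value expect. */
int cookie_value_is(const char *hdr, const char *name, const char *expect) {
    char buf[64];
    return cookie_get(hdr, name, buf, sizeof buf) == 1 && strcmp(buf, expect) == 0;
}

/* Helper: a miss must not modify the caller's buffer (mirrors "cgi->sid is not modified"). */
int cookie_miss_leaves_out_untouched(void) {
    char buf[16] = "unchanged";
    return cookie_get("A=1; B=2", "ZXIDSES", buf, sizeof buf) == 0 && strcmp(buf, "unchanged") == 0;
}

/* Helper: an over-long value is rejected and the buffer is not partially overwritten. */
int cookie_overlong_rejected(void) {
    char buf[4] = "abc";
    return cookie_get("ZXIDSES=S12cvd324", "ZXIDSES", buf, sizeof buf) == -1 && strcmp(buf, "abc") == 0;
}

int main(void) {
    char sid[64];
    const char *hdr = "ONE_COOKIE=aaa; ZXIDSES=S12cvd324; SOME_OTHER_COOKIE=...";  /* from the page */
    if (cookie_get(hdr, "ZXIDSES", sid, sizeof sid) == 1) printf("session id: %s\n", sid);
    return 0;
}
```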
Locate user file using a NameID, which may be old or current. If old, chase the MNIptr fields until current is found. Mainly used to support MNI.
Source file: zxiduser.c
ID-WSF Authentication Service: check password and emit bootstrap(s) To generate the data, use:
perl -MMIME::Base64 -e 'print encode_base64("\0user\0pw\0")'
perl -MMIME::Base64 -e 'print encode_base64("\0tastest\0tas123\0")'
See also: zxid_as_call_ses()
Source file: zxidpsso.c
Dispatch redirect and POST binding requests. Returns a string (such as a Location: header) and lets the caller output it.
Source file: zxididpx.c
SAML2 service locator. Given desired service, like SLO or MNI, and possibly binding, locate the appropriate service descriptor from the IdP metadata.
ZXID configuration object, used for preferences and for memory allocation
May contain CGI variables that further indicate preference. Often specified as 0 (no preference).
Session object, which may be used to remember historical events, such as binding of SSO transaction, that may act as preferences for binding. The session MUST have assertion.
Metadata for the IdP
The desired service, indicated as URN
preferred binding URN, or 0 if no preference. In that case the built in preference is used, or if that is indifferent, then first applicable metadata item is picked. If IdP only supports one binding 0 will match that. If nonzero, then the IdP metadata MUST have exactly matching entry or else 0 is returned.
URL for accessing the service or 0 upon failure
Limitation: If binding is not specified, it may be ambiguous what binding the returned URL relates to. Generally the decision will have been taken prior to calling this function.
Source file: zxidloc.c
Raw computation of IdP URL given service type, binding, and whether operation is a request. See zxid_idp_loc() for full description.
Source file: zxidloc.c
Process IdP SLO request. The IdP SLO Requests are complicated by the need to log the user out of other SPs as well, if they belong to same session. Part of the complication is figuring out what constitutes "same session". Finally, the redirect profiles may be "hairy" to handle if some SP does not collaborate in the SLO. For SOAP similar problem exists, but it should be manageable.
Source file: zxidslo.c
Determine URL for SOAP binding to given service and perform a SOAP call.
ZXID configuration object
CGI variables that may influence determination of end point. Or 0 if no preference.
Session information that may influence the choice of the end point. The session MUST have assertion.
Metadata for the IdP
The desired service, indicated as URN
XML data structure for the SOAP call
XML data structure for Body element of the SOAP call response.
Source file: zxidloc.c
SOAP dispatch can also handle requests and responses received via artifact resolution. However only some combinations make sense. Return 0 for failure, otherwise some success code such as ZXID_SSO_OK *** NOT CALLED FROM ANYWHERE. See zxid_sp_soap_dispatch() for real action
Source file: zxididpx.c
Return 0 for failure, otherwise some success code such as ZXID_SSO_OK
Source file: zxididpx.c
Generate IdP SSO Descriptor metadata fragment [SAML2meta].
Source file: zxidmeta.c
If zxid_path is supplied as NULL, then a minimal initialization of the context is performed. Certificate and key operations as well as CURL initialization are omitted. However the zx_ctx is installed so that memory allocation against the context should work.
Source file: zxidconf.c
Create Authorization Decision
Source file: zxidspx.c
Check whether attribute is in a (needed or wanted) list. Just a linear scan as it is simple and good enough for handful of attributes.
Source file: zxidconf.c
Generate Issuer value. Issuer is often same as Entity ID, but sometimes it will be affiliation ID. This function is a low level interface. Usually you would want to use zxid_my_issuer().
Source file: zxidmeta.c
Generate key descriptor metadata fragment given X509 certificate [SAML2meta].
Source file: zxidmeta.c
Generate XML-DSIG key info given X509 certificate.
Source file: zxidmeta.c
Lazy load signing certificate and private key. This reads them from disk if needed. If they do not exist and auto_cert is enabled, they will be generated on disk and then read. Once read from disk, they will be cached in memory.
Source file: zxidconf.c
Check for ECP indications in HTTP request headers and initiate PAOS based Single Sign On, i.e. AuthnRequest. This is part of the SAML2 Enhanced Client Proxy profile.
Current (2008) code only works in CGI environment due to reliance on environment variables.
If you do not know what PAOS, ECP or LECP means, you should read [SAML2bind] specification.
Source file: zxidecp.c
Parse ATTRSRC specification and add it to linked list namespaceA,BweightaccessparamURLAAPMLrefotherLimext;namespaceA,BweightaccessparamURLAAPMLrefotherLimext;...
Source file: zxidconf.c
Usually you will want to use the get_ent() methods if you need only specific entities. Loading the entire cache is expensive and only useful if you really need to enumerate through all available entities. This may be the case when rendering login buttons for all IdPs in a user interface.
ZXID configuration object
Linked list of Entity objects (metadata) for CoT partners
Source file: zxidmeta.c
Parse ATTRSRC specification and add it to linked list namespaceA,BweightaccessparamURLAAPMLrefotherLimext;namespaceA,BweightaccessparamURLAAPMLrefotherLimext;...
Source file: zxidconf.c
Parse map specification and add it to linked list srcnsArulebext;srcArulebext;...
Source file: zxidconf.c
Parse need specification and add it to linked list A,Busageretentionobligext;A,Busageretentionobligext;...
Source file: zxidconf.c
Local Policy Decision Point - decide on role and idpnid. Return: 0 for Deny and 1 for Permit.
Source file: zxidsimp.c
Try to map security mechanisms across different frameworks. Low level function.
Source file: zxidwsc.c
Transform content according to map. The returned zx_str will be nul terminated.
Source file: zxidlib.c
Create SAML protocol
Source file: zxidmk.c
Constructor for Assertion
Source file: zxidmk.c
Low level constructor for WSA
Source file: zxidmkwsf.c
Construct AuthnStatement
Source file: zxidmk.c
Make the body for the ArtifactResolve SOAP message, signing it if needed.
Source file: zxidmk.c
Construct SAML Attribute
Source file: zxidmk.c
Interpret ZXID standard form fields to construct a XML structure for AuthnRequest
Source file: zxidmk.c
Construct XACMLAuthzDecisionQuery
Source file: zxidmk.c
Construct XACMLAuthzDecisionQuery according to Committee Draft 1
Source file: zxidmk.c
Low level constructor for
Source file: zxidmkwsf.c
Low level constructor for
Source file: zxidmkwsf.c
Low level constructor for
Source file: zxidmkwsf.c
Low level constructor for
Source file: zxidmkwsf.c
Low level constructor for
Source file: zxidmkwsf.c
Low level constructor for
Source file: zxidmkwsf.c
Low level constructor for
Source file: zxidmkwsf.c
Low level constructor for discovery
Source file: zxidmkwsf.c
Low level constructor for discovery
Source file: zxidmkwsf.c
Generate headers for use with Liberty ID-FF 1.2 LECP carried AuthnRequest.
If you do not know what PAOS, ECP or LECP means, you should read [SAML2bind] specification.
Source file: zxidecp.c
Create EncryptedAssertion given normal A7N and metadata of destination. Encryption will be done using encryption certificate of the receiver identified by the metadata.
Source file: zxidmk.c
Create EncryptedID given normal NameID and metadata of destination. Encryption will be done using encryption certificate of the receiver identified by the metadata.
Source file: zxidmk.c
Generate pseudorandom or statistically unique identifier of given length. The unique identifier will be safe base64 encoded.
Configuration object, used for memory allocation.
A prefix string, usually used to distinguish classes of unique ids.
Number of pseudorandom bits in the unique ID. For best results, bits should be multiple of 24 (3 bytes expands to 4 safe base64 chars)
The identifier as zx_str. Caller should eventually free this memory.
Source file: zxidlib.c
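The unique identifier generator described above, as an added example that is not ZXID's own code. It shows why the text recommends a multiple of 24 bits: three random bytes map to exactly four safe-base64 characters, so no partial group is left over. Assumptions: the "safe base64" alphabet is the URL- and filename-safe variant ('-' and '_' for values 62 and 63) rendered without padding; random bytes are read straight from /dev/urandom rather than through ZXID's OpenSSL-backed hook; the function names are hypothetical. The deterministic core unique_id_from_bytes() is separated from the entropy source so it can be checked on constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed safe-base64 alphabet: '-' and '_' replace '+' and '/', so ids are usable in URLs and file names. */
static const char SAFE_B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Encode len bytes without padding. Returns a malloc'd nul-terminated string (caller frees). */
char *safe_base64_encode(const unsigned char *in, size_t len) {
    size_t outlen = (len * 4 + 2) / 3;                 /* ceil(len*4/3) characters */
    char *out = malloc(outlen + 1), *o = out;
    if (!out) return NULL;
    size_t i = 0;
    for (; i + 3 <= len; i += 3) {                     /* whole 24-bit groups: 3 bytes -> 4 chars */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8) | in[i + 2];
        *o++ = SAFE_B64[(v >> 18) & 63]; *o++ = SAFE_B64[(v >> 12) & 63];
        *o++ = SAFE_B64[(v >> 6) & 63];  *o++ = SAFE_B64[v & 63];
    }
    if (len - i == 1) {                                /* leftover byte: 2 chars, no padding */
        unsigned v = (unsigned)in[i] << 16;
        *o++ = SAFE_B64[(v >> 18) & 63]; *o++ = SAFE_B64[(v >> 12) & 63];
    } else if (len - i == 2) {                         /* leftover 2 bytes: 3 chars, no padding */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8);
        *o++ = SAFE_B64[(v >> 18) & 63]; *o++ = SAFE_B64[(v >> 12) & 63]; *o++ = SAFE_B64[(v >> 6) & 63];
    }
    *o = '\0';
    return out;
}

/* Deterministic core: prefix followed by the safe-base64 rendering of the supplied random bytes. */
char *unique_id_from_bytes(const char *prefix, const unsigned char *rnd, size_t nbytes) {
    char *b64 = safe_base64_encode(rnd, nbytes);
    if (!b64) return NULL;
    size_t plen = strlen(prefix);
    char *id = malloc(plen + strlen(b64) + 1);
    if (id) { memcpy(id, prefix, plen); strcpy(id + plen, b64); }
    free(b64);
    return id;
}

/* Draw `bits` of randomness (rounded up to whole bytes) from the OS CSPRNG and render it.
 * Returns NULL if the entropy source cannot be read: never fall back to a weak generator for ids
 * that are later compared for uniqueness or used as references to assertions and sessions. */
char *gen_unique_id(const char *prefix, unsigned bits) {
    size_t nbytes = (bits + 7) / 8;
    unsigned char buf[64];
    if (nbytes == 0 || nbytes > sizeof buf) return NULL;
    FILE *f = fopen("/dev/urandom", "rb");             /* assumption: stand-in for ZXID's RNG hook */
    if (!f) return NULL;
    size_t got = fread(buf, 1, nbytes, f);
    fclose(f);
    if (got != nbytes) return NULL;
    return unique_id_from_bytes(prefix, buf, nbytes);
}

/* 1 if id starts with prefix and the rest consists only of safe-base64 characters. */
int unique_id_is_safe(const char *id, const char *prefix) {
    size_t plen = strlen(prefix);
    if (strncmp(id, prefix, plen) != 0) return 0;
    for (const char *p = id + plen; *p; ++p)
        if (!strchr(SAFE_B64, *p)) return 0;
    return 1;
}

/* Helper for checking the encoder on constructed bytes. */
int encodes_to(const unsigned char *in, size_t len, const char *expect) {
    char *e = safe_base64_encode(in, len);
    int ok = e && strcmp(e, expect) == 0;
    free(e);
    return ok;
}

int main(void) {
    char *id = gen_unique_id("S", 144);                 /* 144 bits = 18 bytes = 24 chars, no leftover */
    if (id) { printf("%s\n", id); free(id); }
    return 0;
}
```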
Build IDPList of IDPEntry(s) from the IdPs known to us at the moment (our CoT). Can be used for ECP and IdP proxying.
ZXID configuration object, used to locate the CoT directory (PATH configuration option) and for memory allocation
The SSO protocol binding the qualifying IdPs MUST support, or 0 if anything goes
IdP list data structure or 0 on failure
Source file: zxidecp.c
Create XML data structure for
Source file: zxidmk.c
Create XML data structure for
Source file: zxidmk.c
Create ID-WSF protocol
Source file: zxidmkwsf.c
Change SPNameID (newnym supplied), or Terminate federation (newnym not supplied).
Create XML data structure for
Source file: zxidmk.c
Create XML data structure for
Source file: zxidmk.c
Generate SOAP headers for use with PAOS carried SAML2 ECP profile AuthnRequest.
If you do not know what PAOS, ECP or LECP means, you should read [SAML2bind] specification.
Source file: zxidecp.c
Construct SAML protocol Response (such as may be used to carry assertion in SSO)
Source file: zxidmk.c
Create Self-Signed Certificate-Private Key pair and Certificate Signing Request. This function is invoked when AUTO_CERT is set and a certificate is missing. As this is not expected to be frequent, we are cavalier about releasing the memory needed for each intermediate step.
zxid configuration object, of which cf->ctx will be used for memory allocation
sizeof(buf)
Buffer used for rendering pem representations of the data
Log key: who is calling and why
Name of the certificate file to be created
See also: keygen() in keygen.c
Source file: zxcrypto.c
Construct Subject, possibly with EncryptedID
Source file: zxidmk.c
Change NameID to be transient and record corresponding mapping.
Source file: zxidpsso.c
Construct XACML Response
Source file: zxidmk.c
Generate Manage Name Id (MNI) Descriptor metadata fragment [SAML2meta].
Source file: zxidmeta.c
Process
Source file: zxidmni.c
Wrapper for zxid_mni_do(), which see.
Source file: zxidmni.c
Dynamically determine our Common Domain Cookie (IdP discovery) URL.
Source file: zxidmeta.c
Generate Issuer value for our entity. Issuer is often same as Entity ID, but sometimes it will be affiliation ID.
Source file: zxidmeta.c
Create new (common pool) attribute and add it to a linked list
Source file: zxidconf.c
Allocate conf object, but do not actually initialize it with default config or config file. See: zxid_new_conf_to_cf() for a more complete solution.
Source file: zxidconf.c
Create new ZXID configuration object given configuration string and possibly configuration file.
Configuration service
Configuration object
Source file: zxidsimp.c
Compute (and fold) unique nice sha1 name according to NAME,SHA1
This name format is designed to ensure a unique name while maintaining human readability. This is useful in the common case where the WSC wants to call a specific type of web service.
ZXID configuration object, also used for memory allocation
result parameter. The buffer, which must have been allocated, will be modified to have the path. The path will be nul terminated.
The length of the buf (including nul termination), usually sizeof(buf)
Often Service name or SP Entity ID
content of EPR or the SP EntityID, used to compute sha1 hash that becomes part of the file name
How many characters to ignore from beginning of name: 0 or 7
0 on success (the real return value is returned via buf result parameter)
Source file: zxidepr.c
Wrapper with initial error checking for zxid_parse_conf_raw(), which see.
Source file: zxidconf.c
Parse Metadata, see [SAML2meta]. This function is quite low level and assumes it is processing a buffer (which may contain multiple instances of various metadata).
ZXID configuration object, used here mainly for memory allocation
Value-result parameter. Pointer to char pointer pointing to the beginning of the metadata. As metadata is scanned and parsed, this pointer will be advanced
End of the metadata buffer
Entity data structure composed from the metadata.
Source file: zxidmeta.c
Parse a line from .mni and form a NameID, unless there is mniptr
Source file: zxiduser.c
This function makes the policy decision about which profile to use. It is only used if there was no explicit specification in the CGI form (e.g. the "Login (P)" button). Currently it's a stub that always picks the artifact profile. Eventually configuration options or CGI input can be used to determine the profile in a more sophisticated way. Often zxid_mk_authn_req() will override the return value of this function by its own inspection of the CGI variables.
Source file: zxidsso.c
Convert attributes from (session) pool to JSON, applying OUTMAP. *** Need to check escaping JSON values, e.g. " or
Source file: zxidpool.c
Convert attributes from (session) pool to query string, applying OUTMAP. *** Need to check multivalue handling. Now all values are simply blurted out as separate name=value pairs.
*** Need to figure out how to distinguish query string return from other returns, like redirect. Perhaps arrange dn field always first?
Source file: zxidpool.c
Process certificates (public keys) from a metadata for entity. Since one entity can be both IdP and SP, this function may be called twice per entity, with different kd argument.
Source file: zxidmeta.c
Map SAML protocol binding URN to form field.
Source file: zxidsso.c
Create new session object in file system. The assertion must have been created separately.
Configuration object
Pointer to previously allocated and populated session object
1 upon success, 0 on failure.
Source file: zxidses.c
Create new user object in file system.
Source file: zxiduser.c
Locally authenticate user. If successful, create a session. Expects to get username and password in cgi->au and cgi->ap respectively. User authentication is done against local database or by default using /var/zxid/uid/uid/.pw file. When filesystem backend is used, for safety reasons the uid (user) component cannot have certain characters, such as slash (/) or sequences like "..". See also: zxpasswd.c
0 on failure and sets cgi->err; 1 on success
Source file: zxiduser.c
Extract a certificate from PEM encoded file.
Source file: zxidconf.c
Extract a private key from PEM encoded file.
Source file: zxidconf.c
Map authentication context class ref form field to SAML specified URN string.
Source file: zxidsso.c
Map name id format form field to SAML specified URN string.
Source file: zxidsso.c
Map protocol binding form field to SAML specified URN string.
Source file: zxidsso.c
SAMLRequest. Return the HTTP 302 redirect LOCATION header + CRLF2. You need to pass this to some application layer facility to effectuate the actual redirect. Wrapper for zxid_saml2_redir_enc(). This is different from zxid_saml2_redir_url() in that the entire Location header is returned, rather than just the url.
ZXID configuration object, also used for memory allocation
The URL up to query string
What should be encoded in the redirect URL. Effectively becomes the query string
Optional relay state argument. Ends up being encoded in the query string
HTTP Location header as zx_str. The memory should be freed by the caller.
Source file: zxidlib.c
SAMLRequest. Return the URL needed for redirect. You need to pass this to some application layer facility to effectuate the actual redirect. Wrapper for zxid_saml2_redir_enc(). This function is different from zxid_saml2_redir() in that only the URL is returned, not the complete Location header.
ZXID configuration object, also used for memory allocation
The URL up to query string
What should be encoded in the redirect URL. Effectively becomes the query string
Optional relay state argument. Ends up being encoded in the query string
URL suitable for redirection as zx_str. The memory should be freed by the caller.
Source file: zxidlib.c
SAMLResponse. Return the HTTP 302 redirect LOCATION header + CRLF2. You need to pass this to some application layer facility to effectuate the actual redirect. Wrapper for zxid_saml2_redir_enc().
ZXID configuration object, also used for memory allocation
The URL up to query string
What should be encoded in the redirect URL. Effectively becomes the query string
Optional relay state argument. Ends up being encoded in the query string
HTTP Location header as zx_str. The memory should be freed by the caller.
Source file: zxidlib.c
Check status codes in SAML response to verify that request was completed OK.
ZXID configuration object, also used for memory allocation
CGI variables decoded from the query string. err field of the CGI object will be set upon failure.
The SAML
Explanatory string used in error and log messages
1 if SAML message is OK, 0 if message is not OK.
Source file: zxidlib.c
Generate our SP metadata and send it to remote partner.
This function only works with CGI as it will print the serialized metadata straight to stdout. There are other methods for getting metadata without this limitation, e.g. zxid_sp_meta()
Source file: zxidmeta.c
Convert attributes from session to JSON, applying OUTMAP.
Source file: zxidpool.c
Convert attributes from session to LDIF, applying OUTMAP.
Source file: zxidpool.c
Convert attributes from session to query string, applying OUTMAP.
Source file: zxidpool.c
Set obscure options of ZX and ZXID layers. Used to set debug options. Generally setting these options is not supported, but this function exists to avoid uncontrolled access to global variables. At least this way the unsupported activity will happen in one controlled place where it can be ignored, if need to be. You have been warned.
Source file: zxidconf.c
Set obscure options of ZX and ZXID layers. Used to set debug options. Generally setting these options is not supported, but this function exists to avoid uncontrolled access to global variables. At least this way the unsupported activity will happen in one controlled place where it can be ignored, if need to be. You have been warned.
Source file: zxidconf.c
Generate our SP CARML and return it as a string.
Source file: zxidconf.c
Pretty print cstr list as used in local PDP.
Source file: zxidconf.c
Pretty print map chain.
Source file: zxidconf.c
Pretty print need or want chain.
Source file: zxidconf.c
Map ZXSIG constant to letter for log and string message.
Source file: zxidsso.c
Main simple interface. C string nul termination is assumed. Really just a wrapper for zxid_simple_cf().
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Allocate simple session and then call simple handler. Strings are length + pointer (no C string nul termination needed). A wrapper for zxid_simple_cf().
Configuration object
Length of the query string. -1 = use strlen()
Query string (or POST content)
Result parameter. If non-null, will be set to the length of the returned string
Automation flags, see zxid-simple.pd for documentation
String representing protocol action or SSO attributes
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Process IdP side after successful authentication. If IdP was invoked with AuthnReq (in SAMLRequest) then op=='F' as set in zxid_simple_idp_pw_authn() which will trigger the rest of the SSO protocol in zxid_simple_ses_active_cf(). Otherwise just show the IdP management screen.
Source file: zxidsimp.c
Process password authentication form and, if ssoreq (ar=) is present (see zxid_simple_idp_show_an() for how it is embedded to hidden form field), proceed to federated SSO. If login fails, redisplay the authentication page.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Show Authentication screen. Generally this will be in response to the SP having sent the user via redirect carrying AuthnRequest encoded in SAMLRequest query string parameter, per SAML redirect binding [SAML2bind]. We must preserve SAMLRequest as hidden field in the page for later processing once the authentication step has been taken care of. It will also be passed on the query string to external authentication page if any was configured with AN_PAGE directive.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Process simple configuration and then call simple handler. Strings are length + pointer (no C string nul termination needed). A wrapper for zxid_simple_cf().
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Subroutine of zxid_simple_cf() for the no session detected/active case.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Helper function to redirect according to auto flags.
Source file: zxidsimp.c
Subroutine of zxid_simple_cf() for the session active case.
NULL return means the "not logged in" processing is needed, see zxid_simple_no_ses_cf()
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Emit CARML declaration for SP. Corresponds to "o=c" query string.
Source file: zxidsimp.c
Dump internal info and configuration. Corresponds to "o=d" query string.
Source file: zxidsimp.c
Show IdP selection or login screen.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Emit metadata. Corresponds to "o=B" query string.
N.B. More complete documentation is available in zxid-simple.pd
Source file: zxidsimp.c
Deal with the various methods of shipping the page, including CGI stdout, or as string with or without headers, as indicated by the auto_flag. The page is in ss.
Source file: zxidsimp.c
Generate Single Logout (SLO) Descriptor metadata fragment [SAML2meta].
Source file: zxidmeta.c
Generate SLO Response, SP or IdP variant. The actual session invalidation must be done somewhere else, i.e. this is just the final protocol phase of the SLO.
Source file: zxidslo.c
Look into attribute statements of a SSO assertion and extract anything that looks like EPR, storing results in the session for later reference.
ZXID configuration object, also used for memory allocation
Session object in whose EPR cache will be populated
N.B. This approach ignores the official attribute names totally. Anything that looks like an EPR and that is structurally in the right place will work. Typical name /var/zxid/ses/SESID/SVCTYPE,SHA1
Source file: zxidepr.c
Look into attribute statements of a SSO assertion and extract anything that looks like EPR, storing results in the session for later reference.
ZXID configuration object, also used for memory allocation
Session object in whose EPR cache will be populated
N.B. This approach ignores the official attribute names totally. Anything that looks like an EPR and that is structurally in the right place will work. Typical name /var/zxid/ses/SESID/SVCTYPE,SHA1
Source file: zxidepr.c
Encode XML data structure representing SOAP envelope (request) and send the message to the server using Curl. Return the parsed XML response data structure. This call will block while the HTTP request-response is happening. To be called from SSO world. Wrapper for zxid_soap_call_raw().
ZXID configuration object, also used for memory allocation
The endpoint where the request will be sent
XML data structure representing the SOAP body
XML data structure representing the response
Source file: zxidlib.c
Encode XML data structure representing SOAP envelope (request) and send the message to the server using Curl. Return the parsed XML response data structure. This call will block while the HTTP request-response is happening. To be called from ID-WSF world. Wrapper for zxid_soap_call_raw().
ZXID configuration object, also used for memory allocation
The endpoint where the request will be sent
XML data structure representing the request
XML data structure representing the response
Source file: zxidlib.c
Encode XML data structure representing SOAP envelope (request) and send the message to the server using Curl. Return the parsed XML response data structure. This call will block while the HTTP request-response is happening. To be called from SSO world. Wrapper for zxid_soap_call_raw().
ZXID configuration object, also used for memory allocation
The endpoint where the request will be sent
XML data structure representing the SOAP headers. Possibly 0 if no headers are desired
XML data structure representing the SOAP body
XML data structure representing the response
Source file: zxidlib.c
Emit to stdout XML data structure representing SOAP envelope (request). Typically used in CGI environment.
ZXID configuration object, also used for memory allocation
XML data structure representing the request
0 if fail, ZXID_REDIR_OK if success.
Source file: zxidlib.c
Fake a login and generate a session. Used if SSO failure is configured to result in an anonymous session.
Configuration object, used to determine time slops, potentially memalloc via cf->ctx
CGI object. sigval and sigmsg may be set.
Session object. Will be modified according to new session created from the SSO assertion.
0 for failure, otherwise some success code such as ZXID_SSO_OK
Source file: zxidsso.c
Generate our SP CARML and return it as a string.
Source file: zxidmeta.c
Extract an assertion from Request, decrypting EncryptedAssertion if needed, and perform SSO
Source file: zxidspx.c
Dispatch redirect or post binding requests (and sometimes responses).
a string (such as Location: header) and let the caller output it. Sometimes a dummy string is just output to indicate status, e.g. "O" for SSO OK, "K" for normal OK no further action needed, "M" show management screen, "I" forward to IdP dispatch, or "* ERR" for error situations. These special strings are allocated from static storage and MUST NOT be freed. Other strings such as "Location: ..." should be freed by caller.
Source file: zxidspx.c
SAML2 service locator for SP. Given desired service, like SLO or MNI, and possibly binding, locate the appropriate service descriptor from the Sp metadata.
ZXID configuration object, used for preferences and for memory allocation
May contain CGI variables that further indicate preference. Often specified as 0 (no preference).
Session object, which may be used to remember historical events, such as binding of SSO transaction, that may act as preferences for binding. The session MUST have assertion.
Metadata for the Sp
The desired service, indicated as URN
preferred binding URN, or 0 if no preference. In that case the built in preference is used, or if that is indifferent, then first applicable metadata item is picked. If Sp only supports one binding 0 will match that. If nonzero, then the Sp metadata MUST have exactly matching entry or else 0 is returned.
URL for accessing the service or 0 upon failure
Limitation: If binding is not specified, it may be ambiguous what binding the returned URL relates to. Generally the decision will have been taken prior to calling this function.
Source file: zxidloc.c
Raw computation of SP URL given service type, binding, and whether operation is a request. See zxid_sp_loc() for full description.
URL for the protocol end point, or 0 on failure
Source file: zxidloc.c
Generate our SP metadata and return it as a string.
Source file: zxidmeta.c
Change SPNameID (newnym supplied), or Terminate federation (newnym not supplied), using SAML2 HTTP redirect binding. This is the (SP) client side that contacts the IdP. Return the HTTP 302 redirect LOCATION header + CRLF2. Returns the URL as string to which the environment should cause the user (browser) to be redirected.
Source file: zxidmni.c
Change SPNameID (newnym supplied), or Terminate federation (newnym not supplied), using SAML2 SOAP binding. This is the (SP) client side that contacts the IdP.
Source file: zxidmni.c
Process SP SLO request.
Source file: zxidslo.c
Determine URL for SOAP binding to given service on SP and perform a SOAP call.
ZXID configuration object
CGI variables that may influence determination of end point. Or 0 if no preference.
Session information that may influence the choice of the end point. The session MUST have assertion.
Metadata for the Sp
The desired service, indicated as URN
XML data structure for the SOAP call
XML data structure for Body element of the SOAP call response.
Source file: zxidloc.c
SOAP dispatch can also handle requests and responses received via artifact resolution. However only some combinations make sense. See zxid/sg/wsf-soap11.sg for the master SOAP dispatch from parsing perspective.
Return 0 for failure, otherwise some success code such as ZXID_SSO_OK
Source file: zxidspx.c
Return 0 for failure, otherwise some success code such as ZXID_SSO_OK
Source file: zxidspx.c
Generate SP SSO Descriptor metadata fragment [SAML2meta].
Source file: zxidmeta.c
Generate Single SignOn (SSO) Descriptor idp metadata fragment [SAML2meta].
Source file: zxidmeta.c
Wrapper for zxid_start_sso_url(), used in CGI scripts.
Source file: zxidsso.c
Wrapper for zxid_start_sso_url(), used when Location header needs to be passed outside. Returns Location header as zx_str. Caller should eventually free this memory.
Source file: zxidsso.c
Set the URL configuration variable. Usually you would use zxid_parse_conf() to manipulate this and some other options. This function exists for some special cases encountered in scripting language bindings.
Source file: zxidconf.c
Change a NameID to newnym. Old NameID's user entry is rewritten to have mniptr
Source file: zxiduser.c
Obtain the hex encoded version integer describing the libzxid. This can be used to effectuate a runtime version number check. For compile time you should check the value of the ZXID_VERSION macro.
Source file: zxidlib.c
Obtain the version string describing the libzxid. This can be used for runtime version display. For compile time you should check the value of the ZXID_VERSION macro.
Source file: zxidlib.c
Write metadata of an entity to the Circle of Trust (CoT) cache of the entity identified by cf. Mainly used by Auto-CoT.
Source file: zxidmeta.c
Create web service response, printf style. See zxid_wsp_decorate() for more documentation.
Source file: zxidwsp.c
Process
Source file: zxidspx.c
Allocate memory for logging purpose. Generally memory allocation goes via zx_alloc() family of functions. However, due to special requirements of cryptographically implemented logging, we maintain this special allocation function (which backends to zx_alloc()).
This function is considered internal. Do not use unless you know what you are doing.
Source file: zxlog.c
Write a blob of content to log file according to logflag (see zxidconf.h). If the file already exists, i.e. there is a duplicate, the data is simply appended. When logging objects such as assertions, the duplicate check should be done as preprocessing step, see example below.
ZXID configuration object, used for memory allocation
0 if logging should not happen, 1 for normal logging, other values reserved
Path where file is to be written, usually from zxlog_path()
The data to be logged.
Log key. Indicates which part of the program invoked the logging function.
0 if no log written (failure or logflag false), 1 if log written. Often ignored.
Example:

    logpath = zxlog_path(cf, issuer, a7n->ID, "rely/", "/a7n/", 1);
    if (logpath) {
      if (zxlog_dup_check(cf, logpath, "SSO assertion")) {
        /* Duplicate assertion ID: log it anyway, under log key "E", then reject. */
        zxlog_blob(cf, cf->log_rely_a7n, logpath, zx_EASY_ENC_WO_sa_Assertion(cf->ctx, a7n), "E");
        goto erro;
      }
      /* First time this ID is seen: log it under log key "OK". */
      zxlog_blob(cf, cf->log_rely_a7n, logpath, zx_EASY_ENC_WO_sa_Assertion(cf->ctx, a7n), "OK");
    }
In the above example we determine the logpath and check for the duplicate and then log even if duplicate. The logic of this is that in case of duplicate, the audit trail captures both the original and the duplicate assertion (the logging is an append), which may have forensic value.
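The same per-ID-file replay check and append-only logging, re-implemented stand-alone as an added example (this is not ZXID's own code, and the flattened "<logdir>/<issuer>,<id>" layout and all function names here are hypothetical), so the behaviour described above can be exercised without libzxid. The ID components are also screened with the rule the text gives for the uid component (no slash, no "..") before they are used in a path.

```c
/* Added example, not ZXID code: per-ID log file as duplicate check, with append-only logging. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same rule the text gives for the uid component: no '/' and no "..". */
int safe_component(const char *s)
{
    return s && *s && !strchr(s, '/') && !strstr(s, "..");
}

/* Render the per-assertion path (hypothetical layout). 0 on success, -1 on unsafe input or overflow. */
int a7n_log_path(char *buf, size_t len, const char *logdir,
                 const char *issuer, const char *id)
{
    if (!safe_component(issuer) || !safe_component(id)) return -1;
    int n = snprintf(buf, len, "%s/%s,%s", logdir, issuer, id);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Existence of the file is the duplicate check: 1 = duplicate, 0 = fresh. */
int a7n_dup_check(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Append one "<logkey> <blob>" record; O_APPEND keeps earlier copies. 1 = written, 0 = failure. */
int a7n_log_blob(const char *path, const char *lk, const char *blob)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    FILE *f = fd < 0 ? NULL : fdopen(fd, "a");
    if (!f) { if (fd >= 0) close(fd); return 0; }
    fprintf(f, "%s %s\n", lk, blob);
    return fclose(f) == 0;
}

/* Mirror of the zxlog_blob() example: a fresh ID is logged under "OK" and accepted (0);
 * a repeat is logged under "E" and rejected (1); an unsafe ID is refused (-1). */
int record_assertion(const char *logdir, const char *issuer,
                     const char *id, const char *blob)
{
    char path[512];
    if (a7n_log_path(path, sizeof path, logdir, issuer, id) < 0) return -1;
    if (a7n_dup_check(path)) { a7n_log_blob(path, "E", blob); return 1; }
    a7n_log_blob(path, "OK", blob);
    return 0;
}

/* Records in the per-ID file: 0 if none, -1 on bad path. */
int a7n_record_count(const char *logdir, const char *issuer, const char *id)
{
    char path[512], line[1024];
    int n = 0;
    if (a7n_log_path(path, sizeof path, logdir, issuer, id) < 0) return -1;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) n++;
    fclose(f);
    return n;
}

/* Replay a constructed assertion twice in a scratch directory. Returns 0 when every
 * step behaves as described above, otherwise the number of the failing step. */
int run_demo(void)
{
    char tmpl[] = "/tmp/a7nlogXXXXXX";
    const char *dir = mkdtemp(tmpl);
    const char *a7n = "<sa:Assertion ID=\"_c0ffee\">...</sa:Assertion>"; /* constructed sample */
    if (!dir) return 1;
    if (record_assertion(dir, "idp.example.com", "_c0ffee", a7n) != 0) return 2;  /* first: OK */
    if (record_assertion(dir, "idp.example.com", "_c0ffee", a7n) != 1) return 3;  /* replay: E */
    if (a7n_record_count(dir, "idp.example.com", "_c0ffee") != 2) return 4;       /* both kept */
    if (record_assertion(dir, "idp.example.com", "../escape", a7n) != -1) return 5; /* refused */
    return 0;
}
```

run_demo() leaves its scratch files under /tmp so the two appended records can be inspected afterwards.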
Source file: zxlog.c
Check if file by path already exists. Since each uniquely ID'd object has unique path, mere existence of a file serves as duplicate ID check. This is used to satisfy some SAML processing rule requirements such as duplicate ID check for assertions.
ZXID configuration object, used for memory allocation
Path where file is to be written, usually from zxlog_path()
String that will help to identify reason of failure
0 if no duplicate (success), 1 if duplicate (failure)
Source file: zxlog.c
Write a line to a log, taking care of all formalities of locking and observing all special options for signing and encryption of the logs. Not usually called directly (but you can if you want to), this is the work horse behind zxlog().
ZXID configuration object, used for memory allocation.
Path to the log file, as C string
Encryption flags. See LOG_ERR or LOG_ACT configuration options in zxidconf.h
length of log data
The data that should be logged
Source file: zxlog.c
Sign a blob of data using rsa-sha1 algorithm.
ZX context. Used for memory allocation.
Length of the raw data
Raw data to sign
Result parameter. Raw binary signature data will be returned via this parameter.
Private key used for signing.
Log key. Used to make logs and error messages more meaningful.
-1 on failure. Upon success the length of the raw signature data.
Source file: zxsig.c
Verify a signature over a blob of data using rsa-sha1 algorithm.
Length of the raw data
Raw data over which the signature was made
Length of the raw binary signature data
Raw binary signature data
Certificate used for signing
Log key. Used to make logs and error messages more meaningful
ZX_SIG value. 0 (ZXSIG_OK) means success. Other values mean failure of some sort.
Source file: zxsig.c