author | Luke Howard <lukeh@padl.com> | 2009-10-26 22:00:08 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2009-10-26 22:00:08 +0000 |
commit | 6369724c7ec6719711d540acf0b396d990b4e6c2 (patch) | |
tree | 4a36ae6bc35f06894e04bd041233a74d5fda0115 | |
parent | 478cb76325d7f2301d0b62ef91e1918e466ae8ec (diff) | |
use common PRF for SAML signing key
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml@23051 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/plugins/authdata/saml_client/saml_authdata.cpp | 38 | ||||
-rw-r--r-- | src/plugins/authdata/saml_server/saml_kdc.cpp | 11 | ||||
-rw-r--r-- | src/plugins/authdata/saml_server/saml_kdc.h | 35 | ||||
-rw-r--r-- | src/plugins/authdata/saml_server/saml_krb.h | 115 |
4 files changed, 133 insertions, 66 deletions
diff --git a/src/plugins/authdata/saml_client/saml_authdata.cpp b/src/plugins/authdata/saml_client/saml_authdata.cpp index 2264af2..fa07ad0 100644 --- a/src/plugins/authdata/saml_client/saml_authdata.cpp +++ b/src/plugins/authdata/saml_client/saml_authdata.cpp @@ -29,28 +29,7 @@ #include <string.h> #include <errno.h> -extern "C" { -#include "k5-int.h" -#include <krb5/authdata_plugin.h> -} - -#include <saml/SAMLConfig.h> -#include <saml/saml2/metadata/Metadata.h> -#include <saml/saml2/metadata/MetadataProvider.h> -#include <saml/saml2/metadata/MetadataCredentialCriteria.h> -#include <saml/signature/SignatureProfileValidator.h> -#include <saml/util/SAMLConstants.h> -#include <xmltooling/logging.h> -#include <xmltooling/XMLToolingConfig.h> -#include <xmltooling/security/SignatureTrustEngine.h> -#include <xmltooling/security/OpenSSLCredential.h> -#include <xmltooling/signature/Signature.h> -#include <xmltooling/signature/SignatureValidator.h> -#include <xmltooling/util/XMLHelper.h> -#include <xsec/enc/XSECCryptoKeyHMAC.hpp> -#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyHMAC.hpp> -#include <xsec/enc/XSECCryptoException.hpp> -#include <xsec/framework/XSECException.hpp> +#include "../saml_server/saml_krb.h" using namespace xmlsignature; using namespace xmlconstants; 
@@ -371,22 +350,25 @@ saml_verify_authdata(krb5_context kcontext, { krb5_error_code code; struct saml_context *sc = (struct saml_context *)request_context; - krb5_keyblock *skey = req->ticket->enc_part2->session; + XSECCryptoKey *xkey; if (sc->assertion == NULL) return EINVAL; + code = saml_krb_derive_key(kcontext, req->ticket->enc_part2->session, &xkey); + if (code != 0) + return code; + try { - OpenSSLCryptoKeyHMAC xkey; Signature *signature = sc->assertion->getSignature(); DSIGSignature *dsig = signature->getXMLSignature(); - if (dsig == NULL) + if (dsig == NULL) { + delete xkey; return KRB5KRB_AP_ERR_BAD_INTEGRITY; + } - xkey.setKey(skey->contents, skey->length); - - dsig->setSigningKey(xkey.clone()); + dsig->setSigningKey(xkey); if (dsig->verify()) code = 0; else diff --git a/src/plugins/authdata/saml_server/saml_kdc.cpp b/src/plugins/authdata/saml_server/saml_kdc.cpp index b356bad..010a103 100644 --- a/src/plugins/authdata/saml_server/saml_kdc.cpp +++ b/src/plugins/authdata/saml_server/saml_kdc.cpp @@ -211,7 +211,7 @@ saml_kdc_issue(krb5_context context, krb5_error_code code; saml2::Assertion *assertion = NULL; Signature *signature = NULL; - OpenSSLCryptoKeyHMAC *hmackey; + XSECCryptoKey *key; string buf; krb5_data data; auto_ptr_XMLCh algorithm(URI_ID_HMAC_SHA512); @@ -225,13 +225,14 @@ saml_kdc_issue(krb5_context context, if (code != 0) return code; + code = saml_krb_derive_key(context, enc_tkt_reply->session, &key); + if (code != 0) + return code; + try { - hmackey = new OpenSSLCryptoKeyHMAC(); - hmackey->setKey(enc_tkt_reply->session->contents, - enc_tkt_reply->session->length); signature = SignatureBuilder::buildSignature(); signature->setSignatureAlgorithm(algorithm.get()); - signature->setSigningKey(hmackey); + signature->setSigningKey(key); assertion->addNamespace(Namespace(XSD_NS, XSD_PREFIX)); assertion->addNamespace(Namespace(XSI_NS, XSI_PREFIX)); 
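Review bot: The new `xkey` is released only on the `dsig == NULL` path; if `getSignature()` or `getXMLSignature()` throws before `dsig->setSigningKey(xkey)` hands ownership to the DSIGSignature, the key object (and the derived key material inside it) leaks, and the catch handlers that would have to delete it lie outside this hunk. Deriving into a local raw pointer, wrapping it at once in `std::auto_ptr<XSECCryptoKey> xkey(raw);` and then calling `dsig->setSigningKey(xkey.release());` covers every path and makes the explicit `delete xkey` unnecessary. Nothing visible in the function checks which algorithm the incoming assertion's SignedInfo declares before `dsig->verify()`; the KDC side of this commit signs with HMAC-SHA512, so unless the part of saml_verify_authdata outside the hunk pins that algorithm (and rejects a truncated HMACOutputLength), the client accepts whatever algorithm the assertion names for the session-key-derived HMAC. saml_verify_authdata continues past the end of the hunk.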
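Review bot: `key` in saml_kdc_issue has the same ownership gap: after `saml_krb_derive_key` succeeds, `SignatureBuilder::buildSignature()` or `setSignatureAlgorithm()` can throw before `signature->setSigningKey(key)` takes ownership, and whether the catch block (outside this hunk) deletes it cannot be seen from here; deriving into a temporary and holding it in `std::auto_ptr<XSECCryptoKey>` until `signature->setSigningKey(key.release());` closes it. The added `return code;` after the derive call also bypasses whatever cleanup the try/catch does for `assertion`, which is declared in the first hunk but created before this one; if it is already allocated at that point it leaks on the error path, as it presumably does on the pre-existing return just above. saml_kdc_issue begins and ends outside the hunk.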
diff --git a/src/plugins/authdata/saml_server/saml_kdc.h b/src/plugins/authdata/saml_server/saml_kdc.h index 08e6bfc..8a3b604 100644 --- a/src/plugins/authdata/saml_server/saml_kdc.h +++ b/src/plugins/authdata/saml_server/saml_kdc.h @@ -29,13 +29,10 @@ #ifndef SAML_KDC_H_ #define SAML_KDC_H_ 1 -extern "C" { +#include "saml_krb.h" -#include <string.h> -#include <errno.h> +extern "C" { -#include <k5-int.h> -#include <krb5/authdata_plugin.h> #include <kdb.h> #include <kdb_ext.h> @@ -62,34 +59,6 @@ saml_authdata(krb5_context context, } -#include <saml/SAMLConfig.h> -#include <saml/saml2/metadata/Metadata.h> -#include <saml/saml2/metadata/MetadataProvider.h> -#include <saml/saml2/metadata/MetadataCredentialCriteria.h> -#include <saml/signature/SignatureProfileValidator.h> -#include <saml/util/SAMLConstants.h> -#include <xmltooling/logging.h> -#include <xmltooling/XMLToolingConfig.h> -#include <xmltooling/security/SignatureTrustEngine.h> -#include <xmltooling/security/OpenSSLCredential.h> -#include <xmltooling/signature/Signature.h> -#include <xmltooling/signature/SignatureValidator.h> -#include <xmltooling/util/XMLHelper.h> -#include <xsec/enc/XSECCryptoKeyHMAC.hpp> -#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyHMAC.hpp> -#include <xercesc/util/Base64.hpp> - -using namespace xmlsignature; -using namespace xmlconstants; -using namespace xmltooling::logging; -using namespace xmltooling; -using namespace samlconstants; -using namespace opensaml::saml2md; -using namespace opensaml::saml2; -using namespace opensaml; -using namespace xercesc; -using namespace std; - krb5_error_code saml_kdc_ldap_issue(krb5_context context, krb5_db_entry *client, diff --git a/src/plugins/authdata/saml_server/saml_krb.h b/src/plugins/authdata/saml_server/saml_krb.h new file mode 100644 index 0000000..8d9a556 --- /dev/null +++ b/src/plugins/authdata/saml_server/saml_krb.h 
@@ -0,0 +1,115 @@ +/* + * plugins/authdata/saml_server/saml_kerb.h + * + * Copyright 2009 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ * + * + * SAML Kerberos helpers + */ + +#ifndef SAML_KRB_H_ +#define SAML_KRB_H_ 1 + +extern "C" { +#include <k5-int.h> +#include <krb5/authdata_plugin.h> +} + +#include <saml/SAMLConfig.h> +#include <saml/saml2/metadata/Metadata.h> +#include <saml/saml2/metadata/MetadataProvider.h> +#include <saml/saml2/metadata/MetadataCredentialCriteria.h> +#include <saml/signature/SignatureProfileValidator.h> +#include <saml/util/SAMLConstants.h> +#include <xmltooling/logging.h> +#include <xmltooling/XMLToolingConfig.h> +#include <xmltooling/security/SignatureTrustEngine.h> +#include <xmltooling/security/OpenSSLCredential.h> +#include <xmltooling/signature/Signature.h> +#include <xmltooling/signature/SignatureValidator.h> +#include <xmltooling/util/XMLHelper.h> +#include <xsec/framework/XSECException.hpp> +#include <xsec/enc/XSECCryptoKeyHMAC.hpp> +#include <xsec/enc/XSECCryptoException.hpp> +#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyHMAC.hpp> +#include <xercesc/util/Base64.hpp> + +using namespace xmlsignature; +using namespace xmlconstants; +using namespace xmltooling::logging; +using namespace xmltooling; +using namespace samlconstants; +using namespace opensaml::saml2md; +using namespace opensaml::saml2; +using namespace opensaml; +using namespace xercesc; +using namespace std; + +static inline krb5_error_code +saml_krb_derive_key(krb5_context context, + krb5_keyblock *basekey, + XSECCryptoKey **pXMLKey) +{ + OpenSSLCryptoKeyHMAC *hmackey; + krb5_error_code code; + char constant[] = "saml"; + krb5_data cdata; + krb5_data dk; + size_t dklen; + + *pXMLKey = NULL; + + cdata.data = constant; + cdata.length = sizeof(constant) - 1; + + code = krb5_c_prf_length(context, basekey->enctype, &dklen); + if (code != 0) + return code; + + dk.data = (char *)k5alloc(dklen, &code); + if (code != 0) + return code; + + dk.length = dklen; + + code = krb5_c_prf(context, basekey, &cdata, &dk); + if (code != 0) + return code; + + try { + hmackey = new OpenSSLCryptoKeyHMAC(); + 
hmackey->setKey((unsigned char *)dk.data, dk.length); + } catch (XSECCryptoException &e) { + code = KRB5_CRYPTO_INTERNAL; + } catch (XSECException &e) { + code = KRB5_CRYPTO_INTERNAL; + } + + *pXMLKey = hmackey; + + krb5_free_data_contents(context, &dk); + + return code; +} + +#endif /* SAML_KRB_H_ */ + |
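Review bot: saml_krb_derive_key mishandles its error paths: a failing `krb5_c_prf` returns without freeing `dk.data`, and when `new OpenSSLCryptoKeyHMAC()` or `setKey` throws, `hmackey` (uninitialized in the first case, a half-initialized object in the second) is still stored into `*pXMLKey` even though `code` is KRB5_CRYPTO_INTERNAL. `dk` holds the derived signing key, so it should also be wiped (k5-int.h's `zap()`) before `krb5_free_data_contents` rather than left behind in freed memory. The function needs a header comment stating that on success the caller owns `*pXMLKey` until it is passed to a `setSigningKey`, which takes ownership, and that `*pXMLKey` is NULL on every failure; note also that the file comment names `saml_kerb.h` while the file is saml_krb.h, and that the `using namespace` directives now land in every translation unit that includes this header. The rewrite below changes only the declaration of `hmackey` and the code after the PRF call.
```cpp
    OpenSSLCryptoKeyHMAC *hmackey = NULL;   /* was uninitialized */
    /* … unchanged: other locals, cdata setup, krb5_c_prf_length, k5alloc … */

    code = krb5_c_prf(context, basekey, &cdata, &dk);
    if (code != 0) {
        krb5_free_data_contents(context, &dk);
        return code;
    }

    try {
        hmackey = new OpenSSLCryptoKeyHMAC();
        hmackey->setKey((unsigned char *)dk.data, dk.length);
    } catch (XSECCryptoException &e) {
        code = KRB5_CRYPTO_INTERNAL;
    } catch (XSECException &e) {
        code = KRB5_CRYPTO_INTERNAL;
    }

    /* dk is key material: clear it before the buffer is released */
    zap(dk.data, dk.length);
    krb5_free_data_contents(context, &dk);

    if (code != 0) {
        delete hmackey;
        return code;
    }

    /* Caller owns the key until it is handed to setSigningKey(). */
    *pXMLKey = hmackey;
    return 0;
```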