authorLuke Howard <lukeh@padl.com>2009-10-26 22:00:08 +0000
committerLuke Howard <lukeh@padl.com>2009-10-26 22:00:08 +0000
commit6369724c7ec6719711d540acf0b396d990b4e6c2 (patch)
tree4a36ae6bc35f06894e04bd041233a74d5fda0115
parent478cb76325d7f2301d0b62ef91e1918e466ae8ec (diff)
downloadkrb5-6369724c7ec6719711d540acf0b396d990b4e6c2.zip
krb5-6369724c7ec6719711d540acf0b396d990b4e6c2.tar.gz
krb5-6369724c7ec6719711d540acf0b396d990b4e6c2.tar.bz2
use common PRF for SAML signing key
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml@23051 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/plugins/authdata/saml_client/saml_authdata.cpp38
-rw-r--r--src/plugins/authdata/saml_server/saml_kdc.cpp11
-rw-r--r--src/plugins/authdata/saml_server/saml_kdc.h35
-rw-r--r--src/plugins/authdata/saml_server/saml_krb.h115
4 files changed, 133 insertions, 66 deletions
diff --git a/src/plugins/authdata/saml_client/saml_authdata.cpp b/src/plugins/authdata/saml_client/saml_authdata.cpp
index 2264af2..fa07ad0 100644
--- a/src/plugins/authdata/saml_client/saml_authdata.cpp
+++ b/src/plugins/authdata/saml_client/saml_authdata.cpp
@@ -29,28 +29,7 @@
#include <string.h>
#include <errno.h>
-extern "C" {
-#include "k5-int.h"
-#include <krb5/authdata_plugin.h>
-}
-
-#include <saml/SAMLConfig.h>
-#include <saml/saml2/metadata/Metadata.h>
-#include <saml/saml2/metadata/MetadataProvider.h>
-#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
-#include <saml/signature/SignatureProfileValidator.h>
-#include <saml/util/SAMLConstants.h>
-#include <xmltooling/logging.h>
-#include <xmltooling/XMLToolingConfig.h>
-#include <xmltooling/security/SignatureTrustEngine.h>
-#include <xmltooling/security/OpenSSLCredential.h>
-#include <xmltooling/signature/Signature.h>
-#include <xmltooling/signature/SignatureValidator.h>
-#include <xmltooling/util/XMLHelper.h>
-#include <xsec/enc/XSECCryptoKeyHMAC.hpp>
-#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyHMAC.hpp>
-#include <xsec/enc/XSECCryptoException.hpp>
-#include <xsec/framework/XSECException.hpp>
+#include "../saml_server/saml_krb.h"
using namespace xmlsignature;
using namespace xmlconstants;
@@ -371,22 +350,25 @@ saml_verify_authdata(krb5_context kcontext,
{
krb5_error_code code;
struct saml_context *sc = (struct saml_context *)request_context;
- krb5_keyblock *skey = req->ticket->enc_part2->session;
+ XSECCryptoKey *xkey;
if (sc->assertion == NULL)
return EINVAL;
+ code = saml_krb_derive_key(kcontext, req->ticket->enc_part2->session, &xkey);
+ if (code != 0)
+ return code;
+
try {
- OpenSSLCryptoKeyHMAC xkey;
Signature *signature = sc->assertion->getSignature();
DSIGSignature *dsig = signature->getXMLSignature();
- if (dsig == NULL)
+ if (dsig == NULL) {
+ delete xkey;
return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
- xkey.setKey(skey->contents, skey->length);
-
- dsig->setSigningKey(xkey.clone());
+ dsig->setSigningKey(xkey);
if (dsig->verify())
code = 0;
else
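Review bot: `xkey` is leaked if `sc->assertion->getSignature()` or `signature->getXMLSignature()` throws inside the `try`, because the handlers that catch it (outside this hunk) have no reference to the key; only the `dsig == NULL` path deletes it. Holding the key in a guard until the hand-off removes both the leak and the manual delete: `std::auto_ptr<XSECCryptoKey> xkey_guard(xkey);` right after the derive call, drop `delete xkey;`, and pass `dsig->setSigningKey(xkey_guard.release());` (this assumes setSigningKey takes ownership, as the previous `xkey.clone()` call implied, and that `<memory>` is reachable through the existing includes). Note also that `signature` is still dereferenced without a NULL check, so an assertion with no Signature element would crash here rather than fail with KRB5KRB_AP_ERR_BAD_INTEGRITY; that predates this commit, but this path is what establishes the assertion's integrity, so it is worth fixing alongside. saml_verify_authdata's catch handlers and tail are outside the hunk.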
diff --git a/src/plugins/authdata/saml_server/saml_kdc.cpp b/src/plugins/authdata/saml_server/saml_kdc.cpp
index b356bad..010a103 100644
--- a/src/plugins/authdata/saml_server/saml_kdc.cpp
+++ b/src/plugins/authdata/saml_server/saml_kdc.cpp
@@ -211,7 +211,7 @@ saml_kdc_issue(krb5_context context,
krb5_error_code code;
saml2::Assertion *assertion = NULL;
Signature *signature = NULL;
- OpenSSLCryptoKeyHMAC *hmackey;
+ XSECCryptoKey *key;
string buf;
krb5_data data;
auto_ptr_XMLCh algorithm(URI_ID_HMAC_SHA512);
@@ -225,13 +225,14 @@ saml_kdc_issue(krb5_context context,
if (code != 0)
return code;
+ code = saml_krb_derive_key(context, enc_tkt_reply->session, &key);
+ if (code != 0)
+ return code;
+
try {
- hmackey = new OpenSSLCryptoKeyHMAC();
- hmackey->setKey(enc_tkt_reply->session->contents,
- enc_tkt_reply->session->length);
signature = SignatureBuilder::buildSignature();
signature->setSignatureAlgorithm(algorithm.get());
- signature->setSigningKey(hmackey);
+ signature->setSigningKey(key);
assertion->addNamespace(Namespace(XSD_NS, XSD_PREFIX));
assertion->addNamespace(Namespace(XSI_NS, XSI_PREFIX));
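Review bot: `key` is leaked if `SignatureBuilder::buildSignature()` or `setSignatureAlgorithm()` throws before `signature->setSigningKey(key)` hands it over, since the catch handlers (outside this hunk) cannot reach it; the same guard as on the client side closes the gap: `std::auto_ptr<XSECCryptoKey> key_guard(key);` after the derive call, then `signature->setSigningKey(key_guard.release());`. The new early `return code;` after `saml_krb_derive_key` also returns without releasing anything the preceding call built — `assertion` is declared NULL at the top of the function, but whether that call populates it is not visible here, so confirm that no cleanup is owed on this path. saml_kdc_issue continues outside the hunk.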
diff --git a/src/plugins/authdata/saml_server/saml_kdc.h b/src/plugins/authdata/saml_server/saml_kdc.h
index 08e6bfc..8a3b604 100644
--- a/src/plugins/authdata/saml_server/saml_kdc.h
+++ b/src/plugins/authdata/saml_server/saml_kdc.h
@@ -29,13 +29,10 @@
#ifndef SAML_KDC_H_
#define SAML_KDC_H_ 1
-extern "C" {
+#include "saml_krb.h"
-#include <string.h>
-#include <errno.h>
+extern "C" {
-#include <k5-int.h>
-#include <krb5/authdata_plugin.h>
#include <kdb.h>
#include <kdb_ext.h>
@@ -62,34 +59,6 @@ saml_authdata(krb5_context context,
}
-#include <saml/SAMLConfig.h>
-#include <saml/saml2/metadata/Metadata.h>
-#include <saml/saml2/metadata/MetadataProvider.h>
-#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
-#include <saml/signature/SignatureProfileValidator.h>
-#include <saml/util/SAMLConstants.h>
-#include <xmltooling/logging.h>
-#include <xmltooling/XMLToolingConfig.h>
-#include <xmltooling/security/SignatureTrustEngine.h>
-#include <xmltooling/security/OpenSSLCredential.h>
-#include <xmltooling/signature/Signature.h>
-#include <xmltooling/signature/SignatureValidator.h>
-#include <xmltooling/util/XMLHelper.h>
-#include <xsec/enc/XSECCryptoKeyHMAC.hpp>
-#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyHMAC.hpp>
-#include <xercesc/util/Base64.hpp>
-
-using namespace xmlsignature;
-using namespace xmlconstants;
-using namespace xmltooling::logging;
-using namespace xmltooling;
-using namespace samlconstants;
-using namespace opensaml::saml2md;
-using namespace opensaml::saml2;
-using namespace opensaml;
-using namespace xercesc;
-using namespace std;
-
krb5_error_code
saml_kdc_ldap_issue(krb5_context context,
krb5_db_entry *client,
diff --git a/src/plugins/authdata/saml_server/saml_krb.h b/src/plugins/authdata/saml_server/saml_krb.h
new file mode 100644
index 0000000..8d9a556
--- /dev/null
+++ b/src/plugins/authdata/saml_server/saml_krb.h
@@ -0,0 +1,115 @@
+/*
+ * plugins/authdata/saml_server/saml_kerb.h
+ *
+ * Copyright 2009 by the Massachusetts Institute of Technology.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * SAML Kerberos helpers
+ */
+
+#ifndef SAML_KRB_H_
+#define SAML_KRB_H_ 1
+
+extern "C" {
+#include <k5-int.h>
+#include <krb5/authdata_plugin.h>
+}
+
+#include <saml/SAMLConfig.h>
+#include <saml/saml2/metadata/Metadata.h>
+#include <saml/saml2/metadata/MetadataProvider.h>
+#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
+#include <saml/signature/SignatureProfileValidator.h>
+#include <saml/util/SAMLConstants.h>
+#include <xmltooling/logging.h>
+#include <xmltooling/XMLToolingConfig.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
+#include <xmltooling/security/OpenSSLCredential.h>
+#include <xmltooling/signature/Signature.h>
+#include <xmltooling/signature/SignatureValidator.h>
+#include <xmltooling/util/XMLHelper.h>
+#include <xsec/framework/XSECException.hpp>
+#include <xsec/enc/XSECCryptoKeyHMAC.hpp>
+#include <xsec/enc/XSECCryptoException.hpp>
+#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyHMAC.hpp>
+#include <xercesc/util/Base64.hpp>
+
+using namespace xmlsignature;
+using namespace xmlconstants;
+using namespace xmltooling::logging;
+using namespace xmltooling;
+using namespace samlconstants;
+using namespace opensaml::saml2md;
+using namespace opensaml::saml2;
+using namespace opensaml;
+using namespace xercesc;
+using namespace std;
+
+static inline krb5_error_code
+saml_krb_derive_key(krb5_context context,
+ krb5_keyblock *basekey,
+ XSECCryptoKey **pXMLKey)
+{
+ OpenSSLCryptoKeyHMAC *hmackey;
+ krb5_error_code code;
+ char constant[] = "saml";
+ krb5_data cdata;
+ krb5_data dk;
+ size_t dklen;
+
+ *pXMLKey = NULL;
+
+ cdata.data = constant;
+ cdata.length = sizeof(constant) - 1;
+
+ code = krb5_c_prf_length(context, basekey->enctype, &dklen);
+ if (code != 0)
+ return code;
+
+ dk.data = (char *)k5alloc(dklen, &code);
+ if (code != 0)
+ return code;
+
+ dk.length = dklen;
+
+ code = krb5_c_prf(context, basekey, &cdata, &dk);
+ if (code != 0)
+ return code;
+
+ try {
+ hmackey = new OpenSSLCryptoKeyHMAC();
+ hmackey->setKey((unsigned char *)dk.data, dk.length);
+ } catch (XSECCryptoException &e) {
+ code = KRB5_CRYPTO_INTERNAL;
+ } catch (XSECException &e) {
+ code = KRB5_CRYPTO_INTERNAL;
+ }
+
+ *pXMLKey = hmackey;
+
+ krb5_free_data_contents(context, &dk);
+
+ return code;
+}
+
+#endif /* SAML_KRB_H_ */
+
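Review bot: saml_krb_derive_key leaks and mis-reports on its error paths: when `krb5_c_prf` fails, the `dk.data` buffer obtained from `k5alloc` is never freed, and if `new OpenSSLCryptoKeyHMAC()` or `setKey` throws, `hmackey` is either uninitialized (it has no initializer at its declaration) or already allocated, yet `*pXMLKey = hmackey;` runs unconditionally before the error is returned, so a caller receives an indeterminate or half-built pointer together with a failure code. The PRF output is key material derived from the session key, so it should be wiped before release unless this tree's `krb5_free_data_contents` already zeroes — `zap()` from k5-int.h makes that explicit. A `std::bad_alloc` from `new` is not caught either and would unwind through the C plugin boundary; a `catch (std::bad_alloc &) { code = ENOMEM; }` arm would keep the failure inside the krb5_error_code contract. Separately, the header comment names the file `saml_kerb.h` while the path is `saml_krb.h`, and `using namespace` directives (including `std`) at header scope now leak into every translation unit that includes this file.
```cpp
    OpenSSLCryptoKeyHMAC *hmackey = NULL;
    // … unchanged: constant/cdata setup, krb5_c_prf_length, k5alloc of dk …

    code = krb5_c_prf(context, basekey, &cdata, &dk);
    if (code == 0) {
        try {
            hmackey = new OpenSSLCryptoKeyHMAC();
            hmackey->setKey((unsigned char *)dk.data, dk.length);
        } catch (XSECCryptoException &e) {
            code = KRB5_CRYPTO_INTERNAL;
        } catch (XSECException &e) {
            code = KRB5_CRYPTO_INTERNAL;
        } catch (std::bad_alloc &e) {
            code = ENOMEM;
        }
    }

    /* dk holds key material: wipe it, not just free it. */
    zap(dk.data, dk.length);
    krb5_free_data_contents(context, &dk);

    if (code != 0) {
        delete hmackey;          /* NULL if construction itself failed */
        return code;
    }

    *pXMLKey = hmackey;
    return 0;
```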