Commit 28c4429b authored by Clément OUDOT's avatar Clément OUDOT

Configuration for SAML signature method (#1247)

parent a18037ba
......@@ -221,8 +221,9 @@ sub defaultValues {
'samlNameIDFormatMapX509' => 'mail',
'samlOrganizationDisplayName' => 'Example',
'samlOrganizationName' => 'Example',
'samlOrganizationURL' => 'http://www.example.com',
'samlRelayStateTimeout' => 600,
'samlOrganizationURL' => 'http://www.example.com',
'samlRelayStateTimeout' => 600,
'samlServiceSignatureMethod' => 'RSA_SHA256',
'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' =>
......
......@@ -65,7 +65,7 @@ our $issuerParameters = {
issuerDBOpenIDConnect => [qw(issuerDBOpenIDConnectActivation issuerDBOpenIDConnectPath issuerDBOpenIDConnectRule)],
issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)],
};
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter)];
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
1;
......@@ -27,7 +27,7 @@ sub types {
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......@@ -662,7 +662,7 @@ sub attributes {
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......@@ -1032,7 +1032,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval $s;
my $err = join(
......@@ -1117,7 +1117,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......@@ -1140,7 +1140,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......@@ -1495,7 +1495,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval $s;
my $err = join(
......@@ -1541,7 +1541,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......@@ -1900,7 +1900,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......@@ -2237,7 +2237,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......@@ -2822,6 +2822,20 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '',
'type' => 'RSAPublicKeyOrCertificate'
},
'samlServiceSignatureMethod' => {
'default' => 'RSA_SHA256',
'select' => [
{
'k' => 'RSA_SHA1',
'v' => 'RSA SHA1'
},
{
'k' => 'RSA_SHA256',
'v' => 'RSA SHA256'
}
],
'type' => 'select'
},
'samlServiceUseCertificateInResponse' => {
'default' => 0,
'type' => 'bool'
......@@ -2940,7 +2954,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
BEGIN {
${^WARNING_BITS} =
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
}
eval "$s $val";
my $err = join(
......
......@@ -1441,7 +1441,7 @@ sub attributes {
grep { $_ =~ /Undefined subroutine/ ? () : $_ }
split( /\n/, $@ ) );
return $err ? ( 1, "__badExpression__: $err" ) : (1);
}
}
},
documentation => 'Virtualhost headers',
flags => 'h',
......@@ -1741,6 +1741,14 @@ sub attributes {
default => '',
documentation => 'SAML encryption public key',
},
samlServiceSignatureMethod => {
type => 'select',
select => [
{ k => 'RSA_SHA1', v => 'RSA SHA1' },
{ k => 'RSA_SHA256', v => 'RSA SHA256' },
],
default => 'RSA_SHA256',
},
samlServiceUseCertificateInResponse => {
type => 'bool',
default => 0,
......
......@@ -818,7 +818,8 @@ sub tree {
'samlServicePublicKeyEnc'
]
},
'samlServiceUseCertificateInResponse'
'samlServiceUseCertificateInResponse',
'samlServiceSignatureMethod'
]
},
{
......
......@@ -910,6 +910,7 @@
"samlServicePrivateKeyEnc":"المفتاح الخاص",
"samlServicePrivateKeyEncPwd":"مفتاح كلمة المرور الخاصة",
"samlServicePublicKeyEnc":"المفتاح العام",
"samlServiceSignatureMethod":"Signature method",
"samlServiceUseCertificateInResponse":"استخدم الشهادة الرقمية في الردود",
"samlAdvanced":"المتقدمة",
"samlIdPResolveCookie":"اسم ملف تعريف الارتباط IDP",
......
......@@ -910,6 +910,7 @@
"samlServicePrivateKeyEnc":"Private key",
"samlServicePrivateKeyEncPwd":"Private key password",
"samlServicePublicKeyEnc":"Public key",
"samlServiceSignatureMethod":"Signature method",
"samlServiceUseCertificateInResponse":"Use certificate in responses",
"samlAdvanced":"Advanced",
"samlIdPResolveCookie":"IDP resolution cookie name",
......
......@@ -910,6 +910,7 @@
"samlServicePrivateKeyEnc":"Clef privée",
"samlServicePrivateKeyEncPwd":"Mot de passe de la clef privée",
"samlServicePublicKeyEnc":"Clef publique",
"samlServiceSignatureMethod":"Méthode pour la signature",
"samlServiceUseCertificateInResponse":"Utilisation du certificat dans les réponses",
"samlAdvanced":"Avancé",
"samlIdPResolveCookie":"Nom du cookie de résolution IDP",
......
......@@ -910,6 +910,7 @@
"samlServicePrivateKeyEnc":"Chiave privata",
"samlServicePrivateKeyEncPwd":"Password chiave privata",
"samlServicePublicKeyEnc":"Chiave pubblica",
"samlServiceSignatureMethod":"Signature method",
"samlServiceUseCertificateInResponse":"Utilizza il certificato nelle risposte",
"samlAdvanced":"Avanzato",
"samlIdPResolveCookie":"Nome del cookie di risoluzione IDP",
......
......@@ -910,6 +910,7 @@
"samlServicePrivateKeyEnc":"Khóa cá nhân",
"samlServicePrivateKeyEncPwd":"Khóa mật khẩu cá nhân",
"samlServicePublicKeyEnc":"Khóa công khai",
"samlServiceSignatureMethod":"Signature method",
"samlServiceUseCertificateInResponse":"Sử dụng chứng chỉ trong câu trả lời",
"samlAdvanced":"Nâng cao",
"samlIdPResolveCookie":"Tên cookie phân giải IDP",
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -202,7 +202,7 @@ sub loadService {
);
# Signature method
my $method = $self->conf->{samlServiceSignatureMethod} || 'SHA1';
my $method = $self->conf->{samlServiceSignatureMethod} || 'RSA_SHA1';
$server->signature_method( $self->getSignatureMethod($method) );
$self->logger->debug("Set $method as SAML server signature method ");
......@@ -3074,9 +3074,9 @@ sub getSignatureMethod {
my $signature_method_none = eval 'Lasso::Constants::SIGNATURE_METHOD_NONE';
return $signature_method_rsa_sha1
if ( $signature_method =~ /^SHA1$/i );
if ( $signature_method =~ /^RSA_SHA1$/i );
return $signature_method_rsa_sha256
if ( $signature_method =~ /^SHA256$/i );
if ( $signature_method =~ /^RSA_SHA256$/i );
return $signature_method_none;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment