Sophie: opensaml-2.3-4.fc15 src

opensaml-2.3-4.fc15.src.rpm

--- opensaml2-2.3.orig/saml/signature/ContentReference.cpp
+++ opensaml2-2.3/saml/signature/ContentReference.cpp
@@ -46,6 +46,7 @@
 void ContentReference::createReferences(DSIGSignature* sig)
 {
     DSIGReference* ref=NULL;
+    sig->setIdByAttributeName(false);
     const XMLCh* id=m_signableObject.getXMLID();
     if (!id || !*id)
         ref=sig->createReference(&chNull, m_digest ? m_digest : DSIGConstants::s_unicodeStrURISHA1);  // whole doc reference
--- opensaml2-2.3.orig/saml/signature/SignatureProfileValidator.cpp
+++ opensaml2-2.3/saml/signature/SignatureProfileValidator.cpp
@@ -25,6 +25,7 @@
 #include "signature/SignableObject.h"
 #include "signature/SignatureProfileValidator.h"
 
+#include <xmltooling/logging.h>
 #include <xmltooling/signature/Signature.h>
 
 #include <xercesc/util/XMLUniDefs.hpp>
@@ -35,6 +36,7 @@
 
 using namespace opensaml;
 using namespace xmlsignature;
+using namespace xmltooling::logging;
 using namespace xmltooling;
 using namespace std;
 
@@ -63,7 +65,14 @@
     const SignableObject* signableObj=dynamic_cast<const SignableObject*>(sigObj.getParent());
     if (!signableObj)
         throw ValidationException("Signature is not a child of a signable SAML object.");
-    
+
+    if (sig->getObjectLength() != 0) {
+        Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an embedded <Object> element");
+        throw ValidationException("Invalid signature profile for SAML object.");
+    }
+
+    sig->setIdByAttributeName(false);
+
     bool valid=false;
     DSIGReferenceList* refs=sig->getReferenceList();
     if (refs && refs->getSize()==1) {
@@ -80,13 +89,33 @@
                         else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
                                  tlist->item(i)->getTransformType()!=TRANSFORM_C14N) {
                             valid=false;
+                            Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an invalid transform");
                             break;
                         }
                     }
                 }
+
+                if (valid && URI && *URI) {
+                    valid = false;
+                    if (sigObj.getDOM() && signableObj->getDOM()) {
+                        DOMElement* signedNode = sigObj.getDOM()->getOwnerDocument()->getElementById(ID);
+                        if (signedNode && signedNode->isSameNode(signableObj->getDOM())) {
+                            valid = true;
+                        }
+                        else {
+                            Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object node");
+                        }
+                    }
+                }
+            }
+            else {
+                Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object ID");
             }
         }
     }
+    else {
+        Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained multiple or zero references");
+    }
     
     if (!valid)
         throw ValidationException("Invalid signature profile for SAML object.");