--- opensaml2-2.3.orig/saml/signature/ContentReference.cpp +++ opensaml2-2.3/saml/signature/ContentReference.cpp @@ -46,6 +46,7 @@ void ContentReference::createReferences(DSIGSignature* sig) { DSIGReference* ref=NULL; + sig->setIdByAttributeName(false); const XMLCh* id=m_signableObject.getXMLID(); if (!id || !*id) ref=sig->createReference(&chNull, m_digest ? m_digest : DSIGConstants::s_unicodeStrURISHA1); // whole doc reference --- opensaml2-2.3.orig/saml/signature/SignatureProfileValidator.cpp +++ opensaml2-2.3/saml/signature/SignatureProfileValidator.cpp @@ -25,6 +25,7 @@ #include "signature/SignableObject.h" #include "signature/SignatureProfileValidator.h" +#include <xmltooling/logging.h> #include <xmltooling/signature/Signature.h> #include <xercesc/util/XMLUniDefs.hpp> @@ -35,6 +36,7 @@ using namespace opensaml; using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; using namespace std; @@ -63,7 +65,14 @@ const SignableObject* signableObj=dynamic_cast<const SignableObject*>(sigObj.getParent()); if (!signableObj) throw ValidationException("Signature is not a child of a signable SAML object."); - + + if (sig->getObjectLength() != 0) { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an embedded <Object> element"); + throw ValidationException("Invalid signature profile for SAML object."); + } + + sig->setIdByAttributeName(false); + bool valid=false; DSIGReferenceList* refs=sig->getReferenceList(); if (refs && refs->getSize()==1) { @@ -80,13 +89,33 @@ else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N && tlist->item(i)->getTransformType()!=TRANSFORM_C14N) { valid=false; + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained an invalid transform"); break; } } } + + if (valid && URI && *URI) { + valid = false; + if (sigObj.getDOM() && signableObj->getDOM()) { + DOMElement* signedNode = sigObj.getDOM()->getOwnerDocument()->getElementById(ID); + if (signedNode && signedNode->isSameNode(signableObj->getDOM())) { + valid = true; + } + else { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object node"); + } + } + } + } + else { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature reference does not match parent object ID"); } } } + else { + Category::getInstance(SAML_LOGCAT".SignatureProfileValidator").error("signature contained multiple or zero references"); + } if (!valid) throw ValidationException("Invalid signature profile for SAML object.");