Bugzilla 1057: enforce SAML no-empty-reference rule in digital signat…

…ures where possible.
InCommon · Nov 12, 2013 · 5961626 · 5961626
1 parent 1e78964
commit 5961626
Show file tree

Hide file tree

Showing 17 changed files with 26 additions and 1 deletion.
diff --git a/mdx/au_aaf/beans.xml b/mdx/au_aaf/beans.xml
@@ -42,6 +42,7 @@
     <bean id="au_aaf_checkSignature" parent="XMLSignatureValidationStage"
         p:id="au_aaf_checkSignature">
         <property name="verificationCertificate" ref="au_aaf_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/be_belnet/beans.xml b/mdx/be_belnet/beans.xml
@@ -65,6 +65,7 @@
     <bean id="be_belnet_checkSignature" parent="XMLSignatureValidationStage"
         p:id="be_belnet_checkSignature">
         <property name="verificationCertificate" ref="be_belnet_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/br_cafe/beans.xml b/mdx/br_cafe/beans.xml
@@ -65,6 +65,7 @@
     <bean id="br_cafe_checkSignature" parent="XMLSignatureValidationStage"
         p:id="br_cafe_checkSignature">
         <property name="verificationCertificate" ref="br_cafe_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/ca_caf/beans.xml b/mdx/ca_caf/beans.xml
@@ -86,8 +86,9 @@
         Check "cafshib" signing signature.
     -->
     <bean id="ca_caf_cafShibCheckSignature" parent="XMLSignatureValidationStage"
-        p:id="ca_caf_checkSignature">
+        p:id="ca_caf_cafShibCheckSignature">
         <property name="verificationCertificate" ref="ca_caf_cafShibSigningCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/ch_switchaai/beans.xml b/mdx/ch_switchaai/beans.xml
@@ -76,6 +76,7 @@
     <bean id="ch_switchaai_checkSignature" parent="XMLSignatureValidationStage"
         p:id="ch_switchaai_checkSignature">
         <property name="verificationCertificate" ref="ch_switchaai_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--
@@ -84,6 +85,7 @@
     <bean id="ch_switchaai_checkInterfedSignature" parent="XMLSignatureValidationStage"
         p:id="ch_switchaai_checkInterfedSignature">
         <property name="verificationCertificate" ref="ch_switchaai_interfedSigningCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
@@ -80,6 +80,11 @@
         
         Applies global algorithm blacklists. For values, see:
             http://www.w3.org/TR/xmlsec-algorithms/
+            
+        Establishes a default of *not* permitting empty references
+        in signatures, per the SAML specification. This will be
+        overridden in specific beans where a signature is known to
+        require it.
     -->
     <bean id="XMLSignatureValidationStage" abstract="true" parent="stage_parent"
         class="net.shibboleth.metadata.dom.XMLSignatureValidationStage">
@@ -93,6 +98,7 @@
                 <value>http://www.w3.org/2001/04/xmldsig-more#rsa-md5</value>
             </list>
         </property>
+        <property name="permittingEmptyReferences" value="false"/>
     </bean>
 
     <!--

diff --git a/mdx/cz_eduid/beans.xml b/mdx/cz_eduid/beans.xml
@@ -75,6 +75,7 @@
     <bean id="cz_eduid_checkSignature" parent="XMLSignatureValidationStage"
         p:id="cz_eduid_checkSignature">
         <property name="verificationCertificate" ref="cz_eduid_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/es_sir/beans.xml b/mdx/es_sir/beans.xml
@@ -65,6 +65,7 @@
     <bean id="es_sir_checkSignature" parent="XMLSignatureValidationStage"
         p:id="es_sir_checkSignature">
         <property name="verificationCertificate" ref="es_sir_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/fi_haka/beans.xml b/mdx/fi_haka/beans.xml
@@ -65,6 +65,7 @@
     <bean id="fi_haka_checkSignature" parent="XMLSignatureValidationStage"
         p:id="fi_haka_checkSignature">
         <property name="verificationCertificate" ref="fi_haka_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--
@@ -84,6 +85,7 @@
     <bean id="fi_haka_checkEdugainSignature" parent="XMLSignatureValidationStage"
         p:id="fi_haka_checkEdugainSignature">
         <property name="verificationCertificate" ref="fi_haka_edugainSigningCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/fr_renater/beans.xml b/mdx/fr_renater/beans.xml
@@ -81,6 +81,7 @@
     <bean id="fr_renater_checkSignature" parent="XMLSignatureValidationStage"
         p:id="fr_renater_checkSignature">
         <property name="verificationCertificate" ref="fr_renater_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--
@@ -100,6 +101,7 @@
     <bean id="fr_renater_edugainCheckSignature" parent="XMLSignatureValidationStage"
         p:id="fr_renater_edugainCheckSignature">
         <property name="verificationCertificate" ref="fr_renater_edugainSigningCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/gr_grnet/beans.xml b/mdx/gr_grnet/beans.xml
@@ -65,6 +65,7 @@
     <bean id="gr_grnet_checkSignature" parent="XMLSignatureValidationStage"
         p:id="gr_grnet_checkSignature">
         <property name="verificationCertificate" ref="gr_grnet_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/ie_edugate/beans.xml b/mdx/ie_edugate/beans.xml
@@ -55,6 +55,7 @@
     <bean id="ie_edugate_checkSignature" parent="XMLSignatureValidationStage"
         p:id="ie_edugate_checkSignature">
         <property name="verificationCertificate" ref="ie_edugate_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/it_idem/beans.xml b/mdx/it_idem/beans.xml
@@ -65,6 +65,7 @@
     <bean id="it_idem_checkSignature" parent="XMLSignatureValidationStage"
         p:id="it_idem_checkSignature">
         <property name="verificationCertificate" ref="it_idem_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/jp_gakunin/beans.xml b/mdx/jp_gakunin/beans.xml
@@ -42,6 +42,7 @@
     <bean id="jp_gakunin_checkSignature" parent="XMLSignatureValidationStage"
         p:id="jp_gakunin_checkSignature">
         <property name="verificationCertificate" ref="jp_gakunin_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/lv_laife/beans.xml b/mdx/lv_laife/beans.xml
@@ -68,6 +68,7 @@
     <bean id="lv_laife_checkSignature" parent="XMLSignatureValidationStage"
         p:id="lv_laife_checkSignature">
         <property name="verificationCertificate" ref="lv_laife_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/se_swamid/beans.xml b/mdx/se_swamid/beans.xml
@@ -71,6 +71,7 @@
     <bean id="se_swamid_checkSignature" parent="XMLSignatureValidationStage"
         p:id="se_swamid_checkSignature">
         <property name="verificationCertificate" ref="se_swamid_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--

diff --git a/mdx/si_arnes/beans.xml b/mdx/si_arnes/beans.xml
@@ -42,6 +42,7 @@
     <bean id="si_arnes_checkSignature" parent="XMLSignatureValidationStage"
         p:id="si_arnes_checkSignature">
         <property name="verificationCertificate" ref="si_arnes_signingCertificate"/>
+        <property name="permittingEmptyReferences" value="true"/>
     </bean>
 
     <!--