1 files changed, 162 insertions, 0 deletions

diff --git a/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch b/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
new file mode 100644
index 0000000..02ec907
--- /dev/null
+++ b/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch
@@ -0,0 +1,162 @@
+From 0d34c97be1c761a9eb12692e4cc4eac58feb7d19 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 15 Jun 2021 14:45:14 +0200
+Subject: [PATCH 4/7] Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with
+ lasso_get_default_signature_method() (#54037)
+
+This should be backwards-compatible but at the same time use the
+selected default instead of RSA-SHA1.
+
+Related:
+https://dev.entrouvert.org/issues/54037
+---
+ lasso/id-ff/defederation.c            | 2 +-
+ lasso/id-ff/logout.c                  | 6 +++---
+ lasso/id-ff/name_identifier_mapping.c | 4 ++--
+ lasso/id-ff/name_registration.c       | 4 ++--
+ lasso/id-ff/provider.c                | 2 +-
+ lasso/xml/tools.c                     | 2 +-
+ tests/basic_tests.c                   | 6 +++---
+ 7 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
+index d711e4eed..d2382f4ae 100644
+--- a/lasso/id-ff/defederation.c
++++ b/lasso/id-ff/defederation.c
+@@ -251,7 +251,7 @@ lasso_defederation_init_notification(LassoDefederation *defederation, gchar *rem
+ 				nameIdentifier,
+ 				profile->server->certificate ?
+ 					LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+-				LASSO_SIGNATURE_METHOD_RSA_SHA1);
++				lasso_get_default_signature_method());
+ 		if (profile->msg_relayState) {
+ 			message(G_LOG_LEVEL_WARNING,
+ 					"RelayState was defined but can't be used "\
+diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
+index 20d04ed82..d307db586 100644
+--- a/lasso/id-ff/logout.c
++++ b/lasso/id-ff/logout.c
+@@ -396,7 +396,7 @@ lasso_logout_build_response_msg(LassoLogout *logout)
+ 						profile->server->certificate ?
+ 						LASSO_SIGNATURE_TYPE_WITHX509 :
+ 						LASSO_SIGNATURE_TYPE_SIMPLE,
+-						LASSO_SIGNATURE_METHOD_RSA_SHA1));
++						lasso_get_default_signature_method()));
+ 		} else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
+ 			lasso_assign_new_gobject(profile->response,
+ 					lasso_lib_logout_response_new_full(
+@@ -608,7 +608,7 @@ lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
+ 				nameIdentifier,
+ 				profile->server->certificate ?
+ 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+-				LASSO_SIGNATURE_METHOD_RSA_SHA1);
++				lasso_get_default_signature_method());
+ 	} else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
+ 		is_http_redirect_get_method = TRUE;
+ 		lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
+@@ -990,7 +990,7 @@ lasso_logout_validate_request(LassoLogout *logout)
+ 				logout_request,
+ 				profile->server->certificate ?
+ 					LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+-				LASSO_SIGNATURE_METHOD_RSA_SHA1));
++				lasso_get_default_signature_method()));
+ 	}
+ 	if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
+ 		lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
+diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
+index 80af6fec4..f84020eb6 100644
+--- a/lasso/id-ff/name_identifier_mapping.c
++++ b/lasso/id-ff/name_identifier_mapping.c
+@@ -259,7 +259,7 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,
+ 			targetNamespace,
+ 			profile->server->certificate ?
+ 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
++			lasso_get_default_signature_method());
+ 	if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {
+ 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
+ 	}
+@@ -458,7 +458,7 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi
+ 			request,
+ 			profile->server->certificate ?
+ 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
++			lasso_get_default_signature_method());
+ 
+ 	if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {
+ 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
+diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
+index 11dbf24fe..076cf9624 100644
+--- a/lasso/id-ff/name_registration.c
++++ b/lasso/id-ff/name_registration.c
+@@ -339,7 +339,7 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,
+ 			idpNameIdentifier, spNameIdentifier, oldNameIdentifier,
+ 			profile->server->certificate ?
+ 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
++			lasso_get_default_signature_method());
+ 	if (profile->request == NULL) {
+ 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
+ 	}
+@@ -575,7 +575,7 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio
+ 			LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),
+ 			profile->server->certificate ?
+ 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
+-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
++			lasso_get_default_signature_method());
+ 	if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {
+ 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
+ 	}
+diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
+index 32a907d43..961c3669d 100644
+--- a/lasso/id-ff/provider.c
++++ b/lasso/id-ff/provider.c
+@@ -1274,7 +1274,7 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
+ 
+ 	if (public_key != NULL) {
+ 		xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,
+-				LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
++				lasso_get_default_signature_method(), NULL);
+ 		if (key) {
+ 			lasso_list_add_new_sec_key(keys, key);
+ 		} else {
+diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
+index ce322ee1f..cf6dade09 100644
+--- a/lasso/xml/tools.c
++++ b/lasso/xml/tools.c
+@@ -2746,7 +2746,7 @@ next:
+ 		content = xmlNodeGetContent(key_value);
+ 		if (content) {
+ 			result = lasso_xmlsec_load_private_key_from_buffer((char*)content,
+-					strlen((char*)content), NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
++					strlen((char*)content), NULL, lasso_get_default_signature_method(), NULL);
+ 			xmlFree(content);
+ 		}
+ 	}
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index f9cfef266..0652abc28 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2008,16 +2008,16 @@ START_TEST(test14_lasso_key)
+ 
+ 	check_true(g_file_get_contents(TESTSDATADIR "sp1-la/private-key-raw.pem", &buffer, &length, NULL));
+ 	check_not_null(key = lasso_key_new_for_signature_from_memory(buffer,
+-				length, NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
++				length, NULL, lasso_get_default_signature_method(),
+ 				NULL));
+ 	lasso_release_gobject(key);
+ 	check_not_null(key = lasso_key_new_for_signature_from_file(TESTSDATADIR
+-				"sp1-la/private-key-raw.pem", NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
++				"sp1-la/private-key-raw.pem", NULL, lasso_get_default_signature_method(),
+ 				NULL));
+ 	lasso_release_gobject(key);
+ 	base64_encoded = g_base64_encode(BAD_CAST buffer, length);
+ 	check_not_null(key = lasso_key_new_for_signature_from_base64_string(base64_encoded, NULL,
+-				LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL));
++				lasso_get_default_signature_method(), NULL));
+ 	lasso_release_string(base64_encoded);
+ 	lasso_release_string(buffer);
+ 	lasso_release_gobject(key);
+-- 
+2.26.3
+