2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * SimpleSigningRule.cpp
20 * Blob-oriented signature checking SecurityPolicyRule
24 #include "exceptions.h"
25 #include "binding/HTTPRequest.h"
26 #include "binding/SimpleSigningRule.h"
27 #include "saml2/core/Assertions.h"
28 #include "saml2/metadata/Metadata.h"
29 #include "saml2/metadata/MetadataProvider.h"
31 #include <log4cpp/Category.hh>
33 using namespace opensaml::saml2md;
34 using namespace opensaml;
35 using namespace xmltooling;
36 using namespace log4cpp;
39 using xmlsignature::KeyInfo;
42 SecurityPolicyRule* SAML_DLLLOCAL SimpleSigningRuleFactory(const DOMElement* const & e)
44 return new SimpleSigningRule(e);
47 // Appends a raw parameter=value pair to the string.
48 static bool appendParameter(string& s, const char* data, const char* name)
50 const char* start = strstr(data,name);
55 const char* end = strchr(start,'&');
57 s.append(start, end-start);
65 void SimpleSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
67 Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SimpleSigning");
68 log.debug("evaluating simple signing policy");
70 if (!policy.getIssuerMetadata()) {
71 log.debug("ignoring message, no issuer metadata supplied");
74 else if (!policy.getTrustEngine()) {
75 log.debug("ignoring message, no TrustEngine supplied");
79 const HTTPRequest* httpRequest = dynamic_cast<const HTTPRequest*>(request);
80 if (!request || !httpRequest) {
81 log.debug("ignoring message, no HTTP protocol request available");
85 const char* signature = request->getParameter("Signature");
87 log.debug("ignoring unsigned message");
91 const char* sigAlgorithm = request->getParameter("SigAlg");
93 log.error("SigAlg parameter not found, no way to verify the signature");
99 if (!strcmp(httpRequest->getMethod(), "GET")) {
100 // We have to construct a string containing the signature input by accessing the
101 // request directly. We can't use the decoded parameters because we need the raw
102 // data and URL-encoding isn't canonical.
103 pch = httpRequest->getQueryString();
104 if (!appendParameter(input, pch, "SAMLRequest="))
105 appendParameter(input, pch, "SAMLResponse=");
106 appendParameter(input, pch, "RelayState=");
107 appendParameter(input, pch, "SigAlg=");
110 // With POST, the input string is concatenated from the decoded form controls.
111 // GET should be this way too, but I messed up the spec, sorry.
112 pch = httpRequest->getParameter("SAMLRequest");
114 input = string("SAMLRequest=") + pch;
116 pch = httpRequest->getParameter("SAMLResponse");
117 input = string("SAMLResponse=") + pch;
119 pch = httpRequest->getParameter("RelayState");
121 input = input + "&RelayState=" + pch;
122 input = input + "&SigAlg=" + sigAlgorithm;
125 // Check for KeyInfo, but defensively (we might be able to run without it).
126 KeyInfo* keyInfo=NULL;
127 pch = request->getParameter("KeyInfo");
130 istringstream kstrm(pch);
131 DOMDocument* doc = XMLToolingConfig::getConfig().getParser().parse(kstrm);
132 XercesJanitor<DOMDocument> janitor(doc);
133 XMLObject* kxml = XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true);
135 if (!(keyInfo=dynamic_cast<KeyInfo*>(kxml)))
138 catch (XMLToolingException& ex) {
139 log.warn("Failed to load KeyInfo from message: %s", ex.what());
143 auto_ptr<KeyInfo> kjanitor(keyInfo);
144 auto_ptr_XMLCh alg(sigAlgorithm);
146 if (!policy.getTrustEngine()->validate(
147 alg.get(), signature, keyInfo, input.c_str(), input.length(),
148 *(policy.getIssuerMetadata()), policy.getMetadataProvider()->getKeyResolver()
150 log.error("unable to verify message signature with supplied trust engine");
154 log.debug("signature verified against message issuer");