2 * The Shibboleth License, Version 1.
4 * University Corporation for Advanced Internet Development, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
11 * Redistributions of source code must retain the above copyright notice, this
12 * list of conditions and the following disclaimer.
14 * Redistributions in binary form must reproduce the above copyright notice,
15 * this list of conditions and the following disclaimer in the documentation
16 * and/or other materials provided with the distribution, if any, must include
17 * the following acknowledgment: "This product includes software developed by
18 * the University Corporation for Advanced Internet Development
19 * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledgement
20 * may appear in the software itself, if and wherever such third-party
21 * acknowledgments normally appear.
23 * Neither the name of Shibboleth nor the names of its contributors, nor
24 * Internet2, nor the University Corporation for Advanced Internet Development,
25 * Inc., nor UCAID may be used to endorse or promote products derived from this
26 * software without specific prior written permission. For written permission,
27 * please contact shibboleth@shibboleth.org
29 * Products derived from this software may not be called Shibboleth, Internet2,
30 * UCAID, or the University Corporation for Advanced Internet Development, nor
31 * may Shibboleth appear in their name, without prior written permission of the
32 * University Corporation for Advanced Internet Development.
35 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
36 * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
37 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
38 * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
39 * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
40 * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
41 * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
42 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
43 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
45 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
46 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
47 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
51 /* internal.h - internally visible classes
59 #ifndef __shib_internal_h__
60 #define __shib_internal_h__
63 # define SHIB_EXPORTS __declspec(dllexport)
66 // eventually we might be able to support autoconf via cygwin...
67 #if defined (_MSC_VER) || defined(__BORLANDC__)
68 # include "config_win32.h"
75 #include <openssl/x509.h>
77 #define SHIB_LOGCAT "Shibboleth"
// ClubShibPOSTProfile: a ShibPOSTProfile specialization that is wired at
// construction time to the metadata, trust, credential and policy providers
// it will consult when preparing or verifying browser/POST messages.
// NOTE(review): this listing omits the class braces, access specifiers and the
// constructor name lines, so only the declarations visible below are described.
81 class ClubShibPOSTProfile : public ShibPOSTProfile
// Receiving-side constructor parameters: metadata and trust providers, the
// accepted policy URIs, the expected receiver, and the assertion TTL (seconds).
85 const saml::Iterator<IMetadata*>& metadatas, const saml::Iterator<ITrust*>& trusts,
86 const saml::Iterator<const XMLCh*>& policies, const XMLCh* receiver, int ttlSeconds
// Issuing-side constructor parameters: metadata and credentials providers,
// the policy URIs, and the issuer name placed in generated messages.
89 const saml::Iterator<IMetadata*>& metadatas, const saml::Iterator<ICredentials*>& creds,
90 const saml::Iterator<const XMLCh*>& policies, const XMLCh* issuer
92 virtual ~ClubShibPOSTProfile();
// Builds a SAML POST response for the given recipient/subject/authn details.
// Returns a raw SAMLResponse*; ownership is not shown here -- presumably the
// caller must delete it (verify against ShibPOSTProfile::prepare).
// responseKey has no default and is therefore always supplied, whereas
// assertionKey and both certificate lists default to empty, so assertion-level
// signing is optional unless the caller provides a key. Whether a NULL
// responseKey is accepted is not visible in this listing.
94 saml::SAMLResponse* prepare(
95 const XMLCh* recipient,
97 const XMLCh* nameQualifier,
98 const XMLCh* subjectIP,
99 const XMLCh* authMethod,
101 const saml::Iterator<saml::SAMLAuthorityBinding*>& bindings,
102 XSECCryptoKey* responseKey,
103 const saml::Iterator<XSECCryptoX509*>& responseCerts=EMPTY(XSECCryptoX509*),
104 XSECCryptoKey* assertionKey=NULL,
105 const saml::Iterator<XSECCryptoX509*>& assertionCerts=EMPTY(XSECCryptoX509*)
// Trust decision for inbound signed objects: checks obj's XML signature for the
// signer named signerName at originSite. knownKey defaults to NULL, in which
// case the acceptable key is presumably resolved from the metadata/trust
// providers given to the constructor -- confirm in the implementation.
// Not marked virtual here; whether it shadows or overrides a base-class
// method of the same name is not visible in this listing.
109 void verifySignature(
110 const saml::SAMLSignedObject& obj,
111 const IOriginSite* originSite,
112 const XMLCh* signerName,
113 XSECCryptoKey* knownKey=NULL);
// ShibSOAPBinding: SAMLSOAPBinding specialization that carries the metadata,
// trust and credential providers plus the subject/relying-party identity used
// to set up the TLS side of a SOAP exchange.
// NOTE(review): the constructor's opening line, the class braces and the
// access specifiers are not in this listing.
116 class ShibSOAPBinding : public saml::SAMLSOAPBinding
// Constructor parameters. All five are stored by reference or raw pointer
// (see the member list below) -- nothing is copied.
120 const saml::Iterator<IMetadata*>& metadatas,
121 const saml::Iterator<ITrust*>& trusts,
122 const saml::Iterator<ICredentials*>& creds,
123 const XMLCh* subject,
124 const ISite* relyingParty
// Lifetime contract: m_metadatas/m_trusts/m_creds are reference members bound
// to the caller's Iterator objects, and m_subject/m_relyingParty are raw
// pointers. Every argument must outlive this binding; passing a temporary
// Iterator here leaves a dangling reference once the constructor returns.
125 ) : m_metadatas(metadatas), m_creds(creds), m_trusts(trusts), m_subject(subject), m_relyingParty(relyingParty) {}
// Owns nothing, so the destructor has nothing to release.
126 virtual ~ShibSOAPBinding() {}
// Sends req to the endpoint described by bindingInfo and returns the response.
// Returns a raw SAMLResponse*; ownership is not shown here -- presumably the
// caller deletes it (verify against SAMLSOAPBinding::send).
// conf is a non-const reference defaulting to the process-wide
// binding_defaults object; callers relying on the default should confirm the
// implementation does not mutate those shared defaults.
128 virtual saml::SAMLResponse* send(
129 const saml::SAMLAuthorityBinding& bindingInfo,
130 saml::SAMLRequest& req,
131 saml::SAMLConfig::SAMLBindingConfig& conf=saml::SAMLConfig::getConfig().binding_defaults
// The TLS context callback declared at the end of this header is a friend so
// it can read the private providers below; presumably userptr carries the
// ShibSOAPBinding* -- verify where the callback is installed.
135 friend bool ssl_ctx_callback(void* ssl_ctx, void* userptr);
// Non-owning identity of the local party and of the peer being contacted.
136 const XMLCh* m_subject;
137 const ISite* m_relyingParty;
// Reference members: bound to caller-owned Iterators for the object's life.
138 const saml::Iterator<IMetadata*>& m_metadatas;
139 const saml::Iterator<ITrust*>& m_trusts;
140 const saml::Iterator<ICredentials*>& m_creds;
// ShibInternalConfig: the library-internal ShibConfig implementation. It keeps
// a registry of factories, keyed by a type name string, for each pluggable
// component kind (metadata, trust, credentials, credential resolvers, AAP)
// and instantiates components by looking the type name up in those maps.
// NOTE(review): the class braces and access specifiers are not in this listing.
143 class ShibInternalConfig : public ShibConfig
146 ShibInternalConfig() {}
// Registers factory under the given type name; the overload chosen by the
// factory's static type selects which map it goes into. Whether a second
// registration under an existing name replaces or is ignored is not visible
// here. The maps hold raw Factory* -- ownership is not shown; presumably the
// registering plugin keeps the factory alive (verify in the .cpp).
151 void regFactory(const char* type, MetadataFactory* factory);
152 void regFactory(const char* type, TrustFactory* factory);
153 void regFactory(const char* type, CredentialsFactory* factory);
154 void regFactory(const char* type, CredResolverFactory* factory);
155 void regFactory(const char* type, AAPFactory* factory);
// Single unregister entry point with no factory-kind discriminator; which of
// the five maps it touches is not visible in this listing.
156 void unregFactory(const char* type);
// Factory lookups: build a component of the named type from the given source.
// All return raw pointers whose ownership is not shown here -- presumably the
// caller deletes the result (verify against ShibConfig). type is converted to
// a std::string key, so callers must not pass NULL; no check is visible here.
// newCredResolver differs from the others in taking a DOM element rather than
// a source string.
158 IMetadata* newMetadata(const char* type, const char* source) const;
159 ITrust* newTrust(const char* type, const char* source) const;
160 ICredentials* newCredentials(const char* type, const char* source) const;
161 IAAP* newAAP(const char* type, const char* source) const;
162 ICredResolver* newCredResolver(const char* type, const DOMElement* source) const;
// These two classes reach into the private factory maps directly.
165 friend class OriginMetadata;
167 friend class Credentials;
// One map per component kind: type name -> factory.
170 typedef std::map<std::string, MetadataFactory*> MetadataFactoryMap;
171 typedef std::map<std::string, TrustFactory*> TrustFactoryMap;
172 typedef std::map<std::string, CredentialsFactory*> CredentialsFactoryMap;
173 typedef std::map<std::string, CredResolverFactory*> CredResolverFactoryMap;
174 typedef std::map<std::string, AAPFactory*> AAPFactoryMap;
175 MetadataFactoryMap m_metadataFactoryMap;
176 TrustFactoryMap m_trustFactoryMap;
177 CredentialsFactoryMap m_credFactoryMap;
178 CredResolverFactoryMap m_credResolverFactoryMap;
179 AAPFactoryMap m_aapFactoryMap;
184 // Custom metadata-driven SSL context callback
// Both parameters are type-erased: ssl_ctx is presumably the OpenSSL SSL_CTX*
// being configured and userptr the ShibSOAPBinding* it is a friend of (see
// the friend declaration in ShibSOAPBinding) -- verify at the install site.
// The bool result presumably reports whether the context was configured
// successfully; what a false return does to the connection is not shown here.
185 bool ssl_ctx_callback(void* ssl_ctx, void* userptr);
187 // Log errors from OpenSSL error queue
// (The declaration this comment describes is not present in this listing.)
190 // build an OpenSSL cert out of a base-64 encoded DER buffer (XML style)
// Returns a newly allocated OpenSSL X509 that the caller must release with
// X509_free(). Behaviour on malformed input is not visible here -- presumably
// NULL is returned, so callers should check before use. buf is assumed to be
// a NUL-terminated string; no length parameter is taken.
191 X509* B64_to_X509(const char* buf);