2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * Shibboleth-specific PKIX-validation TrustEngine.
24 #include "metadata/MetadataExt.h"
25 #include "security/PKIXTrustEngine.h"
27 #include <saml/saml2/metadata/Metadata.h>
28 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
29 #include <saml/saml2/metadata/ObservableMetadataProvider.h>
30 #include <xmltooling/XMLToolingConfig.h>
31 #include <xmltooling/security/AbstractPKIXTrustEngine.h>
32 #include <xmltooling/security/KeyInfoResolver.h>
33 #include <xmltooling/security/X509Credential.h>
34 #include <xmltooling/util/Threads.h>
36 using namespace shibsp;
37 using namespace opensaml::saml2md;
38 using namespace xmlsignature;
39 using namespace xmltooling;
44 class SHIBSP_DLLLOCAL PKIXTrustEngine : public AbstractPKIXTrustEngine, public ObservableMetadataProvider::Observer
47 PKIXTrustEngine(const DOMElement* e=nullptr) : AbstractPKIXTrustEngine(e), m_credLock(RWLock::create()) {
49 virtual ~PKIXTrustEngine() {
50 for (map<const ObservableMetadataProvider*,credmap_t>::iterator i=m_credentialMap.begin(); i!=m_credentialMap.end(); ++i) {
51 i->first->removeObserver(this);
52 for (credmap_t::iterator creds = i->second.begin(); creds!=i->second.end(); ++creds)
53 for_each(creds->second.begin(), creds->second.end(), xmltooling::cleanup<X509Credential>());
58 AbstractPKIXTrustEngine::PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
59 const CredentialResolver& pkixSource, CredentialCriteria* criteria=nullptr
62 void onEvent(const ObservableMetadataProvider& metadata) const {
63 // Destroy credentials we cached from this provider.
65 credmap_t& cmap = m_credentialMap[&metadata];
66 for (credmap_t::iterator creds = cmap.begin(); creds!=cmap.end(); ++creds)
67 for_each(creds->second.begin(), creds->second.end(), xmltooling::cleanup<X509Credential>());
72 const KeyInfoResolver* getKeyInfoResolver() const {
73 return m_keyInfoResolver ? m_keyInfoResolver : XMLToolingConfig::getConfig().getKeyInfoResolver();
77 friend class SHIBSP_DLLLOCAL MetadataPKIXIterator;
78 mutable RWLock* m_credLock;
79 typedef map< const KeyAuthority*,vector<X509Credential*> > credmap_t;
80 mutable map<const ObservableMetadataProvider*,credmap_t> m_credentialMap;
83 SHIBSP_DLLLOCAL PluginManager<TrustEngine,string,const DOMElement*>::Factory PKIXTrustEngineFactory;
85 TrustEngine* SHIBSP_DLLLOCAL PKIXTrustEngineFactory(const DOMElement* const & e)
87 return new PKIXTrustEngine(e);
90 class SHIBSP_DLLLOCAL MetadataPKIXIterator : public AbstractPKIXTrustEngine::PKIXValidationInfoIterator
93 MetadataPKIXIterator(const PKIXTrustEngine& engine, const MetadataProvider& pkixSource, MetadataCredentialCriteria& criteria);
95 virtual ~MetadataPKIXIterator() {
97 m_engine.m_credLock->unlock();
98 for_each(m_ownedCreds.begin(), m_ownedCreds.end(), xmltooling::cleanup<Credential>());
103 int getVerificationDepth() const {
104 pair<bool,int> vd = m_current->getVerifyDepth();
105 return vd.first ? vd.second : 1;
108 const vector<XSECCryptoX509*>& getTrustAnchors() const {
112 const vector<XSECCryptoX509CRL*>& getCRLs() const {
119 const PKIXTrustEngine& m_engine;
120 map<const ObservableMetadataProvider*,PKIXTrustEngine::credmap_t>::iterator m_credCache;
121 const XMLObject* m_obj;
122 const Extensions* m_extBlock;
123 const KeyAuthority* m_current;
124 vector<XMLObject*>::const_iterator m_iter;
125 vector<XSECCryptoX509*> m_certs;
126 vector<XSECCryptoX509CRL*> m_crls;
127 vector<X509Credential*> m_ownedCreds;
131 void shibsp::registerPKIXTrustEngine()
133 XMLToolingConfig::getConfig().TrustEngineManager.registerFactory(SHIBBOLETH_PKIX_TRUSTENGINE, PKIXTrustEngineFactory);
136 AbstractPKIXTrustEngine::PKIXValidationInfoIterator* PKIXTrustEngine::getPKIXValidationInfoIterator(
137 const CredentialResolver& pkixSource, CredentialCriteria* criteria
140 // Make sure these are metadata objects.
141 const MetadataProvider& metadata = dynamic_cast<const MetadataProvider&>(pkixSource);
142 MetadataCredentialCriteria* metacrit = dynamic_cast<MetadataCredentialCriteria*>(criteria);
144 throw MetadataException("Cannot obtain PKIX information without a MetadataCredentialCriteria object.");
146 return new MetadataPKIXIterator(*this, metadata,*metacrit);
149 MetadataPKIXIterator::MetadataPKIXIterator(
150 const PKIXTrustEngine& engine, const MetadataProvider& pkixSource, MetadataCredentialCriteria& criteria
151 ) : m_caching(false), m_engine(engine), m_obj(criteria.getRole().getParent()), m_extBlock(nullptr), m_current(nullptr)
153 // If we can't hook the metadata for changes, then we can't do any caching and the rest of this is academic.
154 const ObservableMetadataProvider* observable = dynamic_cast<const ObservableMetadataProvider*>(&pkixSource);
158 // While holding read lock, see if this metadata plugin has been seen before.
159 m_engine.m_credLock->rdlock();
160 m_credCache = m_engine.m_credentialMap.find(observable);
161 if (m_credCache==m_engine.m_credentialMap.end()) {
163 // We need to elevate the lock and retry.
164 m_engine.m_credLock->unlock();
165 m_engine.m_credLock->wrlock();
166 m_credCache = m_engine.m_credentialMap.find(observable);
167 if (m_credCache==m_engine.m_credentialMap.end()) {
169 // It's still brand new, so hook it for cache activation.
170 observable->addObserver(&m_engine);
172 // Prime the map reference with an empty credential map.
173 m_credCache = m_engine.m_credentialMap.insert(make_pair(observable,PKIXTrustEngine::credmap_t())).first;
175 // Downgrade the lock.
176 // We don't have to recheck because we never erase the master map entry entirely, even on changes.
177 m_engine.m_credLock->unlock();
178 m_engine.m_credLock->rdlock();
182 // We've hooked the metadata for changes, and we know we can cache against it.
187 bool MetadataPKIXIterator::next()
189 // If we had an active block, look for another in the same block.
191 // Keep going until we hit the end of the block.
192 vector<XMLObject*>::const_iterator end = m_extBlock->getUnknownXMLObjects().end();
193 while (m_iter != end) {
194 // If we hit a KeyAuthority, remember it and signal.
195 if (m_current=dynamic_cast<KeyAuthority*>(*m_iter++)) {
201 // If we get here, we hit the end of this Extensions block.
202 // Climb a level, if possible.
203 m_obj = m_obj->getParent();
205 m_extBlock = nullptr;
208 // If we get here, we try and find an Extensions block.
210 const EntityDescriptor* entity = dynamic_cast<const EntityDescriptor*>(m_obj);
212 m_extBlock = entity->getExtensions();
215 const EntitiesDescriptor* entities = dynamic_cast<const EntitiesDescriptor*>(m_obj);
217 m_extBlock = entities->getExtensions();
222 m_iter = m_extBlock->getUnknownXMLObjects().begin();
226 // Jump a level and try again.
227 m_obj = m_obj->getParent();
233 void MetadataPKIXIterator::populate()
235 // Dump anything old.
238 for_each(m_ownedCreds.begin(), m_ownedCreds.end(), xmltooling::cleanup<Credential>());
241 // We're holding a read lock. Search for "resolved" creds.
242 PKIXTrustEngine::credmap_t::iterator cached = m_credCache->second.find(m_current);
243 if (cached!=m_credCache->second.end()) {
244 // Copy over the information.
245 for (vector<X509Credential*>::const_iterator c=cached->second.begin(); c!=cached->second.end(); ++c) {
246 m_certs.insert(m_certs.end(), (*c)->getEntityCertificateChain().begin(), (*c)->getEntityCertificateChain().end());
248 m_crls.push_back((*c)->getCRL());
254 // We're either not caching or didn't find the results we need, so we have to resolve them.
255 const vector<KeyInfo*>& keyInfos = m_current->getKeyInfos();
256 for (vector<KeyInfo*>::const_iterator k = keyInfos.begin(); k!=keyInfos.end(); ++k) {
257 auto_ptr<Credential> cred (m_engine.getKeyInfoResolver()->resolve(*k, X509Credential::RESOLVE_CERTS | X509Credential::RESOLVE_CRLS));
258 X509Credential* xcred = dynamic_cast<X509Credential*>(cred.get());
260 m_ownedCreds.push_back(xcred);
265 // Copy over the new information.
266 for (vector<X509Credential*>::const_iterator c=m_ownedCreds.begin(); c!=m_ownedCreds.end(); ++c) {
267 m_certs.insert(m_certs.end(), (*c)->getEntityCertificateChain().begin(), (*c)->getEntityCertificateChain().end());
269 m_crls.push_back((*c)->getCRL());
272 // As a last step, if we're caching, try and elevate to a write lock for cache insertion.
274 m_engine.m_credLock->unlock();
275 m_engine.m_credLock->wrlock();
276 if (m_credCache->second.count(m_current)==0) {
277 // Transfer objects into cache.
278 m_credCache->second[m_current] = m_ownedCreds;
279 m_ownedCreds.clear();
281 m_engine.m_credLock->unlock();
282 m_engine.m_credLock->rdlock();
284 // In theory we could have lost the objects but that shouldn't be possible
285 // since the metadata itself is locked and shouldn't change behind us.