/*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2007 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*/
/**
- * BlacklistMetadataFilter.cpp
+ * SignatureMetadataFilter.cpp
*
- * Removes blacklisted entities from a metadata instance
+ * Filters out unsigned or mis-signed elements.
*/
#include "internal.h"
#include "saml2/metadata/MetadataFilter.h"
#include "signature/SignatureProfileValidator.h"
-#include <log4cpp/Category.hh>
-
-#include <xmltooling/util/NDC.h>
+#include <xmltooling/logging.h>
+#include <xmltooling/security/Credential.h>
+#include <xmltooling/security/CredentialCriteria.h>
+#include <xmltooling/security/CredentialResolver.h>
#include <xmltooling/signature/SignatureValidator.h>
+#include <xmltooling/util/NDC.h>
using namespace opensaml::saml2md;
using namespace opensaml;
using namespace xmlsignature;
+using namespace xmltooling::logging;
using namespace xmltooling;
-using namespace log4cpp;
using namespace std;
namespace opensaml {
public:
SignatureMetadataFilter(const DOMElement* e);
~SignatureMetadataFilter() {
- delete m_sigValidator;
+ delete m_credResolver;
}
const char* getId() const { return SIGNATURE_METADATA_FILTER; }
void verifySignature(Signature* sig) const {
if (sig) {
m_profileValidator.validate(sig);
- m_sigValidator->validate(sig);
+ m_sigValidator.validate(sig);
}
}
+ CredentialResolver* m_credResolver;
SignatureProfileValidator m_profileValidator;
- SignatureValidator* m_sigValidator;
+ mutable SignatureValidator m_sigValidator;
};
MetadataFilter* SAML_DLLLOCAL SignatureMetadataFilterFactory(const DOMElement* const & e)
};
};
-static const XMLCh GenericKeyResolver[] = UNICODE_LITERAL_11(K,e,y,R,e,s,o,l,v,e,r);
+static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
+static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
+static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
+static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h);
-SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_sigValidator(NULL)
+SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_credResolver(NULL)
{
- e = XMLHelper::getFirstChildElement(e, GenericKeyResolver);
+ if (e && e->hasAttributeNS(NULL,certificate)) {
+ // Dummy up a file resolver.
+ DOMElement* dummy = e->getOwnerDocument()->createElementNS(NULL,_CredentialResolver);
+ DOMElement* child = e->getOwnerDocument()->createElementNS(NULL,Certificate);
+ dummy->appendChild(child);
+ DOMElement* path = e->getOwnerDocument()->createElementNS(NULL,Path);
+ child->appendChild(path);
+ path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,certificate)));
+ m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,dummy);
+ return;
+ }
+
+ e = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL;
auto_ptr_char t(e ? e->getAttributeNS(NULL,type) : NULL);
if (t.get()) {
- auto_ptr<KeyResolver> kr(XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(t.get(),e));
- m_sigValidator = new SignatureValidator(kr.get());
- kr.release();
+ m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),e);
}
else
- throw MetadataFilterException("missing <KeyResolver> element, or no type attribute found");
+ throw MetadataFilterException("Missing <CredentialResolver> element, or no type attribute found");
}
void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const
NDC ndc("doFilter");
#endif
+ CredentialCriteria cc;
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ Locker locker(m_credResolver);
+ m_sigValidator.setCredential(m_credResolver->resolve(&cc));
+
try {
EntitiesDescriptor& entities = dynamic_cast<EntitiesDescriptor&>(xmlObject);
doFilter(entities, true);
projects / shibboleth / opensaml2.git / blobdiff