-/*
- * The Shibboleth License, Version 1.
- * Copyright (c) 2002
- * University Corporation for Advanced Internet Development, Inc.
- * All rights reserved
+/*
+ * Copyright 2001-2005 Internet2
*
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- *
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- *
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- *
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
/* ShibbolethTrust.cpp - a trust implementation that relies solely on standard SAML metadata
~ShibbolethTrust();
bool validate(void* certEE, const Iterator<void*>& certChain, const IRoleDescriptor* role, bool checkName=true);
- bool validate(const saml::SAMLSignedObject& token, const IRoleDescriptor* role);
+ bool validate(const saml::SAMLSignedObject& token, const IRoleDescriptor* role, ITrust* certValidator=NULL);
private:
bool validate(X509* EE, STACK_OF(X509)* untrusted, const IKeyAuthority* rule);
delete *i;
}
-extern "C" int error_callback(int ok, X509_STORE_CTX* ctx)
+static int error_callback(int ok, X509_STORE_CTX* ctx)
{
if (!ok)
Category::getInstance("OpenSSL").error("path validation failure: %s", X509_verify_cert_error_string(ctx->error));
log_openssl();
return false;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK_ALL);
+#endif
STACK_OF(X509)* CAstack = sk_X509_new_null();
STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (altnames) {
int numalts = sk_GENERAL_NAME_num(altnames);
- for (int an=0; !checkName && an<numalts; an++) {
+ for (int an=0; checkName && an<numalts; an++) {
const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
if (check->type==GEN_DNS || check->type==GEN_URI) {
const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
#ifdef HAVE_STRCASECMP
- if (!strncasecmp(altptr,n->c_str(),altlen)) {
+ if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen))
#else
- if (!strnicmp(altptr,n->c_str(),altlen)) {
+ if ((check->type==GEN_DNS && !strnicmp(altptr,n->c_str(),altlen))
#endif
+ || (check->type==GEN_URI && !strncmp(altptr,n->c_str(),altlen))) {
log.info("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
checkName=false;
break;
return false;
}
-bool ShibbolethTrust::validate(const saml::SAMLSignedObject& token, const IRoleDescriptor* role)
+bool ShibbolethTrust::validate(const saml::SAMLSignedObject& token, const IRoleDescriptor* role, ITrust* certValidator)
{
if (BasicTrust::validate(token,role))
return true;
// Find and save off a pointer to the certificate that unlocks the object.
// Most of the time, this will be the first one anyway.
Iterator<XSECCryptoX509*> iter(certs);
- while (!certEE && iter.hasNext()) {
+ while (iter.hasNext()) {
try {
XSECCryptoX509* c=iter.next();
chain.push_back(static_cast<OpenSSLCryptoX509*>(c)->getOpenSSLX509());
- token.verify(*c);
- log.info("signature verified with key inside signature, attempting certificate validation...");
- certEE=static_cast<OpenSSLCryptoX509*>(c)->getOpenSSLX509();
+ if (!certEE) {
+ token.verify(*c);
+ log.info("signature verified with key inside signature, attempting certificate validation...");
+ certEE=static_cast<OpenSSLCryptoX509*>(c)->getOpenSSLX509();
+ }
}
catch (...) {
// trap failures
bool ret=false;
if (certEE)
- ret=validate(certEE,chain,role);
+ ret=(certValidator) ? certValidator->validate(certEE,chain,role) : this->validate(certEE,chain,role);
else
log.debug("failed to verify signature with embedded certificates");