X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;ds=sidebyside;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;fp=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;h=da3e787c1c6cb1157b78f24423d3af494d061284;hb=208928133db000b055b99fcbabc245295adb0d48;hp=6b4e82b009548c06832f9611ec0caf027166ad9d;hpb=49e16c539fc7c1e50b358e323ca9421a3ff4a6c8;p=shibboleth%2Fcpp-opensaml.git diff --git a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp index 6b4e82b..da3e787 100644 --- a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp +++ b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp @@ -49,29 +49,11 @@ using namespace std; namespace opensaml { namespace saml2md { - class SAML_DLLLOCAL DummyCredentialResolver : public CredentialResolver - { - public: - DummyCredentialResolver() {} - ~DummyCredentialResolver() {} - - Lockable* lock() {return this;} - void unlock() {} - - const Credential* resolve(const CredentialCriteria* criteria=nullptr) const {return nullptr;} - vector::size_type resolve( - vector& results, const CredentialCriteria* criteria=nullptr - ) const {return 0;} - }; - class SAML_DLLLOCAL SignatureMetadataFilter : public MetadataFilter { public: SignatureMetadataFilter(const DOMElement* e); - ~SignatureMetadataFilter() { - delete m_credResolver; - delete m_trust; - } + ~SignatureMetadataFilter() {} const char* getId() const { return SIGNATURE_METADATA_FILTER; } void doFilter(XMLObject& xmlObject) const; @@ -82,8 +64,8 @@ namespace opensaml { void verifySignature(Signature* sig, const XMLCh* peerName) const; bool m_verifyRoles,m_verifyName; - CredentialResolver* m_credResolver; - SignatureTrustEngine* m_trust; + auto_ptr m_credResolver,m_dummyResolver; + auto_ptr m_trust; SignatureProfileValidator m_profileValidator; Category& m_log; }; @@ -108,12 +90,11 @@ static const XMLCh verifyName[] = UNICODE_LITERAL_10(v,e,r,i,f,y,N,a,m SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_verifyRoles(XMLHelper::getAttrBool(e, false, verifyRoles)), m_verifyName(XMLHelper::getAttrBool(e, true, verifyName)), - m_credResolver(nullptr), m_trust(nullptr), m_log(Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature")) { if (e && e->hasAttributeNS(nullptr,certificate)) { // Use a file-based credential resolver rooted here. - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e); + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e)); return; } @@ -121,7 +102,7 @@ SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) if (sub) { string t = XMLHelper::getAttrString(sub, nullptr, type); if (!t.empty()) { - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), sub); + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), sub)); return; } } @@ -131,10 +112,15 @@ SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) string t = XMLHelper::getAttrString(sub, nullptr, type); if (!t.empty()) { TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), sub); - if (!(m_trust = dynamic_cast(trust))) { + SignatureTrustEngine* sigTrust = dynamic_cast(trust); + if (!sigTrust) { delete trust; throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); } + m_trust.reset(sigTrust); + m_dummyResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr)); + if (!m_dummyResolver.get()) + throw MetadataFilterException("Error creating dummy CredentialResolver."); return; } } @@ -153,7 +139,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const doFilter(entities, true); return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { m_log.warn("filtering out group at root of instance after failed signature check: %s", ex.what()); @@ -165,7 +151,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const doFilter(entity, true); return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { m_log.warn("filtering out entity at root of instance after failed signature check: %s", ex.what()); @@ -182,8 +168,8 @@ void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootOb throw MetadataFilterException("Root metadata element was unsigned."); verifySignature(sig, entities.getName()); - VectorOf(EntityDescriptor) v=entities.getEntityDescriptors(); - for (VectorOf(EntityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -234,8 +220,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(SPSSODescriptor) sp=entity.getSPSSODescriptors(); - for (VectorOf(SPSSODescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -249,8 +235,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthnAuthorityDescriptor) authn=entity.getAuthnAuthorityDescriptors(); - for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -264,8 +250,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AttributeAuthorityDescriptor) aa=entity.getAttributeAuthorityDescriptors(); - for (VectorOf(AttributeAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -279,8 +265,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(PDPDescriptor) pdp=entity.getPDPDescriptors(); - for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -294,8 +280,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthnQueryDescriptorType) authnq=entity.getAuthnQueryDescriptorTypes(); - for (VectorOf(AuthnQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -309,8 +295,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AttributeQueryDescriptorType) attrq=entity.getAttributeQueryDescriptorTypes(); - for (VectorOf(AttributeQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -324,8 +310,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthzDecisionQueryDescriptorType) authzq=entity.getAuthzDecisionQueryDescriptorTypes(); - for (VectorOf(AuthzDecisionQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -339,8 +325,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(RoleDescriptor) v=entity.getRoleDescriptors(); - for (VectorOf(RoleDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -379,12 +365,12 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(*sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); - if (m_credResolver) { + if (m_credResolver.get()) { if (peerName) { auto_ptr_char pname(peerName); cc.setPeerName(pname.get()); } - Locker locker(m_credResolver); + Locker locker(m_credResolver.get()); vector creds; if (m_credResolver->resolve(creds,&cc)) { SignatureValidator sigValidator; @@ -403,13 +389,12 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN throw MetadataFilterException("CredentialResolver did not supply any candidate keys."); } } - else if (m_trust) { + else if (m_trust.get()) { if (m_verifyName && peerName) { auto_ptr_char pname(peerName); cc.setPeerName(pname.get()); } - DummyCredentialResolver dummy; - if (m_trust->validate(*sig, dummy, &cc)) + if (m_trust->validate(*sig, *m_dummyResolver, &cc)) return; throw MetadataFilterException("TrustEngine unable to verify signature."); }