X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FClientCertAuthRule.cpp;h=33273ec218c5df9d969783ce6a45a2cfeea71c81;hb=e9554c255ad3c91c7c4976e7a1a54905903e66a2;hp=095eb9cfc68d0763b31afce07f078d2eb22201e2;hpb=932cfaae2176c2eba1a9938dc420591a9551a7f3;p=shibboleth%2Fcpp-opensaml.git

diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp
index 095eb9c..33273ec 100644
--- a/saml/binding/impl/ClientCertAuthRule.cpp
+++ b/saml/binding/impl/ClientCertAuthRule.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2010 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,64 +17,97 @@
 /**
  * ClientCertAuthRule.cpp
  * 
- * TLS client authentication SecurityPolicyRule
+ * TLS client authentication SecurityPolicyRule.
  */
 
 #include "internal.h"
 #include "exceptions.h"
-#include "binding/ClientCertAuthRule.h"
+#include "binding/SecurityPolicy.h"
+#include "binding/SecurityPolicyRule.h"
 #include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
 #include "saml2/metadata/MetadataProvider.h"
 
+#include <xmltooling/logging.h>
+#include <xmltooling/io/GenericRequest.h>
+#include <xmltooling/security/Credential.h>
 #include <xmltooling/security/X509TrustEngine.h>
 #include <xmltooling/util/ReplayCache.h>
-#include <log4cpp/Category.hh>
 
 using namespace opensaml::saml2md;
 using namespace opensaml;
+using namespace xmltooling::logging;
 using namespace xmltooling;
-using namespace log4cpp;
 using namespace std;
 
 namespace opensaml {
+    class SAML_DLLLOCAL ClientCertAuthRule : public SecurityPolicyRule
+    {
+    public:
+        ClientCertAuthRule(const DOMElement* e);
+        virtual ~ClientCertAuthRule() {}
+        
+        const char* getType() const {
+            return CLIENTCERTAUTH_POLICY_RULE;
+        }
+        bool evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const;
+
+    private:
+        bool m_errorFatal;
+    };
+
     SecurityPolicyRule* SAML_DLLLOCAL ClientCertAuthRuleFactory(const DOMElement* const & e)
     {
         return new ClientCertAuthRule(e);
     }
+
+    static const XMLCh errorFatal[] = UNICODE_LITERAL_10(e,r,r,o,r,F,a,t,a,l);
 };
 
-void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
+ClientCertAuthRule::ClientCertAuthRule(const DOMElement* e) : m_errorFatal(false)
+{
+    if (e) {
+        const XMLCh* flag = e->getAttributeNS(nullptr, errorFatal);
+        m_errorFatal = (flag && (*flag==chLatin_t || *flag==chDigit_1)); 
+    }
+}
+
+bool ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
 {
     Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
-    log.debug("evaluating client certificate authentication policy");
     
-    if (!request) {
-        log.debug("ignoring message, no protocol request available");
-        return;
-    }
-    else if (!policy.getIssuerMetadata()) {
+    if (!request)
+        return false;
+    
+    if (!policy.getIssuerMetadata()) {
         log.debug("ignoring message, no issuer metadata supplied");
-        return;
+        return false;
     }
 
     const X509TrustEngine* x509trust;
     if (!(x509trust=dynamic_cast<const X509TrustEngine*>(policy.getTrustEngine()))) {
         log.debug("ignoring message, no X509TrustEngine supplied");
-        return;
+        return false;
     }
     
-    const std::vector<XSECCryptoX509*>& chain = request->getClientCertificates();
-    if (chain.empty()) {
-        log.debug("ignoring message, no client certificates in request");
-        return;
-    }
+    const vector<XSECCryptoX509*>& chain = request->getClientCertificates();
+    if (chain.empty())
+        return false;
     
-    if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true,
-            policy.getMetadataProvider()->getKeyResolver())) {
+    // Set up criteria object, including peer name to enforce cert name checking.
+    MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
+    auto_ptr_char pn(policy.getIssuer()->getName());
+    cc.setPeerName(pn.get());
+    cc.setUsage(Credential::TLS_CREDENTIAL);
+
+    if (!x509trust->validate(chain.front(), chain, *(policy.getMetadataProvider()), &cc)) {
+        if (m_errorFatal)
+            throw SecurityPolicyException("Client certificate supplied, but could not be verified.");
         log.error("unable to verify certificate chain with supplied trust engine");
-        return;
+        return false;
     }
     
     log.debug("client certificate verified against message issuer");
-    policy.setSecure(true);
+    policy.setAuthenticated(true);
+    return true;
 }