X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=saml%2Fsignature%2FSignatureProfileValidator.cpp;h=0786bdb8e9bc4184e46269a5cfa53f6fe8da1f2a;hb=fe3e8f0a2b64bea2d12f7df00c6003fae29e3257;hp=5a9881f606304ecd97b3d150eeac08befc4cde3f;hpb=e90f2a3530fa9867aa4fc31e2fded69e8dfdc097;p=shibboleth%2Fcpp-opensaml.git
diff --git a/saml/signature/SignatureProfileValidator.cpp b/saml/signature/SignatureProfileValidator.cpp
index 5a9881f..0786bdb 100644
--- a/saml/signature/SignatureProfileValidator.cpp
+++ b/saml/signature/SignatureProfileValidator.cpp
@@ -1,75 +1,92 @@
-/*
- * Copyright 2001-2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * SignatureProfileValidator.cpp
- *
- * SAML-specific signature verification
- */
-
-#include "internal.h"
-#include "exceptions.h"
-#include "signature/SignatureProfileValidator.h"
-
-#include
-
-#include
-#include
-#include
-#include
-
-using namespace opensaml;
-using namespace xmlsignature;
-using namespace xmltooling;
-using namespace std;
-
-void SignatureProfileValidator::validate(const XMLObject* xmlObject) const
-{
- const Signature* sigObj=dynamic_cast(xmlObject);
- if (!sigObj)
- throw ValidationException("Validator only applies to Signature objects.");
- DSIGSignature* sig=sigObj->getXMLSignature();
- if (!sig)
- throw ValidationException("Signature does not exist yet.");
-
- const SignableObject* signableObj=dynamic_cast(sigObj->getParent());
- if (!signableObj)
- throw ValidationException("Signature is not a child of a signable SAML object.");
-
- bool valid=false;
- DSIGReferenceList* refs=sig->getReferenceList();
- if (refs && refs->getSize()==1) {
- DSIGReference* ref=refs->item(0);
- if (ref) {
- const XMLCh* URI=ref->getURI();
- if (URI==NULL || *URI==0 || (*URI==chPound && !XMLString::compareString(URI+1,signableObj->getId()))) {
- DSIGTransformList* tlist=ref->getTransforms();
- for (unsigned int i=0; tlist && igetSize(); i++) {
- if (tlist->item(i)->getTransformType()==TRANSFORM_ENVELOPED_SIGNATURE)
- valid=true;
- else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
- tlist->item(i)->getTransformType()!=TRANSFORM_C14N) {
- valid=false;
- break;
- }
- }
- }
- }
- }
-
- if (!valid)
- throw ValidationException("Invalid signature profile for SAML object.");
-}
+/*
+ * Copyright 2001-2010 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * SignatureProfileValidator.cpp
+ *
+ * SAML-specific signature verification.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "signature/SignableObject.h"
+#include "signature/SignatureProfileValidator.h"
+
+#include
+
+#include
+#include
+#include
+#include
+
+using namespace opensaml;
+using namespace xmlsignature;
+using namespace xmltooling;
+using namespace std;
+
+SignatureProfileValidator::SignatureProfileValidator()
+{
+}
+
+SignatureProfileValidator::~SignatureProfileValidator()
+{
+}
+
+void SignatureProfileValidator::validate(const XMLObject* xmlObject) const
+{
+ const Signature* sigObj=dynamic_cast(xmlObject);
+ if (!sigObj)
+ throw ValidationException("Validator only applies to Signature objects.");
+ validateSignature(*sigObj);
+}
+
+void SignatureProfileValidator::validateSignature(const Signature& sigObj) const
+{
+ DSIGSignature* sig=sigObj.getXMLSignature();
+ if (!sig)
+ throw ValidationException("Signature does not exist yet.");
+
+ const SignableObject* signableObj=dynamic_cast(sigObj.getParent());
+ if (!signableObj)
+ throw ValidationException("Signature is not a child of a signable SAML object.");
+
+ bool valid=false;
+ DSIGReferenceList* refs=sig->getReferenceList();
+ if (refs && refs->getSize()==1) {
+ DSIGReference* ref=refs->item(0);
+ if (ref) {
+ const XMLCh* URI=ref->getURI();
+ const XMLCh* ID=signableObj->getXMLID();
+ if (URI==nullptr || *URI==0 || (*URI==chPound && ID && !XMLString::compareString(URI+1,ID))) {
+ DSIGTransformList* tlist=ref->getTransforms();
+ if (tlist->getSize() <= 2) {
+ for (unsigned int i=0; tlist && igetSize(); i++) {
+ if (tlist->item(i)->getTransformType()==TRANSFORM_ENVELOPED_SIGNATURE)
+ valid=true;
+ else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
+ tlist->item(i)->getTransformType()!=TRANSFORM_C14N) {
+ valid=false;
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (!valid)
+ throw ValidationException("Invalid signature profile for SAML object.");
+}
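Review bot: The new guard `if (tlist->getSize() <= 2)` in validateSignature dereferences `tlist` before the null test that the `for` condition immediately below still performs (`tlist && ...`), so a null return from `ref->getTransforms()` — which that loop condition evidently anticipates — now crashes the validator instead of leaving `valid` false and throwing the profile exception. Either move the null test onto the guard, `if (tlist && tlist->getSize() <= 2) {`, and drop the now-redundant `tlist &&` from the loop, or, if `getTransforms()` cannot return null, remove the dead loop test; the hunk does not show which holds. The cap itself is sound hardening, since the loop only ever accepts an enveloped-signature transform plus (exclusive) C14N, but its rationale deserves a comment on the guard, e.g. `// Profile allows at most two transforms: enveloped-signature plus one canonicalization.`. Note also that the `dynamic_cast(...)` and `igetSize()` spellings in this page are rendering artifacts of the template arguments and the `<` comparison being stripped, not defects in the committed code.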