2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
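17 /* siterefresh.cpp - command-line tool to refresh and verify metadata (NOTE(review): this description looks stale; the code below signs a SAML object or verifies its signature, and logs under "OpenSAML.Utility.SAMLSign")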
22 $Id:siterefresh.cpp 2252 2007-05-20 20:20:57Z cantor $
25 #if defined (_MSC_VER) || defined(__BORLANDC__)
26 # include "config_win32.h"
32 # define _CRT_NONSTDC_NO_DEPRECATE 1
33 # define _CRT_SECURE_NO_DEPRECATE 1
36 #include <saml/SAMLConfig.h>
37 #include <saml/saml2/metadata/Metadata.h>
38 #include <saml/saml2/metadata/MetadataProvider.h>
39 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
40 #include <saml/signature/SignatureProfileValidator.h>
41 #include <saml/util/SAMLConstants.h>
42 #include <xmltooling/logging.h>
43 #include <xmltooling/XMLToolingConfig.h>
44 #include <xmltooling/security/SignatureTrustEngine.h>
45 #include <xmltooling/signature/Signature.h>
46 #include <xmltooling/signature/SignatureValidator.h>
47 #include <xmltooling/util/XMLHelper.h>
50 #include <xercesc/framework/LocalFileInputSource.hpp>
51 #include <xercesc/framework/URLInputSource.hpp>
52 #include <xercesc/framework/StdInInputSource.hpp>
53 #include <xercesc/framework/Wrapper4InputSource.hpp>
55 using namespace xmlsignature;
56 using namespace xmlconstants;
57 using namespace xmltooling::logging;
58 using namespace xmltooling;
59 using namespace samlconstants;
60 using namespace opensaml::saml2md;
61 using namespace opensaml;
62 using namespace xercesc;
// Builds a plugin of type T from an XML configuration document.
//
// The document is parsed from `in`, whose declaration is not among the lines shown in this
// listing (presumably a stream opened on `path` - confirm against the full file). The plugin
// type name is read from the no-namespace "type" attribute of the document element, and that
// name plus the element are handed to mgr.newPlugin().
//
// Returns the pointer produced by mgr.newPlugin(); throws XMLToolingException when the
// "type" attribute is missing or empty.
//
// NOTE(review): main() calls this with cr_param, t_param and m_param, i.e. with paths taken
// from the command line. The file's "type" attribute decides which plugin is instantiated,
// so the configuration file should be protected as carefully as the trust settings it feeds.
65 template<class T> T* buildPlugin(const char* path, PluginManager<T,string,const DOMElement*>& mgr)
68 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
// Ties the parsed document to this scope (presumably released when janitor is destroyed - confirm).
69 XercesJanitor<DOMDocument> janitor(doc);
71 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
// NOTE(review): getDocumentElement() is dereferenced without a null check in the lines shown.
72 auto_ptr_char type(doc->getDocumentElement()->getAttributeNS(NULL,_type));
// Only a non-empty type string is accepted.
73 if (type.get() && *type.get())
74 return mgr.newPlugin(type.get(), doc->getDocumentElement());
75 throw XMLToolingException("Missing type in plugin configuration.");
// Builds a CredentialResolver from a key and/or certificate given on the command line.
//
// An in-memory <CredentialResolver> element is created, the `key` and `cert` strings are
// copied onto it as the "key" and "certificate" attributes, and the element is passed to
// CredentialResolverManager.newPlugin() with FILESYSTEM_CREDENTIAL_RESOLVER as the type.
// Returns the pointer produced by newPlugin().
//
// NOTE(review): the lines between the attribute assignments are missing from this listing.
// The two `widenit` declarations imply separate scopes, presumably `if (key)` / `if (cert)`
// guards, since main() passes NULL for `key` when verifying - confirm against the full file.
// NOTE(review): how the plugin interprets the two values (e.g. as file paths) and whether a
// protected private key can be used is decided by the plugin, not by anything visible here.
78 CredentialResolver* buildSimpleResolver(const char* key, const char* cert)
80 static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
81 static const XMLCh _certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
82 static const XMLCh _key[] = UNICODE_LITERAL_3(k,e,y);
// Scratch document that only serves as the owner of the configuration element.
84 DOMDocument* doc = XMLToolingConfig::getConfig().getParser().newDocument();
85 XercesJanitor<DOMDocument> janitor(doc);
86 DOMElement* root = doc->createElementNS(NULL, _CredentialResolver);
// Widen the narrow `key` string to XMLCh and store it as the "key" attribute.
88 auto_ptr_XMLCh widenit(key);
89 root->setAttributeNS(NULL, _key, widenit.get());
// Same for `cert`, stored as the "certificate" attribute.
92 auto_ptr_XMLCh widenit(cert);
93 root->setAttributeNS(NULL, _certificate, widenit.get());
96 return XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, root);
// Placeholder CredentialResolver that supplies no credentials.
//
// main() passes an instance to SignatureTrustEngine::validate() when no metadata was given,
// so in that mode the outcome rests on the TrustEngine's own configuration rather than on
// any credential resolved here.
// NOTE(review): the access specifier, any unlock() member and the body of the second
// resolve() overload are not among the lines shown in this listing.
99 class DummyCredentialResolver : public CredentialResolver
102 DummyCredentialResolver() {}
103 ~DummyCredentialResolver() {}
// Locking hands back the object itself; no separate lock object is created.
105 Lockable* lock() {return this;}
// Single-credential lookup: always reports "no credential" regardless of the criteria.
108 const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;}
// Multi-credential lookup (body not visible here; presumably leaves `results` empty - confirm).
109 vector<const Credential*>::size_type resolve(
110 vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
114 int main(int argc,char* argv[])
117 char* url_param=NULL;
118 char* path_param=NULL;
119 char* key_param=NULL;
120 char* cert_param=NULL;
125 // metadata lookup options
129 const XMLCh* protocol = NULL;
133 for (int i=1; i<argc; i++) {
134 if (!strcmp(argv[i],"-u") && i+1<argc)
136 else if (!strcmp(argv[i],"-f") && i+1<argc)
137 path_param=argv[++i];
138 else if (!strcmp(argv[i],"-id") && i+1<argc)
140 else if (!strcmp(argv[i],"-s"))
142 else if (!strcmp(argv[i],"-k") && i+1<argc)
144 else if (!strcmp(argv[i],"-c") && i+1<argc)
145 cert_param=argv[++i];
146 else if (!strcmp(argv[i],"-R") && i+1<argc)
148 else if (!strcmp(argv[i],"-T") && i+1<argc)
150 else if (!strcmp(argv[i],"-M") && i+1<argc)
152 else if (!strcmp(argv[i],"-i") && i+1<argc)
154 else if (!strcmp(argv[i],"-p") && i+1<argc)
156 else if (!strcmp(argv[i],"-r") && i+1<argc)
158 else if (!strcmp(argv[i],"-ns") && i+1<argc)
160 else if (!strcmp(argv[i],"-saml10"))
161 protocol=samlconstants::SAML10_PROTOCOL_ENUM;
162 else if (!strcmp(argv[i],"-saml11"))
163 protocol=samlconstants::SAML11_PROTOCOL_ENUM;
164 else if (!strcmp(argv[i],"-saml2"))
165 protocol=samlconstants::SAML20P_NS;
166 else if (!strcmp(argv[i],"-idp"))
167 rname="IDPSSODescriptor";
168 else if (!strcmp(argv[i],"-aa"))
169 rname="AttributeAuthorityDescriptor";
170 else if (!strcmp(argv[i],"-pdp"))
171 rname="PDPDescriptor";
172 else if (!strcmp(argv[i],"-sp"))
173 rname="SPSSODescriptor";
176 if (verify && !cert_param && !cr_param && !t_param) {
177 cerr << "either -c or -R or -T option required when verifiying, see documentation for usage" << endl;
180 else if (!verify && !key_param && !cr_param) {
181 cerr << "either -k or -R option required when signing, see documentation for usage" << endl;
185 SAMLConfig& conf=SAMLConfig::getConfig();
188 XMLToolingConfig& xmlconf = XMLToolingConfig::getConfig();
189 Category& log = Category::getInstance("OpenSAML.Utility.SAMLSign");
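194 // Parse the specified document (from url_param, from path_param, or from stdin).
// NOTE(review): the input is unauthenticated at this point; how the shared parser treats DTDs and external entities is configured elsewhere and is not visible in this listing.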
195 static XMLCh base[]={chLatin_f, chLatin_i, chLatin_l, chLatin_e, chColon, chForwardSlash, chForwardSlash, chForwardSlash, chNull};
196 DOMDocument* doc=NULL;
198 URLInputSource src(base,url_param);
199 Wrapper4InputSource dsrc(&src,false);
200 doc=xmlconf.getParser().parse(dsrc);
202 else if (path_param) {
203 auto_ptr_XMLCh widenit(path_param);
204 LocalFileInputSource src(base,widenit.get());
205 Wrapper4InputSource dsrc(&src,false);
206 doc=xmlconf.getParser().parse(dsrc);
209 StdInInputSource src;
210 Wrapper4InputSource dsrc(&src,false);
211 doc=xmlconf.getParser().parse(dsrc);
215 XercesJanitor<DOMDocument> jan(doc);
216 auto_ptr<XMLObject> sourcewrapper(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
219 // Navigate to the selected node, or use the root if no ID specified.
221 // Then make sure it's a SignableObject (checked with the dynamic_cast below).
221 XMLObject* source = sourcewrapper.get();
223 auto_ptr_XMLCh widenit(id_param);
224 source = XMLHelper::getXMLObjectById(*source, widenit.get());
226 throw XMLToolingException("Element with ID ($1) not found.", params(1,id_param));
228 SignableObject* signable = dynamic_cast<SignableObject*>(source);
230 throw XMLToolingException("Input is not a signable SAML object.");
233 if (!signable->getSignature())
234 throw SignatureException("Cannot verify unsigned object.");
236 // Check the signature against the SAML signature profile before any key is tried.
237 SignatureProfileValidator sigval;
238 sigval.validate(signable->getSignature());
240 if (cert_param || cr_param) {
241 // Build a resolver to supply trusted credentials.
242 auto_ptr<CredentialResolver> cr(
243 cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(NULL, cert_param)
245 Locker locker(cr.get());
248 CredentialCriteria cc;
249 cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
250 cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY);
252 cc.setPeerName(issuer);
254 // Try every credential we can find.
255 vector<const Credential*> creds;
256 if (cr->resolve(creds, &cc)) {
258 SignatureValidator sigValidator;
259 for (vector<const Credential*>::const_iterator i = creds.begin(); i != creds.end(); ++i) {
261 sigValidator.setCredential(*i);
262 sigValidator.validate(signable->getSignature());
263 log.info("successful signature verification");
271 throw SignatureException("CredentialResolver did not supply a successful verification key.");
274 throw SignatureException("CredentialResolver did not supply any verification keys.");
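278 // TrustEngine-based verification, so try and build the plugins.
// NOTE(review): no null check on sigtrust is visible in this listing; if the configured plugin is not a SignatureTrustEngine, the dynamic_cast yields NULL and the validate() calls below would dereference it.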
279 auto_ptr<TrustEngine> trust(buildPlugin(t_param, xmlconf.TrustEngineManager));
280 SignatureTrustEngine* sigtrust = dynamic_cast<SignatureTrustEngine*>(trust.get());
281 if (m_param && rname && issuer) {
284 protocol = XMLString::transcode(prot);
\r
288 cerr << "use of metadata option requires a protocol option" << endl;
\r
291 auto_ptr<MetadataProvider> metadata(buildPlugin(m_param, conf.MetadataProviderManager));
294 Locker locker(metadata.get());
295 const EntityDescriptor* entity = metadata->getEntityDescriptor(issuer);
\r
297 throw MetadataException("no metadata found for ($1)", params(1, issuer));
\r
298 const XMLCh* ns = rns ? XMLString::transcode(rns) : samlconstants::SAML20MD_NS;
\r
299 auto_ptr_XMLCh n(rname);
\r
300 QName q(ns, n.get());
\r
301 const RoleDescriptor* role = entity->getRoleDescriptor(q, protocol);
\r
303 throw MetadataException("compatible role $1 not found for ($2)", params(2, q.toString().c_str(), issuer));
\r
305 MetadataCredentialCriteria mcc(*role);
\r
306 if (sigtrust->validate(*signable->getSignature(), *metadata.get(), &mcc))
\r
307 log.info("successful signature verification");
309 throw SignatureException("Unable to verify signature with TrustEngine and supplied metadata.");
\r
313 CredentialCriteria cc;
314 cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
315 cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY);
317 cc.setPeerName(issuer);
318 DummyCredentialResolver dummy;
319 if (sigtrust->validate(*signable->getSignature(), dummy, &cc))
\r
320 log.info("successful signature verification");
322 throw SignatureException("Unable to verify signature with TrustEngine (no metadata supplied).");
\r
327 // Build a resolver to supply a credential.
328 auto_ptr<CredentialResolver> cr(
329 cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(key_param, cert_param)
331 Locker locker(cr.get());
332 CredentialCriteria cc;
333 cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
334 const Credential* cred = cr->resolve(&cc);
336 throw XMLSecurityException("Unable to resolve a signing credential.");
338 // Attach new signature.
339 Signature* sig = SignatureBuilder::buildSignature();
340 signable->setSignature(sig);
342 // Sign the object while re-marshalling.
343 vector<Signature*> sigs(1,sig);
344 XMLHelper::serialize(signable->marshall((DOMDocument*)NULL,&sigs,cred), cout);
347 catch(exception& e) {
348 log.errorStream() << "caught an exception: " << e.what() << CategoryStream::ENDLINE;
351 catch(XMLException& e) {
352 auto_ptr_char temp(e.getMessage());
353 log.errorStream() << "caught a Xerces exception: " << temp.get() << CategoryStream::ENDLINE;