-/*
- * Copyright 2001-2007 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
*/
-/* siterefresh.cpp - command-line tool to refresh and verify metadata
-
- Scott Cantor
- 5/12/03
-
- $Id:siterefresh.cpp 2252 2007-05-20 20:20:57Z cantor $
-*/
+/**
+ * samlsign.cpp
+ *
+ * Command-line tool to sign and verify objects.
+ */
#if defined (_MSC_VER) || defined(__BORLANDC__)
# include "config_win32.h"
#include <saml/saml2/metadata/Metadata.h>
#include <saml/saml2/metadata/MetadataProvider.h>
#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
+#include <saml/signature/ContentReference.h>
#include <saml/signature/SignatureProfileValidator.h>
#include <saml/util/SAMLConstants.h>
#include <xmltooling/logging.h>
#include <xmltooling/XMLToolingConfig.h>
+#include <xmltooling/security/Credential.h>
#include <xmltooling/security/SignatureTrustEngine.h>
#include <xmltooling/signature/Signature.h>
#include <xmltooling/signature/SignatureValidator.h>
+#include <xmltooling/util/ParserPool.h>
#include <xmltooling/util/XMLHelper.h>
#include <fstream>
#include <xercesc/framework/LocalFileInputSource.hpp>
-#include <xercesc/framework/URLInputSource.hpp>
#include <xercesc/framework/StdInInputSource.hpp>
#include <xercesc/framework/Wrapper4InputSource.hpp>
ifstream in(path);
DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
XercesJanitor<DOMDocument> janitor(doc);
-
+
static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
- auto_ptr_char type(doc->getDocumentElement()->getAttributeNS(NULL,_type));
+ auto_ptr_char type(doc->getDocumentElement()->getAttributeNS(nullptr,_type));
if (type.get() && *type.get())
return mgr.newPlugin(type.get(), doc->getDocumentElement());
throw XMLToolingException("Missing type in plugin configuration.");
DOMDocument* doc = XMLToolingConfig::getConfig().getParser().newDocument();
XercesJanitor<DOMDocument> janitor(doc);
- DOMElement* root = doc->createElementNS(NULL, _CredentialResolver);
+ DOMElement* root = doc->createElementNS(nullptr, _CredentialResolver);
if (key) {
auto_ptr_XMLCh widenit(key);
- root->setAttributeNS(NULL, _key, widenit.get());
+ root->setAttributeNS(nullptr, _key, widenit.get());
}
if (cert) {
auto_ptr_XMLCh widenit(cert);
- root->setAttributeNS(NULL, _certificate, widenit.get());
+ root->setAttributeNS(nullptr, _certificate, widenit.get());
}
return XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, root);
public:
DummyCredentialResolver() {}
~DummyCredentialResolver() {}
-
+
Lockable* lock() {return this;}
void unlock() {}
-
- const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;}
+
+ const Credential* resolve(const CredentialCriteria* criteria=nullptr) const {return nullptr;}
vector<const Credential*>::size_type resolve(
- vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
+ vector<const Credential*>& results, const CredentialCriteria* criteria=nullptr
) const {return 0;}
};
int main(int argc,char* argv[])
{
- bool verify=true;
- char* url_param=NULL;
- char* path_param=NULL;
- char* key_param=NULL;
- char* cert_param=NULL;
- char* cr_param=NULL;
- char* t_param=NULL;
- char* id_param=NULL;
+ bool verify=true,validate=false;
+ char* url_param=nullptr;
+ char* path_param=nullptr;
+ char* key_param=nullptr;
+ char* cert_param=nullptr;
+ char* cr_param=nullptr;
+ char* t_param=nullptr;
+ char* id_param=nullptr;
+ char* alg_param=nullptr;
+ char* dig_param=nullptr;
// metadata lookup options
- char* m_param=NULL;
- char* issuer=NULL;
- char* prot = NULL;
- const XMLCh* protocol = NULL;
- char* rname = NULL;
- char* rns = NULL;
+ char* m_param=nullptr;
+ char* issuer=nullptr;
+ char* prot = nullptr;
+ const XMLCh* protocol = nullptr;
+ const char* rname = nullptr;
+ char* rns = nullptr;
for (int i=1; i<argc; i++) {
if (!strcmp(argv[i],"-u") && i+1<argc)
prot=argv[++i];
else if (!strcmp(argv[i],"-r") && i+1<argc)
rname=argv[++i];
+ else if (!strcmp(argv[i],"-V"))
+ validate = true;
else if (!strcmp(argv[i],"-ns") && i+1<argc)
rns=argv[++i];
+ else if (!strcmp(argv[i],"-alg") && i+1<argc)
+ alg_param=argv[++i];
+ else if (!strcmp(argv[i],"-dig") && i+1<argc)
+ dig_param=argv[++i];
else if (!strcmp(argv[i],"-saml10"))
protocol=samlconstants::SAML10_PROTOCOL_ENUM;
else if (!strcmp(argv[i],"-saml11"))
return -1;
}
+ XMLToolingConfig& xmlconf = XMLToolingConfig::getConfig();
+ xmlconf.log_config(getenv("OPENSAML_LOG_CONFIG"));
+ if (getenv("OPENSAML_SCHEMAS"))
+ xmlconf.catalog_path = getenv("OPENSAML_SCHEMAS");
SAMLConfig& conf=SAMLConfig::getConfig();
if (!conf.init())
return -2;
- XMLToolingConfig& xmlconf = XMLToolingConfig::getConfig();
Category& log = Category::getInstance("OpenSAML.Utility.SAMLSign");
int ret = 0;
try {
// Parse the specified document.
- static XMLCh base[]={chLatin_f, chLatin_i, chLatin_l, chLatin_e, chColon, chForwardSlash, chForwardSlash, chForwardSlash, chNull};
- DOMDocument* doc=NULL;
+ DOMDocument* doc=nullptr;
if (url_param) {
- URLInputSource src(base,url_param);
+ auto_ptr_XMLCh wideurl(url_param);
+ URLInputSource src(wideurl.get());
Wrapper4InputSource dsrc(&src,false);
- doc=xmlconf.getParser().parse(dsrc);
+ if (validate)
+ doc = xmlconf.getValidatingParser().parse(dsrc);
+ else
+ doc = xmlconf.getParser().parse(dsrc);
}
else if (path_param) {
auto_ptr_XMLCh widenit(path_param);
- LocalFileInputSource src(base,widenit.get());
+ LocalFileInputSource src(widenit.get());
Wrapper4InputSource dsrc(&src,false);
- doc=xmlconf.getParser().parse(dsrc);
+ if (validate)
+ doc = xmlconf.getValidatingParser().parse(dsrc);
+ else
+ doc = xmlconf.getParser().parse(dsrc);
}
else {
StdInInputSource src;
Wrapper4InputSource dsrc(&src,false);
- doc=xmlconf.getParser().parse(dsrc);
+ if (validate)
+ doc = xmlconf.getValidatingParser().parse(dsrc);
+ else
+ doc = xmlconf.getParser().parse(dsrc);
}
-
+
// Unmarshall it.
XercesJanitor<DOMDocument> jan(doc);
auto_ptr<XMLObject> sourcewrapper(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
if (cert_param || cr_param) {
// Build a resolver to supply trusted credentials.
auto_ptr<CredentialResolver> cr(
- cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(NULL, cert_param)
+ cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(nullptr, cert_param)
);
Locker locker(cr.get());
// Set up criteria.
CredentialCriteria cc;
- cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ cc.setUsage(Credential::SIGNING_CREDENTIAL);
cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY);
if (issuer)
cc.setPeerName(issuer);
good = true;
break;
}
- catch (exception&) {
+ catch (exception& e) {
+ log.info("error trying verification key: %s", e.what());
}
}
if (!good)
auto_ptr<TrustEngine> trust(buildPlugin(t_param, xmlconf.TrustEngineManager));
SignatureTrustEngine* sigtrust = dynamic_cast<SignatureTrustEngine*>(trust.get());
if (m_param && rname && issuer) {
- if (!protocol) {\r
- if (prot)\r
- protocol = XMLString::transcode(prot);\r
- }\r
- if (!protocol) {\r
- conf.term();\r
- cerr << "use of metadata option requires a protocol option" << endl;\r
- return -1;\r
- }\r
+ if (!protocol) {
+ if (prot)
+ protocol = XMLString::transcode(prot);
+ }
+ if (!protocol) {
+ conf.term();
+ cerr << "use of metadata option requires a protocol option" << endl;
+ return -1;
+ }
auto_ptr<MetadataProvider> metadata(buildPlugin(m_param, conf.MetadataProviderManager));
metadata->init();
-
+
+ const XMLCh* ns = rns ? XMLString::transcode(rns) : samlconstants::SAML20MD_NS;
+ auto_ptr_XMLCh n(rname);
+ xmltooling::QName q(ns, n.get());
+
Locker locker(metadata.get());
- const EntityDescriptor* entity = metadata->getEntityDescriptor(issuer);\r
- if (!entity)\r
- throw MetadataException("no metadata found for ($1)", params(1, issuer));\r
- const XMLCh* ns = rns ? XMLString::transcode(rns) : samlconstants::SAML20MD_NS;\r
- auto_ptr_XMLCh n(rname);\r
- QName q(ns, n.get());\r
- const RoleDescriptor* role = entity->getRoleDescriptor(q, protocol);\r
- if (!role)\r
- throw MetadataException("compatible role $1 not found for ($2)", params(2, q.toString().c_str(), issuer));\r
-\r
- MetadataCredentialCriteria mcc(*role);\r
- if (sigtrust->validate(*signable->getSignature(), *metadata.get(), &mcc))\r
+ MetadataProvider::Criteria mc(issuer, &q, protocol);
+ pair<const EntityDescriptor*,const RoleDescriptor*> entity = metadata->getEntityDescriptor(mc);
+ if (!entity.first)
+ throw MetadataException("no metadata found for ($1)", params(1, issuer));
+ else if (!entity.second)
+ throw MetadataException("compatible role $1 not found for ($2)", params(2, q.toString().c_str(), issuer));
+
+ MetadataCredentialCriteria mcc(*entity.second);
+ if (sigtrust->validate(*signable->getSignature(), *metadata.get(), &mcc))
log.info("successful signature verification");
- else\r
- throw SignatureException("Unable to verify signature with TrustEngine and supplied metadata.");\r
+ else
+ throw SignatureException("Unable to verify signature with TrustEngine and supplied metadata.");
}
else {
// Set up criteria.
CredentialCriteria cc;
- cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ cc.setUsage(Credential::SIGNING_CREDENTIAL);
cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY);
if (issuer)
cc.setPeerName(issuer);
DummyCredentialResolver dummy;
- if (sigtrust->validate(*signable->getSignature(), dummy, &cc))\r
+ if (sigtrust->validate(*signable->getSignature(), dummy, &cc))
log.info("successful signature verification");
- else\r
- throw SignatureException("Unable to verify signature with TrustEngine (no metadata supplied).");\r
+ else
+ throw SignatureException("Unable to verify signature with TrustEngine (no metadata supplied).");
}
}
}
);
Locker locker(cr.get());
CredentialCriteria cc;
- cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ cc.setUsage(Credential::SIGNING_CREDENTIAL);
const Credential* cred = cr->resolve(&cc);
if (!cred)
throw XMLSecurityException("Unable to resolve a signing credential.");
// Attach new signature.
Signature* sig = SignatureBuilder::buildSignature();
signable->setSignature(sig);
+ auto_ptr_XMLCh alg(alg_param);
+ if (alg.get()) {
+ sig->setSignatureAlgorithm(alg.get());
+ }
+ auto_ptr_XMLCh dig(dig_param);
+ if (dig.get()) {
+ dynamic_cast<opensaml::ContentReference*>(sig->getContentReference())->setDigestAlgorithm(dig.get());
+ }
// Sign response while re-marshalling.
vector<Signature*> sigs(1,sig);
- XMLHelper::serialize(signable->marshall((DOMDocument*)NULL,&sigs,cred), cout);
+ XMLHelper::serialize(signable->marshall((DOMDocument*)nullptr,&sigs,cred), cout);
}
}
catch(exception& e) {
- log.errorStream() << "caught an exception: " << e.what() << CategoryStream::ENDLINE;
+ log.errorStream() << "caught an exception: " << e.what() << logging::eol;
ret=-10;
}
- catch(XMLException& e) {
- auto_ptr_char temp(e.getMessage());
- log.errorStream() << "caught a Xerces exception: " << temp.get() << CategoryStream::ENDLINE;
- ret=-20;
- }
conf.term();
return ret;
projects / shibboleth / cpp-opensaml.git / blobdiff