X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FXMLSigningRule.cpp;h=4597894b062f141cc4f08840506a8027ed10437f;hp=fab79bcd825c804e70eb9868ea4e09f8a5da4b95;hb=1462057b3b9ae7e165d34d988e30b14c213672ca;hpb=daf3f79d9624614fb13ca7f618c9fe5742392a3e diff --git a/saml/binding/impl/XMLSigningRule.cpp b/saml/binding/impl/XMLSigningRule.cpp index fab79bc..4597894 100644 --- a/saml/binding/impl/XMLSigningRule.cpp +++ b/saml/binding/impl/XMLSigningRule.cpp @@ -1,39 +1,47 @@ -/* - * Copyright 2001-2007 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. * - * http://www.apache.org/licenses/LICENSE-2.0 + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** * XMLSigningRule.cpp * - * XML Signature checking SecurityPolicyRule + * XML Signature checking SecurityPolicyRule. */ #include "internal.h" #include "exceptions.h" +#include "binding/SecurityPolicy.h" #include "binding/SecurityPolicyRule.h" #include "saml2/core/Assertions.h" #include "saml2/metadata/Metadata.h" +#include "saml2/metadata/MetadataCredentialCriteria.h" #include "saml2/metadata/MetadataProvider.h" #include "signature/SignatureProfileValidator.h" -#include +#include +#include +#include using namespace opensaml::saml2md; using namespace opensaml; +using namespace xmltooling::logging; using namespace xmltooling; -using namespace log4cpp; using namespace std; using xmlsignature::SignatureException; @@ -45,10 +53,13 @@ namespace opensaml { XMLSigningRule(const DOMElement* e); virtual ~XMLSigningRule() {} - void evaluate(const xmltooling::XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; + const char* getType() const { + return XMLSIGNING_POLICY_RULE; + } + bool evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const; private: - bool m_errorsFatal; + bool m_errorFatal; }; SecurityPolicyRule* SAML_DLLLOCAL XMLSigningRuleFactory(const DOMElement* const & e) @@ -56,36 +67,31 @@ namespace opensaml { return new XMLSigningRule(e); } - static const XMLCh errorsFatal[] = UNICODE_LITERAL_11(e,r,r,o,r,s,F,a,t,a,l); + static const XMLCh errorFatal[] = UNICODE_LITERAL_10(e,r,r,o,r,F,a,t,a,l); }; -XMLSigningRule::XMLSigningRule(const DOMElement* e) : m_errorsFatal(false) +XMLSigningRule::XMLSigningRule(const DOMElement* e) : m_errorFatal(XMLHelper::getAttrBool(e, false, errorFatal)) { - if (e) { - const XMLCh* flag = e->getAttributeNS(NULL, errorsFatal); - m_errorsFatal = (flag && (*flag==chLatin_t || *flag==chDigit_1)); - } } -void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const +bool XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const { - Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.XMLSigning"); - log.debug("evaluating message signing policy"); + Category& log=Category::getInstance(SAML_LOGCAT ".SecurityPolicyRule.XMLSigning"); if (!policy.getIssuerMetadata()) { log.debug("ignoring message, no issuer metadata supplied"); - return; + return false; } - else if (!policy.getTrustEngine()) { - log.debug("ignoring message, no TrustEngine supplied"); - return; + + const SignatureTrustEngine* sigtrust; + if (!(sigtrust=dynamic_cast(policy.getTrustEngine()))) { + log.debug("ignoring message, no SignatureTrustEngine supplied"); + return false; } const SignableObject* signable = dynamic_cast(&message); - if (!signable || !signable->getSignature()) { - log.debug("ignoring unsigned or unrecognized message"); - return; - } + if (!signable || !signable->getSignature()) + return false; log.debug("validating signature profile"); try { @@ -94,20 +100,22 @@ void XMLSigningRule::evaluate(const XMLObject& message, const GenericRequest* re } catch (ValidationException& ve) { log.error("signature profile failed to validate: %s", ve.what()); - if (m_errorsFatal) + if (m_errorFatal) throw; - return; + return false; } - if (!policy.getTrustEngine()->validate( - *(signable->getSignature()), *(policy.getIssuerMetadata()), policy.getMetadataProvider()->getKeyResolver() - )) { + // Set up criteria object. + MetadataCredentialCriteria cc(*(policy.getIssuerMetadata())); + + if (!sigtrust->validate(*(signable->getSignature()), *(policy.getMetadataProvider()), &cc)) { log.error("unable to verify message signature with supplied trust engine"); - if (m_errorsFatal) - throw SignatureException("Message was signed, but signature could not be verified."); - return; + if (m_errorFatal) + throw SecurityPolicyException("Message was signed, but signature could not be verified."); + return false; } log.debug("signature verified against message issuer"); - policy.setSecure(true); + policy.setAuthenticated(true); + return true; }