X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;fp=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;h=efc82ed80124cab4c15c921155bfd963a8816377;hp=b10879978a941dc72cf4be1f9133210033a47008;hb=daea239bdf6d776724c26803bea4ccc5028896e4;hpb=a0f7ddfb1954304a01b6a49580ce8d2603a60446 diff --git a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp index b108799..efc82ed 100644 --- a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp +++ b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -41,7 +42,22 @@ using namespace std; namespace opensaml { namespace saml2md { - + + class SAML_DLLLOCAL DummyCredentialResolver : public CredentialResolver + { + public: + DummyCredentialResolver() {} + ~DummyCredentialResolver() {} + + Lockable* lock() {return this;} + void unlock() {} + + const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;} + vector::size_type resolve( + vector& results, const CredentialCriteria* criteria=NULL + ) const {return 0;} + }; + class SAML_DLLLOCAL SignatureMetadataFilter : public MetadataFilter { public: @@ -55,16 +71,11 @@ namespace opensaml { private: void doFilter(EntitiesDescriptor& entities, bool rootObject=false) const; - void verifySignature(Signature* sig) const { - if (sig) { - m_profileValidator.validate(sig); - m_sigValidator.validate(sig); - } - } + void verifySignature(Signature* sig, const XMLCh* peerName) const; CredentialResolver* m_credResolver; + SignatureTrustEngine* m_trust; SignatureProfileValidator m_profileValidator; - mutable SignatureValidator m_sigValidator; }; MetadataFilter* SAML_DLLLOCAL SignatureMetadataFilterFactory(const DOMElement* const & e) @@ -75,13 +86,14 @@ namespace opensaml { }; }; +static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e); static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r); static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e); static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e); static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h); -SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_credResolver(NULL) +SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_credResolver(NULL), m_trust(NULL) { if (e && e->hasAttributeNS(NULL,certificate)) { // Dummy up a file resolver. @@ -95,13 +107,25 @@ SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_credRe return; } - e = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; - auto_ptr_char t(e ? e->getAttributeNS(NULL,type) : NULL); + DOMElement* sub = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; + auto_ptr_char t(sub ? sub->getAttributeNS(NULL,type) : NULL); if (t.get()) { - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),e); + m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),sub); + return; } - else - throw MetadataFilterException("Missing element, or no type attribute found"); + + sub = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : NULL; + auto_ptr_char t2(sub ? sub->getAttributeNS(NULL,type) : NULL); + if (t2.get()) { + TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t2.get(),sub); + if (!(m_trust = dynamic_cast(trust))) { + delete trust; + throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); + } + return; + } + + throw MetadataFilterException("SignatureMetadataFilter configuration requires or element."); } void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const @@ -110,11 +134,6 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const NDC ndc("doFilter"); #endif - CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); - Locker locker(m_credResolver); - m_sigValidator.setCredential(m_credResolver->resolve(&cc)); - try { EntitiesDescriptor& entities = dynamic_cast(xmlObject); doFilter(entities, true); @@ -127,7 +146,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const EntityDescriptor& entity = dynamic_cast(xmlObject); if (!entity.getSignature()) throw MetadataFilterException("Root metadata element was unsigned."); - verifySignature(entity.getSignature()); + verifySignature(entity.getSignature(), entity.getEntityID()); } catch (bad_cast) { } @@ -137,20 +156,20 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootObject) const { - Category& log=Category::getInstance(SAML_LOGCAT".Metadata"); + Category& log=Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature"); Signature* sig = entities.getSignature(); if (!sig && rootObject) throw MetadataFilterException("Root metadata element was unsigned."); - verifySignature(sig); + verifySignature(sig, entities.getName()); VectorOf(EntityDescriptor) v=entities.getEntityDescriptors(); for (VectorOf(EntityDescriptor)::size_type i=0; igetSignature()); + verifySignature(v[i]->getSignature(), v[i]->getEntityID()); i++; } - catch (XMLToolingException& e) { + catch (exception& e) { auto_ptr_char id(v[i]->getEntityID()); log.info("filtering out entity (%s) after failed signature check: ", id.get(), e.what()); v.erase(v.begin() + i); @@ -160,13 +179,59 @@ void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootOb VectorOf(EntitiesDescriptor) w=entities.getEntitiesDescriptors(); for (VectorOf(EntitiesDescriptor)::size_type j=0; jgetSignature()); + verifySignature(w[j]->getSignature(), w[j]->getName()); j++; } - catch (XMLToolingException& e) { + catch (exception& e) { auto_ptr_char name(w[j]->getName()); log.info("filtering out group (%s) after failed signature check: ", name.get(), e.what()); w.erase(w.begin() + j); } } } + +void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerName) const +{ + if (!sig) + return; + + m_profileValidator.validate(sig); + + // Set up criteria. + CredentialCriteria cc; + cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setSignature(*sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); + if (peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } + + if (m_credResolver) { + Locker locker(m_credResolver); + vector creds; + if (m_credResolver->resolve(creds,&cc)) { + SignatureValidator sigValidator; + for (vector::const_iterator i = creds.begin(); i != creds.end(); ++i) { + try { + sigValidator.setCredential(*i); + sigValidator.validate(sig); + return; // success! + } + catch (exception&) { + } + } + throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); + } + else { + throw MetadataFilterException("CredentialResolver did not supply any verification keys."); + } + } + else if (m_trust) { + DummyCredentialResolver dummy; + if (m_trust->validate(*sig, dummy, &cc)) + return; + throw MetadataFilterException("TrustEngine unable to verify signature."); + } + + throw MetadataFilterException("Unable to verify signature."); +}