X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;h=3bebcd78b8f5c1389d57323118c0ebf6efffa358;hp=efc82ed80124cab4c15c921155bfd963a8816377;hb=dc27298af1428d1524f05aac0c56e17f3e8183e1;hpb=daea239bdf6d776724c26803bea4ccc5028896e4 diff --git a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp index efc82ed..3bebcd7 100644 --- a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp +++ b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp @@ -1,6 +1,6 @@ /* - * Copyright 2001-2007 Internet2 - * + * Copyright 2001-2008 Internet2 + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -16,7 +16,7 @@ /** * SignatureMetadataFilter.cpp - * + * * Filters out unsigned or mis-signed elements. */ @@ -48,35 +48,39 @@ namespace opensaml { public: DummyCredentialResolver() {} ~DummyCredentialResolver() {} - + Lockable* lock() {return this;} void unlock() {} - + const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;} vector::size_type resolve( vector& results, const CredentialCriteria* criteria=NULL ) const {return 0;} }; - + class SAML_DLLLOCAL SignatureMetadataFilter : public MetadataFilter { public: SignatureMetadataFilter(const DOMElement* e); ~SignatureMetadataFilter() { delete m_credResolver; + delete m_trust; } - + const char* getId() const { return SIGNATURE_METADATA_FILTER; } void doFilter(XMLObject& xmlObject) const; private: void doFilter(EntitiesDescriptor& entities, bool rootObject=false) const; + void doFilter(EntityDescriptor& entity, bool rootObject=false) const; void verifySignature(Signature* sig, const XMLCh* peerName) const; - + + bool m_verifyRoles,m_verifyName; CredentialResolver* m_credResolver; SignatureTrustEngine* m_trust; SignatureProfileValidator m_profileValidator; - }; + Category& m_log; + }; MetadataFilter* SAML_DLLLOCAL SignatureMetadataFilterFactory(const DOMElement* const & e) { @@ -92,18 +96,21 @@ static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e); static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e); static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h); +static const XMLCh verifyRoles[] = UNICODE_LITERAL_11(v,e,r,i,f,y,R,o,l,e,s); +static const XMLCh verifyName[] = UNICODE_LITERAL_10(v,e,r,i,f,y,N,a,m,e); -SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_credResolver(NULL), m_trust(NULL) +SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) + : m_verifyRoles(false), m_verifyName(true), m_credResolver(NULL), m_trust(NULL), m_log(Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature")) { + const XMLCh* flag = e ? e->getAttributeNS(NULL,verifyRoles) : NULL; + m_verifyRoles = (flag && (*flag == chLatin_t || *flag == chDigit_1)); + + flag = e ? e->getAttributeNS(NULL,verifyName) : NULL; + m_verifyName = !(flag && (*flag == chLatin_f || *flag == chDigit_0)); + if (e && e->hasAttributeNS(NULL,certificate)) { - // Dummy up a file resolver. - DOMElement* dummy = e->getOwnerDocument()->createElementNS(NULL,_CredentialResolver); - DOMElement* child = e->getOwnerDocument()->createElementNS(NULL,Certificate); - dummy->appendChild(child); - DOMElement* path = e->getOwnerDocument()->createElementNS(NULL,Path); - child->appendChild(path); - path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,certificate))); - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,dummy); + // Use a file-based credential resolver rooted here. + m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,e); return; } @@ -124,7 +131,7 @@ SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_credRe } return; } - + throw MetadataFilterException("SignatureMetadataFilter configuration requires or element."); } @@ -133,7 +140,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const #ifdef _DEBUG NDC ndc("doFilter"); #endif - + try { EntitiesDescriptor& entities = dynamic_cast(xmlObject); doFilter(entities, true); @@ -141,55 +148,218 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const } catch (bad_cast) { } + catch (exception& ex) { + m_log.warn("filtering out group at root of instance after failed signature check: %s", ex.what()); + throw MetadataFilterException("SignatureMetadataFilter unable to verify signature at root of metadata instance."); + } try { EntityDescriptor& entity = dynamic_cast(xmlObject); - if (!entity.getSignature()) - throw MetadataFilterException("Root metadata element was unsigned."); - verifySignature(entity.getSignature(), entity.getEntityID()); + doFilter(entity, true); + return; } catch (bad_cast) { } - + catch (exception& ex) { + m_log.warn("filtering out entity at root of instance after failed signature check: %s", ex.what()); + throw MetadataFilterException("SignatureMetadataFilter unable to verify signature at root of metadata instance."); + } + throw MetadataFilterException("SignatureMetadataFilter was given an improper metadata instance to filter."); } void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootObject) const { - Category& log=Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature"); - Signature* sig = entities.getSignature(); if (!sig && rootObject) throw MetadataFilterException("Root metadata element was unsigned."); verifySignature(sig, entities.getName()); - + VectorOf(EntityDescriptor) v=entities.getEntityDescriptors(); for (VectorOf(EntityDescriptor)::size_type i=0; igetSignature(), v[i]->getEntityID()); + doFilter(*(v[i])); i++; } catch (exception& e) { auto_ptr_char id(v[i]->getEntityID()); - log.info("filtering out entity (%s) after failed signature check: ", id.get(), e.what()); + m_log.warn("filtering out entity (%s) after failed signature check: %s", id.get(), e.what()); v.erase(v.begin() + i); } } - + VectorOf(EntitiesDescriptor) w=entities.getEntitiesDescriptors(); for (VectorOf(EntitiesDescriptor)::size_type j=0; jgetSignature(), w[j]->getName()); + doFilter(*w[j], false); j++; } catch (exception& e) { auto_ptr_char name(w[j]->getName()); - log.info("filtering out group (%s) after failed signature check: ", name.get(), e.what()); + m_log.warn("filtering out group (%s) after failed signature check: %s", name.get(), e.what()); w.erase(w.begin() + j); } } } +void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject) const +{ + Signature* sig = entity.getSignature(); + if (!sig && rootObject) + throw MetadataFilterException("Root metadata element was unsigned."); + verifySignature(sig, entity.getEntityID()); + + if (!m_verifyRoles) + return; + + VectorOf(IDPSSODescriptor) idp=entity.getIDPSSODescriptors(); + for (VectorOf(IDPSSODescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out IDPSSODescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + idp.erase(idp.begin() + i); + } + } + + VectorOf(SPSSODescriptor) sp=entity.getSPSSODescriptors(); + for (VectorOf(SPSSODescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out SPSSODescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + sp.erase(sp.begin() + i); + } + } + + VectorOf(AuthnAuthorityDescriptor) authn=entity.getAuthnAuthorityDescriptors(); + for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AuthnAuthorityDescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + authn.erase(authn.begin() + i); + } + } + + VectorOf(AttributeAuthorityDescriptor) aa=entity.getAttributeAuthorityDescriptors(); + for (VectorOf(AttributeAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AttributeAuthorityDescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + aa.erase(aa.begin() + i); + } + } + + VectorOf(PDPDescriptor) pdp=entity.getPDPDescriptors(); + for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out PDPDescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + pdp.erase(pdp.begin() + i); + } + } + + VectorOf(AuthnQueryDescriptorType) authnq=entity.getAuthnQueryDescriptorTypes(); + for (VectorOf(AuthnQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AuthnQueryDescriptorType for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + authnq.erase(authnq.begin() + i); + } + } + + VectorOf(AttributeQueryDescriptorType) attrq=entity.getAttributeQueryDescriptorTypes(); + for (VectorOf(AttributeQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AttributeQueryDescriptorType for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + attrq.erase(attrq.begin() + i); + } + } + + VectorOf(AuthzDecisionQueryDescriptorType) authzq=entity.getAuthzDecisionQueryDescriptorTypes(); + for (VectorOf(AuthzDecisionQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AuthzDecisionQueryDescriptorType for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + authzq.erase(authzq.begin() + i); + } + } + + VectorOf(RoleDescriptor) v=entity.getRoleDescriptors(); + for (VectorOf(RoleDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out role (%s) for entity (%s) after failed signature check: %s", + v[i]->getElementQName().toString().c_str(), id.get(), e.what() + ); + v.erase(v.begin() + i); + } + } + + if (entity.getAffiliationDescriptor()) { + try { + verifySignature(entity.getAffiliationDescriptor()->getSignature(), entity.getEntityID()); + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn("filtering out affiliation from entity (%s) after failed signature check: %s", id.get(), e.what()); + entity.setAffiliationDescriptor(NULL); + } + } +} + void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerName) const { if (!sig) @@ -199,14 +369,14 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN // Set up criteria. CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(*sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); - if (peerName) { - auto_ptr_char pname(peerName); - cc.setPeerName(pname.get()); - } if (m_credResolver) { + if (peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } Locker locker(m_credResolver); vector creds; if (m_credResolver->resolve(creds,&cc)) { @@ -223,10 +393,14 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); } else { - throw MetadataFilterException("CredentialResolver did not supply any verification keys."); + throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); } } else if (m_trust) { + if (m_verifyName && peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } DummyCredentialResolver dummy; if (m_trust->validate(*sig, dummy, &cc)) return;