X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;h=4e162cb7cbbb5a23840313276c27aa632b3a8dbc;hp=64c43f869789a3ec9e78d0aa42efda3cb0e22b98;hb=e654827690e0477ac0ca54e80640d81c561a6118;hpb=a1fc8349ebc40c9dae9f50ca264efad71071bda8 diff --git a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp index 64c43f8..4e162cb 100644 --- a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp +++ b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2001-2006 Internet2 + * Copyright 2001-2008 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,36 +15,55 @@ */ /** - * BlacklistMetadataFilter.cpp + * SignatureMetadataFilter.cpp * - * Removes blacklisted entities from a metadata instance + * Filters out unsigned or mis-signed elements. */ #include "internal.h" +#include "saml2/metadata/Metadata.h" #include "saml2/metadata/MetadataFilter.h" #include "signature/SignatureProfileValidator.h" -#include - -#include +#include +#include +#include +#include +#include #include +#include using namespace opensaml::saml2md; using namespace opensaml; using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; -using namespace log4cpp; using namespace std; namespace opensaml { namespace saml2md { - + + class SAML_DLLLOCAL DummyCredentialResolver : public CredentialResolver + { + public: + DummyCredentialResolver() {} + ~DummyCredentialResolver() {} + + Lockable* lock() {return this;} + void unlock() {} + + const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;} + vector::size_type resolve( + vector& results, const CredentialCriteria* criteria=NULL + ) const {return 0;} + }; + class SAML_DLLLOCAL SignatureMetadataFilter : public MetadataFilter { public: SignatureMetadataFilter(const DOMElement* e); ~SignatureMetadataFilter() { - delete m_sigValidator; + delete m_credResolver; } const char* getId() const { return SIGNATURE_METADATA_FILTER; } @@ -52,15 +71,13 @@ namespace opensaml { private: void doFilter(EntitiesDescriptor& entities, bool rootObject=false) const; - void verifySignature(Signature* sig) const { - if (sig) { - m_profileValidator.validate(sig); - m_sigValidator->validate(sig); - } - } + void doFilter(EntityDescriptor& entity, bool rootObject=false) const; + void verifySignature(Signature* sig, const XMLCh* peerName) const; + CredentialResolver* m_credResolver; + SignatureTrustEngine* m_trust; SignatureProfileValidator m_profileValidator; - SignatureValidator* m_sigValidator; + Category& m_log; }; MetadataFilter* SAML_DLLLOCAL SignatureMetadataFilterFactory(const DOMElement* const & e) @@ -71,20 +88,41 @@ namespace opensaml { }; }; -static const XMLCh GenericKeyResolver[] = UNICODE_LITERAL_11(K,e,y,R,e,s,o,l,v,e,r); +static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e); +static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r); static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); +static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e); +static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e); +static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h); -SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_sigValidator(NULL) +SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) + : m_credResolver(NULL), m_trust(NULL), m_log(Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature")) { - e = XMLHelper::getFirstChildElement(e, GenericKeyResolver); - auto_ptr_char t(e ? e->getAttributeNS(NULL,type) : NULL); + if (e && e->hasAttributeNS(NULL,certificate)) { + // Use a file-based credential resolver rooted here. + m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,e); + return; + } + + DOMElement* sub = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; + auto_ptr_char t(sub ? sub->getAttributeNS(NULL,type) : NULL); if (t.get()) { - auto_ptr kr(XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(t.get(),e)); - m_sigValidator = new SignatureValidator(kr.get()); - kr.release(); + m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),sub); + return; } - else - throw MetadataFilterException("missing element, or no type attribute found"); + + sub = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : NULL; + auto_ptr_char t2(sub ? sub->getAttributeNS(NULL,type) : NULL); + if (t2.get()) { + TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t2.get(),sub); + if (!(m_trust = dynamic_cast(trust))) { + delete trust; + throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); + } + return; + } + + throw MetadataFilterException("SignatureMetadataFilter configuration requires or element."); } void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const @@ -100,37 +138,42 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const } catch (bad_cast) { } + catch (exception& ex) { + m_log.warn("filtering out group at root of instance after failed signature check: %s", ex.what()); + throw MetadataFilterException("SignatureMetadataFilter unable to verify signature at root of metadata instance."); + } try { EntityDescriptor& entity = dynamic_cast(xmlObject); - if (!entity.getSignature()) - throw MetadataFilterException("Root metadata element was unsigned."); - verifySignature(entity.getSignature()); + doFilter(entity, true); + return; } catch (bad_cast) { } + catch (exception& ex) { + m_log.warn("filtering out entity at root of instance after failed signature check: %s", ex.what()); + throw MetadataFilterException("SignatureMetadataFilter unable to verify signature at root of metadata instance."); + } throw MetadataFilterException("SignatureMetadataFilter was given an improper metadata instance to filter."); } void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootObject) const { - Category& log=Category::getInstance(SAML_LOGCAT".Metadata"); - Signature* sig = entities.getSignature(); if (!sig && rootObject) throw MetadataFilterException("Root metadata element was unsigned."); - verifySignature(sig); + verifySignature(sig, entities.getName()); VectorOf(EntityDescriptor) v=entities.getEntityDescriptors(); for (VectorOf(EntityDescriptor)::size_type i=0; igetSignature()); + doFilter(*(v[i])); i++; } - catch (XMLToolingException& e) { + catch (exception& e) { auto_ptr_char id(v[i]->getEntityID()); - log.info("filtering out entity (%s) after failed signature check: ", id.get(), e.what()); + m_log.warn("filtering out entity (%s) after failed signature check: %s", id.get(), e.what()); v.erase(v.begin() + i); } } @@ -138,13 +181,94 @@ void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootOb VectorOf(EntitiesDescriptor) w=entities.getEntitiesDescriptors(); for (VectorOf(EntitiesDescriptor)::size_type j=0; jgetSignature()); + doFilter(*w[j], false); j++; } - catch (XMLToolingException& e) { + catch (exception& e) { auto_ptr_char name(w[j]->getName()); - log.info("filtering out group (%s) after failed signature check: ", name.get(), e.what()); + m_log.warn("filtering out group (%s) after failed signature check: %s", name.get(), e.what()); w.erase(w.begin() + j); } } } + +void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject) const +{ + Signature* sig = entity.getSignature(); + if (!sig && rootObject) + throw MetadataFilterException("Root metadata element was unsigned."); + verifySignature(sig, entity.getEntityID()); + + VectorOf(RoleDescriptor) v=entity.getRoleDescriptors(); + for (VectorOf(RoleDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out role (%s) for entity (%s) after failed signature check: %s", + v[i]->getElementQName().toString().c_str(), id.get(), e.what() + ); + v.erase(v.begin() + i); + } + } + + if (entity.getAffiliationDescriptor()) { + try { + verifySignature(entity.getAffiliationDescriptor()->getSignature(), entity.getEntityID()); + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn("filtering out affiliation from entity (%s) after failed signature check: %s", id.get(), e.what()); + entity.setAffiliationDescriptor(NULL); + } + } +} + +void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerName) const +{ + if (!sig) + return; + + m_profileValidator.validate(sig); + + // Set up criteria. + CredentialCriteria cc; + cc.setUsage(Credential::SIGNING_CREDENTIAL); + cc.setSignature(*sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); + if (peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } + + if (m_credResolver) { + Locker locker(m_credResolver); + vector creds; + if (m_credResolver->resolve(creds,&cc)) { + SignatureValidator sigValidator; + for (vector::const_iterator i = creds.begin(); i != creds.end(); ++i) { + try { + sigValidator.setCredential(*i); + sigValidator.validate(sig); + return; // success! + } + catch (exception&) { + } + } + throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); + } + else { + throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); + } + } + else if (m_trust) { + DummyCredentialResolver dummy; + if (m_trust->validate(*sig, dummy, &cc)) + return; + throw MetadataFilterException("TrustEngine unable to verify signature."); + } + + throw MetadataFilterException("Unable to verify signature."); +}