X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;h=da3e787c1c6cb1157b78f24423d3af494d061284;hp=4e67a8ef1c758f0f6104a97f648a79641161fb72;hb=208928133db000b055b99fcbabc245295adb0d48;hpb=4cf233af5d903d52b55ec41c3bad44361485a657 diff --git a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp index 4e67a8e..da3e787 100644 --- a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp +++ b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp @@ -1,22 +1,26 @@ -/* - * Copyright 2001-2007 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. + * + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** * SignatureMetadataFilter.cpp - * + * * Filters out unsigned or mis-signed elements. */ @@ -26,10 +30,12 @@ #include "signature/SignatureProfileValidator.h" #include +#include #include #include #include #include +#include #include #include @@ -43,41 +49,26 @@ using namespace std; namespace opensaml { namespace saml2md { - class SAML_DLLLOCAL DummyCredentialResolver : public CredentialResolver - { - public: - DummyCredentialResolver() {} - ~DummyCredentialResolver() {} - - Lockable* lock() {return this;} - void unlock() {} - - const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;} - vector::size_type resolve( - vector& results, const CredentialCriteria* criteria=NULL - ) const {return 0;} - }; - class SAML_DLLLOCAL SignatureMetadataFilter : public MetadataFilter { public: SignatureMetadataFilter(const DOMElement* e); - ~SignatureMetadataFilter() { - delete m_credResolver; - } - + ~SignatureMetadataFilter() {} + const char* getId() const { return SIGNATURE_METADATA_FILTER; } void doFilter(XMLObject& xmlObject) const; private: void doFilter(EntitiesDescriptor& entities, bool rootObject=false) const; + void doFilter(EntityDescriptor& entity, bool rootObject=false) const; void verifySignature(Signature* sig, const XMLCh* peerName) const; - - CredentialResolver* m_credResolver; - SignatureTrustEngine* m_trust; + + bool m_verifyRoles,m_verifyName; + auto_ptr m_credResolver,m_dummyResolver; + auto_ptr m_trust; SignatureProfileValidator m_profileValidator; Category& m_log; - }; + }; MetadataFilter* SAML_DLLLOCAL SignatureMetadataFilterFactory(const DOMElement* const & e) { @@ -93,34 +84,47 @@ static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e); static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e); static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h); +static const XMLCh verifyRoles[] = UNICODE_LITERAL_11(v,e,r,i,f,y,R,o,l,e,s); +static const XMLCh verifyName[] = UNICODE_LITERAL_10(v,e,r,i,f,y,N,a,m,e); SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) - : m_credResolver(NULL), m_trust(NULL), m_log(Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature")) + : m_verifyRoles(XMLHelper::getAttrBool(e, false, verifyRoles)), + m_verifyName(XMLHelper::getAttrBool(e, true, verifyName)), + m_log(Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature")) { - if (e && e->hasAttributeNS(NULL,certificate)) { + if (e && e->hasAttributeNS(nullptr,certificate)) { // Use a file-based credential resolver rooted here. - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,e); + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e)); return; } - DOMElement* sub = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; - auto_ptr_char t(sub ? sub->getAttributeNS(NULL,type) : NULL); - if (t.get()) { - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),sub); - return; + DOMElement* sub = XMLHelper::getFirstChildElement(e, _CredentialResolver); + if (sub) { + string t = XMLHelper::getAttrString(sub, nullptr, type); + if (!t.empty()) { + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), sub)); + return; + } } - sub = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : NULL; - auto_ptr_char t2(sub ? sub->getAttributeNS(NULL,type) : NULL); - if (t2.get()) { - TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t2.get(),sub); - if (!(m_trust = dynamic_cast(trust))) { - delete trust; - throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); + sub = XMLHelper::getFirstChildElement(e, _TrustEngine); + if (sub) { + string t = XMLHelper::getAttrString(sub, nullptr, type); + if (!t.empty()) { + TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), sub); + SignatureTrustEngine* sigTrust = dynamic_cast(trust); + if (!sigTrust) { + delete trust; + throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); + } + m_trust.reset(sigTrust); + m_dummyResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr)); + if (!m_dummyResolver.get()) + throw MetadataFilterException("Error creating dummy CredentialResolver."); + return; } - return; } - + throw MetadataFilterException("SignatureMetadataFilter configuration requires or element."); } @@ -129,32 +133,31 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const #ifdef _DEBUG NDC ndc("doFilter"); #endif - + try { EntitiesDescriptor& entities = dynamic_cast(xmlObject); doFilter(entities, true); return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { - m_log.warn("filtering out group at root of instance after failed signature check: ", ex.what()); + m_log.warn("filtering out group at root of instance after failed signature check: %s", ex.what()); throw MetadataFilterException("SignatureMetadataFilter unable to verify signature at root of metadata instance."); } try { EntityDescriptor& entity = dynamic_cast(xmlObject); - if (!entity.getSignature()) - throw MetadataFilterException("Root metadata element was unsigned."); - verifySignature(entity.getSignature(), entity.getEntityID()); + doFilter(entity, true); + return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { - m_log.warn("filtering out entity at root of instance after failed signature check: ", ex.what()); + m_log.warn("filtering out entity at root of instance after failed signature check: %s", ex.what()); throw MetadataFilterException("SignatureMetadataFilter unable to verify signature at root of metadata instance."); } - + throw MetadataFilterException("SignatureMetadataFilter was given an improper metadata instance to filter."); } @@ -164,34 +167,192 @@ void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootOb if (!sig && rootObject) throw MetadataFilterException("Root metadata element was unsigned."); verifySignature(sig, entities.getName()); - - VectorOf(EntityDescriptor) v=entities.getEntityDescriptors(); - for (VectorOf(EntityDescriptor)::size_type i=0; igetSignature(), v[i]->getEntityID()); + doFilter(*(v[i])); i++; } catch (exception& e) { auto_ptr_char id(v[i]->getEntityID()); - m_log.warn("filtering out entity (%s) after failed signature check: ", id.get(), e.what()); + m_log.warn("filtering out entity (%s) after failed signature check: %s", id.get(), e.what()); v.erase(v.begin() + i); } } - - VectorOf(EntitiesDescriptor) w=entities.getEntitiesDescriptors(); - for (VectorOf(EntitiesDescriptor)::size_type j=0; jgetSignature(), w[j]->getName()); + doFilter(*w[j], false); j++; } catch (exception& e) { auto_ptr_char name(w[j]->getName()); - m_log.warn("filtering out group (%s) after failed signature check: ", name.get(), e.what()); + m_log.warn("filtering out group (%s) after failed signature check: %s", name.get(), e.what()); w.erase(w.begin() + j); } } } +void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject) const +{ + Signature* sig = entity.getSignature(); + if (!sig && rootObject) + throw MetadataFilterException("Root metadata element was unsigned."); + verifySignature(sig, entity.getEntityID()); + + if (!m_verifyRoles) + return; + + VectorOf(IDPSSODescriptor) idp = entity.getIDPSSODescriptors(); + for (VectorOf(IDPSSODescriptor)::size_type i = 0; i < idp.size(); ) { + try { + verifySignature(idp[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out IDPSSODescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + idp.erase(idp.begin() + i); + } + } + + VectorOf(SPSSODescriptor) sp = entity.getSPSSODescriptors(); + for (VectorOf(SPSSODescriptor)::size_type i = 0; i < sp.size(); ) { + try { + verifySignature(sp[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out SPSSODescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + sp.erase(sp.begin() + i); + } + } + + VectorOf(AuthnAuthorityDescriptor) authn = entity.getAuthnAuthorityDescriptors(); + for (VectorOf(AuthnAuthorityDescriptor)::size_type i = 0; i < authn.size(); ) { + try { + verifySignature(authn[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AuthnAuthorityDescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + authn.erase(authn.begin() + i); + } + } + + VectorOf(AttributeAuthorityDescriptor) aa = entity.getAttributeAuthorityDescriptors(); + for (VectorOf(AttributeAuthorityDescriptor)::size_type i = 0; i < aa.size(); ) { + try { + verifySignature(aa[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AttributeAuthorityDescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + aa.erase(aa.begin() + i); + } + } + + VectorOf(PDPDescriptor) pdp = entity.getPDPDescriptors(); + for (VectorOf(AuthnAuthorityDescriptor)::size_type i = 0; i < pdp.size(); ) { + try { + verifySignature(pdp[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out PDPDescriptor for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + pdp.erase(pdp.begin() + i); + } + } + + VectorOf(AuthnQueryDescriptorType) authnq = entity.getAuthnQueryDescriptorTypes(); + for (VectorOf(AuthnQueryDescriptorType)::size_type i = 0; i < authnq.size(); ) { + try { + verifySignature(authnq[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AuthnQueryDescriptorType for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + authnq.erase(authnq.begin() + i); + } + } + + VectorOf(AttributeQueryDescriptorType) attrq = entity.getAttributeQueryDescriptorTypes(); + for (VectorOf(AttributeQueryDescriptorType)::size_type i = 0; i < attrq.size(); ) { + try { + verifySignature(attrq[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AttributeQueryDescriptorType for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + attrq.erase(attrq.begin() + i); + } + } + + VectorOf(AuthzDecisionQueryDescriptorType) authzq = entity.getAuthzDecisionQueryDescriptorTypes(); + for (VectorOf(AuthzDecisionQueryDescriptorType)::size_type i = 0; i < authzq.size(); ) { + try { + verifySignature(authzq[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out AuthzDecisionQueryDescriptorType for entity (%s) after failed signature check: %s", id.get(), e.what() + ); + authzq.erase(authzq.begin() + i); + } + } + + VectorOf(RoleDescriptor) v = entity.getRoleDescriptors(); + for (VectorOf(RoleDescriptor)::size_type i = 0; i < v.size(); ) { + try { + verifySignature(v[i]->getSignature(), entity.getEntityID()); + i++; + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn( + "filtering out role (%s) for entity (%s) after failed signature check: %s", + v[i]->getElementQName().toString().c_str(), id.get(), e.what() + ); + v.erase(v.begin() + i); + } + } + + if (entity.getAffiliationDescriptor()) { + try { + verifySignature(entity.getAffiliationDescriptor()->getSignature(), entity.getEntityID()); + } + catch (exception& e) { + auto_ptr_char id(entity.getEntityID()); + m_log.warn("filtering out affiliation from entity (%s) after failed signature check: %s", id.get(), e.what()); + entity.setAffiliationDescriptor(nullptr); + } + } +} + void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerName) const { if (!sig) @@ -203,13 +364,13 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN CredentialCriteria cc; cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(*sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); - if (peerName) { - auto_ptr_char pname(peerName); - cc.setPeerName(pname.get()); - } - if (m_credResolver) { - Locker locker(m_credResolver); + if (m_credResolver.get()) { + if (peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } + Locker locker(m_credResolver.get()); vector creds; if (m_credResolver->resolve(creds,&cc)) { SignatureValidator sigValidator; @@ -222,15 +383,18 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN catch (exception&) { } } - throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); + throw MetadataFilterException("Unable to verify signature with supplied key(s)."); } else { - throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); + throw MetadataFilterException("CredentialResolver did not supply any candidate keys."); } } - else if (m_trust) { - DummyCredentialResolver dummy; - if (m_trust->validate(*sig, dummy, &cc)) + else if (m_trust.get()) { + if (m_verifyName && peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } + if (m_trust->validate(*sig, *m_dummyResolver, &cc)) return; throw MetadataFilterException("TrustEngine unable to verify signature."); }