X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=saml%2Fsaml2%2Fmetadata%2Fimpl%2FSignatureMetadataFilter.cpp;h=e87ba5ef72b5c49d104f94a5afc6b414ce4fb0bd;hp=f73692323d8f056a17aee3bf3ea85131fae7d9fa;hb=1462057b3b9ae7e165d34d988e30b14c213672ca;hpb=d32e79ee96d146f3fd1a384ddb1675e048a75f20 diff --git a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp index f736923..e87ba5e 100644 --- a/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp +++ b/saml/saml2/metadata/impl/SignatureMetadataFilter.cpp @@ -1,17 +1,21 @@ -/* - * Copyright 2001-2008 Internet2 +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** @@ -26,10 +30,12 @@ #include "signature/SignatureProfileValidator.h" #include +#include #include #include #include #include +#include #include #include @@ -43,29 +49,11 @@ using namespace std; namespace opensaml { namespace saml2md { - class SAML_DLLLOCAL DummyCredentialResolver : public CredentialResolver - { - public: - DummyCredentialResolver() {} - ~DummyCredentialResolver() {} - - Lockable* lock() {return this;} - void unlock() {} - - const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;} - vector::size_type resolve( - vector& results, const CredentialCriteria* criteria=NULL - ) const {return 0;} - }; - class SAML_DLLLOCAL SignatureMetadataFilter : public MetadataFilter { public: SignatureMetadataFilter(const DOMElement* e); - ~SignatureMetadataFilter() { - delete m_credResolver; - delete m_trust; - } + ~SignatureMetadataFilter() {} const char* getId() const { return SIGNATURE_METADATA_FILTER; } void doFilter(XMLObject& xmlObject) const; @@ -75,9 +63,9 @@ namespace opensaml { void doFilter(EntityDescriptor& entity, bool rootObject=false) const; void verifySignature(Signature* sig, const XMLCh* peerName) const; - bool m_verifyRoles; - CredentialResolver* m_credResolver; - SignatureTrustEngine* m_trust; + bool m_verifyRoles,m_verifyName; + auto_ptr m_credResolver,m_dummyResolver; + auto_ptr m_trust; SignatureProfileValidator m_profileValidator; Category& m_log; }; @@ -97,35 +85,44 @@ static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e); static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h); static const XMLCh verifyRoles[] = UNICODE_LITERAL_11(v,e,r,i,f,y,R,o,l,e,s); +static const XMLCh verifyName[] = UNICODE_LITERAL_10(v,e,r,i,f,y,N,a,m,e); SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) - : m_verifyRoles(false), m_credResolver(NULL), m_trust(NULL), m_log(Category::getInstance(SAML_LOGCAT".MetadataFilter.Signature")) + : m_verifyRoles(XMLHelper::getAttrBool(e, false, verifyRoles)), + m_verifyName(XMLHelper::getAttrBool(e, true, verifyName)), + m_log(Category::getInstance(SAML_LOGCAT ".MetadataFilter.Signature")) { - const XMLCh* flag = e ? e->getAttributeNS(NULL,verifyRoles) : NULL; - m_verifyRoles = (flag && (*flag == chLatin_t || *flag == chDigit_1)); - - if (e && e->hasAttributeNS(NULL,certificate)) { + if (e && e->hasAttributeNS(nullptr,certificate)) { // Use a file-based credential resolver rooted here. - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,e); + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e)); return; } - DOMElement* sub = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; - auto_ptr_char t(sub ? sub->getAttributeNS(NULL,type) : NULL); - if (t.get()) { - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),sub); - return; + DOMElement* sub = XMLHelper::getFirstChildElement(e, _CredentialResolver); + if (sub) { + string t = XMLHelper::getAttrString(sub, nullptr, type); + if (!t.empty()) { + m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), sub)); + return; + } } - sub = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : NULL; - auto_ptr_char t2(sub ? sub->getAttributeNS(NULL,type) : NULL); - if (t2.get()) { - TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t2.get(),sub); - if (!(m_trust = dynamic_cast(trust))) { - delete trust; - throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); + sub = XMLHelper::getFirstChildElement(e, _TrustEngine); + if (sub) { + string t = XMLHelper::getAttrString(sub, nullptr, type); + if (!t.empty()) { + TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), sub); + SignatureTrustEngine* sigTrust = dynamic_cast(trust); + if (!sigTrust) { + delete trust; + throw MetadataFilterException("TrustEngine-based SignatureMetadataFilter requires a SignatureTrustEngine plugin."); + } + m_trust.reset(sigTrust); + m_dummyResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr)); + if (!m_dummyResolver.get()) + throw MetadataFilterException("Error creating dummy CredentialResolver."); + return; } - return; } throw MetadataFilterException("SignatureMetadataFilter configuration requires or element."); @@ -142,7 +139,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const doFilter(entities, true); return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { m_log.warn("filtering out group at root of instance after failed signature check: %s", ex.what()); @@ -154,7 +151,7 @@ void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const doFilter(entity, true); return; } - catch (bad_cast) { + catch (bad_cast&) { } catch (exception& ex) { m_log.warn("filtering out entity at root of instance after failed signature check: %s", ex.what()); @@ -171,8 +168,8 @@ void SignatureMetadataFilter::doFilter(EntitiesDescriptor& entities, bool rootOb throw MetadataFilterException("Root metadata element was unsigned."); verifySignature(sig, entities.getName()); - VectorOf(EntityDescriptor) v=entities.getEntityDescriptors(); - for (VectorOf(EntityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -223,8 +220,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(SPSSODescriptor) sp=entity.getSPSSODescriptors(); - for (VectorOf(SPSSODescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -238,8 +235,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthnAuthorityDescriptor) authn=entity.getAuthnAuthorityDescriptors(); - for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -253,8 +250,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AttributeAuthorityDescriptor) aa=entity.getAttributeAuthorityDescriptors(); - for (VectorOf(AttributeAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -268,8 +265,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(PDPDescriptor) pdp=entity.getPDPDescriptors(); - for (VectorOf(AuthnAuthorityDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -283,8 +280,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthnQueryDescriptorType) authnq=entity.getAuthnQueryDescriptorTypes(); - for (VectorOf(AuthnQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -298,8 +295,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AttributeQueryDescriptorType) attrq=entity.getAttributeQueryDescriptorTypes(); - for (VectorOf(AttributeQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -313,8 +310,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(AuthzDecisionQueryDescriptorType) authzq=entity.getAuthzDecisionQueryDescriptorTypes(); - for (VectorOf(AuthzDecisionQueryDescriptorType)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -328,8 +325,8 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject } } - VectorOf(RoleDescriptor) v=entity.getRoleDescriptors(); - for (VectorOf(RoleDescriptor)::size_type i=0; igetSignature(), entity.getEntityID()); i++; @@ -351,7 +348,7 @@ void SignatureMetadataFilter::doFilter(EntityDescriptor& entity, bool rootObject catch (exception& e) { auto_ptr_char id(entity.getEntityID()); m_log.warn("filtering out affiliation from entity (%s) after failed signature check: %s", id.get(), e.what()); - entity.setAffiliationDescriptor(NULL); + entity.setAffiliationDescriptor(nullptr); } } } @@ -367,13 +364,13 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN CredentialCriteria cc; cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(*sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); - if (peerName) { - auto_ptr_char pname(peerName); - cc.setPeerName(pname.get()); - } - if (m_credResolver) { - Locker locker(m_credResolver); + if (m_credResolver.get()) { + if (peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } + Locker locker(m_credResolver.get()); vector creds; if (m_credResolver->resolve(creds,&cc)) { SignatureValidator sigValidator; @@ -386,15 +383,18 @@ void SignatureMetadataFilter::verifySignature(Signature* sig, const XMLCh* peerN catch (exception&) { } } - throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); + throw MetadataFilterException("Unable to verify signature with supplied key(s)."); } else { - throw MetadataFilterException("CredentialResolver did not supply a successful verification key."); + throw MetadataFilterException("CredentialResolver did not supply any candidate keys."); } } - else if (m_trust) { - DummyCredentialResolver dummy; - if (m_trust->validate(*sig, dummy, &cc)) + else if (m_trust.get()) { + if (m_verifyName && peerName) { + auto_ptr_char pname(peerName); + cc.setPeerName(pname.get()); + } + if (m_trust->validate(*sig, *m_dummyResolver, &cc)) return; throw MetadataFilterException("TrustEngine unable to verify signature."); }