X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-opensaml.git;a=blobdiff_plain;f=samlsign%2Fsamlsign.cpp;h=a86fdeb5d3366069e15b4ab03ad4c3111ce087de;hp=d20f2562eed6a3c6a42a32de2bd7fb2a54c6e2ee;hb=HEAD;hpb=3bcd7ae2e728772e0ecaa47b083efcb15d9912a8
diff --git a/samlsign/samlsign.cpp b/samlsign/samlsign.cpp
index d20f256..a86fdeb 100644
--- a/samlsign/samlsign.cpp
+++ b/samlsign/samlsign.cpp
@@ -1,26 +1,28 @@ -/* - * Copyright 2001-2007 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. * - * http://www.apache.org/licenses/LICENSE-2.0 + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ -/* siterefresh.cpp - command-line tool to refresh and verify metadata - - Scott Cantor - 5/12/03 - - $Id:siterefresh.cpp 2252 2007-05-20 20:20:57Z cantor $ -*/ +/** + * samlsign.cpp + * + * Command-line tool to sign and verify objects. + */ #if defined (_MSC_VER) || defined(__BORLANDC__) # include "config_win32.h" @@ -37,18 +39,20 @@ #include #include #include +#include #include #include #include #include +#include #include #include #include +#include #include #include #include -#include #include #include 
@@ -67,9 +71,9 @@ template T* buildPlugin(const char* path, PluginManager janitor(doc); - + static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e); - auto_ptr_char type(doc->getDocumentElement()->getAttributeNS(NULL,_type)); + auto_ptr_char type(doc->getDocumentElement()->getAttributeNS(nullptr,_type)); if (type.get() && *type.get()) return mgr.newPlugin(type.get(), doc->getDocumentElement()); throw XMLToolingException("Missing type in plugin configuration."); @@ -83,14 +87,14 @@ CredentialResolver* buildSimpleResolver(const char* key, const char* cert) DOMDocument* doc = XMLToolingConfig::getConfig().getParser().newDocument(); XercesJanitor janitor(doc); - DOMElement* root = doc->createElementNS(NULL, _CredentialResolver); + DOMElement* root = doc->createElementNS(nullptr, _CredentialResolver); if (key) { auto_ptr_XMLCh widenit(key); - root->setAttributeNS(NULL, _key, widenit.get()); + root->setAttributeNS(nullptr, _key, widenit.get()); } if (cert) { auto_ptr_XMLCh widenit(cert); - root->setAttributeNS(NULL, _certificate, widenit.get()); + root->setAttributeNS(nullptr, _certificate, widenit.get()); } return XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, root); 
@@ -101,34 +105,36 @@ class DummyCredentialResolver : public CredentialResolver public: DummyCredentialResolver() {} ~DummyCredentialResolver() {} - + Lockable* lock() {return this;} void unlock() {} - - const Credential* resolve(const CredentialCriteria* criteria=NULL) const {return NULL;} + + const Credential* resolve(const CredentialCriteria* criteria=nullptr) const {return nullptr;} vector::size_type resolve( - vector& results, const CredentialCriteria* criteria=NULL + vector& results, const CredentialCriteria* criteria=nullptr ) const {return 0;} }; int main(int argc,char* argv[]) { - bool verify=true; - char* url_param=NULL; - char* path_param=NULL; - char* key_param=NULL; - char* cert_param=NULL; - char* cr_param=NULL; - char* t_param=NULL; - char* id_param=NULL; + bool verify=true,validate=false; + char* url_param=nullptr; + char* path_param=nullptr; + char* key_param=nullptr; + char* cert_param=nullptr; + char* cr_param=nullptr; + char* t_param=nullptr; + char* id_param=nullptr; + char* alg_param=nullptr; + char* dig_param=nullptr; // metadata lookup options - char* m_param=NULL; - char* issuer=NULL; - char* prot = NULL; - const XMLCh* protocol = NULL; - char* rname = NULL; - char* rns = NULL; + char* m_param=nullptr; + char* issuer=nullptr; + char* prot = nullptr; + const XMLCh* protocol = nullptr; + const char* rname = nullptr; + char* rns = nullptr; for (int i=1; i jan(doc); auto_ptr sourcewrapper(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); 
@@ -240,13 +264,13 @@ int main(int argc,char* argv[]) if (cert_param || cr_param) { // Build a resolver to supply trusted credentials. auto_ptr cr( - cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(NULL, cert_param) + cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(nullptr, cert_param) ); Locker locker(cr.get()); // Set up criteria. CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY); if (issuer) cc.setPeerName(issuer); @@ -264,7 +288,8 @@ int main(int argc,char* argv[]) good = true; break; } - catch (exception&) { + catch (exception& e) { + log.info("error trying verification key: %s", e.what()); } } if (!good) 
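Review bot: The new `catch (exception& e)` in the second hunk should bind the exception by const reference, `catch (const exception& e) {`, since only `e.what()` is read and that is the convention the rest of the catch chain in this file should follow. Logging every failed candidate key at info level is likely to be noisy when the credential resolver hands back several keys and only one is expected to match (the `good = true; break;` pattern suggests a loop over candidates); a debug-level message per key, with the existing `if (!good)` path reporting the overall failure, would keep the default output useful. The loop this catch belongs to starts before the hunk.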
@@ -279,47 +304,48 @@ int main(int argc,char* argv[]) auto_ptr trust(buildPlugin(t_param, xmlconf.TrustEngineManager)); SignatureTrustEngine* sigtrust = dynamic_cast(trust.get()); if (m_param && rname && issuer) { - if (!protocol) { - if (prot) - protocol = XMLString::transcode(prot); - } - if (!protocol) { - conf.term(); - cerr << "use of metadata option requires a protocol option" << endl; - return -1; - } + if (!protocol) { + if (prot) + protocol = XMLString::transcode(prot); + } + if (!protocol) { + conf.term(); + cerr << "use of metadata option requires a protocol option" << endl; + return -1; + } auto_ptr metadata(buildPlugin(m_param, conf.MetadataProviderManager)); metadata->init(); - + + const XMLCh* ns = rns ? XMLString::transcode(rns) : samlconstants::SAML20MD_NS; + auto_ptr_XMLCh n(rname); + xmltooling::QName q(ns, n.get()); + Locker locker(metadata.get()); - const EntityDescriptor* entity = metadata->getEntityDescriptor(issuer); - if (!entity) - throw MetadataException("no metadata found for ($1)", params(1, issuer)); - const XMLCh* ns = rns ? 
XMLString::transcode(rns) : samlconstants::SAML20MD_NS; - auto_ptr_XMLCh n(rname); - QName q(ns, n.get()); - const RoleDescriptor* role = entity->getRoleDescriptor(q, protocol); - if (!role) - throw MetadataException("compatible role $1 not found for ($2)", params(2, q.toString().c_str(), issuer)); - - MetadataCredentialCriteria mcc(*role); - if (sigtrust->validate(*signable->getSignature(), *metadata.get(), &mcc)) + MetadataProvider::Criteria mc(issuer, &q, protocol); + pair entity = metadata->getEntityDescriptor(mc); + if (!entity.first) + throw MetadataException("no metadata found for ($1)", params(1, issuer)); + else if (!entity.second) + throw MetadataException("compatible role $1 not found for ($2)", params(2, q.toString().c_str(), issuer)); + + MetadataCredentialCriteria mcc(*entity.second); + if (sigtrust->validate(*signable->getSignature(), *metadata.get(), &mcc)) log.info("successful signature verification"); - else - throw SignatureException("Unable to verify signature with TrustEngine and supplied metadata."); + else + throw SignatureException("Unable to verify signature with TrustEngine and supplied metadata."); } else { // Set up criteria. CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY); if (issuer) cc.setPeerName(issuer); DummyCredentialResolver dummy; - if (sigtrust->validate(*signable->getSignature(), dummy, &cc)) + if (sigtrust->validate(*signable->getSignature(), dummy, &cc)) log.info("successful signature verification"); - else - throw SignatureException("Unable to verify signature with TrustEngine (no metadata supplied)."); + else + throw SignatureException("Unable to verify signature with TrustEngine (no metadata supplied)."); } } } 
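Review bot: Both `sigtrust->validate(...)` calls on the new side dereference a pointer that comes from the context line `SignatureTrustEngine* sigtrust = dynamic_cast<...>(trust.get());` with no null check, so a TrustEngine plugin configured with `-t` that is not a SignatureTrustEngine crashes the tool instead of reporting a configuration error; add directly after the cast `if (!sigtrust) throw XMLSecurityException("TrustEngine plugin does not support signature validation.");` (XMLSecurityException is already thrown from main and caught by the `exception&` handler at the bottom). The added `const XMLCh* ns = rns ? XMLString::transcode(rns) : samlconstants::SAML20MD_NS;` and the re-indented `protocol = XMLString::transcode(prot);` both allocate with Xerces and are never handed to `XMLString::release`; harmless for a one-shot CLI, but an `auto_ptr_XMLCh` like the neighbouring `n(rname)` would make the ownership obvious. The `if (t_param)` branch this hunk sits in starts before the hunk.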
@@ -330,7 +356,7 @@ int main(int argc,char* argv[]) ); Locker locker(cr.get()); CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); const Credential* cred = cr->resolve(&cc); if (!cred) throw XMLSecurityException("Unable to resolve a signing credential."); @@ -338,21 +364,24 @@ int main(int argc,char* argv[]) // Attach new signature. Signature* sig = SignatureBuilder::buildSignature(); signable->setSignature(sig); + auto_ptr_XMLCh alg(alg_param); + if (alg.get()) { + sig->setSignatureAlgorithm(alg.get()); + } + auto_ptr_XMLCh dig(dig_param); + if (dig.get()) { + dynamic_cast(sig->getContentReference())->setDigestAlgorithm(dig.get()); + } // Sign response while re-marshalling. vector sigs(1,sig); - XMLHelper::serialize(signable->marshall((DOMDocument*)NULL,&sigs,cred), cout); + XMLHelper::serialize(signable->marshall((DOMDocument*)nullptr,&sigs,cred), cout); } } catch(exception& e) { - log.errorStream() << "caught an exception: " << e.what() << CategoryStream::ENDLINE; + log.errorStream() << "caught an exception: " << e.what() << logging::eol; ret=-10; } - catch(XMLException& e) { - auto_ptr_char temp(e.getMessage()); - log.errorStream() << "caught a Xerces exception: " << temp.get() << CategoryStream::ENDLINE; - ret=-20; - } conf.term(); return ret;
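Review bot: The new digest line `dynamic_cast<...>(sig->getContentReference())->setDigestAlgorithm(dig.get());` dereferences the cast result unchecked, so a content reference of a different concrete type turns the digest option into a null dereference rather than an error; split it into `ContentReference* ref = dynamic_cast<ContentReference*>(sig->getContentReference());` and `if (!ref) throw XMLSecurityException("Unable to set digest algorithm on content reference.");` before the call (the cast's target type is lost in this listing, so keep whatever the original names). Neither `alg_param` nor `dig_param` is checked or even logged before being applied, so the tool signs with whatever URI the operator types, including deprecated SHA-1/MD5 based algorithms; a log line naming the algorithms actually used, or a comment such as `// operator-supplied algorithm URIs are applied verbatim; no weak-algorithm check is done here`, would make that trust boundary explicit. The hunk also drops the `catch(XMLException& e)` handler, and Xerces-C's `XMLException` is not derived from `std::exception`, so unless the xmltooling layer now wraps every parser error a Xerces exception reaching main will terminate the process without `conf.term()` and without the message the old handler logged; if the removal is deliberate, a one-line comment saying why would help the next reader.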