<pathentry excluding="impl/" kind="src" path="saml/saml2/binding"/>\r
<pathentry kind="src" path="saml/saml2/binding/impl"/>\r
<pathentry kind="src" path="saml/encryption"/>\r
-<pathentry excluding="impl/" kind="src" path="saml/security"/>\r
-<pathentry kind="src" path="saml/security/impl"/>\r
<pathentry kind="src" path="saml/signature"/>\r
<pathentry kind="src" path="saml/util"/>\r
<pathentry kind="src" path="samltest/signature"/>\r
AC_CHECK_SIZEOF(time_t)
-# libcurl settings
-AC_PATH_PROG(CURL_CONFIG,curl-config)
-AC_ARG_WITH(curl,
- AC_HELP_STRING([--with-curl=PATH], [where curl-config is installed]),
- [
- CURL_CONFIG="${with_curl}"
- if ! test -f "${CURL_CONFIG}" ; then
- CURL_CONFIG="${with_curl}/bin/curl-config"
- fi
- ])
-if test -f "${CURL_CONFIG}" ; then
- LDFLAGS="`${CURL_CONFIG} --libs` $LDFLAGS"
- CPPFLAGS="`${CURL_CONFIG} --cflags` $CPPFLAGS"
-else
- AC_MSG_ERROR([curl-config not found, may need to use --with-curl option])
-fi
-AC_CHECK_HEADER([curl/curl.h],,AC_MSG_ERROR([unable to find libcurl header files]))
-AC_CHECK_LIB([curl],[curl_global_init],,AC_MSG_ERROR([unable to link with libcurl]))
-AC_MSG_CHECKING([for CURLOPT_SSL_CTX_FUNCTION in curl.h])
-AC_EGREP_HEADER([CURLOPT_SSL_CTX_FUNCTION], [curl/curl.h],
- [AC_MSG_RESULT(yes)],
- [AC_MSG_ERROR([need libcurl that supports CURLOPT_SSL_CTX_FUNCTION])])
-
# zlib settings
AC_ARG_WITH(zlib,
AC_HELP_STRING([--with-zlib=PATH], [where zlib is installed]),
encinclude_HEADERS = \
encryption/EncryptedKeyResolver.h
-secinclude_HEADERS = \
- security/AbstractPKIXTrustEngine.h \
- security/MetadataKeyInfoIterator.h \
- security/ChainingTrustEngine.h \
- security/TrustEngine.h \
- security/X509TrustEngine.h
-
siginclude_HEADERS = \
signature/ContentReference.h \
signature/SignableObject.h \
saml2/metadata/ChainingMetadataProvider.h \
saml2/metadata/Metadata.h \
saml2/metadata/MetadataFilter.h \
+ saml2/metadata/MetadataKeyInfoIterator.h \
saml2/metadata/MetadataProvider.h \
saml2/metadata/ObservableMetadataProvider.h
saml2/binding/impl/SAML2SOAPDecoder.cpp \
saml2/binding/impl/SAML2SOAPEncoder.cpp \
encryption/EncryptedKeyResolver.cpp \
- security/impl/TrustEngine.cpp \
- security/impl/AbstractPKIXTrustEngine.cpp \
- security/impl/ChainingTrustEngine.cpp \
- security/impl/ExplicitKeyTrustEngine.cpp \
signature/ContentReference.cpp \
signature/SignatureProfileValidator.cpp \
util/SAMLConstants.cpp
#include "saml2/core/Protocols.h"
#include "saml2/metadata/Metadata.h"
#include "saml2/metadata/MetadataProvider.h"
-#include "security/TrustEngine.h"
#include "util/SAMLConstants.h"
#include <xmltooling/XMLToolingConfig.h>
saml2md::registerMetadataProviders();
saml2md::registerMetadataFilters();
registerSAMLArtifacts();
- registerTrustEngines();
registerMessageEncoders();
registerMessageDecoders();
registerSecurityPolicyRules();
MessageDecoderManager.deregisterFactories();
MessageEncoderManager.deregisterFactories();
- TrustEngineManager.deregisterFactories();
SecurityPolicyRuleManager.deregisterFactories();
SAMLArtifactManager.deregisterFactories();
MetadataFilterManager.deregisterFactories();
class SAML_API MessageDecoder;
class SAML_API SAMLArtifact;
class SAML_API SecurityPolicyRule;
- class SAML_API TrustEngine;
class SAML_API URLEncoder;
namespace saml2md {
/** Manages factories for SecurityPolicyRule plugins. */
xmltooling::PluginManager<SecurityPolicyRule,const DOMElement*> SecurityPolicyRuleManager;
- /** Manages factories for TrustEngine plugins. */
- xmltooling::PluginManager<TrustEngine,const DOMElement*> TrustEngineManager;
-
/** Manages factories for MetadataProvider plugins. */
xmltooling::PluginManager<saml2md::MetadataProvider,const DOMElement*> MetadataProviderManager;
const xmltooling::XMLObject& message,
const saml2md::MetadataProvider* metadataProvider,
const xmltooling::QName* role,
- const TrustEngine* trustEngine
+ const xmltooling::TrustEngine* trustEngine
) const;
protected:
namespace opensaml {
class SAML_API SAMLArtifact;
- class SAML_API X509TrustEngine;
namespace saml1p {
class SAML_API Response;
};
const xmltooling::XMLObject& message,
const saml2md::MetadataProvider* metadataProvider,
const xmltooling::QName* role,
- const TrustEngine* trustEngine
+ const xmltooling::TrustEngine* trustEngine
) const;
/**
SecurityPolicy(
const saml2md::MetadataProvider* metadataProvider=NULL,
const xmltooling::QName* role=NULL,
- const TrustEngine* trustEngine=NULL
+ const xmltooling::TrustEngine* trustEngine=NULL
) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider),
m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
}
const std::vector<const SecurityPolicyRule*>& rules,
const saml2md::MetadataProvider* metadataProvider=NULL,
const xmltooling::QName* role=NULL,
- const TrustEngine* trustEngine=NULL
+ const xmltooling::TrustEngine* trustEngine=NULL
) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider),
m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) {
}
*
* @return the supplied TrustEngine or NULL
*/
- const TrustEngine* getTrustEngine() const {
+ const xmltooling::TrustEngine* getTrustEngine() const {
return m_trust;
}
*
* @param trust a TrustEngine or NULL
*/
- void setTrustEngine(const TrustEngine* trust) {
+ void setTrustEngine(const xmltooling::TrustEngine* trust) {
m_trust = trust;
}
std::vector<const SecurityPolicyRule*> m_rules;
const saml2md::MetadataProvider* m_metadata;
xmltooling::QName m_role;
- const TrustEngine* m_trust;
+ const xmltooling::TrustEngine* m_trust;
};
};
#include <saml/binding/GenericRequest.h>
#include <xmltooling/XMLObject.h>
+#include <xmltooling/security/TrustEngine.h>
namespace opensaml {
- class SAML_API TrustEngine;
-
namespace saml2 {
class SAML_API Issuer;
};
const xmltooling::XMLObject& message,
const saml2md::MetadataProvider* metadataProvider,
const xmltooling::QName* role,
- const TrustEngine* trustEngine
+ const xmltooling::TrustEngine* trustEngine
) const=0;
};
const xmltooling::XMLObject& message,
const saml2md::MetadataProvider* metadataProvider,
const xmltooling::QName* role,
- const TrustEngine* trustEngine
+ const xmltooling::TrustEngine* trustEngine
) const;
protected:
const xmltooling::XMLObject& message,
const saml2md::MetadataProvider* metadataProvider,
const xmltooling::QName* role,
- const TrustEngine* trustEngine
+ const xmltooling::TrustEngine* trustEngine
) const;
protected:
#include "binding/ClientCertAuthRule.h"
#include "saml2/metadata/Metadata.h"
#include "saml2/metadata/MetadataProvider.h"
-#include "security/X509TrustEngine.h"
+#include <xmltooling/security/X509TrustEngine.h>
#include <xmltooling/util/NDC.h>
#include <xmltooling/util/ReplayCache.h>
#include <log4cpp/Category.hh>
const XMLObject& message,
const MetadataProvider* metadataProvider,
const QName* role,
- const opensaml::TrustEngine* trustEngine
+ const TrustEngine* trustEngine
) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
pair<saml2::Issuer*,const RoleDescriptor*> ret = pair<saml2::Issuer*,const RoleDescriptor*>(NULL,NULL);
- const opensaml::X509TrustEngine* x509trust;
- if (!metadataProvider || !role || !(x509trust=dynamic_cast<const opensaml::X509TrustEngine*>(trustEngine))) {
+ const X509TrustEngine* x509trust;
+ if (!metadataProvider || !role || !(x509trust=dynamic_cast<const X509TrustEngine*>(trustEngine))) {
log.debug("ignoring message, no metadata or X509TrustEngine supplied");
return ret;
}
const XMLObject& message,
const saml2md::MetadataProvider* metadataProvider,
const QName* role,
- const opensaml::TrustEngine* trustEngine
+ const TrustEngine* trustEngine
) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.MessageFlow");
#include "saml2/core/Protocols.h"
#include "saml2/metadata/Metadata.h"
#include "saml2/metadata/MetadataProvider.h"
-#include "security/TrustEngine.h"
#include <log4cpp/Category.hh>
#include <xmltooling/util/NDC.h>
const XMLObject& message,
const MetadataProvider* metadataProvider,
const QName* role,
- const opensaml::TrustEngine* trustEngine
+ const TrustEngine* trustEngine
) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SimpleSigning");
#include "saml2/core/Protocols.h"
#include "saml2/metadata/Metadata.h"
#include "saml2/metadata/MetadataProvider.h"
-#include "security/TrustEngine.h"
+#include "signature/SignatureProfileValidator.h"
#include <xmltooling/util/NDC.h>
#include <xmltooling/util/ReplayCache.h>
const XMLObject& message,
const MetadataProvider* metadataProvider,
const QName* role,
- const opensaml::TrustEngine* trustEngine
+ const TrustEngine* trustEngine
) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.XMLSigning");
return ret;
}
+ log.debug("validating signature profile");
+ try {
+ SignatureProfileValidator sigval;
+ sigval.validate(signable->getSignature());
+ }
+ catch (ValidationException& ve) {
+ log.error("signature profile failed to validate: %s", ve.what());
+ return ret;
+ }
+
+
log.debug("extracting issuer from message");
pair<saml2::Issuer*,const XMLCh*> issuerInfo = getIssuerAndProtocol(message);
</File>\r
</Filter>\r
<Filter\r
- Name="security"\r
- >\r
- <Filter\r
- Name="impl"\r
- >\r
- <File\r
- RelativePath=".\security\impl\AbstractPKIXTrustEngine.cpp"\r
- >\r
- </File>\r
- <File\r
- RelativePath=".\security\impl\ChainingTrustEngine.cpp"\r
- >\r
- </File>\r
- <File\r
- RelativePath=".\security\impl\ExplicitKeyTrustEngine.cpp"\r
- >\r
- </File>\r
- <File\r
- RelativePath=".\security\impl\TrustEngine.cpp"\r
- >\r
- </File>\r
- </Filter>\r
- </Filter>\r
- <Filter\r
Name="binding"\r
>\r
<Filter\r
>\r
</File>\r
<File\r
+ RelativePath=".\security\MetadataKeyInfoIterator.h"\r
+ >\r
+ </File>\r
+ <File\r
RelativePath=".\saml2\metadata\MetadataProvider.h"\r
>\r
</File>\r
</File>\r
</Filter>\r
<Filter\r
- Name="security"\r
- >\r
- <File\r
- RelativePath=".\security\AbstractPKIXTrustEngine.h"\r
- >\r
- </File>\r
- <File\r
- RelativePath=".\security\ChainingTrustEngine.h"\r
- >\r
- </File>\r
- <File\r
- RelativePath=".\security\MetadataKeyInfoIterator.h"\r
- >\r
- </File>\r
- <File\r
- RelativePath=".\security\TrustEngine.h"\r
- >\r
- </File>\r
- <File\r
- RelativePath=".\security\X509TrustEngine.h"\r
- >\r
- </File>\r
- </Filter>\r
- <Filter\r
Name="binding"\r
>\r
<File\r
#define __saml2_metadata_h__
#include <saml/saml2/core/Assertions.h>
+
#include <ctime>
+#include <xmltooling/security/KeyInfoSource.h>
#define DECL_SAML2MDOBJECTBUILDER(cname) \
DECL_XMLOBJECTBUILDER(SAML_API,cname,samlconstants::SAML20MD_NS,samlconstants::SAML20MD_PREFIX)
static const XMLCh KEYTYPE_SIGNING[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT4(SAML_API,RoleDescriptor,xmltooling::AttributeExtensibleXMLObject,SignableObject,
- CacheableSAMLObject,TimeBoundSAMLObject,SAML 2.0 RoleDescriptor abstract element);
+ BEGIN_XMLOBJECT5(SAML_API,RoleDescriptor,xmltooling::AttributeExtensibleXMLObject,SignableObject,
+ CacheableSAMLObject,TimeBoundSAMLObject,xmltooling::KeyInfoSource,
+ SAML 2.0 RoleDescriptor abstract element);
DECL_STRING_ATTRIB(ID,ID);
DECL_STRING_ATTRIB(ProtocolSupportEnumeration,PROTOCOLSUPPORTENUMERATION);
/** Searches the ProtocolSupportEnumeration attribute for the indicated protocol. */
--- /dev/null
+/*
+ * Copyright 2001-2006 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * MetadataKeyInfoIterator.h
+ *
+ * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface.
+ */
+
+#ifndef __saml_keyiter_h__
+#define __saml_keyiter_h__
+
+#include <saml/saml2/metadata/Metadata.h>
+
+namespace opensaml {
+ namespace saml2md {
+
+ /**
+ * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface.
+ */
+ class SAML_API MetadataKeyInfoIterator : public xmltooling::KeyInfoIterator
+ {
+ const std::vector<KeyDescriptor*>& m_keys;
+ std::vector<KeyDescriptor*>::const_iterator m_iter;
+
+ void advance() {
+ while (hasNext()) {
+ const XMLCh* use=(*m_iter)->getUse();
+ if ((!use || !*use || XMLString::equals(use,KeyDescriptor::KEYTYPE_SIGNING)) && (*m_iter)->getKeyInfo())
+ return;
+ m_iter++;
+ }
+ }
+
+ public:
+ MetadataKeyInfoIterator(const RoleDescriptor& role) : m_keys(role.getKeyDescriptors()) {
+ m_iter=m_keys.begin();
+ advance();
+ }
+
+ virtual ~MetadataKeyInfoIterator() {}
+
+ /**
+ * Indicates whether additional KeyInfo objects are available.
+ *
+ * @return true iff another KeyInfo object can be fetched
+ */
+ virtual bool hasNext() const {
+ return m_iter!=m_keys.end();
+ }
+
+ /**
+ * Returns the next KeyInfo object available.
+ *
+ * @return the next KeyInfo object, or NULL if none are left
+ */
+ virtual const xmlsignature::KeyInfo* next() {
+ xmlsignature::KeyInfo* ret = (*m_iter)->getKeyInfo();
+ m_iter++;
+ advance();
+ return ret;
+ }
+ };
+ };
+};
+
+#endif /* __saml_keyiter_h__ */
#include "internal.h"
#include "exceptions.h"
#include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataKeyInfoIterator.h"
#include <xmltooling/AbstractComplexElement.h>
#include <xmltooling/AbstractElementProxy.h>
m_Signature->setContentReference(new opensaml::ContentReference(*this));
}
+ KeyInfoIterator* getKeyInfoIterator() const {
+ return new MetadataKeyInfoIterator(*this);
+ }
+
+ std::string getName() const {
+ const EntityDescriptor* parent = dynamic_cast<const EntityDescriptor*>(getParent());
+ if (parent) {
+ char* ch = toUTF8(parent->getEntityID());
+ if (ch) {
+ string s(ch);
+ delete[] ch;
+ return s;
+ }
+ }
+ return "";
+ }
+
IMPL_ID_ATTRIB(ID);
IMPL_STRING_ATTRIB(ProtocolSupportEnumeration);
IMPL_STRING_ATTRIB(ErrorURL);
+++ /dev/null
-/*
- * Copyright 2001-2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * @file saml/security/AbstractPKIXTrustEngine.h
- *
- * A trust engine that uses X.509 trust anchors and CRLs associated with a role
- * to perform PKIX validation of signatures and certificates.
- */
-
-#ifndef __saml_pkixtrust_h__
-#define __saml_pkixtrust_h__
-
-#include <saml/security/X509TrustEngine.h>
-#include <xmltooling/security/XSECCryptoX509CRL.h>
-
-namespace opensaml {
-
- /**
- * A trust engine that uses X.509 trust anchors and CRLs associated with a role
- * to perform PKIX validation of signatures and certificates.
- */
- class SAML_API AbstractPKIXTrustEngine : public X509TrustEngine
- {
- protected:
- /**
- * Constructor.
- *
- * If a DOM is supplied, the following XML content is supported:
- *
- * <ul>
- * <li><KeyResolver> elements with a type attribute
- * </ul>
- *
- * XML namespaces are ignored in the processing of this content.
- *
- * @param e DOM to supply configuration for provider
- */
- AbstractPKIXTrustEngine(const DOMElement* e=NULL);
-
- /**
- * Checks that either the ID for the entity with the given role or the key names
- * for the given role match the subject or subject alternate names
- * of the entity's certificate.
- *
- * @param certEE the credential for the entity to validate
- * @param role the descriptor of the role the entity is supposed to be acting in
- *
- * @return true the name check succeeds, false if not
- */
- bool checkEntityNames(XSECCryptoX509* certEE, const saml2md::RoleDescriptor& role) const;
-
- /** An inline KeyResolver for extracting certificates out of a signature. */
- xmlsignature::KeyResolver* m_inlineResolver;
-
- public:
- virtual ~AbstractPKIXTrustEngine();
-
- virtual bool validate(
- xmlsignature::Signature& sig,
- const saml2md::RoleDescriptor& role,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const;
-
- virtual bool validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- xmlsignature::KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const saml2md::RoleDescriptor& role,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const;
-
- virtual bool validate(
- XSECCryptoX509* certEE,
- const std::vector<XSECCryptoX509*>& certChain,
- const saml2md::RoleDescriptor& role,
- bool checkName=true,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const;
-
- /**
- * Stateful interface that supplies PKIX validation data to the trust engine.
- * Applications can adapt this TrustEngine to their environment by returning
- * implementations of this interface from the getPKIXValidationInfoIterator
- * method.
- */
- class SAML_API PKIXValidationInfoIterator {
- MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
- protected:
- PKIXValidationInfoIterator() {}
- public:
- virtual ~PKIXValidationInfoIterator() {}
-
- /**
- * Advances to the next set of information, if any.
- *
- * @return true iff another set of information is available
- */
- virtual bool next()=0;
-
- /**
- * Returns the allowable trust chain verification depth for the
- * validation data in the current position.
- *
- * @return allowable trust chain verification depth
- */
- virtual int getVerificationDepth() const=0;
-
- /**
- * Returns the set of trust anchors for the validation data in the
- * current position. Keeping the certificates beyond the lifetime
- * of the iterator or after advancing to the next position requires
- * copying them.
- *
- * @return set of trust anchors
- */
- virtual const std::vector<XSECCryptoX509*>& getTrustAnchors() const=0;
-
- /**
- * Returns the set of CRLs for the validation data in the
- * current position. Keeping the CRLs beyond the lifetime
- * of the iterator or after advancing to the next position requires
- * copying them.
- *
- * @return set of CRLs
- */
- virtual const std::vector<xmltooling::XSECCryptoX509CRL*>& getCRLs() const=0;
- };
-
- /**
- * Provides access to the information necessary, for the given role, for
- * PKIX validation of credentials. Each set of validation information returned
- * will be tried, in turn, until one succeeds or no more remain.
- * The caller must free the returned interface when finished with it.
- *
- * @return interface for obtaining validation data
- */
- virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const saml2md::RoleDescriptor& role) const=0;
- };
-};
-
-#endif /* __saml_pkixtrust_h__ */
+++ /dev/null
-/*
- * Copyright 2001-2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * @file saml/security/ChainingTrustEngine.h
- *
- * X509TrustEngine that uses multiple engines in sequence.
- */
-
-#ifndef __saml_chaintrust_h__
-#define __saml_chaintrust_h__
-
-#include <saml/security/X509TrustEngine.h>
-
-namespace opensaml {
-
- /**
- * X509TrustEngine that uses multiple engines in sequence.
- */
- class SAML_API ChainingTrustEngine : public X509TrustEngine {
- public:
- /**
- * Constructor.
- *
- * If a DOM is supplied, the following XML content is supported:
- *
- * <ul>
- * <li><TrustEngine> elements with a type attribute
- * </ul>
- *
- * XML namespaces are ignored in the processing of this content.
- *
- * @param e DOM to supply configuration for provider
- */
- ChainingTrustEngine(const DOMElement* e=NULL);
-
- /**
- * Destructor will delete any embedded engines.
- */
- virtual ~ChainingTrustEngine();
-
- /**
- * Adds a trust engine for future calls.
- *
- * @param newEngine trust engine to add
- */
- void addTrustEngine(X509TrustEngine* newEngine) {
- m_engines.push_back(newEngine);
- }
-
- /**
- * Removes a trust engine. The caller must delete the engine if necessary.
- *
- * @param oldEngine trust engine to remove
- * @return the old engine
- */
- X509TrustEngine* removeTrustEngine(X509TrustEngine* oldEngine) {
- for (std::vector<X509TrustEngine*>::iterator i=m_engines.begin(); i!=m_engines.end(); i++) {
- if (oldEngine==(*i)) {
- m_engines.erase(i);
- return oldEngine;
- }
- }
- return NULL;
- }
-
- virtual bool validate(
- xmlsignature::Signature& sig,
- const saml2md::RoleDescriptor& role,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const;
- virtual bool validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- xmlsignature::KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const saml2md::RoleDescriptor& role,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const;
- virtual bool validate(
- XSECCryptoX509* certEE,
- const std::vector<XSECCryptoX509*>& certChain,
- const saml2md::RoleDescriptor& role,
- bool checkName=true,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const;
-
- private:
- std::vector<X509TrustEngine*> m_engines;
- };
-
-};
-
-#endif /* __saml_chaintrust_h__ */
+++ /dev/null
-/*
- * Copyright 2001-2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * MetadataKeyInfoIterator.h
- *
- * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface.
- */
-
-#ifndef __saml_keyiter_h__
-#define __saml_keyiter_h__
-
-#include <saml/saml2/metadata/Metadata.h>
-
-#include <xmltooling/security/TrustEngine.h>
-
-namespace opensaml {
-
- /**
- * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface.
- */
- class SAML_API MetadataKeyInfoIterator : public xmltooling::TrustEngine::KeyInfoIterator
- {
- const std::vector<saml2md::KeyDescriptor*>& m_keys;
- std::vector<saml2md::KeyDescriptor*>::const_iterator m_iter;
-
- void advance() {
- while (hasNext()) {
- const XMLCh* use=(*m_iter)->getUse();
- if ((!use || !*use || XMLString::equals(use,saml2md::KeyDescriptor::KEYTYPE_SIGNING)) && (*m_iter)->getKeyInfo())
- return;
- m_iter++;
- }
- }
-
- public:
- MetadataKeyInfoIterator(const saml2md::RoleDescriptor& role) : m_keys(role.getKeyDescriptors()) {
- m_iter=m_keys.begin();
- advance();
- }
-
- virtual ~MetadataKeyInfoIterator() {}
-
- /**
- * Indicates whether additional KeyInfo objects are available.
- *
- * @return true iff another KeyInfo object can be fetched
- */
- virtual bool hasNext() const {
- return m_iter!=m_keys.end();
- }
-
- /**
- * Returns the next KeyInfo object available.
- *
- * @return the next KeyInfo object, or NULL if none are left
- */
- virtual const xmlsignature::KeyInfo* next() {
- xmlsignature::KeyInfo* ret = (*m_iter)->getKeyInfo();
- m_iter++;
- advance();
- return ret;
- }
- };
-};
-
-#endif /* __saml_keyiter_h__ */
+++ /dev/null
-/*
- * Copyright 2001-2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * @file saml/security/TrustEngine.h
- *
- * SAML-specific TrustEngine API
- */
-
-#ifndef __saml_trust_h__
-#define __saml_trust_h__
-
-#include <saml/base.h>
-#include <saml/saml2/metadata/Metadata.h>
-#include <xmltooling/signature/KeyResolver.h>
-
-namespace opensaml {
-
- /**
- * Adapts SAML metadata as a source of KeyInfo for a TrustEngine
- * and adds SAML-specific signature validation.
- */
- class SAML_API TrustEngine {
- MAKE_NONCOPYABLE(TrustEngine);
- protected:
- /**
- * Constructor.
- *
- * If a DOM is supplied, the following XML content is supported:
- *
- * <ul>
- * <li><KeyResolver> elements with a type attribute
- * </ul>
- *
- * XML namespaces are ignored in the processing of this content.
- *
- * @param e DOM to supply configuration for provider
- */
- TrustEngine(const DOMElement* e=NULL) {}
-
- public:
- virtual ~TrustEngine() {}
-
- /**
- * Determines whether a signed SAML object is correct and valid with respect
- * to the information known about the issuer.
- *
- * A custom KeyResolver can be supplied from outside the TrustEngine.
- * Alternatively, one may be specified to the plugin constructor.
- * A non-caching, inline resolver will be used as a fallback.
- *
- * @param sig reference to a signature object to validate
- * @param role metadata role supplying key information
- * @param keyResolver optional externally supplied KeyResolver, or NULL
- * @return true iff the signature validates
- */
- virtual bool validate(
- xmlsignature::Signature& sig,
- const saml2md::RoleDescriptor& role,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const=0;
-
- /**
- * Determines whether a raw signature is correct and valid with respect to
- * the information known about the signer.
- *
- * <p>A custom KeyResolver can be supplied from outside the TrustEngine.
- * Alternatively, one may be specified to the plugin constructor.
- * A non-caching, inline resolver will be used as a fallback.
- *
- * @param sigAlgorithm XML Signature identifier for the algorithm used
- * @param sig null-terminated base64-encoded signature value
- * @param keyInfo KeyInfo object accompanying the signature, if any
- * @param in the input data over which the signature was created
- * @param in_len size of input data in bytes
- * @param role metadata role supplying key information
- * @param keyResolver optional externally supplied KeyResolver, or NULL
- * @return true iff the signature validates
- */
- virtual bool validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- xmlsignature::KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const saml2md::RoleDescriptor& role,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const=0;
- };
-
-
- /**
- * Registers TrustEngine classes into the runtime.
- */
- void SAML_API registerTrustEngines();
-
- /** TrustEngine based on explicit key information resolved from metadata. */
- #define EXPLICIT_KEY_SAMLTRUSTENGINE "org.opensaml.security.ExplicitKeyTrustEngine"
-
- /** TrustEngine that tries multiple engines in sequence. */
- #define CHAINING_SAMLTRUSTENGINE "org.opensaml.security.ChainingTrustEngine"
-};
-
-#endif /* __saml_trust_h__ */
+++ /dev/null
-/*
- * Copyright 2001-2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * @file saml/security/X509TrustEngine.h
- *
- * Extended TrustEngine interface that adds validation of X.509 credentials.
- */
-
-#ifndef __saml_x509trust_h__
-#define __saml_x509trust_h__
-
-#include <saml/security/TrustEngine.h>
-
-namespace opensaml {
-
- /**
- * Extended TrustEngine interface that adds validation of X.509 credentials.
- */
- class SAML_API X509TrustEngine : public TrustEngine {
- protected:
- /**
- * Constructor.
- *
- * If a DOM is supplied, the following XML content is supported:
- *
- * <ul>
- * <li><KeyResolver> elements with a type attribute
- * </ul>
- *
- * XML namespaces are ignored in the processing of this content.
- *
- * @param e DOM to supply configuration for provider
- */
- X509TrustEngine(const DOMElement* e=NULL) : TrustEngine(e) {}
-
- public:
- virtual ~X509TrustEngine() {}
-
- /**
- * Determines whether an X.509 credential is valid with respect
- * to the information known about the peer.
- *
- * A custom KeyResolver can be supplied from outside the TrustEngine.
- * Alternatively, one may be specified to the plugin constructor.
- * A non-caching, inline resolver will be used as a fallback.
- *
- * @param certEE end-entity certificate to validate
- * @param certChain the complete set of certificates presented for validation (includes certEE)
- * @param role metadata role supplying key information
- * @param checkName true iff certificate subject/name checking has <b>NOT</b> already occurred
- * @param keyResolver optional externally supplied KeyResolver, or NULL
- */
- virtual bool validate(
- XSECCryptoX509* certEE,
- const std::vector<XSECCryptoX509*>& certChain,
- const saml2md::RoleDescriptor& role,
- bool checkName=true,
- const xmlsignature::KeyResolver* keyResolver=NULL
- ) const=0;
- };
-
-};
-
-#endif /* __saml_x509trust_h__ */
+++ /dev/null
-/*
- * Copyright 2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * AbstractPKIXTrustEngine.cpp
- *
- * A trust engine that uses X.509 trust anchors and CRLs associated with a role
- * to perform PKIX validation of signatures and certificates.
- */
-
-#include "internal.h"
-#include "security/AbstractPKIXTrustEngine.h"
-#include "signature/SignatureProfileValidator.h"
-
-#include <openssl/x509_vfy.h>
-#include <openssl/x509v3.h>
-#include <xmltooling/security/OpenSSLCryptoX509CRL.h>
-#include <xmltooling/signature/SignatureValidator.h>
-#include <xmltooling/util/NDC.h>
-#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
-#include <log4cpp/Category.hh>
-
-using namespace opensaml::saml2md;
-using namespace opensaml;
-using namespace xmlsignature;
-using namespace xmltooling;
-using namespace log4cpp;
-using namespace std;
-
-AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const DOMElement* e) : X509TrustEngine(e), m_inlineResolver(NULL)
-{
- m_inlineResolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(INLINE_KEY_RESOLVER,NULL);
-}
-
-AbstractPKIXTrustEngine::~AbstractPKIXTrustEngine()
-{
- delete m_inlineResolver;
-}
-
-namespace {
- static int SAML_DLLLOCAL error_callback(int ok, X509_STORE_CTX* ctx)
- {
- if (!ok)
- Category::getInstance("OpenSSL").error("path validation failure: %s", X509_verify_cert_error_string(ctx->error));
- return ok;
- }
-
- static bool SAML_DLLLOCAL validate(
- X509* EE, STACK_OF(X509)* untrusted, AbstractPKIXTrustEngine::PKIXValidationInfoIterator* pkixInfo
- )
- {
- Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine");
-
- // First we build a stack of CA certs. These objects are all referenced in place.
- log.debug("building CA list from PKIX Validation information");
-
- // We need this for CRL support.
- X509_STORE* store=X509_STORE_new();
- if (!store) {
- log_openssl();
- return false;
- }
- #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK_ALL);
- #endif
-
- STACK_OF(X509)* CAstack = sk_X509_new_null();
-
- // This contains the state of the validate operation.
- X509_STORE_CTX ctx;
-
- const vector<XSECCryptoX509*>& CAcerts = pkixInfo->getTrustAnchors();
- for (vector<XSECCryptoX509*>::const_iterator i=CAcerts.begin(); i!=CAcerts.end(); ++i) {
- if ((*i)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) {
- sk_X509_push(CAstack,static_cast<OpenSSLCryptoX509*>(*i)->getOpenSSLX509());
- }
- }
-
- const vector<XSECCryptoX509CRL*>& crls = pkixInfo->getCRLs();
- for (vector<XSECCryptoX509CRL*>::const_iterator j=crls.begin(); j!=crls.end(); ++j) {
- if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) {
- // owned by store
- X509_STORE_add_crl(
- store,
- X509_CRL_dup(static_cast<OpenSSLCryptoX509CRL*>(*j)->getOpenSSLX509CRL())
- );
- }
- }
-
- // AFAICT, EE and untrusted are passed in but not owned by the ctx.
- #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- if (X509_STORE_CTX_init(&ctx,store,EE,untrusted)!=1) {
- log_openssl();
- log.error("unable to initialize X509_STORE_CTX");
- sk_X509_free(CAstack);
- X509_STORE_free(store);
- return false;
- }
- #else
- X509_STORE_CTX_init(&ctx,store,EE,untrusted);
- #endif
-
- // Seems to be most efficient to just pass in the CA stack.
- X509_STORE_CTX_trusted_stack(&ctx,CAstack);
- X509_STORE_CTX_set_depth(&ctx,100); // we check the depth down below
- X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
-
- int ret=X509_verify_cert(&ctx);
- if (ret==1) {
- // Now see if the depth was acceptable by counting the number of intermediates.
- int depth=sk_X509_num(ctx.chain)-2;
- if (pkixInfo->getVerificationDepth() < depth) {
- log.error(
- "certificate chain was too long (%d intermediates, only %d allowed)",
- (depth==-1) ? 0 : depth,
- pkixInfo->getVerificationDepth()
- );
- ret=0;
- }
- }
-
- // Clean up...
- X509_STORE_CTX_cleanup(&ctx);
- X509_STORE_free(store);
- sk_X509_free(CAstack);
-
- if (ret==1) {
- log.info("successfully validated certificate chain");
- return true;
- }
-
- return false;
- }
-};
-
-bool AbstractPKIXTrustEngine::checkEntityNames(XSECCryptoX509* certEE, const RoleDescriptor& role) const
-{
- Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine");
-
- // Build a list of acceptable names. Transcode the possible key "names" to UTF-8.
- // For some simple cases, this should handle UTF-8 encoded DNs in certificates.
- vector<string> keynames;
- const vector<KeyDescriptor*>& keydescs=role.getKeyDescriptors();
- for (vector<KeyDescriptor*>::const_iterator kd_i=keydescs.begin(); kd_i!=keydescs.end(); ++kd_i) {
- const XMLCh* use=(*kd_i)->getUse();
- const KeyInfo* keyInfo = (*kd_i)->getKeyInfo();
- if (keyInfo && use && XMLString::equals(use,KeyDescriptor::KEYTYPE_ENCRYPTION))
- continue;
- const vector<KeyName*>& knames=keyInfo->getKeyNames();
- for (vector<KeyName*>::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) {
- const XMLCh* n=(*kn_i)->getName();
- if (n && *n) {
- char* kn=toUTF8(n);
- keynames.push_back(kn);
- delete[] kn;
- }
- }
- }
-
- EntityDescriptor* parent=dynamic_cast<EntityDescriptor*>(role.getParent());
- if (parent) {
- const XMLCh* eid=parent->getEntityID();
- if (eid && *eid) {
- char* kn=toUTF8(eid);
- keynames.push_back(kn);
- delete[] kn;
- }
- }
-
- char buf[256];
- X509* x=static_cast<OpenSSLCryptoX509*>(certEE)->getOpenSSLX509();
- X509_NAME* subject=X509_get_subject_name(x);
- if (subject) {
- // One way is a direct match to the subject DN.
- // Seems that the way to do the compare is to write the X509_NAME into a BIO.
- BIO* b = BIO_new(BIO_s_mem());
- BIO* b2 = BIO_new(BIO_s_mem());
- BIO_set_mem_eof_return(b, 0);
- BIO_set_mem_eof_return(b2, 0);
- // The flags give us LDAP order instead of X.500, with a comma separator.
- int len=X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
- string subjectstr,subjectstr2;
- BIO_flush(b);
- while ((len = BIO_read(b, buf, 255)) > 0) {
- buf[len] = '\0';
- subjectstr+=buf;
- }
- log.infoStream() << "certificate subject: " << subjectstr << CategoryStream::ENDLINE;
- // The flags give us LDAP order instead of X.500, with a comma plus space separator.
- len=X509_NAME_print_ex(b2,subject,0,XN_FLAG_RFC2253 + XN_FLAG_SEP_CPLUS_SPC - XN_FLAG_SEP_COMMA_PLUS);
- BIO_flush(b2);
- while ((len = BIO_read(b2, buf, 255)) > 0) {
- buf[len] = '\0';
- subjectstr2+=buf;
- }
-
- // Check each keyname.
- for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
-#ifdef HAVE_STRCASECMP
- if (!strcasecmp(n->c_str(),subjectstr.c_str()) || !strcasecmp(n->c_str(),subjectstr2.c_str())) {
-#else
- if (!stricmp(n->c_str(),subjectstr.c_str()) || !stricmp(n->c_str(),subjectstr2.c_str())) {
-#endif
- log.info("matched full subject DN to a key name (%s)", n->c_str());
- BIO_free(b);
- BIO_free(b2);
- return true;
- }
- }
- BIO_free(b);
- BIO_free(b2);
-
- log.debug("unable to match DN, trying TLS subjectAltName match");
- STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
- if (altnames) {
- int numalts = sk_GENERAL_NAME_num(altnames);
- for (int an=0; an<numalts; an++) {
- const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
- if (check->type==GEN_DNS || check->type==GEN_URI) {
- const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
- const int altlen = ASN1_STRING_length(check->d.ia5);
-
- for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
-#ifdef HAVE_STRCASECMP
- if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen))
-#else
- if ((check->type==GEN_DNS && !strnicmp(altptr,n->c_str(),altlen))
-#endif
- || (check->type==GEN_URI && !strncmp(altptr,n->c_str(),altlen))) {
- log.info("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
- GENERAL_NAMES_free(altnames);
- return true;
- }
- }
- }
- }
- }
- GENERAL_NAMES_free(altnames);
-
- log.debug("unable to match subjectAltName, trying TLS CN match");
- memset(buf,0,sizeof(buf));
- if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0) {
- for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
-#ifdef HAVE_STRCASECMP
- if (!strcasecmp(buf,n->c_str())) {
-#else
- if (!stricmp(buf,n->c_str())) {
-#endif
- log.info("matched subject CN to a key name (%s)", n->c_str());
- return true;
- }
- }
- }
- else
- log.warn("no common name in certificate subject");
- }
- else
- log.error("certificate has no subject?!");
-
- return false;
-}
-
-bool AbstractPKIXTrustEngine::validate(
- XSECCryptoX509* certEE,
- const vector<XSECCryptoX509*>& certChain,
- const RoleDescriptor& role,
- bool checkName,
- const KeyResolver* keyResolver
- ) const
-{
-#ifdef _DEBUG
- NDC ndc("validate");
-#endif
- Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine");
-
- if (!certEE) {
- log.error("X.509 credential was NULL, unable to perform validation");
- return false;
- }
-
- if (checkName) {
- log.debug("checking that the entity certificate name is acceptable");
- if (!checkEntityNames(certEE,role)) {
- log.error("entity certificate name was not acceptable");
- return false;
- }
- }
-
- log.debug("performing certificate path validation...");
-
- STACK_OF(X509)* untrusted=sk_X509_new_null();
- for (vector<XSECCryptoX509*>::const_iterator i=certChain.begin(); i!=certChain.end(); ++i) {
- sk_X509_push(untrusted,static_cast<OpenSSLCryptoX509*>(*i)->getOpenSSLX509());
- }
-
- auto_ptr<PKIXValidationInfoIterator> pkix(getPKIXValidationInfoIterator(role));
- while (pkix->next()) {
- if (::validate(static_cast<OpenSSLCryptoX509*>(certEE)->getOpenSSLX509(),untrusted,pkix.get())) {
- sk_X509_free(untrusted);
- return true;
- }
- }
-
- sk_X509_free(untrusted);
- log.error("failed to validate certificate chain using supplied PKIX information");
- return false;
-}
-
-bool AbstractPKIXTrustEngine::validate(Signature& sig, const RoleDescriptor& role, const KeyResolver* keyResolver) const
-{
-#ifdef _DEBUG
- NDC ndc("validate");
-#endif
- Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine");
-
- log.debug("attempting to validate signature profile");
- SignatureProfileValidator sigValidator;
- try {
- sigValidator.validate(&sig);
- log.debug("signature profile validated");
- }
- catch (ValidationException& e) {
- if (log.isDebugEnabled()) {
- log.debug("signature profile failed to validate: %s", e.what());
- }
- return false;
- }
-
- // Pull the certificate chain out of the signature using an inline KeyResolver.
- KeyResolver::ResolvedCertificates certs;
- if (0==m_inlineResolver->resolveCertificates(&sig, certs)) {
- log.error("unable to perform PKIX validation, signature does not contain any certificates");
- return false;
- }
-
- log.debug("validating signature using certificate from within the signature");
-
- // Find and save off a pointer to the certificate that unlocks the object.
- // Most of the time, this will be the first one anyway.
- XSECCryptoX509* certEE=NULL;
- SignatureValidator keyValidator;
- for (vector<XSECCryptoX509*>::const_iterator i=certs.v().begin(); !certEE && i!=certs.v().end(); ++i) {
- try {
- keyValidator.setKey((*i)->clonePublicKey());
- keyValidator.validate(&sig);
- log.info("signature verified with key inside signature, attempting certificate validation...");
- certEE=(*i);
- }
- catch (ValidationException&) {
- // trap failures
- }
- }
-
- if (certEE)
- return validate(certEE,certs.v(),role,true,keyResolver);
-
- log.error("failed to verify signature with embedded certificates");
- return false;
-}
-
-bool AbstractPKIXTrustEngine::validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const RoleDescriptor& role,
- const KeyResolver* keyResolver
- ) const
-{
-#ifdef _DEBUG
- NDC ndc("validate");
-#endif
- Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine");
-
- // Pull the certificate chain out of the KeyInfo using an inline KeyResolver.
- KeyResolver::ResolvedCertificates certs;
- if (!keyInfo || 0==m_inlineResolver->resolveCertificates(keyInfo, certs)) {
- log.error("unable to perform PKIX validation, KeyInfo does not contain any certificates");
- return false;
- }
-
- log.debug("validating signature using certificate from within KeyInfo");
-
- // Find and save off a pointer to the certificate that unlocks the object.
- // Most of the time, this will be the first one anyway.
- XSECCryptoX509* certEE=NULL;
- SignatureValidator keyValidator;
- for (vector<XSECCryptoX509*>::const_iterator i=certs.v().begin(); !certEE && i!=certs.v().end(); ++i) {
- try {
- auto_ptr<XSECCryptoKey> key((*i)->clonePublicKey());
- if (Signature::verifyRawSignature(key.get(), sigAlgorithm, sig, in, in_len)) {
- log.info("signature verified with key inside signature, attempting certificate validation...");
- certEE=(*i);
- }
- }
- catch (SignatureException&) {
- // trap failures
- }
- }
-
- if (certEE)
- return validate(certEE,certs.v(),role,true,keyResolver);
-
- log.error("failed to verify signature with embedded certificates");
- return false;
-}
+++ /dev/null
-/*
- * Copyright 2001-2005 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * ChainingTrustEngine.cpp
- *
- * TrustEngine that uses multiple engines in sequence.
- */
-
-#include "internal.h"
-#include "exceptions.h"
-#include "security/ChainingTrustEngine.h"
-
-using namespace opensaml::saml2md;
-using namespace opensaml;
-using namespace xmlsignature;
-using namespace std;
-
-namespace opensaml {
- TrustEngine* SAML_DLLLOCAL ChainingTrustEngineFactory(const DOMElement* const & e)
- {
- return new ChainingTrustEngine(e);
- }
-};
-
-static const XMLCh GenericTrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
-static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
-
-ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) {
- try {
- e = e ? xmltooling::XMLHelper::getFirstChildElement(e, GenericTrustEngine) : NULL;
- while (e) {
- xmltooling::auto_ptr_char temp(e->getAttributeNS(NULL,type));
- if (temp.get()) {
- auto_ptr<TrustEngine> engine(
- SAMLConfig::getConfig().TrustEngineManager.newPlugin(temp.get(), e)
- );
- X509TrustEngine* x509 = dynamic_cast<X509TrustEngine*>(engine.get());
- if (x509) {
- m_engines.push_back(x509);
- engine.release();
- }
- else {
- throw xmltooling::UnknownExtensionException("Embedded trust engine does not support required interface.");
- }
- }
- e = xmltooling::XMLHelper::getNextSiblingElement(e, GenericTrustEngine);
- }
- }
- catch (xmltooling::XMLToolingException&) {
- for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup<X509TrustEngine>());
- throw;
- }
-}
-
-ChainingTrustEngine::~ChainingTrustEngine() {
- for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup<X509TrustEngine>());
-}
-
-bool ChainingTrustEngine::validate(
- Signature& sig,
- const RoleDescriptor& role,
- const KeyResolver* keyResolver
- ) const
-{
- for (vector<X509TrustEngine*>::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
- if (static_cast<TrustEngine*>(*i)->validate(sig,role,keyResolver))
- return true;
- }
- return false;
-}
-
-bool ChainingTrustEngine::validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const RoleDescriptor& role,
- const KeyResolver* keyResolver
- ) const
-{
- for (vector<X509TrustEngine*>::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
- if (static_cast<TrustEngine*>(*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, role, keyResolver))
- return true;
- }
- return false;
-}
-
-bool ChainingTrustEngine::validate(
- XSECCryptoX509* certEE,
- const vector<XSECCryptoX509*>& certChain,
- const RoleDescriptor& role,
- bool checkName,
- const KeyResolver* keyResolver
- ) const
-{
- for (vector<X509TrustEngine*>::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
- if ((*i)->validate(certEE,certChain,role,checkName,keyResolver))
- return true;
- }
- return false;
-}
+++ /dev/null
-/*
- * Copyright 2001-2005 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * ExplicitKeyTrustEngine.cpp
- *
- * TrustEngine based on explicit knowledge of peer key information.
- */
-
-#include "internal.h"
-#include "exceptions.h"
-#include "security/MetadataKeyInfoIterator.h"
-#include "security/X509TrustEngine.h"
-#include "signature/SignatureProfileValidator.h"
-
-#include <log4cpp/Category.hh>
-#include <xmltooling/security/X509TrustEngine.h>
-#include <xmltooling/util/NDC.h>
-
-using namespace opensaml::saml2md;
-using namespace opensaml;
-using namespace xmlsignature;
-using namespace log4cpp;
-using namespace std;
-
-namespace opensaml {
- class SAML_DLLLOCAL ExplicitKeyTrustEngine : public X509TrustEngine
- {
- public:
- ExplicitKeyTrustEngine(const DOMElement* e) : X509TrustEngine(e), m_engine(NULL) {
- auto_ptr<xmltooling::TrustEngine> engine(
- xmltooling::XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE, e)
- );
- if (m_engine=dynamic_cast<xmltooling::X509TrustEngine*>(engine.get()))
- engine.release();
- else
- throw xmltooling::UnknownExtensionException("Embedded trust engine does not support required interface.");
- }
-
- virtual ~ExplicitKeyTrustEngine() {
- delete m_engine;
- }
-
- virtual bool validate(
- Signature& sig,
- const RoleDescriptor& role,
- const KeyResolver* keyResolver=NULL
- ) const;
- virtual bool validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const RoleDescriptor& role,
- const KeyResolver* keyResolver=NULL
- ) const;
- virtual bool validate(
- XSECCryptoX509* certEE,
- const vector<XSECCryptoX509*>& certChain,
- const RoleDescriptor& role,
- bool checkName=true,
- const KeyResolver* keyResolver=NULL
- ) const;
-
- private:
- xmltooling::X509TrustEngine* m_engine;
- };
-
- TrustEngine* SAML_DLLLOCAL ExplicitKeyTrustEngineFactory(const DOMElement* const & e)
- {
- return new ExplicitKeyTrustEngine(e);
- }
-};
-
-bool ExplicitKeyTrustEngine::validate(
- Signature& sig,
- const RoleDescriptor& role,
- const KeyResolver* keyResolver
- ) const
-{
-#ifdef _DEBUG
- xmltooling::NDC ndc("validate");
-#endif
- Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine");
-
- log.debug("attempting to validate signature profile");
- SignatureProfileValidator sigValidator;
- try {
- sigValidator.validate(&sig);
- log.debug("signature profile validated");
- }
- catch (xmltooling::ValidationException& e) {
- if (log.isDebugEnabled()) {
- log.debug("signature profile failed to validate: %s", e.what());
- }
- return false;
- }
-
- MetadataKeyInfoIterator keys(role);
- return static_cast<xmltooling::TrustEngine*>(m_engine)->validate(sig,keys,keyResolver);
-}
-
-bool ExplicitKeyTrustEngine::validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const RoleDescriptor& role,
- const KeyResolver* keyResolver
- ) const
-{
- MetadataKeyInfoIterator keys(role);
- return static_cast<xmltooling::TrustEngine*>(m_engine)->validate(sigAlgorithm,sig,keyInfo,in,in_len,keys,keyResolver);
-}
-
-bool ExplicitKeyTrustEngine::validate(
- XSECCryptoX509* certEE,
- const vector<XSECCryptoX509*>& certChain,
- const RoleDescriptor& role,
- bool checkName,
- const KeyResolver* keyResolver
- ) const
-{
- MetadataKeyInfoIterator keys(role);
- return m_engine->validate(certEE,certChain,keys,checkName,keyResolver);
-}
+++ /dev/null
-/*
- * Copyright 2001-2006 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * TrustEngine.cpp
- *
- * Registration of factories for built-in engines
- */
-
-#include "internal.h"
-#include "security/TrustEngine.h"
-
-using namespace opensaml;
-using namespace xmltooling;
-using namespace std;
-
-namespace opensaml {
- SAML_DLLLOCAL PluginManager<TrustEngine,const DOMElement*>::Factory ExplicitKeyTrustEngineFactory;
- SAML_DLLLOCAL PluginManager<TrustEngine,const DOMElement*>::Factory ChainingTrustEngineFactory;
-};
-
-void SAML_API opensaml::registerTrustEngines()
-{
- SAMLConfig& conf=SAMLConfig::getConfig();
- conf.TrustEngineManager.registerFactory(EXPLICIT_KEY_SAMLTRUSTENGINE, ExplicitKeyTrustEngineFactory);
- conf.TrustEngineManager.registerFactory(CHAINING_SAMLTRUSTENGINE, ChainingTrustEngineFactory);
-}
#include <saml/binding/MessageDecoder.h>\r
#include <saml/binding/MessageEncoder.h>\r
#include <saml/binding/URLEncoder.h>\r
+#include <saml/saml2/metadata/Metadata.h>\r
#include <saml/saml2/metadata/MetadataProvider.h>\r
-#include <saml/security/TrustEngine.h>\r
+#include <xmltooling/security/TrustEngine.h>\r
\r
-using namespace saml2md;\r
+using namespace opensaml::saml2md;\r
using namespace xmlsignature;\r
\r
class SAMLBindingBaseTestCase : public HTTPRequest, public HTTPResponse\r
protected:\r
CredentialResolver* m_creds; \r
MetadataProvider* m_metadata;\r
- opensaml::TrustEngine* m_trust;\r
+ TrustEngine* m_trust;\r
map<string,string> m_fields;\r
map<string,string> m_headers;\r
string m_method,m_url,m_query;\r
FILESYSTEM_CREDENTIAL_RESOLVER,doc2->getDocumentElement()\r
);\r
\r
- m_trust = SAMLConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_SAMLTRUSTENGINE, NULL);\r
+ m_trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE, NULL);\r
\r
m_rules.push_back(SAMLConfig::getConfig().SecurityPolicyRuleManager.newPlugin(MESSAGEFLOW_POLICY_RULE,NULL));\r
m_rules.push_back(SAMLConfig::getConfig().SecurityPolicyRuleManager.newPlugin(SIMPLESIGNING_POLICY_RULE,NULL));\r
#include "internal.h"
#include <saml/SAMLConfig.h>
-#include <saml/security/AbstractPKIXTrustEngine.h>
+#include <saml/saml2/metadata/Metadata.h>
#include <saml/saml2/metadata/MetadataProvider.h>
+#include <xmltooling/security/AbstractPKIXTrustEngine.h>
using namespace opensaml::saml2;
using namespace opensaml::saml2md;
}
};
- PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const RoleDescriptor& role) const {
+ PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const KeyInfoSource& keyInfoSource) const {
+ dynamic_cast<const RoleDescriptor&>(keyInfoSource);
return new SampleIterator();
}
};
}
// Build trust engine.
- auto_ptr<opensaml::TrustEngine> trustEngine(new SampleTrustEngine());
+ auto_ptr<TrustEngine> trustEngine(new SampleTrustEngine());
// Get signed assertion.
config = data_path + "signature/SAML2Assertion.xml";
#include "internal.h"
#include <saml/SAMLConfig.h>
-#include <saml/security/TrustEngine.h>
+#include <saml/saml2/core/Assertions.h>
+#include <saml/saml2/metadata/Metadata.h>
#include <saml/saml2/metadata/MetadataProvider.h>
+#include <xmltooling/security/TrustEngine.h>
using namespace opensaml::saml2;
using namespace opensaml::saml2md;
}
// Build trust engine.
- auto_ptr<opensaml::TrustEngine> trustEngine(
- SAMLConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_SAMLTRUSTENGINE, NULL)
+ auto_ptr<TrustEngine> trustEngine(
+ XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE, NULL)
);
// Get signed assertion.