saml2/metadata/ChainingMetadataProvider.h \
saml2/metadata/EndpointManager.h \
saml2/metadata/Metadata.h \
+ saml2/metadata/MetadataCredentialCriteria.h \
saml2/metadata/MetadataFilter.h \
- saml2/metadata/MetadataKeyInfoIterator.h \
saml2/metadata/MetadataProvider.h \
saml2/metadata/ObservableMetadataProvider.h
#include "saml1/core/Protocols.h"
#include "saml2/core/Protocols.h"
#include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataFilter.h"
#include "saml2/metadata/MetadataProvider.h"
#include "util/SAMLConstants.h"
#include <istream>
#include <xmltooling/XMLObject.h>
-#include <xmltooling/security/CredentialResolver.h>
+#include <xmltooling/security/Credential.h>
namespace opensaml {
* @param destination destination URL for message
* @param recipientID optional entityID of message recipient
* @param relayState optional RelayState value to accompany message
- * @param credResolver optional CredentialResolver instance to supply signing material
+ * @param credential optional Credential to supply signing key
* @param sigAlgorithm optional signature algorithm identifier
*/
virtual long encode(
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const xmltooling::Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const=0;
protected:
MessageEncoder() : m_artifactGenerator(NULL) {}
- /**
- * Helper function to build a new XML Signature with KeyInfo, based
- * on the supplied CredentialResolver.
- *
- * @param credResolver CredentialResolver instance to supply signing material
- * @param sigAlgorithm optional signature algorithm identifier
- * @return a new Signature object
- */
- xmlsignature::Signature* buildSignature(
- const xmltooling::CredentialResolver* credResolver,
- const XMLCh* sigAlgorithm=NULL
- ) const;
-
/** Pointer to an ArtifactGenerator implementation. */
const ArtifactGenerator* m_artifactGenerator;
};
#define __saml_soap11client_h__
#include <saml/binding/SecurityPolicy.h>
+#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
#include <xmltooling/soap/SOAPClient.h>
namespace opensaml {
* @param validating controls schema validation
*/
SOAPClient(SecurityPolicy& policy)
- : soap11::SOAPClient(policy.getValidating()), m_policy(policy), m_force(true), m_peer(NULL) {}
+ : soap11::SOAPClient(policy.getValidating()), m_policy(policy), m_force(true), m_peer(NULL), m_criteria(NULL) {
+ }
- virtual ~SOAPClient() {}
+ virtual ~SOAPClient() {
+ }
/**
* Controls whether to force transport/peer authentication via an X509TrustEngine.
}
/**
- * Override prepares the SecurityPolicy by clearing Issuer identity, in case the policy
- * is reused.
+ * SAML-specific method uses a RoleDescriptor to determine the peer name and prepare the
+ * transport layer with peer credential information. The SecurityPolicy is also reset,
+ * in case the policy is reused.
*
* @param env SOAP envelope to send
- * @param peer peer to send message to, expressed in TrustEngine terms
+ * @param peer peer to send message to, expressed in metadata criteria terms
* @param endpoint URL of endpoint to recieve message
*/
- void send(const soap11::Envelope& env, const xmltooling::KeyInfoSource& peer, const char* endpoint);
+ void send(const soap11::Envelope& env, saml2md::MetadataCredentialCriteria& peer, const char* endpoint);
/**
* Override applies SecurityPolicy to envelope before returning it.
/** Metadata-based peer identity. */
const saml2md::RoleDescriptor* m_peer;
+
+ /** Metadata-based CredentialCriteria for supplying credentials to TrustEngine. */
+ saml2md::MetadataCredentialCriteria* m_criteria;
};
};
#include "exceptions.h"
#include "binding/SecurityPolicyRule.h"
#include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
#include "saml2/metadata/MetadataProvider.h"
#include <xmltooling/security/X509TrustEngine.h>
if (chain.empty())
return;
- if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true,
- policy.getMetadataProvider()->getKeyResolver())) {
+ // Set up criteria object, including peer name to enforce cert name checking.
+ MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
+ auto_ptr_char pn(policy.getIssuer()->getName());
+ cc.setPeerName(pn.get());
+ cc.setUsage(CredentialCriteria::TLS_CREDENTIAL);
+
+ if (!x509trust->validate(chain.front(), chain, *(policy.getMetadataProvider()), &cc)) {
log.error("unable to verify certificate chain with supplied trust engine");
return;
}
conf.MessageEncoderManager.registerFactory(samlconstants::SAML20_BINDING_HTTP_REDIRECT, saml2p::SAML2RedirectEncoderFactory);
conf.MessageEncoderManager.registerFactory(samlconstants::SAML20_BINDING_SOAP, saml2p::SAML2SOAPEncoderFactory);
}
-
-namespace {
- class SAML_DLLLOCAL _addcert : public binary_function<X509Data*,XSECCryptoX509*,void> {
- public:
- void operator()(X509Data* bag, XSECCryptoX509* cert) const {
- safeBuffer& buf=cert->getDEREncodingSB();
- X509Certificate* x=X509CertificateBuilder::buildX509Certificate();
- x->setValue(buf.sbStrToXMLCh());
- bag->getX509Certificates().push_back(x);
- }
- };
-};
-
-Signature* MessageEncoder::buildSignature(const CredentialResolver* credResolver, const XMLCh* sigAlgorithm) const
-{
- // Build a Signature.
- Signature* sig = SignatureBuilder::buildSignature();
- if (sigAlgorithm)
- sig->setSignatureAlgorithm(sigAlgorithm);
- sig->setSigningKey(credResolver->getKey());
-
- // Build KeyInfo.
- const vector<XSECCryptoX509*>& certs = credResolver->getCertificates();
- if (!certs.empty()) {
- KeyInfo* keyInfo=KeyInfoBuilder::buildKeyInfo();
- X509Data* x509Data=X509DataBuilder::buildX509Data();
- keyInfo->getX509Datas().push_back(x509Data);
- for_each(certs.begin(),certs.end(),bind1st(_addcert(),x509Data));
- sig->setKeyInfo(keyInfo);
- }
-
- return sig;
-}
using namespace xmltooling;
using namespace std;
-void SOAPClient::send(const soap11::Envelope& env, const KeyInfoSource& peer, const char* endpoint)
+void SOAPClient::send(const soap11::Envelope& env, MetadataCredentialCriteria& peer, const char* endpoint)
{
// Clear policy.
m_policy.reset();
+
+ m_criteria = &peer;
+ m_peer = &(peer.getRole());
- if (!m_peer)
- m_peer = dynamic_cast<const RoleDescriptor*>(&peer);
- if (m_peer) {
- const QName& role = m_peer->getElementQName();
- if (XMLString::equals(role.getLocalPart(),RoleDescriptor::LOCAL_NAME))
- m_policy.setRole(m_peer->getSchemaType());
- else
- m_policy.setRole(&role);
- }
-
- soap11::SOAPClient::send(env, peer, endpoint);
+ const QName& role = m_peer->getElementQName();
+ if (XMLString::equals(role.getLocalPart(),RoleDescriptor::LOCAL_NAME))
+ m_policy.setRole(m_peer->getSchemaType());
+ else
+ m_policy.setRole(&role);
+
+ auto_ptr_char pn(dynamic_cast<const EntityDescriptor*>(m_peer->getParent())->getEntityID());
+ soap11::SOAPClient::send(env, pn.get(), endpoint);
}
void SOAPClient::prepareTransport(xmltooling::SOAPTransport& transport)
const X509TrustEngine* engine = dynamic_cast<const X509TrustEngine*>(m_policy.getTrustEngine());
if (engine) {
- const MetadataProvider* metadata = m_policy.getMetadataProvider();
- if (!transport.setTrustEngine(engine, m_force, metadata ? metadata->getKeyResolver() : NULL))
+ if (!transport.setTrustEngine(engine, m_policy.getMetadataProvider(), m_criteria, m_force))
throw BindingException("Unable to install X509TrustEngine into SOAPTransport.");
}
}
if (env.get()) {
if (m_peer && m_transport->isSecure()) {
// Set issuer based on peer identity.
- EntityDescriptor* parent = dynamic_cast<EntityDescriptor*>(m_peer->getParent());
- if (parent) {
- m_policy.setIssuer(parent->getEntityID());
- m_policy.setIssuerMetadata(m_peer);
- m_policy.setSecure(true);
- }
+ m_policy.setIssuer(dynamic_cast<EntityDescriptor*>(m_peer->getParent())->getEntityID());
+ m_policy.setIssuerMetadata(m_peer);
+ m_policy.setSecure(true);
}
m_policy.evaluate(*(env.get()));
}
void SOAPClient::reset()
{
+ m_criteria = NULL;
m_peer = NULL;
soap11::SOAPClient::reset();
m_policy.reset();
#include "binding/SecurityPolicyRule.h"
#include "saml2/core/Assertions.h"
#include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
#include "saml2/metadata/MetadataProvider.h"
#include <log4cpp/Category.hh>
auto_ptr<KeyInfo> kjanitor(keyInfo);
auto_ptr_XMLCh alg(sigAlgorithm);
-
- if (!policy.getTrustEngine()->validate(
- alg.get(), signature, keyInfo, input.c_str(), input.length(),
- *(policy.getIssuerMetadata()), policy.getMetadataProvider()->getKeyResolver()
- )) {
+
+ // Set up criteria object, including peer name to enforce cert name checking.
+ MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
+ auto_ptr_char pn(policy.getIssuer()->getName());
+ cc.setPeerName(pn.get());
+ cc.setKeyAlgorithm(sigAlgorithm);
+
+ if (!policy.getTrustEngine()->validate(alg.get(), signature, keyInfo, input.c_str(), input.length(), *(policy.getMetadataProvider()), &cc)) {
log.error("unable to verify message signature with supplied trust engine");
if (m_errorsFatal)
throw SignatureException("Message was signed, but signature could not be verified.");
#include "binding/SecurityPolicyRule.h"
#include "saml2/core/Assertions.h"
#include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
#include "saml2/metadata/MetadataProvider.h"
#include "signature/SignatureProfileValidator.h"
return;
}
- if (!policy.getTrustEngine()->validate(
- *(signable->getSignature()), *(policy.getIssuerMetadata()), policy.getMetadataProvider()->getKeyResolver()
- )) {
+ // Set up criteria object, including peer name to enforce cert name checking.
+ MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
+ auto_ptr_char pn(policy.getIssuer()->getName());
+ cc.setPeerName(pn.get());
+
+ if (!policy.getTrustEngine()->validate(*(signable->getSignature()), *(policy.getMetadataProvider()), &cc)) {
log.error("unable to verify message signature with supplied trust engine");
if (m_errorsFatal)
throw SignatureException("Message was signed, but signature could not be verified.");
#include "internal.h"
#include "encryption/EncryptedKeyResolver.h"
+#include "saml2/core/Assertions.h"
using namespace xmlencryption;
using namespace std;
-EncryptedKey* opensaml::EncryptedKeyResolver::resolveKey(EncryptedData& encryptedData) const
+const EncryptedKey* opensaml::EncryptedKeyResolver::resolveKey(const EncryptedData& encryptedData, const XMLCh* recipient) const
{
const vector<EncryptedKey*>& keys=m_ref.getEncryptedKeys();
for (vector<EncryptedKey*>::const_iterator i=keys.begin(); i!=keys.end(); i++) {
- if (XMLString::equals(m_recipient,(*i)->getRecipient()))
+ if (XMLString::equals(recipient,(*i)->getRecipient()))
return (*i);
}
return NULL;
#define __saml_enckeyres_h__
#include <saml/base.h>
-#include <saml/saml2/core/Assertions.h>
#include <xmltooling/encryption/EncryptedKeyResolver.h>
namespace opensaml {
+ namespace saml2 {
+ class SAML_API EncryptedElementType;
+ };
+
/**
* SAML-specific encrypted key resolver.
*
class SAML_API EncryptedKeyResolver : public xmlencryption::EncryptedKeyResolver
{
public:
- EncryptedKeyResolver(const saml2::EncryptedElementType& ref, const XMLCh* recipient=NULL)
- : m_ref(ref), m_recipient(XMLString::replicate(recipient)) {
+ EncryptedKeyResolver(const saml2::EncryptedElementType& ref) : m_ref(ref) {
}
- virtual ~EncryptedKeyResolver() {
- XMLString::release(&m_recipient);
- }
+ virtual ~EncryptedKeyResolver() {}
- xmlencryption::EncryptedKey* resolveKey(xmlencryption::EncryptedData& encryptedData) const;
+ const xmlencryption::EncryptedKey* resolveKey(const xmlencryption::EncryptedData& encryptedData, const XMLCh* recipient=NULL) const;
protected:
const saml2::EncryptedElementType& m_ref;
- XMLCh* m_recipient;
};
};
>\r
</File>\r
<File\r
- RelativePath=".\saml2\metadata\MetadataFilter.h"\r
+ RelativePath=".\saml2\metadata\MetadataCredentialCriteria.h"\r
>\r
</File>\r
<File\r
- RelativePath=".\saml2\metadata\MetadataKeyInfoIterator.h"\r
+ RelativePath=".\saml2\metadata\MetadataFilter.h"\r
>\r
</File>\r
<File\r
#include <saml/binding/SOAPClient.h>
namespace opensaml {
+
namespace saml1p {
class SAML_API Request;
* <p>The request will be freed by the client object regardless of the outcome.
*
* @param request SAML request to send
- * @param peer peer to send message to, expressed in metadata terms
+ * @param peer peer to send message to, expressed in metadata criteria terms
* @param endpoint URL of endpoint to recieve message
*/
- virtual void sendSAML(Request* request, const saml2md::RoleDescriptor& peer, const char* endpoint);
+ virtual void sendSAML(Request* request, saml2md::MetadataCredentialCriteria& peer, const char* endpoint);
/**
* Specialized method for receiving SAML 1.x responses. The SOAP layer will be
long encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const;
};
const char* destination,
const char* recipientID,
const char* relayState,
- const CredentialResolver* credResolver,
+ const Credential* credential,
const XMLCh* sigAlgorithm
) const
{
long encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const;
protected:
/** Pathname of HTML template for transmission of message via POST. */
- std::string m_template;
+ string m_template;
};
MessageEncoder* SAML_DLLLOCAL SAML1POSTEncoderFactory(const DOMElement* const & e)
const char* destination,
const char* recipientID,
const char* relayState,
- const CredentialResolver* credResolver,
+ const Credential* credential,
const XMLCh* sigAlgorithm
) const
{
throw BindingException("SAML 1.x POST Encoder requires relay state (TARGET) value.");
DOMElement* rootElement = NULL;
- if (credResolver) {
+ if (credential) {
// Signature based on native XML signing.
if (response->getSignature()) {
log.debug("response already signed, skipping signature operation");
log.debug("signing and marshalling the response");
// Build a Signature.
- Signature* sig = buildSignature(credResolver, sigAlgorithm);
+ Signature* sig = SignatureBuilder::buildSignature();
response->setSignature(sig);
+ if (sigAlgorithm)
+ sig->setSignatureAlgorithm(sigAlgorithm);
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
- rootElement = response->marshall((DOMDocument*)NULL,&sigs);
+ rootElement = response->marshall((DOMDocument*)NULL,&sigs,credential);
}
}
else {
using namespace log4cpp;
using namespace std;
-void SAML1SOAPClient::sendSAML(Request* request, const RoleDescriptor& peer, const char* endpoint)
+void SAML1SOAPClient::sendSAML(Request* request, MetadataCredentialCriteria& peer, const char* endpoint)
{
auto_ptr<Envelope> env(EnvelopeBuilder::buildEnvelope());
Body* body = BodyBuilder::buildBody();
long encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const;
};
const char* destination,
const char* recipientID,
const char* relayState,
- const CredentialResolver* credResolver,
+ const Credential* credential,
const XMLCh* sigAlgorithm
) const
{
Body* body = BodyBuilder::buildBody();
env->setBody(body);
body->getUnknownXMLObjects().push_back(response);
- if (credResolver ) {
+ if (credential) {
if (response->getSignature()) {
log.debug("response already signed, skipping signature operation");
rootElement = env->marshall();
log.debug("signing and marshalling the response");
// Build a Signature.
- Signature* sig = buildSignature(credResolver, sigAlgorithm);
- response->setSignature(sig);
+ Signature* sig = SignatureBuilder::buildSignature();
+ response->setSignature(sig);
+ if (sigAlgorithm)
+ sig->setSignatureAlgorithm(sigAlgorithm);
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
- rootElement = env->marshall((DOMDocument*)NULL,&sigs);
+ rootElement = env->marshall((DOMDocument*)NULL,&sigs,credential);
}
}
else {
#include <saml/binding/SOAPClient.h>
namespace opensaml {
+
namespace saml2p {
class SAML_API RequestAbstractType;
* <p>The request will be freed by the client object regardless of the outcome.
*
* @param request SAML request to send
- * @param peer peer to send message to, expressed in metadata terms
+ * @param peer peer to send message to, expressed in metadata criteria terms
* @param endpoint URL of endpoint to recieve message
*/
- virtual void sendSAML(RequestAbstractType* request, const saml2md::RoleDescriptor& peer, const char* endpoint);
+ virtual void sendSAML(RequestAbstractType* request, saml2md::MetadataCredentialCriteria& peer, const char* endpoint);
/**
* Specialized method for receiving SAML 2.0 responses. The SOAP layer will be
long encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const;
private:
- std::string m_template;
+ string m_template;
};
MessageEncoder* SAML_DLLLOCAL SAML2ArtifactEncoderFactory(const DOMElement* const & e)
long SAML2ArtifactEncoder::encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID,
const char* relayState,
- const CredentialResolver* credResolver,
+ const Credential* credential,
const XMLCh* sigAlgorithm
) const
{
log.debug("obtaining new artifact for relying party (%s)", recipientID ? recipientID : "unknown");
auto_ptr<SAMLArtifact> artifact(m_artifactGenerator->generateSAML2Artifact(recipientID));
- if (credResolver) {
+ if (credential) {
// Signature based on native XML signing.
if (request ? request->getSignature() : response->getSignature()) {
log.debug("message already signed, skipping signature operation");
log.debug("signing the message");
// Build a Signature.
- Signature* sig = buildSignature(credResolver, sigAlgorithm);
-
- // Append Signature.
+ Signature* sig = SignatureBuilder::buildSignature();
request ? request->setSignature(sig) : response->setSignature(sig);
-
+ if (sigAlgorithm)
+ sig->setSignatureAlgorithm(sigAlgorithm);
+
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
- xmlObject->marshall((DOMDocument*)NULL,&sigs);
+ xmlObject->marshall((DOMDocument*)NULL,&sigs,credential);
}
}
long encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const;
private:
- std::string m_template;
+ string m_template;
bool m_simple;
};
const char* destination,
const char* recipientID,
const char* relayState,
- const CredentialResolver* credResolver,
+ const Credential* credential,
const XMLCh* sigAlgorithm
) const
{
}
DOMElement* rootElement = NULL;
- vector<Signature*> sigs;
- if (credResolver && !m_simple) {
+ if (credential && !m_simple) {
// Signature based on native XML signing.
if (request ? request->getSignature() : response->getSignature()) {
log.debug("message already signed, skipping signature operation");
log.debug("signing and marshalling the message");
// Build a Signature.
- Signature* sig = buildSignature(credResolver, sigAlgorithm);
-
- // Append Signature.
+ Signature* sig = SignatureBuilder::buildSignature();
request ? request->setSignature(sig) : response->setSignature(sig);
-
+ if (sigAlgorithm)
+ sig->setSignatureAlgorithm(sigAlgorithm);
+
// Sign response while marshalling.
- sigs.push_back(sig);
+ vector<Signature*> sigs(1,sig);
+ rootElement = xmlObject->marshall((DOMDocument*)NULL,&sigs,credential);
}
}
else {
log.debug("marshalling the message");
+ rootElement = xmlObject->marshall((DOMDocument*)NULL);
}
- rootElement = xmlObject->marshall((DOMDocument*)NULL,&sigs);
-
// Start tracking data.
TemplateEngine::TemplateParameters pmap;
if (relayState)
XMLHelper::serialize(rootElement, msg);
// SimpleSign.
- if (credResolver && m_simple) {
+ if (credential && m_simple) {
log.debug("applying simple signature to message data");
string input = (request ? "SAMLRequest=" : "SAMLResponse=") + msg;
if (relayState)
char sigbuf[1024];
memset(sigbuf,0,sizeof(sigbuf));
- auto_ptr<XSECCryptoKey> key(credResolver->getKey());
- Signature::createRawSignature(key.get(), sigAlgorithm, input.c_str(), input.length(), sigbuf, sizeof(sigbuf)-1);
+ Signature::createRawSignature(credential->getPrivateKey(), sigAlgorithm, input.c_str(), input.length(), sigbuf, sizeof(sigbuf)-1);
pmap.m_map["Signature"] = sigbuf;
}
long encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const;
};
const char* destination,
const char* recipientID,
const char* relayState,
- const CredentialResolver* credResolver,
+ const Credential* credential,
const XMLCh* sigAlgorithm
) const
{
if (relayState)
xmlbuf = xmlbuf + "&RelayState=" + escaper->encode(relayState);
- if (credResolver) {
+ if (credential) {
// Sign the query string after adding the algorithm.
if (!sigAlgorithm)
sigAlgorithm = DSIGConstants::s_unicodeStrURIRSA_SHA1;
char sigbuf[1024];
memset(sigbuf,0,sizeof(sigbuf));
- auto_ptr<XSECCryptoKey> key(credResolver->getKey());
- Signature::createRawSignature(key.get(), sigAlgorithm, xmlbuf.c_str(), xmlbuf.length(), sigbuf, sizeof(sigbuf)-1);
+ Signature::createRawSignature(credential->getPrivateKey(), sigAlgorithm, xmlbuf.c_str(), xmlbuf.length(), sigbuf, sizeof(sigbuf)-1);
xmlbuf = xmlbuf + "&Signature=" + escaper->encode(sigbuf);
}
using namespace log4cpp;
using namespace std;
-void SAML2SOAPClient::sendSAML(RequestAbstractType* request, const RoleDescriptor& peer, const char* endpoint)
+void SAML2SOAPClient::sendSAML(RequestAbstractType* request, MetadataCredentialCriteria& peer, const char* endpoint)
{
auto_ptr<Envelope> env(EnvelopeBuilder::buildEnvelope());
Body* body = BodyBuilder::buildBody();
long encode(
GenericResponse& genericResponse,
- xmltooling::XMLObject* xmlObject,
+ XMLObject* xmlObject,
const char* destination,
const char* recipientID=NULL,
const char* relayState=NULL,
- const xmltooling::CredentialResolver* credResolver=NULL,
+ const Credential* credential=NULL,
const XMLCh* sigAlgorithm=NULL
) const;
};
const char* destination,
const char* recipientID,
const char* relayState,
- const CredentialResolver* credResolver,
+ const Credential* credential,
const XMLCh* sigAlgorithm
) const
{
Body* body = BodyBuilder::buildBody();
env->setBody(body);
body->getUnknownXMLObjects().push_back(response);
- if (credResolver ) {
+ if (credential) {
if (response->getSignature()) {
log.debug("response already signed, skipping signature operation");
rootElement = env->marshall();
log.debug("signing and marshalling the response");
// Build a Signature.
- Signature* sig = buildSignature(credResolver, sigAlgorithm);
- response->setSignature(sig);
+ Signature* sig = SignatureBuilder::buildSignature();
+ response->setSignature(sig);
+ if (sigAlgorithm)
+ sig->setSignatureAlgorithm(sigAlgorithm);
// Sign response while marshalling.
vector<Signature*> sigs(1,sig);
- rootElement = env->marshall((DOMDocument*)NULL,&sigs);
+ rootElement = env->marshall((DOMDocument*)NULL,&sigs,credential);
}
}
else {
#include <xmltooling/XMLObjectBuilder.h>
#include <xmltooling/encryption/Encryption.h>
+#include <xmltooling/security/CredentialCriteria.h>
#include <xmltooling/security/CredentialResolver.h>
#include <xmltooling/signature/Signature.h>
#include <xmltooling/util/DateTime.h>
static const XMLCh TYPE_NAME[];
/**
- * Decrypts the element using a standard approach based on a wrapped decryption key
- * inside the message. The key decryption key should be supplied using the provided
- * resolver. The recipient name may be used when multiple encrypted keys are found.
- * The object returned will be unmarshalled around the decrypted DOM element, but the
+ * Decrypts the element using the supplied CredentialResolver.
+ *
+ * <p>The object returned will be unmarshalled around the decrypted DOM element, but the
* DOM itself will be released.
*
- * @param KEKresolver locked resolver supplying key decryption key
+ * @param credResolver locked resolver supplying decryption keys
* @param recipient identifier naming the recipient (the entity performing the decryption)
+ * @param criteria optional external criteria to use with resolver
* @return the decrypted and unmarshalled object
*/
- virtual xmltooling::XMLObject* decrypt(const xmltooling::CredentialResolver* KEKresolver, const XMLCh* recipient) const=0;
+ virtual xmltooling::XMLObject* decrypt(
+ const xmltooling::CredentialResolver& credResolver, const XMLCh* recipient, xmltooling::CredentialCriteria* criteria=NULL
+ ) const=0;
END_XMLOBJECT;
BEGIN_XMLOBJECT(SAML_API,EncryptedID,EncryptedElementType,SAML 2.0 EncryptedID element);
}
}
- XMLObject* decrypt(const CredentialResolver* KEKresolver, const XMLCh* recipient) const
+ XMLObject* decrypt(const CredentialResolver& credResolver, const XMLCh* recipient, CredentialCriteria* criteria) const
{
if (!m_EncryptedData)
throw DecryptionException("No encrypted data present.");
- EncryptedKeyResolver ekr(*this, recipient);
- Decrypter decrypter(KEKresolver, &ekr);
- DOMDocumentFragment* frag = decrypter.decryptData(*m_EncryptedData);
+ EncryptedKeyResolver ekr(*this);
+ Decrypter decrypter(&credResolver, criteria, &ekr);
+ DOMDocumentFragment* frag = decrypter.decryptData(*m_EncryptedData, recipient);
if (frag->hasChildNodes() && frag->getFirstChild()==frag->getLastChild()) {
DOMNode* plaintext=frag->getFirstChild();
if (plaintext->getNodeType()==DOMNode::ELEMENT_NODE) {
}
}
- XMLObject* decrypt(const CredentialResolver* KEKresolver, const XMLCh* recipient) const
+ XMLObject* decrypt(const CredentialResolver& credResolver, const XMLCh* recipient, CredentialCriteria* criteria) const
{
if (!m_EncryptedData)
throw DecryptionException("No encrypted data present.");
- EncryptedKeyResolver ekr(*this, recipient);
- Decrypter decrypter(KEKresolver, &ekr);
- DOMDocumentFragment* frag = decrypter.decryptData(*m_EncryptedData);
+ EncryptedKeyResolver ekr(*this);
+ Decrypter decrypter(&credResolver, criteria, &ekr);
+ DOMDocumentFragment* frag = decrypter.decryptData(*m_EncryptedData, recipient);
if (frag->hasChildNodes() && frag->getFirstChild()==frag->getLastChild()) {
DOMNode* plaintext=frag->getFirstChild();
if (plaintext->getNodeType()==DOMNode::ELEMENT_NODE) {
#include <saml/saml2/metadata/ObservableMetadataProvider.h>
-namespace opensaml {
+#include <xmltooling/security/Credential.h>
+#include <xmltooling/security/CredentialCriteria.h>
+#include <xmltooling/util/Threads.h>
+namespace opensaml {
namespace saml2md {
+ class SAML_API MetadataFilter;
+
/**
* Base class for caching metadata providers.
*/
* Constructor.
*
* If a DOM is supplied, a set of default logic will be used to identify
- * and build a KeyResolver plugin and install it into the provider.
+ * and build a KeyInfoResolver plugin and install it into the provider.
*
* The following XML content is supported:
*
* <ul>
- * <li><KeyResolver> elements with a type attribute
+ * <li><KeyInfoResolver> elements with a type attribute
* </ul>
*
* XML namespaces are ignored in the processing of these elements.
*/
AbstractMetadataProvider(const DOMElement* e=NULL);
- void emitChangeEvent();
-
public:
virtual ~AbstractMetadataProvider();
- virtual const xmltooling::KeyResolver* getKeyResolver() const {
- return m_resolver;
- }
-
- virtual const EntityDescriptor* getEntityDescriptor(const char* id, bool requireValidMetadata=true) const;
- virtual const EntityDescriptor* getEntityDescriptor(const SAMLArtifact* artifact) const;
- virtual const EntitiesDescriptor* getEntitiesDescriptor(const char* name, bool requireValidMetadata=true) const;
+ void emitChangeEvent();
+ const EntityDescriptor* getEntityDescriptor(const char* id, bool requireValidMetadata=true) const;
+ const EntityDescriptor* getEntityDescriptor(const SAMLArtifact* artifact) const;
+ const EntitiesDescriptor* getEntitiesDescriptor(const char* name, bool requireValidMetadata=true) const;
+ const xmltooling::Credential* resolve(const xmltooling::CredentialCriteria* criteria=NULL) const;
+ std::vector<const xmltooling::Credential*>::size_type resolve(
+ std::vector<const xmltooling::Credential*>& results, const xmltooling::CredentialCriteria* criteria=NULL
+ ) const;
protected:
- /** Embedded KeyResolver instance. */
- xmltooling::KeyResolver* m_resolver;
+ /** Embedded KeyInfoResolver instance. */
+ xmltooling::KeyInfoResolver* m_resolver;
/**
* Loads an entity into the cache for faster lookup. This includes
* Clear the cache of known entities and groups.
*/
virtual void clearDescriptorIndex();
+
+ /**
+ * Returns true iff the Credential matches the criteria supplied, if any.
+ *
+ * @param cred Credential plus KeyDescriptor usage information
+ * @param criteria criteria for Credential selection
+ * @return true iff the Credential applies
+ */
+ virtual bool matches(
+ const std::pair<const XMLCh*,xmltooling::Credential*>& cred, const xmltooling::CredentialCriteria* criteria
+ ) const;
private:
- std::vector<MetadataFilter*> m_filters;
-
typedef std::multimap<std::string,const EntityDescriptor*> sitemap_t;
typedef std::multimap<std::string,const EntitiesDescriptor*> groupmap_t;
sitemap_t m_sites;
sitemap_t m_sources;
groupmap_t m_groups;
+
+ mutable xmltooling::Mutex* m_credentialLock;
+ typedef std::map<const RoleDescriptor*, std::vector< std::pair<const XMLCh*,xmltooling::Credential*> > > credmap_t;
+ mutable credmap_t m_credentialMap;
+ const credmap_t::mapped_type& resolveCredentials(const RoleDescriptor& role) const;
};
};
namespace opensaml {
namespace saml2md {
-
+
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4251 )
+#endif
+
/**
* MetadataProvider that uses multiple providers in sequence.
*/
xmltooling::Lockable* lock();
void unlock();
void init();
- const xmltooling::KeyResolver* getKeyResolver() const;
const xmltooling::XMLObject* getMetadata() const;
const EntitiesDescriptor* getEntitiesDescriptor(const char* name, bool requireValidMetadata=true) const;
const EntityDescriptor* getEntityDescriptor(const char* id, bool requireValidMetadata=true) const;
const EntityDescriptor* getEntityDescriptor(const SAMLArtifact* artifact) const;
void onEvent(MetadataProvider& provider);
+ const xmltooling::Credential* resolve(const xmltooling::CredentialCriteria* criteria=NULL) const;
+ std::vector<const xmltooling::Credential*>::size_type resolve(
+ std::vector<const xmltooling::Credential*>& results, const xmltooling::CredentialCriteria* criteria=NULL
+ ) const;
+
private:
xmltooling::ThreadKey* m_tlsKey;
std::vector<MetadataProvider*> m_providers;
};
- };
+
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
+
+ };
};
#endif /* __saml_chainmeta_h__ */
#include <saml/saml2/core/Assertions.h>
#include <ctime>
-#include <xmltooling/security/KeyInfoSource.h>
#define DECL_SAML2MDOBJECTBUILDER(cname) \
DECL_XMLOBJECTBUILDER(SAML_API,cname,samlconstants::SAML20MD_NS,samlconstants::SAML20MD_PREFIX)
static const XMLCh KEYTYPE_SIGNING[];
END_XMLOBJECT;
- BEGIN_XMLOBJECT5(SAML_API,RoleDescriptor,xmltooling::AttributeExtensibleXMLObject,SignableObject,
- CacheableSAMLObject,TimeBoundSAMLObject,xmltooling::KeyInfoSource,
- SAML 2.0 RoleDescriptor abstract element);
+ BEGIN_XMLOBJECT4(SAML_API,RoleDescriptor,xmltooling::AttributeExtensibleXMLObject,SignableObject,
+ CacheableSAMLObject,TimeBoundSAMLObject,SAML 2.0 RoleDescriptor abstract element);
DECL_STRING_ATTRIB(ID,ID);
DECL_STRING_ATTRIB(ProtocolSupportEnumeration,PROTOCOLSUPPORTENUMERATION);
/** Searches the ProtocolSupportEnumeration attribute for the indicated protocol. */
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file saml/saml2/metadata/MetadataCredentialCriteria.h
+ *
+ * Metadata-based CredentialCriteria subclass.
+ */
+
+#ifndef __saml_metacred_h__
+#define __saml_metacred_h__
+
+#include <saml/base.h>
+#include <xmltooling/security/CredentialCriteria.h>
+
+namespace opensaml {
+ namespace saml2md {
+
+ class SAML_API RoleDescriptor;
+
+ /**
+ * Metadata-based CredentialCriteria subclass.
+ */
+ class SAML_API MetadataCredentialCriteria : public xmltooling::CredentialCriteria
+ {
+ public:
+ /*
+ * Constructor.
+ *
+ * @param role source of metadata-supplied credentials
+ */
+ MetadataCredentialCriteria(const RoleDescriptor& role) : m_role(role) {}
+
+ virtual ~MetadataCredentialCriteria() {}
+
+ /**
+ * Return the metadata role associated with the credentials.
+ *
+ * @return the associated metadata role
+ */
+ const RoleDescriptor& getRole() const {
+ return m_role;
+ }
+
+ private:
+ const RoleDescriptor& m_role;
+ };
+ };
+};
+
+#endif /* __saml_metacred_h__ */
#include <saml/base.h>
#include <saml/exceptions.h>
+#include <saml/saml2/metadata/MetadataProvider.h>
+
#include <xmltooling/XMLObject.h>
#ifndef __saml2_metadatafilt_h__
/** MetadataFilter that verifies signatures and filters out any that don't pass. */
#define SIGNATURE_METADATA_FILTER "Signature"
- DECL_XMLTOOLING_EXCEPTION(MetadataException,SAML_EXCEPTIONAPI(SAML_API),opensaml::saml2md,xmltooling::XMLToolingException,Exceptions related to metadata use);
DECL_XMLTOOLING_EXCEPTION(MetadataFilterException,SAML_EXCEPTIONAPI(SAML_API),opensaml::saml2md,MetadataException,Exceptions related to metadata filtering);
};
};
+++ /dev/null
-/*
- * Copyright 2001-2007 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/**
- * MetadataKeyInfoIterator.h
- *
- * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface.
- */
-
-#ifndef __saml_keyiter_h__
-#define __saml_keyiter_h__
-
-#include <saml/saml2/metadata/Metadata.h>
-
-namespace opensaml {
- namespace saml2md {
-
- /**
- * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface.
- */
- class SAML_API MetadataKeyInfoIterator : public xmltooling::KeyInfoIterator
- {
- const std::vector<KeyDescriptor*>& m_keys;
- std::vector<KeyDescriptor*>::const_iterator m_iter;
-
- void advance() {
- while (hasNext()) {
- const XMLCh* use=(*m_iter)->getUse();
- if ((!use || !*use || XMLString::equals(use,KeyDescriptor::KEYTYPE_SIGNING)) && (*m_iter)->getKeyInfo())
- return;
- m_iter++;
- }
- }
-
- public:
- MetadataKeyInfoIterator(const RoleDescriptor& role) : m_keys(role.getKeyDescriptors()) {
- m_iter=m_keys.begin();
- advance();
- }
-
- virtual ~MetadataKeyInfoIterator() {}
-
- /**
- * Indicates whether additional KeyInfo objects are available.
- *
- * @return true iff another KeyInfo object can be fetched
- */
- virtual bool hasNext() const {
- return m_iter!=m_keys.end();
- }
-
- /**
- * Returns the next KeyInfo object available.
- *
- * @return the next KeyInfo object, or NULL if none are left
- */
- virtual const xmlsignature::KeyInfo* next() {
- xmlsignature::KeyInfo* ret = (*m_iter)->getKeyInfo();
- m_iter++;
- advance();
- return ret;
- }
- };
- };
-};
-
-#endif /* __saml_keyiter_h__ */
#ifndef __saml2_metadataprov_h__
#define __saml2_metadataprov_h__
-#include <saml/saml2/metadata/MetadataFilter.h>
-
-#include <xmltooling/Lockable.h>
-#include <xmltooling/security/KeyResolver.h>
+#include <xmltooling/XMLObject.h>
+#include <xmltooling/security/CredentialResolver.h>
namespace opensaml {
class SAML_API EntityDescriptor;
class SAML_API EntitiesDescriptor;
-
+ class SAML_API RoleDescriptor;
+ class SAML_API MetadataCredentialResolver;
+ class SAML_API MetadataFilter;
+
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4251 )
+#endif
+
/**
* Supplies an individual source of metadata.
*
* dynamic lookup, can include local caching, etc. Providers
* <strong>MUST</strong> be locked before any lookup operations.
*/
- class SAML_API MetadataProvider : public virtual xmltooling::Lockable
+ class SAML_API MetadataProvider : public virtual xmltooling::CredentialResolver
{
MAKE_NONCOPYABLE(MetadataProvider);
-
protected:
/**
* Constructor.
virtual void init()=0;
/**
- * Returns a KeyResolver associated with this metadata provider, if any.
- *
- * @return an associated KeyResolver, or NULL
- */
- virtual const xmltooling::KeyResolver* getKeyResolver() const=0;
-
- /**
* Gets the entire metadata tree, after the registered filter has been applied.
* The caller MUST unlock the provider when finished with the data.
*
private:
std::vector<MetadataFilter*> m_filters;
};
-
+
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
+
/**
* Registers MetadataProvider classes into the runtime.
*/
/** MetadataProvider that wraps a sequence of metadata providers. */
#define CHAINING_METADATA_PROVIDER "Chaining"
+
+ DECL_XMLTOOLING_EXCEPTION(MetadataException,SAML_EXCEPTIONAPI(SAML_API),opensaml::saml2md,xmltooling::XMLToolingException,Exceptions related to metadata use);
};
};
namespace saml2md {
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4251 )
+#endif
/**
* A metadata provider that notifies interested parties of changes.
*/
private:
std::vector<Observer*> m_observers;
};
+
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
+
};
};
#include "binding/SAMLArtifact.h"
#include "saml2/metadata/Metadata.h"
#include "saml2/metadata/AbstractMetadataProvider.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
#include <xercesc/util/XMLUniDefs.hpp>
-#include <xmltooling/security/CachingKeyResolver.h>
+#include <xmltooling/security/KeyInfoResolver.h>
#include <xmltooling/util/XMLHelper.h>
using namespace opensaml::saml2md;
-using namespace opensaml;
using namespace xmltooling;
using namespace std;
+using opensaml::SAMLArtifact;
-static const XMLCh _KeyResolver[] = UNICODE_LITERAL_11(K,e,y,R,e,s,o,l,v,e,r);
-static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
+static const XMLCh _KeyInfoResolver[] = UNICODE_LITERAL_15(K,e,y,I,n,f,o,R,e,s,o,l,v,e,r);
+static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
-AbstractMetadataProvider::AbstractMetadataProvider(const DOMElement* e) : ObservableMetadataProvider(e), m_resolver(NULL)
+AbstractMetadataProvider::AbstractMetadataProvider(const DOMElement* e)
+ : ObservableMetadataProvider(e), m_resolver(NULL), m_credentialLock(NULL)
{
- e = e ? XMLHelper::getFirstChildElement(e, _KeyResolver) : NULL;
+ e = e ? XMLHelper::getFirstChildElement(e, _KeyInfoResolver) : NULL;
if (e) {
auto_ptr_char t(e->getAttributeNS(NULL,type));
if (t.get())
- m_resolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(t.get(),e);
+ m_resolver = XMLToolingConfig::getConfig().KeyInfoResolverManager.newPlugin(t.get(),e);
else
- throw UnknownExtensionException("<KeyResolver> element found with no type attribute");
- }
-
- if (!m_resolver) {
- m_resolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(INLINE_KEY_RESOLVER, NULL);
+ throw UnknownExtensionException("<KeyInfoResolver> element found with no type attribute");
}
+ m_credentialLock = Mutex::create();
}
AbstractMetadataProvider::~AbstractMetadataProvider()
{
+ for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
+ for_each(c->second.begin(), c->second.end(), cleanup_pair<const XMLCh*,Credential>());
+ delete m_credentialLock;
delete m_resolver;
}
void AbstractMetadataProvider::emitChangeEvent()
{
- CachingKeyResolver* ckr=dynamic_cast<CachingKeyResolver*>(m_resolver);
- if (ckr)
- ckr->clearCache();
- ObservableMetadataProvider::emitChangeEvent();
+ for (credmap_t::iterator c = m_credentialMap.begin(); c!=m_credentialMap.end(); ++c)
+ for_each(c->second.begin(), c->second.end(), cleanup_pair<const XMLCh*,Credential>());
+ m_credentialMap.clear();
+ ObservableMetadataProvider::emitChangeEvent();
}
void AbstractMetadataProvider::index(EntityDescriptor* site, time_t validUntil)
return NULL;
}
+
+const Credential* AbstractMetadataProvider::resolve(const CredentialCriteria* criteria) const
+{
+ const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
+ if (!metacrit)
+ throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
+
+ Lock lock(m_credentialLock);
+ const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
+
+ for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
+ if (matches(*c,criteria))
+ return c->second;
+ return NULL;
+}
+
+vector<const Credential*>::size_type AbstractMetadataProvider::resolve(
+ vector<const Credential*>& results, const CredentialCriteria* criteria
+ ) const
+{
+ const MetadataCredentialCriteria* metacrit = dynamic_cast<const MetadataCredentialCriteria*>(criteria);
+ if (!metacrit)
+ throw MetadataException("Cannot resolve credentials without a MetadataCredentialCriteria object.");
+
+ Lock lock(m_credentialLock);
+ const credmap_t::mapped_type& creds = resolveCredentials(metacrit->getRole());
+
+ for (credmap_t::mapped_type::const_iterator c = creds.begin(); c!=creds.end(); ++c)
+ if (matches(*c,criteria))
+ results.push_back(c->second);
+ return results.size();
+}
+
+const AbstractMetadataProvider::credmap_t::mapped_type& AbstractMetadataProvider::resolveCredentials(const RoleDescriptor& role) const
+{
+ credmap_t::const_iterator i = m_credentialMap.find(&role);
+ if (i!=m_credentialMap.end())
+ return i->second;
+
+ const KeyInfoResolver* resolver = m_resolver ? m_resolver : XMLToolingConfig::getConfig().getKeyInfoResolver();
+ const vector<KeyDescriptor*>& keys = role.getKeyDescriptors();
+ AbstractMetadataProvider::credmap_t::mapped_type& resolved = m_credentialMap[&role];
+ for (vector<KeyDescriptor*>::const_iterator k = keys.begin(); k!=keys.end(); ++k) {
+ if ((*k)->getKeyInfo()) {
+ Credential* c = resolver->resolve((*k)->getKeyInfo());
+ resolved.push_back(make_pair((*k)->getUse(), c));
+ }
+ }
+ return resolved;
+}
+
+bool AbstractMetadataProvider::matches(const pair<const XMLCh*,Credential*>& cred, const CredentialCriteria* criteria) const
+{
+ if (criteria) {
+ // Check for a usage mismatch.
+ if ((criteria->getUsage()==CredentialCriteria::SIGNING_CREDENTIAL || criteria->getUsage()==CredentialCriteria::TLS_CREDENTIAL) &&
+ XMLString::equals(cred.first,KeyDescriptor::KEYTYPE_ENCRYPTION))
+ return false;
+ else if (criteria->getUsage()==CredentialCriteria::ENCRYPTION_CREDENTIAL && XMLString::equals(cred.first,KeyDescriptor::KEYTYPE_SIGNING))
+ return false;
+
+ if (cred.second->getPublicKey()) {
+ // See if we have to match a specific key.
+ auto_ptr<Credential> critcred(
+ XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(*criteria,Credential::RESOLVE_KEYS)
+ );
+ if (critcred.get())
+ if (!critcred->isEqual(*(cred.second->getPublicKey())))
+ return false;
+ }
+ }
+ return true;
+}
void ChainingMetadataProvider::init()
{
- for_each(m_providers.begin(), m_providers.end(), mem_fun<void,MetadataProvider>(&MetadataProvider::init));
+ for_each(m_providers.begin(), m_providers.end(), mem_fun(&MetadataProvider::init));
}
Lockable* ChainingMetadataProvider::lock()
}
}
-const KeyResolver* ChainingMetadataProvider::getKeyResolver() const
-{
- // Check for a locked provider.
- void* ptr=m_tlsKey->getData();
- return ptr ? reinterpret_cast<MetadataProvider*>(ptr)->getKeyResolver() : NULL;
-
-}
-
const XMLObject* ChainingMetadataProvider::getMetadata() const
{
throw XMLToolingException("getMetadata operation not implemented on this provider.");
return NULL;
}
+
+const Credential* ChainingMetadataProvider::resolve(const CredentialCriteria* criteria) const
+{
+ // Check for a locked provider.
+ void* ptr=m_tlsKey->getData();
+ if (!ptr)
+ throw MetadataException("No locked MetadataProvider, where did the role object come from?");
+
+ return reinterpret_cast<MetadataProvider*>(ptr)->resolve(criteria);
+}
+
+vector<const Credential*>::size_type ChainingMetadataProvider::resolve(
+ vector<const Credential*>& results, const CredentialCriteria* criteria
+ ) const
+{
+ // Check for a locked provider.
+ void* ptr=m_tlsKey->getData();
+ if (!ptr)
+ throw MetadataException("No locked MetadataProvider, where did the role object come from?");
+
+ return reinterpret_cast<MetadataProvider*>(ptr)->resolve(results, criteria);
+}
#include "internal.h"
#include "exceptions.h"
#include "saml2/metadata/Metadata.h"
-#include "saml2/metadata/MetadataKeyInfoIterator.h"
#include <xmltooling/AbstractComplexElement.h>
#include <xmltooling/AbstractSimpleElement.h>
m_Signature->setContentReference(new opensaml::ContentReference(*this));
}
- KeyInfoIterator* getKeyInfoIterator() const {
- return new MetadataKeyInfoIterator(*this);
- }
-
- std::string getName() const {
- const EntityDescriptor* parent = dynamic_cast<const EntityDescriptor*>(getParent());
- if (parent) {
- char* ch = toUTF8(parent->getEntityID());
- if (ch) {
- string s(ch);
- delete[] ch;
- return s;
- }
- }
- return "";
- }
-
IMPL_ID_ATTRIB(ID);
IMPL_STRING_ATTRIB(ProtocolSupportEnumeration);
IMPL_STRING_ATTRIB(ErrorURL);
*/
#include "internal.h"
+#include "saml2/metadata/MetadataFilter.h"
#include "saml2/metadata/MetadataProvider.h"
#include <log4cpp/Category.hh>
#include <log4cpp/Category.hh>
-#include <xmltooling/util/NDC.h>
+#include <xmltooling/security/Credential.h>
+#include <xmltooling/security/CredentialCriteria.h>
+#include <xmltooling/security/CredentialResolver.h>
#include <xmltooling/signature/SignatureValidator.h>
+#include <xmltooling/util/NDC.h>
using namespace opensaml::saml2md;
using namespace opensaml;
public:
SignatureMetadataFilter(const DOMElement* e);
~SignatureMetadataFilter() {
- delete m_sigValidator;
+ delete m_credResolver;
}
const char* getId() const { return SIGNATURE_METADATA_FILTER; }
void verifySignature(Signature* sig) const {
if (sig) {
m_profileValidator.validate(sig);
- m_sigValidator->validate(sig);
+ m_sigValidator.validate(sig);
}
}
+ CredentialResolver* m_credResolver;
SignatureProfileValidator m_profileValidator;
- SignatureValidator* m_sigValidator;
+ mutable SignatureValidator m_sigValidator;
};
MetadataFilter* SAML_DLLLOCAL SignatureMetadataFilterFactory(const DOMElement* const & e)
};
};
-static const XMLCh GenericKeyResolver[] = UNICODE_LITERAL_11(K,e,y,R,e,s,o,l,v,e,r);
+static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
-SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_sigValidator(NULL)
+SignatureMetadataFilter::SignatureMetadataFilter(const DOMElement* e) : m_credResolver(NULL)
{
- e = XMLHelper::getFirstChildElement(e, GenericKeyResolver);
+ e = XMLHelper::getFirstChildElement(e, _CredentialResolver);
auto_ptr_char t(e ? e->getAttributeNS(NULL,type) : NULL);
if (t.get()) {
- auto_ptr<KeyResolver> kr(XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(t.get(),e));
- m_sigValidator = new SignatureValidator(kr.get());
- kr.release();
+ m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),e);
}
else
- throw MetadataFilterException("missing <KeyResolver> element, or no type attribute found");
+ throw MetadataFilterException("Missing <CredentialResolver> element, or no type attribute found");
}
void SignatureMetadataFilter::doFilter(XMLObject& xmlObject) const
NDC ndc("doFilter");
#endif
+ CredentialCriteria cc;
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ Locker locker(m_credResolver);
+ m_sigValidator.setCredential(m_credResolver->resolve(&cc));
+
try {
EntitiesDescriptor& entities = dynamic_cast<EntitiesDescriptor&>(xmlObject);
doFilter(entities, true);
#include "internal.h"
#include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataFilter.h"
#include "saml2/metadata/AbstractMetadataProvider.h"
#include <log4cpp/Category.hh>
--- /dev/null
+
+MD5 Fingerprint=E8:E6:70:BC:CF:50:67:7A:B3:27:69:81:AF:C2:4D:B1
+
+-----BEGIN CERTIFICATE-----
+MIIFsjCCBJqgAwIBAgIBIDANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEc
+MBoGA1UEChMTSW5Db21tb24gRmVkZXJhdGlvbjEpMCcGA1UEAxMgSW5Db21tb24g
+Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDUwMzI5MTUwMTM2WhcNMDYwMzI5
+MTUwMTM2WjBSMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSW5Db21tb24gRmVkZXJh
+dGlvbjElMCMGA1UEAxMcZmVkb3AuaW5jb21tb25mZWRlcmF0aW9uLm9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAoXZK5/nRuWY+S91CMPsXloDc5
+vGo8O/xcqkUNUow+C34NlgnZX4zq2BjZ1WTAk3yLaF00qYOK18R0LMpHjYmEbtvt
+NrjEvtaZwalo83TyRNKHfqvBG3bxOkoYpo8jZ9MkHxskCgjXWLnPu+TCB7GiDgBL
+Q2VEk/UneKHlNc0Y1drBr1HfiRR73lAIUXNG/iRGXyBLqvyyFPasZv/oBWmsJZqI
+2T8jlmdSZbMG66yWGMp9dKoJyb44fYGVlyo5j8arxyiXAEz4QIdoFhmm1k1wSQnJ
+DHtYaxwpf72wywps9P6GLqGkg8z+sxPWEgP8QqZWhwNJqAtVbNh+TDkBpXsCAwEA
+AaOCAo0wggKJMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU5ij9YLU5zQ6K75kPgVpy
+Q2N/lPswfgYDVR0jBHcwdYAUky3IYRitY+ObZbOd3Y2TuufKY0WhWqRYMFYxCzAJ
+BgNVBAYTAlVTMRwwGgYDVQQKExNJbkNvbW1vbiBGZWRlcmF0aW9uMSkwJwYDVQQD
+EyBJbkNvbW1vbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIBADCBugYIKwYBBQUH
+AQEEga0wgaowgacGCCsGAQUFBzAChoGaaHR0cDovL2luY29tbW9uY2ExLmluY29t
+bW9uZmVkZXJhdGlvbi5vcmcvYnJpZGdlL2NlcnRzL2NhLWNlcnRzLnA3YgoJCUNB
+IElzc3VlcnMgLSBVUkk6aHR0cDovL2luY29tbW9uY2EyLmluY29tbW9uZmVkZXJh
+dGlvbi5vcmcvYnJpZGdlL2NlcnRzL2NhLWNlcnRzLnA3YjCBjQYDVR0fBIGFMIGC
+MD+gPaA7hjlodHRwOi8vaW5jb21tb25jcmwxLmluY29tbW9uZmVkZXJhdGlvbi5v
+cmcvY3JsL2VlY3Jscy5jcmwwP6A9oDuGOWh0dHA6Ly9pbmNvbW1vbmNybDIuaW5j
+b21tb25mZWRlcmF0aW9uLm9yZy9jcmwvZWVjcmxzLmNybDBeBgNVHSAEVzBVMFMG
+CysGAQQBriMBBAEBMEQwQgYIKwYBBQUHAgEWNmh0dHA6Ly9pbmNvbW1vbmNhLmlu
+Y29tbW9uZmVkZXJhdGlvbi5vcmcvcHJhY3RpY2VzLnBkZjANBgkqhkiG9w0BAQUF
+AAOCAQEAemwo7fVSkdlClp7lFXVX1wmANoBAmAOf5F6zEAxTR9zbwEvcT5WwzSOD
+ikRKHBkP3A2qKJjuPNg46xpX2EFFdcqFc0KBD0KvBsROGwDwLWZZDwW4MFqDLkNa
+6AM0OW1o6zn8J5KapRTRZ8SKf1r8rPYWwvyigo+ECHREmJWgTqExVW03MTbuIXFG
+o3djIpXUplL91mni06UuefyOY6BQqVcesLf8ncwG2P3gHSLRmoIej7oUXpKkejEI
+S1DTdX1OcjEeFlY3hXPx1uN95u5reoa78inWVjmJMDnF0oz7YF0TOIzz8dS+LUKR
+TcKnG6jJL2KcSpgsqN/MxV3laz52hg==
+-----END CERTIFICATE-----
<?xml version="1.0" encoding="UTF-8"?>
<FilesystemMetadataProvider path="../samltest/data/saml2/metadata/InCommon-metadata.xml" validate="0">
<SignatureMetadataFilter>
- <KeyResolver type="Inline"/>
+ <CredentialResolver type="File">
+ <Certificate>
+ <Path>../samltest/data/incommon.pem</Path>
+ </Certificate>
+ </CredentialResolver>
</SignatureMetadataFilter>
</FilesystemMetadataProvider>
<?xml version="1.0" encoding="UTF-8"?>
-<FilesystemKeyResolver>
+<FilesystemCredentialResolver>
<Certificate>
<Path>../samltest/data/cert.pem</Path>
</Certificate>
-</FilesystemKeyResolver>
+</FilesystemCredentialResolver>
<ds:SignatureValue>AA5098JC4gfdAf2bvPQRZ9Ld/VehXAB3uhp0r4js4i6fMB3hGMs4VnE9iEJEsPDD
0Kj4cfewxHij/kHrWcxpKMMqIgGlqKYZhuQHfFt8GzDeeFIgu1R675jcN4uCOoWl
3aRVd9hgPRsXzf7/RkMiXHIsU/NjUPRKf7GjNt2jNT0=</ds:SignatureValue>
-<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
+<ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
<ds:SignatureValue>UE5p832pLFYvMloRofN3y0rrFY7B8zOcF7+CHYyxFn6pqgPeEYGqkbUWlV15/tJ5
wXJ3LiLQroYQI3XHPvKRSV4OtF9ZFm4QDK7RNd6gnUmHed6Zje//e6z2ekA0UzTl
IeWCuD84mWemMJzRAhSFKcnqJDBHA61Krvg1kf/2c2E=</ds:SignatureValue>
-<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
+<ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-<ds:DigestValue>58F0tbYfjW1fw6qvD3SFvhQlg/o=</ds:DigestValue>
+<ds:DigestValue>TfMZL9tjX6BFJb1whHodLQw94aE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
-<ds:SignatureValue>C9U3y5+GJYi+e2kHn2VBYFuE0L/CVDMxiRygammXuDiOo3jQslf8GifLDxinnI33
-+sky4f/Kv5mjVFd6aYs9ad3JANzuDF6zdMBVnQkrCAkfzKXjif1coXZWIcDc0To9
-qp6fegEuvFJrJyEJw9xyKkc93Mk6+gXLyxe1oynOkkI=</ds:SignatureValue>
-<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
+<ds:SignatureValue>SvahDxYpqSJI16CjJt2YWQO6DHvrtL9aNCsxwpEG4rRjkUshipwUHMngulnQHyX6
+BiJ5NrdAWd2HMaUOIiwg1e0Xi/H5BGwdyPPOM7kA05EOdnNO2wWcWgjRSUTa7f9g
+a3SHSk63QckMJBkm1neUijbktD2sk0yX6Zm0oyKWlYI=</ds:SignatureValue>
+<ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
<ds:SignatureValue>d4SsRgDSjboTRA2YUD68TPp+17AqRmxbY/LrWJhueIC/JY+Ct7+Fd6bugUXliIeD
NVRDACsEB7PqYWZ99+Ecf8XAmQYCw5elj8mWxPp0o+UVHtBZOR2bC+/YjNitSM+x
G/F3JgZqfunUcg7mcj6WEAUt4pjKhjaTY8Z7QJltdKc=</ds:SignatureValue>
-<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
+<ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
<ds:SignatureValue>zgKU42nQKyB9m8RkDz1I2r7h0N9pc5ys9kve7oN9/Dugrn583/3bMgQBfk1rw4Pq
BfztAZNcf2lstzvgpVB9fVTsTUuEDtT0mhc+f5t8kbCkABGu0SrfCnDjbYpmEeLC
j8rJO4aSZIV4tN21aAkQyys28l4oB3KGTTDASjEPVgQ=</ds:SignatureValue>
-<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
+<ds:KeyInfo><ds:KeyName>sp.example.org</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
using namespace opensaml::saml1p;\r
using namespace opensaml::saml1;\r
\r
-namespace {\r
- class SAML_DLLLOCAL _addcert : public binary_function<X509Data*,XSECCryptoX509*,void> {\r
- public:\r
- void operator()(X509Data* bag, XSECCryptoX509* cert) const {\r
- safeBuffer& buf=cert->getDEREncodingSB();\r
- X509Certificate* x=X509CertificateBuilder::buildX509Certificate();\r
- x->setValue(buf.sbStrToXMLCh());\r
- bag->getX509Certificates().push_back(x);\r
- }\r
- };\r
-};\r
-\r
class SAML1ArtifactTest : public CxxTest::TestSuite,\r
public SAMLBindingBaseTestCase, public MessageEncoder::ArtifactGenerator, public MessageDecoder::ArtifactResolver {\r
public:\r
);\r
janitor.release();\r
\r
+ CredentialCriteria cc;\r
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);\r
+ Locker clocker(m_creds);\r
+ const Credential* cred = m_creds->resolve(&cc);\r
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);\r
+\r
// Encode message.\r
auto_ptr<MessageEncoder> encoder(\r
SAMLConfig::getConfig().MessageEncoderManager.newPlugin(samlconstants::SAML1_PROFILE_BROWSER_ARTIFACT, NULL)\r
);\r
encoder->setArtifactGenerator(this);\r
- encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",m_creds);\r
+ encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",cred);\r
toSend.release();\r
\r
// Decode message.\r
throw BindingException("Not implemented.");\r
}\r
\r
- Signature* buildSignature(const CredentialResolver* credResolver) const\r
- {\r
- // Build a Signature.\r
- Signature* sig = SignatureBuilder::buildSignature();\r
- sig->setSigningKey(credResolver->getKey());\r
-\r
- // Build KeyInfo.\r
- const vector<XSECCryptoX509*>& certs = credResolver->getCertificates();\r
- if (!certs.empty()) {\r
- KeyInfo* keyInfo=KeyInfoBuilder::buildKeyInfo();\r
- X509Data* x509Data=X509DataBuilder::buildX509Data();\r
- keyInfo->getX509Datas().push_back(x509Data);\r
- for_each(certs.begin(),certs.end(),bind1st(_addcert(),x509Data));\r
- sig->setKeyInfo(keyInfo);\r
- }\r
- \r
- return sig;\r
- }\r
-\r
Response* resolve(\r
const vector<SAMLArtifact*>& artifacts,\r
const IDPSSODescriptor& idpDescriptor,\r
StatusCode* sc = StatusCodeBuilder::buildStatusCode();\r
status->setStatusCode(sc);\r
sc->setValue(&StatusCode::SUCCESS);\r
- response->setSignature(buildSignature(m_creds));\r
+ response->setSignature(SignatureBuilder::buildSignature());\r
vector<Signature*> sigs(1,response->getSignature());\r
- response->marshall((DOMDocument*)NULL,&sigs);\r
+ CredentialCriteria cc;\r
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);\r
+ Locker clocker(m_creds);\r
+ const Credential* cred = m_creds->resolve(&cc);\r
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);\r
+ response->marshall((DOMDocument*)NULL,&sigs,cred);\r
SchemaValidators.validate(response.get());\r
policy.evaluate(*(response.get()), this);\r
return response.release();\r
);
janitor.release();
+ CredentialCriteria cc;\r
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);\r
+ Locker clocker(m_creds);\r
+ const Credential* cred = m_creds->resolve(&cc);\r
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);\r
+
// Freshen timestamp and ID.
toSend->setIssueInstant(time(NULL));
toSend->setResponseID(NULL);
samlconstants::SAML1_PROFILE_BROWSER_POST, encoder_config->getDocumentElement()
)
);
- encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",m_creds);
+ encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",cred);
toSend.release();
// Decode message.
);\r
janitor.release();\r
\r
+ CredentialCriteria cc;\r
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);\r
+ Locker clocker(m_creds);\r
+ const Credential* cred = m_creds->resolve(&cc);\r
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);\r
+\r
// Freshen timestamp.\r
toSend->setIssueInstant(time(NULL));\r
\r
SAMLConfig::getConfig().MessageEncoderManager.newPlugin(samlconstants::SAML20_BINDING_HTTP_ARTIFACT, NULL)\r
);\r
encoder->setArtifactGenerator(this);\r
- encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",m_creds);\r
+ encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",cred);\r
toSend.release();\r
\r
// Decode message.\r
);
janitor.release();
+ CredentialCriteria cc;\r
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);\r
+ Locker clocker(m_creds);\r
+ const Credential* cred = m_creds->resolve(&cc);\r
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);\r
+
// Freshen timestamp and ID.
toSend->setIssueInstant(time(NULL));
toSend->setID(NULL);
samlconstants::SAML20_BINDING_HTTP_POST, encoder_config->getDocumentElement()
)
);
- encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",m_creds);
+ encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",cred);
toSend.release();
// Decode message.
);
janitor.release();
+ CredentialCriteria cc;\r
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);\r
+ Locker clocker(m_creds);\r
+ const Credential* cred = m_creds->resolve(&cc);\r
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);\r
+
// Freshen timestamp and ID.
toSend->setIssueInstant(time(NULL));
toSend->setID(NULL);
samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN, encoder_config->getDocumentElement()
)
);
- encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",m_creds);
+ encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",cred);
toSend.release();
// Decode message.
);
janitor.release();
+ CredentialCriteria cc;\r
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);\r
+ Locker clocker(m_creds);\r
+ const Credential* cred = m_creds->resolve(&cc);\r
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);\r
+
// Freshen timestamp and ID.
toSend->setIssueInstant(time(NULL));
toSend->setID(NULL);
auto_ptr<MessageEncoder> encoder(
SAMLConfig::getConfig().MessageEncoderManager.newPlugin(samlconstants::SAML20_BINDING_HTTP_REDIRECT, NULL)
);
- encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",m_creds);
+ encoder->encode(*this,toSend.get(),"https://sp.example.org/SAML/SSO","https://sp.example.org/","state",cred);
toSend.release();
// Decode message.
#include "internal.h"
#include <saml/SAMLConfig.h>
#include <saml/saml2/metadata/Metadata.h>
+#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
#include <saml/saml2/metadata/MetadataProvider.h>
#include <xmltooling/security/AbstractPKIXTrustEngine.h>
+#include <xmltooling/security/X509Credential.h>
using namespace opensaml::saml2;
using namespace opensaml::saml2md;
~SampleTrustEngine() {}
class SampleIterator : public PKIXValidationInfoIterator {
- vector<XSECCryptoX509CRL*> m_crls;
- KeyResolver::ResolvedCertificates m_certs;
- KeyResolver* m_resolver;
+ CredentialResolver* m_resolver;
+ mutable vector<XSECCryptoX509CRL*> m_crls;
bool m_done;
public:
- SampleIterator(const KeyResolver& keyResolver)
- : PKIXValidationInfoIterator(keyResolver), m_resolver(NULL), m_done(false) {
- string config = data_path + "security/FilesystemKeyResolver.xml";
+ SampleIterator() : m_resolver(NULL), m_done(false) {
+ string config = data_path + "security/FilesystemCredentialResolver.xml";
ifstream in(config.c_str());
DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
XercesJanitor<DOMDocument> janitor(doc);
- m_resolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(
- FILESYSTEM_KEY_RESOLVER,doc->getDocumentElement()
+ m_resolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(
+ FILESYSTEM_CREDENTIAL_RESOLVER,doc->getDocumentElement()
);
- m_resolver->resolveCertificates((KeyInfo*)NULL,m_certs);
+ m_resolver->lock();
}
~SampleIterator() {
+ m_resolver->unlock();
delete m_resolver;
}
}
const vector<XSECCryptoX509*>& getTrustAnchors() const {
- return m_certs.v();
+ return dynamic_cast<const X509Credential*>(m_resolver->resolve())->getEntityCertificateChain();
}
const vector<XSECCryptoX509CRL*>& getCRLs() const {
+ XSECCryptoX509CRL* crl = dynamic_cast<const X509Credential*>(m_resolver->resolve())->getCRL();
+ if (crl)
+ m_crls.push_back(crl);
return m_crls;
}
};
PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
- const KeyInfoSource& keyInfoSource,
- const KeyResolver& keyResolver
+ const CredentialResolver& credResolver, CredentialCriteria* criteria=NULL, const KeyInfoResolver* keyInfoResolver=NULL
) const {
- dynamic_cast<const RoleDescriptor&>(keyInfoSource);
- return new SampleIterator(keyResolver);
+ dynamic_cast<const MetadataCredentialCriteria*>(criteria);
+ return new SampleIterator();
}
};
};
SAMLObjectBaseTestCase::tearDown();
}
- void testExplicitKeyTrustEngine() {
+ void testAbstractPKIXTrustEngine() {
string config = data_path + "security/XMLMetadataProvider.xml";
ifstream in(config.c_str());
DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
Signature* sig=assertion->getSignature();
TSM_ASSERT("Signature not present", sig!=NULL);
- TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
+
+ MetadataCredentialCriteria cc(*role);
+ cc.setPeerName("https://idp.example.org");
+ TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *metadataProvider, &cc));
descriptor = metadataProvider->getEntityDescriptor("https://idp2.example.org");
TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
role=descriptor->getIDPSSODescriptors().front();
TSM_ASSERT("Role not present", role!=NULL);
- TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
+ MetadataCredentialCriteria cc2(*role);
+ cc2.setPeerName("https://idp2.example.org");
+ TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *metadataProvider, &cc2));
}
};
#include <saml/SAMLConfig.h>
#include <saml/saml2/core/Assertions.h>
#include <saml/saml2/metadata/Metadata.h>
+#include <saml/saml2/metadata/MetadataCredentialCriteria.h>
#include <saml/saml2/metadata/MetadataProvider.h>
#include <xmltooling/security/TrustEngine.h>
Signature* sig=assertion->getSignature();
TSM_ASSERT("Signature not present", sig!=NULL);
- TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
+
+ MetadataCredentialCriteria cc(*role);
+ cc.setPeerName("https://idp.example.org");
+ TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *metadataProvider, &cc));
descriptor = metadataProvider->getEntityDescriptor("https://idp2.example.org");
TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
role=descriptor->getIDPSSODescriptors().front();
TSM_ASSERT("Role not present", role!=NULL);
- TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
+ MetadataCredentialCriteria cc2(*role);
+ cc2.setPeerName("https://idp2.example.org");
+ TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *metadataProvider, &cc2));
}
};
// Append a Signature.
Signature* sig=SignatureBuilder::buildSignature();
assertion->setSignature(sig);
- Locker locker(m_resolver);
- sig->setSigningKey(m_resolver->getKey());
-
- // Build KeyInfo.
- KeyInfo* keyInfo=KeyInfoBuilder::buildKeyInfo();
- X509Data* x509Data=X509DataBuilder::buildX509Data();
- keyInfo->getX509Datas().push_back(x509Data);
- for_each(m_resolver->getCertificates().begin(),m_resolver->getCertificates().end(),bind1st(_addcert(),x509Data));
- sig->setKeyInfo(keyInfo);
// Sign while marshalling.
vector<Signature*> sigs(1,sig);
+ CredentialCriteria cc;
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ Locker locker(m_resolver);
+ const Credential* cred = m_resolver->resolve(&cc);
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);
+
DOMElement* rootElement = NULL;
try {
- rootElement=assertion->marshall((DOMDocument*)NULL,&sigs);
+ rootElement=assertion->marshall((DOMDocument*)NULL,&sigs,cred);
}
catch (XMLToolingException& e) {
TS_TRACE(e.what());
try {
opensaml::SignatureProfileValidator spv;
- SignatureValidator sv(new KeyResolver(m_resolver->getKey()));
+ SignatureValidator sv(cred);
spv.validate(dynamic_cast<Assertion*>(assertion2.get())->getSignature());
sv.validate(dynamic_cast<Assertion*>(assertion2.get())->getSignature());
}
// Append a Signature.
Signature* sig=SignatureBuilder::buildSignature();
request->setSignature(sig);
- Locker locker(m_resolver);
- sig->setSigningKey(m_resolver->getKey());
-
- // Build KeyInfo.
- KeyInfo* keyInfo=KeyInfoBuilder::buildKeyInfo();
- X509Data* x509Data=X509DataBuilder::buildX509Data();
- keyInfo->getX509Datas().push_back(x509Data);
- for_each(m_resolver->getCertificates().begin(),m_resolver->getCertificates().end(),bind1st(_addcert(),x509Data));
- sig->setKeyInfo(keyInfo);
// Sign while marshalling.
vector<Signature*> sigs(1,sig);
+ CredentialCriteria cc;
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ Locker locker(m_resolver);
+ const Credential* cred = m_resolver->resolve(&cc);
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);
+
DOMElement* rootElement = NULL;
try {
- rootElement=request->marshall((DOMDocument*)NULL,&sigs);
+ rootElement=request->marshall((DOMDocument*)NULL,&sigs,cred);
}
catch (XMLToolingException& e) {
TS_TRACE(e.what());
try {
opensaml::SignatureProfileValidator spv;
- SignatureValidator sv(new KeyResolver(m_resolver->getKey()));
+ SignatureValidator sv(cred);
spv.validate(dynamic_cast<Request*>(request2.get())->getSignature());
sv.validate(dynamic_cast<Request*>(request2.get())->getSignature());
}
// Append a Signature.
assertion->setSignature(SignatureBuilder::buildSignature());
- Locker locker(m_resolver);
- assertion->getSignature()->setSigningKey(m_resolver->getKey());
-
- // Build KeyInfo.
- KeyInfo* keyInfo=KeyInfoBuilder::buildKeyInfo();
- X509Data* x509Data=X509DataBuilder::buildX509Data();
- keyInfo->getX509Datas().push_back(x509Data);
- for_each(m_resolver->getCertificates().begin(),m_resolver->getCertificates().end(),bind1st(_addcert(),x509Data));
- assertion->getSignature()->setKeyInfo(keyInfo);
// Sign assertion while marshalling.
vector<Signature*> sigs(1,assertion->getSignature());
+ CredentialCriteria cc;
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ Locker locker(m_resolver);
+ const Credential* cred = m_resolver->resolve(&cc);
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);
+
DOMElement* rootElement = NULL;
try {
- rootElement=assertion->marshall((DOMDocument*)NULL,&sigs);
+ rootElement=assertion->marshall((DOMDocument*)NULL,&sigs,cred);
}
catch (XMLToolingException& e) {
TS_TRACE(e.what());
response->setStatus(status);
response->getAssertions().push_back(assertion);
response->setSignature(SignatureBuilder::buildSignature());
- response->getSignature()->setSigningKey(m_resolver->getKey());
- response->getSignature()->setKeyInfo(keyInfo->cloneKeyInfo());
// Sign response while marshalling.
sigs.clear();
sigs.push_back(response->getSignature());
rootElement = NULL;
try {
- rootElement=response->marshall((DOMDocument*)NULL,&sigs);
+ rootElement=response->marshall((DOMDocument*)NULL,&sigs,cred);
}
catch (XMLToolingException& e) {
TS_TRACE(e.what());
spv.validate(dynamic_cast<Response*>(response2.get())->getAssertions().front()->getSignature());
spv.validate(dynamic_cast<Response*>(response2.get())->getSignature());
- SignatureValidator sv(new KeyResolver(m_resolver->getKey()));
+ SignatureValidator sv(cred);
sv.validate(dynamic_cast<Response*>(response2.get())->getAssertions().front()->getSignature());
sv.validate(dynamic_cast<Response*>(response2.get())->getSignature());
}
// Append a Signature.
Signature* sig=SignatureBuilder::buildSignature();
assertion->setSignature(sig);
- Locker locker(m_resolver);
- sig->setSigningKey(m_resolver->getKey());
-
- // Build KeyInfo.
- KeyInfo* keyInfo=KeyInfoBuilder::buildKeyInfo();
- X509Data* x509Data=X509DataBuilder::buildX509Data();
- keyInfo->getX509Datas().push_back(x509Data);
- for_each(m_resolver->getCertificates().begin(),m_resolver->getCertificates().end(),bind1st(_addcert(),x509Data));
- sig->setKeyInfo(keyInfo);
// Sign while marshalling.
vector<Signature*> sigs(1,sig);
+ CredentialCriteria cc;
+ cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
+ Locker locker(m_resolver);
+ const Credential* cred = m_resolver->resolve(&cc);
+ TSM_ASSERT("Retrieved credential was null", cred!=NULL);
+
DOMElement* rootElement = NULL;
try {
- rootElement=assertion->marshall((DOMDocument*)NULL,&sigs);
+ rootElement=assertion->marshall((DOMDocument*)NULL,&sigs,cred);
}
catch (XMLToolingException& e) {
TS_TRACE(e.what());
try {
opensaml::SignatureProfileValidator spv;
- SignatureValidator sv(new KeyResolver(m_resolver->getKey()));
+ SignatureValidator sv(cred);
spv.validate(dynamic_cast<Assertion*>(assertion2.get())->getSignature());
sv.validate(dynamic_cast<Assertion*>(assertion2.get())->getSignature());
}
#include "internal.h"
#include <saml/signature/SignatureProfileValidator.h>
+#include <xmltooling/security/CredentialCriteria.h>
#include <xmltooling/security/CredentialResolver.h>
#include <xmltooling/signature/KeyInfo.h>
#include <xmltooling/signature/SignatureValidator.h>
using namespace xmlsignature;
-class _addcert : public std::binary_function<X509Data*,XSECCryptoX509*,void> {
-public:
- void operator()(X509Data* bag, XSECCryptoX509* cert) const {
- safeBuffer& buf=cert->getDEREncodingSB();
- X509Certificate* x=X509CertificateBuilder::buildX509Certificate();
- x->setValue(buf.sbStrToXMLCh());
- bag->getX509Certificates().push_back(x);
- }
-};
-
class SAMLSignatureTestBase : public SAMLObjectBaseTestCase {
protected:
CredentialResolver* m_resolver;