From a30857e2c0f4bcd1817aa2939ffdc0856e93a533 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Sat, 18 Nov 2006 00:47:16 +0000 Subject: [PATCH] Merged trust engines back into a unified version, made metadata roles a "KeyInfoSource". --- .cdtproject | 2 - configure.ac | 23 -- saml/Makefile.am | 12 +- saml/SAMLConfig.cpp | 3 - saml/SAMLConfig.h | 4 - saml/binding/ClientCertAuthRule.h | 2 +- saml/binding/MessageDecoder.h | 1 - saml/binding/MessageFlowRule.h | 2 +- saml/binding/SecurityPolicy.h | 10 +- saml/binding/SecurityPolicyRule.h | 5 +- saml/binding/SimpleSigningRule.h | 2 +- saml/binding/XMLSigningRule.h | 2 +- saml/binding/impl/ClientCertAuthRule.cpp | 8 +- saml/binding/impl/MessageFlowRule.cpp | 2 +- saml/binding/impl/SimpleSigningRule.cpp | 3 +- saml/binding/impl/XMLSigningRule.cpp | 15 +- saml/saml.vcproj | 52 +-- saml/saml2/metadata/Metadata.h | 7 +- saml/saml2/metadata/MetadataKeyInfoIterator.h | 80 +++++ saml/saml2/metadata/impl/MetadataImpl.cpp | 18 + saml/security/AbstractPKIXTrustEngine.h | 157 --------- saml/security/ChainingTrustEngine.h | 108 ------ saml/security/MetadataKeyInfoIterator.h | 80 ----- saml/security/TrustEngine.h | 117 ------- saml/security/X509TrustEngine.h | 78 ----- saml/security/impl/AbstractPKIXTrustEngine.cpp | 420 ------------------------ saml/security/impl/ChainingTrustEngine.cpp | 116 ------- saml/security/impl/ExplicitKeyTrustEngine.cpp | 141 -------- saml/security/impl/TrustEngine.cpp | 40 --- samltest/binding.h | 9 +- samltest/security/AbstractPKIXTrustEngineTest.h | 8 +- samltest/security/ExplicitKeyTrustEngineTest.h | 8 +- 32 files changed, 153 insertions(+), 1382 deletions(-) create mode 100644 saml/saml2/metadata/MetadataKeyInfoIterator.h delete mode 100644 saml/security/AbstractPKIXTrustEngine.h delete mode 100644 saml/security/ChainingTrustEngine.h delete mode 100644 saml/security/MetadataKeyInfoIterator.h delete mode 100644 saml/security/TrustEngine.h delete mode 100644 saml/security/X509TrustEngine.h delete mode 100644 saml/security/impl/AbstractPKIXTrustEngine.cpp delete mode 100644 saml/security/impl/ChainingTrustEngine.cpp delete mode 100644 saml/security/impl/ExplicitKeyTrustEngine.cpp delete mode 100644 saml/security/impl/TrustEngine.cpp diff --git a/.cdtproject b/.cdtproject index 4dbb011..4fb4fe0 100644 --- a/.cdtproject +++ b/.cdtproject @@ -76,8 +76,6 @@ - - diff --git a/configure.ac b/configure.ac index 965037e..27d37e7 100644 --- a/configure.ac +++ b/configure.ac @@ -57,29 +57,6 @@ AC_CHECK_FUNCS([strchr strdup strstr]) AC_CHECK_SIZEOF(time_t) -# libcurl settings -AC_PATH_PROG(CURL_CONFIG,curl-config) -AC_ARG_WITH(curl, - AC_HELP_STRING([--with-curl=PATH], [where curl-config is installed]), - [ - CURL_CONFIG="${with_curl}" - if ! test -f "${CURL_CONFIG}" ; then - CURL_CONFIG="${with_curl}/bin/curl-config" - fi - ]) -if test -f "${CURL_CONFIG}" ; then - LDFLAGS="`${CURL_CONFIG} --libs` $LDFLAGS" - CPPFLAGS="`${CURL_CONFIG} --cflags` $CPPFLAGS" -else - AC_MSG_ERROR([curl-config not found, may need to use --with-curl option]) -fi -AC_CHECK_HEADER([curl/curl.h],,AC_MSG_ERROR([unable to find libcurl header files])) -AC_CHECK_LIB([curl],[curl_global_init],,AC_MSG_ERROR([unable to link with libcurl])) -AC_MSG_CHECKING([for CURLOPT_SSL_CTX_FUNCTION in curl.h]) -AC_EGREP_HEADER([CURLOPT_SSL_CTX_FUNCTION], [curl/curl.h], - [AC_MSG_RESULT(yes)], - [AC_MSG_ERROR([need libcurl that supports CURLOPT_SSL_CTX_FUNCTION])]) - # zlib settings AC_ARG_WITH(zlib, AC_HELP_STRING([--with-zlib=PATH], [where zlib is installed]), diff --git a/saml/Makefile.am b/saml/Makefile.am index c5f69ec..5a7e285 100644 --- a/saml/Makefile.am +++ b/saml/Makefile.am @@ -51,13 +51,6 @@ samlbindinclude_HEADERS = \ encinclude_HEADERS = \ encryption/EncryptedKeyResolver.h -secinclude_HEADERS = \ - security/AbstractPKIXTrustEngine.h \ - security/MetadataKeyInfoIterator.h \ - security/ChainingTrustEngine.h \ - security/TrustEngine.h \ - security/X509TrustEngine.h - siginclude_HEADERS = \ signature/ContentReference.h \ signature/SignableObject.h \ @@ -102,6 +95,7 @@ saml2mdinclude_HEADERS = \ saml2/metadata/ChainingMetadataProvider.h \ saml2/metadata/Metadata.h \ saml2/metadata/MetadataFilter.h \ + saml2/metadata/MetadataKeyInfoIterator.h \ saml2/metadata/MetadataProvider.h \ saml2/metadata/ObservableMetadataProvider.h @@ -158,10 +152,6 @@ libsaml_la_SOURCES = \ saml2/binding/impl/SAML2SOAPDecoder.cpp \ saml2/binding/impl/SAML2SOAPEncoder.cpp \ encryption/EncryptedKeyResolver.cpp \ - security/impl/TrustEngine.cpp \ - security/impl/AbstractPKIXTrustEngine.cpp \ - security/impl/ChainingTrustEngine.cpp \ - security/impl/ExplicitKeyTrustEngine.cpp \ signature/ContentReference.cpp \ signature/SignatureProfileValidator.cpp \ util/SAMLConstants.cpp diff --git a/saml/SAMLConfig.cpp b/saml/SAMLConfig.cpp index 5d34221..cfecf0c 100644 --- a/saml/SAMLConfig.cpp +++ b/saml/SAMLConfig.cpp @@ -34,7 +34,6 @@ #include "saml2/core/Protocols.h" #include "saml2/metadata/Metadata.h" #include "saml2/metadata/MetadataProvider.h" -#include "security/TrustEngine.h" #include "util/SAMLConstants.h" #include @@ -122,7 +121,6 @@ bool SAMLInternalConfig::init(bool initXMLTooling) saml2md::registerMetadataProviders(); saml2md::registerMetadataFilters(); registerSAMLArtifacts(); - registerTrustEngines(); registerMessageEncoders(); registerMessageDecoders(); registerSecurityPolicyRules(); @@ -142,7 +140,6 @@ void SAMLInternalConfig::term(bool termXMLTooling) MessageDecoderManager.deregisterFactories(); MessageEncoderManager.deregisterFactories(); - TrustEngineManager.deregisterFactories(); SecurityPolicyRuleManager.deregisterFactories(); SAMLArtifactManager.deregisterFactories(); MetadataFilterManager.deregisterFactories(); diff --git a/saml/SAMLConfig.h b/saml/SAMLConfig.h index b6f620a..17c6c5a 100644 --- a/saml/SAMLConfig.h +++ b/saml/SAMLConfig.h @@ -41,7 +41,6 @@ namespace opensaml { class SAML_API MessageDecoder; class SAML_API SAMLArtifact; class SAML_API SecurityPolicyRule; - class SAML_API TrustEngine; class SAML_API URLEncoder; namespace saml2md { @@ -177,9 +176,6 @@ namespace opensaml { /** Manages factories for SecurityPolicyRule plugins. */ xmltooling::PluginManager SecurityPolicyRuleManager; - /** Manages factories for TrustEngine plugins. */ - xmltooling::PluginManager TrustEngineManager; - /** Manages factories for MetadataProvider plugins. */ xmltooling::PluginManager MetadataProviderManager; diff --git a/saml/binding/ClientCertAuthRule.h b/saml/binding/ClientCertAuthRule.h index 154d27b..0b90bd7 100644 --- a/saml/binding/ClientCertAuthRule.h +++ b/saml/binding/ClientCertAuthRule.h @@ -38,7 +38,7 @@ namespace opensaml { const xmltooling::XMLObject& message, const saml2md::MetadataProvider* metadataProvider, const xmltooling::QName* role, - const TrustEngine* trustEngine + const xmltooling::TrustEngine* trustEngine ) const; protected: diff --git a/saml/binding/MessageDecoder.h b/saml/binding/MessageDecoder.h index ef69d61..80254ba 100644 --- a/saml/binding/MessageDecoder.h +++ b/saml/binding/MessageDecoder.h @@ -30,7 +30,6 @@ namespace opensaml { class SAML_API SAMLArtifact; - class SAML_API X509TrustEngine; namespace saml1p { class SAML_API Response; }; diff --git a/saml/binding/MessageFlowRule.h b/saml/binding/MessageFlowRule.h index 632f305..9e261c5 100644 --- a/saml/binding/MessageFlowRule.h +++ b/saml/binding/MessageFlowRule.h @@ -41,7 +41,7 @@ namespace opensaml { const xmltooling::XMLObject& message, const saml2md::MetadataProvider* metadataProvider, const xmltooling::QName* role, - const TrustEngine* trustEngine + const xmltooling::TrustEngine* trustEngine ) const; /** diff --git a/saml/binding/SecurityPolicy.h b/saml/binding/SecurityPolicy.h index 2074e79..8994179 100644 --- a/saml/binding/SecurityPolicy.h +++ b/saml/binding/SecurityPolicy.h @@ -61,7 +61,7 @@ namespace opensaml { SecurityPolicy( const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const TrustEngine* trustEngine=NULL + const xmltooling::TrustEngine* trustEngine=NULL ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_metadata(metadataProvider), m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { } @@ -79,7 +79,7 @@ namespace opensaml { const std::vector& rules, const saml2md::MetadataProvider* metadataProvider=NULL, const xmltooling::QName* role=NULL, - const TrustEngine* trustEngine=NULL + const xmltooling::TrustEngine* trustEngine=NULL ) : m_issuer(NULL), m_issuerRole(NULL), m_matchingPolicy(NULL), m_rules(rules), m_metadata(metadataProvider), m_role(role ? *role : xmltooling::QName()), m_trust(trustEngine) { } @@ -109,7 +109,7 @@ namespace opensaml { * * @return the supplied TrustEngine or NULL */ - const TrustEngine* getTrustEngine() const { + const xmltooling::TrustEngine* getTrustEngine() const { return m_trust; } @@ -146,7 +146,7 @@ namespace opensaml { * * @param trust a TrustEngine or NULL */ - void setTrustEngine(const TrustEngine* trust) { + void setTrustEngine(const xmltooling::TrustEngine* trust) { m_trust = trust; } @@ -250,7 +250,7 @@ namespace opensaml { std::vector m_rules; const saml2md::MetadataProvider* m_metadata; xmltooling::QName m_role; - const TrustEngine* m_trust; + const xmltooling::TrustEngine* m_trust; }; }; diff --git a/saml/binding/SecurityPolicyRule.h b/saml/binding/SecurityPolicyRule.h index 427f5cc..517d4b4 100644 --- a/saml/binding/SecurityPolicyRule.h +++ b/saml/binding/SecurityPolicyRule.h @@ -25,10 +25,9 @@ #include #include +#include namespace opensaml { - class SAML_API TrustEngine; - namespace saml2 { class SAML_API Issuer; }; @@ -71,7 +70,7 @@ namespace opensaml { const xmltooling::XMLObject& message, const saml2md::MetadataProvider* metadataProvider, const xmltooling::QName* role, - const TrustEngine* trustEngine + const xmltooling::TrustEngine* trustEngine ) const=0; }; diff --git a/saml/binding/SimpleSigningRule.h b/saml/binding/SimpleSigningRule.h index 5a2659c..0219d9c 100644 --- a/saml/binding/SimpleSigningRule.h +++ b/saml/binding/SimpleSigningRule.h @@ -42,7 +42,7 @@ namespace opensaml { const xmltooling::XMLObject& message, const saml2md::MetadataProvider* metadataProvider, const xmltooling::QName* role, - const TrustEngine* trustEngine + const xmltooling::TrustEngine* trustEngine ) const; protected: diff --git a/saml/binding/XMLSigningRule.h b/saml/binding/XMLSigningRule.h index f4ff85e..ed499db 100644 --- a/saml/binding/XMLSigningRule.h +++ b/saml/binding/XMLSigningRule.h @@ -41,7 +41,7 @@ namespace opensaml { const xmltooling::XMLObject& message, const saml2md::MetadataProvider* metadataProvider, const xmltooling::QName* role, - const TrustEngine* trustEngine + const xmltooling::TrustEngine* trustEngine ) const; protected: diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp index fc5be31..307a1d7 100644 --- a/saml/binding/impl/ClientCertAuthRule.cpp +++ b/saml/binding/impl/ClientCertAuthRule.cpp @@ -25,8 +25,8 @@ #include "binding/ClientCertAuthRule.h" #include "saml2/metadata/Metadata.h" #include "saml2/metadata/MetadataProvider.h" -#include "security/X509TrustEngine.h" +#include #include #include #include @@ -49,7 +49,7 @@ pair ClientCertAuthRule::evaluate( const XMLObject& message, const MetadataProvider* metadataProvider, const QName* role, - const opensaml::TrustEngine* trustEngine + const TrustEngine* trustEngine ) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth"); @@ -57,8 +57,8 @@ pair ClientCertAuthRule::evaluate( pair ret = pair(NULL,NULL); - const opensaml::X509TrustEngine* x509trust; - if (!metadataProvider || !role || !(x509trust=dynamic_cast(trustEngine))) { + const X509TrustEngine* x509trust; + if (!metadataProvider || !role || !(x509trust=dynamic_cast(trustEngine))) { log.debug("ignoring message, no metadata or X509TrustEngine supplied"); return ret; } diff --git a/saml/binding/impl/MessageFlowRule.cpp b/saml/binding/impl/MessageFlowRule.cpp index 476ef69..9db7c4e 100644 --- a/saml/binding/impl/MessageFlowRule.cpp +++ b/saml/binding/impl/MessageFlowRule.cpp @@ -63,7 +63,7 @@ pair MessageFlowRule::evaluate( const XMLObject& message, const saml2md::MetadataProvider* metadataProvider, const QName* role, - const opensaml::TrustEngine* trustEngine + const TrustEngine* trustEngine ) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.MessageFlow"); diff --git a/saml/binding/impl/SimpleSigningRule.cpp b/saml/binding/impl/SimpleSigningRule.cpp index 91e53fa..3a09638 100644 --- a/saml/binding/impl/SimpleSigningRule.cpp +++ b/saml/binding/impl/SimpleSigningRule.cpp @@ -27,7 +27,6 @@ #include "saml2/core/Protocols.h" #include "saml2/metadata/Metadata.h" #include "saml2/metadata/MetadataProvider.h" -#include "security/TrustEngine.h" #include #include @@ -73,7 +72,7 @@ pair SimpleSigningRule::evaluate( const XMLObject& message, const MetadataProvider* metadataProvider, const QName* role, - const opensaml::TrustEngine* trustEngine + const TrustEngine* trustEngine ) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.SimpleSigning"); diff --git a/saml/binding/impl/XMLSigningRule.cpp b/saml/binding/impl/XMLSigningRule.cpp index d667cfd..6cc736d 100644 --- a/saml/binding/impl/XMLSigningRule.cpp +++ b/saml/binding/impl/XMLSigningRule.cpp @@ -28,7 +28,7 @@ #include "saml2/core/Protocols.h" #include "saml2/metadata/Metadata.h" #include "saml2/metadata/MetadataProvider.h" -#include "security/TrustEngine.h" +#include "signature/SignatureProfileValidator.h" #include #include @@ -52,7 +52,7 @@ pair XMLSigningRule::evaluate( const XMLObject& message, const MetadataProvider* metadataProvider, const QName* role, - const opensaml::TrustEngine* trustEngine + const TrustEngine* trustEngine ) const { Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.XMLSigning"); @@ -72,6 +72,17 @@ pair XMLSigningRule::evaluate( return ret; } + log.debug("validating signature profile"); + try { + SignatureProfileValidator sigval; + sigval.validate(signable->getSignature()); + } + catch (ValidationException& ve) { + log.error("signature profile failed to validate: %s", ve.what()); + return ret; + } + + log.debug("extracting issuer from message"); pair issuerInfo = getIssuerAndProtocol(message); diff --git a/saml/saml.vcproj b/saml/saml.vcproj index 3183249..0e5acb3 100644 --- a/saml/saml.vcproj +++ b/saml/saml.vcproj @@ -456,30 +456,6 @@ - - - - - - - - - - - - + + @@ -778,30 +758,6 @@ - - - - - - - - - - - - + #include +#include #define DECL_SAML2MDOBJECTBUILDER(cname) \ DECL_XMLOBJECTBUILDER(SAML_API,cname,samlconstants::SAML20MD_NS,samlconstants::SAML20MD_PREFIX) @@ -156,8 +158,9 @@ namespace opensaml { static const XMLCh KEYTYPE_SIGNING[]; END_XMLOBJECT; - BEGIN_XMLOBJECT4(SAML_API,RoleDescriptor,xmltooling::AttributeExtensibleXMLObject,SignableObject, - CacheableSAMLObject,TimeBoundSAMLObject,SAML 2.0 RoleDescriptor abstract element); + BEGIN_XMLOBJECT5(SAML_API,RoleDescriptor,xmltooling::AttributeExtensibleXMLObject,SignableObject, + CacheableSAMLObject,TimeBoundSAMLObject,xmltooling::KeyInfoSource, + SAML 2.0 RoleDescriptor abstract element); DECL_STRING_ATTRIB(ID,ID); DECL_STRING_ATTRIB(ProtocolSupportEnumeration,PROTOCOLSUPPORTENUMERATION); /** Searches the ProtocolSupportEnumeration attribute for the indicated protocol. */ diff --git a/saml/saml2/metadata/MetadataKeyInfoIterator.h b/saml/saml2/metadata/MetadataKeyInfoIterator.h new file mode 100644 index 0000000..73197ff --- /dev/null +++ b/saml/saml2/metadata/MetadataKeyInfoIterator.h @@ -0,0 +1,80 @@ +/* + * Copyright 2001-2006 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * MetadataKeyInfoIterator.h + * + * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface. + */ + +#ifndef __saml_keyiter_h__ +#define __saml_keyiter_h__ + +#include + +namespace opensaml { + namespace saml2md { + + /** + * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface. + */ + class SAML_API MetadataKeyInfoIterator : public xmltooling::KeyInfoIterator + { + const std::vector& m_keys; + std::vector::const_iterator m_iter; + + void advance() { + while (hasNext()) { + const XMLCh* use=(*m_iter)->getUse(); + if ((!use || !*use || XMLString::equals(use,KeyDescriptor::KEYTYPE_SIGNING)) && (*m_iter)->getKeyInfo()) + return; + m_iter++; + } + } + + public: + MetadataKeyInfoIterator(const RoleDescriptor& role) : m_keys(role.getKeyDescriptors()) { + m_iter=m_keys.begin(); + advance(); + } + + virtual ~MetadataKeyInfoIterator() {} + + /** + * Indicates whether additional KeyInfo objects are available. + * + * @return true iff another KeyInfo object can be fetched + */ + virtual bool hasNext() const { + return m_iter!=m_keys.end(); + } + + /** + * Returns the next KeyInfo object available. + * + * @return the next KeyInfo object, or NULL if none are left + */ + virtual const xmlsignature::KeyInfo* next() { + xmlsignature::KeyInfo* ret = (*m_iter)->getKeyInfo(); + m_iter++; + advance(); + return ret; + } + }; + }; +}; + +#endif /* __saml_keyiter_h__ */ diff --git a/saml/saml2/metadata/impl/MetadataImpl.cpp b/saml/saml2/metadata/impl/MetadataImpl.cpp index 372a34a..d2fea81 100644 --- a/saml/saml2/metadata/impl/MetadataImpl.cpp +++ b/saml/saml2/metadata/impl/MetadataImpl.cpp @@ -23,6 +23,7 @@ #include "internal.h" #include "exceptions.h" #include "saml2/metadata/Metadata.h" +#include "saml2/metadata/MetadataKeyInfoIterator.h" #include #include @@ -956,6 +957,23 @@ namespace opensaml { m_Signature->setContentReference(new opensaml::ContentReference(*this)); } + KeyInfoIterator* getKeyInfoIterator() const { + return new MetadataKeyInfoIterator(*this); + } + + std::string getName() const { + const EntityDescriptor* parent = dynamic_cast(getParent()); + if (parent) { + char* ch = toUTF8(parent->getEntityID()); + if (ch) { + string s(ch); + delete[] ch; + return s; + } + } + return ""; + } + IMPL_ID_ATTRIB(ID); IMPL_STRING_ATTRIB(ProtocolSupportEnumeration); IMPL_STRING_ATTRIB(ErrorURL); diff --git a/saml/security/AbstractPKIXTrustEngine.h b/saml/security/AbstractPKIXTrustEngine.h deleted file mode 100644 index 4df5422..0000000 --- a/saml/security/AbstractPKIXTrustEngine.h +++ /dev/null @@ -1,157 +0,0 @@ -/* - * Copyright 2001-2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * @file saml/security/AbstractPKIXTrustEngine.h - * - * A trust engine that uses X.509 trust anchors and CRLs associated with a role - * to perform PKIX validation of signatures and certificates. - */ - -#ifndef __saml_pkixtrust_h__ -#define __saml_pkixtrust_h__ - -#include -#include - -namespace opensaml { - - /** - * A trust engine that uses X.509 trust anchors and CRLs associated with a role - * to perform PKIX validation of signatures and certificates. - */ - class SAML_API AbstractPKIXTrustEngine : public X509TrustEngine - { - protected: - /** - * Constructor. - * - * If a DOM is supplied, the following XML content is supported: - * - *
    - *
  • <KeyResolver> elements with a type attribute - *
- * - * XML namespaces are ignored in the processing of this content. - * - * @param e DOM to supply configuration for provider - */ - AbstractPKIXTrustEngine(const DOMElement* e=NULL); - - /** - * Checks that either the ID for the entity with the given role or the key names - * for the given role match the subject or subject alternate names - * of the entity's certificate. - * - * @param certEE the credential for the entity to validate - * @param role the descriptor of the role the entity is supposed to be acting in - * - * @return true the name check succeeds, false if not - */ - bool checkEntityNames(XSECCryptoX509* certEE, const saml2md::RoleDescriptor& role) const; - - /** An inline KeyResolver for extracting certificates out of a signature. */ - xmlsignature::KeyResolver* m_inlineResolver; - - public: - virtual ~AbstractPKIXTrustEngine(); - - virtual bool validate( - xmlsignature::Signature& sig, - const saml2md::RoleDescriptor& role, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const; - - virtual bool validate( - const XMLCh* sigAlgorithm, - const char* sig, - xmlsignature::KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const saml2md::RoleDescriptor& role, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const; - - virtual bool validate( - XSECCryptoX509* certEE, - const std::vector& certChain, - const saml2md::RoleDescriptor& role, - bool checkName=true, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const; - - /** - * Stateful interface that supplies PKIX validation data to the trust engine. - * Applications can adapt this TrustEngine to their environment by returning - * implementations of this interface from the getPKIXValidationInfoIterator - * method. - */ - class SAML_API PKIXValidationInfoIterator { - MAKE_NONCOPYABLE(PKIXValidationInfoIterator); - protected: - PKIXValidationInfoIterator() {} - public: - virtual ~PKIXValidationInfoIterator() {} - - /** - * Advances to the next set of information, if any. - * - * @return true iff another set of information is available - */ - virtual bool next()=0; - - /** - * Returns the allowable trust chain verification depth for the - * validation data in the current position. - * - * @return allowable trust chain verification depth - */ - virtual int getVerificationDepth() const=0; - - /** - * Returns the set of trust anchors for the validation data in the - * current position. Keeping the certificates beyond the lifetime - * of the iterator or after advancing to the next position requires - * copying them. - * - * @return set of trust anchors - */ - virtual const std::vector& getTrustAnchors() const=0; - - /** - * Returns the set of CRLs for the validation data in the - * current position. Keeping the CRLs beyond the lifetime - * of the iterator or after advancing to the next position requires - * copying them. - * - * @return set of CRLs - */ - virtual const std::vector& getCRLs() const=0; - }; - - /** - * Provides access to the information necessary, for the given role, for - * PKIX validation of credentials. Each set of validation information returned - * will be tried, in turn, until one succeeds or no more remain. - * The caller must free the returned interface when finished with it. - * - * @return interface for obtaining validation data - */ - virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const saml2md::RoleDescriptor& role) const=0; - }; -}; - -#endif /* __saml_pkixtrust_h__ */ diff --git a/saml/security/ChainingTrustEngine.h b/saml/security/ChainingTrustEngine.h deleted file mode 100644 index b4f9c78..0000000 --- a/saml/security/ChainingTrustEngine.h +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright 2001-2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * @file saml/security/ChainingTrustEngine.h - * - * X509TrustEngine that uses multiple engines in sequence. - */ - -#ifndef __saml_chaintrust_h__ -#define __saml_chaintrust_h__ - -#include - -namespace opensaml { - - /** - * X509TrustEngine that uses multiple engines in sequence. - */ - class SAML_API ChainingTrustEngine : public X509TrustEngine { - public: - /** - * Constructor. - * - * If a DOM is supplied, the following XML content is supported: - * - *
    - *
  • <TrustEngine> elements with a type attribute - *
- * - * XML namespaces are ignored in the processing of this content. - * - * @param e DOM to supply configuration for provider - */ - ChainingTrustEngine(const DOMElement* e=NULL); - - /** - * Destructor will delete any embedded engines. - */ - virtual ~ChainingTrustEngine(); - - /** - * Adds a trust engine for future calls. - * - * @param newEngine trust engine to add - */ - void addTrustEngine(X509TrustEngine* newEngine) { - m_engines.push_back(newEngine); - } - - /** - * Removes a trust engine. The caller must delete the engine if necessary. - * - * @param oldEngine trust engine to remove - * @return the old engine - */ - X509TrustEngine* removeTrustEngine(X509TrustEngine* oldEngine) { - for (std::vector::iterator i=m_engines.begin(); i!=m_engines.end(); i++) { - if (oldEngine==(*i)) { - m_engines.erase(i); - return oldEngine; - } - } - return NULL; - } - - virtual bool validate( - xmlsignature::Signature& sig, - const saml2md::RoleDescriptor& role, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const; - virtual bool validate( - const XMLCh* sigAlgorithm, - const char* sig, - xmlsignature::KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const saml2md::RoleDescriptor& role, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const; - virtual bool validate( - XSECCryptoX509* certEE, - const std::vector& certChain, - const saml2md::RoleDescriptor& role, - bool checkName=true, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const; - - private: - std::vector m_engines; - }; - -}; - -#endif /* __saml_chaintrust_h__ */ diff --git a/saml/security/MetadataKeyInfoIterator.h b/saml/security/MetadataKeyInfoIterator.h deleted file mode 100644 index 98125c6..0000000 --- a/saml/security/MetadataKeyInfoIterator.h +++ /dev/null @@ -1,80 +0,0 @@ -/* - * Copyright 2001-2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * MetadataKeyInfoIterator.h - * - * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface. - */ - -#ifndef __saml_keyiter_h__ -#define __saml_keyiter_h__ - -#include - -#include - -namespace opensaml { - - /** - * Adapter between SAML metadata and TrustEngine KeyInfoIterator interface. - */ - class SAML_API MetadataKeyInfoIterator : public xmltooling::TrustEngine::KeyInfoIterator - { - const std::vector& m_keys; - std::vector::const_iterator m_iter; - - void advance() { - while (hasNext()) { - const XMLCh* use=(*m_iter)->getUse(); - if ((!use || !*use || XMLString::equals(use,saml2md::KeyDescriptor::KEYTYPE_SIGNING)) && (*m_iter)->getKeyInfo()) - return; - m_iter++; - } - } - - public: - MetadataKeyInfoIterator(const saml2md::RoleDescriptor& role) : m_keys(role.getKeyDescriptors()) { - m_iter=m_keys.begin(); - advance(); - } - - virtual ~MetadataKeyInfoIterator() {} - - /** - * Indicates whether additional KeyInfo objects are available. - * - * @return true iff another KeyInfo object can be fetched - */ - virtual bool hasNext() const { - return m_iter!=m_keys.end(); - } - - /** - * Returns the next KeyInfo object available. - * - * @return the next KeyInfo object, or NULL if none are left - */ - virtual const xmlsignature::KeyInfo* next() { - xmlsignature::KeyInfo* ret = (*m_iter)->getKeyInfo(); - m_iter++; - advance(); - return ret; - } - }; -}; - -#endif /* __saml_keyiter_h__ */ diff --git a/saml/security/TrustEngine.h b/saml/security/TrustEngine.h deleted file mode 100644 index aeb76d9..0000000 --- a/saml/security/TrustEngine.h +++ /dev/null @@ -1,117 +0,0 @@ -/* - * Copyright 2001-2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * @file saml/security/TrustEngine.h - * - * SAML-specific TrustEngine API - */ - -#ifndef __saml_trust_h__ -#define __saml_trust_h__ - -#include -#include -#include - -namespace opensaml { - - /** - * Adapts SAML metadata as a source of KeyInfo for a TrustEngine - * and adds SAML-specific signature validation. - */ - class SAML_API TrustEngine { - MAKE_NONCOPYABLE(TrustEngine); - protected: - /** - * Constructor. - * - * If a DOM is supplied, the following XML content is supported: - * - *
    - *
  • <KeyResolver> elements with a type attribute - *
- * - * XML namespaces are ignored in the processing of this content. - * - * @param e DOM to supply configuration for provider - */ - TrustEngine(const DOMElement* e=NULL) {} - - public: - virtual ~TrustEngine() {} - - /** - * Determines whether a signed SAML object is correct and valid with respect - * to the information known about the issuer. - * - * A custom KeyResolver can be supplied from outside the TrustEngine. - * Alternatively, one may be specified to the plugin constructor. - * A non-caching, inline resolver will be used as a fallback. - * - * @param sig reference to a signature object to validate - * @param role metadata role supplying key information - * @param keyResolver optional externally supplied KeyResolver, or NULL - * @return true iff the signature validates - */ - virtual bool validate( - xmlsignature::Signature& sig, - const saml2md::RoleDescriptor& role, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const=0; - - /** - * Determines whether a raw signature is correct and valid with respect to - * the information known about the signer. - * - *

A custom KeyResolver can be supplied from outside the TrustEngine. - * Alternatively, one may be specified to the plugin constructor. - * A non-caching, inline resolver will be used as a fallback. - * - * @param sigAlgorithm XML Signature identifier for the algorithm used - * @param sig null-terminated base64-encoded signature value - * @param keyInfo KeyInfo object accompanying the signature, if any - * @param in the input data over which the signature was created - * @param in_len size of input data in bytes - * @param role metadata role supplying key information - * @param keyResolver optional externally supplied KeyResolver, or NULL - * @return true iff the signature validates - */ - virtual bool validate( - const XMLCh* sigAlgorithm, - const char* sig, - xmlsignature::KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const saml2md::RoleDescriptor& role, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const=0; - }; - - - /** - * Registers TrustEngine classes into the runtime. - */ - void SAML_API registerTrustEngines(); - - /** TrustEngine based on explicit key information resolved from metadata. */ - #define EXPLICIT_KEY_SAMLTRUSTENGINE "org.opensaml.security.ExplicitKeyTrustEngine" - - /** TrustEngine that tries multiple engines in sequence. */ - #define CHAINING_SAMLTRUSTENGINE "org.opensaml.security.ChainingTrustEngine" -}; - -#endif /* __saml_trust_h__ */ diff --git a/saml/security/X509TrustEngine.h b/saml/security/X509TrustEngine.h deleted file mode 100644 index 848e97f..0000000 --- a/saml/security/X509TrustEngine.h +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Copyright 2001-2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * @file saml/security/X509TrustEngine.h - * - * Extended TrustEngine interface that adds validation of X.509 credentials. - */ - -#ifndef __saml_x509trust_h__ -#define __saml_x509trust_h__ - -#include - -namespace opensaml { - - /** - * Extended TrustEngine interface that adds validation of X.509 credentials. - */ - class SAML_API X509TrustEngine : public TrustEngine { - protected: - /** - * Constructor. - * - * If a DOM is supplied, the following XML content is supported: - * - *

    - *
  • <KeyResolver> elements with a type attribute - *
- * - * XML namespaces are ignored in the processing of this content. - * - * @param e DOM to supply configuration for provider - */ - X509TrustEngine(const DOMElement* e=NULL) : TrustEngine(e) {} - - public: - virtual ~X509TrustEngine() {} - - /** - * Determines whether an X.509 credential is valid with respect - * to the information known about the peer. - * - * A custom KeyResolver can be supplied from outside the TrustEngine. - * Alternatively, one may be specified to the plugin constructor. - * A non-caching, inline resolver will be used as a fallback. - * - * @param certEE end-entity certificate to validate - * @param certChain the complete set of certificates presented for validation (includes certEE) - * @param role metadata role supplying key information - * @param checkName true iff certificate subject/name checking has NOT already occurred - * @param keyResolver optional externally supplied KeyResolver, or NULL - */ - virtual bool validate( - XSECCryptoX509* certEE, - const std::vector& certChain, - const saml2md::RoleDescriptor& role, - bool checkName=true, - const xmlsignature::KeyResolver* keyResolver=NULL - ) const=0; - }; - -}; - -#endif /* __saml_x509trust_h__ */ diff --git a/saml/security/impl/AbstractPKIXTrustEngine.cpp b/saml/security/impl/AbstractPKIXTrustEngine.cpp deleted file mode 100644 index 717c438..0000000 --- a/saml/security/impl/AbstractPKIXTrustEngine.cpp +++ /dev/null @@ -1,420 +0,0 @@ -/* - * Copyright 2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * AbstractPKIXTrustEngine.cpp - * - * A trust engine that uses X.509 trust anchors and CRLs associated with a role - * to perform PKIX validation of signatures and certificates. - */ - -#include "internal.h" -#include "security/AbstractPKIXTrustEngine.h" -#include "signature/SignatureProfileValidator.h" - -#include -#include -#include -#include -#include -#include -#include - -using namespace opensaml::saml2md; -using namespace opensaml; -using namespace xmlsignature; -using namespace xmltooling; -using namespace log4cpp; -using namespace std; - -AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const DOMElement* e) : X509TrustEngine(e), m_inlineResolver(NULL) -{ - m_inlineResolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(INLINE_KEY_RESOLVER,NULL); -} - -AbstractPKIXTrustEngine::~AbstractPKIXTrustEngine() -{ - delete m_inlineResolver; -} - -namespace { - static int SAML_DLLLOCAL error_callback(int ok, X509_STORE_CTX* ctx) - { - if (!ok) - Category::getInstance("OpenSSL").error("path validation failure: %s", X509_verify_cert_error_string(ctx->error)); - return ok; - } - - static bool SAML_DLLLOCAL validate( - X509* EE, STACK_OF(X509)* untrusted, AbstractPKIXTrustEngine::PKIXValidationInfoIterator* pkixInfo - ) - { - Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine"); - - // First we build a stack of CA certs. These objects are all referenced in place. - log.debug("building CA list from PKIX Validation information"); - - // We need this for CRL support. - X509_STORE* store=X509_STORE_new(); - if (!store) { - log_openssl(); - return false; - } - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK_ALL); - #endif - - STACK_OF(X509)* CAstack = sk_X509_new_null(); - - // This contains the state of the validate operation. - X509_STORE_CTX ctx; - - const vector& CAcerts = pkixInfo->getTrustAnchors(); - for (vector::const_iterator i=CAcerts.begin(); i!=CAcerts.end(); ++i) { - if ((*i)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) { - sk_X509_push(CAstack,static_cast(*i)->getOpenSSLX509()); - } - } - - const vector& crls = pkixInfo->getCRLs(); - for (vector::const_iterator j=crls.begin(); j!=crls.end(); ++j) { - if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) { - // owned by store - X509_STORE_add_crl( - store, - X509_CRL_dup(static_cast(*j)->getOpenSSLX509CRL()) - ); - } - } - - // AFAICT, EE and untrusted are passed in but not owned by the ctx. - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - if (X509_STORE_CTX_init(&ctx,store,EE,untrusted)!=1) { - log_openssl(); - log.error("unable to initialize X509_STORE_CTX"); - sk_X509_free(CAstack); - X509_STORE_free(store); - return false; - } - #else - X509_STORE_CTX_init(&ctx,store,EE,untrusted); - #endif - - // Seems to be most efficient to just pass in the CA stack. - X509_STORE_CTX_trusted_stack(&ctx,CAstack); - X509_STORE_CTX_set_depth(&ctx,100); // we check the depth down below - X509_STORE_CTX_set_verify_cb(&ctx,error_callback); - - int ret=X509_verify_cert(&ctx); - if (ret==1) { - // Now see if the depth was acceptable by counting the number of intermediates. - int depth=sk_X509_num(ctx.chain)-2; - if (pkixInfo->getVerificationDepth() < depth) { - log.error( - "certificate chain was too long (%d intermediates, only %d allowed)", - (depth==-1) ? 0 : depth, - pkixInfo->getVerificationDepth() - ); - ret=0; - } - } - - // Clean up... - X509_STORE_CTX_cleanup(&ctx); - X509_STORE_free(store); - sk_X509_free(CAstack); - - if (ret==1) { - log.info("successfully validated certificate chain"); - return true; - } - - return false; - } -}; - -bool AbstractPKIXTrustEngine::checkEntityNames(XSECCryptoX509* certEE, const RoleDescriptor& role) const -{ - Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine"); - - // Build a list of acceptable names. Transcode the possible key "names" to UTF-8. - // For some simple cases, this should handle UTF-8 encoded DNs in certificates. - vector keynames; - const vector& keydescs=role.getKeyDescriptors(); - for (vector::const_iterator kd_i=keydescs.begin(); kd_i!=keydescs.end(); ++kd_i) { - const XMLCh* use=(*kd_i)->getUse(); - const KeyInfo* keyInfo = (*kd_i)->getKeyInfo(); - if (keyInfo && use && XMLString::equals(use,KeyDescriptor::KEYTYPE_ENCRYPTION)) - continue; - const vector& knames=keyInfo->getKeyNames(); - for (vector::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) { - const XMLCh* n=(*kn_i)->getName(); - if (n && *n) { - char* kn=toUTF8(n); - keynames.push_back(kn); - delete[] kn; - } - } - } - - EntityDescriptor* parent=dynamic_cast(role.getParent()); - if (parent) { - const XMLCh* eid=parent->getEntityID(); - if (eid && *eid) { - char* kn=toUTF8(eid); - keynames.push_back(kn); - delete[] kn; - } - } - - char buf[256]; - X509* x=static_cast(certEE)->getOpenSSLX509(); - X509_NAME* subject=X509_get_subject_name(x); - if (subject) { - // One way is a direct match to the subject DN. - // Seems that the way to do the compare is to write the X509_NAME into a BIO. - BIO* b = BIO_new(BIO_s_mem()); - BIO* b2 = BIO_new(BIO_s_mem()); - BIO_set_mem_eof_return(b, 0); - BIO_set_mem_eof_return(b2, 0); - // The flags give us LDAP order instead of X.500, with a comma separator. - int len=X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253); - string subjectstr,subjectstr2; - BIO_flush(b); - while ((len = BIO_read(b, buf, 255)) > 0) { - buf[len] = '\0'; - subjectstr+=buf; - } - log.infoStream() << "certificate subject: " << subjectstr << CategoryStream::ENDLINE; - // The flags give us LDAP order instead of X.500, with a comma plus space separator. - len=X509_NAME_print_ex(b2,subject,0,XN_FLAG_RFC2253 + XN_FLAG_SEP_CPLUS_SPC - XN_FLAG_SEP_COMMA_PLUS); - BIO_flush(b2); - while ((len = BIO_read(b2, buf, 255)) > 0) { - buf[len] = '\0'; - subjectstr2+=buf; - } - - // Check each keyname. - for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { -#ifdef HAVE_STRCASECMP - if (!strcasecmp(n->c_str(),subjectstr.c_str()) || !strcasecmp(n->c_str(),subjectstr2.c_str())) { -#else - if (!stricmp(n->c_str(),subjectstr.c_str()) || !stricmp(n->c_str(),subjectstr2.c_str())) { -#endif - log.info("matched full subject DN to a key name (%s)", n->c_str()); - BIO_free(b); - BIO_free(b2); - return true; - } - } - BIO_free(b); - BIO_free(b2); - - log.debug("unable to match DN, trying TLS subjectAltName match"); - STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); - if (altnames) { - int numalts = sk_GENERAL_NAME_num(altnames); - for (int an=0; antype==GEN_DNS || check->type==GEN_URI) { - const char* altptr = (char*)ASN1_STRING_data(check->d.ia5); - const int altlen = ASN1_STRING_length(check->d.ia5); - - for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { -#ifdef HAVE_STRCASECMP - if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen)) -#else - if ((check->type==GEN_DNS && !strnicmp(altptr,n->c_str(),altlen)) -#endif - || (check->type==GEN_URI && !strncmp(altptr,n->c_str(),altlen))) { - log.info("matched DNS/URI subjectAltName to a key name (%s)", n->c_str()); - GENERAL_NAMES_free(altnames); - return true; - } - } - } - } - } - GENERAL_NAMES_free(altnames); - - log.debug("unable to match subjectAltName, trying TLS CN match"); - memset(buf,0,sizeof(buf)); - if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0) { - for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { -#ifdef HAVE_STRCASECMP - if (!strcasecmp(buf,n->c_str())) { -#else - if (!stricmp(buf,n->c_str())) { -#endif - log.info("matched subject CN to a key name (%s)", n->c_str()); - return true; - } - } - } - else - log.warn("no common name in certificate subject"); - } - else - log.error("certificate has no subject?!"); - - return false; -} - -bool AbstractPKIXTrustEngine::validate( - XSECCryptoX509* certEE, - const vector& certChain, - const RoleDescriptor& role, - bool checkName, - const KeyResolver* keyResolver - ) const -{ -#ifdef _DEBUG - NDC ndc("validate"); -#endif - Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine"); - - if (!certEE) { - log.error("X.509 credential was NULL, unable to perform validation"); - return false; - } - - if (checkName) { - log.debug("checking that the entity certificate name is acceptable"); - if (!checkEntityNames(certEE,role)) { - log.error("entity certificate name was not acceptable"); - return false; - } - } - - log.debug("performing certificate path validation..."); - - STACK_OF(X509)* untrusted=sk_X509_new_null(); - for (vector::const_iterator i=certChain.begin(); i!=certChain.end(); ++i) { - sk_X509_push(untrusted,static_cast(*i)->getOpenSSLX509()); - } - - auto_ptr pkix(getPKIXValidationInfoIterator(role)); - while (pkix->next()) { - if (::validate(static_cast(certEE)->getOpenSSLX509(),untrusted,pkix.get())) { - sk_X509_free(untrusted); - return true; - } - } - - sk_X509_free(untrusted); - log.error("failed to validate certificate chain using supplied PKIX information"); - return false; -} - -bool AbstractPKIXTrustEngine::validate(Signature& sig, const RoleDescriptor& role, const KeyResolver* keyResolver) const -{ -#ifdef _DEBUG - NDC ndc("validate"); -#endif - Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine"); - - log.debug("attempting to validate signature profile"); - SignatureProfileValidator sigValidator; - try { - sigValidator.validate(&sig); - log.debug("signature profile validated"); - } - catch (ValidationException& e) { - if (log.isDebugEnabled()) { - log.debug("signature profile failed to validate: %s", e.what()); - } - return false; - } - - // Pull the certificate chain out of the signature using an inline KeyResolver. - KeyResolver::ResolvedCertificates certs; - if (0==m_inlineResolver->resolveCertificates(&sig, certs)) { - log.error("unable to perform PKIX validation, signature does not contain any certificates"); - return false; - } - - log.debug("validating signature using certificate from within the signature"); - - // Find and save off a pointer to the certificate that unlocks the object. - // Most of the time, this will be the first one anyway. - XSECCryptoX509* certEE=NULL; - SignatureValidator keyValidator; - for (vector::const_iterator i=certs.v().begin(); !certEE && i!=certs.v().end(); ++i) { - try { - keyValidator.setKey((*i)->clonePublicKey()); - keyValidator.validate(&sig); - log.info("signature verified with key inside signature, attempting certificate validation..."); - certEE=(*i); - } - catch (ValidationException&) { - // trap failures - } - } - - if (certEE) - return validate(certEE,certs.v(),role,true,keyResolver); - - log.error("failed to verify signature with embedded certificates"); - return false; -} - -bool AbstractPKIXTrustEngine::validate( - const XMLCh* sigAlgorithm, - const char* sig, - KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const RoleDescriptor& role, - const KeyResolver* keyResolver - ) const -{ -#ifdef _DEBUG - NDC ndc("validate"); -#endif - Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine"); - - // Pull the certificate chain out of the KeyInfo using an inline KeyResolver. - KeyResolver::ResolvedCertificates certs; - if (!keyInfo || 0==m_inlineResolver->resolveCertificates(keyInfo, certs)) { - log.error("unable to perform PKIX validation, KeyInfo does not contain any certificates"); - return false; - } - - log.debug("validating signature using certificate from within KeyInfo"); - - // Find and save off a pointer to the certificate that unlocks the object. - // Most of the time, this will be the first one anyway. - XSECCryptoX509* certEE=NULL; - SignatureValidator keyValidator; - for (vector::const_iterator i=certs.v().begin(); !certEE && i!=certs.v().end(); ++i) { - try { - auto_ptr key((*i)->clonePublicKey()); - if (Signature::verifyRawSignature(key.get(), sigAlgorithm, sig, in, in_len)) { - log.info("signature verified with key inside signature, attempting certificate validation..."); - certEE=(*i); - } - } - catch (SignatureException&) { - // trap failures - } - } - - if (certEE) - return validate(certEE,certs.v(),role,true,keyResolver); - - log.error("failed to verify signature with embedded certificates"); - return false; -} diff --git a/saml/security/impl/ChainingTrustEngine.cpp b/saml/security/impl/ChainingTrustEngine.cpp deleted file mode 100644 index 4d61107..0000000 --- a/saml/security/impl/ChainingTrustEngine.cpp +++ /dev/null @@ -1,116 +0,0 @@ -/* - * Copyright 2001-2005 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * ChainingTrustEngine.cpp - * - * TrustEngine that uses multiple engines in sequence. - */ - -#include "internal.h" -#include "exceptions.h" -#include "security/ChainingTrustEngine.h" - -using namespace opensaml::saml2md; -using namespace opensaml; -using namespace xmlsignature; -using namespace std; - -namespace opensaml { - TrustEngine* SAML_DLLLOCAL ChainingTrustEngineFactory(const DOMElement* const & e) - { - return new ChainingTrustEngine(e); - } -}; - -static const XMLCh GenericTrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e); -static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); - -ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) { - try { - e = e ? xmltooling::XMLHelper::getFirstChildElement(e, GenericTrustEngine) : NULL; - while (e) { - xmltooling::auto_ptr_char temp(e->getAttributeNS(NULL,type)); - if (temp.get()) { - auto_ptr engine( - SAMLConfig::getConfig().TrustEngineManager.newPlugin(temp.get(), e) - ); - X509TrustEngine* x509 = dynamic_cast(engine.get()); - if (x509) { - m_engines.push_back(x509); - engine.release(); - } - else { - throw xmltooling::UnknownExtensionException("Embedded trust engine does not support required interface."); - } - } - e = xmltooling::XMLHelper::getNextSiblingElement(e, GenericTrustEngine); - } - } - catch (xmltooling::XMLToolingException&) { - for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup()); - throw; - } -} - -ChainingTrustEngine::~ChainingTrustEngine() { - for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup()); -} - -bool ChainingTrustEngine::validate( - Signature& sig, - const RoleDescriptor& role, - const KeyResolver* keyResolver - ) const -{ - for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) { - if (static_cast(*i)->validate(sig,role,keyResolver)) - return true; - } - return false; -} - -bool ChainingTrustEngine::validate( - const XMLCh* sigAlgorithm, - const char* sig, - KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const RoleDescriptor& role, - const KeyResolver* keyResolver - ) const -{ - for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) { - if (static_cast(*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, role, keyResolver)) - return true; - } - return false; -} - -bool ChainingTrustEngine::validate( - XSECCryptoX509* certEE, - const vector& certChain, - const RoleDescriptor& role, - bool checkName, - const KeyResolver* keyResolver - ) const -{ - for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) { - if ((*i)->validate(certEE,certChain,role,checkName,keyResolver)) - return true; - } - return false; -} diff --git a/saml/security/impl/ExplicitKeyTrustEngine.cpp b/saml/security/impl/ExplicitKeyTrustEngine.cpp deleted file mode 100644 index 34219a6..0000000 --- a/saml/security/impl/ExplicitKeyTrustEngine.cpp +++ /dev/null @@ -1,141 +0,0 @@ -/* - * Copyright 2001-2005 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * ExplicitKeyTrustEngine.cpp - * - * TrustEngine based on explicit knowledge of peer key information. - */ - -#include "internal.h" -#include "exceptions.h" -#include "security/MetadataKeyInfoIterator.h" -#include "security/X509TrustEngine.h" -#include "signature/SignatureProfileValidator.h" - -#include -#include -#include - -using namespace opensaml::saml2md; -using namespace opensaml; -using namespace xmlsignature; -using namespace log4cpp; -using namespace std; - -namespace opensaml { - class SAML_DLLLOCAL ExplicitKeyTrustEngine : public X509TrustEngine - { - public: - ExplicitKeyTrustEngine(const DOMElement* e) : X509TrustEngine(e), m_engine(NULL) { - auto_ptr engine( - xmltooling::XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE, e) - ); - if (m_engine=dynamic_cast(engine.get())) - engine.release(); - else - throw xmltooling::UnknownExtensionException("Embedded trust engine does not support required interface."); - } - - virtual ~ExplicitKeyTrustEngine() { - delete m_engine; - } - - virtual bool validate( - Signature& sig, - const RoleDescriptor& role, - const KeyResolver* keyResolver=NULL - ) const; - virtual bool validate( - const XMLCh* sigAlgorithm, - const char* sig, - KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const RoleDescriptor& role, - const KeyResolver* keyResolver=NULL - ) const; - virtual bool validate( - XSECCryptoX509* certEE, - const vector& certChain, - const RoleDescriptor& role, - bool checkName=true, - const KeyResolver* keyResolver=NULL - ) const; - - private: - xmltooling::X509TrustEngine* m_engine; - }; - - TrustEngine* SAML_DLLLOCAL ExplicitKeyTrustEngineFactory(const DOMElement* const & e) - { - return new ExplicitKeyTrustEngine(e); - } -}; - -bool ExplicitKeyTrustEngine::validate( - Signature& sig, - const RoleDescriptor& role, - const KeyResolver* keyResolver - ) const -{ -#ifdef _DEBUG - xmltooling::NDC ndc("validate"); -#endif - Category& log=Category::getInstance(SAML_LOGCAT".TrustEngine"); - - log.debug("attempting to validate signature profile"); - SignatureProfileValidator sigValidator; - try { - sigValidator.validate(&sig); - log.debug("signature profile validated"); - } - catch (xmltooling::ValidationException& e) { - if (log.isDebugEnabled()) { - log.debug("signature profile failed to validate: %s", e.what()); - } - return false; - } - - MetadataKeyInfoIterator keys(role); - return static_cast(m_engine)->validate(sig,keys,keyResolver); -} - -bool ExplicitKeyTrustEngine::validate( - const XMLCh* sigAlgorithm, - const char* sig, - KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const RoleDescriptor& role, - const KeyResolver* keyResolver - ) const -{ - MetadataKeyInfoIterator keys(role); - return static_cast(m_engine)->validate(sigAlgorithm,sig,keyInfo,in,in_len,keys,keyResolver); -} - -bool ExplicitKeyTrustEngine::validate( - XSECCryptoX509* certEE, - const vector& certChain, - const RoleDescriptor& role, - bool checkName, - const KeyResolver* keyResolver - ) const -{ - MetadataKeyInfoIterator keys(role); - return m_engine->validate(certEE,certChain,keys,checkName,keyResolver); -} diff --git a/saml/security/impl/TrustEngine.cpp b/saml/security/impl/TrustEngine.cpp deleted file mode 100644 index e33f4b0..0000000 --- a/saml/security/impl/TrustEngine.cpp +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright 2001-2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * TrustEngine.cpp - * - * Registration of factories for built-in engines - */ - -#include "internal.h" -#include "security/TrustEngine.h" - -using namespace opensaml; -using namespace xmltooling; -using namespace std; - -namespace opensaml { - SAML_DLLLOCAL PluginManager::Factory ExplicitKeyTrustEngineFactory; - SAML_DLLLOCAL PluginManager::Factory ChainingTrustEngineFactory; -}; - -void SAML_API opensaml::registerTrustEngines() -{ - SAMLConfig& conf=SAMLConfig::getConfig(); - conf.TrustEngineManager.registerFactory(EXPLICIT_KEY_SAMLTRUSTENGINE, ExplicitKeyTrustEngineFactory); - conf.TrustEngineManager.registerFactory(CHAINING_SAMLTRUSTENGINE, ChainingTrustEngineFactory); -} diff --git a/samltest/binding.h b/samltest/binding.h index 13638f1..b412be8 100644 --- a/samltest/binding.h +++ b/samltest/binding.h @@ -22,10 +22,11 @@ #include #include #include +#include #include -#include +#include -using namespace saml2md; +using namespace opensaml::saml2md; using namespace xmlsignature; class SAMLBindingBaseTestCase : public HTTPRequest, public HTTPResponse @@ -33,7 +34,7 @@ class SAMLBindingBaseTestCase : public HTTPRequest, public HTTPResponse protected: CredentialResolver* m_creds; MetadataProvider* m_metadata; - opensaml::TrustEngine* m_trust; + TrustEngine* m_trust; map m_fields; map m_headers; string m_method,m_url,m_query; @@ -75,7 +76,7 @@ public: FILESYSTEM_CREDENTIAL_RESOLVER,doc2->getDocumentElement() ); - m_trust = SAMLConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_SAMLTRUSTENGINE, NULL); + m_trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE, NULL); m_rules.push_back(SAMLConfig::getConfig().SecurityPolicyRuleManager.newPlugin(MESSAGEFLOW_POLICY_RULE,NULL)); m_rules.push_back(SAMLConfig::getConfig().SecurityPolicyRuleManager.newPlugin(SIMPLESIGNING_POLICY_RULE,NULL)); diff --git a/samltest/security/AbstractPKIXTrustEngineTest.h b/samltest/security/AbstractPKIXTrustEngineTest.h index d27d2c0..422bf94 100644 --- a/samltest/security/AbstractPKIXTrustEngineTest.h +++ b/samltest/security/AbstractPKIXTrustEngineTest.h @@ -16,8 +16,9 @@ #include "internal.h" #include -#include +#include #include +#include using namespace opensaml::saml2; using namespace opensaml::saml2md; @@ -70,7 +71,8 @@ namespace { } }; - PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const RoleDescriptor& role) const { + PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const KeyInfoSource& keyInfoSource) const { + dynamic_cast(keyInfoSource); return new SampleIterator(); } }; @@ -110,7 +112,7 @@ public: } // Build trust engine. - auto_ptr trustEngine(new SampleTrustEngine()); + auto_ptr trustEngine(new SampleTrustEngine()); // Get signed assertion. config = data_path + "signature/SAML2Assertion.xml"; diff --git a/samltest/security/ExplicitKeyTrustEngineTest.h b/samltest/security/ExplicitKeyTrustEngineTest.h index ebb8e2f..78271bf 100644 --- a/samltest/security/ExplicitKeyTrustEngineTest.h +++ b/samltest/security/ExplicitKeyTrustEngineTest.h @@ -16,8 +16,10 @@ #include "internal.h" #include -#include +#include +#include #include +#include using namespace opensaml::saml2; using namespace opensaml::saml2md; @@ -57,8 +59,8 @@ public: } // Build trust engine. - auto_ptr trustEngine( - SAMLConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_SAMLTRUSTENGINE, NULL) + auto_ptr trustEngine( + XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(EXPLICIT_KEY_TRUSTENGINE, NULL) ); // Get signed assertion. -- 2.1.4