log->debug("passing signed ADFS assertion to trust layer");
Trust t(app->getTrustProviders());
if (!t.validate(*assertion,role)) {
- log->error("unable to verify signed authentication assertion");
+ log->error("unable to verify signed ADFS assertion");
throw TrustException("unable to verify signed authentication assertion");
}
+ log->info("verified digital signature over ADFS assertion");
// Now dummy up the SAML profile response wrapper.
param=parser.get_value("wctx");
}
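Review bot: The error log at L5 now says "ADFS assertion", but the TrustException thrown on the very next line still carries the old text "unable to verify signed authentication assertion", so the message a caller or error page sees no longer matches the log entry written for the same failure. Keep the two strings identical, `throw TrustException("unable to verify signed ADFS assertion");`, or build both from one local string so they cannot drift apart again. The enclosing function begins before this hunk.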
// It passes all our tests -- create a new session.
- log->info("creating new session");
// Are attributes present?
bool attributesPushed=false;
shib_request_config* rc=(shib_request_config*)ap_pcalloc(r->pool,sizeof(shib_request_config));
ap_set_module_config (r->request_config, &mod_shib, rc);
memset(rc, 0, sizeof(shib_request_config));
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_init_rc\n");
+ //ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_init_rc\n");
return rc;
}
static int shib_post_read(request_rec *r)
{
shib_request_config* rc = init_request_config(r);
-
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_post_read");
+ //ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_post_read");
#ifdef SHIB_DEFERRED_HEADERS
rc->hdr_out = ap_make_table(r->pool, 5);
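Review bot: The old trace calls at L20 and L28 (and L34 in the following hunk) are commented out rather than deleted, leaving dead code that version control already preserves and that will silently rot as the surrounding macros and signatures change. Remove the lines outright, or if entry tracing is still wanted in debug builds put them behind a dedicated compile-time debug switch instead of `//`. The body of shib_post_read appears to continue past the end of this hunk.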
if (dc->bOff==1 || dc->bUseEnvVars!=1)
return DECLINED;
- ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_fixup(%d): ENTER", (int)getpid());
+ //ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(r), "shib_fixup(%d): ENTER", (int)getpid());
if (rc==NULL || rc->env==NULL || ap_is_empty_table(rc->env))
return DECLINED;
#endif
// It passes all our tests -- create a new session.
- log->info("creating new session");
// Are attributes present?
bool attributesPushed=false;
*/
static int verify_callback(X509_STORE_CTX* x509_ctx, void* arg)
{
- Category::getInstance("OpenSSL").debug("invoking default X509 verify callback");
+ Category& log = Category::getInstance("OpenSSL");
+ log.debug("invoking default X509 verify callback");
+
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
ShibHTTPHook::ShibHTTPHookCallContext* ctx = reinterpret_cast<ShibHTTPHook::ShibHTTPHookCallContext*>(arg);
#else
return 0;
}
+ log.info("verified server's TLS key/certificate");
+
// Signal success. Hopefully it doesn't matter what's actually in the structure now.
return 1;
}
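Review bot: The success message added at L54 names neither the peer nor the certificate that was accepted, so a later review of the log cannot tell which AA endpoint or which server certificate passed verification, which is exactly what an operator investigating a substituted or mis-issued certificate would need. If the call context `ctx` or the `X509_STORE_CTX` exposes the verified subject or the target location, consider logging it with the message, e.g. `log.info("verified server's TLS key/certificate for %s", <peer-identifier>)` with the real accessor substituted for the placeholder. The lines between L53 and L54 appear to be elided here, so the flow across the OpenSSL version branches is not fully visible.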
m_response_post=new_responses.second;
m_responseCreated=time(NULL);
m_lastRetry=0;
- m_cache->log->debug("fetched and stored new response");
+ m_cache->log->info("stored new attribute response");
STConfig& stc=static_cast<STConfig&>(ShibTargetConfig::getConfig());
stc.getTransactionLog().infoStream() << "Successful attribute query for session (ID: " << m_id << ")";
stc.releaseTransactionLog();
m_cache->log->debug("retry interval exceeded, so trying again");
m_lastRetry=now;
- m_cache->log->info("trying to get new attributes for session (ID=%s)", m_id.c_str());
+ m_cache->log->debug("trying to get new attributes for session (ID=%s)", m_id.c_str());
// Transaction Logging
STConfig& stc=static_cast<STConfig&>(ShibTargetConfig::getConfig());
m_cache->log->error("unable to sign SAML 1.0 attribute query, only SAML 1.1 defines signing adequately");
}
- m_cache->log->debug("trying to query an AA...");
-
// Call context object
Trust t(application->getTrustProviders());
ShibHTTPHook::ShibHTTPHookCallContext ctx(credUse,AA);
if (r->isSigned()) {
if (!t.validate(*r,AA))
throw TrustException("Unable to verify signed response message.");
+ m_cache->log->info("verified digital signature over attribute response");
}
else if (!ctx.isAuthenticated() || XMLString::compareNString(ep->getLocation(),https,6))
throw TrustException("Response message was unauthenticated.");
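Review bot: The new info line at L83 records a signed response whose signature verified, but the alternative acceptance path at L85-L86 (an unsigned response accepted because the TLS connection authenticated the endpoint) writes nothing, so the log now distinguishes "signature verified" from silence and an operator cannot tell whether trust rested on the signature or on TLS. The same asymmetry appears in the per-assertion loop at L93-L101, where unsigned assertions fall through without a line while signed ones log success. Consider turning the `else if` at L85 into an `else` block that throws on the unauthenticated case and otherwise logs `m_cache->log->info("unsigned attribute response accepted over authenticated TLS connection");`, plus a debug line for unsigned assertions in the loop. The enclosing function starts before this hunk.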
continue;
// Check token signature.
- if (assertions[i]->isSigned() && !t.validate(*(assertions[i]),source)) {
- m_cache->log->warn("signed assertion failed to validate, removing it");
- r->removeAssertion(i);
- continue;
+ if (assertions[i]->isSigned()) {
+ if (t.validate(*(assertions[i]),source)) {
+ m_cache->log->info("verified digital signature over attribute assertion");
+ }
+ else {
+ m_cache->log->warn("signed assertion failed to validate, removing it");
+ r->removeAssertion(i);
+ continue;
+ }
}
i++;
}
log.debug("KeyDescriptor resolved into a key, trying it...");
try {
token.verify(key);
- log.info("signature verified with KeyDescriptor");
+ log.debug("signature verified with KeyDescriptor");
return true;
}
catch (SAMLException& e) {
TrustException ex("unable to verify signed profile response");
annotateException(&ex,role); // throws it
}
+ log.info("verified digital signature over SSO response");
}
// SSO assertion signed?
if (bpr.assertion->isSigned()) {
TrustException ex("unable to verify signed authentication assertion");
annotateException(&ex,role); // throws it
}
+ log.info("verified digital signature over SSO assertion");
}
// Finally, discard any assertions not issued by the same entity that issued the authn.
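Review bot: The success lines added at L116 and L123 sit directly after `annotateException(&ex,role)` calls whose only visible guarantee of not returning is the trailing comment `// throws it`; if that helper ever returns normally, the code continues past a failed signature check (pre-existing) and now also logs "verified digital signature" for a verification that failed. An unconditional `throw ex;` after each `annotateException` call, unreachable when the helper does throw, makes the control flow hold without depending on a comment and keeps the success log honest. Whether annotateException can return is not determinable from this hunk.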
sk_X509_free(CAstack);
if (ret==1) {
- log.info("successfully validated certificate chain");
+ log.debug("successfully validated certificate chain");
return true;
}
buf[len] = '\0';
subjectstr+=buf;
}
- log.infoStream() << "certificate subject: " << subjectstr << logging::eol;
+ if (log.isDebugEnabled())
+ log.debugStream() << "certificate subject: " << subjectstr << logging::eol;
// The flags give us LDAP order instead of X.500, with a comma plus space separator.
len=X509_NAME_print_ex(b2,subject,0,XN_FLAG_RFC2253 + XN_FLAG_SEP_CPLUS_SPC - XN_FLAG_SEP_COMMA_PLUS);
BIO_flush(b2);
#else
if (!stricmp(n->c_str(),subjectstr.c_str()) || !stricmp(n->c_str(),subjectstr2.c_str())) {
#endif
- log.info("matched full subject DN to a key name (%s)", n->c_str());
+ log.debug("matched full subject DN to a key name (%s)", n->c_str());
checkName=false;
break;
}
if ((check->type==GEN_DNS && !strnicmp(altptr,n->c_str(),altlen))
#endif
|| (check->type==GEN_URI && !strncmp(altptr,n->c_str(),altlen))) {
- log.info("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
+ log.debug("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
checkName=false;
break;
}
#else
if (!stricmp(buf,n->c_str())) {
#endif
- log.info("matched subject CN to a key name (%s)", n->c_str());
+ log.debug("matched subject CN to a key name (%s)", n->c_str());
checkName=false;
break;
}
chain.push_back(static_cast<OpenSSLCryptoX509*>(c)->getOpenSSLX509());
if (!certEE) {
token.verify(*c);
- log.info("signature verified with key inside signature, attempting certificate validation...");
+ log.debug("signature verified with key inside signature, attempting certificate validation...");
certEE=static_cast<OpenSSLCryptoX509*>(c)->getOpenSSLX509();
}
}
%install
[ "$RPM_BUILD_ROOT" != "/" ] && %{__rm} -rf $RPM_BUILD_ROOT
-
%{__make} install DESTDIR=$RPM_BUILD_ROOT
%if "%{_vendor}" == "suse"
buf[len] = '\0';
subjectstr+=buf;
}
- log.infoStream() << "certificate subject: " << subjectstr << xmlproviders::logging::eol;
+ if (log.isDebugEnabled())
+ log.debugStream() << "certificate subject: " << subjectstr << xmlproviders::logging::eol;
// The flags give us LDAP order instead of X.500, with a comma plus space separator.
len=X509_NAME_print_ex(b2,subject,0,XN_FLAG_RFC2253 + XN_FLAG_SEP_CPLUS_SPC - XN_FLAG_SEP_COMMA_PLUS);
BIO_flush(b2);
#else
if (!stricmp(n->c_str(),subjectstr.c_str()) || !stricmp(n->c_str(),subjectstr2.c_str())) {
#endif
- log.info("matched full subject DN to a key name (%s)", n->c_str());
+ log.debug("matched full subject DN to a key name (%s)", n->c_str());
checkName=false;
break;
}
#else
if (!strnicmp(altptr,n->c_str(),altlen)) {
#endif
- log.info("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
+ log.debug("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
checkName=false;
break;
}
#else
if (!stricmp(buf,n->c_str())) {
#endif
- log.info("matched subject CN to a key name (%s)", n->c_str());
+ log.debug("matched subject CN to a key name (%s)", n->c_str());
checkName=false;
break;
}
kauth=*keyauths;
if (log.isInfoEnabled()) {
auto_ptr_char temp(*name);
- log.info("KeyAuthority match on %s",temp.get());
+ log.debug("KeyAuthority match on %s",temp.get());
}
}
}
X509_STORE_free(store);
if (ret==1) {
- log.info("successfully validated certificate chain");
+ log.debug("successfully validated certificate chain");
unlock();
return true;
}
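Review bot: The guard at L212 still tests `log.isInfoEnabled()` while the call it protects at L215 is now `log.debug(...)`, so the `auto_ptr_char temp(*name)` conversion runs whenever INFO is enabled even though the message is then discarded unless DEBUG is also on; the same mismatch is at L227-L230 in the next hunk. Change both guards to `if (log.isDebugEnabled()) {` so the check matches the level of the call, as the commit already does for the subject-string logging at L136 and L182. Both hunks start inside a function whose beginning is outside the visible lines.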
KIL=*keybinds;
if (log.isInfoEnabled()) {
auto_ptr_char temp(*name);
- log.info("KeyInfo match on %s",temp.get());
+ log.debug("KeyInfo match on %s",temp.get());
}
}
}
try {
token.verify(key);
unlock();
- log.info("token verified with KeyInfo, nothing more to verify");
+ log.debug("token verified with KeyInfo, nothing more to verify");
return true;
}
catch (SAMLException& e) {