src/edu/internet2/middleware/shibboleth/common/provider/ShibbolethTrust.java

   1 /*
   2  * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
   3  * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
   4  * provided that the following conditions are met: Redistributions of source code must retain the above copyright
   5  * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
   6  * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
   7  * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
   8  * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
   9  * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
  10  * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
  11  * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
  12  * products derived from this software without specific prior written permission. For written permission, please contact
  13  * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
  14  * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
  15  * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
  16  * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
  18  * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
  19  * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
  20  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  21  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
  23  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  24  */
  25
  26 package edu.internet2.middleware.shibboleth.common.provider;
  27
  28 import java.io.ByteArrayInputStream;
  29 import java.security.GeneralSecurityException;
  30 import java.security.cert.CertPathBuilder;
  31 import java.security.cert.CertPathValidator;
  32 import java.security.cert.CertPathValidatorException;
  33 import java.security.cert.CertStore;
  34 import java.security.cert.CertificateFactory;
  35 import java.security.cert.CertificateParsingException;
  36 import java.security.cert.CollectionCertStoreParameters;
  37 import java.security.cert.PKIXBuilderParameters;
  38 import java.security.cert.PKIXCertPathBuilderResult;
  39 import java.security.cert.PKIXCertPathValidatorResult;
  40 import java.security.cert.TrustAnchor;
  41 import java.security.cert.X509CertSelector;
  42 import java.security.cert.X509Certificate;
  43 import java.util.ArrayList;
  44 import java.util.Arrays;
  45 import java.util.Collection;
  46 import java.util.HashSet;
  47 import java.util.Iterator;
  48 import java.util.List;
  49 import java.util.Set;
  50 import java.util.regex.Matcher;
  51 import java.util.regex.Pattern;
  52
  53 import javax.security.auth.x500.X500Principal;
  54
  55 import org.apache.log4j.Logger;
  56 import org.apache.xml.security.exceptions.XMLSecurityException;
  57 import org.apache.xml.security.keys.KeyInfo;
  58 import org.apache.xml.security.keys.content.KeyName;
  59 import org.apache.xml.security.keys.content.X509Data;
  60 import org.apache.xml.security.keys.content.x509.XMLX509CRL;
  61 import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
  62 import org.opensaml.SAMLException;
  63 import org.opensaml.SAMLSignedObject;
  64
  65 import edu.internet2.middleware.shibboleth.common.Trust;
  66 import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
  67 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
  68 import edu.internet2.middleware.shibboleth.metadata.ExtendedEntitiesDescriptor;
  69 import edu.internet2.middleware.shibboleth.metadata.ExtendedEntityDescriptor;
  70 import edu.internet2.middleware.shibboleth.metadata.KeyAuthority;
  71 import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
  72 import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
  73
  74 /**
  75  * <code>Trust</code> implementation that does PKIX validation against key authorities included in shibboleth-specific
  76  * extensions to SAML 2 metadata.
  77  *
  78  * @author Walter Hoehn
  79  */
  80 public class ShibbolethTrust extends BasicTrust implements Trust {
  81
  82         private static Logger log = Logger.getLogger(ShibbolethTrust.class.getName());
  83         private static Pattern regex = Pattern.compile(".*?CN=([^,/]+).*");
  84
  85     /*
  86      * @see edu.internet2.middleware.shibboleth.common.Trust#validate(java.security.cert.X509Certificate, java.security.cert.X509Certificate[], edu.internet2.middleware.shibboleth.metadata.RoleDescriptor)
  87      */
  88     public boolean validate(X509Certificate certificateEE, X509Certificate[] certificateChain, RoleDescriptor descriptor) {
  89         return validate(certificateEE, certificateChain, descriptor, true);
  90     }
  91
  92     /*
  93      * @see edu.internet2.middleware.shibboleth.common.Trust#validate(org.opensaml.SAMLSignedObject, edu.internet2.middleware.shibboleth.metadata.RoleDescriptor)
  94      */
  95     public boolean validate(SAMLSignedObject token, RoleDescriptor descriptor) {
  96                 if (super.validate(token,descriptor))
  97                         return true;
  98
  99                 /* Certificates supplied with the signed object */
 100                 ArrayList/*<X509Certificate>*/ certificates = new ArrayList/*<X509Certificate>*/();
 101                 X509Certificate certificateEE = null;
 102
 103                 /* Iterate to count the certificates, and look for the signer */
 104                 Iterator icertificates;
 105                 try {
 106                         icertificates = token.getX509Certificates();
 107                 } catch (SAMLException e1) {
 108                         return false;
 109                 }
 110                 while (icertificates.hasNext()) {
 111                         X509Certificate certificate = (X509Certificate) icertificates.next();
 112                         try {
 113                                 token.verify(certificate);
 114                                 // This is the certificate that signed the object
 115                                 certificateEE = certificate;
 116                                 certificates.add(certificate);
 117                         } catch (SAMLException e) {
 118                                 certificates.add(certificate);
 119                         }
 120                 }
 121
 122                 if (certificateEE==null)
 123                         return false; // No key validates the signature
 124
 125                 // With a count we can now build a typed array
 126                 X509Certificate[] certificateChain = new X509Certificate[certificates.size()];
 127                 int i=0;
 128                 for (icertificates = certificates.iterator();icertificates.hasNext();) {
 129                         certificateChain[i++]=(X509Certificate) icertificates.next();
 130                 }
 131                 return validate(certificateEE, certificateChain, descriptor);
 132     }
 133
 134     /*
 135      * @see edu.internet2.middleware.shibboleth.common.Trust#validate(java.security.cert.X509Certificate,
 136      *  java.security.cert.X509Certificate[], edu.internet2.middleware.shibboleth.metadata.RoleDescriptor, boolean)
 137      */
 138     public boolean validate(X509Certificate certificateEE, X509Certificate[] certificateChain, RoleDescriptor descriptor, boolean checkName) {
 139
 140                 // If we can successfully validate with an inline key, that's fine
 141                 boolean defaultValidation = super.validate(certificateEE, certificateChain, descriptor, checkName);
 142                 if (defaultValidation == true) { return true; }
 143
 144                 // Make sure we have the data we need
 145                 if (descriptor == null || certificateEE == null) {
 146                         log.error("Appropriate data was not supplied for trust evaluation.");
 147                         return false;
 148                 }
 149                 log.debug("Inline validation was unsuccessful.  Attmping PKIX...");
 150                 // If not, try PKIX validation against the shib-custom metadata extensions
 151
 152                 // First, we want to see if we can match a keyName from the metadata against the cert
 153                 // Iterator through all the keys in the metadata
 154         if (checkName) {
 155             Iterator keyDescriptors = descriptor.getKeyDescriptors();
 156                 while (checkName && keyDescriptors.hasNext()) {
 157                         // Look for a key descriptor with the right usage bits
 158                         KeyDescriptor keyDescriptor = (KeyDescriptor) keyDescriptors.next();
 159                         if (keyDescriptor.getUse() == KeyDescriptor.ENCRYPTION) {
 160                     log.debug("Skipping key descriptor with inappropriate usage indicator.");
 161                                 continue;
 162                         }
 163
 164                         // We found one, see if we can match the metadata's keyName against the cert
 165                         KeyInfo keyInfo = keyDescriptor.getKeyInfo();
 166                         if (keyInfo.containsKeyName()) {
 167                             for (int i = 0; i < keyInfo.lengthKeyName(); i++) {
 168                                 try {
 169                                     if (matchKeyName(certificateChain[0], keyInfo.itemKeyName(i))) {
 170                                         checkName = false;
 171                                 break;
 172                             }
 173                                         } catch (XMLSecurityException e) {
 174                                                 log.error("Problem retrieving key name from metadata: " + e);
 175                                         }
 176                                 }
 177                         }
 178                 }
 179         }
 180
 181         if (checkName) {
 182             log.error("cannot match certificate subject against acceptable key names based on KeyDescriptors");
 183             return false;
 184         }
 185
 186         if (pkixValidate(certificateEE, certificateChain, descriptor.getEntityDescriptor())) { return true; }
 187         return false;
 188         }
 189
 190         private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, EntityDescriptor entity) {
 191
 192                 if (entity instanceof ExtendedEntityDescriptor) {
 193                         Iterator keyAuthorities = ((ExtendedEntityDescriptor) entity).getKeyAuthorities();
 194                         // if we have any key authorities, construct a flat list of trust anchors representing each and attempt to
 195                         // validate against them in turn
 196                         while (keyAuthorities.hasNext()) {
 197                                 if (pkixValidate(certEE, certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
 198                         }
 199                 }
 200
 201                 // We couldn't do path validation based on metadata attached to the entity, we now need to walk up the chain of
 202                 // nested entities and attempt to validate at each group level
 203                 EntitiesDescriptor group = entity.getEntitiesDescriptor();
 204                 if (group != null) {
 205                         if (pkixValidate(certEE, certChain, group)) { return true; }
 206                 }
 207
 208                 // We've walked the entire metadata chain with no success, so fail
 209                 return false;
 210         }
 211
 212         private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, EntitiesDescriptor group) {
 213
 214                 log.debug("Attemping to validate against parent group.");
 215                 if (group instanceof ExtendedEntitiesDescriptor) {
 216                         Iterator keyAuthorities = ((ExtendedEntitiesDescriptor) group).getKeyAuthorities();
 217                         // if we have any key authorities, construct a flat list of trust anchors representing each and attempt to
 218                         // validate against them in turn
 219                         while (keyAuthorities.hasNext()) {
 220                                 if (pkixValidate(certEE, certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
 221                         }
 222                 }
 223
 224                 // If not, attempt to walk up the chain for validation
 225                 EntitiesDescriptor parent = group.getEntitiesDescriptor();
 226                 if (parent != null) {
 227                         if (pkixValidate(certEE, certChain, parent)) { return true; }
 228                 }
 229
 230                 return false;
 231         }
 232
 233         private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, KeyAuthority authority) {
 234
 235                 Set anchors = new HashSet();
 236                 Set crls = new HashSet();
 237                 Iterator keyInfos = authority.getKeyInfos();
 238                 while (keyInfos.hasNext()) {
 239                         KeyInfo keyInfo = (KeyInfo) keyInfos.next();
 240                         if (keyInfo.containsX509Data()) {
 241                                 try {
 242                                         //Add all certificates in the authority as trust anchors
 243                                         for (int i = 0; i < keyInfo.lengthX509Data(); i++) {
 244                                                 X509Data data = keyInfo.itemX509Data(i);
 245                                                 if (data.containsCertificate()) {
 246                                                         for (int j = 0; j < data.lengthCertificate(); j++) {
 247                                                                 XMLX509Certificate xmlCert = data.itemCertificate(j);
 248                                                                 anchors.add(new TrustAnchor(xmlCert.getX509Certificate(), null));
 249                                                         }
 250                                                 }
 251                                                 // Compile all CRLs in the authority
 252                                                 if (data.containsCRL()) {
 253                                                         for (int j = 0; j < data.lengthCRL(); j++) {
 254                                                                 XMLX509CRL xmlCrl = data.itemCRL(j);
 255                                                                 try {
 256                                                                         crls.add(CertificateFactory.getInstance("X.509").generateCRL(
 257                                                                                         new ByteArrayInputStream(xmlCrl.getCRLBytes())));
 258                                                                 } catch (GeneralSecurityException e) {
 259                                                                         log.error("Encountered an error parsing CRL from shibboleth metadata: " + e);
 260                                                                 }
 261                                                         }
 262                                                 }
 263                                         }
 264
 265                                 } catch (XMLSecurityException e) {
 266                                         log.error("Encountered an error constructing trust list from shibboleth metadata: " + e);
 267                                 }
 268                         }
 269                 }
 270
 271                 // alright, if we were able to create a trust list, attempt a pkix validation against the list
 272                 if (anchors.size() > 0) {
 273                         log.debug("Constructed a trust list from key authority.  Attempting path validation...");
 274                         try {
 275                                 CertPathValidator validator = CertPathValidator.getInstance("PKIX");
 276
 277                                 X509CertSelector selector = new X509CertSelector();
 278                                 selector.setCertificate(certEE);
 279                                 PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
 280                                 params.setMaxPathLength(authority.getVerifyDepth());
 281                                 List storeMaterial = new ArrayList(crls);
 282                                 storeMaterial.addAll(Arrays.asList(certChain));
 283                                 CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));
 284                                 List stores = new ArrayList();
 285                                 stores.add(store);
 286                                 params.setCertStores(stores);
 287                                 if (crls.size() > 0) {
 288                                         params.setRevocationEnabled(true);
 289                                 } else {
 290                                         params.setRevocationEnabled(false);
 291                                 }
 292
 293                                 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
 294                                 PKIXCertPathBuilderResult buildResult = (PKIXCertPathBuilderResult) builder.build(params);
 295
 296                                 PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(buildResult
 297                                                 .getCertPath(), params);
 298                                 log.debug("Path successfully validated.");
 299                                 return true;
 300
 301                         } catch (CertPathValidatorException e) {
 302                                 log.debug("Path failed to validate: " + e);
 303                         } catch (GeneralSecurityException e) {
 304                                 log.error("Encountered an error during validation: " + e);
 305                         }
 306                 }
 307                 return false;
 308         }
 309
 310         private static boolean matchKeyName(X509Certificate certificate, KeyName keyName) {
 311
 312                 // First, try to match DN against metadata
 313                 try {
 314                         if (certificate.getSubjectX500Principal().getName(X500Principal.RFC2253).equals(
 315                                         new X500Principal(keyName.getKeyName()).getName(X500Principal.RFC2253))) {
 316                                 log.debug("Matched against DN.");
 317                                 return true;
 318                         }
 319                 } catch (IllegalArgumentException iae) {
 320                         // squelch this runtime exception, since
 321                         // this might be a valid case
 322                 }
 323
 324                 // If that doesn't work, we try matching against
 325                 // some Subject Alt Names
 326                 try {
 327                         Collection altNames = certificate.getSubjectAlternativeNames();
 328                         if (altNames != null) {
 329                                 for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
 330                                         List altName = (List) nameIterator.next();
 331                                         if (altName.get(0).equals(new Integer(2)) || altName.get(0).equals(new Integer(6))) {
 332                                                 // 2 is DNS, 6 is URI
 333                                                 if (altName.get(0).equals(keyName.getKeyName())) {
 334                                                         log.debug("Matched against SubjectAltName.");
 335                                                         return true;
 336                                                 }
 337                                         }
 338                                 }
 339                         }
 340                 } catch (CertificateParsingException e1) {
 341                         log.error("Encountered an problem trying to extract Subject Alternate "
 342                                         + "Name from supplied certificate: " + e1);
 343                 }
 344
 345                 // If that doesn't work, try to match using
 346                 // SSL-style hostname matching
 347                 if (getHostNameFromDN(certificate.getSubjectX500Principal()).equals(keyName.getKeyName())) {
 348                         log.debug("Matched against hostname.");
 349                         return true;
 350                 }
 351
 352                 return false;
 353         }
 354
 355         private static String getHostNameFromDN(X500Principal dn) {
 356
 357                 Matcher matches = regex.matcher(dn.getName(X500Principal.RFC2253));
 358                 if (!matches.find() || matches.groupCount() > 1) {
 359                         log.error("Unable to extract host name name from certificate subject DN.");
 360                         return null;
 361                 }
 362                 return matches.group(1);
 363         }
 364
 365 }