2 * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
3 * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
4 * provided that the following conditions are met: Redistributions of source code must retain the above copyright
5 * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
6 * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
7 * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
8 * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
9 * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
10 * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
11 * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
12 * products derived from this software without specific prior written permission. For written permission, please contact
13 * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
14 * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
15 * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
16 * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
18 * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
19 * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
20 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
21 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
23 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 package edu.internet2.middleware.shibboleth.common.provider;
28 import java.io.ByteArrayInputStream;
29 import java.security.GeneralSecurityException;
30 import java.security.cert.CertPathBuilder;
31 import java.security.cert.CertPathValidator;
32 import java.security.cert.CertPathValidatorException;
33 import java.security.cert.CertStore;
34 import java.security.cert.CertificateFactory;
35 import java.security.cert.CertificateParsingException;
36 import java.security.cert.CollectionCertStoreParameters;
37 import java.security.cert.PKIXBuilderParameters;
38 import java.security.cert.PKIXCertPathBuilderResult;
39 import java.security.cert.PKIXCertPathValidatorResult;
40 import java.security.cert.TrustAnchor;
41 import java.security.cert.X509CRL;
42 import java.security.cert.X509CertSelector;
43 import java.security.cert.X509Certificate;
44 import java.util.ArrayList;
45 import java.util.Arrays;
46 import java.util.Collection;
47 import java.util.HashSet;
48 import java.util.Iterator;
49 import java.util.List;
51 import java.util.regex.Matcher;
52 import java.util.regex.Pattern;
54 import javax.security.auth.x500.X500Principal;
56 import org.apache.log4j.Logger;
57 import org.apache.xml.security.exceptions.XMLSecurityException;
58 import org.apache.xml.security.keys.KeyInfo;
59 import org.apache.xml.security.keys.content.KeyName;
60 import org.apache.xml.security.keys.content.X509Data;
61 import org.apache.xml.security.keys.content.x509.XMLX509CRL;
62 import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
63 import org.opensaml.SAMLException;
64 import org.opensaml.SAMLSignedObject;
66 import edu.internet2.middleware.shibboleth.common.Trust;
67 import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
68 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
69 import edu.internet2.middleware.shibboleth.metadata.ExtendedEntitiesDescriptor;
70 import edu.internet2.middleware.shibboleth.metadata.ExtendedEntityDescriptor;
71 import edu.internet2.middleware.shibboleth.metadata.KeyAuthority;
72 import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
73 import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
76 * <code>Trust</code> implementation that does PKIX validation against key authorities included in shibboleth-specific
77 * extensions to SAML 2 metadata.
79 * @author Walter Hoehn
81 public class ShibbolethTrust extends BasicTrust implements Trust {
83 private static Logger log = Logger.getLogger(ShibbolethTrust.class.getName());
84 private static Pattern regex = Pattern.compile(".*?CN=([^,/]+).*");
87 * @see edu.internet2.middleware.shibboleth.common.Trust#validate(java.security.cert.X509Certificate,
88 * java.security.cert.X509Certificate[], edu.internet2.middleware.shibboleth.metadata.RoleDescriptor)
90 public boolean validate(X509Certificate certificateEE, X509Certificate[] certificateChain, RoleDescriptor descriptor) {
92 return validate(certificateEE, certificateChain, descriptor, true);
96 * @see edu.internet2.middleware.shibboleth.common.Trust#validate(org.opensaml.SAMLSignedObject,
97 * edu.internet2.middleware.shibboleth.metadata.RoleDescriptor)
99 public boolean validate(SAMLSignedObject token, RoleDescriptor descriptor) {
101 if (super.validate(token, descriptor)) return true;
103 /* Certificates supplied with the signed object */
104 ArrayList/* <X509Certificate> */certificates = new ArrayList/* <X509Certificate> */();
105 X509Certificate certificateEE = null;
107 /* Iterate to count the certificates, and look for the signer */
108 Iterator icertificates;
110 icertificates = token.getX509Certificates();
111 } catch (SAMLException e1) {
114 while (icertificates.hasNext()) {
115 X509Certificate certificate = (X509Certificate) icertificates.next();
117 token.verify(certificate);
118 // This is the certificate that signed the object
119 certificateEE = certificate;
120 certificates.add(certificate);
121 } catch (SAMLException e) {
122 certificates.add(certificate);
126 if (certificateEE == null) return false; // No key validates the signature
128 // With a count we can now build a typed array
129 X509Certificate[] certificateChain = new X509Certificate[certificates.size()];
131 for (icertificates = certificates.iterator(); icertificates.hasNext();) {
132 certificateChain[i++] = (X509Certificate) icertificates.next();
134 return validate(certificateEE, certificateChain, descriptor);
138 * @see edu.internet2.middleware.shibboleth.common.Trust#validate(java.security.cert.X509Certificate,
139 * java.security.cert.X509Certificate[], edu.internet2.middleware.shibboleth.metadata.RoleDescriptor, boolean)
141 public boolean validate(X509Certificate certificateEE, X509Certificate[] certificateChain,
142 RoleDescriptor descriptor, boolean checkName) {
144 // If we can successfully validate with an inline key, that's fine
145 boolean defaultValidation = super.validate(certificateEE, certificateChain, descriptor, checkName);
146 if (defaultValidation == true) { return true; }
148 // Make sure we have the data we need
149 if (descriptor == null || certificateEE == null) {
150 log.error("Appropriate data was not supplied for trust evaluation.");
153 log.debug("Inline validation was unsuccessful. Attmping PKIX...");
154 // If not, try PKIX validation against the shib-custom metadata extensions
156 // First, we want to see if we can match a keyName from the metadata against the cert
157 // Iterator through all the keys in the metadata
160 if (matchProviderId(certificateChain[0], descriptor.getEntityDescriptor().getId())) {
164 Iterator keyDescriptors = descriptor.getKeyDescriptors();
165 while (checkName && keyDescriptors.hasNext()) {
166 // Look for a key descriptor with the right usage bits
167 KeyDescriptor keyDescriptor = (KeyDescriptor) keyDescriptors.next();
168 if (keyDescriptor.getUse() == KeyDescriptor.ENCRYPTION) {
169 log.debug("Skipping key descriptor with inappropriate usage indicator.");
173 // We found one, see if we can match the metadata's keyName against the cert
174 KeyInfo keyInfo = keyDescriptor.getKeyInfo();
175 if (keyInfo.containsKeyName()) {
176 for (int i = 0; i < keyInfo.lengthKeyName(); i++) {
178 if (matchKeyName(certificateChain[0], keyInfo.itemKeyName(i))) {
182 } catch (XMLSecurityException e) {
183 log.error("Problem retrieving key name from metadata: " + e);
192 log.error("cannot match certificate subject against acceptable key names based on the "
193 + "metadata entityId or KeyDescriptors");
197 if (pkixValidate(certificateEE, certificateChain, descriptor.getEntityDescriptor())) { return true; }
201 private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, EntityDescriptor entity) {
203 if (entity instanceof ExtendedEntityDescriptor) {
204 Iterator keyAuthorities = ((ExtendedEntityDescriptor) entity).getKeyAuthorities();
205 // if we have any key authorities, construct a flat list of trust anchors representing each and attempt to
206 // validate against them in turn
207 while (keyAuthorities.hasNext()) {
208 if (pkixValidate(certEE, certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
212 // We couldn't do path validation based on metadata attached to the entity, we now need to walk up the chain of
213 // nested entities and attempt to validate at each group level
214 EntitiesDescriptor group = entity.getEntitiesDescriptor();
216 if (pkixValidate(certEE, certChain, group)) { return true; }
219 // We've walked the entire metadata chain with no success, so fail
223 private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, EntitiesDescriptor group) {
225 log.debug("Attemping to validate against parent group.");
226 if (group instanceof ExtendedEntitiesDescriptor) {
227 Iterator keyAuthorities = ((ExtendedEntitiesDescriptor) group).getKeyAuthorities();
228 // if we have any key authorities, construct a flat list of trust anchors representing each and attempt to
229 // validate against them in turn
230 while (keyAuthorities.hasNext()) {
231 if (pkixValidate(certEE, certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
235 // If not, attempt to walk up the chain for validation
236 EntitiesDescriptor parent = group.getEntitiesDescriptor();
237 if (parent != null) {
238 if (pkixValidate(certEE, certChain, parent)) { return true; }
244 private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, KeyAuthority authority) {
246 Set anchors = new HashSet();
247 Set crls = new HashSet();
248 Iterator keyInfos = authority.getKeyInfos();
249 while (keyInfos.hasNext()) {
250 KeyInfo keyInfo = (KeyInfo) keyInfos.next();
251 if (keyInfo.containsX509Data()) {
253 // Add all certificates in the authority as trust anchors
254 for (int i = 0; i < keyInfo.lengthX509Data(); i++) {
255 X509Data data = keyInfo.itemX509Data(i);
256 if (data.containsCertificate()) {
257 for (int j = 0; j < data.lengthCertificate(); j++) {
258 XMLX509Certificate xmlCert = data.itemCertificate(j);
259 anchors.add(new TrustAnchor(xmlCert.getX509Certificate(), null));
262 // Compile all CRLs in the authority
263 if (data.containsCRL()) {
264 for (int j = 0; j < data.lengthCRL(); j++) {
265 XMLX509CRL xmlCrl = data.itemCRL(j);
267 X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(
268 new ByteArrayInputStream(xmlCrl.getCRLBytes()));
269 if (crl.getRevokedCertificates() != null && crl.getRevokedCertificates().size() > 0) {
272 } catch (GeneralSecurityException e) {
273 log.error("Encountered an error parsing CRL from shibboleth metadata: " + e);
279 } catch (XMLSecurityException e) {
280 log.error("Encountered an error constructing trust list from shibboleth metadata: " + e);
285 // alright, if we were able to create a trust list, attempt a pkix validation against the list
286 if (anchors.size() > 0) {
287 log.debug("Constructed a trust list from key authority. Attempting path validation...");
289 CertPathValidator validator = CertPathValidator.getInstance("PKIX");
291 X509CertSelector selector = new X509CertSelector();
292 selector.setCertificate(certEE);
293 PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
294 params.setMaxPathLength(authority.getVerifyDepth());
295 List storeMaterial = new ArrayList(crls);
296 storeMaterial.addAll(Arrays.asList(certChain));
297 CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));
298 List stores = new ArrayList();
300 params.setCertStores(stores);
301 if (crls.size() > 0) {
302 params.setRevocationEnabled(true);
304 params.setRevocationEnabled(false);
306 // System.err.println(params.toString());
307 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
308 PKIXCertPathBuilderResult buildResult = (PKIXCertPathBuilderResult) builder.build(params);
310 PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(buildResult
311 .getCertPath(), params);
312 log.debug("Path successfully validated.");
315 } catch (CertPathValidatorException e) {
316 log.debug("Path failed to validate: " + e);
317 } catch (GeneralSecurityException e) {
318 log.error("Encountered an error during validation: " + e);
324 private static boolean matchKeyName(X509Certificate certificate, KeyName keyName) {
326 // First, try to match DN against metadata
328 if (certificate.getSubjectX500Principal().getName(X500Principal.RFC2253).equals(
329 new X500Principal(keyName.getKeyName()).getName(X500Principal.RFC2253))) {
330 log.debug("Matched against DN.");
333 } catch (IllegalArgumentException iae) {
334 // squelch this runtime exception, since
335 // this might be a valid case
338 // If that doesn't work, we try matching against
339 // some Subject Alt Names
341 Collection altNames = certificate.getSubjectAlternativeNames();
342 if (altNames != null) {
343 for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
344 List altName = (List) nameIterator.next();
345 if (altName.get(0).equals(new Integer(2)) || altName.get(0).equals(new Integer(6))) {
346 // 2 is DNS, 6 is URI
347 if (altName.get(0).equals(keyName.getKeyName())) {
348 log.debug("Matched against SubjectAltName.");
354 } catch (CertificateParsingException e1) {
355 log.error("Encountered an problem trying to extract Subject Alternate "
356 + "Name from supplied certificate: " + e1);
359 // If that doesn't work, try to match using
360 // SSL-style hostname matching
361 if (getHostNameFromDN(certificate.getSubjectX500Principal()).equals(keyName.getKeyName())) {
362 log.debug("Matched against hostname.");
369 private static boolean matchProviderId(X509Certificate certificate, String id) {
371 // Try matching against URI Subject Alt Names
373 Collection altNames = certificate.getSubjectAlternativeNames();
374 if (altNames != null) {
375 for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
376 List altName = (List) nameIterator.next();
377 if (altName.get(0).equals(new Integer(6))) { // 6 is URI
378 if (altName.get(0).equals(id)) {
379 log.debug("Entity ID matched against SubjectAltName.");
385 } catch (CertificateParsingException e1) {
386 log.error("Encountered an problem trying to extract Subject Alternate "
387 + "Name from supplied certificate: " + e1);
390 // If that doesn't work, try to match using
391 // SSL-style hostname matching
392 if (getHostNameFromDN(certificate.getSubjectX500Principal()).equals(id)) {
393 log.debug("Entity ID matched against hostname.");
400 private static String getHostNameFromDN(X500Principal dn) {
402 Matcher matches = regex.matcher(dn.getName(X500Principal.RFC2253));
403 if (!matches.find() || matches.groupCount() > 1) {
404 log.error("Unable to extract host name name from certificate subject DN.");
407 return matches.group(1);
projects / java-idp.git / blob