1 /*
2  * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
3  * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
4  * provided that the following conditions are met: Redistributions of source code must retain the above copyright
5  * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
6  * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
7  * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
8  * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
9  * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
10  * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
11  * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
12  * products derived from this software without specific prior written permission. For written permission, please contact
13  * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
14  * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
15  * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
16  * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
18  * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
19  * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
20  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
21  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
23  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25
26 package edu.internet2.middleware.shibboleth.idp.provider;
27
28 import java.io.IOException;
29 import java.net.URI;
30 import java.net.URISyntaxException;
31 import java.util.HashSet;
32
33 import javax.security.auth.x500.X500Principal;
34
35 import org.apache.log4j.Logger;
36 import org.bouncycastle.asn1.ASN1InputStream;
37 import org.bouncycastle.asn1.DERObject;
38 import org.bouncycastle.asn1.DERObjectIdentifier;
39 import org.bouncycastle.asn1.DERPrintableString;
40 import org.bouncycastle.asn1.DERSequence;
41 import org.bouncycastle.asn1.DERSet;
42 import org.w3c.dom.Element;
43 import org.w3c.dom.Node;
44 import org.w3c.dom.NodeList;
45
46 import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
47 import edu.internet2.middleware.shibboleth.idp.IdPConfig;
48 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
49
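/**
 * Functionality common to all <code>IdPProtocolHandler</code> implementations.
 * <p>
 * Reads the <code>&lt;Location/&gt;</code> children of the handler's configuration element and exposes them through
 * {@link #getLocations()}; also provides a helper that pulls a host name (the CN attribute) out of an X.500 subject
 * DN for use in trust matching.
 * 
 * @author Walter Hoehn
 */
public abstract class BaseHandler implements IdPProtocolHandler {

        private static Logger log = Logger.getLogger(BaseHandler.class.getName());

        // Location URIs this handler answers for; filled once by the constructor and never modified afterwards
        private HashSet locations = new HashSet();

        // X.500 attribute type OID for commonName (id-at-commonName)
        private static final String CN_OID = "2.5.4.3";

        /**
         * Required DOM-based constructor.
         * 
         * @param config the <code>&lt;ProtocolHandler/&gt;</code> configuration element
         * @throws ShibbolethConfigurationException if no <code>&lt;Location/&gt;</code> element is present, or if any of
         *             them is empty or does not hold a well-formed URI
         */
        public BaseHandler(Element config) throws ShibbolethConfigurationException {

                NodeList locationNodes = config.getElementsByTagNameNS(IdPConfig.configNameSpace, "Location");

                // A handler that listens nowhere is a configuration error, not an empty handler
                if (locationNodes.getLength() < 1) {
                        log.error("The <ProtocolHandler/> element must contain at least one <Location/> element.");
                        throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
                }

                for (int i = 0; i < locationNodes.getLength(); i++) {
                        locations.add(parseLocation((Element) locationNodes.item(i)));
                }
        }

        /**
         * Reads the URI held as the text content of one <code>&lt;Location/&gt;</code> element.
         * 
         * @param locationElement the element to read
         * @return the parsed URI, never <code>null</code>
         * @throws ShibbolethConfigurationException if the element has no text content or the text is not a valid URI
         */
        private static URI parseLocation(Element locationElement) throws ShibbolethConfigurationException {

                // Only the first child is consulted, and it has to be a text node; anything else counts as "no URI"
                Node textNode = locationElement.getFirstChild();
                String rawURI = null;
                if (textNode != null && textNode.getNodeType() == Node.TEXT_NODE) {
                        rawURI = textNode.getNodeValue();
                }

                if (rawURI == null || rawURI.equals("")) {
                        log.error("The <Location/> element inside the <ProtocolHandler/> element must contain a URI.");
                        throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
                }

                try {
                        return new URI(rawURI);
                } catch (URISyntaxException e) {
                        log.error("The <Location/> element inside the <ProtocolHandler/> element contains "
                                        + "an improperly formatted URI: " + e);
                        throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
                }
        }

        /*
         * @see edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler#getLocations()
         */
        public URI[] getLocations() {

                // A fresh array each call, so callers cannot reach into the handler's own set
                return (URI[]) locations.toArray(new URI[0]);
        }

        /**
         * Extracts a host name from an X.500 subject DN by taking the value of the last commonName (CN) attribute in the
         * DN's ASN.1 encoding.
         * <p>
         * The DER encoding is walked directly instead of going through the DN's string form, because the JDK's string
         * parsing caused problems with some DNs. Only CN values encoded as <code>PrintableString</code> are recognised;
         * a CN carried in any other string type is ignored (logged at debug level) and can therefore lead to a
         * <code>null</code> result. Any structural irregularity in the encoding is reported and yields
         * <code>null</code> rather than an exception, so callers must treat <code>null</code> as "no usable host name"
         * and fail the match.
         * 
         * @param dn the subject DN whose DER encoding is parsed
         * @return the CN value, or <code>null</code> if none was found or the encoding could not be parsed
         */
        protected static String getHostNameFromDN(X500Principal dn) {

                ASN1InputStream asn1Stream = new ASN1InputStream(dn.getEncoded());
                try {
                        DERObject name = asn1Stream.readObject();

                        // An X.501 Name is SEQUENCE OF RelativeDistinguishedName
                        if (!(name instanceof DERSequence)) {
                                log.error("Unable to extract host name name from certificate subject DN: incorrect ASN.1 encoding.");
                                return null;
                        }

                        String cn = null;
                        DERSequence rdns = (DERSequence) name;
                        for (int i = 0; i < rdns.size(); i++) {
                                DERObject rdn = rdns.getObjectAt(i).getDERObject();
                                // Each RDN is SET OF AttributeTypeAndValue; anything else is skipped
                                if (!(rdn instanceof DERSet)) {
                                        continue;
                                }

                                DERSet attributes = (DERSet) rdn;
                                for (int j = 0; j < attributes.size(); j++) {
                                        String value = getPrintableCN(attributes.getObjectAt(j).getDERObject());
                                        // Later CNs override earlier ones, so the last CN in encoding order wins
                                        if (value != null) {
                                                cn = value;
                                        }
                                }
                        }
                        return cn;

                } catch (IOException e) {
                        log.error("Unable to extract host name name from certificate subject DN: ASN.1 parsing failed: " + e);
                        return null;
                } finally {
                        // Close on every path, including the early return and the error branch
                        try {
                                asn1Stream.close();
                        } catch (IOException ignored) {
                                // Nothing to release: the stream is backed by the DN's in-memory byte array
                        }
                }
        }

        /**
         * Returns the CN value carried by a single AttributeTypeAndValue, or <code>null</code> if the object is not a
         * well-formed AttributeTypeAndValue, is not a CN, or does not carry a <code>PrintableString</code> value.
         * <p>
         * The type and size checks are what keep a malformed DN from surfacing as a <code>ClassCastException</code> or
         * an index error in the caller instead of a <code>null</code> return.
         * 
         * @param attributeTypeAndValue one decoded element of an RDN set
         * @return the CN string, or <code>null</code>
         */
        private static String getPrintableCN(DERObject attributeTypeAndValue) {

                // AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }
                if (!(attributeTypeAndValue instanceof DERSequence)) {
                        return null;
                }
                DERSequence ava = (DERSequence) attributeTypeAndValue;
                if (ava.size() < 2) {
                        return null;
                }

                DERObject type = ava.getObjectAt(0).getDERObject();
                if (!(type instanceof DERObjectIdentifier) || !CN_OID.equals(((DERObjectIdentifier) type).getId())) {
                        return null;
                }

                DERObject value = ava.getObjectAt(1).getDERObject();
                if (!(value instanceof DERPrintableString)) {
                        // Make a silent trust-match failure diagnosable: the CN exists but is not a PrintableString
                        log.debug("Ignoring CN attribute in subject DN: value is not encoded as a PrintableString.");
                        return null;
                }
                return ((DERPrintableString) value).getString();
        }
}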