1 /*
2  * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
3  * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
4  * provided that the following conditions are met: Redistributions of source code must retain the above copyright
5  * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
6  * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
7  * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
8  * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
9  * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
10  * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
11  * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
12  * products derived from this software without specific prior written permission. For written permission, please contact
13  * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
14  * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
15  * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
16  * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
18  * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
19  * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
20  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
21  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
23  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25
26 package edu.internet2.middleware.shibboleth.idp.provider;
27
28 import java.security.cert.CertificateParsingException;
29 import java.security.cert.X509Certificate;
30 import java.util.Collection;
31 import java.util.Iterator;
32 import java.util.List;
33
34 import javax.security.auth.x500.X500Principal;
35 import javax.servlet.http.HttpServletRequest;
36
37 import org.apache.log4j.Logger;
38 import org.apache.xml.security.exceptions.XMLSecurityException;
39 import org.apache.xml.security.keys.KeyInfo;
40 import org.w3c.dom.Element;
41
42 import edu.internet2.middleware.shibboleth.common.ShibBrowserProfile;
43 import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
44 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
45 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
46 import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
47 import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
48
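/**
 * Base class for IdP protocol handlers that identify the calling service provider by the client certificate it
 * presented on the TLS connection and check that certificate against the provider's federation metadata.
 * <p>
 * The checks here establish only a <em>name binding</em> between the certificate and a KeyName in metadata. Chain
 * validation, expiry and revocation are not performed by this class; they are assumed to have been done by the
 * servlet container when it authenticated the client (NOTE(review): confirm that assumption holds for every
 * deployment that relies on these helpers).
 *
 * @author Walter Hoehn
 */
public abstract class BaseServiceHandler extends BaseHandler implements IdPProtocolHandler {

	private static final Logger log = Logger.getLogger(BaseServiceHandler.class.getName());

	/** Servlet-spec request attribute under which the container exposes the client's certificate chain. */
	private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

	/** GeneralName tag of a dNSName entry, as reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
	private static final int SAN_DNS_NAME = 2;

	/** GeneralName tag of a uniformResourceIdentifier entry. */
	private static final int SAN_URI = 6;

	/**
	 * Required DOM-based constructor.
	 *
	 * @param config the DOM element holding this handler's configuration; handed to {@link BaseHandler}
	 * @throws ShibbolethConfigurationException if the superclass rejects the configuration
	 */
	public BaseServiceHandler(Element config) throws ShibbolethConfigurationException {

		super(config);
	}

	/**
	 * Returns the client certificate presented on the TLS connection that carried the request.
	 * <p>
	 * The container publishes the chain as an <code>X509Certificate[]</code> whose first element is the certificate
	 * the client itself presented; only that end-entity certificate is returned.
	 *
	 * @param req the current request; may be <code>null</code>
	 * @return the client's end-entity certificate, or <code>null</code> if the request carried no certificate chain
	 *         (or the attribute is not of the expected type)
	 */
	protected static X509Certificate getCredentialFromProvider(HttpServletRequest req) {

		if (req == null) { return null; }
		Object attribute = req.getAttribute(CERT_ATTRIBUTE);
		// A container that sets the attribute to something other than the spec'd array type should yield
		// "no credential" rather than a ClassCastException out of a static helper.
		if (!(attribute instanceof X509Certificate[])) { return null; }
		X509Certificate[] chain = (X509Certificate[]) attribute;
		return chain.length > 0 ? chain[0] : null;
	}

	/**
	 * Decides whether <code>certificate</code> is one the provider has published in its metadata.
	 * <p>
	 * Only the KeyName entries of the provider's SAML 1.1 SPSSODescriptor are consulted; the key material in
	 * KeyInfo is not compared. Each KeyName is tried, in order, as (1) a DN compared with the certificate subject in
	 * RFC 2253 form, (2) an exact match against a dNSName or URI SubjectAltName, and (3) an exact match against the
	 * hostname derived from the subject DN. The first successful strategy wins.
	 *
	 * @param provider the provider's metadata; <code>null</code> yields <code>false</code>
	 * @param certificate the certificate the provider presented; <code>null</code> yields <code>false</code>
	 * @return <code>true</code> if any KeyName matched the certificate, <code>false</code> otherwise
	 */
	protected static boolean isValidCredential(EntityDescriptor provider, X509Certificate certificate) {

		if (provider == null || certificate == null) {
			log.info("No provider metadata or no credential supplied; cannot validate.");
			return false;
		}

		SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
		if (sp == null) {
			log.info("Inappropriate metadata for provider.");
			return false;
		}

		// The SubjectAltName extension does not depend on the metadata, so parse it once rather than
		// re-parsing the certificate for every KeyName in every KeyDescriptor.
		Collection altNames = null;
		try {
			altNames = certificate.getSubjectAlternativeNames();
		} catch (CertificateParsingException e) {
			log.error("Encountered an problem trying to extract Subject Alternate Name from supplied certificate: " + e);
		}

		// TODO figure out what to do about this role business here
		Iterator descriptors = sp.getKeyDescriptors();
		while (descriptors.hasNext()) {
			KeyInfo keyInfo = ((KeyDescriptor) descriptors.next()).getKeyInfo();
			if (keyInfo == null) {
				continue;
			}
			for (int l = 0; l < keyInfo.lengthKeyName(); l++) {
				try {
					String keyName = keyInfo.itemKeyName(l).getKeyName();
					if (keyName == null) {
						continue;
					}
					if (matchesSubjectDN(certificate, keyName)) {
						log.debug("Matched against DN.");
						return true;
					}
					if (matchesSubjectAltName(altNames, keyName)) {
						log.debug("Matched against SubjectAltName.");
						return true;
					}
					if (matchesHostName(certificate, keyName)) {
						log.debug("Matched against hostname.");
						return true;
					}
				} catch (XMLSecurityException e) {
					log.error("Encountered an error reading federation metadata: " + e);
				}
			}
		}
		log.info("Supplied credential not found in metadata.");
		return false;
	}

	/**
	 * Compares the certificate subject with a KeyName that is expected to be a DN, both in RFC 2253 string form.
	 * <p>
	 * NOTE(review): this is a string comparison of RFC 2253 forms, so attribute values are compared case-sensitively,
	 * unlike {@link X500Principal#equals(Object)} which compares canonical forms. Kept as-is so that the set of
	 * certificates accepted is not widened.
	 *
	 * @return <code>true</code> on an exact match; <code>false</code> if they differ or the KeyName is not a DN
	 */
	private static boolean matchesSubjectDN(X509Certificate certificate, String keyName) {

		try {
			String subject = certificate.getSubjectX500Principal().getName(X500Principal.RFC2253);
			String expected = new X500Principal(keyName).getName(X500Principal.RFC2253);
			return subject.equals(expected);
		} catch (IllegalArgumentException iae) {
			// A KeyName that is not a parseable DN is a legitimate case (it may be a hostname or URI),
			// so report "no match" and let the other strategies try.
			return false;
		}
	}

	/**
	 * Looks for an exact match of the KeyName among the dNSName and URI entries of the SubjectAltName extension.
	 *
	 * @param altNames the result of {@link X509Certificate#getSubjectAlternativeNames()}; may be <code>null</code>
	 * @param keyName the KeyName value from metadata
	 * @return <code>true</code> if a dNSName or URI entry equals the KeyName
	 */
	private static boolean matchesSubjectAltName(Collection altNames, String keyName) {

		if (altNames == null) { return false; }
		for (Iterator names = altNames.iterator(); names.hasNext();) {
			List altName = (List) names.next();
			int tag = ((Integer) altName.get(0)).intValue();
			if (tag == SAN_DNS_NAME || tag == SAN_URI) {
				// For these two tags the value is a String; other tags may carry byte[] and are not compared.
				if (keyName.equals(altName.get(1))) { return true; }
			}
		}
		return false;
	}

	/**
	 * SSL-style hostname matching: the hostname extracted from the subject DN must equal the KeyName exactly.
	 *
	 * @return <code>true</code> on an exact match; <code>false</code> if no hostname could be derived or it differs
	 */
	private static boolean matchesHostName(X509Certificate certificate, String keyName) {

		// TODO stop relying on this class
		String hostName = ShibBrowserProfile.getHostNameFromDN(certificate.getSubjectX500Principal());
		return hostName != null && hostName.equals(keyName);
	}

	/**
	 * Thrown when the credential a provider presented cannot be matched against its metadata.
	 * <p>
	 * Declared <code>static</code> so the exception does not capture (and, being Serializable, try to serialize) the
	 * enclosing handler instance.
	 */
	protected static class InvalidProviderCredentialException extends Exception {

		private static final long serialVersionUID = 1L;

		public InvalidProviderCredentialException(String message) {

			super(message);
		}
	}
}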