Messed up cast.
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / common / provider / ShibbolethTrust.java
index e0bb0e9..f0175e2 100644 (file)
@@ -1,41 +1,36 @@
 /*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
- * provided that the following conditions are met: Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
- * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
- * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
- * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
- * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
- * products derived from this software without specific prior written permission. For written permission, please contact
- * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
- * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
- * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
- * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
- * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
- * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 package edu.internet2.middleware.shibboleth.common.provider;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathValidator;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertStore;
+import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathBuilderResult;
 import java.security.cert.PKIXCertPathValidatorResult;
 import java.security.cert.TrustAnchor;
+import java.security.cert.X509CRL;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -45,8 +40,6 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import javax.security.auth.x500.X500Principal;
 
@@ -55,8 +48,21 @@ import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.keys.KeyInfo;
 import org.apache.xml.security.keys.content.KeyName;
 import org.apache.xml.security.keys.content.X509Data;
+import org.apache.xml.security.keys.content.x509.XMLX509CRL;
 import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
-
+import org.apache.xmlbeans.XmlException;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.DERObject;
+import org.bouncycastle.asn1.DERObjectIdentifier;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERSet;
+import org.bouncycastle.asn1.DERString;
+import org.opensaml.SAMLException;
+import org.opensaml.SAMLSignedObject;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
 import edu.internet2.middleware.shibboleth.common.Trust;
 import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
@@ -65,23 +71,83 @@ import edu.internet2.middleware.shibboleth.metadata.ExtendedEntityDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.KeyAuthority;
 import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
+import edu.internet2.middleware.shibboleth.serviceprovider.PluggableConfigurationComponent;
 
 /**
+ * <code>Trust</code> implementation that does PKIX validation against key authorities included in shibboleth-specific
+ * extensions to SAML 2 metadata.
+ * 
  * @author Walter Hoehn
  */
-public class ShibbolethTrust extends Trust {
+public class ShibbolethTrust extends BasicTrust implements Trust, PluggableConfigurationComponent {
 
        private static Logger log = Logger.getLogger(ShibbolethTrust.class.getName());
-       private static Pattern regex = Pattern.compile(".*?CN=([^,/]+).*");
+       private static final String CN_OID = "2.5.4.3";
+
+       /*
+        * @see edu.internet2.middleware.shibboleth.common.Trust#validate(java.security.cert.X509Certificate,
+        *      java.security.cert.X509Certificate[], edu.internet2.middleware.shibboleth.metadata.RoleDescriptor)
+        */
+       public boolean validate(X509Certificate certificateEE, X509Certificate[] certificateChain, RoleDescriptor descriptor) {
+
+               return validate(certificateEE, certificateChain, descriptor, true);
+       }
+
+       /*
+        * @see edu.internet2.middleware.shibboleth.common.Trust#validate(org.opensaml.SAMLSignedObject,
+        *      edu.internet2.middleware.shibboleth.metadata.RoleDescriptor)
+        */
+       public boolean validate(SAMLSignedObject token, RoleDescriptor descriptor) {
+
+               if (super.validate(token, descriptor)) return true;
+
+               /* Certificates supplied with the signed object */
+               ArrayList/* <X509Certificate> */certificates = new ArrayList/* <X509Certificate> */();
+               X509Certificate certificateEE = null;
+
+               /* Iterate to count the certificates, and look for the signer */
+               Iterator icertificates;
+               try {
+                       icertificates = token.getX509Certificates();
+               } catch (SAMLException e1) {
+                       return false;
+               }
+               while (icertificates.hasNext()) {
+                       X509Certificate certificate = (X509Certificate) icertificates.next();
+                       try {
+                               token.verify(certificate);
+                               // This is the certificate that signed the object
+                               certificateEE = certificate;
+                               certificates.add(certificate);
+                       } catch (SAMLException e) {
+                               certificates.add(certificate);
+                       }
+               }
 
-       public boolean validate(RoleDescriptor descriptor, X509Certificate[] certificateChain, int keyUse) {
+               if (certificateEE == null) return false; // No key validates the signature
+
+               // With a count we can now build a typed array
+               X509Certificate[] certificateChain = new X509Certificate[certificates.size()];
+               int i = 0;
+               for (icertificates = certificates.iterator(); icertificates.hasNext();) {
+                       certificateChain[i++] = (X509Certificate) icertificates.next();
+               }
+               return validate(certificateEE, certificateChain, descriptor);
+       }
+
+       /*
+        * @see edu.internet2.middleware.shibboleth.common.Trust#validate(java.security.cert.X509Certificate,
+        *      java.security.cert.X509Certificate[], edu.internet2.middleware.shibboleth.metadata.RoleDescriptor, boolean)
+        */
+       public boolean validate(X509Certificate certificateEE, X509Certificate[] certificateChain,
+                       RoleDescriptor descriptor, boolean checkName) {
 
                // If we can successfully validate with an inline key, that's fine
-               boolean defaultValidation = super.validate(descriptor, certificateChain, keyUse);
+               boolean defaultValidation = super.validate(certificateEE, certificateChain, descriptor, checkName);
                if (defaultValidation == true) { return true; }
 
                // Make sure we have the data we need
-               if (descriptor == null || certificateChain == null || certificateChain.length < 1) {
+               if (descriptor == null || certificateEE == null) {
                        log.error("Appropriate data was not supplied for trust evaluation.");
                        return false;
                }
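Review bot: The guard at the top of the four-argument validate() no longer rejects a null or empty certificateChain (the old `certificateChain == null || certificateChain.length < 1` test was dropped when certificateEE was added), yet the method body, which continues in the next hunk, still dereferences `certificateChain[0]` for the subject-name check, so an external caller of the public three- or four-argument validate() passing a null or empty chain now gets a NullPointerException or ArrayIndexOutOfBoundsException out of trust evaluation instead of a logged false. Restore the check: `if (descriptor == null || certificateEE == null || certificateChain == null || certificateChain.length < 1) {`. The SAMLSignedObject overload in this hunk is safe on its own because it returns false before it can build an empty chain, but the lower-level entry points are public and are what it delegates to. Separately, the `catch (SAMLException e1) { return false; }` around getX509Certificates() is the only failure path in this class that returns false without logging; a `log.error("Unable to extract certificates from signed object: " + e1);` would keep it consistent with the rest.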
@@ -90,42 +156,57 @@ public class ShibbolethTrust extends Trust {
 
                // First, we want to see if we can match a keyName from the metadata against the cert
                // Iterator through all the keys in the metadata
-               Iterator keyDescriptors = descriptor.getKeyDescriptors();
-               while (keyDescriptors.hasNext()) {
-                       // Look for a key descriptor with the right usage bits
-                       KeyDescriptor keyDescriptor = (KeyDescriptor) keyDescriptors.next();
-                       if (keyDescriptor.getUse() != KeyDescriptor.UNSPECIFIED && keyDescriptor.getUse() != keyUse) {
-                               log.debug("Role contains a key descriptor, but the usage specification is not valid for this action.");
-                               continue;
-                       }
+               if (checkName) {
+
+                       if (matchProviderId(certificateChain[0], descriptor.getEntityDescriptor().getId())) {
+                               checkName = false;
+                       } else {
+
+                               Iterator keyDescriptors = descriptor.getKeyDescriptors();
+                               while (checkName && keyDescriptors.hasNext()) {
+                                       // Look for a key descriptor with the right usage bits
+                                       KeyDescriptor keyDescriptor = (KeyDescriptor) keyDescriptors.next();
+                                       if (keyDescriptor.getUse() == KeyDescriptor.ENCRYPTION) {
+                                               log.debug("Skipping key descriptor with inappropriate usage indicator.");
+                                               continue;
+                                       }
 
-                       // We found one, see if we can match the metadata's keyName against the cert
-                       KeyInfo keyInfo = keyDescriptor.getKeyInfo();
-                       if (keyInfo.containsKeyName()) {
-                               for (int i = 0; i < keyInfo.lengthKeyName(); i++) {
-                                       try {
-                                               if (matchKeyName(certificateChain[0], keyInfo.itemKeyName(i))) {
-                                                       // If we find a match, try to do path validation against any key authorities we might have
-                                                       // in the metadata
-                                                       if (pkixValidate(certificateChain, descriptor.getEntityDescriptor())) { return true; }
+                                       // We found one, see if we can match the metadata's keyName against the cert
+                                       KeyInfo keyInfo = keyDescriptor.getKeyInfo();
+                                       if (keyInfo.containsKeyName()) {
+                                               for (int i = 0; i < keyInfo.lengthKeyName(); i++) {
+                                                       try {
+                                                               if (matchKeyName(certificateChain[0], keyInfo.itemKeyName(i))) {
+                                                                       checkName = false;
+                                                                       break;
+                                                               }
+                                                       } catch (XMLSecurityException e) {
+                                                               log.error("Problem retrieving key name from metadata: " + e);
+                                                       }
                                                }
-                                       } catch (XMLSecurityException e) {
-                                               log.error("Problem retrieving key name from metadata: " + e);
                                        }
                                }
                        }
                }
+
+               if (checkName) {
+                       log.error("cannot match certificate subject against acceptable key names based on the "
+                                       + "metadata entityId or KeyDescriptors");
+                       return false;
+               }
+
+               if (pkixValidate(certificateEE, certificateChain, descriptor.getEntityDescriptor())) { return true; }
                return false;
        }
 
-       private boolean pkixValidate(X509Certificate[] certChain, EntityDescriptor entity) {
+       private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, EntityDescriptor entity) {
 
                if (entity instanceof ExtendedEntityDescriptor) {
                        Iterator keyAuthorities = ((ExtendedEntityDescriptor) entity).getKeyAuthorities();
                        // if we have any key authorities, construct a flat list of trust anchors representing each and attempt to
                        // validate against them in turn
                        while (keyAuthorities.hasNext()) {
-                               if (pkixValidate(certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
+                               if (pkixValidate(certEE, certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
                        }
                }
 
@@ -133,14 +214,14 @@ public class ShibbolethTrust extends Trust {
                // nested entities and attempt to validate at each group level
                EntitiesDescriptor group = entity.getEntitiesDescriptor();
                if (group != null) {
-                       if (pkixValidate(certChain, group)) { return true; }
+                       if (pkixValidate(certEE, certChain, group)) { return true; }
                }
 
                // We've walked the entire metadata chain with no success, so fail
                return false;
        }
 
-       private boolean pkixValidate(X509Certificate[] certChain, EntitiesDescriptor group) {
+       private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, EntitiesDescriptor group) {
 
                log.debug("Attemping to validate against parent group.");
                if (group instanceof ExtendedEntitiesDescriptor) {
@@ -148,27 +229,29 @@ public class ShibbolethTrust extends Trust {
                        // if we have any key authorities, construct a flat list of trust anchors representing each and attempt to
                        // validate against them in turn
                        while (keyAuthorities.hasNext()) {
-                               if (pkixValidate(certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
+                               if (pkixValidate(certEE, certChain, (KeyAuthority) keyAuthorities.next())) { return true; }
                        }
                }
 
                // If not, attempt to walk up the chain for validation
                EntitiesDescriptor parent = group.getEntitiesDescriptor();
                if (parent != null) {
-                       if (pkixValidate(certChain, parent)) { return true; }
+                       if (pkixValidate(certEE, certChain, parent)) { return true; }
                }
 
                return false;
        }
 
-       private boolean pkixValidate(X509Certificate[] certChain, KeyAuthority authority) {
+       private boolean pkixValidate(X509Certificate certEE, X509Certificate[] certChain, KeyAuthority authority) {
 
                Set anchors = new HashSet();
+               Set crls = new HashSet();
                Iterator keyInfos = authority.getKeyInfos();
                while (keyInfos.hasNext()) {
                        KeyInfo keyInfo = (KeyInfo) keyInfos.next();
                        if (keyInfo.containsX509Data()) {
                                try {
+                                       // Add all certificates in the authority as trust anchors
                                        for (int i = 0; i < keyInfo.lengthX509Data(); i++) {
                                                X509Data data = keyInfo.itemX509Data(i);
                                                if (data.containsCertificate()) {
@@ -177,7 +260,23 @@ public class ShibbolethTrust extends Trust {
                                                                anchors.add(new TrustAnchor(xmlCert.getX509Certificate(), null));
                                                        }
                                                }
+                                               // Compile all CRLs in the authority
+                                               if (data.containsCRL()) {
+                                                       for (int j = 0; j < data.lengthCRL(); j++) {
+                                                               XMLX509CRL xmlCrl = data.itemCRL(j);
+                                                               try {
+                                                                       X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(
+                                                                                       new ByteArrayInputStream(xmlCrl.getCRLBytes()));
+                                                                       if (crl.getRevokedCertificates() != null && crl.getRevokedCertificates().size() > 0) {
+                                                                               crls.add(crl);
+                                                                       }
+                                                               } catch (GeneralSecurityException e) {
+                                                                       log.error("Encountered an error parsing CRL from shibboleth metadata: " + e);
+                                                               }
+                                                       }
+                                               }
                                        }
+
                                } catch (XMLSecurityException e) {
                                        log.error("Encountered an error constructing trust list from shibboleth metadata: " + e);
                                }
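Review bot: A CRL with no revoked entries is discarded by the `crl.getRevokedCertificates() != null && crl.getRevokedCertificates().size() > 0` test, but an empty CRL is still the issuer's current revocation statement; once the next hunk turns revocation checking on because some other CRL in the same authority is non-empty, a path ending at an anchor whose only CRL was empty has no CRL in the CertStore and PKIX validation fails for it. Add every CRL that parses: `crls.add(crl);` with no size test, and let the validator decide. `CertificateFactory.getInstance("X.509")` is also created once per CRL inside the loop; one factory per authority (or a static) is enough. The pkixValidate(KeyAuthority) method continues past the end of this hunk.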
@@ -191,17 +290,21 @@ public class ShibbolethTrust extends Trust {
                                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
 
                                X509CertSelector selector = new X509CertSelector();
-                               selector.setCertificate(certChain[0]);
+                               selector.setCertificate(certEE);
                                PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
                                params.setMaxPathLength(authority.getVerifyDepth());
-                               CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays
-                                               .asList(certChain)));
+                               List storeMaterial = new ArrayList(crls);
+                               storeMaterial.addAll(Arrays.asList(certChain));
+                               CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));
                                List stores = new ArrayList();
                                stores.add(store);
                                params.setCertStores(stores);
-                               //TODO hmm... what about revocation
-                               params.setRevocationEnabled(false);
-
+                               if (crls.size() > 0) {
+                                       params.setRevocationEnabled(true);
+                               } else {
+                                       params.setRevocationEnabled(false);
+                               }
+                               // System.err.println(params.toString());
                                CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
                                PKIXCertPathBuilderResult buildResult = (PKIXCertPathBuilderResult) builder.build(params);
 
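Review bot: Revocation checking is enabled only when the metadata carried at least one CRL, so a key authority that publishes none is validated with revocation silently disabled; the old `//TODO hmm... what about revocation` is gone, but the condition it flagged is now the unannounced default. That may be the intended policy for metadata-distributed CRLs, but it should be stated where the decision is made, e.g. `// Revocation is checked only against CRLs carried in metadata; with none present PKIX revocation is off.` above the branch, and the branch itself collapses to `params.setRevocationEnabled(!crls.isEmpty());`. The commented-out `// System.err.println(params.toString());` should be removed rather than left as a debugging hook; if the builder parameters are worth seeing, `log.debug` them. Note that the Collection CertStore now mixes trusted metadata CRLs with peer-supplied certificates, which is acceptable for PKIX building but worth a one-line comment so nobody later assumes the whole store is trusted.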
@@ -264,14 +367,116 @@ public class ShibbolethTrust extends Trust {
                return false;
        }
 
-       private static String getHostNameFromDN(X500Principal dn) {
+       public static String[] getCredentialNames(X509Certificate certificate) {
+               ArrayList names = new ArrayList();
+               names.add(certificate.getSubjectX500Principal().getName(X500Principal.RFC2253));
+               try {
+                       Collection altNames = certificate.getSubjectAlternativeNames();
+                       if (altNames != null) {
+                               for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
+                                       List altName = (List) nameIterator.next();
+                                       if (altName.get(0).equals(new Integer(2))) { // 2 is DNS
+                                               names.add(altName.get(1));
+                                       }
+                                       else if (altName.get(0).equals(new Integer(6))) { // 6 is URI
+                                               names.add(altName.get(1));
+                                       }
+                               }
+                       }
+               } catch (CertificateParsingException e1) {
+                       log.error("Encountered an problem trying to extract Subject Alternate "
+                                       + "Name from supplied certificate: " + e1);
+               }
+               names.add(getHostNameFromDN(certificate.getSubjectX500Principal()));
+               return (String[]) names.toArray(new String[1]);
+       }
+       
+       private static boolean matchProviderId(X509Certificate certificate, String id) {
+
+               // Try matching against URI Subject Alt Names
+               try {
+                       Collection altNames = certificate.getSubjectAlternativeNames();
+                       if (altNames != null) {
+                               for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
+                                       List altName = (List) nameIterator.next();
+                                       if (altName.get(0).equals(new Integer(6))) { // 6 is URI
+                                               if (altName.get(1).equals(id)) {
+                                                       log.debug("Entity ID matched against SubjectAltName.");
+                                                       return true;
+                                               }
+                                       }
+                               }
+                       }
+               } catch (CertificateParsingException e1) {
+                       log.error("Encountered an problem trying to extract Subject Alternate "
+                                       + "Name from supplied certificate: " + e1);
+               }
+
+               // If that doesn't work, try to match using
+               // SSL-style hostname matching
+               if (getHostNameFromDN(certificate.getSubjectX500Principal()).equals(id)) {
+                       log.debug("Entity ID matched against hostname.");
+                       return true;
+               }
+
+               return false;
+       }
+
+       public static String getHostNameFromDN(X500Principal dn) {
+
+               // Parse the ASN.1 representation of the dn and grab the last CN component that we find
+               // We used to do this with the dn string, but the JDK's default parsing caused problems with some DNs
+               try {
+                       ASN1InputStream asn1Stream = new ASN1InputStream(dn.getEncoded());
+                       DERObject parent = asn1Stream.readObject();
+
+                       if (!(parent instanceof DERSequence)) {
+                               log.error("Unable to extract host name name from certificate subject DN: incorrect ASN.1 encoding.");
+                               return null;
+                       }
+
+                       String cn = null;
+                       for (int i = 0; i < ((DERSequence) parent).size(); i++) {
+                               DERObject dnComponent = ((DERSequence) parent).getObjectAt(i).getDERObject();
+                               if (!(dnComponent instanceof DERSet)) {
+                                       log.debug("No DN components.");
+                                       continue;
+                               }
+
+                               // Each DN component is a set
+                               for (int j = 0; j < ((DERSet) dnComponent).size(); j++) {
+                                       DERObject grandChild = ((DERSet) dnComponent).getObjectAt(j).getDERObject();
+
+                                       if (((DERSequence) grandChild).getObjectAt(0) != null
+                                                       && ((DERSequence) grandChild).getObjectAt(0).getDERObject() instanceof DERObjectIdentifier) {
+                                               DERObjectIdentifier componentId = (DERObjectIdentifier) ((DERSequence) grandChild).getObjectAt(
+                                                               0).getDERObject();
 
-               Matcher matches = regex.matcher(dn.getName(X500Principal.RFC2253));
-               if (!matches.find() || matches.groupCount() > 1) {
-                       log.error("Unable to extract host name name from certificate subject DN.");
+                                               if (CN_OID.equals(componentId.getId())) {
+                                                       // OK, this dn component is actually a cn attribute
+                                                       if (((DERSequence) grandChild).getObjectAt(1) != null
+                                                                       && ((DERSequence) grandChild).getObjectAt(1).getDERObject() instanceof DERString) {
+                                                               cn = ((DERString) ((DERSequence) grandChild).getObjectAt(1).getDERObject()).getString();
+                                                       }
+                                               }
+                                       }
+                               }
+                       }
+                       asn1Stream.close();
+                       return cn;
+
+               } catch (IOException e) {
+                       log.error("Unable to extract host name name from certificate subject DN: ASN.1 parsing failed: " + e);
                        return null;
                }
-               return matches.group(1);
+       }
+
+       public void initialize(Node dom) throws XmlException, ShibbolethConfigurationException {
+               
+       }
+
+       public void initialize(Element dom) throws SAMLException, XmlException, ShibbolethConfigurationException {
+               
        }
 
 }
\ No newline at end of file
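Review bot: matchProviderId dereferences the result of getHostNameFromDN without a null check (`getHostNameFromDN(...).equals(id)`), and getHostNameFromDN returns null whenever the subject has no CN or its top-level ASN.1 is not a SEQUENCE, so a peer certificate with, for example, only an emailAddress in its subject turns trust evaluation into a NullPointerException rather than a logged false; write it as `if (id.equals(getHostNameFromDN(certificate.getSubjectX500Principal()))) {` or bind the name to a local and test it for null. In getHostNameFromDN the `(DERSequence) grandChild` casts are unchecked and a ClassCastException is not caught by `catch (IOException e)`, so a malformed subject DN from an untrusted peer propagates out of the trust check; guard with `if (!(grandChild instanceof DERSequence)) continue;` before the first cast, and move `asn1Stream.close()` into a finally block so the stream is closed on the error path too. The comment "SSL-style hostname matching" overstates what follows — it is an exact, case-sensitive compare of the last CN against the entityId with no wildcard handling — and should say so. getCredentialNames likewise appends the possibly-null CN to the returned array; skip it when null so callers can safely call equals() on every entry. The two empty initialize() overloads are fine for a component with no configuration, but a one-line comment saying that would save a reader from looking for a missing body.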