+++ /dev/null
-#!/bin/sh
-
-##We need a JVM
-if [ ! -n "$JAVA_HOME" ] ; then
- echo "Error: JAVA_HOME is not defined."
- exit
-fi
-
-if [ ! -n "$JAVACMD" ] ; then
- JAVACMD=$JAVA_HOME/bin/java
-fi
-
-if [ ! -x "$JAVACMD" ] ; then
- echo "Error: JAVA_HOME is not defined correctly."
- echo "Cannot execute $JAVACMD"
- exit
-fi
-
-
-##Find the shibboleth components
-if [ ! -n "$IDP_HOME" ] ; then
- echo "Error: IDP_HOME is not defined."
- exit
-fi
-
-if [ ! \( -f "$IDP_HOME/lib/shib-util.jar" -a -r "$IDP_HOME/lib/shib-util.jar" \) ] ; then
- echo "Error: Cannot find the shibboleth jar (shib-util.jar)."
- echo " If you downloaded the shibboleth source, you need to run \"ant build-util\""
- exit
-fi
-
-ENDORSED=$IDP_HOME/endorsed/
-
-##Grab all the dependencies
-if [ -n "$CLASSPATH" ] ; then
- SHIB_UTIL_CLASSPATH=$CLASSPATH
-fi
-
-DIRLIBS=${IDP_HOME}/lib/*.jar
-for i in ${DIRLIBS}
-do
- # if the directory is empty, then it will return the input string
- # this is stupid, so case for it
- if [ "$i" != "${DIRLIBS}" ] ; then
- if [ -z "$SHIB_UTIL_CLASSPATH" ] ; then
- SHIB_UTIL_CLASSPATH=$i
- else
- SHIB_UTIL_CLASSPATH="$i":$SHIB_UTIL_CLASSPATH
- fi
- fi
-done
-
-SHIB_UTIL_CLASSPATH=$SHIB_UTIL_CLASSPATH:"$IDP_HOME"
-
-##Here we go
-$JAVACMD -Djava.endorsed.dirs="$ENDORSED" -cp $SHIB_UTIL_CLASSPATH edu.internet2.middleware.shibboleth.utils.ResolverTest "$@"
+++ /dev/null
-@echo off
-setlocal
-
-REM We need a JVM
-if not defined JAVA_HOME (
- echo Error: JAVA_HOME is not defined.
- exit /b
-)
-
-if not defined JAVACMD (
- set JAVACMD="%JAVA_HOME%\bin\java.exe"
-)
-
-if not exist %JAVACMD% (
- echo Error: JAVA_HOME is not defined correctly.
- echo Cannot execute %JAVACMD%
- exit /b
-)
-
-REM The root of the Shibboleth package tree, relative to the run directory
-if not defined IDP_HOME (
- echo Error: IDP_HOME is not defined.
- exit /b
-)
-
-set ENDORSED=%IDP_HOME%\endorsed
-
-if not exist %IDP_HOME%\lib\shib-util.jar (
- echo Error: Cannot find shib-util.jar
- echo If you downloaded the shibboleth source, you need to run "ant build-util"
- exit /b
-)
-
-REM Grab all the dependencies
-if defined CLASSPATH (
- set LOCALCLASSPATH=%CLASSPATH%
-)
-
-REM add in the dependency .jar files
-for %%i in (%IDP_HOME%\lib\*.jar) do (
- call %IDP_HOME%\bin\cpappend.bat %%i
-)
-
-REM Here we go
-%JAVACMD% -Djava.endorsed.dirs="%ENDORSED%" -cp "%LOCALCLASSPATH%" edu.internet2.middleware.shibboleth.utils.ResolverTest %*
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
- * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
- * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.xml.namespace.QName;
-
-import org.apache.log4j.Logger;
-import org.apache.xml.security.signature.XMLSignature;
-import org.opensaml.InvalidCryptoException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLResponse;
-import org.opensaml.saml2.metadata.EntitiesDescriptor;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.RoleDescriptor;
-import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.TrustEngine;
-import org.opensaml.security.X509EntityCredential;
-import org.opensaml.xml.XMLObject;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
-import edu.internet2.middleware.shibboleth.common.Credential;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.RelyingPartyMapper;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrustEngine;
-import edu.internet2.middleware.shibboleth.metadata.MetadataProviderFactory;
-
-/**
- * IdPProtocolSupport implementation that offers functionality that is not specific to a particular request.
- *
- * @author Walter Hoehn
- */
-public class GeneralProtocolSupport implements IdPProtocolSupport, MetadataProvider {
-
- private static Logger log = Logger.getLogger(GeneralProtocolSupport.class.getName());
- private Logger transactionLog;
- private IdPConfig config;
- private RelyingPartyMapper rpMapper;
- private ArpEngine arpEngine;
- private AttributeResolver resolver;
- private ArtifactMapper artifactMapper;
- private Semaphore throttle;
- private TrustEngine<X509Credential> trust = new ShibbolethTrustEngine();
- private ChainingMetadataProvider wrappedMetadataProvider = new ChainingMetadataProvider();
-
- GeneralProtocolSupport(IdPConfig config, Logger transactionLog, RelyingPartyMapper spMapper, ArpEngine arpEngine,
- AttributeResolver resolver, ArtifactMapper artifactMapper) throws ShibbolethConfigurationException {
-
- this.transactionLog = transactionLog;
- this.config = config;
- this.rpMapper = spMapper;
- spMapper.setMetadata(this);
- this.arpEngine = arpEngine;
- this.resolver = resolver;
- this.artifactMapper = artifactMapper;
-
- // Load a semaphore that throttles how many requests the IdP will handle at once
- throttle = new Semaphore(config.getMaxThreads());
- }
-
- public Logger getTransactionLog() {
-
- return transactionLog;
- }
-
- public IdPConfig getIdPConfig() {
-
- return config;
- }
-
- public RelyingPartyMapper getRelyingPartyMapper() {
-
- return rpMapper;
- }
-
- public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
- SAMLException {
-
- if (relyingParty.getIdentityProvider().getSigningCredential() == null
- || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
- SAMLException.RESPONDER, "Invalid signing credential."); }
-
- for (int i = 0; i < assertions.length; i++) {
- String assertionAlgorithm;
- if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
- } else {
- throw new InvalidCryptoException(SAMLException.RESPONDER,
- "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
- }
-
- try {
- throttle.enter();
- assertions[i].sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
- .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
- .getX509CertificateChain()));
- } finally {
- throttle.exit();
- }
- }
- }
-
- public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException {
-
- // Make sure we have an appropriate credential
- if (relyingParty.getIdentityProvider().getSigningCredential() == null
- || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
- SAMLException.RESPONDER, "Invalid signing credential."); }
-
- // Sign the response
- String responseAlgorithm;
- if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
- responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
- responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
- } else {
- throw new InvalidCryptoException(SAMLException.RESPONDER,
- "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
- }
- try {
- throttle.enter();
- response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
- Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
- } finally {
- throttle.exit();
- }
- }
-
- public void addMetadataProvider(Element element) {
-
- log.debug("Found Metadata Provider configuration element.");
- if (!element.getTagName().equals("MetadataProvider")) {
- log.error("Error while attemtping to load Metadata Provider. Malformed provider specificaion.");
- return;
- }
-
- try {
- wrappedMetadataProvider.addMetadataProvider(MetadataProviderFactory.loadProvider(element));
- } catch (MetadataProviderException e) {
- log.error("Unable to load Metadata Provider. Skipping...");
- }
-
- }
-
- public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
- String requester) throws AAException {
-
- try {
- Collection<URI> potentialAttributes = arpEngine.listPossibleReleaseAttributes(principal, requester);
- return getReleaseAttributes(principal, relyingParty, requester, potentialAttributes);
-
- } catch (ArpProcessingException e) {
- log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
- + e.getMessage());
- throw new AAException("Error retrieving data for principal.");
- }
- }
-
- public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
- String requester, Collection<URI> attributeNames) throws AAException {
-
- try {
- Map<String, AAAttribute> attributes = new HashMap<String, AAAttribute>();
- for (URI name : attributeNames) {
-
- AAAttribute attribute = new AAAttribute(name.toString(), false);
- attributes.put(attribute.getName(), attribute);
- }
-
- Collection<URI> constraintAttributes = arpEngine.listRequiredConstraintAttributes(principal, requester,
- attributeNames);
- for (URI name : constraintAttributes) {
- if (!attributes.containsKey(name.toString())) {
- // don't care about schema hack since these attributes won't be returned to SP
- AAAttribute attribute = new AAAttribute(name.toString(), false);
- attributes.put(attribute.getName(), attribute);
- }
- }
-
- return resolveAttributes(principal, requester, relyingParty.getIdentityProvider().getProviderId(),
- attributes);
-
- } catch (SAMLException e) {
- log.error("An error occurred while creating attributes for principal (" + principal.getName() + ") :"
- + e.getMessage());
- throw new AAException("Error retrieving data for principal.");
-
- } catch (ArpProcessingException e) {
- log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
- + e.getMessage());
- throw new AAException("Error retrieving data for principal.");
- }
- }
-
- public Collection<? extends SAMLAttribute> resolveAttributes(Principal principal, String requester,
- String responder, Map<String, AAAttribute> attributeSet) throws ArpProcessingException {
-
- resolver.resolveAttributes(principal, requester, responder, attributeSet);
- arpEngine.filterAttributes(attributeSet.values(), principal, requester);
- return attributeSet.values();
- }
-
- public Collection<? extends SAMLAttribute> resolveAttributesNoPolicies(Principal principal, String requester,
- String responder, Map<String, AAAttribute> attributeSet) {
-
- resolver.resolveAttributes(principal, requester, responder, attributeSet);
- return attributeSet.values();
- }
-
- /**
- * Cleanup resources that won't be released when this object is garbage-collected
- */
- public void destroy() {
-
- resolver.destroy();
- arpEngine.destroy();
- }
-
- public ArtifactMapper getArtifactMapper() {
-
- return artifactMapper;
- }
-
- public TrustEngine<X509Credential> getTrustEngine() {
-
- return trust;
- }
-
- public boolean requireValidMetadata() {
-
- return wrappedMetadataProvider.requireValidMetadata();
- }
-
- public void setRequireValidMetadata(boolean requireValidMetadata) {
-
- wrappedMetadataProvider.setRequireValidMetadata(requireValidMetadata);
- }
-
- public MetadataFilter getMetadataFilter() {
-
- return wrappedMetadataProvider.getMetadataFilter();
- }
-
- public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
-
- wrappedMetadataProvider.setMetadataFilter(newFilter);
- }
-
- public XMLObject getMetadata() throws MetadataProviderException {
-
- return wrappedMetadataProvider.getMetadata();
- }
-
- public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
-
- return wrappedMetadataProvider.getEntitiesDescriptor(name);
- }
-
- public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
-
- return wrappedMetadataProvider.getEntityDescriptor(entityID);
- }
-
- public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
-
- return wrappedMetadataProvider.getRole(entityID, roleName);
- }
-
- public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
- throws MetadataProviderException {
-
- return wrappedMetadataProvider.getRole(entityID, roleName, supportedProtocol);
- }
-
- public int providerCount() {
-
- return wrappedMetadataProvider.getProviders().size();
- }
-
- private class Semaphore {
-
- private int value;
-
- public Semaphore(int value) {
-
- this.value = value;
- }
-
- public synchronized void enter() {
-
- --value;
- if (value < 0) {
- try {
- wait();
- } catch (InterruptedException e) {
- // squelch and continue
- }
- }
- }
-
- public synchronized void exit() {
-
- ++value;
- notify();
- }
- }
-
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import org.apache.log4j.Logger;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-
-/**
- * @author Walter Hoehn
- */
-public class IdPConfig {
-
- // TODO re-evaluate whether or not we need this class... most of it has gone away anyway
-
- public static final String configNameSpace = "urn:mace:shibboleth:idp:config:1.0";
- private String resolverConfig = "/conf/resolver.xml";
-
- private int maxThreads = 30;
-
- private static Logger log = Logger.getLogger(IdPConfig.class.getName());
-
- public IdPConfig(Element config) throws ShibbolethConfigurationException {
-
- if (!config.getTagName().equals("IdPConfig")) { throw new ShibbolethConfigurationException(
- "Unexpected configuration data. <IdPConfig/> is needed."); }
-
- log.debug("Loading global configuration properties.");
-
- // Attribute resolver config file location
- String rawResolverConfig = ((Element) config).getAttribute("resolverConfig");
- if (rawResolverConfig != null && !rawResolverConfig.equals("")) {
- resolverConfig = rawResolverConfig;
- }
-
- String attribute = ((Element) config).getAttribute("maxSigningThreads");
- if (attribute != null && !attribute.equals("")) {
- try {
- maxThreads = Integer.parseInt(attribute);
- } catch (NumberFormatException e) {
- log.error("(maxSigningThreads) attribute to is not a valid integer.");
- throw new ShibbolethConfigurationException("Configuration is invalid.");
- }
- }
-
- attribute = ((Element) config).getAttribute("authHeaderName");
-
- log.debug("Global IdP config: (maxSigningThreads) = (" + getMaxThreads() + ").");
-
- log.debug("Global IdP config: (resolverConfig) = (" + getResolverConfigLocation() + ").");
-
- }
-
- public String getResolverConfigLocation() {
-
- return resolverConfig;
- }
-
- public int getMaxThreads() {
-
- return maxThreads;
- }
-
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * Defines the processing for an IdP-supported protocol. A particular <code>IdPProtocolHandler</code> implementation
- * is registered to process requests delivered from one or more URL locations. Core IdP functionality is delivered
- * through the <code>IdPProtocolSupport</code> class.
- *
- * @author Walter Hoehn
- */
-public interface IdPProtocolHandler {
-
- /**
- * Retreives a textual name for the handler for display purposes.
- */
- public String getHandlerName();
-
- /**
- * Runs the protocol-specific request processing. Responsible for updating the <code>HttpServletResponse</code>.
- *
- * @throws RequestHandlingException
- * if the handler is unable to successfully respond with a successfull protocol exchange or a
- * protocol-defined error message
- */
- public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
- throws RequestHandlingException, ServletException;
-
- /**
- * Returns the locations for which this handler should process requests.
- */
- public String[] getLocations();
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
- * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
- * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.Map;
-
-import org.apache.log4j.Logger;
-import org.opensaml.InvalidCryptoException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLResponse;
-import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.security.TrustEngine;
-import org.opensaml.security.X509EntityCredential;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.RelyingPartyMapper;
-
-/**
- * Delivers core IdP functionality (Attribute resolution, ARP filtering, Metadata lookup, Signing, Mapping between local &
- * SAML identifiers, etc.) to components that process protocol-specific requests.
- *
- * @author Walter Hoehn
- */
-public interface IdPProtocolSupport extends MetadataProvider {
-
- /**
- * Facility for logging transaction information. Should be used by most Protocol Hanlder implementations.
- */
- public Logger getTransactionLog();
-
- /**
- * Access to system-wide configuration.
- */
- public IdPConfig getIdPConfig();
-
- /**
- * Access to relying party-specific configuration.
- */
- public RelyingPartyMapper getRelyingPartyMapper();
-
- public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
- SAMLException;
-
- public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException;
-
- /**
- * Registered a metadata provider based on supplied XML configuration.
- */
- public void addMetadataProvider(Element element);
-
- public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
- String requester) throws AAException;
-
- public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
- String requester, Collection<URI> attributeNames) throws AAException;
-
- public Collection<? extends SAMLAttribute> resolveAttributes(Principal principal, String requester,
- String responder, Map<String, AAAttribute> attributeSet) throws ArpProcessingException;
-
- public Collection<? extends SAMLAttribute> resolveAttributesNoPolicies(Principal principal, String requester,
- String responder, Map<String, AAAttribute> attributeSet);
-
- /**
- * Cleanup resources that won't be released when this object is garbage-collected
- */
- public void destroy();
-
- public ArtifactMapper getArtifactMapper();
-
- /**
- * Returns an OpenSAML2 Trust Engine implementation.
- */
- public TrustEngine<X509Credential> getTrustEngine();
-
- /**
- * Returns the number of active Metadata Providers.
- */
- public int providerCount();
-
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-/**
- * @author Walter Hoehn
- */
-public class InvalidClientDataException extends Exception {
-
- public InvalidClientDataException(String message) {
-
- super(message);
- }
-
-}
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationTargetException;
-
-import org.apache.log4j.Logger;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-
-/**
- * Factory class for loading <code>ProtocolHandler</code> implementations based on xml configuration.
- *
- * @author Walter Hoehn
- */
-public class ProtocolHandlerFactory {
-
- private static Logger log = Logger.getLogger(ProtocolHandlerFactory.class.getName());
-
- public static IdPProtocolHandler getInstance(Element config) throws ShibbolethConfigurationException {
-
- String implementation = config.getAttribute("implementation");
- if (implementation == null || implementation.equals("")) {
- log.error("No Protocol Handler implementation specified. Attribute (implementation) is "
- + "required with element <ProtocolHandler/>.");
- throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-
- } else {
-
- try {
- log.debug("Loading Protocol Handler implementation: (" + implementation + ").");
- Class implClass = Class.forName(implementation);
- Constructor constructor = implClass.getConstructor(new Class[]{Element.class});
- Object rawImpl = constructor.newInstance(new Object[]{config});
-
- if (rawImpl instanceof IdPProtocolHandler) {
- return (IdPProtocolHandler) rawImpl;
- } else {
- log.error("Invalid configuration, supplied implementation class for the Protocol Handler "
- + "does not properly implement the required IdPProtocolHandler interface.");
- throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
- }
-
- } catch (ClassNotFoundException e) {
- log.error("Invalid configuration, supplied implementation class for the Protocol Handler "
- + "could not be found: " + e.getMessage());
- throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-
- } catch (NoSuchMethodException e) {
- log.error("Invalid configuration, supplied implementation class for the Protocol Handler is "
- + "not valid. A DOM Element constructor is required: " + e.getMessage());
- throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-
- } catch (InvocationTargetException e) {
- Throwable cause = e.getCause();
- if (cause != null) {
- log.error(cause.getMessage());
- }
- log.error("Invalid configuration, supplied implementation class for the Protocol Handler"
- + " could not be loaded: " + e.getMessage());
- throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
- } catch (Exception e) {
- log.error("Invalid configuration, supplied implementation class for the Protocol Handler"
- + " could not be loaded: " + e.getMessage());
- throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
- }
- }
- }
-
-}
\ No newline at end of file
+++ /dev/null
-
-package edu.internet2.middleware.shibboleth.idp;
-
-/**
- * Signals that an IdPProtocolHandler was unable to respond appropriately to a request.
- */
-public class RequestHandlingException extends Exception {
-
- public RequestHandlingException(String message) {
-
- super(message);
- }
-
-}
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.xml.namespace.QName;
-
-import org.apache.log4j.Logger;
-import org.opensaml.InvalidCryptoException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLResponse;
-import org.opensaml.saml2.metadata.EntitiesDescriptor;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.RoleDescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.TrustEngine;
-import org.opensaml.security.X509EntityCredential;
-import org.opensaml.xml.XMLObject;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.RelyingPartyMapper;
-
-/**
- * IdPProtocolSupport implementation that offers functionality that is specific to a particular request.
- *
- * @author Walter Hoehn
- */
-public class RequestSpecificProtocolSupport implements IdPProtocolSupport {
-
- IdPProtocolSupport wrapped;
-
- RequestSpecificProtocolSupport(GeneralProtocolSupport generalSupport, HttpServletRequest request,
- HttpServletResponse response) {
-
- wrapped = generalSupport;
- }
-
- public void addMetadataProvider(Element element) {
-
- wrapped.addMetadataProvider(element);
- }
-
- public void destroy() {
-
- wrapped.destroy();
- }
-
- public ArtifactMapper getArtifactMapper() {
-
- return wrapped.getArtifactMapper();
- }
-
- public IdPConfig getIdPConfig() {
-
- return wrapped.getIdPConfig();
- }
-
- public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
- String requester) throws AAException {
-
- return wrapped.getReleaseAttributes(principal, relyingParty, requester);
- }
-
- public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
- String requester, Collection<URI> attributeNames) throws AAException {
-
- return wrapped.getReleaseAttributes(principal, relyingParty, requester, attributeNames);
- }
-
- public RelyingPartyMapper getRelyingPartyMapper() {
-
- return wrapped.getRelyingPartyMapper();
- }
-
- public Logger getTransactionLog() {
-
- return wrapped.getTransactionLog();
- }
-
- public TrustEngine<X509Credential> getTrustEngine() {
-
- return wrapped.getTrustEngine();
- }
-
- public int providerCount() {
-
- return wrapped.providerCount();
- }
-
- public Collection<? extends SAMLAttribute> resolveAttributes(Principal principal, String requester,
- String responder, Map<String, AAAttribute> attributeSet) throws ArpProcessingException {
-
- return wrapped.resolveAttributes(principal, requester, responder, attributeSet);
- }
-
- public Collection<? extends SAMLAttribute> resolveAttributesNoPolicies(Principal principal, String requester,
- String responder, Map<String, AAAttribute> attributeSet) {
-
- return wrapped.resolveAttributesNoPolicies(principal, requester, responder, attributeSet);
- }
-
- public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
- SAMLException {
-
- wrapped.signAssertions(assertions, relyingParty);
- }
-
- public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException {
-
- wrapped.signResponse(response, relyingParty);
- }
-
- public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
-
- return wrapped.getEntitiesDescriptor(name);
- }
-
- public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
-
- return wrapped.getEntityDescriptor(entityID);
- }
-
- public XMLObject getMetadata() throws MetadataProviderException {
-
- return wrapped.getMetadata();
- }
-
- public MetadataFilter getMetadataFilter() {
-
- return wrapped.getMetadataFilter();
- }
-
- public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
-
- return wrapped.getRole(entityID, roleName);
- }
-
- public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
- throws MetadataProviderException {
-
- return wrapped.getRole(entityID, roleName, supportedProtocol);
- }
-
- public boolean requireValidMetadata() {
-
- return wrapped.requireValidMetadata();
- }
-
- public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
-
- wrapped.setMetadataFilter(newFilter);
- }
-
- public void setRequireValidMetadata(boolean requireValidMetadata) {
-
- wrapped.setRequireValidMetadata(requireValidMetadata);
- }
-
-}
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
- * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
- * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Date;
-import java.util.List;
-import java.util.Vector;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
-import org.apache.xml.security.c14n.CanonicalizationException;
-import org.apache.xml.security.c14n.Canonicalizer;
-import org.apache.xml.security.c14n.InvalidCanonicalizerException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLAttributeStatement;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLAuthenticationStatement;
-import org.opensaml.SAMLCondition;
-import org.opensaml.SAMLConfig;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
-import org.opensaml.SAMLSubjectStatement;
-import org.opensaml.XML;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.Endpoint;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * <code>ProtocolHandler</code> implementation that responds to ADFS SSO flows as specified in "WS-Federation: Passive
- * Requestor Interoperability Profiles".
- *
- * @author Walter Hoehn
- */
-public class ADFS_SSOHandler extends SSOHandler implements IdPProtocolHandler {
-
- private static Logger log = Logger.getLogger(ADFS_SSOHandler.class.getName());
- private static final String WA = "wsignin1.0";
- private static final String WS_FED_PROTOCOL_ENUM = "http://schemas.xmlsoap.org/ws/2003/07/secext";
- private static final Collection SUPPORTED_IDENTIFIER_FORMATS = Arrays.asList(new String[]{
- "urn:oasis:names:tc:SAML:1.1nameid-format:emailAddress", "http://schemas.xmlsoap.org/claims/UPN",
- "http://schemas.xmlsoap.org/claims/CommonName"});
- private static final String CLAIMS_URI = "http://schemas.xmlsoap.org/claims";
-
- /**
- * Required DOM-based constructor.
- */
- public ADFS_SSOHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
- * javax.servlet.http.HttpServletResponse)
- */
- public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
- throws RequestHandlingException, ServletException {
-
- // Set attributes that are needed by the jsp
- // ADFS spec says always send (wa)
- request.setAttribute("wa", ADFS_SSOHandler.WA);
- // Passthru (wctx) if we get one
- if (request.getParameter("wctx") != null && !request.getParameter("wctx").equals("")) {
- request.setAttribute("wctx", request.getParameter("wctx"));
- }
-
- try {
- // Ensure that we have the required data from the servlet container
- validateEngineData(request);
- validateAdfsSpecificData(request);
-
- // Get the authN info
- String username = support.getIdPConfig().getAuthHeaderName().equalsIgnoreCase("REMOTE_USER") ? request
- .getRemoteUser() : request.getHeader(support.getIdPConfig().getAuthHeaderName());
- if ((username == null) || (username.equals(""))) { throw new InvalidClientDataException(
- "Unauthenticated principal. This protocol handler requires that authentication information be "
- + "provided from the servlet container."); }
- LocalPrincipal principal = new LocalPrincipal(username);
-
- // Select the appropriate Relying Party configuration for the request
- String remoteProviderId = request.getParameter("wtrealm");
- log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
- RelyingParty relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
-
- // Grab the metadata for the provider
- EntityDescriptor descriptor = null;
- try {
- descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
- } catch (MetadataProviderException e1) {
- log.error("Encountered an error while looking up metadata: " + e1);
- }
-
- if (descriptor == null) {
- log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
- throw new InvalidClientDataException(
- "The specified Service Provider is unkown to this Identity Provider.");
- }
-
- // Make sure we have proper WS-Fed metadata
- SPSSODescriptor sp = descriptor.getSPSSODescriptor(ADFS_SSOHandler.WS_FED_PROTOCOL_ENUM);
- if (sp == null) {
- log.info("Inappropriate metadata for provider: no WS-Federation binding.");
- throw new InvalidClientDataException(
- "Unable to communicate with the specified Service Provider via this protocol.");
- }
-
- // If an acceptance URL was supplied, validate it
- String acceptanceURL = request.getParameter("wreply");
- if (acceptanceURL != null && !acceptanceURL.equals("")) {
- if (isValidAssertionConsumerURL(sp, acceptanceURL)) {
- log.info("Supplied consumer URL validated for this provider.");
- } else {
- log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
- + relyingParty.getProviderId() + ").");
- throw new InvalidClientDataException("Invalid assertion consumer service URL.");
- }
- // if none was supplied, pull one from the metadata
-
- } else {
- Endpoint endpoint = lookupAssertionConsumerService(sp);
- if (endpoint == null || endpoint.getLocation() == null) {
- log.error("No Assertion consumer service URL is available for provider ("
- + relyingParty.getProviderId() + ") via request the SSO request or the metadata.");
- throw new InvalidClientDataException("Unable to determine assertion consumer service URL.");
- }
- acceptanceURL = endpoint.getLocation();
- }
- // Needed for the form
- request.setAttribute("wreply", acceptanceURL);
-
- // Create SAML Name Identifier & Subject
- SAMLNameIdentifier nameId;
- try {
- nameId = getNameIdentifier(support.getNameMapper(), principal, relyingParty, descriptor);
- // ADFS spec limits which name identifier formats can be used
- if (!ADFS_SSOHandler.SUPPORTED_IDENTIFIER_FORMATS.contains(nameId.getFormat())) {
- log.error("SAML Name Identifier format (" + nameId.getFormat()
- + ") is inappropriate for use with ADFS provider.");
- throw new InvalidClientDataException(
- "Error converting principal to SAML Name Identifier: Invalid ADFS Name Identifier format.");
- }
-
- } catch (NameIdentifierMappingException e) {
- log.error("Error converting principal to SAML Name Identifier: " + e);
- throw new InvalidClientDataException("Error converting principal to SAML Name Identifier.");
- }
-
- // ADFS profile requires an authentication method
- String authenticationMethod = request.getHeader("SAMLAuthenticationMethod");
- if (authenticationMethod == null || authenticationMethod.equals("")) {
- authenticationMethod = relyingParty.getDefaultAuthMethod().toString();
- log.debug("User was authenticated via the default method for this relying party ("
- + authenticationMethod + ").");
- } else {
- log.debug("User was authenticated via the method (" + authenticationMethod + ").");
- }
-
- SAMLSubject authNSubject = new SAMLSubject(nameId, null, null, null);
-
- // We always do POST with ADFS
- respondWithPOST(request, response, support, principal, relyingParty, descriptor, acceptanceURL, nameId,
- authenticationMethod, authNSubject);
-
- } catch (InvalidClientDataException e) {
- throw new RequestHandlingException("Unable to handle request. Client data is invalid: " + e);
- } catch (SecurityTokenResponseException e) {
- log.error("Error creating security token response: " + e);
- throw new RequestHandlingException("Unable to handle request. Error creating security token response.");
- } catch (SAMLException e) {
- log.error("Error creating SAML security token: " + e);
- throw new RequestHandlingException("Unable to handle request. Error creating SAML security token.");
- }
- }
-
- private Endpoint lookupAssertionConsumerService(SPSSODescriptor sp) {
-
- // Grab the first endpoin we find with an ADFS protocol binding
- List<AssertionConsumerService> acs = sp.getAssertionConsumerServices();
- for (AssertionConsumerService service : acs) {
- if (ADFS_SSOHandler.WS_FED_PROTOCOL_ENUM.equals(service.getBinding())) { return service; }
- }
-
- return null;
- }
-
- private void respondWithPOST(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support,
- LocalPrincipal principal, RelyingParty relyingParty, EntityDescriptor descriptor, String acceptanceURL,
- SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject) throws SAMLException,
- ServletException, SecurityTokenResponseException {
-
- try {
- // We should always send a single token (SAML assertion)
- SAMLAssertion assertion = generateAssertion(request, relyingParty, descriptor, nameId,
- authenticationMethod, getAuthNTime(request), authNSubject);
-
- generateAttributes(support, principal, relyingParty, assertion, request);
-
- // ADFS spec says assertions should always be signed
- support.signAssertions((SAMLAssertion[]) new SAMLAssertion[]{assertion}, relyingParty);
-
- // Wrap assertion in security token response and create form
- createPOSTForm(request, response, new SecurityTokenResponse(assertion, relyingParty.getProviderId()));
-
- // Make transaction log entry
- support.getTransactionLog().info(
- "ADFS security token issued to provider (" + relyingParty.getProviderId()
- + ") on behalf of principal (" + principal.getName() + ").");
-
- } catch (IOException e) {
- throw new SAMLException(SAMLException.RESPONDER, e);
- }
- }
-
- private void generateAttributes(IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
- SAMLAssertion assertion, HttpServletRequest request) throws SAMLException {
-
- try {
- Collection<? extends SAMLAttribute> attributes = support.getReleaseAttributes(principal, relyingParty,
- relyingParty.getProviderId());
- log.info("Found " + attributes.size() + " attribute(s) for " + principal.getName());
-
- // Bail if we didn't get any attributes
- if (attributes == null || attributes.size() < 1) {
- log.info("No attributes resolved.");
- return;
- }
-
- // The ADFS spec recommends that all attributes have this URI, but it doesn't require it
- for (SAMLAttribute attribute : attributes) {
- if (!attribute.getNamespace().equals(CLAIMS_URI)) {
- log.warn("It is recommended that all attributes sent via the ADFS SSO handler "
- + "have a namespace of (" + CLAIMS_URI + "). The attribute (" + attribute.getName()
- + ") has a namespace of (" + attribute.getNamespace() + ").");
- }
- }
-
- // Reference requested subject
- SAMLSubject attrSubject = (SAMLSubject) ((SAMLSubjectStatement) assertion.getStatements().next())
- .getSubject().clone();
-
- // ADFS spec says to include authN and attribute statements in the same assertion
- log.debug("Merging attributes into existing authn assertion");
- assertion.addStatement(new SAMLAttributeStatement(attrSubject, attributes));
-
- if (log.isDebugEnabled()) {
- log.debug("Dumping combined Assertion:" + System.getProperty("line.separator") + assertion.toString());
- }
-
- } catch (AAException e) {
- log.error("An error was encountered while generating assertion for attribute push: " + e);
- throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
- } catch (CloneNotSupportedException e) {
- log.error("An error was encountered while generating assertion for attribute push: " + e);
- throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
- }
- }
-
- private SAMLAssertion generateAssertion(HttpServletRequest request, RelyingParty relyingParty,
- EntityDescriptor descriptor, SAMLNameIdentifier nameId, String authenticationMethod, Date authTime,
- SAMLSubject subject) throws SAMLException, IOException {
-
- // Bearer method is recommended by the ADFS spec
- subject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
-
- // ADFS spec requires a single audience of the SP
- ArrayList<String> audiences = new ArrayList<String>();
- if (relyingParty.getProviderId() != null) {
- audiences.add(relyingParty.getProviderId());
- }
- Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
- if (audiences != null && audiences.size() > 0) conditions.add(new SAMLAudienceRestrictionCondition(audiences));
-
- // Determine the correct issuer
- String issuer = relyingParty.getIdentityProvider().getProviderId();
-
- // Create the assertion
- // NOTE the ADFS spec says not to specify a locality
- SAMLStatement[] statements = {new SAMLAuthenticationStatement(subject, authenticationMethod, authTime, null,
- null, null)};
-
- // Package attributes
- log.info("Resolving attributes.");
-
- SAMLAssertion assertion = new SAMLAssertion(issuer, new Date(System.currentTimeMillis()), new Date(System
- .currentTimeMillis() + 300000), conditions, null, Arrays.asList(statements));
-
- if (log.isDebugEnabled()) {
- log.debug("Dumping generated Assertion:" + System.getProperty("line.separator") + assertion.toString());
- }
-
- return assertion;
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#getHandlerName()
- */
- public String getHandlerName() {
-
- return "ADFS SSO Handler";
- }
-
- private void validateAdfsSpecificData(HttpServletRequest request) throws InvalidClientDataException {
-
- // Required by spec, must have the constant value
- if (request.getParameter("wa") == null || !request.getParameter("wa").equals(ADFS_SSOHandler.WA)) { throw new InvalidClientDataException(
- "Invalid data from Service Provider: missing or invalid (wa) parameter."); }
-
- // Required by spec
- if ((request.getParameter("wtrealm") == null) || (request.getParameter("wtrealm").equals(""))) { throw new InvalidClientDataException(
- "Invalid data from Service Provider:missing or invalid (wtrealm) parameter."); }
- }
-
- private static void createPOSTForm(HttpServletRequest req, HttpServletResponse res,
- SecurityTokenResponse tokenResponse) throws ServletException, SecurityTokenResponseException {
-
- req.setAttribute("wresult", tokenResponse.toXmlString());
-
- if (log.isDebugEnabled()) {
- log.debug("Dumping generated Security Token Response:" + System.getProperty("line.separator")
- + tokenResponse.toXmlString());
- }
-
- RequestDispatcher rd = req.getRequestDispatcher("/adfs.jsp");
- try {
- rd.forward(req, res);
- } catch (IOException e) {
- log.error("Error sending redirect: " + e);
- throw new ServletException();
- }
- }
-
- /**
- * Boolean indication of whethere or not a given assertion consumer URL is valid for a given SP.
- */
- private static boolean isValidAssertionConsumerURL(SPSSODescriptor descriptor, String shireURL)
- throws InvalidClientDataException {
-
- List<AssertionConsumerService> endpoints = descriptor.getAssertionConsumerServices();
- for (AssertionConsumerService acs : endpoints) {
- if (shireURL.equals(acs.getLocation())) { return true; }
- }
-
- log.info("Supplied consumer URL not found in metadata.");
- return false;
- }
-
-}
-
-class SecurityTokenResponse {
-
- private static Logger log = Logger.getLogger(SecurityTokenResponse.class.getName());
- private static SAMLConfig config = SAMLConfig.instance();
- private static String WS_TRUST_SCHEMA = "http://schemas.xmlsoap.org/ws/2005/02/trust";
- private static String WS_POLICY_SCHEMA = "http://schemas.xmlsoap.org/ws/2004/09/policy";
- private static String WS_ADDRESSING_SCHEMA = "http://schemas.xmlsoap.org/ws/2004/08/addressing";
- private Document response;
-
- SecurityTokenResponse(SAMLAssertion assertion, String remoteProviderId) throws SecurityTokenResponseException,
- SAMLException {
-
- response = XML.parserPool.newDocument();
-
- // Create root response element
- Element root = response.createElementNS(WS_TRUST_SCHEMA, "RequestSecurityTokenResponse");
- root.setAttributeNS(XML.XMLNS_NS, "xmlns", WS_TRUST_SCHEMA);
- response.appendChild(root);
-
- // Tie to remote endpoint
- Element appliesTo = response.createElementNS(WS_POLICY_SCHEMA, "AppliesTo");
- appliesTo.setAttributeNS(XML.XMLNS_NS, "xmlns", WS_POLICY_SCHEMA);
- root.appendChild(appliesTo);
- Element endpointRef = response.createElementNS(WS_ADDRESSING_SCHEMA, "EndpointReference");
- endpointRef.setAttributeNS(XML.XMLNS_NS, "xmlns", WS_ADDRESSING_SCHEMA);
- appliesTo.appendChild(endpointRef);
- Element address = response.createElementNS(WS_ADDRESSING_SCHEMA, "Address");
- address.appendChild(response.createTextNode(remoteProviderId));
- endpointRef.appendChild(address);
-
- // Add security token
- Element token = response.createElementNS(WS_TRUST_SCHEMA, "RequestedSecurityToken");
-
- token.appendChild(assertion.toDOM(response));
- root.appendChild(token);
-
- }
-
- public byte[] toBase64() throws SecurityTokenResponseException {
-
- try {
- Canonicalizer canonicalizier = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
- byte[] canonicalized = canonicalizier.canonicalizeSubtree(response, config
- .getProperty("org.opensaml.inclusive-namespace-prefixes"));
-
- return Base64.encodeBase64Chunked(canonicalized);
- } catch (InvalidCanonicalizerException e) {
- log.error("Error Canonicalizing Security Token Response: " + e);
- throw new SecurityTokenResponseException(e.getMessage());
- }
-
- catch (CanonicalizationException e) {
- log.error("Error Canonicalizing Security Token Response: " + e);
- throw new SecurityTokenResponseException(e.getMessage());
- }
- }
-
- public String toXmlString() throws SecurityTokenResponseException {
-
- try {
- Canonicalizer canonicalizier = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
- byte[] canonicalized = canonicalizier.canonicalizeSubtree(response, config
- .getProperty("org.opensaml.inclusive-namespace-prefixes"));
- return new String(canonicalized);
-
- } catch (InvalidCanonicalizerException e) {
- log.error("Error Canonicalizing Security Token Response: " + e);
- throw new SecurityTokenResponseException(e.getMessage());
- }
-
- catch (CanonicalizationException e) {
- log.error("Error Canonicalizing Security Token Response: " + e);
- throw new SecurityTokenResponseException(e.getMessage());
- }
- }
-
-}
-
-class SecurityTokenResponseException extends Exception {
-
- SecurityTokenResponseException(String message) {
-
- super(message);
- }
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-
-import javax.security.auth.x500.X500Principal;
-
-import org.apache.log4j.Logger;
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.DERObject;
-import org.bouncycastle.asn1.DERObjectIdentifier;
-import org.bouncycastle.asn1.DERSequence;
-import org.bouncycastle.asn1.DERSet;
-import org.bouncycastle.asn1.DERString;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPConfig;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-
-/**
- * Functionality common to all <code>IdPProtocolHandler</code> implementation.
- *
- * @author Walter Hoehn
- */
-public abstract class BaseHandler implements IdPProtocolHandler {
-
- private static Logger log = Logger.getLogger(BaseHandler.class.getName());
- private static final String CN_OID = "2.5.4.3";
- private HashSet<String> locations = new HashSet<String>();
-
- /**
- * Required DOM-based constructor.
- */
- public BaseHandler(Element config) throws ShibbolethConfigurationException {
-
- // Make sure we have at least one location
- NodeList locations = config.getElementsByTagNameNS(IdPConfig.configNameSpace, "Location");
- if (locations.getLength() < 1) {
- log.error("The <ProtocolHandler/> element must contain at least one <Location/> element.");
- throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
- }
-
- // Parse the locations
- for (int i = 0; i < locations.getLength(); i++) {
- Node tnode = ((Element) locations.item(i)).getFirstChild();
- if (tnode != null && tnode.getNodeType() == Node.TEXT_NODE) {
- String rawURI = tnode.getNodeValue();
-
- if (rawURI == null || rawURI.equals("")) {
- log.error("The <Location/> element inside the <ProtocolHandler/> element must "
- + "contain a URI or regular expressions.");
- throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
- }
- this.locations.add(rawURI);
-
- } else {
- log.error("The <Location/> element inside the <ProtocolHandler/> element must contain a "
- + "URI or regular expression.");
- throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
- }
- }
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler#getLocations()
- */
- public String[] getLocations() {
-
- return (String[]) locations.toArray(new String[0]);
- }
-
- protected static String getHostNameFromDN(X500Principal dn) {
-
- // Parse the ASN.1 representation of the dn and grab the last CN component that we find
- // We used to do this with the dn string, but the JDK's default parsing caused problems with some DNs
- try {
- ASN1InputStream asn1Stream = new ASN1InputStream(dn.getEncoded());
- DERObject parent = asn1Stream.readObject();
-
- if (!(parent instanceof DERSequence)) {
- log.error("Unable to extract host name name from certificate subject DN: incorrect ASN.1 encoding.");
- return null;
- }
-
- String cn = null;
- for (int i = 0; i < ((DERSequence) parent).size(); i++) {
- DERObject dnComponent = ((DERSequence) parent).getObjectAt(i).getDERObject();
- if (!(dnComponent instanceof DERSet)) {
- log.debug("No DN components.");
- continue;
- }
-
- // Each DN component is a set
- for (int j = 0; j < ((DERSet) dnComponent).size(); j++) {
- DERObject grandChild = ((DERSet) dnComponent).getObjectAt(j).getDERObject();
-
- if (((DERSequence) grandChild).getObjectAt(0) != null
- && ((DERSequence) grandChild).getObjectAt(0).getDERObject() instanceof DERObjectIdentifier) {
- DERObjectIdentifier componentId = (DERObjectIdentifier) ((DERSequence) grandChild).getObjectAt(
- 0).getDERObject();
-
- if (CN_OID.equals(componentId.getId())) {
- // OK, this dn component is actually a cn attribute
- if (((DERSequence) grandChild).getObjectAt(1) != null
- && ((DERSequence) grandChild).getObjectAt(1).getDERObject() instanceof DERString) {
- cn = ((DERString) ((DERSequence) grandChild).getObjectAt(1).getDERObject()).getString();
- }
- }
- }
- }
- }
- asn1Stream.close();
- return cn;
-
- } catch (IOException e) {
- log.error("Unable to extract host name name from certificate subject DN: ASN.1 parsing failed: " + e);
- return null;
- }
- }
-
- protected static String[] getCredentialNames(X509Certificate cert) {
-
- ArrayList<String> names = new ArrayList<String>();
- names.add(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
- try {
- Collection altNames = cert.getSubjectAlternativeNames();
- if (altNames != null) {
- for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
- List altName = (List) nameIterator.next();
- if (altName.get(0).equals(new Integer(2)) && altName.get(1) instanceof String) { // 2 is DNS
- names.add((String) altName.get(1));
- } else if (altName.get(0).equals(new Integer(6)) && altName.get(1) instanceof String) { // 6 is URI
- names.add((String) altName.get(1));
- }
- }
- }
- } catch (CertificateParsingException e1) {
- log.error("Encountered an problem trying to extract Subject Alternate "
- + "Name from supplied certificate: " + e1);
- }
- names.add(getHostNameFromDN(cert.getSubjectX500Principal()));
- return (String[]) names.toArray(new String[1]);
- }
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.security.cert.X509Certificate;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-
-/**
- * @author Walter Hoehn
- */
-public abstract class BaseServiceHandler extends BaseHandler implements IdPProtocolHandler {
-
- /**
- * Required DOM-based constructor.
- */
- public BaseServiceHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
- }
-
- protected static X509Certificate getCredentialFromProvider(HttpServletRequest req) {
-
- X509Certificate[] certArray = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
- if (certArray != null && certArray.length > 0) { return certArray[0]; }
- return null;
- }
-
- protected class InvalidProviderCredentialException extends Exception {
-
- public InvalidProviderCredentialException(String message) {
-
- super(message);
- }
- }
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Iterator;
-
-import javax.security.auth.x500.X500Principal;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLBinding;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLRequest;
-import org.opensaml.SAMLResponse;
-import org.opensaml.XML;
-import org.opensaml.artifact.Artifact;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.impl.HttpX509EntityCredential;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapping;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * @author Walter Hoehn
- */
-public class SAMLv1_1ArtifactQueryHandler extends SAMLv1_Base_QueryHandler implements IdPProtocolHandler {
-
- private static Logger log = Logger.getLogger(SAMLv1_1ArtifactQueryHandler.class.getName());
- private SAMLBinding binding;
-
- public SAMLv1_1ArtifactQueryHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#getHandlerName()
- */
- public String getHandlerName() {
-
- return "SAML v1.1 Artifact Query";
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
- * javax.servlet.http.HttpServletResponse, edu.internet2.middleware.shibboleth.idp.ProtocolSupport)
- */
- public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
- throws RequestHandlingException, ServletException {
-
- log.info("Received a request to dereference assertion artifacts.");
-
- SAMLRequest samlRequest = parseSAMLRequest(request);
-
- try {
-
- // Pull credential from request
- X509Certificate[] chain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
- if (chain == null || chain.length == 0
- || chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
- // The spec says that mutual authentication is required for the
- // artifact profile
- if (samlRequest.isSigned()) {
- log.info("Request is signed, will authenticate it later.");
- } else {
- log.info("Request is from an unauthenticated serviceprovider.");
- throw new SAMLException(SAMLException.REQUESTER,
- "SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
- }
- } else {
- log.info("Request contains TLS credential: ("
- + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253) + ").");
- }
- ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
- Iterator artifacts = samlRequest.getArtifacts();
-
- if (!artifacts.hasNext()) {
- log.error("Protocol Handler received a SAML Request, but is unable to handle it. No "
- + "artifacts were included in the request.");
- throw new SAMLException(SAMLException.REQUESTER, "General error processing request.");
- }
-
- int queriedArtifacts = 0;
- // for transaction log
- StringBuffer dereferencedArtifacts = new StringBuffer();
-
- while (artifacts.hasNext()) {
- queriedArtifacts++;
- Artifact artifact = (Artifact) artifacts.next();
- log.info("Dereferencing artifact: (" + artifact.encode() + ").");
- ArtifactMapping mapping = support.getArtifactMapper().recoverAssertion(artifact);
-
- if (mapping == null) {
- log.info("Could not map artifact to a SAML Assertion.");
-
- } else if (mapping.isExpired()) {
- log.error("Artifact is expired. Skipping...");
-
- } else {
- SAMLAssertion assertion = mapping.getAssertion();
- // See if we have metadata for this provider
- EntityDescriptor provider = null;
- try {
- provider = support.getEntityDescriptor(mapping.getServiceProviderId());
- } catch (MetadataProviderException e) {
- log.error("Metadata lookup for provider (" + mapping.getServiceProviderId()
- + ") encountered an error: " + e);
- }
- if (provider == null) {
- log.info("No metadata found for provider: (" + mapping.getServiceProviderId() + ").");
- throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider.");
- }
- SPSSODescriptor role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
- if (role == null) {
- log.info("SPSSO role not found in metadata for provider: (" + mapping.getServiceProviderId()
- + ").");
- throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider role.");
- }
-
- boolean authenticated = false;
-
- // Make sure that the suppplied credential is valid for the provider to which the artifact was
- // issued
- if (chain != null && chain.length > 0) {
- if (!support.getTrustEngine().validate(new HttpX509EntityCredential(request), role)) {
- log.error("Supplied TLS credential ("
- + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
- + ") is NOT valid for provider (" + mapping.getServiceProviderId()
- + "), to whom this artifact was issued.");
- throw new SAMLException(SAMLException.REQUESTER, "Invalid credential.");
- }
- authenticated = true;
- }
- if (samlRequest.isSigned()) {
-
- if (!support.getTrustEngine().validate(samlRequest, role)) {
- log.error("Signed SAML request message did NOT contain a valid signature from provider ("
- + mapping.getServiceProviderId() + "), to whom this artifact was issued.");
- throw new SAMLException(SAMLException.REQUESTER, "Invalid signature.");
- }
- authenticated = true;
- }
- if (!authenticated) {
- log.info("Request could not be authenticated.");
- throw new SAMLException(SAMLException.REQUESTER,
- "SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
- }
- log.debug("Supplied credentials validated for the provider to which this artifact was issued.");
- assertions.add(assertion);
- dereferencedArtifacts.append("(" + artifact.encode() + ")");
- }
- }
-
- // The spec requires that if any artifacts are dereferenced, they must
- // all be dereferenced
- if (assertions.size() > 0 && assertions.size() != queriedArtifacts) { throw new SAMLException(
- SAMLException.REQUESTER, "Unable to successfully dereference all artifacts."); }
-
- // Create and send response
- // The spec says that we should send "success" in the case where no artifacts match
- SAMLResponse samlResponse = new SAMLResponse(samlRequest.getId(), null, assertions, null);
- if (log.isDebugEnabled()) {
- log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator")
- + samlResponse.toString());
- }
-
- support.getTransactionLog().info(
- "Succesfully dereferenced the following artifacts: " + dereferencedArtifacts.toString());
-
- binding.respond(response, samlResponse, null);
-
- } catch (SAMLException e) {
- respondWithError(response, samlRequest, e);
- }
- }
-
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Iterator;
-
-import javax.security.auth.x500.X500Principal;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLAttributeDesignator;
-import org.opensaml.SAMLAttributeQuery;
-import org.opensaml.SAMLAttributeStatement;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLCondition;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLRequest;
-import org.opensaml.SAMLResponse;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
-import org.opensaml.XML;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.RoleDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.X509EntityCredential;
-import org.opensaml.security.impl.HttpX509EntityCredential;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.common.InvalidNameIdentifierException;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * @author Walter Hoehn
- */
-public class SAMLv1_AttributeQueryHandler extends SAMLv1_Base_QueryHandler implements IdPProtocolHandler {
-
- static Logger log = Logger.getLogger(SAMLv1_AttributeQueryHandler.class.getName());
-
- /**
- * Required DOM-based constructor.
- */
- public SAMLv1_AttributeQueryHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#getHandlerName()
- */
- public String getHandlerName() {
-
- return "SAML v1.1 Attribute Query";
- }
-
- private String authenticateAs(String assertedId, X509Credential credential, IdPProtocolSupport support)
- throws InvalidProviderCredentialException {
-
- // See if we have metadata for this provider
- EntityDescriptor provider = null;
- try {
- provider = support.getEntityDescriptor(assertedId);
- } catch (MetadataProviderException e) {
- log.error("Encountered an error while looking up metadata: " + e);
- }
- if (provider == null) {
- log.info("No metadata found for providerId: (" + assertedId + ").");
- return null;
- } else {
- log.info("Metadata found for providerId: (" + assertedId + ").");
- }
- // TODO pulled this code out for now because we don't have an extension interface to support it.
- // Need to add it back with current draft profile as of release time.
- /*
- * RoleDescriptor ar_role = provider.getAttributeRequesterDescriptor(XML.SAML11_PROTOCOL_ENUM);
- */
- RoleDescriptor ar_role = null;
- SPSSODescriptor sp_role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
- if (ar_role == null && sp_role == null) {
- log.info("SPSSO and Stand-Alone Requester roles not found in metadata for provider: (" + assertedId + ").");
- return null;
- }
-
- // Make sure that the supplied credential is valid for the selected provider role.
- if ((ar_role != null && support.getTrustEngine().validate(credential, ar_role))
- || (sp_role != null && support.getTrustEngine().validate(credential, sp_role))) {
- log.info("Supplied credentials validated for this provider.");
- return assertedId;
- } else {
- log.error("Supplied credentials ("
- + credential.getEntityCertificate().getSubjectX500Principal().getName(X500Principal.RFC2253)
- + ") are NOT valid for provider (" + assertedId + ").");
- throw new InvalidProviderCredentialException("Invalid credentials.");
- }
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
- * javax.servlet.http.HttpServletResponse, org.opensaml.SAMLRequest,
- * edu.internet2.middleware.shibboleth.idp.ProtocolSupport)
- */
- public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
- throws RequestHandlingException, ServletException {
-
- SAMLRequest samlRequest = parseSAMLRequest(request);
-
- if (samlRequest == null || samlRequest.getQuery() == null
- || !(samlRequest.getQuery() instanceof SAMLAttributeQuery)) {
- log.error("Protocol Handler can only respond to SAML Attribute Queries.");
- respondWithError(response, samlRequest, new SAMLException("General error processing request."));
- return;
- }
-
- RelyingParty relyingParty = null;
- SAMLAttributeQuery attributeQuery = (SAMLAttributeQuery) samlRequest.getQuery();
-
- // This is the requester name that will be passed to subsystems
- String effectiveName = null;
-
- // Log the physical credential supplied, if any.
- X509Certificate[] credentials = (X509Certificate[]) request
- .getAttribute("javax.servlet.request.X509Certificate");
- if (credentials == null || credentials.length == 0
- || credentials[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
- log.info("Request contained no credentials, treating as an unauthenticated service provider.");
- } else {
- log.info("Request contains credentials: ("
- + credentials[0].getSubjectX500Principal().getName(X500Principal.RFC2253) + ").");
-
- // Try and authenticate the requester as any of the potentially relevant identifiers we know.
- try {
- if (attributeQuery.getResource() != null) {
- log.info("Remote provider has identified itself as: (" + attributeQuery.getResource() + ").");
- effectiveName = authenticateAs(attributeQuery.getResource(), new HttpX509EntityCredential(request),
- support);
- }
-
- if (effectiveName == null) {
- log.info("Remote provider not yet identified, attempting to "
- + "derive requesting provider from credentials.");
-
- // Try the additional candidates.
- String[] candidateNames = getCredentialNames(credentials[0]);
- for (int c = 0; effectiveName == null && c < candidateNames.length; c++) {
- effectiveName = authenticateAs(candidateNames[c], new HttpX509EntityCredential(request),
- support);
- }
- }
- } catch (InvalidProviderCredentialException ipc) {
- respondWithError(response, samlRequest, new SAMLException(SAMLException.REQUESTER,
- "Invalid credentials for request."));
- return;
- }
- }
-
- if (effectiveName == null) {
- log.info("Unable to locate metadata about provider, treating as an unauthenticated service provider.");
- relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
- if (log.isDebugEnabled()) {
- log.debug("Using default Relying Party, " + relyingParty.getName() + " for unauthenticated provider.");
- }
- } else {
- // Identify a Relying Party
- log.debug("Mapping authenticated provider (" + effectiveName + ") to Relying Party.");
- relyingParty = support.getServiceProviderMapper().getRelyingParty(effectiveName);
- }
-
- // Fail if we can't honor SAML Subject Confirmation unless the only one supplied is
- // bearer, in which case this is probably a Shib 1.1 query, and we'll let it slide for now.
- boolean hasConfirmationMethod = false;
- Iterator iterator = attributeQuery.getSubject().getConfirmationMethods();
- while (iterator.hasNext()) {
- String method = (String) iterator.next();
- log.info("Request contains SAML Subject Confirmation method: (" + method + ").");
- hasConfirmationMethod = true;
- }
- if (hasConfirmationMethod) {
- respondWithError(
- response,
- samlRequest,
- new SAMLException(SAMLException.REQUESTER,
- "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method(s)."));
- return;
- }
-
- try {
- // Map Subject to local principal
- Principal principal = null;
-
- SAMLNameIdentifier nameId = attributeQuery.getSubject().getNameIdentifier();
- log.debug("Name Identifier format: (" + nameId.getFormat() + ").");
- NameIdentifierMapping mapping = null;
- try {
- mapping = support.getNameMapper().getNameIdentifierMapping(new URI(nameId.getFormat()));
- } catch (URISyntaxException e) {
- log.error("Invalid Name Identifier format.");
- }
- if (mapping == null) { throw new NameIdentifierMappingException("Name Identifier format not registered."); }
-
- // Don't honor the request if the active relying party configuration does not contain a mapping with the
- // name identifier format from the request
- if (!Arrays.asList(relyingParty.getNameMapperIds()).contains(mapping.getId())) { throw new NameIdentifierMappingException(
- "Name Identifier format not valid for this relying party."); }
-
- principal = mapping.getPrincipal(nameId, relyingParty, relyingParty.getIdentityProvider());
- log.info("Request is for principal (" + principal.getName() + ").");
-
- // Get attributes from resolver
- Collection<? extends SAMLAttribute> attrs;
- Iterator requestedAttrsIterator = attributeQuery.getDesignators();
- if (requestedAttrsIterator.hasNext()) {
- log.info("Request designates specific attributes, resolving this set.");
- ArrayList<URI> requestedAttrs = new ArrayList<URI>();
- while (requestedAttrsIterator.hasNext()) {
- SAMLAttributeDesignator attribute = (SAMLAttributeDesignator) requestedAttrsIterator.next();
- try {
- log.debug("Designated attribute: (" + attribute.getName() + ")");
- requestedAttrs.add(new URI(attribute.getName()));
- } catch (URISyntaxException use) {
- log.error("Request designated an attribute name that does not conform "
- + "to the required URI syntax (" + attribute.getName() + "). Ignoring this attribute");
- }
- }
-
- attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName, requestedAttrs);
- } else {
- log.info("Request does not designate specific attributes, resolving all available.");
- attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName);
- }
-
- log.info("Found " + attrs.size() + " attribute(s) for " + principal.getName());
-
- // Put attributes names in the transaction log when it is set to DEBUG
- if (support.getTransactionLog().isDebugEnabled() && attrs.size() > 0) {
- StringBuffer attrNameBuffer = new StringBuffer();
- for (SAMLAttribute attr : attrs) {
- attrNameBuffer.append("(" + attr.getName() + ")");
- }
- support.getTransactionLog()
- .debug(
- "Attribute assertion generated for provider (" + effectiveName
- + ") on behalf of principal (" + principal.getName()
- + ") with the following attributes: " + attrNameBuffer.toString());
- }
-
- SAMLResponse samlResponse = null;
-
- if (attrs == null || attrs.size() == 0) {
- // No attribute found
- samlResponse = new SAMLResponse(samlRequest.getId(), null, null, null);
-
- } else {
- // Reference requested subject
- SAMLSubject rSubject = (SAMLSubject) attributeQuery.getSubject().clone();
-
- ArrayList<String> audiences = new ArrayList<String>();
- if (relyingParty.getProviderId() != null) {
- audiences.add(relyingParty.getProviderId());
- }
- if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
- audiences.add(relyingParty.getName());
- }
-
- SAMLCondition condition = new SAMLAudienceRestrictionCondition(audiences);
-
- // Put all attributes into an assertion
- SAMLStatement statement = new SAMLAttributeStatement(rSubject, attrs);
-
- // Set assertion expiration to longest attribute expiration
- long max = 0;
- for (SAMLAttribute attr : attrs) {
- if (max < attr.getLifetime()) {
- max = attr.getLifetime();
- }
- }
- Date now = new Date();
- Date then = new Date(now.getTime() + (max * 1000)); // max is in
- // seconds
-
- SAMLAssertion sAssertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(), now,
- then, Collections.singleton(condition), null, Collections.singleton(statement));
-
- // Sign the assertions, if necessary
- boolean metaDataIndicatesSignAssertions = false;
- EntityDescriptor descriptor = support.getEntityDescriptor((relyingParty.getProviderId()));
- if (descriptor != null) {
- // TODO pulled this code out for now because we don't have an extension interface to support it.
- // Need to add it back with current draft profile as of release time.
- /*
- * AttributeRequesterDescriptor ar = descriptor
- * .getAttributeRequesterDescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM); if (ar != null) { if
- * (ar.getWantAssertionsSigned()) { metaDataIndicatesSignAssertions = true; } }
- */
- if (!metaDataIndicatesSignAssertions) {
- SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
- if (sp != null) {
- if (sp.getWantAssertionsSigned()) {
- metaDataIndicatesSignAssertions = true;
- }
- }
- }
- }
- if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
- support.signAssertions(new SAMLAssertion[]{sAssertion}, relyingParty);
- }
-
- samlResponse = new SAMLResponse(samlRequest.getId(), null, Collections.singleton(sAssertion), null);
- }
-
- if (log.isDebugEnabled()) { // This takes some processing, so only do it if we need to
- log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator")
- + samlResponse.toString());
- }
-
- log.info("Successfully created response for principal (" + principal.getName() + ").");
-
- if (effectiveName == null) {
- support.getTransactionLog().info(
- "Attribute assertion issued to anonymous provider at (" + request.getRemoteAddr()
- + ") on behalf of principal (" + principal.getName() + ").");
- } else {
- support.getTransactionLog().info(
- "Attribute assertion issued to provider (" + effectiveName + ") on behalf of principal ("
- + principal.getName() + ").");
- }
-
- binding.respond(response, samlResponse, null);
-
- } catch (SAMLException e) {
- if (relyingParty.passThruErrors()) {
- respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
- } else {
- respondWithError(response, samlRequest, new SAMLException("General error processing request."));
- }
- } catch (MetadataProviderException e) {
- log.error("Encountered an error while looking up metadata: " + e);
- if (relyingParty.passThruErrors()) {
- respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
- } else {
- respondWithError(response, samlRequest, new SAMLException("General error processing request."));
- }
-
- } catch (InvalidNameIdentifierException e) {
- log.error("Could not associate the request's subject with a principal: " + e);
- if (relyingParty.passThruErrors()) {
- respondWithError(response, samlRequest, new SAMLException(Arrays.asList(e.getSAMLErrorCodes()),
- "The supplied Subject was unrecognized.", e));
- } else {
- respondWithError(response, samlRequest, new SAMLException(Arrays.asList(e.getSAMLErrorCodes()),
- "The supplied Subject was unrecognized."));
- }
-
- } catch (NameIdentifierMappingException e) {
- log.error("Encountered an error while mapping the name identifier from the request: " + e);
- if (relyingParty.passThruErrors()) {
- respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
- } else {
- respondWithError(response, samlRequest, new SAMLException("General error processing request."));
- }
-
- } catch (AAException e) {
- log.error("Encountered an error while resolving resolving attributes: " + e);
- if (relyingParty.passThruErrors()) {
- respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
- } else {
- respondWithError(response, samlRequest, new SAMLException("General error processing request."));
- }
-
- } catch (CloneNotSupportedException e) {
- log.error("Encountered an error while cloning request subject for use in response: " + e);
- if (relyingParty.passThruErrors()) {
- respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
- } else {
- respondWithError(response, samlRequest, new SAMLException("General error processing request."));
- }
- }
- }
-}
\ No newline at end of file
+++ /dev/null
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.opensaml.NoSuchProviderException;
-import org.opensaml.SAMLBinding;
-import org.opensaml.SAMLBindingFactory;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLRequest;
-import org.opensaml.SAMLResponse;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-public abstract class SAMLv1_Base_QueryHandler extends BaseServiceHandler {
-
- private static Logger log = Logger.getLogger(SAMLv1_Base_QueryHandler.class.getName());
- protected SAMLBinding binding;
-
- protected SAMLv1_Base_QueryHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
-
- try {
- binding = SAMLBindingFactory.getInstance(SAMLBinding.SOAP);
- } catch (NoSuchProviderException e) {
- log.error("Unable to initialize SAML SOAP binding:" + e);
- throw new ShibbolethConfigurationException("Couldn't initialize " + getHandlerName() + " handler.");
- }
- }
-
- protected SAMLRequest parseSAMLRequest(HttpServletRequest request) throws RequestHandlingException {
-
- // Parse SOAP request and marshall SAML request object
- SAMLRequest samlRequest = null;
- try {
- samlRequest = binding.receive(request, 1);
- } catch (SAMLException e) {
- log.error("Unable to parse request: " + e);
- throw new RequestHandlingException("Invalid request data.");
- }
-
- // If we have DEBUG logging turned on, dump out the request to the log
- // This takes some processing, so only do it if we need to
- if (log.isDebugEnabled()) {
- log
- .debug("Dumping generated SAML Request:" + System.getProperty("line.separator")
- + samlRequest.toString());
- }
- return samlRequest;
- }
-
- protected void respondWithError(HttpServletResponse response, SAMLRequest samlRequest, SAMLException e)
- throws RequestHandlingException {
-
- log.error("Error while processing request: " + e);
- try {
- SAMLResponse samlResponse = new SAMLResponse((samlRequest != null) ? samlRequest.getId() : null, null,
- null, e);
- if (log.isDebugEnabled()) {
- log.debug("Dumping generated SAML Error Response:" + System.getProperty("line.separator")
- + samlResponse.toString());
- }
- binding.respond(response, samlResponse, null);
- log.debug("Returning SAML Error Response.");
- } catch (SAMLException se) {
- try {
- binding.respond(response, null, e);
- } catch (SAMLException e1) {
- log.error("Caught exception while responding to requester: " + e.getMessage());
- throw new RequestHandlingException(e1.getMessage());
- }
- }
- }
-
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-import java.util.List;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.log4j.Logger;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.NameMapper;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-
-/**
- * @author Walter Hoehn
- */
-public abstract class SSOHandler extends BaseHandler implements IdPProtocolHandler {
-
- private static Logger log = Logger.getLogger(BaseHandler.class.getName());
-
- /**
- * Required DOM-based constructor.
- */
- public SSOHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
-
- }
-
- public static void validateEngineData(HttpServletRequest req) throws InvalidClientDataException {
-
- if ((req.getRemoteAddr() == null) || (req.getRemoteAddr().equals(""))) { throw new InvalidClientDataException(
- "Unable to obtain client address."); }
- }
-
- protected Date getAuthNTime(HttpServletRequest request) throws SAMLException {
-
- // Determine, if possible, when the authentication actually happened
- String suppliedAuthNInstant = request.getHeader("SAMLAuthenticationInstant");
- if (suppliedAuthNInstant != null && !suppliedAuthNInstant.equals("")) {
- try {
- return new SimpleDateFormat().parse(suppliedAuthNInstant);
- } catch (ParseException e) {
- log.error("An error was encountered while receiving authentication "
- + "instant from authentication mechanism: " + e);
- throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
- }
- } else {
- return new Date(System.currentTimeMillis());
- }
- }
-
- /**
- * Constructs a SAML Name Identifier of a given principal that is most appropriate to the relying party.
- *
- * @param mapper
- * name mapping facility
- * @param principal
- * the principal represented by the name identifier
- * @param relyingParty
- * the party that will consume the name identifier
- * @param descriptor
- * metadata descriptor for the party that will consume the name identifier
- * @return the SAML Name identifier
- * @throws NameIdentifierMappingException
- * if a name identifier could not be created
- */
- protected SAMLNameIdentifier getNameIdentifier(NameMapper mapper, LocalPrincipal principal,
- RelyingParty relyingParty, EntityDescriptor descriptor) throws NameIdentifierMappingException {
-
- String[] availableMappings = relyingParty.getNameMapperIds();
-
- // If we have preferred Name Identifier formats from the metadata, see if the we can find one that is configured
- // for this relying party
- SPSSODescriptor role;
- if (descriptor != null && (role = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM)) != null) {
- List<NameIDFormat> spPreferredFormats = role.getNameIDFormats();
- for (NameIDFormat preferredFormat : spPreferredFormats) {
- for (int i = 0; availableMappings != null && i < availableMappings.length; i++) {
- NameIdentifierMapping mapping = mapper.getNameIdentifierMappingById(availableMappings[i]);
- if (mapping != null
- && preferredFormat.getFormat().equals(mapping.getNameIdentifierFormat().toString())) {
- log.debug("Found a supported name identifier format that "
- + "matches the metadata for the relying party: ("
- + mapping.getNameIdentifierFormat().toString() + ").");
- return mapping.getNameIdentifier(principal, relyingParty, relyingParty.getIdentityProvider());
- }
- }
- }
- }
-
- // If we didn't find any matches, then just use the default for the relying party
- String defaultNameMapping = null;
- if (availableMappings != null && availableMappings.length > 0) {
- defaultNameMapping = availableMappings[0];
- }
- SAMLNameIdentifier nameId = mapper.getNameIdentifier(defaultNameMapping, principal, relyingParty, relyingParty
- .getIdentityProvider());
- log.debug("Using the default name identifier format for this relying party: (" + nameId.getFormat() + ").");
- return nameId;
- }
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Vector;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.bouncycastle.util.encoders.Base64;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLAttributeStatement;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLAuthenticationStatement;
-import org.opensaml.SAMLAuthorityBinding;
-import org.opensaml.SAMLBrowserProfile;
-import org.opensaml.SAMLCondition;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLResponse;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
-import org.opensaml.SAMLSubjectStatement;
-import org.opensaml.artifact.Artifact;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * <code>ProtocolHandler</code> implementation that responds to SSO flows as specified in "Shibboleth Architecture:
- * Protocols and Profiles".
- *
- * @author Walter Hoehn
- */
-public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHandler {
-
- private static Logger log = Logger.getLogger(ShibbolethV1SSOHandler.class.getName());
-
- /**
- * Required DOM-based constructor.
- */
- public ShibbolethV1SSOHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
- * javax.servlet.http.HttpServletResponse)
- */
- public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
- throws RequestHandlingException, ServletException {
-
- try {
-
- // Set attributes that are needed by the jsp
- request.setAttribute("shire", request.getParameter("shire"));
- request.setAttribute("target", request.getParameter("target"));
-
- // Ensure that we have the required data from the servlet container
- validateEngineData(request);
- validateShibSpecificData(request);
-
- // Get the authN info
- String username = support.getIdPConfig().getAuthHeaderName().equalsIgnoreCase("REMOTE_USER") ? request
- .getRemoteUser() : request.getHeader(support.getIdPConfig().getAuthHeaderName());
- if ((username == null) || (username.equals(""))) { throw new InvalidClientDataException(
- "Unauthenticated principal. This protocol handler requires that authentication information be "
- + "provided from the servlet container."); }
- LocalPrincipal principal = new LocalPrincipal(username);
-
- // Select the appropriate Relying Party configuration for the request
- RelyingParty relyingParty = null;
- String remoteProviderId = request.getParameter("providerId");
- // If the SP did not send a Provider Id, then assume it is a Shib
- // 1.1 or older SP
- if (remoteProviderId == null || remoteProviderId.equals("")) {
- throw new InvalidClientDataException("Invalid or missing service provider id.");
- } else {
- log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
- relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
- }
-
- // Grab the metadata for the provider
- EntityDescriptor descriptor = null;
- try {
- descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
- } catch (MetadataProviderException e1) {
- log.error("Metadata lookup for provider (" + relyingParty.getProviderId() + ") encountered an error: "
- + e1);
- }
-
- // Make sure that the selected relying party configuration is appropriate for this
- // acceptance URL
- String acceptanceURL = request.getParameter("shire");
-
- if (descriptor == null) {
- log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
- relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
-
- } else {
- if (isValidAssertionConsumerURL(descriptor, acceptanceURL)) {
- log.info("Supplied consumer URL validated for this provider.");
- } else {
- log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
- + relyingParty.getProviderId() + ").");
- throw new InvalidClientDataException("Invalid assertion consumer service URL.");
- }
- }
-
- // Create SAML Name Identifier & Subject
- SAMLNameIdentifier nameId;
-
- nameId = getNameIdentifier(support.getNameMapper(), principal, relyingParty, descriptor);
-
- String authenticationMethod = request.getHeader("SAMLAuthenticationMethod");
- if (authenticationMethod == null || authenticationMethod.equals("")) {
- authenticationMethod = relyingParty.getDefaultAuthMethod().toString();
- log.debug("User was authenticated via the default method for this relying party ("
- + authenticationMethod + ").");
- } else {
- log.debug("User was authenticated via the method (" + authenticationMethod + ").");
- }
-
- SAMLSubject authNSubject = new SAMLSubject(nameId, null, null, null);
-
- // Is this artifact or POST?
- boolean artifactProfile = useArtifactProfile(descriptor, acceptanceURL, relyingParty);
-
- // SAML Artifact profile - don't even attempt this for legacy providers (they don't support it)
- if (artifactProfile) {
- respondWithArtifact(request, response, support, principal, relyingParty, descriptor, acceptanceURL,
- nameId, authenticationMethod, authNSubject);
-
- // SAML POST profile
- } else {
- respondWithPOST(request, response, support, principal, relyingParty, descriptor, acceptanceURL, nameId,
- authenticationMethod, authNSubject);
- }
- } catch (InvalidClientDataException e) {
- throw new RequestHandlingException("Unable to handle request. Client data is invalid: " + e);
- } catch (NameIdentifierMappingException e) {
- log.error("Error converting principal to SAML Name Identifier: " + e);
- throw new RequestHandlingException("Unable to handle request. Error recognizing principal.");
- } catch (SAMLException e) {
- log.error("Error creating SAML Response: " + e);
- throw new RequestHandlingException("Unalbe to handle request. Error creating SAML Response.");
- }
- }
-
- private void respondWithArtifact(HttpServletRequest request, HttpServletResponse response,
- IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
- EntityDescriptor descriptor, String acceptanceURL, SAMLNameIdentifier nameId, String authenticationMethod,
- SAMLSubject authNSubject) throws SAMLException, ServletException, RequestHandlingException {
-
- log.debug("Responding with Artifact profile.");
- ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
-
- authNSubject.addConfirmationMethod(SAMLSubject.CONF_ARTIFACT);
- assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
- getAuthNTime(request), authNSubject));
-
- // Package attributes for push, if necessary.
- if (pushAttributes(true, relyingParty)) {
- log.info("Resolving attributes for push.");
- generateAttributes(support, principal, relyingParty, assertions, request);
- }
-
- // Sign the assertions, if necessary
- boolean metaDataIndicatesSignAssertions = false;
- if (descriptor != null) {
- SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
- if (sp != null) {
- if (sp.getWantAssertionsSigned()) {
- metaDataIndicatesSignAssertions = true;
- }
- }
- }
- if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
- support.signAssertions((SAMLAssertion[]) assertions.toArray(new SAMLAssertion[0]), relyingParty);
- }
-
- // Create artifacts for each assertion
- ArrayList<Artifact> artifacts = new ArrayList<Artifact>();
- for (int i = 0; i < assertions.size(); i++) {
- SAMLAssertion assertion = (SAMLAssertion) assertions.get(i);
- Artifact artifact = support.getArtifactMapper().generateArtifact(assertion, relyingParty);
- artifacts.add(artifact);
-
- // Put attributes names in the transaction log when it is set to DEBUG
- if (support.getTransactionLog().isDebugEnabled()) {
- Iterator statements = assertion.getStatements();
- while (statements.hasNext()) {
- SAMLStatement statement = (SAMLStatement) statements.next();
- if (statement instanceof SAMLAttributeStatement) {
- Iterator attributes = ((SAMLAttributeStatement) statement).getAttributes();
- StringBuffer attributeBuffer = new StringBuffer();
- while (attributes.hasNext()) {
- SAMLAttribute attribute = (SAMLAttribute) attributes.next();
- attributeBuffer.append("(" + attribute.getName() + ")");
- support.getTransactionLog().debug(
- "Artifact (" + artifact.encode() + ") created with the following attributes: "
- + attributeBuffer.toString());
- }
- }
- }
- }
- }
-
- try {
- // Assemble the query string
- StringBuffer destination = new StringBuffer(acceptanceURL);
- destination.append("?TARGET=");
-
- destination.append(URLEncoder.encode(request.getParameter("target"), "UTF-8"));
-
- Iterator iterator = artifacts.iterator();
- StringBuffer artifactBuffer = new StringBuffer(); // Buffer for the transaction log
-
- // Construct the artifact query parameter
- while (iterator.hasNext()) {
- Artifact artifact = (Artifact) iterator.next();
- artifactBuffer.append("(" + artifact.encode() + ")");
- destination.append("&SAMLart=");
- destination.append(URLEncoder.encode(artifact.encode(), "UTF-8"));
- }
-
- log.debug("Redirecting to (" + destination.toString() + ").");
-
- response.sendRedirect(destination.toString());
-
- // Redirect to the artifact receiver
- support.getTransactionLog().info(
- "Assertion artifact(s) (" + artifactBuffer.toString() + ") issued to provider ("
- + relyingParty.getProviderId() + ") on behalf of principal (" + principal.getName()
- + "). Name Identifier: (" + nameId.getName() + "). Name Identifier Format: ("
- + nameId.getFormat() + ").");
- } catch (UnsupportedEncodingException e) {
- log.error("Error encoding URL: " + e);
- throw new RequestHandlingException("Unable to handle request. URL Encoder malfuntion.");
- } catch (IOException e) {
- log.error("Error issuing redirect: " + e);
- throw new ServletException(e);
- }
- }
-
- public static boolean pushAttributeDefault = false;
-
- private void respondWithPOST(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support,
- LocalPrincipal principal, RelyingParty relyingParty, EntityDescriptor descriptor, String acceptanceURL,
- SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject) throws SAMLException,
- ServletException {
-
- log.debug("Responding with POST profile.");
- ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
- authNSubject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
- assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
- getAuthNTime(request), authNSubject));
-
- // Package attributes for push, if necessary.
- if (pushAttributes(pushAttributeDefault, relyingParty)) {
- log.info("Resolving attributes for push.");
- generateAttributes(support, principal, relyingParty, assertions, request);
- }
-
- // Sign the assertions, if necessary
- boolean metaDataIndicatesSignAssertions = false;
- if (descriptor != null) {
- SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
- if (sp != null) {
- if (sp.getWantAssertionsSigned()) {
- metaDataIndicatesSignAssertions = true;
- }
- }
- }
- if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
- support.signAssertions((SAMLAssertion[]) assertions.toArray(new SAMLAssertion[0]), relyingParty);
- }
-
- // Set attributes needed by form
- request.setAttribute("acceptanceURL", acceptanceURL);
- request.setAttribute("target", request.getParameter("target"));
-
- SAMLResponse samlResponse = new SAMLResponse(null, acceptanceURL, assertions, null);
-
- support.signResponse(samlResponse, relyingParty);
-
- try {
- createPOSTForm(request, response, samlResponse.toBase64());
- } catch (IOException e) {
- log.error("Error creating POST Form: " + e);
- throw new ServletException(e);
- }
-
- // Make transaction log entry
- support.getTransactionLog().info(
- "Authentication assertion issued to provider (" + relyingParty.getProviderId()
- + ") on behalf of principal (" + principal.getName() + "). Name Identifier: ("
- + nameId.getName() + "). Name Identifier Format: (" + nameId.getFormat() + ").");
-
- }
-
- private void generateAttributes(IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
- ArrayList<SAMLAssertion> assertions, HttpServletRequest request) throws SAMLException {
-
- try {
- Collection<? extends SAMLAttribute> attributes = support.getReleaseAttributes(principal, relyingParty,
- relyingParty.getProviderId());
- log.info("Found " + attributes.size() + " attribute(s) for " + principal.getName());
-
- // Bail if we didn't get any attributes
- if (attributes == null || attributes.size() < 1) {
- log.info("No attributes resolved.");
- return;
- }
-
- // Reference requested subject
- SAMLSubject attrSubject = (SAMLSubject) ((SAMLSubjectStatement) ((SAMLAssertion) assertions.get(0))
- .getStatements().next()).getSubject().clone();
-
- // May be one assertion or two.
- if (relyingParty.singleAssertion()) {
- log.debug("merging attributes into existing authn assertion");
- // Put all attributes into an assertion
- ((SAMLAssertion) assertions.get(0)).addStatement(new SAMLAttributeStatement(attrSubject, Arrays
- .asList(attributes)));
-
- if (log.isDebugEnabled()) {
- log.debug("Dumping combined Assertion:" + System.getProperty("line.separator")
- + assertions.get(0).toString());
- }
- } else {
- ArrayList<String> audiences = new ArrayList<String>();
- if (relyingParty.getProviderId() != null) {
- audiences.add(relyingParty.getProviderId());
- }
- if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
- audiences.add(relyingParty.getName());
- }
- String remoteProviderId = request.getParameter("providerId");
- if (remoteProviderId != null && !remoteProviderId.equals("") && !audiences.contains(remoteProviderId)) {
- audiences.add(remoteProviderId);
- }
-
- SAMLCondition condition = new SAMLAudienceRestrictionCondition(audiences);
-
- // Put all attributes into an assertion
- SAMLStatement statement = new SAMLAttributeStatement(attrSubject, attributes);
-
- // Set assertion expiration to longest attribute expiration
- long max = 0;
- for (SAMLAttribute attribute : attributes) {
- if (max < attribute.getLifetime()) {
- max = attribute.getLifetime();
- }
- }
- Date now = new Date();
- Date then = new Date(now.getTime() + (max * 1000)); // max is in seconds
-
- SAMLAssertion attrAssertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(),
- now, then, Collections.singleton(condition), null, Collections.singleton(statement));
- assertions.add(attrAssertion);
-
- if (log.isDebugEnabled()) {
- log.debug("Dumping generated Attribute Assertion:" + System.getProperty("line.separator")
- + attrAssertion.toString());
- }
- }
- } catch (AAException e) {
- log.error("An error was encountered while generating assertion for attribute push: " + e);
- throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
- } catch (CloneNotSupportedException e) {
- log.error("An error was encountered while generating assertion for attribute push: " + e);
- throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
- }
- }
-
- private SAMLAssertion generateAuthNAssertion(HttpServletRequest request, RelyingParty relyingParty,
- EntityDescriptor descriptor, SAMLNameIdentifier nameId, String authenticationMethod, Date authTime,
- SAMLSubject subject) throws SAMLException {
-
- // Determine the correct audiences
- ArrayList<String> audiences = new ArrayList<String>();
- if (relyingParty.getProviderId() != null) {
- audiences.add(relyingParty.getProviderId());
- }
- if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
- audiences.add(relyingParty.getName());
- }
- String remoteProviderId = request.getParameter("providerId");
- if (remoteProviderId != null && !remoteProviderId.equals("") && !audiences.contains(remoteProviderId)) {
- audiences.add(remoteProviderId);
- }
-
- // Determine the correct issuer
- String issuer = relyingParty.getIdentityProvider().getProviderId();
-
- ArrayList<SAMLAuthorityBinding> bindings = new ArrayList<SAMLAuthorityBinding>();
-
- // Create the assertion
- Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
- if (audiences != null && audiences.size() > 0) conditions.add(new SAMLAudienceRestrictionCondition(audiences));
-
- SAMLStatement[] statements = {new SAMLAuthenticationStatement(subject, authenticationMethod, authTime, request
- .getRemoteAddr(), null, bindings)};
-
- SAMLAssertion assertion = new SAMLAssertion(issuer, new Date(System.currentTimeMillis()), new Date(System
- .currentTimeMillis() + 300000), conditions, null, Arrays.asList(statements));
-
- if (log.isDebugEnabled()) {
- log.debug("Dumping generated AuthN Assertion:" + System.getProperty("line.separator")
- + assertion.toString());
- }
-
- return assertion;
- }
-
- /*
- * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#getHandlerName()
- */
- public String getHandlerName() {
-
- return "Shibboleth v1.x SSO";
- }
-
- private void validateShibSpecificData(HttpServletRequest request) throws InvalidClientDataException {
-
- if (request.getParameter("target") == null || request.getParameter("target").equals("")) { throw new InvalidClientDataException(
- "Invalid data from Service Provider: no target URL received."); }
- if ((request.getParameter("shire") == null) || (request.getParameter("shire").equals(""))) { throw new InvalidClientDataException(
- "Invalid data from Service Provider: No acceptance URL received."); }
- }
-
- private static void createPOSTForm(HttpServletRequest req, HttpServletResponse res, byte[] buf) throws IOException,
- ServletException {
-
- // Hardcoded to ASCII to ensure Base64 encoding compatibility
- req.setAttribute("assertion", new String(buf, "ASCII"));
-
- if (log.isDebugEnabled()) {
- log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator")
- + new String(Base64.decode(buf)));
- }
-
- RequestDispatcher rd = req.getRequestDispatcher("/IdP.jsp");
- rd.forward(req, res);
- }
-
- /**
- * Boolean indication of which browser profile is in effect. "true" indicates Artifact and "false" indicates POST.
- */
- private static boolean useArtifactProfile(EntityDescriptor descriptor, String acceptanceURL,
- RelyingParty relyingParty) {
-
- boolean artifactMeta = false;
- boolean postMeta = false;
-
- // Look at the metadata bindings, if we can find them
- if (descriptor != null) {
- SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-
- if (sp != null) {
-
- // See if this is the default endpoint location.
- AssertionConsumerService defaultEndpoint = sp.getDefaultAssertionConsumerService();
- if (defaultEndpoint != null && defaultEndpoint.getLocation().equals(acceptanceURL)) {
- // If we recognize the default binding, this is the one to use.
- if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_POST_URI)) return false;
- else if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_ARTIFACT_URI)) return true;
- }
- // If not, look through everything we have
- List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
- for (AssertionConsumerService ep : endpoints) {
- if (acceptanceURL.equals(ep.getLocation())
- && SAMLBrowserProfile.PROFILE_POST_URI.equals(ep.getBinding())) {
- log.debug("Metadata indicates support for POST profile.");
- postMeta = true;
- continue;
- }
- }
-
- endpoints = sp.getAssertionConsumerServices();
- for (AssertionConsumerService ep : endpoints) {
- if (acceptanceURL.equals(ep.getLocation())
- && SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(ep.getBinding())) {
- log.debug("Metadata indicates support for Artifact profile.");
- artifactMeta = true;
- continue;
- }
- }
- }
- }
-
- // If we have metadata for both, use the relying party default
- if (!(artifactMeta && postMeta)) {
-
- // If we only have metadata for one, use it
- if (artifactMeta) { return true; }
- if (postMeta) { return false; }
-
- }
-
- // If we have missing or incomplete metadata, use relying party default
- if (relyingParty.defaultToPOSTProfile()) {
- return false;
- } else {
- return true;
- }
- }
-
- /**
- * Boolean indication of whether an assertion containing an attribute statement should be bundled in the response
- * with the assertion containing the AuthN statement.
- */
- private static boolean pushAttributes(boolean artifactProfile, RelyingParty relyingParty) {
-
- // By default push for Artifact and don't push for POST
- // This can be overriden at the level of the relying party
- if (relyingParty.forceAttributePush()) {
- return true;
- } else if (relyingParty.forceAttributeNoPush()) {
- return false;
- } else if (artifactProfile) {
- return true;
- } else {
- return false;
- }
- }
-
- /**
- * Boolean indication of whethere or not a given assertion consumer URL is valid for a given SP.
- */
- private static boolean isValidAssertionConsumerURL(EntityDescriptor descriptor, String shireURL)
- throws InvalidClientDataException {
-
- SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
- if (sp == null) {
- log.info("Inappropriate metadata for provider.");
- return false;
- }
-
- List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
- for (AssertionConsumerService endpoint : endpoints) {
- if (shireURL.equals(endpoint.getLocation())) { return true; }
- }
- log.info("Supplied consumer URL not found in metadata.");
- return false;
- }
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * Special handler that allows one to "ping" the IdP to make sure it is alive
- *
- * @author Walter Hoehn
- */
-public class Shibboleth_StatusHandler extends BaseHandler implements IdPProtocolHandler {
-
- public Shibboleth_StatusHandler(Element config) throws ShibbolethConfigurationException {
-
- super(config);
- }
-
- /**
- * @see edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler#getHandlerName()
- */
- public String getHandlerName() {
-
- return "Shibboleth Status";
- }
-
- /**
- * @see edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
- * javax.servlet.http.HttpServletResponse, org.opensaml.SAMLRequest,
- * edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport)
- */
- public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
- throws RequestHandlingException, ServletException {
-
- try {
- response.setContentType("text/plain");
- response.getWriter().println("AVAILABLE");
- } catch (IOException e) {
- throw new ServletException(e);
- }
- }
-
-}
+++ /dev/null
-/* (PD) 2001 The Bitzi Corporation
- * Please see http://bitzi.com/publicdomain for more info.
- *
- * Base32.java
- *
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-/**
- * Base32 - encodes and decodes 'Canonical' Base32
- *
- * @author Robert Kaye & Gordon Mohr
- */
-public class Base32 {
-
- /* lookup table used to encode() groups of 5 bits of data */
- private static final String base32Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-
- /* lookup table used to decode() characters in Base32 strings */
- private static final byte[] base32Lookup =
- { 26,27,28,29,30,31,-1,-1,-1,-1,-1,-1,-1,-1, // 23456789:;<=>?
- -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14, // @ABCDEFGHIJKLMNO
- 15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1, // PQRSTUVWXYZ[\]^_
- -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14, // `abcdefghijklmno
- 15,16,17,18,19,20,21,22,23,24,25 // pqrstuvwxyz
- };
-
- /* Messsages for Illegal Parameter Exceptions in decode() */
- private static final String errorCanonicalLength = "non canonical Base32 string length";
- private static final String errorCanonicalEnd = "non canonical bits at end of Base32 string";
- private static final String errorInvalidChar = "invalid character in Base32 string";
-
- /**
- * Encode an array of binary bytes into a Base32 string.
- * Should not fail (the only possible exception is that the
- * returned string cannot be allocated in memory)
- */
- static public String encode(final byte[] bytes) {
-
- StringBuffer base32 = new StringBuffer((bytes.length * 8 + 4) / 5);
- int currByte, digit, i = 0;
-
- while (i < bytes.length) {
-
- // INVARIANTS FOR EACH STEP n in [0..5[; digit in [0..31[;
- // The remaining n bits are already aligned on top positions
- // of the 5 least bits of digit, the other bits are 0.
-
- // STEP n = 0; insert new 5 bits, leave 3 bits
- currByte = bytes[i++] & 255;
- base32.append(base32Chars.charAt(currByte >> 3));
- digit = (currByte & 7) << 2;
- if (i >= bytes.length) { // put the last 3 bits
- base32.append(base32Chars.charAt(digit));
- break;
- }
-
-
- // STEP n = 3: insert 2 new bits, then 5 bits, leave 1 bit
- currByte = bytes[i++] & 255;
- base32.append(base32Chars.charAt(digit | (currByte >> 6)));
- base32.append(base32Chars.charAt((currByte >> 1) & 31));
- digit = (currByte & 1) << 4;
- if (i >= bytes.length) { // put the last 1 bit
- base32.append(base32Chars.charAt(digit));
- break;
- }
-
- // STEP n = 1: insert 4 new bits, leave 4 bit
- currByte = bytes[i++] & 255;
- base32.append(base32Chars.charAt(digit | (currByte >> 4)));
- digit = (currByte & 15) << 1;
- if (i >= bytes.length) { // put the last 4 bits
- base32.append(base32Chars.charAt(digit));
- break;
- }
-
- // STEP n = 4: insert 1 new bit, then 5 bits, leave 2 bits
- currByte = bytes[i++] & 255;
- base32.append(base32Chars.charAt(digit | (currByte >> 7)));
- base32.append(base32Chars.charAt((currByte >> 2) & 31));
- digit = (currByte & 3) << 3;
- if (i >= bytes.length) { // put the last 2 bits
- base32.append(base32Chars.charAt(digit));
- break;
- }
-
- // STEP n = 2: insert 3 new bits, then 5 bits, leave 0 bit
- currByte = bytes[i++] & 255;
- base32.append(base32Chars.charAt(digit | (currByte >> 5)));
- base32.append(base32Chars.charAt(currByte & 31));
- //// This point is reached for bytes.length multiple of 5
- }
-
- return base32.toString();
- }
-
-
- /**
- * Decode a Base32 string into an array of binary bytes.
- * May fail if the parameter is a non canonical Base32 string
- * (the only other possible exception is that the
- * returned array cannot be allocated in memory)
- */
- static public byte[] decode(final String base32) throws IllegalArgumentException {
-
- // Note that the code below detects could detect non canonical
- // Base32 length within the loop. However canonical Base32 length
- // can be tested before entering the loop.
- // A canonical Base32 length modulo 8 cannot be:
- // 1 (aborts discarding 5 bits at STEP n=0 which produces no byte),
- // 3 (aborts discarding 7 bits at STEP n=2 which produces no byte),
- // 6 (aborts discarding 6 bits at STEP n=1 which produces no byte)
- // So these tests could be avoided within the loop.
- switch (base32.length() % 8) { // test the length of last subblock
-
- case 1: // 5 bits in subblock: 0 useful bits but 5 discarded
- case 3: // 15 bits in subblock: 8 useful bits but 7 discarded
- case 6: // 30 bits in subblock: 24 useful bits but 6 discarded
-
- throw new IllegalArgumentException(errorCanonicalLength);
- }
-
- byte[] bytes = new byte[base32.length() * 5 / 8];
- int offset = 0, i = 0, lookup;
- byte nextByte, digit;
-
- // Also the code below does test that other discarded bits
- // (1 to 4 bits at end) are effectively 0.
- while (i < base32.length()) {
- // Read the 1st char in a 8-chars subblock
- // check that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 0: leave 5 bits
- nextByte = (byte)(digit << 3);
- // Assert(i < base32.length) // tested before loop
- // Read the 2nd char in a 8-chars subblock
- // Check that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 5: insert 3 bits, leave 2 bits
- bytes[offset++] = (byte)(nextByte | (digit >> 2));
- nextByte = (byte)((digit & 3) << 6);
- if (i >= base32.length()) {
- if (nextByte != (byte)0) {
- throw new IllegalArgumentException(errorCanonicalEnd);
- }
- break; // discard the remaining 2 bits
- }
-
- // Read the 3rd char in a 8-chars subblock
- // Check that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 2: leave 7 bits
- nextByte |= (byte)(digit << 1);
- // Assert(i < base32.length) // tested before loop
- // Read the 4th char in a 8-chars subblock
- // Check that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 7: insert 1 bit, leave 4 bits
- bytes[offset++] = (byte)(nextByte | (digit >> 4));
- nextByte = (byte)((digit & 15) << 4);
- if (i >= base32.length()) {
- if (nextByte != (byte)0) {
- throw new IllegalArgumentException(errorCanonicalEnd);
- }
- break; // discard the remaining 4 bits
- }
-
- // Read the 5th char in a 8-chars subblock
- // Assert that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 4: insert 4 bits, leave 1 bit
- bytes[offset++] = (byte)(nextByte | (digit >> 1));
- nextByte = (byte)((digit & 1) << 7);
- if (i >= base32.length()) {
- if (nextByte != (byte)0) {
- throw new IllegalArgumentException(errorCanonicalEnd);
- }
- break; // discard the remaining 1 bit
- }
-
- // Read the 6th char in a 8-chars subblock
- // Check that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 1: leave 6 bits
- nextByte |= (byte)(digit << 2);
- // Assert(i < base32.length) // tested before loop
- // Read the 7th char in a 8-chars subblock
- // Check that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 6: insert 2 bits, leave 3 bits
- bytes[offset++] = (byte)(nextByte | (digit >> 3));
- nextByte = (byte)((digit & 7) << 5);
- if (i >= base32.length()) {
- if (nextByte != (byte)0) {
- throw new IllegalArgumentException(errorCanonicalEnd);
- }
- break; // discard the remaining 3 bits
- }
-
- // Read the 8th char in a 8-chars subblock
- // Check that chars are not outside the lookup table and valid
- lookup = base32.charAt(i++) - '2';
- if (lookup < 0 || lookup >= base32Lookup.length) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
- digit = base32Lookup[lookup];
- if (digit == -1) {
- throw new IllegalArgumentException(errorInvalidChar);
- }
-
- // STEP n = 3: insert 5 bits, leave 0 bit
- bytes[offset++] = (byte)(nextByte | digit);
- // possible end of string here with no trailing bits
- }
-
- // On loop exit, discard trialing n bits.
- return bytes;
- }
-}
-
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.apache.log4j.MDC;
-
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-
-/**
- * Simple Servlet Filter that populates the ServletRequest with data from a client certificate. Relies on external
- * mechanisms to properly authorize the certificate.
- *
- * @author Walter Hoehn
- */
-public class ClientCertTrustFilter implements Filter {
-
- private static Logger log = Logger.getLogger(ClientCertTrustFilter.class.getName());
- protected Pattern regex = Pattern.compile(".*CN=([^,/]+).*");
- protected int matchGroup = 1;
-
- /**
- * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
- */
- public void init(FilterConfig config) throws ServletException {
-
- if (config.getInitParameter("regex") != null) {
- try {
- regex = Pattern.compile(config.getInitParameter("regex"));
- } catch (PatternSyntaxException e) {
- throw new ServletException(
- "Failed to start ClientCertTrustFilter: supplied regular expression fails to compile.");
- }
- }
-
- if (config.getInitParameter("matchGroup") != null) {
- try {
- matchGroup = Integer.parseInt(config.getInitParameter("matchGroup"));
- } catch (NumberFormatException e) {
- throw new ServletException(
- "Failed to start ClientCertTrustFilter: supplied matchGroup is not an integer.");
- }
- }
- }
-
- /**
- * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
- * javax.servlet.FilterChain)
- */
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
- ServletException {
-
- MDC.put("serviceId", "[Client Cert Trust Filter]");
-
- if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
- log.error("Only HTTP(s) requests are supported by the ClientCertTrustFilter.");
- return;
- }
- HttpServletRequest httpRequest = (HttpServletRequest) request;
- HttpServletResponse httpResponse = (HttpServletResponse) response;
-
- log.debug("Using regex: (" + regex.pattern() + ").");
- log.debug("Using matchGroup of (" + matchGroup + ")");
-
- X509Certificate[] certs = (X509Certificate[]) httpRequest.getAttribute("javax.servlet.request.X509Certificate");
- if (certs == null) {
- log.error("Processed a request that did not contain a client certificate.");
- httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required.");
- return;
- }
-
- log.debug("Attempting to extract principal name from Subjet: (" + certs[0].getSubjectDN().getName() + ").");
- Matcher matches = regex.matcher(certs[0].getSubjectDN().getName());
- if (!matches.find()) {
- log.error("Principal could not be extracted from Certificate Subject.");
- httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN,
- "Client certificate does not contain required data.");
- return;
- }
- String principalName;
- try {
- principalName = matches.group(matchGroup);
- } catch (IndexOutOfBoundsException e) {
- log.error("Principal could not be extracted from Certificate Subject: matchGroup out of bounds.");
- httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN,
- "Client certificate does not contain required data.");
- return;
- }
- log.debug("Extracted principal name (" + principalName + ") from Subject.");
- chain.doFilter(new ClientCertTrustWrapper(httpRequest, new LocalPrincipal(principalName)), response);
- }
-
- /**
- * @see javax.servlet.Filter#destroy()
- */
- public void destroy() {
-
- // required by interface
- // no resources to clean
- }
-
- /**
- * <code>HttpServletRequest</code> wrapper class. Returns a locally specified principal and hardcoded authType.
- */
- private class ClientCertTrustWrapper extends HttpServletRequestWrapper {
-
- private Principal principal;
-
- private ClientCertTrustWrapper(HttpServletRequest request, Principal principal) {
-
- super(request);
- this.principal = principal;
- }
-
- /**
- * @see javax.servlet.http.HttpServletRequest#getAuthType()
- */
- public String getAuthType() {
-
- return HttpServletRequest.CLIENT_CERT_AUTH;
- }
-
- /**
- * @see javax.servlet.http.HttpServletRequest#getRemoteUser()
- */
- public String getRemoteUser() {
-
- return principal.getName();
- }
-
- /**
- * @see javax.servlet.http.HttpServletRequest#getUserPrincipal()
- */
- public Principal getUserPrincipal() {
-
- return principal;
- }
- }
-
-}
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.SecureRandom;
-
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.DESedeKeySpec;
-
-import org.apache.tools.ant.BuildException;
-import org.apache.tools.ant.Task;
-
-/**
- * Generates a Triple DES key and sticks it in the default location for use by the <code>CryptoHandleRepository</code>
- *
- * @author Walter Hoehn (wassa@columbia.edu)
- */
-public class HandleRepositorySecretGenerator extends Task {
-
- private File keyStorePath;
- private String keyStorePassword;
- private String keyStoreKeyAlias;
- private String keyStoreKeyPassword;
-
- public void execute() throws BuildException {
-
- try {
- if (keyStorePath == null || keyStorePassword == null || keyStoreKeyAlias == null
- || keyStoreKeyPassword == null) { throw new BuildException("Missing required parameter."); }
- log("Generating secret.");
- SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
- byte[] pseudoRand = new byte[24];
- new SecureRandom().nextBytes(pseudoRand);
- SecretKey secret = keyFactory.generateSecret(new DESedeKeySpec(pseudoRand));
-
- log("Writing keystore.");
- KeyStore keyStore = KeyStore.getInstance("JCEKS");
- keyStore.load(null, keyStorePassword.toCharArray());
- keyStore.setKeyEntry(keyStoreKeyAlias, secret, keyStoreKeyPassword.toCharArray(), null);
- keyStore.store(new FileOutputStream(keyStorePath), keyStorePassword.toCharArray());
-
- } catch (GeneralSecurityException e) {
- throw new BuildException("Unable to generate secret: " + e);
- } catch (IOException e) {
- throw new BuildException("Unable to store secret in keystore: " + e);
- }
- }
-
- /**
- * Sets the keyStoreKeyAlias.
- *
- * @param keyStoreKeyAlias
- * The keyStoreKeyAlias to set
- */
- public void setKeyStoreKeyAlias(String keyStoreKeyAlias) {
-
- this.keyStoreKeyAlias = keyStoreKeyAlias;
- }
-
- /**
- * Sets the keyStoreKeyPassword.
- *
- * @param keyStoreKeyPassword
- * The keyStoreKeyPassword to set
- */
- public void setKeyStoreKeyPassword(String keyStoreKeyPassword) {
-
- this.keyStoreKeyPassword = keyStoreKeyPassword;
- }
-
- /**
- * Sets the keyStorePassword.
- *
- * @param keyStorePassword
- * The keyStorePassword to set
- */
- public void setKeyStorePassword(String keyStorePassword) {
-
- this.keyStorePassword = keyStorePassword;
- }
-
- /**
- * Sets the keyStorePath.
- *
- * @param keyStorePath
- * The keyStorePath to set
- */
- public void setKeyStorePath(File keyStorePath) {
-
- this.keyStorePath = keyStorePath;
- }
-
-}
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.apache.log4j.MDC;
-
-/**
- * Simple Servlet Filter that strips realm information from Kerberos authenticated container-managed security
- *
- * @author Scott Cantor
- */
-public class KerberosPrincipalFilter implements Filter {
-
- private static Logger log = Logger.getLogger(KerberosPrincipalFilter.class.getName());
-
- /**
- * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
- */
- public void init(FilterConfig config) throws ServletException {
-
- }
-
- /**
- * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
- * javax.servlet.FilterChain)
- */
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
- ServletException {
-
- if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
- MDC.put("serviceId", "[Kerberos Principal Filter]");
- log.error("Only HTTP(s) requests are supported by the KerberosPrincipalFilter.");
- return;
- }
- HttpServletRequest httpRequest = (HttpServletRequest) request;
-
- String name = httpRequest.getRemoteUser();
- if (name != null) {
- int split = name.indexOf('@');
- if (split > -1) {
- name = name.substring(0, split);
- chain.doFilter(new KerberosPrincipalWrapper(httpRequest, new PrincipalImpl(name)), response);
- return;
- }
- }
- chain.doFilter(request, response);
- }
-
- /**
- * @see javax.servlet.Filter#destroy()
- */
- public void destroy() {
-
- }
-
- class KerberosPrincipalWrapper extends HttpServletRequestWrapper {
-
- Principal principal;
-
- KerberosPrincipalWrapper(HttpServletRequest request, Principal principal) {
-
- super(request);
- this.principal = principal;
- }
-
- /**
- * @see javax.servlet.http.HttpServletRequest#getRemoteUser()
- */
- public String getRemoteUser() {
-
- return principal.getName();
- }
-
- /**
- * @see javax.servlet.http.HttpServletRequest#getUserPrincipal()
- */
- public Principal getUserPrincipal() {
-
- return principal;
- }
- }
-
- class PrincipalImpl implements Principal {
-
- private String name = null;
-
- PrincipalImpl(String name) {
-
- this.name = name;
- }
-
- /**
- * @see java.security.Principal#getName()
- */
- public String getName() {
-
- return name;
- }
-
- /**
- * @see java.lang.Object#equals(java.lang.Object)
- */
- public boolean equals(Object obj) {
-
- return name.equals(obj);
- }
-
- /**
- * @see java.lang.Object#toString()
- */
- public String toString() {
-
- return name;
- }
-
- }
-}
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import jargs.gnu.CmdLineParser;
-
-import java.io.PrintStream;
-import java.io.PrintWriter;
-import java.io.StringWriter;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
-
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-
-import org.apache.log4j.ConsoleAppender;
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.apache.log4j.PatternLayout;
-import org.opensaml.SAMLException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
-import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException;
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPConfig;
-import edu.internet2.middleware.shibboleth.idp.IdPConfigLoader;
-
-/**
- * Utility for testing an Attribute Resolver configuration.
- *
- * @author Walter Hoehn
- * @author Noah Levitt
- */
-public class ResolverTest {
-
- private static boolean debug = false;
- private static String resolverxml = null;
- private static String idpXml = null;
- private static String requester = null;
- private static String responder = null;
- private static String user = null;
- private static AttributeResolver resolver = null;
- private static ArpEngine arpEngine = null;
-
- public static void main(String[] args) {
-
- parseCommandLine(args);
- initializeResolver();
- Map<String, AAAttribute> attributeSet = createAttributeSet();
- resolveAttributes(attributeSet);
-
- System.out.println("Received the following from the Attribute Resolver:");
- System.out.println();
- printAttributes(System.out, attributeSet.values());
- }
-
- private static void resolveAttributes(Map<String, AAAttribute> attributeSet) {
-
- Principal principal = new LocalPrincipal(user);
-
- resolver.resolveAttributes(principal, requester, responder, attributeSet);
-
- try {
- if (arpEngine != null) {
- arpEngine.filterAttributes(attributeSet.values(), principal, requester);
- }
- } catch (ArpProcessingException e) {
- System.err.println("Error applying Attribute Release Policy: " + e.getMessage());
- System.exit(1);
- }
- }
-
- private static void parseCommandLine(String[] args) {
-
- CmdLineParser parser = new CmdLineParser();
-
- CmdLineParser.Option helpOption = parser.addBooleanOption('h', "help");
- CmdLineParser.Option debugOption = parser.addBooleanOption('d', "debug");
- CmdLineParser.Option idpXmlOption = parser.addStringOption('\u0000', "idpXml");
- CmdLineParser.Option userOption = parser.addStringOption('u', "user");
- CmdLineParser.Option requesterOption = parser.addStringOption('r', "requester");
- CmdLineParser.Option responderOption = parser.addStringOption('i', "responder");
- CmdLineParser.Option resolverxmlOption = parser.addStringOption('\u0000', "resolverxml");
- CmdLineParser.Option fileOption = parser.addStringOption('f', "file"); // deprecated
-
- try {
- parser.parse(args);
- } catch (CmdLineParser.OptionException e) {
- System.out.println(e.getMessage());
- printUsage(System.out);
- System.exit(1);
- }
-
- Boolean helpEnabled = (Boolean) parser.getOptionValue(helpOption);
- if (helpEnabled != null && helpEnabled.booleanValue()) {
- printUsage(System.out);
- System.exit(0);
- }
-
- Boolean debugEnabled = ((Boolean) parser.getOptionValue(debugOption));
- if (debugEnabled != null) {
- debug = debugEnabled.booleanValue();
- }
-
- // if --resolverxml and --file both specified, silently use --resolverxml
- resolverxml = (String) parser.getOptionValue(resolverxmlOption);
- if (resolverxml == null) {
- resolverxml = (String) parser.getOptionValue(fileOption);
- }
-
- idpXml = (String) parser.getOptionValue(idpXmlOption);
-
- user = (String) parser.getOptionValue(userOption);
- requester = (String) parser.getOptionValue(requesterOption);
- responder = (String) parser.getOptionValue(responderOption);
-
- configureLogging(debug);
- checkRequired();
- }
-
- /**
- * Ensures that all required parameters were specified and successfully parsed.
- */
- private static void checkRequired() {
-
- if (user == null) {
- System.out.println("Missing required parameter --user.");
- System.out.println();
- printUsage(System.out);
- System.exit(1);
- }
- if ((resolverxml == null && idpXml == null) || (resolverxml != null && idpXml != null)) {
- System.out.println("Exactly one of --idpXml and --resolverxml is required.");
- System.out.println();
- printUsage(System.out);
- System.exit(1);
- }
- }
-
- private static Map<String, AAAttribute> createAttributeSet() {
-
- Collection<String> attributes = resolver.listRegisteredAttributeDefinitionPlugIns();
- Map<String, AAAttribute> attributeSet = new HashMap<String, AAAttribute>();
-
- for (String attrName : attributes) {
- try {
- attributeSet.put(attrName, new AAAttribute(attrName));
- } catch (SAMLException e) {
- System.err.println("Error creating AAAttribute (" + attrName + "): " + e.getMessage());
- System.exit(1);
- }
- }
-
- return attributeSet;
- }
-
- private static void initializeResolver() {
-
- if (idpXml != null) {
- try {
- Document idpConfig = IdPConfigLoader.getIdPConfig(idpXml);
- IdPConfig configuration = new IdPConfig(idpConfig.getDocumentElement());
-
- resolver = new AttributeResolver(configuration);
-
- NodeList itemElements = idpConfig.getDocumentElement().getElementsByTagNameNS(
- IdPConfig.configNameSpace, "ReleasePolicyEngine");
-
- if (itemElements.getLength() > 1) {
- System.err
- .println("Warning: encountered multiple <ReleasePolicyEngine> configuration elements in ("
- + idpXml + "). Using first...");
- }
-
- if (itemElements.getLength() < 1) {
- arpEngine = new ArpEngine();
- } else {
- arpEngine = new ArpEngine((Element) itemElements.item(0));
- }
-
- } catch (ShibbolethConfigurationException e) {
- System.err.println("Error loading IdP configuration file (" + idpXml + "): " + e.getMessage());
- System.exit(1);
- } catch (AttributeResolverException e) {
- System.err.println("Error initializing the Attribute Resolver: " + e.getMessage());
- System.exit(1);
- } catch (ArpException e) {
- System.err.println("Error initializing the ARP Engine: " + e.getMessage());
- System.exit(1);
- }
- } else {
- try {
- resolver = new AttributeResolver(resolverxml);
- } catch (AttributeResolverException e) {
- System.err.println("Error initializing the Attribute Resolver: " + e.getMessage());
- System.exit(1);
- }
- }
- }
-
- private static void printAttributes(PrintStream out, Collection<AAAttribute> attributeSet) {
-
- try {
- for (Iterator<AAAttribute> iterator = attributeSet.iterator(); iterator.hasNext();) {
- AAAttribute attribute = iterator.next();
- Node node = attribute.toDOM();
-
- if (!(node instanceof Element)) {
- System.err.println("Received bad Element data from SAML library.");
- System.exit(1);
- }
-
- TransformerFactory factory = TransformerFactory.newInstance();
- DOMSource source = new DOMSource(node);
- Transformer transformer = factory.newTransformer();
- transformer.setOutputProperty(OutputKeys.INDENT, "yes");
- StringWriter stringWriter = new StringWriter();
- StreamResult result = new StreamResult(stringWriter);
- transformer.transform(source, result);
- out.println(stringWriter.toString());
-
- out.println();
- }
- } catch (Exception e) {
- System.err.println("Error creating SAML attribute: " + e.getMessage());
- System.exit(1);
- }
- }
-
- private static void configureLogging(boolean debugEnabled) {
-
- ConsoleAppender rootAppender = new ConsoleAppender();
- rootAppender.setWriter(new PrintWriter(System.out));
- rootAppender.setName("stdout");
- Logger.getRootLogger().addAppender(rootAppender);
-
- if (debugEnabled) {
- Logger.getRootLogger().setLevel(Level.DEBUG);
- rootAppender.setLayout(new PatternLayout("%-5p %-41X{serviceId} %d{ISO8601} (%c:%L) - %m%n"));
- } else {
- Logger.getRootLogger().setLevel(Level.INFO);
- Logger.getLogger("edu.internet2.middleware.shibboleth.aa.attrresolv").setLevel(Level.WARN);
- rootAppender.setLayout(new PatternLayout(PatternLayout.TTCC_CONVERSION_PATTERN));
- }
- Logger.getLogger("org.apache.xml.security").setLevel(Level.OFF);
- }
-
- private static void printUsage(PrintStream out) {
-
- // out.println("Tests an AA Attribute Resolver configuration.");
- out.println("Usage: resolvertest --user=USER {--idpXml=URL|--resolverxml=URL} [OPTION...]");
- out.println();
- out.println("Options:");
- out.println(" -h, --help Print usage information");
- out.println(" -d, --debug Run in debug mode");
- out.println(" --idpXml=FILEURL URL of the IdP configuration file. Attributes");
- out.println(" will be filtered according to the Attribute Release");
- out.println(" Policy (ARP) specified in the configuration file");
- out.println(" --resolverxml=FILEURL URL of the resolver configuration file. No ARP");
- out.println(" filtering will be done");
- out.println(" --user=USER User for whom attributes should be resolved");
- out.println(" --requester=REQUESTER Name of the requester (SP). Emulates");
- out.println(" unauthenticated requester if not specified");
- out.println(" --responder=RESPONDER Name of the responder (IdP).");
- out.println(" --resource=URL URL of the resource. Only attributes available");
- out.println(" to any resource will be returned if not specified");
- }
-}
+++ /dev/null
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.DataOutputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletInputStream;
-import javax.servlet.ServletOutputStream;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
-
-import org.apache.log4j.Logger;
-import org.apache.log4j.MDC;
-import org.opensaml.SAMLConfig;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLIdentifier;
-
-/**
- * Servlet filter that intercepts incoming SAML 1.0 requests, converts them to SAML 1.1, and then reverses the
- * conversion for the subsequent response.
- *
- * @author Walter Hoehn
- */
-public class SAML1_0to1_1ConversionFilter implements Filter {
-
- private static Logger log = Logger.getLogger(SAML1_0to1_1ConversionFilter.class.getName());
- private SAMLIdentifier idgen = SAMLConfig.instance().getDefaultIDProvider();
-
- /*
- * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
- */
- public void init(FilterConfig config) throws ServletException {
-
- }
-
- /*
- * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
- * javax.servlet.FilterChain)
- */
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
- ServletException {
-
- MDC.put("serviceId", "[SAML Conversion Filter]");
- if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
- log.error("Only HTTP(s) requests are supported by the ClientCertTrustFilter.");
- return;
- }
- HttpServletRequest httpRequest = (HttpServletRequest) request;
- HttpServletResponse httpResponse = (HttpServletResponse) response;
-
- if (!httpRequest.getMethod().equals("POST")) {
- log.debug("Skipping SAML conversion because request method is not (POST).");
- chain.doFilter(httpRequest, httpResponse);
- }
-
- log.debug("Added SAML conversion wrapper to request.");
-
- StringBuffer stringBuffer = new StringBuffer();
- BufferedReader reader = request.getReader();
- for (String line = reader.readLine(); line != null; line = reader.readLine()) {
- stringBuffer.append(line);
- }
- reader.reset();
-
- String input = stringBuffer.toString();
-
- if (!isSAML1_0(input)) {
- log.debug("Skipping SAML conversion because the input does not contain a SAML 1.0 request.");
- chain.doFilter(new NoConversionRequestWrapper(httpRequest, input), httpResponse);
- return;
- }
-
- ConversionRequestWrapper requestWrapper = new ConversionRequestWrapper(httpRequest, input);
- ConversionResponseWrapper responseWrapper = new ConversionResponseWrapper(httpResponse, requestWrapper
- .getOriginalRequestId());
- chain.doFilter(requestWrapper, responseWrapper);
-
- responseWrapper.localFlush();
- }
-
- /**
- * @param input
- */
- private boolean isSAML1_0(String input) {
-
- Pattern majorRegex = Pattern.compile("<(.+:)?Request[^>]+(MajorVersion=['\"]1['\"])");
- Pattern minorRegex = Pattern.compile("<(.+:)?Request[^>]+(MinorVersion=['\"]0['\"])");
- Matcher majorMatcher = majorRegex.matcher(input);
- Matcher minorMatcher = minorRegex.matcher(input);
-
- if (!minorMatcher.find() || !majorMatcher.find()) { return false; }
- return true;
- }
-
- /*
- * @see javax.servlet.Filter#destroy()
- */
- public void destroy() {
-
- }
-
- private class ConversionResponseWrapper extends HttpServletResponseWrapper {
-
- private ByteArrayOutputStream output = new ByteArrayOutputStream();
- private String originalRequestId;
-
- private ConversionResponseWrapper(HttpServletResponse response, String originalRequestId) {
-
- super(response);
- this.originalRequestId = originalRequestId;
- }
-
- private void localFlush() throws IOException {
-
- String result = output.toString();
-
- // Fail if we encounter XML Dsig, since the conversion would break it anyway
- Pattern regex = Pattern.compile("<(.+:)?Signature");
- Matcher matcher = regex.matcher(result);
- if (matcher.find()) {
- log.error("Unable to convert SAML request from 1.0 to 1.1.");
- throw new IOException("Unable to auto-convert SAML messages containing digital signatures.");
- }
-
- // Update SAML minor verion on Response and assertions
- regex = Pattern.compile("<(.+:)?Response[^>]+(MinorVersion=['\"]1['\"])");
- matcher = regex.matcher(result);
- if (matcher.find()) {
- StringBuffer buff = new StringBuffer();
- int start = matcher.start(2);
- int end = matcher.end(2);
- buff.append(result.subSequence(0, start));
- buff.append("MinorVersion=\"0\"");
- buff.append(result.substring(end));
- result = buff.toString();
- }
-
- regex = Pattern.compile("<(.+:)?Assertion[^>]+(MinorVersion=['\"]1['\"])");
- matcher = regex.matcher(result);
- StringBuffer buff = new StringBuffer();
- int end = 0;
- while (matcher.find()) {
- int start = matcher.start(2);
- buff.append(result.subSequence(end, start));
- end = matcher.end(2);
- buff.append("MinorVersion=\"0\"");
- }
- if (buff.length() > 0) {
- buff.append(result.substring(end));
- result = buff.toString();
- }
-
- // Substitue in the real identifier from the original request
- regex = Pattern.compile("<(.+:)?Response[^>]+InResponseTo=['\"]([^\"]+)['\"]");
- matcher = regex.matcher(result);
- if (matcher.find()) {
- buff = new StringBuffer();
- int start = matcher.start(2);
- end = matcher.end(2);
- buff.append(result.subSequence(0, start));
- buff.append(originalRequestId);
- buff.append(result.substring(end));
- result = buff.toString();
- }
-
- // Replace deprecated artifact confirmation method
- regex = Pattern
- .compile("<(.+:)?ConfirmationMethod>(urn:oasis:names:tc:SAML:1.0:cm:artifact)</(.+:)?ConfirmationMethod>");
- matcher = regex.matcher(result);
- buff = new StringBuffer();
- end = 0;
- while (matcher.find()) {
- int start = matcher.start(2);
- buff.append(result.subSequence(end, start));
- end = matcher.end(2);
- buff.append("urn:oasis:names:tc:SAML:1.0:cm:artifact-01");
- }
- if (buff.length() > 0) {
- buff.append(result.substring(end));
- result = buff.toString();
- }
-
- super.getOutputStream().write(result.getBytes());
- output.reset();
- }
-
- public ServletOutputStream getOutputStream() {
-
- return new ModifiableOutputStream(output);
- }
-
- public PrintWriter getWriter() {
-
- return new PrintWriter(getOutputStream(), true);
- }
-
- public void reset() {
-
- super.reset();
- output.reset();
- }
-
- public void resetBuffer() {
-
- output.reset();
- }
-
- public void flushBuffer() throws IOException {
-
- localFlush();
- super.flushBuffer();
- }
-
- private class ModifiableOutputStream extends ServletOutputStream {
-
- private DataOutputStream stream;
-
- public ModifiableOutputStream(OutputStream output) {
-
- stream = new DataOutputStream(output);
- }
-
- public void write(int b) throws IOException {
-
- stream.write(b);
- }
-
- public void write(byte[] b) throws IOException {
-
- stream.write(b);
- }
-
- public void write(byte[] b, int off, int len) throws IOException {
-
- stream.write(b, off, len);
- }
-
- }
- }
-
- private class ConversionRequestWrapper extends HttpServletRequestWrapper {
-
- private ServletInputStream stream;
- private boolean accessed = false;
- private String method;
- private String originalRequestId;
- private int newLength;
-
- private ConversionRequestWrapper(HttpServletRequest request, String input) throws IOException {
-
- super(request);
-
- // Fail if we encounter XML Dsig, since the conversion would break it anyway
- Pattern regex = Pattern.compile("<(.+:)?Signature");
- Matcher matcher = regex.matcher(input);
- if (matcher.find()) {
- log.error("Unable to convert SAML request from 1.0 to 1.1.");
- throw new IOException("Unable to auto-convert SAML messages containing digital signatures.");
- }
-
- // Update SAML minor verion on Request
- regex = Pattern.compile("<(.+:)?Request[^>]+(MinorVersion=['\"]0['\"])");
- matcher = regex.matcher(input);
- if (matcher.find()) {
- StringBuffer buff = new StringBuffer();
- int start = matcher.start(2);
- int end = matcher.end(2);
- buff.append(input.subSequence(0, start));
- buff.append("MinorVersion=\"1\"");
- buff.append(input.substring(end));
- input = buff.toString();
- }
-
- // Substitute in a fake request id that is valid in SAML 1.1, but save the original so that we can put it
- // back later
- regex = Pattern.compile("<(.+:)?Request[^>]+RequestID=['\"]([^'\"]+)['\"]");
- matcher = regex.matcher(input);
- if (matcher.find()) {
- StringBuffer buff = new StringBuffer();
- originalRequestId = matcher.group(2);
- int start = matcher.start(2);
- int end = matcher.end(2);
- buff.append(input.subSequence(0, start));
- try {
- buff.append(idgen.getIdentifier());
- } catch (SAMLException e) {
- throw new IOException("Unable to obtain a new SAML message ID from provider");
- }
- buff.append(input.substring(end));
- input = buff.toString();
- }
-
- newLength = input.length();
- stream = new ModifiedInputStream(new ByteArrayInputStream(input.getBytes()));
- }
-
- /*
- * (non-Javadoc)
- *
- * @see javax.servlet.ServletRequest#getInputStream()
- */
- public ServletInputStream getInputStream() throws IOException {
-
- if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
- accessed = true;
- method = "getInputStream()";
- return stream;
- }
-
- /*
- * (non-Javadoc)
- *
- * @see javax.servlet.ServletRequest#getReader()
- */
- public BufferedReader getReader() throws IOException {
-
- if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
- accessed = true;
- method = "getReader()";
- return new BufferedReader(new InputStreamReader(stream));
- }
-
- private String getOriginalRequestId() {
-
- return originalRequestId;
-
- }
-
- /*
- * (non-Javadoc)
- *
- * @see javax.servlet.ServletRequest#getContentLength()
- */
- public int getContentLength() {
-
- return newLength;
- }
-
- }
-
- private class NoConversionRequestWrapper extends HttpServletRequestWrapper {
-
- private ServletInputStream stream;
- private boolean accessed = false;
- private String method;
-
- private NoConversionRequestWrapper(HttpServletRequest request, String input) {
-
- super(request);
- stream = new ModifiedInputStream(new ByteArrayInputStream(input.getBytes()));
- }
-
- /*
- * (non-Javadoc)
- *
- * @see javax.servlet.ServletRequest#getInputStream()
- */
- public ServletInputStream getInputStream() throws IOException {
-
- if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
- accessed = true;
- method = "getInputStream()";
- return stream;
- }
-
- /*
- * (non-Javadoc)
- *
- * @see javax.servlet.ServletRequest#getReader()
- */
- public BufferedReader getReader() throws IOException {
-
- if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
- accessed = true;
- method = "getReader()";
- return new BufferedReader(new InputStreamReader(stream));
- }
-
- }
-
- private class ModifiedInputStream extends ServletInputStream {
-
- private ByteArrayInputStream stream;
-
- private ModifiedInputStream(ByteArrayInputStream stream) {
-
- this.stream = stream;
- }
-
- /*
- * (non-Javadoc)
- *
- * @see javax.servlet.ServletInputStream#readLine(byte[], int, int)
- */
- public int readLine(byte[] b, int off, int len) throws IOException {
-
- if (len <= 0) { return 0; }
- int count = 0, c;
-
- while ((c = stream.read()) != -1) {
- b[off++] = (byte) c;
- count++;
- if (c == '\n' || count == len) {
- break;
- }
- }
- return count > 0 ? count : -1;
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#available()
- */
- public int available() throws IOException {
-
- return stream.available();
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#close()
- */
- public void close() throws IOException {
-
- stream.close();
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#mark(int)
- */
- public synchronized void mark(int readlimit) {
-
- stream.mark(readlimit);
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#markSupported()
- */
- public boolean markSupported() {
-
- return stream.markSupported();
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#read(byte[], int, int)
- */
- public int read(byte[] b, int off, int len) throws IOException {
-
- return stream.read(b, off, len);
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#read(byte[])
- */
- public int read(byte[] b) throws IOException {
-
- return stream.read(b);
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#reset()
- */
- public synchronized void reset() throws IOException {
-
- stream.reset();
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#skip(long)
- */
- public long skip(long n) throws IOException {
-
- return stream.skip(n);
- }
-
- /*
- * (non-Javadoc)
- *
- * @see java.io.InputStream#read()
- */
- public int read() throws IOException {
-
- return stream.read();
- }
-
- }
-
-}
\ No newline at end of file
+++ /dev/null
-<ca-bundle.crt#rev1.6> *Return to ca-bundle.crt <ca-bundle.crt#rev1.6>
-CVS log* *Up to [Shibboleth] </cgi-bin/viewcvs.cgi/#dirlist> /
-shibboleth </cgi-bin/viewcvs.cgi/shibboleth/#dirlist> / c
-</cgi-bin/viewcvs.cgi/shibboleth/c/#dirlist> / configs
-</cgi-bin/viewcvs.cgi/shibboleth/c/configs/#dirlist>*
-
-------------------------------------------------------------------------
-File: [Shibboleth] </cgi-bin/viewcvs.cgi/#dirlist> / shibboleth
-</cgi-bin/viewcvs.cgi/shibboleth/#dirlist> / c
-</cgi-bin/viewcvs.cgi/shibboleth/c/#dirlist> / configs
-</cgi-bin/viewcvs.cgi/shibboleth/c/configs/#dirlist> / ca-bundle.crt
-</cgi-bin/viewcvs.cgi/shibboleth/c/configs/ca-bundle.crt#dirlist>
-(*download*
-</cgi-bin/viewcvs.cgi/*checkout*/shibboleth/c/configs/ca-bundle.crt?rev=1.6>)
-
-Revision: *1.6*, /Fri Sep 5 17:43:30 2003 UTC/ (2 months, 4 weeks ago)
-by /wassa/
-Branch: *MAIN*
-CVS Tags: *HEAD*
-Changes since *1.5: +6 -6 lines*
-
-Updated NSDL CA cert.
-
-------------------------------------------------------------------------
-
-##
-## ca-bundle.crt -- Bundle of CA Root Certificates
-## Last Modified: Thu Mar 2 09:32:46 CET 2000
-##
-## This is a bundle of X.509 certificates of public
-## Certificate Authorities (CA). These were automatically
-## extracted from Netscape Communicator 4.72's certificate database
-## (the file `cert7.db'). It contains the certificates in both
-## plain text and PEM format and therefore can be directly used
-## with an Apache+mod_ssl webserver for SSL client authentication.
-## Just configure this file as the SSLCACertificateFile.
-##
-## (SKIPME)
-##
-
-ABAecom (sub., Am. Bankers Assn.) Root CA
-=========================================
-MD5 Fingerprint: 82:12:F7:89:E1:0B:91:60:A4:B6:22:9F:94:68:11:92
-PEM Data:
------BEGIN CERTIFICATE-----
-MIID+DCCAuCgAwIBAgIRANAeQJAAACdLAAAAAQAAAAQwDQYJKoZIhvcNAQEFBQAw
-gYwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExh
-a2UgQ2l0eTEYMBYGA1UEChMPWGNlcnQgRVogYnkgRFNUMRgwFgYDVQQDEw9YY2Vy
-dCBFWiBieSBEU1QxITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAe
-Fw05OTA3MTQxNjE0MThaFw0wOTA3MTExNjE0MThaMIGMMQswCQYDVQQGEwJVUzEN
-MAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxGDAWBgNVBAoT
-D1hjZXJ0IEVaIGJ5IERTVDEYMBYGA1UEAxMPWGNlcnQgRVogYnkgRFNUMSEwHwYJ
-KoZIhvcNAQkBFhJjYUBkaWdzaWd0cnVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQCtVBjetL/3reh0qu2LfI/C1HUa1YS5tmL8ie/kl2GS+x24
-4VpHNJ6eBiL70+o4y7iLB/caoBd3B1owHNQpOCDXJ0DYUJNDv9IYoil2BXKqa7Zp
-mKt5Hhxl9WqL/MUWqqJy2mDtTm4ZJXoKHTDjUJtCPETrobAgHtsCfv49H7/QAIrb
-QHamGKUVp1e2UsIBF5h3j4qBxhq0airmr6nWAKzP2BVJfNsbof6B+of505DBAsD5
-0ELpkWglX8a/hznplQBgKL+DLMDnXrbXNhbnYId26OcnsiUNi3rlqh3lWc3OCw5v
-xsic4xDZhTnTt5v6xrp8dNJddVardKSiUb9SfO5xAgMBAAGjUzBRMA8GA1UdEwEB
-/wQFMAMBAf8wHwYDVR0jBBgwFoAUCCBsZuuBCmxc1bWmPEHdHJaRJ3cwHQYDVR0O
-BBYEFAggbGbrgQpsXNW1pjxB3RyWkSd3MA0GCSqGSIb3DQEBBQUAA4IBAQBah1iP
-Lat2IWtUDNnxQfZOzSue4x+boy1/2St9WMhnpCn16ezVvZY/o3P4xFs2fNBjLDQ5
-m0i4PW/2FMWeY+anNG7T6DOzxzwYbiOuQ5KZP5jFaTDxNjutuTCC1rZZFpYCCykS
-YbQRifcML5SQhZgonFNsfmPdc/QZ/0qB0bJSI/08SjTOWhvgUIrtT4GV2GDn5MQN
-u1g+WPdOaG8+Z8nLepcWJ+xCYRR2uwDF6wg9FX9LtiJdhzuQ9PPA/jez6dliDMDD
-Wa9gvR8N26E0HzDEPYutsB0Ek+1f1eS/IDAE9EjpMwHRLpAnUrOb3jocq6mXf5vr
-wo3CbezcE9NGxXl8
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number:
- d0:1e:40:90:00:00:27:4b:00:00:00:01:00:00:00:04
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
- Validity
- Not Before: Jul 14 16:14:18 1999 GMT
- Not After : Jul 11 16:14:18 2009 GMT
- Subject: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:ad:54:18:de:b4:bf:f7:ad:e8:74:aa:ed:8b:7c:
- 8f:c2:d4:75:1a:d5:84:b9:b6:62:fc:89:ef:e4:97:
- 61:92:fb:1d:b8:e1:5a:47:34:9e:9e:06:22:fb:d3:
- ea:38:cb:b8:8b:07:f7:1a:a0:17:77:07:5a:30:1c:
- d4:29:38:20:d7:27:40:d8:50:93:43:bf:d2:18:a2:
- 29:76:05:72:aa:6b:b6:69:98:ab:79:1e:1c:65:f5:
- 6a:8b:fc:c5:16:aa:a2:72:da:60:ed:4e:6e:19:25:
- 7a:0a:1d:30:e3:50:9b:42:3c:44:eb:a1:b0:20:1e:
- db:02:7e:fe:3d:1f:bf:d0:00:8a:db:40:76:a6:18:
- a5:15:a7:57:b6:52:c2:01:17:98:77:8f:8a:81:c6:
- 1a:b4:6a:2a:e6:af:a9:d6:00:ac:cf:d8:15:49:7c:
- db:1b:a1:fe:81:fa:87:f9:d3:90:c1:02:c0:f9:d0:
- 42:e9:91:68:25:5f:c6:bf:87:39:e9:95:00:60:28:
- bf:83:2c:c0:e7:5e:b6:d7:36:16:e7:60:87:76:e8:
- e7:27:b2:25:0d:8b:7a:e5:aa:1d:e5:59:cd:ce:0b:
- 0e:6f:c6:c8:9c:e3:10:d9:85:39:d3:b7:9b:fa:c6:
- ba:7c:74:d2:5d:75:56:ab:74:a4:a2:51:bf:52:7c:
- ee:71
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Authority Key Identifier:
- keyid:08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77
-
- X509v3 Subject Key Identifier:
- 08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77
- Signature Algorithm: sha1WithRSAEncryption
- 5a:87:58:8f:2d:ab:76:21:6b:54:0c:d9:f1:41:f6:4e:cd:2b:
- 9e:e3:1f:9b:a3:2d:7f:d9:2b:7d:58:c8:67:a4:29:f5:e9:ec:
- d5:bd:96:3f:a3:73:f8:c4:5b:36:7c:d0:63:2c:34:39:9b:48:
- b8:3d:6f:f6:14:c5:9e:63:e6:a7:34:6e:d3:e8:33:b3:c7:3c:
- 18:6e:23:ae:43:92:99:3f:98:c5:69:30:f1:36:3b:ad:b9:30:
- 82:d6:b6:59:16:96:02:0b:29:12:61:b4:11:89:f7:0c:2f:94:
- 90:85:98:28:9c:53:6c:7e:63:dd:73:f4:19:ff:4a:81:d1:b2:
- 52:23:fd:3c:4a:34:ce:5a:1b:e0:50:8a:ed:4f:81:95:d8:60:
- e7:e4:c4:0d:bb:58:3e:58:f7:4e:68:6f:3e:67:c9:cb:7a:97:
- 16:27:ec:42:61:14:76:bb:00:c5:eb:08:3d:15:7f:4b:b6:22:
- 5d:87:3b:90:f4:f3:c0:fe:37:b3:e9:d9:62:0c:c0:c3:59:af:
- 60:bd:1f:0d:db:a1:34:1f:30:c4:3d:8b:ad:b0:1d:04:93:ed:
- 5f:d5:e4:bf:20:30:04:f4:48:e9:33:01:d1:2e:90:27:52:b3:
- 9b:de:3a:1c:ab:a9:97:7f:9b:eb:c2:8d:c2:6d:ec:dc:13:d3:
- 46:c5:79:7c
-
-ANX Network CA by DST
-=====================
-MD5 Fingerprint: A8:ED:DE:EB:93:88:66:D8:2F:C3:BD:1D:BE:45:BE:4D
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDTTCCAragAwIBAgIENm6ibzANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMR0wGwYDVQQL
-ExREU1QgKEFOWCBOZXR3b3JrKSBDQTAeFw05ODEyMDkxNTQ2NDhaFw0xODEyMDkx
-NjE2NDhaMFIxCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVy
-ZSBUcnVzdCBDby4xHTAbBgNVBAsTFERTVCAoQU5YIE5ldHdvcmspIENBMIGdMA0G
-CSqGSIb3DQEBAQUAA4GLADCBhwKBgQC0SBGAWKDVpZkP9jcsRLZu0XzzKmueEbaI
-IwRccSWeahJ3EW6/aDllqPay9qIYsokVoGe3eowiSGv2hDQftsr3G3LL8ltI04ce
-InYTBLSsbJZ/5w4IyTJRMC3VgOghZ7rzXggkLAdZnZAa7kbJtaQelrRBkdR/0o04
-JrBvQ24JfQIBA6OCATAwggEsMBEGCWCGSAGG+EIBAQQEAwIABzB0BgNVHR8EbTBr
-MGmgZ6BlpGMwYTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0
-dXJlIFRydXN0IENvLjEdMBsGA1UECxMURFNUIChBTlggTmV0d29yaykgQ0ExDTAL
-BgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxNTQ2NDhagQ8yMDE4MTIw
-OTE1NDY0OFowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFIwWVXDMFgpTZMKlhKqz
-ZBdDP4I2MB0GA1UdDgQWBBSMFlVwzBYKU2TCpYSqs2QXQz+CNjAMBgNVHRMEBTAD
-AQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4GB
-AEklyWCxDF+pORDTxTRVfc95wynr3vnCQPnoVsXwL+z02exIUbhjOF6TbhiWhbnK
-UJykuOpmJmiThW9vTHHQvnoLPDG5975pnhDX0UDorBZxq66rOOFwscqSFuBdhaYY
-gAYAnOGmGEJRp2hoWe8mlF+tMQz+KR4XAYQ3W+gSMqNd
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 913220207 (0x366ea26f)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, O=Digital Signature Trust Co., OU=DST (ANX Network) CA
- Validity
- Not Before: Dec 9 15:46:48 1998 GMT
- Not After : Dec 9 16:16:48 2018 GMT
- Subject: C=US, O=Digital Signature Trust Co., OU=DST (ANX Network) CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:b4:48:11:80:58:a0:d5:a5:99:0f:f6:37:2c:44:
- b6:6e:d1:7c:f3:2a:6b:9e:11:b6:88:23:04:5c:71:
- 25:9e:6a:12:77:11:6e:bf:68:39:65:a8:f6:b2:f6:
- a2:18:b2:89:15:a0:67:b7:7a:8c:22:48:6b:f6:84:
- 34:1f:b6:ca:f7:1b:72:cb:f2:5b:48:d3:87:1e:22:
- 76:13:04:b4:ac:6c:96:7f:e7:0e:08:c9:32:51:30:
- 2d:d5:80:e8:21:67:ba:f3:5e:08:24:2c:07:59:9d:
- 90:1a:ee:46:c9:b5:a4:1e:96:b4:41:91:d4:7f:d2:
- 8d:38:26:b0:6f:43:6e:09:7d
- Exponent: 3 (0x3)
- X509v3 extensions:
- Netscape Cert Type:
- SSL CA, S/MIME CA, Object Signing CA
- X509v3 CRL Distribution Points:
- DirName:/C=US/O=Digital Signature Trust Co./OU=DST (ANX Network) CA/CN=CRL1
-
- X509v3 Private Key Usage Period:
- Not Before: Dec 9 15:46:48 1998 GMT, Not After: Dec 9 15:46:48 2018 GMT
- X509v3 Key Usage:
- Certificate Sign, CRL Sign
- X509v3 Authority Key Identifier:
- keyid:8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36
-
- X509v3 Subject Key Identifier:
- 8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36
- X509v3 Basic Constraints:
- CA:TRUE
- 1.2.840.113533.7.65.0:
- 0
-..V4.0....
- Signature Algorithm: sha1WithRSAEncryption
- 49:25:c9:60:b1:0c:5f:a9:39:10:d3:c5:34:55:7d:cf:79:c3:
- 29:eb:de:f9:c2:40:f9:e8:56:c5:f0:2f:ec:f4:d9:ec:48:51:
- b8:63:38:5e:93:6e:18:96:85:b9:ca:50:9c:a4:b8:ea:66:26:
- 68:93:85:6f:6f:4c:71:d0:be:7a:0b:3c:31:b9:f7:be:69:9e:
- 10:d7:d1:40:e8:ac:16:71:ab:ae:ab:38:e1:70:b1:ca:92:16:
- e0:5d:85:a6:18:80:06:00:9c:e1:a6:18:42:51:a7:68:68:59:
- ef:26:94:5f:ad:31:0c:fe:29:1e:17:01:84:37:5b:e8:12:32:
- a3:5d
-
-American Express CA
-===================
-MD5 Fingerprint: 1C:D5:8E:82:BE:70:55:8E:39:61:DF:AD:51:DB:6B:A0
-PEM Data:
------BEGIN CERTIFICATE-----
-MIICkDCCAfkCAgCNMA0GCSqGSIb3DQEBBAUAMIGPMQswCQYDVQQGEwJVUzEnMCUG
-A1UEChMeQW1lcmljYW4gRXhwcmVzcyBDb21wYW55LCBJbmMuMSYwJAYDVQQLEx1B
-bWVyaWNhbiBFeHByZXNzIFRlY2hub2xvZ2llczEvMC0GA1UEAxMmQW1lcmljYW4g
-RXhwcmVzcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgwODE0MjIwMTAwWhcN
-MDYwODE0MjM1OTAwWjCBjzELMAkGA1UEBhMCVVMxJzAlBgNVBAoTHkFtZXJpY2Fu
-IEV4cHJlc3MgQ29tcGFueSwgSW5jLjEmMCQGA1UECxMdQW1lcmljYW4gRXhwcmVz
-cyBUZWNobm9sb2dpZXMxLzAtBgNVBAMTJkFtZXJpY2FuIEV4cHJlc3MgQ2VydGlm
-aWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ8kmS
-hcr9FSm1BrZE7PyIo/KGzv8UTyQckvnCI8HOQ99dNMi4FOzVKnCRSZXXVs2U8amT
-0Ggi3E19oApyKkfqJfCFAF82VGHPC/k3Wmed6R/pZD9wlWGn0DAC3iYopGYDBOkw
-+48zB/lvYYeictvzaHhjZlmpybdm4RWySDYs+QIDAQABMA0GCSqGSIb3DQEBBAUA
-A4GBAGgXYrhzi0xs60qlPqvlnS7SzYoHV/PGWZd2Fxf4Uo4nk9hY2Chs9KIEeorC
-diSxArTfKPL386infiNIYYj0EWiuJl32oUtTJWrYKhQCDuCHIG6eGVxzkAsj4jGX
-Iz/VIqLTBnvaN/XXtUFEF3pFAtmFRWbWjsfwegyZYiJpW+3S
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 1 (0x0)
- Serial Number: 141 (0x8d)
- Signature Algorithm: md5WithRSAEncryption
- Issuer: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Certificate Authority
- Validity
- Not Before: Aug 14 22:01:00 1998 GMT
- Not After : Aug 14 23:59:00 2006 GMT
- Subject: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Certificate Authority
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:c9:f2:49:92:85:ca:fd:15:29:b5:06:b6:44:ec:
- fc:88:a3:f2:86:ce:ff:14:4f:24:1c:92:f9:c2:23:
- c1:ce:43:df:5d:34:c8:b8:14:ec:d5:2a:70:91:49:
- 95:d7:56:cd:94:f1:a9:93:d0:68:22:dc:4d:7d:a0:
- 0a:72:2a:47:ea:25:f0:85:00:5f:36:54:61:cf:0b:
- f9:37:5a:67:9d:e9:1f:e9:64:3f:70:95:61:a7:d0:
- 30:02:de:26:28:a4:66:03:04:e9:30:fb:8f:33:07:
- f9:6f:61:87:a2:72:db:f3:68:78:63:66:59:a9:c9:
- b7:66:e1:15:b2:48:36:2c:f9
- Exponent: 65537 (0x10001)
- Signature Algorithm: md5WithRSAEncryption
- 68:17:62:b8:73:8b:4c:6c:eb:4a:a5:3e:ab:e5:9d:2e:d2:cd:
- 8a:07:57:f3:c6:59:97:76:17:17:f8:52:8e:27:93:d8:58:d8:
- 28:6c:f4:a2:04:7a:8a:c2:76:24:b1:02:b4:df:28:f2:f7:f3:
- a8:a7:7e:23:48:61:88:f4:11:68:ae:26:5d:f6:a1:4b:53:25:
- 6a:d8:2a:14:02:0e:e0:87:20:6e:9e:19:5c:73:90:0b:23:e2:
- 31:97:23:3f:d5:22:a2:d3:06:7b:da:37:f5:d7:b5:41:44:17:
- 7a:45:02:d9:85:45:66:d6:8e:c7:f0:7a:0c:99:62:22:69:5b:
- ed:d2
-
-American Express Global CA
-==========================
-MD5 Fingerprint: 63:1B:66:93:8C:F3:66:CB:3C:79:57:DC:05:49:EA:DB
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgICAIUwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAlVT
-MScwJQYDVQQKEx5BbWVyaWNhbiBFeHByZXNzIENvbXBhbnksIEluYy4xJjAkBgNV
-BAsTHUFtZXJpY2FuIEV4cHJlc3MgVGVjaG5vbG9naWVzMTYwNAYDVQQDEy1BbWVy
-aWNhbiBFeHByZXNzIEdsb2JhbCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgw
-ODE0MTkwNjAwWhcNMTMwODE0MjM1OTAwWjCBljELMAkGA1UEBhMCVVMxJzAlBgNV
-BAoTHkFtZXJpY2FuIEV4cHJlc3MgQ29tcGFueSwgSW5jLjEmMCQGA1UECxMdQW1l
-cmljYW4gRXhwcmVzcyBUZWNobm9sb2dpZXMxNjA0BgNVBAMTLUFtZXJpY2FuIEV4
-cHJlc3MgR2xvYmFsIENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAPAkJmYu++tKc3FTiUfLJjxTkpRMysKFtQ34w1e9
-Lyofahi3V68MABb6oLaQpvcaoS5mJsdoo4qTaWa1RlYtHYLqkAwKIsKJUI0F89Sr
-c0HwzxKsKLRvFJSWWUuekHWG3+JH6+HpT0N+h8onGGaetcFAZX38YW+tm3LPqV7Y
-8/nabpEQ+ky16n4g3qk5L/WI5IpvNcYgnCuGRjMK/DFVpWusFkDpzTVZbzIEw3u1
-D3t3cPNIuypSgs6vKW3xEW9t5gcAAe+a8yYNpnkTZ6/4qxx1rJG1a75AsN6cDLFp
-hRlxkRNFyt/R/eayypaDedvFuKpbepALeFY+xteflEgR9a0CAwEAAaNaMFgwEgYD
-VR0TAQH/BAgwBgEB/wIBBTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgoq
-hkiG+Q8KAQUBMBkGA1UdDgQSBBBXRzV7NicRqAj8L0Yl6yRpMA0GCSqGSIb3DQEB
-BQUAA4IBAQDHYUWoinG5vjTpIXshzVYTmNUwY+kYqkuSFb8LHbvskmnFLsNhi+gw
-RcsQRsFzOFyLGdIr80DrfHKzLh4n43WVihybLsSVBYZy0FX0oZJSeVzb9Pjc5dcS
-sUDHPIbkMWVKyjfG3nZXGWlMRmn8Kq0WN3qTrPchSy3766lQy8HRQAjaA2mHpzde
-VcHF7cTjjgwml5tcV0ty4/IDBdACOyYDQJCevgtbSQx48dVMVSng9v1MA6lUAjLR
-V1qFrEPtWzsWX6C/NdtLnnvo/+cNPDuom0lBRvVzTv+SZSGDE1Vx60k8f4gawhIo
-JaFGS0E3l3/sjvHUoZbCILZerakcHhGg
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 133 (0x85)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority
- Validity
- Not Before: Aug 14 19:06:00 1998 GMT
- Not After : Aug 14 23:59:00 2013 GMT
- Subject: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:f0:24:26:66:2e:fb:eb:4a:73:71:53:89:47:cb:
- 26:3c:53:92:94:4c:ca:c2:85:b5:0d:f8:c3:57:bd:
- 2f:2a:1f:6a:18:b7:57:af:0c:00:16:fa:a0:b6:90:
- a6:f7:1a:a1:2e:66:26:c7:68:a3:8a:93:69:66:b5:
- 46:56:2d:1d:82:ea:90:0c:0a:22:c2:89:50:8d:05:
- f3:d4:ab:73:41:f0:cf:12:ac:28:b4:6f:14:94:96:
- 59:4b:9e:90:75:86:df:e2:47:eb:e1:e9:4f:43:7e:
- 87:ca:27:18:66:9e:b5:c1:40:65:7d:fc:61:6f:ad:
- 9b:72:cf:a9:5e:d8:f3:f9:da:6e:91:10:fa:4c:b5:
- ea:7e:20:de:a9:39:2f:f5:88:e4:8a:6f:35:c6:20:
- 9c:2b:86:46:33:0a:fc:31:55:a5:6b:ac:16:40:e9:
- cd:35:59:6f:32:04:c3:7b:b5:0f:7b:77:70:f3:48:
- bb:2a:52:82:ce:af:29:6d:f1:11:6f:6d:e6:07:00:
- 01:ef:9a:f3:26:0d:a6:79:13:67:af:f8:ab:1c:75:
- ac:91:b5:6b:be:40:b0:de:9c:0c:b1:69:85:19:71:
- 91:13:45:ca:df:d1:fd:e6:b2:ca:96:83:79:db:c5:
- b8:aa:5b:7a:90:0b:78:56:3e:c6:d7:9f:94:48:11:
- f5:ad
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE, pathlen:5
- X509v3 Key Usage: critical
- Certificate Sign, CRL Sign
- X509v3 Certificate Policies:
- Policy: 1.2.840.113807.10.1.5.1
-
- X509v3 Subject Key Identifier:
- 57:47:35:7B:36:27:11:A8:08:FC:2F:46:25:EB:24:69
- Signature Algorithm: sha1WithRSAEncryption
- c7:61:45:a8:8a:71:b9:be:34:e9:21:7b:21:cd:56:13:98:d5:
- 30:63:e9:18:aa:4b:92:15:bf:0b:1d:bb:ec:92:69:c5:2e:c3:
- 61:8b:e8:30:45:cb:10:46:c1:73:38:5c:8b:19:d2:2b:f3:40:
- eb:7c:72:b3:2e:1e:27:e3:75:95:8a:1c:9b:2e:c4:95:05:86:
- 72:d0:55:f4:a1:92:52:79:5c:db:f4:f8:dc:e5:d7:12:b1:40:
- c7:3c:86:e4:31:65:4a:ca:37:c6:de:76:57:19:69:4c:46:69:
- fc:2a:ad:16:37:7a:93:ac:f7:21:4b:2d:fb:eb:a9:50:cb:c1:
- d1:40:08:da:03:69:87:a7:37:5e:55:c1:c5:ed:c4:e3:8e:0c:
- 26:97:9b:5c:57:4b:72:e3:f2:03:05:d0:02:3b:26:03:40:90:
- 9e:be:0b:5b:49:0c:78:f1:d5:4c:55:29:e0:f6:fd:4c:03:a9:
- 54:02:32:d1:57:5a:85:ac:43:ed:5b:3b:16:5f:a0:bf:35:db:
- 4b:9e:7b:e8:ff:e7:0d:3c:3b:a8:9b:49:41:46:f5:73:4e:ff:
- 92:65:21:83:13:55:71:eb:49:3c:7f:88:1a:c2:12:28:25:a1:
- 46:4b:41:37:97:7f:ec:8e:f1:d4:a1:96:c2:20:b6:5e:ad:a9:
- 1c:1e:11:a0
-
-BelSign Object Publishing CA
-============================
-MD5 Fingerprint: 8A:02:F8:DF:B8:E1:84:9F:5A:C2:60:24:65:D1:73:FB
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDAzCCAmygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCQkUx
-ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMTgwNgYDVQQL
-Ey9CZWxTaWduIE9iamVjdCBQdWJsaXNoaW5nIENlcnRpZmljYXRlIEF1dGhvcml0
-eTElMCMGA1UEAxMcQmVsU2lnbiBPYmplY3QgUHVibGlzaGluZyBDQTEjMCEGCSqG
-SIb3DQEJARYUd2VibWFzdGVyQGJlbHNpZ24uYmUwHhcNOTcwOTE5MjIwMzAwWhcN
-MDcwOTE5MjIwMzAwWjCBuzELMAkGA1UEBhMCQkUxETAPBgNVBAcTCEJydXNzZWxz
-MRMwEQYDVQQKEwpCZWxTaWduIE5WMTgwNgYDVQQLEy9CZWxTaWduIE9iamVjdCBQ
-dWJsaXNoaW5nIENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGA1UEAxMcQmVsU2ln
-biBPYmplY3QgUHVibGlzaGluZyBDQTEjMCEGCSqGSIb3DQEJARYUd2VibWFzdGVy
-QGJlbHNpZ24uYmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMQuH7a/7oJA
-3fm3LkHVngWxWtAmfGJVA5v8y2HeS+/+6Jn+h7mIz5DaDwk8dt8Xl7bLPyVF/bS8
-WAC+sFq2FIeP7mdkrR2Ig7tnn2VhAFgIgFCfgMkx9iqQHC33SmwQ9iNDXTgJYIhX
-As0WbBj8zfuSKnfQnpOjXYhk0Mj4XVRRAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
-AwIABzANBgkqhkiG9w0BAQQFAAOBgQBjdhd8lvBTpV0BHFPOKcJ+daxMDaIIc7Rq
-Mf0CBhSZ3FQEpL/IloafMUMyJVf2hfYluze+oXkjyVcGJXFrRU/49AJAFoIir1Tq
-Mij2De6ZuksIUQ9uhiMhTC0liIHELg7xEyw4ipUCJMM6lWPkk45IuwhHcl+u5jpa
-R9Zxxp6aUg==
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 1 (0x1)
- Signature Algorithm: md5WithRSAEncryption
- Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Object Publishing Certificate Authority, CN=BelSign Object Publishing CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
- Validity
- Not Before: Sep 19 22:03:00 1997 GMT
- Not After : Sep 19 22:03:00 2007 GMT
- Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Object Publishing Certificate Authority, CN=BelSign Object Publishing CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:c4:2e:1f:b6:bf:ee:82:40:dd:f9:b7:2e:41:d5:
- 9e:05:b1:5a:d0:26:7c:62:55:03:9b:fc:cb:61:de:
- 4b:ef:fe:e8:99:fe:87:b9:88:cf:90:da:0f:09:3c:
- 76:df:17:97:b6:cb:3f:25:45:fd:b4:bc:58:00:be:
- b0:5a:b6:14:87:8f:ee:67:64:ad:1d:88:83:bb:67:
- 9f:65:61:00:58:08:80:50:9f:80:c9:31:f6:2a:90:
- 1c:2d:f7:4a:6c:10:f6:23:43:5d:38:09:60:88:57:
- 02:cd:16:6c:18:fc:cd:fb:92:2a:77:d0:9e:93:a3:
- 5d:88:64:d0:c8:f8:5d:54:51
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- Netscape Cert Type:
- SSL CA, S/MIME CA, Object Signing CA
- Signature Algorithm: md5WithRSAEncryption
- 63:76:17:7c:96:f0:53:a5:5d:01:1c:53:ce:29:c2:7e:75:ac:
- 4c:0d:a2:08:73:b4:6a:31:fd:02:06:14:99:dc:54:04:a4:bf:
- c8:96:86:9f:31:43:32:25:57:f6:85:f6:25:bb:37:be:a1:79:
- 23:c9:57:06:25:71:6b:45:4f:f8:f4:02:40:16:82:22:af:54:
- ea:32:28:f6:0d:ee:99:ba:4b:08:51:0f:6e:86:23:21:4c:2d:
- 25:88:81:c4:2e:0e:f1:13:2c:38:8a:95:02:24:c3:3a:95:63:
- e4:93:8e:48:bb:08:47:72:5f:ae:e6:3a:5a:47:d6:71:c6:9e:
- 9a:52
-
-BelSign Secure Server CA
-========================
-MD5 Fingerprint: 3D:5E:82:C6:D9:AD:D9:8B:93:6B:0C:10:B9:49:0A:B1
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIC8zCCAlygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBszELMAkGA1UEBhMCQkUx
-ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMTQwMgYDVQQL
-EytCZWxTaWduIFNlY3VyZSBTZXJ2ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSEw
-HwYDVQQDExhCZWxTaWduIFNlY3VyZSBTZXJ2ZXIgQ0ExIzAhBgkqhkiG9w0BCQEW
-FHdlYm1hc3RlckBiZWxzaWduLmJlMB4XDTk3MDcxNjIyMDA1NFoXDTA3MDcxNjIy
-MDA1NFowgbMxCzAJBgNVBAYTAkJFMREwDwYDVQQHEwhCcnVzc2VsczETMBEGA1UE
-ChMKQmVsU2lnbiBOVjE0MDIGA1UECxMrQmVsU2lnbiBTZWN1cmUgU2VydmVyIENl
-cnRpZmljYXRlIEF1dGhvcml0eTEhMB8GA1UEAxMYQmVsU2lnbiBTZWN1cmUgU2Vy
-dmVyIENBMSMwIQYJKoZIhvcNAQkBFhR3ZWJtYXN0ZXJAYmVsc2lnbi5iZTCBnzAN
-BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1gESeJL4BEJ/yccig/x8R3AwK0kLPjZA
-kCjaIXODU/LE0RZAwFP/rqbGJLMnbaWzPTl3XagG9ubpvGMRTgZlcAqdk/miQIt/
-SoQOjRax1swIZBIM4ChLyKWEkBf7EUYu1qeFGMsYrmOasFgG9ADP+MQJGjUMofnu
-Sv1t3v4mpTsCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgCgMA0GCSqGSIb3DQEB
-BAUAA4GBAGw9mcMF4h3K5S2qaIWLQDEgZhNo5lg6idCNdbLFYth9go/32TKBd/Y1
-W4UpzmeyubwrGXjP84f9RvGVdbIJVwMwwXrNckdxgMp9ncllPEcRIn36BwsoeKGT
-6AVFSOIyMko96FMcELfHc4wHUOH5yStTQfWDjeUJOUqOA2KqQGOL
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 1 (0x1)
- Signature Algorithm: md5WithRSAEncryption
- Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Secure Server Certificate Authority, CN=BelSign Secure Server CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
- Validity
- Not Before: Jul 16 22:00:54 1997 GMT
- Not After : Jul 16 22:00:54 2007 GMT
- Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Secure Server Certificate Authority, CN=BelSign Secure Server CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:d6:01:12:78:92:f8:04:42:7f:c9:c7:22:83:fc:
- 7c:47:70:30:2b:49:0b:3e:36:40:90:28:da:21:73:
- 83:53:f2:c4:d1:16:40:c0:53:ff:ae:a6:c6:24:b3:
- 27:6d:a5:b3:3d:39:77:5d:a8:06:f6:e6:e9:bc:63:
- 11:4e:06:65:70:0a:9d:93:f9:a2:40:8b:7f:4a:84:
- 0e:8d:16:b1:d6:cc:08:64:12:0c:e0:28:4b:c8:a5:
- 84:90:17:fb:11:46:2e:d6:a7:85:18:cb:18:ae:63:
- 9a:b0:58:06:f4:00:cf:f8:c4:09:1a:35:0c:a1:f9:
- ee:4a:fd:6d:de:fe:26:a5:3b
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- Netscape Cert Type:
- SSL Client, S/MIME
- Signature Algorithm: md5WithRSAEncryption
- 6c:3d:99:c3:05:e2:1d:ca:e5:2d:aa:68:85:8b:40:31:20:66:
- 13:68:e6:58:3a:89:d0:8d:75:b2:c5:62:d8:7d:82:8f:f7:d9:
- 32:81:77:f6:35:5b:85:29:ce:67:b2:b9:bc:2b:19:78:cf:f3:
- 87:fd:46:f1:95:75:b2:09:57:03:30:c1:7a:cd:72:47:71:80:
- ca:7d:9d:c9:65:3c:47:11:22:7d:fa:07:0b:28:78:a1:93:e8:
- 05:45:48:e2:32:32:4a:3d:e8:53:1c:10:b7:c7:73:8c:07:50:
- e1:f9:c9:2b:53:41:f5:83:8d:e5:09:39:4a:8e:03:62:aa:40:
- 63:8b
-
-Deutsche Telekom AG Root CA
-===========================
-MD5 Fingerprint: 77:DE:04:94:77:D0:0C:5F:A7:B1:F4:30:18:87:FB:55
-PEM Data:
------BEGIN CERTIFICATE-----
-MIICjjCCAfegAwIBAgIBBjANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJERTEc
-MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEdMBsGA1UECxMUVGVsZVNlYyBU
-cnVzdCBDZW50ZXIxITAfBgNVBAMTGERldXRzY2hlIFRlbGVrb20gUm9vdCBDQTAe
-Fw05ODEyMDkwOTExMDBaFw0wNDEyMDkyMzU5MDBaMG0xCzAJBgNVBAYTAkRFMRww
-GgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR0wGwYDVQQLExRUZWxlU2VjIFRy
-dXN0IENlbnRlcjEhMB8GA1UEAxMYRGV1dHNjaGUgVGVsZWtvbSBSb290IENBMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdBSz5BbO5EtdpcffqVjAIVxRDe7sa
-nG0vV2HX4vVEa+42QZb2ZM7hwbK5pBQEmFDocPiONZp9ScFhHVmu2gYYlX2tzuyp
-vtEYD0CRdiqj5f3+iRX0V/fgVdp1rQD0LME1zLRDJlViRC4BJZyKW/DB0AA1eP41
-3pRAZHiDocw5iQIDAQABoz4wPDAPBgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQE
-AwIBBjAZBgNVHQ4EEgQQLIdZH4sTgLL5hp0+En5YljANBgkqhkiG9w0BAQQFAAOB
-gQAP/nO1B4hvoAuJ6spQH5TelCsLJ15P9RyVJtqMllStGZE3Q12ryYuzzW+YOT3t
-3TXjcbftE5OD6IblKTMTE7w1e/0oL3BZ1dO0jSgTWTvI1XT5RcIHYKq4GFT5pWj/
-1wXVj7YFMS5BSvQQH2BHGguLGU2SVyDS71AZ6M3QcLy8Ng==
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 6 (0x6)
- Signature Algorithm: md5WithRSAEncryption
- Issuer: C=DE, O=Deutsche Telekom AG, OU=TeleSec Trust Center, CN=Deutsche Telekom Root CA
- Validity
- Not Before: Dec 9 09:11:00 1998 GMT
- Not After : Dec 9 23:59:00 2004 GMT
- Subject: C=DE, O=Deutsche Telekom AG, OU=TeleSec Trust Center, CN=Deutsche Telekom Root CA
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:dd:05:2c:f9:05:b3:b9:12:d7:69:71:f7:ea:56:
- 30:08:57:14:43:7b:bb:1a:9c:6d:2f:57:61:d7:e2:
- f5:44:6b:ee:36:41:96:f6:64:ce:e1:c1:b2:b9:a4:
- 14:04:98:50:e8:70:f8:8e:35:9a:7d:49:c1:61:1d:
- 59:ae:da:06:18:95:7d:ad:ce:ec:a9:be:d1:18:0f:
- 40:91:76:2a:a3:e5:fd:fe:89:15:f4:57:f7:e0:55:
- da:75:ad:00:f4:2c:c1:35:cc:b4:43:26:55:62:44:
- 2e:01:25:9c:8a:5b:f0:c1:d0:00:35:78:fe:35:de:
- 94:40:64:78:83:a1:cc:39:89
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:TRUE, pathlen:5
- X509v3 Key Usage: critical
- Certificate Sign, CRL Sign
- X509v3 Subject Key Identifier:
- 2C:87:59:1F:8B:13:80:B2:F9:86:9D:3E:12:7E:58:96
- Signature Algorithm: md5WithRSAEncryption
- 0f:fe:73:b5:07:88:6f:a0:0b:89:ea:ca:50:1f:94:de:94:2b:
- 0b:27:5e:4f:f5:1c:95:26:da:8c:96:54:ad:19:91:37:43:5d:
- ab:c9:8b:b3:cd:6f:98:39:3d:ed:dd:35:e3:71:b7:ed:13:93:
- 83:e8:86:e5:29:33:13:13:bc:35:7b:fd:28:2f:70:59:d5:d3:
- b4:8d:28:13:59:3b:c8:d5:74:f9:45:c2:07:60:aa:b8:18:54:
- f9:a5:68:ff:d7:05:d5:8f:b6:05:31:2e:41:4a:f4:10:1f:60:
- 47:1a:0b:8b:19:4d:92:57:20:d2:ef:50:19:e8:cd:d0:70:bc:
- bc:36
-
-Digital Signature Trust Co. Global CA 1
-=======================================
-MD5 Fingerprint: 25:7A:BA:83:2E:B6:A2:0B:DA:FE:F5:02:0F:08:D7:AD
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDKTCCApKgAwIBAgIENnAVljANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
-EwhEU1RDQSBFMTAeFw05ODEyMTAxODEwMjNaFw0xODEyMTAxODQwMjNaMEYxCzAJ
-BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
-ETAPBgNVBAsTCERTVENBIEUxMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCg
-bIGpzzQeJN3+hijM3oMv+V7UQtLodGBmE5gGHKlREmlvMVW5SXIACH7TpWJENySZ
-j9mDSI+ZbZUTu0M7LklOiDfBu1h//uG9+LthzfNHwJmm8fOR6Hh8AMthyUQncWlV
-Sn5JTe2io74CTADKAqjuAQIxZA9SLRN0dja1erQtcQIBA6OCASQwggEgMBEGCWCG
-SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
-RFNUQ0EgRTExDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMTAxODEw
-MjNagQ8yMDE4MTIxMDE4MTAyM1owCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFGp5
-fpFpRhgTCgJ3pVlbYJglDqL4MB0GA1UdDgQWBBRqeX6RaUYYEwoCd6VZW2CYJQ6i
-+DAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
-SIb3DQEBBQUAA4GBACIS2Hod3IEGtgllsofIH160L+nEHvI8wbsEkBFKg05+k7lN
-QseSJqBcNJo4cvj9axY+IO6CizEqkzaFI4iKPANo08kJD038bKTaKHKTDomAsH3+
-gG9lbRgzl4vCa4nuYD3Im+9/KzJic5PLPON74nZ4RbyhkwS7hp86W0N6w4pl
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 913315222 (0x36701596)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
- Validity
- Not Before: Dec 10 18:10:23 1998 GMT
- Not After : Dec 10 18:40:23 2018 GMT
- Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:a0:6c:81:a9:cf:34:1e:24:dd:fe:86:28:cc:de:
- 83:2f:f9:5e:d4:42:d2:e8:74:60:66:13:98:06:1c:
- a9:51:12:69:6f:31:55:b9:49:72:00:08:7e:d3:a5:
- 62:44:37:24:99:8f:d9:83:48:8f:99:6d:95:13:bb:
- 43:3b:2e:49:4e:88:37:c1:bb:58:7f:fe:e1:bd:f8:
- bb:61:cd:f3:47:c0:99:a6:f1:f3:91:e8:78:7c:00:
- cb:61:c9:44:27:71:69:55:4a:7e:49:4d:ed:a2:a3:
- be:02:4c:00:ca:02:a8:ee:01:02:31:64:0f:52:2d:
- 13:74:76:36:b5:7a:b4:2d:71
- Exponent: 3 (0x3)
- X509v3 extensions:
- Netscape Cert Type:
- SSL CA, S/MIME CA, Object Signing CA
- X509v3 CRL Distribution Points:
- DirName:/C=US/O=Digital Signature Trust Co./OU=DSTCA E1/CN=CRL1
-
- X509v3 Private Key Usage Period:
- Not Before: Dec 10 18:10:23 1998 GMT, Not After: Dec 10 18:10:23 2018 GMT
- X509v3 Key Usage:
- Certificate Sign, CRL Sign
- X509v3 Authority Key Identifier:
- keyid:6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8
-
- X509v3 Subject Key Identifier:
- 6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8
- X509v3 Basic Constraints:
- CA:TRUE
- 1.2.840.113533.7.65.0:
- 0
-..V4.0....
- Signature Algorithm: sha1WithRSAEncryption
- 22:12:d8:7a:1d:dc:81:06:b6:09:65:b2:87:c8:1f:5e:b4:2f:
- e9:c4:1e:f2:3c:c1:bb:04:90:11:4a:83:4e:7e:93:b9:4d:42:
- c7:92:26:a0:5c:34:9a:38:72:f8:fd:6b:16:3e:20:ee:82:8b:
- 31:2a:93:36:85:23:88:8a:3c:03:68:d3:c9:09:0f:4d:fc:6c:
- a4:da:28:72:93:0e:89:80:b0:7d:fe:80:6f:65:6d:18:33:97:
- 8b:c2:6b:89:ee:60:3d:c8:9b:ef:7f:2b:32:62:73:93:cb:3c:
- e3:7b:e2:76:78:45:bc:a1:93:04:bb:86:9f:3a:5b:43:7a:c3:
- 8a:65
-
-Digital Signature Trust Co. Global CA 2
-=======================================
-MD5 Fingerprint: 6C:C9:A7:6E:47:F1:0C:E3:53:3B:78:4C:4D:C2:6A:C5
-PEM Data:
------BEGIN CERTIFICATE-----
-MIID2DCCAsACEQDQHkCLAAACfAAAAAIAAAABMA0GCSqGSIb3DQEBBQUAMIGpMQsw
-CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp
-dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UE
-CxMIRFNUQ0EgWDExFjAUBgNVBAMTDURTVCBSb290Q0EgWDExITAfBgkqhkiG9w0B
-CQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05ODEyMDExODE4NTVaFw0wODExMjgx
-ODE4NTVaMIGpMQswCQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMO
-U2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0
-IENvLjERMA8GA1UECxMIRFNUQ0EgWDExFjAUBgNVBAMTDURTVCBSb290Q0EgWDEx
-ITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANLGJrbnpT3BxGjVUG9TxW9JEwm4ryxIjRRqoxdf
-WvnTLnUv2Chi0ZMv/E3Uq4flCMeZ55I/db3rJbQVwZsZPdJEjdd0IG03Ao9pk1uK
-xBmd9LIO/BZsubEFkoPRhSxglD5FVaDZqwgh5mDoO3TymVBRaNADLbGAvqPYUrBE
-zUNKcI5YhZXhTizWLUFv1oTnyJhEykfbLCSlaSbPa7gnYsP0yXqSI+0TZ4KuRS5F
-5X5yP4WdlGIQ5jyRoa13AOAV7POEgHJ6jm5gl8ckWRA0g1vhpaRptlc1HHhZxtMv
-OnNn7pTKBBMFYgZwI7P0fO5F2WQLW0mqpEPOJsREEmy43XkCAwEAATANBgkqhkiG
-9w0BAQUFAAOCAQEAojeyP2n714Z5VEkxlTMr89EJFEliYIalsBHiUMIdBlc+Legz
-ZL6bqq1fG03UmZWii5rJYnK1aerZWKs17RWiQ9a2vAd5ZWRzfdd5ynvVWlHG4VME
-lo04z6MXrDlxawHDi1M8Y+nuecDkvpIyZHqzH5eUYr3qsiAVlfuX8ngvYzZAOONG
-Dx3drJXK50uQe7FLqdTF65raqtWjlBRGjS0f8zrWkzr2Pnn86Oawde3uPclwx12q
-gUtGJRzHbBXjlU4PqjI3lAoXJJIThFjSY28r9+ZbYgsTF7ANUkz+/m9c4pFuHf2k
-Ytdo+o56T9II2pPc8JIRetDccpMMc5NihWjQ9A==
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 1 (0x0)
- Serial Number:
- d0:1e:40:8b:00:00:02:7c:00:00:00:02:00:00:00:01
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X1, CN=DST RootCA X1/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
- Validity
- Not Before: Dec 1 18:18:55 1998 GMT
- Not After : Nov 28 18:18:55 2008 GMT
- Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X1, CN=DST RootCA X1/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:d2:c6:26:b6:e7:a5:3d:c1:c4:68:d5:50:6f:53:
- c5:6f:49:13:09:b8:af:2c:48:8d:14:6a:a3:17:5f:
- 5a:f9:d3:2e:75:2f:d8:28:62:d1:93:2f:fc:4d:d4:
- ab:87:e5:08:c7:99:e7:92:3f:75:bd:eb:25:b4:15:
- c1:9b:19:3d:d2:44:8d:d7:74:20:6d:37:02:8f:69:
- 93:5b:8a:c4:19:9d:f4:b2:0e:fc:16:6c:b9:b1:05:
- 92:83:d1:85:2c:60:94:3e:45:55:a0:d9:ab:08:21:
- e6:60:e8:3b:74:f2:99:50:51:68:d0:03:2d:b1:80:
- be:a3:d8:52:b0:44:cd:43:4a:70:8e:58:85:95:e1:
- 4e:2c:d6:2d:41:6f:d6:84:e7:c8:98:44:ca:47:db:
- 2c:24:a5:69:26:cf:6b:b8:27:62:c3:f4:c9:7a:92:
- 23:ed:13:67:82:ae:45:2e:45:e5:7e:72:3f:85:9d:
- 94:62:10:e6:3c:91:a1:ad:77:00:e0:15:ec:f3:84:
- 80:72:7a:8e:6e:60:97:c7:24:59:10:34:83:5b:e1:
- a5:a4:69:b6:57:35:1c:78:59:c6:d3:2f:3a:73:67:
- ee:94:ca:04:13:05:62:06:70:23:b3:f4:7c:ee:45:
- d9:64:0b:5b:49:aa:a4:43:ce:26:c4:44:12:6c:b8:
- dd:79
- Exponent: 65537 (0x10001)
- Signature Algorithm: sha1WithRSAEncryption
- a2:37:b2:3f:69:fb:d7:86:79:54:49:31:95:33:2b:f3:d1:09:
- 14:49:62:60:86:a5:b0:11:e2:50:c2:1d:06:57:3e:2d:e8:33:
- 64:be:9b:aa:ad:5f:1b:4d:d4:99:95:a2:8b:9a:c9:62:72:b5:
- 69:ea:d9:58:ab:35:ed:15:a2:43:d6:b6:bc:07:79:65:64:73:
- 7d:d7:79:ca:7b:d5:5a:51:c6:e1:53:04:96:8d:38:cf:a3:17:
- ac:39:71:6b:01:c3:8b:53:3c:63:e9:ee:79:c0:e4:be:92:32:
- 64:7a:b3:1f:97:94:62:bd:ea:b2:20:15:95:fb:97:f2:78:2f:
- 63:36:40:38:e3:46:0f:1d:dd:ac:95:ca:e7:4b:90:7b:b1:4b:
- a9:d4:c5:eb:9a:da:aa:d5:a3:94:14:46:8d:2d:1f:f3:3a:d6:
- 93:3a:f6:3e:79:fc:e8:e6:b0:75:ed:ee:3d:c9:70:c7:5d:aa:
- 81:4b:46:25:1c:c7:6c:15:e3:95:4e:0f:aa:32:37:94:0a:17:
- 24:92:13:84:58:d2:63:6f:2b:f7:e6:5b:62:0b:13:17:b0:0d:
- 52:4c:fe:fe:6f:5c:e2:91:6e:1d:fd:a4:62:d7:68:fa:8e:7a:
- 4f:d2:08:da:93:dc:f0:92:11:7a:d0:dc:72:93:0c:73:93:62:
- 85:68:d0:f4
-
-Digital Signature Trust Co. Global CA 3
-=======================================
-MD5 Fingerprint: 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
-EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ
-BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
-ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/
-k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso
-LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o
-TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG
-SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
-RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3
-MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C
-TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5
-WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
-SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR
-xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL
-B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 913232846 (0x366ed3ce)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
- Validity
- Not Before: Dec 9 19:17:26 1998 GMT
- Not After : Dec 9 19:47:26 2018 GMT
- Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:bf:93:8f:17:92:ef:33:13:18:eb:10:7f:4e:16:
- bf:ff:06:8f:2a:85:bc:5e:f9:24:a6:24:88:b6:03:
- b7:c1:c3:5f:03:5b:d1:6f:ae:7e:42:ea:66:23:b8:
- 63:83:56:fb:28:2d:e1:38:8b:b4:ee:a8:01:e1:ce:
- 1c:b6:88:2a:22:46:85:fb:9f:a7:70:a9:47:14:3f:
- ce:de:65:f0:a8:71:f7:4f:26:6c:8c:bc:c6:b5:ef:
- de:49:27:ff:48:2a:7d:e8:4d:03:cc:c7:b2:52:c6:
- 17:31:13:3b:b5:4d:db:c8:c4:f6:c3:0f:24:2a:da:
- 0c:9d:e7:91:5b:80:cd:94:9d
- Exponent: 3 (0x3)
- X509v3 extensions:
- Netscape Cert Type:
- SSL CA, S/MIME CA, Object Signing CA
- X509v3 CRL Distribution Points:
- DirName:/C=US/O=Digital Signature Trust Co./OU=DSTCA E2/CN=CRL1
-
- X509v3 Private Key Usage Period:
- Not Before