Dump remaining old code
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 11 Apr 2007 12:52:14 +0000 (12:52 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 11 Apr 2007 12:52:14 +0000 (12:52 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2171 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

220 files changed:
ant.sh [moved from ant with 100% similarity]
resolvertest [deleted file]
resolvertest.bat [deleted file]
src/edu/internet2/middleware/shibboleth/idp/GeneralProtocolSupport.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/IdPConfig.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/IdPProtocolHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/IdPProtocolSupport.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/InvalidClientDataException.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/ProtocolHandlerFactory.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/RequestHandlingException.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/RequestSpecificProtocolSupport.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/ADFS_SSOHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/BaseHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/BaseServiceHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_1ArtifactQueryHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_Base_QueryHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/SSOHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/idp/provider/Shibboleth_StatusHandler.java [deleted file]
src/edu/internet2/middleware/shibboleth/utils/Base32.java [deleted file]
src/edu/internet2/middleware/shibboleth/utils/ClientCertTrustFilter.java [deleted file]
src/edu/internet2/middleware/shibboleth/utils/HandleRepositorySecretGenerator.java [deleted file]
src/edu/internet2/middleware/shibboleth/utils/KerberosPrincipalFilter.java [deleted file]
src/edu/internet2/middleware/shibboleth/utils/ResolverTest.java [deleted file]
src/edu/internet2/middleware/shibboleth/utils/SAML1_0to1_1ConversionFilter.java [deleted file]
tests/conf/ca-bundle.crt [deleted file]
tests/conf/keystore.jks [deleted file]
tests/conf/log4j.properties [deleted file]
tests/conf/test.dsa.derkey [deleted file]
tests/conf/test.dsa.enc.pemkey [deleted file]
tests/conf/test.dsa.pemcrt [deleted file]
tests/conf/test.dsa.pemkey [deleted file]
tests/conf/test.dsa.pkcs8.pemkey [deleted file]
tests/conf/test.endonly.pemcrt [deleted file]
tests/conf/test.incompletechain.pemcrt [deleted file]
tests/conf/test.pemcrt [deleted file]
tests/conf/test.pkcs1.derkey [deleted file]
tests/conf/test.pkcs1.enc.des.pemkey [deleted file]
tests/conf/test.pkcs1.enc.pemkey [deleted file]
tests/conf/test.pkcs1.pemkey [deleted file]
tests/conf/test.pkcs8.derkey [deleted file]
tests/conf/test.pkcs8.enc.derkey [deleted file]
tests/conf/test.pkcs8.enc.pemkey [deleted file]
tests/conf/test.pkcs8.pemkey [deleted file]
tests/conf/test.single.2.pemcrt [deleted file]
tests/conf/test.single.3.pemcrt [deleted file]
tests/conf/test.single.pemcrt [deleted file]
tests/data/AttributePushAssertion.xml [deleted file]
tests/data/arp.site.xml [deleted file]
tests/data/arp.user.test.xml [deleted file]
tests/data/arp1.xml [deleted file]
tests/data/arp2.xml [deleted file]
tests/data/arp6.xml [deleted file]
tests/data/arp7.xml [deleted file]
tests/data/attr-composite.datafile.1 [deleted file]
tests/data/attr-composite.output.1 [deleted file]
tests/data/attr-composite.resolver.1.xml [deleted file]
tests/data/attr-format.datafile.1 [deleted file]
tests/data/attr-format.datafile.2 [deleted file]
tests/data/attr-format.output.1 [deleted file]
tests/data/attr-format.output.2 [deleted file]
tests/data/attr-format.resolver.1.xml [deleted file]
tests/data/attr-format.resolver.2.xml [deleted file]
tests/data/attr-mapped.datafile.1 [deleted file]
tests/data/attr-mapped.datafile.2 [deleted file]
tests/data/attr-mapped.output.1 [deleted file]
tests/data/attr-mapped.output.2 [deleted file]
tests/data/attr-mapped.resolver.1.xml [deleted file]
tests/data/attr-mapped.resolver.2.xml [deleted file]
tests/data/attr-regex.datafile.1 [deleted file]
tests/data/attr-regex.output.1 [deleted file]
tests/data/attr-regex.resolver.1.xml [deleted file]
tests/data/attribute1.xml [deleted file]
tests/data/cnextract.jks [deleted file]
tests/data/credentials1.xml [deleted file]
tests/data/credentials10.xml [deleted file]
tests/data/credentials11.xml [deleted file]
tests/data/credentials12.xml [deleted file]
tests/data/credentials13.xml [deleted file]
tests/data/credentials14.xml [deleted file]
tests/data/credentials15.xml [deleted file]
tests/data/credentials16.xml [deleted file]
tests/data/credentials17.xml [deleted file]
tests/data/credentials18.xml [deleted file]
tests/data/credentials2.xml [deleted file]
tests/data/credentials3.xml [deleted file]
tests/data/credentials4.xml [deleted file]
tests/data/credentials5.xml [deleted file]
tests/data/credentials6.xml [deleted file]
tests/data/credentials7.xml [deleted file]
tests/data/credentials8.xml [deleted file]
tests/data/credentials9.xml [deleted file]
tests/data/example1.xml [deleted file]
tests/data/example10.xml [deleted file]
tests/data/example11.xml [deleted file]
tests/data/example12.xml [deleted file]
tests/data/example13.xml [deleted file]
tests/data/example2.xml [deleted file]
tests/data/example3.xml [deleted file]
tests/data/example4.xml [deleted file]
tests/data/example5.xml [deleted file]
tests/data/example6.xml [deleted file]
tests/data/example7.xml [deleted file]
tests/data/example8.xml [deleted file]
tests/data/example9.xml [deleted file]
tests/data/handle.jks [deleted file]
tests/data/idp/blackbox/aa/request01.txt [deleted file]
tests/data/idp/blackbox/aa/request02.txt [deleted file]
tests/data/idp/blackbox/aa/request03.txt [deleted file]
tests/data/idp/blackbox/aa/request04.txt [deleted file]
tests/data/idp/blackbox/aa/request05.txt [deleted file]
tests/data/idp/blackbox/aa/request06.txt [deleted file]
tests/data/idp/blackbox/aa/request07.txt [deleted file]
tests/data/idp/blackbox/aa/response01.txt [deleted file]
tests/data/idp/blackbox/aa/response02.txt [deleted file]
tests/data/idp/blackbox/aa/response03.txt [deleted file]
tests/data/idp/blackbox/aa/response04.txt [deleted file]
tests/data/idp/blackbox/aa/response06.txt [deleted file]
tests/data/idp/blackbox/aa/response08.txt [deleted file]
tests/data/idp/blackbox/aa/response09.txt [deleted file]
tests/data/idp/blackbox/conf/SPRelyingParty/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/SPRelyingParty/idp.xml [deleted file]
tests/data/idp/blackbox/conf/SPRelyingParty/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/SPRelyingParty/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/SPRelyingParty/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/SPRelyingParty/server.crt [deleted file]
tests/data/idp/blackbox/conf/SPRelyingParty/server.key [deleted file]
tests/data/idp/blackbox/conf/constraints/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/constraints/idp.xml [deleted file]
tests/data/idp/blackbox/conf/constraints/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/constraints/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/constraints/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/constraints/server.crt [deleted file]
tests/data/idp/blackbox/conf/constraints/server.key [deleted file]
tests/data/idp/blackbox/conf/groupRelyingParty/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/groupRelyingParty/idp.xml [deleted file]
tests/data/idp/blackbox/conf/groupRelyingParty/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/groupRelyingParty/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/groupRelyingParty/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/groupRelyingParty/server.crt [deleted file]
tests/data/idp/blackbox/conf/groupRelyingParty/server.key [deleted file]
tests/data/idp/blackbox/conf/multipleNameMappers/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/multipleNameMappers/idp.xml [deleted file]
tests/data/idp/blackbox/conf/multipleNameMappers/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/multipleNameMappers/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/multipleNameMappers/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/multipleNameMappers/server.crt [deleted file]
tests/data/idp/blackbox/conf/multipleNameMappers/server.key [deleted file]
tests/data/idp/blackbox/conf/passThruErrors/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/passThruErrors/idp.xml [deleted file]
tests/data/idp/blackbox/conf/passThruErrors/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/passThruErrors/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/passThruErrors/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/passThruErrors/server.crt [deleted file]
tests/data/idp/blackbox/conf/passThruErrors/server.key [deleted file]
tests/data/idp/blackbox/conf/signAssertions/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/signAssertions/idp.xml [deleted file]
tests/data/idp/blackbox/conf/signAssertions/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/signAssertions/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/signAssertions/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/signAssertions/server.crt [deleted file]
tests/data/idp/blackbox/conf/signAssertions/server.key [deleted file]
tests/data/idp/blackbox/conf/ssoPost/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/ssoPost/idp.xml [deleted file]
tests/data/idp/blackbox/conf/ssoPost/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/ssoPost/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/ssoPost/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/ssoPost/server.crt [deleted file]
tests/data/idp/blackbox/conf/ssoPost/server.key [deleted file]
tests/data/idp/blackbox/conf/standard/arps/arp.site.xml [deleted file]
tests/data/idp/blackbox/conf/standard/idp.xml [deleted file]
tests/data/idp/blackbox/conf/standard/metadata.xml [deleted file]
tests/data/idp/blackbox/conf/standard/resolver.xml [deleted file]
tests/data/idp/blackbox/conf/standard/schemas.properties [deleted file]
tests/data/idp/blackbox/conf/standard/server.crt [deleted file]
tests/data/idp/blackbox/conf/standard/server.key [deleted file]
tests/data/idp/blackbox/sp-bad.crt [deleted file]
tests/data/idp/blackbox/sp.crt [deleted file]
tests/data/idp/blackbox/sso/response [deleted file]
tests/data/idp/blackbox/sso/response.txt [deleted file]
tests/data/idp/blackbox/sso/response01.txt [deleted file]
tests/data/idp/blackbox/sso/response02.txt [deleted file]
tests/data/idp/blackbox/sso/response03.txt [deleted file]
tests/data/metadata1.xml [deleted file]
tests/data/metadata10.xml [deleted file]
tests/data/metadata11.xml [deleted file]
tests/data/metadata12.xml [deleted file]
tests/data/metadata13.xml [deleted file]
tests/data/metadata2.xml [deleted file]
tests/data/metadata3.xml [deleted file]
tests/data/metadata4.xml [deleted file]
tests/data/metadata5.xml [deleted file]
tests/data/metadata6.xml [deleted file]
tests/data/metadata7.xml [deleted file]
tests/data/metadata8.xml [deleted file]
tests/data/metadata9.xml [deleted file]
tests/data/relyingParty-metadata.xml [deleted file]
tests/data/relyingPartyMapper1.xml [deleted file]
tests/data/relyingPartyMapper2.xml [deleted file]
tests/data/relyingPartyMapper3.xml [deleted file]
tests/data/resolver1.xml [deleted file]
tests/data/resolver10.xml [deleted file]
tests/data/resolver11.xml [deleted file]
tests/data/resolver12.xml [deleted file]
tests/data/resolver2.xml [deleted file]
tests/data/resolver3.xml [deleted file]
tests/data/resolver4.xml [deleted file]
tests/data/resolver5.xml [deleted file]
tests/data/resolver6.xml [deleted file]
tests/data/resolver7.xml [deleted file]
tests/data/resolver8.xml [deleted file]
tests/data/resolver9.xml [deleted file]
tests/data/secure.war [deleted file]
tests/data/sites1.xml [deleted file]
tests/data/trusttest.jks [deleted file]
tests/edu/internet2/middleware/shibboleth/idp/AATest.java [deleted file]
tests/edu/internet2/middleware/shibboleth/idp/IdpTestCase.java [deleted file]
tests/edu/internet2/middleware/shibboleth/idp/SSOTest.java [deleted file]
tests/edu/internet2/middleware/shibboleth/idp/provider/DNHostNameExtractionTests.java [deleted file]

diff --git a/ant b/ant.sh
similarity index 100%
rename from ant
rename to ant.sh
diff --git a/resolvertest b/resolvertest
deleted file mode 100755 (executable)
index 6fee538..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/sh
-
-##We need a JVM
-if [ ! -n "$JAVA_HOME" ] ; then
-  echo "Error: JAVA_HOME is not defined."
-  exit
-fi
-
-if [ ! -n "$JAVACMD" ] ; then
-  JAVACMD=$JAVA_HOME/bin/java
-fi
-
-if [ ! -x "$JAVACMD" ] ; then
-  echo "Error: JAVA_HOME is not defined correctly."
-  echo "Cannot execute $JAVACMD"
-  exit
-fi
-
-
-##Find the shibboleth components
-if [ ! -n "$IDP_HOME" ] ; then
-  echo "Error: IDP_HOME is not defined."
-  exit
-fi
-
-if [ ! \( -f "$IDP_HOME/lib/shib-util.jar" -a -r "$IDP_HOME/lib/shib-util.jar" \) ] ; then
-  echo "Error: Cannot find the shibboleth jar (shib-util.jar)."
-  echo "       If you downloaded the shibboleth source, you need to run \"ant build-util\""
-  exit
-fi
-
-ENDORSED=$IDP_HOME/endorsed/
-
-##Grab all the dependencies
-if [ -n "$CLASSPATH" ] ; then
-  SHIB_UTIL_CLASSPATH=$CLASSPATH
-fi
-
-DIRLIBS=${IDP_HOME}/lib/*.jar
-for i in ${DIRLIBS}
-do
-    # if the directory is empty, then it will return the input string
-    # this is stupid, so case for it
-    if [ "$i" != "${DIRLIBS}" ] ; then
-      if [ -z "$SHIB_UTIL_CLASSPATH" ] ; then
-        SHIB_UTIL_CLASSPATH=$i
-      else
-        SHIB_UTIL_CLASSPATH="$i":$SHIB_UTIL_CLASSPATH
-      fi
-    fi
-done
-
-SHIB_UTIL_CLASSPATH=$SHIB_UTIL_CLASSPATH:"$IDP_HOME"
-
-##Here we go
-$JAVACMD -Djava.endorsed.dirs="$ENDORSED" -cp $SHIB_UTIL_CLASSPATH  edu.internet2.middleware.shibboleth.utils.ResolverTest "$@"
diff --git a/resolvertest.bat b/resolvertest.bat
deleted file mode 100644 (file)
index 830ed49..0000000
+++ /dev/null
@@ -1,45 +0,0 @@
-@echo off
-setlocal
-
-REM We need a JVM
-if not defined JAVA_HOME  (
-  echo Error: JAVA_HOME is not defined.
-  exit /b
-)
-
-if not defined JAVACMD (
-  set JAVACMD="%JAVA_HOME%\bin\java.exe"
-)
-
-if not exist %JAVACMD% (
-  echo Error: JAVA_HOME is not defined correctly.
-  echo Cannot execute %JAVACMD%
-  exit /b
-)
-
-REM The root of the Shibboleth package tree, relative to the run directory
-if not defined IDP_HOME (
-  echo Error: IDP_HOME is not defined.
-  exit /b
-)
-
-set ENDORSED=%IDP_HOME%\endorsed
-
-if not exist %IDP_HOME%\lib\shib-util.jar (
-  echo Error: Cannot find shib-util.jar
-  echo                 If you downloaded the shibboleth source, you need to run "ant build-util"
-  exit /b
-)
-
-REM Grab all the dependencies
-if defined CLASSPATH (
-  set LOCALCLASSPATH=%CLASSPATH%
-)
-
-REM add in the dependency .jar files
-for %%i in (%IDP_HOME%\lib\*.jar) do (
-       call %IDP_HOME%\bin\cpappend.bat %%i
-)
-
-REM Here we go
-%JAVACMD% -Djava.endorsed.dirs="%ENDORSED%" -cp "%LOCALCLASSPATH%" edu.internet2.middleware.shibboleth.utils.ResolverTest %*
diff --git a/src/edu/internet2/middleware/shibboleth/idp/GeneralProtocolSupport.java b/src/edu/internet2/middleware/shibboleth/idp/GeneralProtocolSupport.java
deleted file mode 100644 (file)
index bf5b412..0000000
+++ /dev/null
@@ -1,336 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
- * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
- * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.xml.namespace.QName;
-
-import org.apache.log4j.Logger;
-import org.apache.xml.security.signature.XMLSignature;
-import org.opensaml.InvalidCryptoException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLResponse;
-import org.opensaml.saml2.metadata.EntitiesDescriptor;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.RoleDescriptor;
-import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.TrustEngine;
-import org.opensaml.security.X509EntityCredential;
-import org.opensaml.xml.XMLObject;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
-import edu.internet2.middleware.shibboleth.common.Credential;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.RelyingPartyMapper;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrustEngine;
-import edu.internet2.middleware.shibboleth.metadata.MetadataProviderFactory;
-
-/**
- * IdPProtocolSupport implementation that offers functionality that is not specific to a particular request.
- * 
- * @author Walter Hoehn
- */
-public class GeneralProtocolSupport implements IdPProtocolSupport, MetadataProvider {
-
-       private static Logger log = Logger.getLogger(GeneralProtocolSupport.class.getName());
-       private Logger transactionLog;
-       private IdPConfig config;
-       private RelyingPartyMapper rpMapper;
-       private ArpEngine arpEngine;
-       private AttributeResolver resolver;
-       private ArtifactMapper artifactMapper;
-       private Semaphore throttle;
-       private TrustEngine<X509Credential> trust = new ShibbolethTrustEngine();
-       private ChainingMetadataProvider wrappedMetadataProvider = new ChainingMetadataProvider();
-
-       GeneralProtocolSupport(IdPConfig config, Logger transactionLog, RelyingPartyMapper spMapper, ArpEngine arpEngine,
-                       AttributeResolver resolver, ArtifactMapper artifactMapper) throws ShibbolethConfigurationException {
-
-               this.transactionLog = transactionLog;
-               this.config = config;
-               this.rpMapper = spMapper;
-               spMapper.setMetadata(this);
-               this.arpEngine = arpEngine;
-               this.resolver = resolver;
-               this.artifactMapper = artifactMapper;
-
-               // Load a semaphore that throttles how many requests the IdP will handle at once
-               throttle = new Semaphore(config.getMaxThreads());
-       }
-
-       public Logger getTransactionLog() {
-
-               return transactionLog;
-       }
-
-       public IdPConfig getIdPConfig() {
-
-               return config;
-       }
-
-       public RelyingPartyMapper getRelyingPartyMapper() {
-
-               return rpMapper;
-       }
-
-       public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
-                       SAMLException {
-
-               if (relyingParty.getIdentityProvider().getSigningCredential() == null
-                               || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
-                               SAMLException.RESPONDER, "Invalid signing credential."); }
-
-               for (int i = 0; i < assertions.length; i++) {
-                       String assertionAlgorithm;
-                       if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
-                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                       } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
-                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-                       } else {
-                               throw new InvalidCryptoException(SAMLException.RESPONDER,
-                                               "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
-                       }
-
-                       try {
-                               throttle.enter();
-                               assertions[i].sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
-                                               .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
-                                               .getX509CertificateChain()));
-                       } finally {
-                               throttle.exit();
-                       }
-               }
-       }
-
-       public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException {
-
-               // Make sure we have an appropriate credential
-               if (relyingParty.getIdentityProvider().getSigningCredential() == null
-                               || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
-                               SAMLException.RESPONDER, "Invalid signing credential."); }
-
-               // Sign the response
-               String responseAlgorithm;
-               if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
-                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-               } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
-                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-               } else {
-                       throw new InvalidCryptoException(SAMLException.RESPONDER,
-                                       "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
-               }
-               try {
-                       throttle.enter();
-                       response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
-                                       Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
-               } finally {
-                       throttle.exit();
-               }
-       }
-
-       public void addMetadataProvider(Element element) {
-
-               log.debug("Found Metadata Provider configuration element.");
-               if (!element.getTagName().equals("MetadataProvider")) {
-                       log.error("Error while attemtping to load Metadata Provider.  Malformed provider specificaion.");
-                       return;
-               }
-
-               try {
-                       wrappedMetadataProvider.addMetadataProvider(MetadataProviderFactory.loadProvider(element));
-               } catch (MetadataProviderException e) {
-                       log.error("Unable to load Metadata Provider.  Skipping...");
-               }
-
-       }
-
-       public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
-                       String requester) throws AAException {
-
-               try {
-                       Collection<URI> potentialAttributes = arpEngine.listPossibleReleaseAttributes(principal, requester);
-                       return getReleaseAttributes(principal, relyingParty, requester, potentialAttributes);
-
-               } catch (ArpProcessingException e) {
-                       log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
-                                       + e.getMessage());
-                       throw new AAException("Error retrieving data for principal.");
-               }
-       }
-
-       public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
-                       String requester, Collection<URI> attributeNames) throws AAException {
-
-               try {
-                       Map<String, AAAttribute> attributes = new HashMap<String, AAAttribute>();
-                       for (URI name : attributeNames) {
-
-                               AAAttribute attribute = new AAAttribute(name.toString(), false);
-                               attributes.put(attribute.getName(), attribute);
-                       }
-
-                       Collection<URI> constraintAttributes = arpEngine.listRequiredConstraintAttributes(principal, requester,
-                                       attributeNames);
-                       for (URI name : constraintAttributes) {
-                               if (!attributes.containsKey(name.toString())) {
-                                       // don't care about schema hack since these attributes won't be returned to SP
-                                       AAAttribute attribute = new AAAttribute(name.toString(), false);
-                                       attributes.put(attribute.getName(), attribute);
-                               }
-                       }
-
-                       return resolveAttributes(principal, requester, relyingParty.getIdentityProvider().getProviderId(),
-                                       attributes);
-
-               } catch (SAMLException e) {
-                       log.error("An error occurred while creating attributes for principal (" + principal.getName() + ") :"
-                                       + e.getMessage());
-                       throw new AAException("Error retrieving data for principal.");
-
-               } catch (ArpProcessingException e) {
-                       log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
-                                       + e.getMessage());
-                       throw new AAException("Error retrieving data for principal.");
-               }
-       }
-
-       public Collection<? extends SAMLAttribute> resolveAttributes(Principal principal, String requester,
-                       String responder, Map<String, AAAttribute> attributeSet) throws ArpProcessingException {
-
-               resolver.resolveAttributes(principal, requester, responder, attributeSet);
-               arpEngine.filterAttributes(attributeSet.values(), principal, requester);
-               return attributeSet.values();
-       }
-
-       public Collection<? extends SAMLAttribute> resolveAttributesNoPolicies(Principal principal, String requester,
-                       String responder, Map<String, AAAttribute> attributeSet) {
-
-               resolver.resolveAttributes(principal, requester, responder, attributeSet);
-               return attributeSet.values();
-       }
-
-       /**
-        * Cleanup resources that won't be released when this object is garbage-collected
-        */
-       public void destroy() {
-
-               resolver.destroy();
-               arpEngine.destroy();
-       }
-
-       public ArtifactMapper getArtifactMapper() {
-
-               return artifactMapper;
-       }
-
-       public TrustEngine<X509Credential> getTrustEngine() {
-
-               return trust;
-       }
-
-       public boolean requireValidMetadata() {
-
-               return wrappedMetadataProvider.requireValidMetadata();
-       }
-
-       public void setRequireValidMetadata(boolean requireValidMetadata) {
-
-               wrappedMetadataProvider.setRequireValidMetadata(requireValidMetadata);
-       }
-
-       public MetadataFilter getMetadataFilter() {
-
-               return wrappedMetadataProvider.getMetadataFilter();
-       }
-
-       public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
-
-               wrappedMetadataProvider.setMetadataFilter(newFilter);
-       }
-
-       public XMLObject getMetadata() throws MetadataProviderException {
-
-               return wrappedMetadataProvider.getMetadata();
-       }
-
-       public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
-
-               return wrappedMetadataProvider.getEntitiesDescriptor(name);
-       }
-
-       public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
-
-               return wrappedMetadataProvider.getEntityDescriptor(entityID);
-       }
-
-       public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
-
-               return wrappedMetadataProvider.getRole(entityID, roleName);
-       }
-
-       public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
-                       throws MetadataProviderException {
-
-               return wrappedMetadataProvider.getRole(entityID, roleName, supportedProtocol);
-       }
-
-       public int providerCount() {
-
-               return wrappedMetadataProvider.getProviders().size();
-       }
-
-       private class Semaphore {
-
-               private int value;
-
-               public Semaphore(int value) {
-
-                       this.value = value;
-               }
-
-               public synchronized void enter() {
-
-                       --value;
-                       if (value < 0) {
-                               try {
-                                       wait();
-                               } catch (InterruptedException e) {
-                                       // squelch and continue
-                               }
-                       }
-               }
-
-               public synchronized void exit() {
-
-                       ++value;
-                       notify();
-               }
-       }
-
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/IdPConfig.java b/src/edu/internet2/middleware/shibboleth/idp/IdPConfig.java
deleted file mode 100644 (file)
index d181399..0000000
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import org.apache.log4j.Logger;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-
-/**
- * @author Walter Hoehn
- */
-public class IdPConfig {
-
-       // TODO re-evaluate whether or not we need this class... most of it has gone away anyway
-
-       public static final String configNameSpace = "urn:mace:shibboleth:idp:config:1.0";
-       private String resolverConfig = "/conf/resolver.xml";
-
-       private int maxThreads = 30;
-
-       private static Logger log = Logger.getLogger(IdPConfig.class.getName());
-
-       public IdPConfig(Element config) throws ShibbolethConfigurationException {
-
-               if (!config.getTagName().equals("IdPConfig")) { throw new ShibbolethConfigurationException(
-                               "Unexpected configuration data.  <IdPConfig/> is needed."); }
-
-               log.debug("Loading global configuration properties.");
-
-               // Attribute resolver config file location
-               String rawResolverConfig = ((Element) config).getAttribute("resolverConfig");
-               if (rawResolverConfig != null && !rawResolverConfig.equals("")) {
-                       resolverConfig = rawResolverConfig;
-               }
-
-               String attribute = ((Element) config).getAttribute("maxSigningThreads");
-               if (attribute != null && !attribute.equals("")) {
-                       try {
-                               maxThreads = Integer.parseInt(attribute);
-                       } catch (NumberFormatException e) {
-                               log.error("(maxSigningThreads) attribute to is not a valid integer.");
-                               throw new ShibbolethConfigurationException("Configuration is invalid.");
-                       }
-               }
-
-               attribute = ((Element) config).getAttribute("authHeaderName");
-
-               log.debug("Global IdP config: (maxSigningThreads) = (" + getMaxThreads() + ").");
-
-               log.debug("Global IdP config: (resolverConfig) = (" + getResolverConfigLocation() + ").");
-
-       }
-
-       public String getResolverConfigLocation() {
-
-               return resolverConfig;
-       }
-
-       public int getMaxThreads() {
-
-               return maxThreads;
-       }
-
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/IdPProtocolHandler.java b/src/edu/internet2/middleware/shibboleth/idp/IdPProtocolHandler.java
deleted file mode 100644 (file)
index 3bb9a01..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * Defines the processing for an IdP-supported protocol. A particular <code>IdPProtocolHandler</code> implementation
- * is registered to process requests delivered from one or more URL locations. Core IdP functionality is delivered
- * through the <code>IdPProtocolSupport</code> class.
- * 
- * @author Walter Hoehn
- */
-public interface IdPProtocolHandler {
-
-       /**
-        * Retreives a textual name for the handler for display purposes.
-        */
-       public String getHandlerName();
-
-       /**
-        * Runs the protocol-specific request processing. Responsible for updating the <code>HttpServletResponse</code>.
-        * 
-        * @throws RequestHandlingException
-        *             if the handler is unable to successfully respond with a successfull protocol exchange or a
-        *             protocol-defined error message
-        */
-       public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
-                       throws RequestHandlingException, ServletException;
-
-       /**
-        * Returns the locations for which this handler should process requests.
-        */
-       public String[] getLocations();
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/IdPProtocolSupport.java b/src/edu/internet2/middleware/shibboleth/idp/IdPProtocolSupport.java
deleted file mode 100644 (file)
index 015b391..0000000
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
- * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
- * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.Map;
-
-import org.apache.log4j.Logger;
-import org.opensaml.InvalidCryptoException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLResponse;
-import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.security.TrustEngine;
-import org.opensaml.security.X509EntityCredential;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.RelyingPartyMapper;
-
-/**
- * Delivers core IdP functionality (Attribute resolution, ARP filtering, Metadata lookup, Signing, Mapping between local &
- * SAML identifiers, etc.) to components that process protocol-specific requests.
- * 
- * @author Walter Hoehn
- */
-public interface IdPProtocolSupport extends MetadataProvider {
-
-       /**
-        * Facility for logging transaction information. Should be used by most Protocol Hanlder implementations.
-        */
-       public Logger getTransactionLog();
-
-       /**
-        * Access to system-wide configuration.
-        */
-       public IdPConfig getIdPConfig();
-
-       /**
-        * Access to relying party-specific configuration.
-        */
-       public RelyingPartyMapper getRelyingPartyMapper();
-
-       public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
-                       SAMLException;
-
-       public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException;
-
-       /**
-        * Registered a metadata provider based on supplied XML configuration.
-        */
-       public void addMetadataProvider(Element element);
-
-       public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
-                       String requester) throws AAException;
-
-       public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
-                       String requester, Collection<URI> attributeNames) throws AAException;
-
-       public Collection<? extends SAMLAttribute> resolveAttributes(Principal principal, String requester,
-                       String responder, Map<String, AAAttribute> attributeSet) throws ArpProcessingException;
-
-       public Collection<? extends SAMLAttribute> resolveAttributesNoPolicies(Principal principal, String requester,
-                       String responder, Map<String, AAAttribute> attributeSet);
-
-       /**
-        * Cleanup resources that won't be released when this object is garbage-collected
-        */
-       public void destroy();
-
-       public ArtifactMapper getArtifactMapper();
-
-       /**
-        * Returns an OpenSAML2 Trust Engine implementation.
-        */
-       public TrustEngine<X509Credential> getTrustEngine();
-
-       /**
-        * Returns the number of active Metadata Providers.
-        */
-       public int providerCount();
-
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/InvalidClientDataException.java b/src/edu/internet2/middleware/shibboleth/idp/InvalidClientDataException.java
deleted file mode 100644 (file)
index 75f2dd7..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-/**
- * @author Walter Hoehn
- */
-public class InvalidClientDataException extends Exception {
-
-       public InvalidClientDataException(String message) {
-
-               super(message);
-       }
-
-}
diff --git a/src/edu/internet2/middleware/shibboleth/idp/ProtocolHandlerFactory.java b/src/edu/internet2/middleware/shibboleth/idp/ProtocolHandlerFactory.java
deleted file mode 100644 (file)
index 44a6a70..0000000
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationTargetException;
-
-import org.apache.log4j.Logger;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-
-/**
- * Factory class for loading <code>ProtocolHandler</code> implementations based on xml configuration.
- * 
- * @author Walter Hoehn
- */
-public class ProtocolHandlerFactory {
-
-       private static Logger log = Logger.getLogger(ProtocolHandlerFactory.class.getName());
-
-       public static IdPProtocolHandler getInstance(Element config) throws ShibbolethConfigurationException {
-
-               String implementation = config.getAttribute("implementation");
-               if (implementation == null || implementation.equals("")) {
-                       log.error("No Protocol Handler implementation specified.  Attribute (implementation) is "
-                                       + "required with element <ProtocolHandler/>.");
-                       throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-
-               } else {
-
-                       try {
-                               log.debug("Loading Protocol Handler implementation: (" + implementation + ").");
-                               Class implClass = Class.forName(implementation);
-                               Constructor constructor = implClass.getConstructor(new Class[]{Element.class});
-                               Object rawImpl = constructor.newInstance(new Object[]{config});
-
-                               if (rawImpl instanceof IdPProtocolHandler) {
-                                       return (IdPProtocolHandler) rawImpl;
-                               } else {
-                                       log.error("Invalid configuration, supplied implementation class for the Protocol Handler "
-                                                       + "does not properly implement the required IdPProtocolHandler interface.");
-                                       throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-                               }
-
-                       } catch (ClassNotFoundException e) {
-                               log.error("Invalid configuration, supplied implementation class for the Protocol Handler "
-                                               + "could not be found: " + e.getMessage());
-                               throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-
-                       } catch (NoSuchMethodException e) {
-                               log.error("Invalid configuration, supplied implementation class for the Protocol Handler is "
-                                               + "not valid.  A DOM Element constructor is required: " + e.getMessage());
-                               throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-
-                       } catch (InvocationTargetException e) {
-                               Throwable cause = e.getCause();
-                               if (cause != null) {
-                                       log.error(cause.getMessage());
-                               }
-                               log.error("Invalid configuration, supplied implementation class for the Protocol Handler"
-                                               + " could not be loaded: " + e.getMessage());
-                               throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-                       } catch (Exception e) {
-                               log.error("Invalid configuration, supplied implementation class for the Protocol Handler"
-                                               + " could not be loaded: " + e.getMessage());
-                               throw new ShibbolethConfigurationException("Invalid configuration data supplied.");
-                       }
-               }
-       }
-
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/RequestHandlingException.java b/src/edu/internet2/middleware/shibboleth/idp/RequestHandlingException.java
deleted file mode 100644 (file)
index 9c9057d..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-
-package edu.internet2.middleware.shibboleth.idp;
-
-/**
- * Signals that an IdPProtocolHandler was unable to respond appropriately to a request.
- */
-public class RequestHandlingException extends Exception {
-
-       public RequestHandlingException(String message) {
-
-               super(message);
-       }
-
-}
diff --git a/src/edu/internet2/middleware/shibboleth/idp/RequestSpecificProtocolSupport.java b/src/edu/internet2/middleware/shibboleth/idp/RequestSpecificProtocolSupport.java
deleted file mode 100644 (file)
index d0dadd4..0000000
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.xml.namespace.QName;
-
-import org.apache.log4j.Logger;
-import org.opensaml.InvalidCryptoException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLResponse;
-import org.opensaml.saml2.metadata.EntitiesDescriptor;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.RoleDescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.TrustEngine;
-import org.opensaml.security.X509EntityCredential;
-import org.opensaml.xml.XMLObject;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.RelyingPartyMapper;
-
-/**
- * IdPProtocolSupport implementation that offers functionality that is specific to a particular request.
- * 
- * @author Walter Hoehn
- */
-public class RequestSpecificProtocolSupport implements IdPProtocolSupport {
-
-       IdPProtocolSupport wrapped;
-
-       RequestSpecificProtocolSupport(GeneralProtocolSupport generalSupport, HttpServletRequest request,
-                       HttpServletResponse response) {
-
-               wrapped = generalSupport;
-       }
-
-       public void addMetadataProvider(Element element) {
-
-               wrapped.addMetadataProvider(element);
-       }
-
-       public void destroy() {
-
-               wrapped.destroy();
-       }
-
-       public ArtifactMapper getArtifactMapper() {
-
-               return wrapped.getArtifactMapper();
-       }
-
-       public IdPConfig getIdPConfig() {
-
-               return wrapped.getIdPConfig();
-       }
-
-       public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
-                       String requester) throws AAException {
-
-               return wrapped.getReleaseAttributes(principal, relyingParty, requester);
-       }
-
-       public Collection<? extends SAMLAttribute> getReleaseAttributes(Principal principal, RelyingParty relyingParty,
-                       String requester, Collection<URI> attributeNames) throws AAException {
-
-               return wrapped.getReleaseAttributes(principal, relyingParty, requester, attributeNames);
-       }
-
-       public RelyingPartyMapper getRelyingPartyMapper() {
-
-               return wrapped.getRelyingPartyMapper();
-       }
-
-       public Logger getTransactionLog() {
-
-               return wrapped.getTransactionLog();
-       }
-
-       public TrustEngine<X509Credential> getTrustEngine() {
-
-               return wrapped.getTrustEngine();
-       }
-
-       public int providerCount() {
-
-               return wrapped.providerCount();
-       }
-
-       public Collection<? extends SAMLAttribute> resolveAttributes(Principal principal, String requester,
-                       String responder, Map<String, AAAttribute> attributeSet) throws ArpProcessingException {
-
-               return wrapped.resolveAttributes(principal, requester, responder, attributeSet);
-       }
-
-       public Collection<? extends SAMLAttribute> resolveAttributesNoPolicies(Principal principal, String requester,
-                       String responder, Map<String, AAAttribute> attributeSet) {
-
-               return wrapped.resolveAttributesNoPolicies(principal, requester, responder, attributeSet);
-       }
-
-       public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
-                       SAMLException {
-
-               wrapped.signAssertions(assertions, relyingParty);
-       }
-
-       public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException {
-
-               wrapped.signResponse(response, relyingParty);
-       }
-
-       public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
-
-               return wrapped.getEntitiesDescriptor(name);
-       }
-
-       public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
-
-               return wrapped.getEntityDescriptor(entityID);
-       }
-
-       public XMLObject getMetadata() throws MetadataProviderException {
-
-               return wrapped.getMetadata();
-       }
-
-       public MetadataFilter getMetadataFilter() {
-
-               return wrapped.getMetadataFilter();
-       }
-
-       public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
-
-               return wrapped.getRole(entityID, roleName);
-       }
-
-       public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
-                       throws MetadataProviderException {
-
-               return wrapped.getRole(entityID, roleName, supportedProtocol);
-       }
-
-       public boolean requireValidMetadata() {
-
-               return wrapped.requireValidMetadata();
-       }
-
-       public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
-
-               wrapped.setMetadataFilter(newFilter);
-       }
-
-       public void setRequireValidMetadata(boolean requireValidMetadata) {
-
-               wrapped.setRequireValidMetadata(requireValidMetadata);
-       }
-
-}
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/ADFS_SSOHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/ADFS_SSOHandler.java
deleted file mode 100644 (file)
index cac6e0f..0000000
+++ /dev/null
@@ -1,466 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
- * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
- * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Date;
-import java.util.List;
-import java.util.Vector;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
-import org.apache.xml.security.c14n.CanonicalizationException;
-import org.apache.xml.security.c14n.Canonicalizer;
-import org.apache.xml.security.c14n.InvalidCanonicalizerException;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLAttributeStatement;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLAuthenticationStatement;
-import org.opensaml.SAMLCondition;
-import org.opensaml.SAMLConfig;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
-import org.opensaml.SAMLSubjectStatement;
-import org.opensaml.XML;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.Endpoint;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * <code>ProtocolHandler</code> implementation that responds to ADFS SSO flows as specified in "WS-Federation: Passive
- * Requestor Interoperability Profiles".
- * 
- * @author Walter Hoehn
- */
-public class ADFS_SSOHandler extends SSOHandler implements IdPProtocolHandler {
-
-       private static Logger log = Logger.getLogger(ADFS_SSOHandler.class.getName());
-       private static final String WA = "wsignin1.0";
-       private static final String WS_FED_PROTOCOL_ENUM = "http://schemas.xmlsoap.org/ws/2003/07/secext";
-       private static final Collection SUPPORTED_IDENTIFIER_FORMATS = Arrays.asList(new String[]{
-                       "urn:oasis:names:tc:SAML:1.1nameid-format:emailAddress", "http://schemas.xmlsoap.org/claims/UPN",
-                       "http://schemas.xmlsoap.org/claims/CommonName"});
-       private static final String CLAIMS_URI = "http://schemas.xmlsoap.org/claims";
-
-       /**
-        * Required DOM-based constructor.
-        */
-       public ADFS_SSOHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
-        *      javax.servlet.http.HttpServletResponse)
-        */
-       public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
-                       throws RequestHandlingException, ServletException {
-
-               // Set attributes that are needed by the jsp
-               // ADFS spec says always send (wa)
-               request.setAttribute("wa", ADFS_SSOHandler.WA);
-               // Passthru (wctx) if we get one
-               if (request.getParameter("wctx") != null && !request.getParameter("wctx").equals("")) {
-                       request.setAttribute("wctx", request.getParameter("wctx"));
-               }
-
-               try {
-                       // Ensure that we have the required data from the servlet container
-                       validateEngineData(request);
-                       validateAdfsSpecificData(request);
-
-                       // Get the authN info
-                       String username = support.getIdPConfig().getAuthHeaderName().equalsIgnoreCase("REMOTE_USER") ? request
-                                       .getRemoteUser() : request.getHeader(support.getIdPConfig().getAuthHeaderName());
-                       if ((username == null) || (username.equals(""))) { throw new InvalidClientDataException(
-                                       "Unauthenticated principal. This protocol handler requires that authentication information be "
-                                                       + "provided from the servlet container."); }
-                       LocalPrincipal principal = new LocalPrincipal(username);
-
-                       // Select the appropriate Relying Party configuration for the request
-                       String remoteProviderId = request.getParameter("wtrealm");
-                       log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
-                       RelyingParty relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
-
-                       // Grab the metadata for the provider
-                       EntityDescriptor descriptor = null;
-                       try {
-                               descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
-                       } catch (MetadataProviderException e1) {
-                               log.error("Encountered an error while looking up metadata: " + e1);
-                       }
-
-                       if (descriptor == null) {
-                               log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
-                               throw new InvalidClientDataException(
-                                               "The specified Service Provider is unkown to this Identity Provider.");
-                       }
-
-                       // Make sure we have proper WS-Fed metadata
-                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(ADFS_SSOHandler.WS_FED_PROTOCOL_ENUM);
-                       if (sp == null) {
-                               log.info("Inappropriate metadata for provider: no WS-Federation binding.");
-                               throw new InvalidClientDataException(
-                                               "Unable to communicate with the specified Service Provider via this protocol.");
-                       }
-
-                       // If an acceptance URL was supplied, validate it
-                       String acceptanceURL = request.getParameter("wreply");
-                       if (acceptanceURL != null && !acceptanceURL.equals("")) {
-                               if (isValidAssertionConsumerURL(sp, acceptanceURL)) {
-                                       log.info("Supplied consumer URL validated for this provider.");
-                               } else {
-                                       log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
-                                                       + relyingParty.getProviderId() + ").");
-                                       throw new InvalidClientDataException("Invalid assertion consumer service URL.");
-                               }
-                               // if none was supplied, pull one from the metadata
-
-                       } else {
-                               Endpoint endpoint = lookupAssertionConsumerService(sp);
-                               if (endpoint == null || endpoint.getLocation() == null) {
-                                       log.error("No Assertion consumer service URL is available for provider ("
-                                                       + relyingParty.getProviderId() + ") via request the SSO request or the metadata.");
-                                       throw new InvalidClientDataException("Unable to determine assertion consumer service URL.");
-                               }
-                               acceptanceURL = endpoint.getLocation();
-                       }
-                       // Needed for the form
-                       request.setAttribute("wreply", acceptanceURL);
-
-                       // Create SAML Name Identifier & Subject
-                       SAMLNameIdentifier nameId;
-                       try {
-                               nameId = getNameIdentifier(support.getNameMapper(), principal, relyingParty, descriptor);
-                               // ADFS spec limits which name identifier formats can be used
-                               if (!ADFS_SSOHandler.SUPPORTED_IDENTIFIER_FORMATS.contains(nameId.getFormat())) {
-                                       log.error("SAML Name Identifier format (" + nameId.getFormat()
-                                                       + ") is inappropriate for use with ADFS provider.");
-                                       throw new InvalidClientDataException(
-                                                       "Error converting principal to SAML Name Identifier: Invalid ADFS Name Identifier format.");
-                               }
-
-                       } catch (NameIdentifierMappingException e) {
-                               log.error("Error converting principal to SAML Name Identifier: " + e);
-                               throw new InvalidClientDataException("Error converting principal to SAML Name Identifier.");
-                       }
-
-                       // ADFS profile requires an authentication method
-                       String authenticationMethod = request.getHeader("SAMLAuthenticationMethod");
-                       if (authenticationMethod == null || authenticationMethod.equals("")) {
-                               authenticationMethod = relyingParty.getDefaultAuthMethod().toString();
-                               log.debug("User was authenticated via the default method for this relying party ("
-                                               + authenticationMethod + ").");
-                       } else {
-                               log.debug("User was authenticated via the method (" + authenticationMethod + ").");
-                       }
-
-                       SAMLSubject authNSubject = new SAMLSubject(nameId, null, null, null);
-
-                       // We always do POST with ADFS
-                       respondWithPOST(request, response, support, principal, relyingParty, descriptor, acceptanceURL, nameId,
-                                       authenticationMethod, authNSubject);
-
-               } catch (InvalidClientDataException e) {
-                       throw new RequestHandlingException("Unable to handle request.  Client data is invalid: " + e);
-               } catch (SecurityTokenResponseException e) {
-                       log.error("Error creating security token response: " + e);
-                       throw new RequestHandlingException("Unable to handle request.  Error creating security token response.");
-               } catch (SAMLException e) {
-                       log.error("Error creating SAML security token: " + e);
-                       throw new RequestHandlingException("Unable to handle request.  Error creating SAML security token.");
-               }
-       }
-
-       private Endpoint lookupAssertionConsumerService(SPSSODescriptor sp) {
-
-               // Grab the first endpoin we find with an ADFS protocol binding
-               List<AssertionConsumerService> acs = sp.getAssertionConsumerServices();
-               for (AssertionConsumerService service : acs) {
-                       if (ADFS_SSOHandler.WS_FED_PROTOCOL_ENUM.equals(service.getBinding())) { return service; }
-               }
-
-               return null;
-       }
-
-       private void respondWithPOST(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support,
-                       LocalPrincipal principal, RelyingParty relyingParty, EntityDescriptor descriptor, String acceptanceURL,
-                       SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject) throws SAMLException,
-                       ServletException, SecurityTokenResponseException {
-
-               try {
-                       // We should always send a single token (SAML assertion)
-                       SAMLAssertion assertion = generateAssertion(request, relyingParty, descriptor, nameId,
-                                       authenticationMethod, getAuthNTime(request), authNSubject);
-
-                       generateAttributes(support, principal, relyingParty, assertion, request);
-
-                       // ADFS spec says assertions should always be signed
-                       support.signAssertions((SAMLAssertion[]) new SAMLAssertion[]{assertion}, relyingParty);
-
-                       // Wrap assertion in security token response and create form
-                       createPOSTForm(request, response, new SecurityTokenResponse(assertion, relyingParty.getProviderId()));
-
-                       // Make transaction log entry
-                       support.getTransactionLog().info(
-                                       "ADFS security token issued to provider (" + relyingParty.getProviderId()
-                                                       + ") on behalf of principal (" + principal.getName() + ").");
-
-               } catch (IOException e) {
-                       throw new SAMLException(SAMLException.RESPONDER, e);
-               }
-       }
-
-       private void generateAttributes(IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
-                       SAMLAssertion assertion, HttpServletRequest request) throws SAMLException {
-
-               try {
-                       Collection<? extends SAMLAttribute> attributes = support.getReleaseAttributes(principal, relyingParty,
-                                       relyingParty.getProviderId());
-                       log.info("Found " + attributes.size() + " attribute(s) for " + principal.getName());
-
-                       // Bail if we didn't get any attributes
-                       if (attributes == null || attributes.size() < 1) {
-                               log.info("No attributes resolved.");
-                               return;
-                       }
-
-                       // The ADFS spec recommends that all attributes have this URI, but it doesn't require it
-                       for (SAMLAttribute attribute : attributes) {
-                               if (!attribute.getNamespace().equals(CLAIMS_URI)) {
-                                       log.warn("It is recommended that all attributes sent via the ADFS SSO handler "
-                                                       + "have a namespace of (" + CLAIMS_URI + ").  The attribute (" + attribute.getName()
-                                                       + ") has a namespace of (" + attribute.getNamespace() + ").");
-                               }
-                       }
-
-                       // Reference requested subject
-                       SAMLSubject attrSubject = (SAMLSubject) ((SAMLSubjectStatement) assertion.getStatements().next())
-                                       .getSubject().clone();
-
-                       // ADFS spec says to include authN and attribute statements in the same assertion
-                       log.debug("Merging attributes into existing authn assertion");
-                       assertion.addStatement(new SAMLAttributeStatement(attrSubject, attributes));
-
-                       if (log.isDebugEnabled()) {
-                               log.debug("Dumping combined Assertion:" + System.getProperty("line.separator") + assertion.toString());
-                       }
-
-               } catch (AAException e) {
-                       log.error("An error was encountered while generating assertion for attribute push: " + e);
-                       throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
-               } catch (CloneNotSupportedException e) {
-                       log.error("An error was encountered while generating assertion for attribute push: " + e);
-                       throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
-               }
-       }
-
-       private SAMLAssertion generateAssertion(HttpServletRequest request, RelyingParty relyingParty,
-                       EntityDescriptor descriptor, SAMLNameIdentifier nameId, String authenticationMethod, Date authTime,
-                       SAMLSubject subject) throws SAMLException, IOException {
-
-               // Bearer method is recommended by the ADFS spec
-               subject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
-
-               // ADFS spec requires a single audience of the SP
-               ArrayList<String> audiences = new ArrayList<String>();
-               if (relyingParty.getProviderId() != null) {
-                       audiences.add(relyingParty.getProviderId());
-               }
-               Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
-               if (audiences != null && audiences.size() > 0) conditions.add(new SAMLAudienceRestrictionCondition(audiences));
-
-               // Determine the correct issuer
-               String issuer = relyingParty.getIdentityProvider().getProviderId();
-
-               // Create the assertion
-               // NOTE the ADFS spec says not to specify a locality
-               SAMLStatement[] statements = {new SAMLAuthenticationStatement(subject, authenticationMethod, authTime, null,
-                               null, null)};
-
-               // Package attributes
-               log.info("Resolving attributes.");
-
-               SAMLAssertion assertion = new SAMLAssertion(issuer, new Date(System.currentTimeMillis()), new Date(System
-                               .currentTimeMillis() + 300000), conditions, null, Arrays.asList(statements));
-
-               if (log.isDebugEnabled()) {
-                       log.debug("Dumping generated Assertion:" + System.getProperty("line.separator") + assertion.toString());
-               }
-
-               return assertion;
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#getHandlerName()
-        */
-       public String getHandlerName() {
-
-               return "ADFS SSO Handler";
-       }
-
-       private void validateAdfsSpecificData(HttpServletRequest request) throws InvalidClientDataException {
-
-               // Required by spec, must have the constant value
-               if (request.getParameter("wa") == null || !request.getParameter("wa").equals(ADFS_SSOHandler.WA)) { throw new InvalidClientDataException(
-                               "Invalid data from Service Provider: missing or invalid (wa) parameter."); }
-
-               // Required by spec
-               if ((request.getParameter("wtrealm") == null) || (request.getParameter("wtrealm").equals(""))) { throw new InvalidClientDataException(
-                               "Invalid data from Service Provider:missing or invalid (wtrealm) parameter."); }
-       }
-
-       private static void createPOSTForm(HttpServletRequest req, HttpServletResponse res,
-                       SecurityTokenResponse tokenResponse) throws ServletException, SecurityTokenResponseException {
-
-               req.setAttribute("wresult", tokenResponse.toXmlString());
-
-               if (log.isDebugEnabled()) {
-                       log.debug("Dumping generated Security Token Response:" + System.getProperty("line.separator")
-                                       + tokenResponse.toXmlString());
-               }
-
-               RequestDispatcher rd = req.getRequestDispatcher("/adfs.jsp");
-               try {
-                       rd.forward(req, res);
-               } catch (IOException e) {
-                       log.error("Error sending redirect: " + e);
-                       throw new ServletException();
-               }
-       }
-
-       /**
-        * Boolean indication of whethere or not a given assertion consumer URL is valid for a given SP.
-        */
-       private static boolean isValidAssertionConsumerURL(SPSSODescriptor descriptor, String shireURL)
-                       throws InvalidClientDataException {
-
-               List<AssertionConsumerService> endpoints = descriptor.getAssertionConsumerServices();
-               for (AssertionConsumerService acs : endpoints) {
-                       if (shireURL.equals(acs.getLocation())) { return true; }
-               }
-
-               log.info("Supplied consumer URL not found in metadata.");
-               return false;
-       }
-
-}
-
-class SecurityTokenResponse {
-
-       private static Logger log = Logger.getLogger(SecurityTokenResponse.class.getName());
-       private static SAMLConfig config = SAMLConfig.instance();
-       private static String WS_TRUST_SCHEMA = "http://schemas.xmlsoap.org/ws/2005/02/trust";
-       private static String WS_POLICY_SCHEMA = "http://schemas.xmlsoap.org/ws/2004/09/policy";
-       private static String WS_ADDRESSING_SCHEMA = "http://schemas.xmlsoap.org/ws/2004/08/addressing";
-       private Document response;
-
-       SecurityTokenResponse(SAMLAssertion assertion, String remoteProviderId) throws SecurityTokenResponseException,
-                       SAMLException {
-
-               response = XML.parserPool.newDocument();
-
-               // Create root response element
-               Element root = response.createElementNS(WS_TRUST_SCHEMA, "RequestSecurityTokenResponse");
-               root.setAttributeNS(XML.XMLNS_NS, "xmlns", WS_TRUST_SCHEMA);
-               response.appendChild(root);
-
-               // Tie to remote endpoint
-               Element appliesTo = response.createElementNS(WS_POLICY_SCHEMA, "AppliesTo");
-               appliesTo.setAttributeNS(XML.XMLNS_NS, "xmlns", WS_POLICY_SCHEMA);
-               root.appendChild(appliesTo);
-               Element endpointRef = response.createElementNS(WS_ADDRESSING_SCHEMA, "EndpointReference");
-               endpointRef.setAttributeNS(XML.XMLNS_NS, "xmlns", WS_ADDRESSING_SCHEMA);
-               appliesTo.appendChild(endpointRef);
-               Element address = response.createElementNS(WS_ADDRESSING_SCHEMA, "Address");
-               address.appendChild(response.createTextNode(remoteProviderId));
-               endpointRef.appendChild(address);
-
-               // Add security token
-               Element token = response.createElementNS(WS_TRUST_SCHEMA, "RequestedSecurityToken");
-
-               token.appendChild(assertion.toDOM(response));
-               root.appendChild(token);
-
-       }
-
-       public byte[] toBase64() throws SecurityTokenResponseException {
-
-               try {
-                       Canonicalizer canonicalizier = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
-                       byte[] canonicalized = canonicalizier.canonicalizeSubtree(response, config
-                                       .getProperty("org.opensaml.inclusive-namespace-prefixes"));
-
-                       return Base64.encodeBase64Chunked(canonicalized);
-               } catch (InvalidCanonicalizerException e) {
-                       log.error("Error Canonicalizing Security Token Response: " + e);
-                       throw new SecurityTokenResponseException(e.getMessage());
-               }
-
-               catch (CanonicalizationException e) {
-                       log.error("Error Canonicalizing Security Token Response: " + e);
-                       throw new SecurityTokenResponseException(e.getMessage());
-               }
-       }
-
-       public String toXmlString() throws SecurityTokenResponseException {
-
-               try {
-                       Canonicalizer canonicalizier = Canonicalizer.getInstance(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
-                       byte[] canonicalized = canonicalizier.canonicalizeSubtree(response, config
-                                       .getProperty("org.opensaml.inclusive-namespace-prefixes"));
-                       return new String(canonicalized);
-
-               } catch (InvalidCanonicalizerException e) {
-                       log.error("Error Canonicalizing Security Token Response: " + e);
-                       throw new SecurityTokenResponseException(e.getMessage());
-               }
-
-               catch (CanonicalizationException e) {
-                       log.error("Error Canonicalizing Security Token Response: " + e);
-                       throw new SecurityTokenResponseException(e.getMessage());
-               }
-       }
-
-}
-
-class SecurityTokenResponseException extends Exception {
-
-       SecurityTokenResponseException(String message) {
-
-               super(message);
-       }
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/BaseHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/BaseHandler.java
deleted file mode 100644 (file)
index b7bef56..0000000
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-
-import javax.security.auth.x500.X500Principal;
-
-import org.apache.log4j.Logger;
-import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.DERObject;
-import org.bouncycastle.asn1.DERObjectIdentifier;
-import org.bouncycastle.asn1.DERSequence;
-import org.bouncycastle.asn1.DERSet;
-import org.bouncycastle.asn1.DERString;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPConfig;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-
-/**
- * Functionality common to all <code>IdPProtocolHandler</code> implementation.
- * 
- * @author Walter Hoehn
- */
-public abstract class BaseHandler implements IdPProtocolHandler {
-
-       private static Logger log = Logger.getLogger(BaseHandler.class.getName());
-       private static final String CN_OID = "2.5.4.3";
-       private HashSet<String> locations = new HashSet<String>();
-
-       /**
-        * Required DOM-based constructor.
-        */
-       public BaseHandler(Element config) throws ShibbolethConfigurationException {
-
-               // Make sure we have at least one location
-               NodeList locations = config.getElementsByTagNameNS(IdPConfig.configNameSpace, "Location");
-               if (locations.getLength() < 1) {
-                       log.error("The <ProtocolHandler/> element must contain at least one <Location/> element.");
-                       throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
-               }
-
-               // Parse the locations
-               for (int i = 0; i < locations.getLength(); i++) {
-                       Node tnode = ((Element) locations.item(i)).getFirstChild();
-                       if (tnode != null && tnode.getNodeType() == Node.TEXT_NODE) {
-                               String rawURI = tnode.getNodeValue();
-
-                               if (rawURI == null || rawURI.equals("")) {
-                                       log.error("The <Location/> element inside the <ProtocolHandler/> element must "
-                                                       + "contain a URI or regular expressions.");
-                                       throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
-                               }
-                               this.locations.add(rawURI);
-
-                       } else {
-                               log.error("The <Location/> element inside the <ProtocolHandler/> element must contain a "
-                                               + "URI or regular expression.");
-                               throw new ShibbolethConfigurationException("Unable to load ProtocolHandler.");
-                       }
-               }
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler#getLocations()
-        */
-       public String[] getLocations() {
-
-               return (String[]) locations.toArray(new String[0]);
-       }
-
-       protected static String getHostNameFromDN(X500Principal dn) {
-
-               // Parse the ASN.1 representation of the dn and grab the last CN component that we find
-               // We used to do this with the dn string, but the JDK's default parsing caused problems with some DNs
-               try {
-                       ASN1InputStream asn1Stream = new ASN1InputStream(dn.getEncoded());
-                       DERObject parent = asn1Stream.readObject();
-
-                       if (!(parent instanceof DERSequence)) {
-                               log.error("Unable to extract host name name from certificate subject DN: incorrect ASN.1 encoding.");
-                               return null;
-                       }
-
-                       String cn = null;
-                       for (int i = 0; i < ((DERSequence) parent).size(); i++) {
-                               DERObject dnComponent = ((DERSequence) parent).getObjectAt(i).getDERObject();
-                               if (!(dnComponent instanceof DERSet)) {
-                                       log.debug("No DN components.");
-                                       continue;
-                               }
-
-                               // Each DN component is a set
-                               for (int j = 0; j < ((DERSet) dnComponent).size(); j++) {
-                                       DERObject grandChild = ((DERSet) dnComponent).getObjectAt(j).getDERObject();
-
-                                       if (((DERSequence) grandChild).getObjectAt(0) != null
-                                                       && ((DERSequence) grandChild).getObjectAt(0).getDERObject() instanceof DERObjectIdentifier) {
-                                               DERObjectIdentifier componentId = (DERObjectIdentifier) ((DERSequence) grandChild).getObjectAt(
-                                                               0).getDERObject();
-
-                                               if (CN_OID.equals(componentId.getId())) {
-                                                       // OK, this dn component is actually a cn attribute
-                                                       if (((DERSequence) grandChild).getObjectAt(1) != null
-                                                                       && ((DERSequence) grandChild).getObjectAt(1).getDERObject() instanceof DERString) {
-                                                               cn = ((DERString) ((DERSequence) grandChild).getObjectAt(1).getDERObject()).getString();
-                                                       }
-                                               }
-                                       }
-                               }
-                       }
-                       asn1Stream.close();
-                       return cn;
-
-               } catch (IOException e) {
-                       log.error("Unable to extract host name name from certificate subject DN: ASN.1 parsing failed: " + e);
-                       return null;
-               }
-       }
-
-       protected static String[] getCredentialNames(X509Certificate cert) {
-
-               ArrayList<String> names = new ArrayList<String>();
-               names.add(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
-               try {
-                       Collection altNames = cert.getSubjectAlternativeNames();
-                       if (altNames != null) {
-                               for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
-                                       List altName = (List) nameIterator.next();
-                                       if (altName.get(0).equals(new Integer(2)) && altName.get(1) instanceof String) { // 2 is DNS
-                                               names.add((String) altName.get(1));
-                                       } else if (altName.get(0).equals(new Integer(6)) && altName.get(1) instanceof String) { // 6 is URI
-                                               names.add((String) altName.get(1));
-                                       }
-                               }
-                       }
-               } catch (CertificateParsingException e1) {
-                       log.error("Encountered an problem trying to extract Subject Alternate "
-                                       + "Name from supplied certificate: " + e1);
-               }
-               names.add(getHostNameFromDN(cert.getSubjectX500Principal()));
-               return (String[]) names.toArray(new String[1]);
-       }
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/BaseServiceHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/BaseServiceHandler.java
deleted file mode 100644 (file)
index c6873eb..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.security.cert.X509Certificate;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-
-/**
- * @author Walter Hoehn
- */
-public abstract class BaseServiceHandler extends BaseHandler implements IdPProtocolHandler {
-
-       /**
-        * Required DOM-based constructor.
-        */
-       public BaseServiceHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-       }
-
-       protected static X509Certificate getCredentialFromProvider(HttpServletRequest req) {
-
-               X509Certificate[] certArray = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
-               if (certArray != null && certArray.length > 0) { return certArray[0]; }
-               return null;
-       }
-
-       protected class InvalidProviderCredentialException extends Exception {
-
-               public InvalidProviderCredentialException(String message) {
-
-                       super(message);
-               }
-       }
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_1ArtifactQueryHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_1ArtifactQueryHandler.java
deleted file mode 100644 (file)
index fa64b0d..0000000
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Iterator;
-
-import javax.security.auth.x500.X500Principal;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLBinding;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLRequest;
-import org.opensaml.SAMLResponse;
-import org.opensaml.XML;
-import org.opensaml.artifact.Artifact;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.impl.HttpX509EntityCredential;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.artifact.ArtifactMapping;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * @author Walter Hoehn
- */
-public class SAMLv1_1ArtifactQueryHandler extends SAMLv1_Base_QueryHandler implements IdPProtocolHandler {
-
-       private static Logger log = Logger.getLogger(SAMLv1_1ArtifactQueryHandler.class.getName());
-       private SAMLBinding binding;
-
-       public SAMLv1_1ArtifactQueryHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#getHandlerName()
-        */
-       public String getHandlerName() {
-
-               return "SAML v1.1 Artifact Query";
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
-        *      javax.servlet.http.HttpServletResponse, edu.internet2.middleware.shibboleth.idp.ProtocolSupport)
-        */
-       public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
-                       throws RequestHandlingException, ServletException {
-
-               log.info("Received a request to dereference assertion artifacts.");
-
-               SAMLRequest samlRequest = parseSAMLRequest(request);
-
-               try {
-
-                       // Pull credential from request
-                       X509Certificate[] chain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
-                       if (chain == null || chain.length == 0
-                                       || chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
-                               // The spec says that mutual authentication is required for the
-                               // artifact profile
-                               if (samlRequest.isSigned()) {
-                                       log.info("Request is signed, will authenticate it later.");
-                               } else {
-                                       log.info("Request is from an unauthenticated serviceprovider.");
-                                       throw new SAMLException(SAMLException.REQUESTER,
-                                                       "SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
-                               }
-                       } else {
-                               log.info("Request contains TLS credential: ("
-                                               + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253) + ").");
-                       }
-                       ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
-                       Iterator artifacts = samlRequest.getArtifacts();
-
-                       if (!artifacts.hasNext()) {
-                               log.error("Protocol Handler received a SAML Request, but is unable to handle it.  No "
-                                               + "artifacts were included in the request.");
-                               throw new SAMLException(SAMLException.REQUESTER, "General error processing request.");
-                       }
-
-                       int queriedArtifacts = 0;
-                       // for transaction log
-                       StringBuffer dereferencedArtifacts = new StringBuffer();
-
-                       while (artifacts.hasNext()) {
-                               queriedArtifacts++;
-                               Artifact artifact = (Artifact) artifacts.next();
-                               log.info("Dereferencing artifact: (" + artifact.encode() + ").");
-                               ArtifactMapping mapping = support.getArtifactMapper().recoverAssertion(artifact);
-
-                               if (mapping == null) {
-                                       log.info("Could not map artifact to a SAML Assertion.");
-
-                               } else if (mapping.isExpired()) {
-                                       log.error("Artifact is expired.  Skipping...");
-
-                               } else {
-                                       SAMLAssertion assertion = mapping.getAssertion();
-                                       // See if we have metadata for this provider
-                                       EntityDescriptor provider = null;
-                                       try {
-                                               provider = support.getEntityDescriptor(mapping.getServiceProviderId());
-                                       } catch (MetadataProviderException e) {
-                                               log.error("Metadata lookup for provider (" + mapping.getServiceProviderId()
-                                                               + ") encountered an error: " + e);
-                                       }
-                                       if (provider == null) {
-                                               log.info("No metadata found for provider: (" + mapping.getServiceProviderId() + ").");
-                                               throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider.");
-                                       }
-                                       SPSSODescriptor role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
-                                       if (role == null) {
-                                               log.info("SPSSO role not found in metadata for provider: (" + mapping.getServiceProviderId()
-                                                               + ").");
-                                               throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider role.");
-                                       }
-
-                                       boolean authenticated = false;
-
-                                       // Make sure that the suppplied credential is valid for the provider to which the artifact was
-                                       // issued
-                                       if (chain != null && chain.length > 0) {
-                                               if (!support.getTrustEngine().validate(new HttpX509EntityCredential(request), role)) {
-                                                       log.error("Supplied TLS credential ("
-                                                                       + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
-                                                                       + ") is NOT valid for provider (" + mapping.getServiceProviderId()
-                                                                       + "), to whom this artifact was issued.");
-                                                       throw new SAMLException(SAMLException.REQUESTER, "Invalid credential.");
-                                               }
-                                               authenticated = true;
-                                       }
-                                       if (samlRequest.isSigned()) {
-
-                                               if (!support.getTrustEngine().validate(samlRequest, role)) {
-                                                       log.error("Signed SAML request message did NOT contain a valid signature from provider ("
-                                                                       + mapping.getServiceProviderId() + "), to whom this artifact was issued.");
-                                                       throw new SAMLException(SAMLException.REQUESTER, "Invalid signature.");
-                                               }
-                                               authenticated = true;
-                                       }
-                                       if (!authenticated) {
-                                               log.info("Request could not be authenticated.");
-                                               throw new SAMLException(SAMLException.REQUESTER,
-                                                               "SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
-                                       }
-                                       log.debug("Supplied credentials validated for the provider to which this artifact was issued.");
-                                       assertions.add(assertion);
-                                       dereferencedArtifacts.append("(" + artifact.encode() + ")");
-                               }
-                       }
-
-                       // The spec requires that if any artifacts are dereferenced, they must
-                       // all be dereferenced
-                       if (assertions.size() > 0 && assertions.size() != queriedArtifacts) { throw new SAMLException(
-                                       SAMLException.REQUESTER, "Unable to successfully dereference all artifacts."); }
-
-                       // Create and send response
-                       // The spec says that we should send "success" in the case where no artifacts match
-                       SAMLResponse samlResponse = new SAMLResponse(samlRequest.getId(), null, assertions, null);
-                       if (log.isDebugEnabled()) {
-                               log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator")
-                                               + samlResponse.toString());
-                       }
-
-                       support.getTransactionLog().info(
-                                       "Succesfully dereferenced the following artifacts: " + dereferencedArtifacts.toString());
-
-                       binding.respond(response, samlResponse, null);
-
-               } catch (SAMLException e) {
-                       respondWithError(response, samlRequest, e);
-               }
-       }
-
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.java
deleted file mode 100644 (file)
index 1da0a4c..0000000
+++ /dev/null
@@ -1,413 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Iterator;
-
-import javax.security.auth.x500.X500Principal;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLAttributeDesignator;
-import org.opensaml.SAMLAttributeQuery;
-import org.opensaml.SAMLAttributeStatement;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLCondition;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLRequest;
-import org.opensaml.SAMLResponse;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
-import org.opensaml.XML;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.RoleDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.security.X509EntityCredential;
-import org.opensaml.security.impl.HttpX509EntityCredential;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.common.InvalidNameIdentifierException;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * @author Walter Hoehn
- */
-public class SAMLv1_AttributeQueryHandler extends SAMLv1_Base_QueryHandler implements IdPProtocolHandler {
-
-       static Logger log = Logger.getLogger(SAMLv1_AttributeQueryHandler.class.getName());
-
-       /**
-        * Required DOM-based constructor.
-        */
-       public SAMLv1_AttributeQueryHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#getHandlerName()
-        */
-       public String getHandlerName() {
-
-               return "SAML v1.1 Attribute Query";
-       }
-
-       private String authenticateAs(String assertedId, X509Credential credential, IdPProtocolSupport support)
-                       throws InvalidProviderCredentialException {
-
-               // See if we have metadata for this provider
-               EntityDescriptor provider = null;
-               try {
-                       provider = support.getEntityDescriptor(assertedId);
-               } catch (MetadataProviderException e) {
-                       log.error("Encountered an error while looking up metadata: " + e);
-               }
-               if (provider == null) {
-                       log.info("No metadata found for providerId: (" + assertedId + ").");
-                       return null;
-               } else {
-                       log.info("Metadata found for providerId: (" + assertedId + ").");
-               }
-               // TODO pulled this code out for now because we don't have an extension interface to support it.
-               // Need to add it back with current draft profile as of release time.
-               /*
-                * RoleDescriptor ar_role = provider.getAttributeRequesterDescriptor(XML.SAML11_PROTOCOL_ENUM);
-                */
-               RoleDescriptor ar_role = null;
-               SPSSODescriptor sp_role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
-               if (ar_role == null && sp_role == null) {
-                       log.info("SPSSO and Stand-Alone Requester roles not found in metadata for provider: (" + assertedId + ").");
-                       return null;
-               }
-
-               // Make sure that the supplied credential is valid for the selected provider role.
-               if ((ar_role != null && support.getTrustEngine().validate(credential, ar_role))
-                               || (sp_role != null && support.getTrustEngine().validate(credential, sp_role))) {
-                       log.info("Supplied credentials validated for this provider.");
-                       return assertedId;
-               } else {
-                       log.error("Supplied credentials ("
-                                       + credential.getEntityCertificate().getSubjectX500Principal().getName(X500Principal.RFC2253)
-                                       + ") are NOT valid for provider (" + assertedId + ").");
-                       throw new InvalidProviderCredentialException("Invalid credentials.");
-               }
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
-        *      javax.servlet.http.HttpServletResponse, org.opensaml.SAMLRequest,
-        *      edu.internet2.middleware.shibboleth.idp.ProtocolSupport)
-        */
-       public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
-                       throws RequestHandlingException, ServletException {
-
-               SAMLRequest samlRequest = parseSAMLRequest(request);
-
-               if (samlRequest == null || samlRequest.getQuery() == null
-                               || !(samlRequest.getQuery() instanceof SAMLAttributeQuery)) {
-                       log.error("Protocol Handler can only respond to SAML Attribute Queries.");
-                       respondWithError(response, samlRequest, new SAMLException("General error processing request."));
-                       return;
-               }
-
-               RelyingParty relyingParty = null;
-               SAMLAttributeQuery attributeQuery = (SAMLAttributeQuery) samlRequest.getQuery();
-
-               // This is the requester name that will be passed to subsystems
-               String effectiveName = null;
-
-               // Log the physical credential supplied, if any.
-               X509Certificate[] credentials = (X509Certificate[]) request
-                               .getAttribute("javax.servlet.request.X509Certificate");
-               if (credentials == null || credentials.length == 0
-                               || credentials[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
-                       log.info("Request contained no credentials, treating as an unauthenticated service provider.");
-               } else {
-                       log.info("Request contains credentials: ("
-                                       + credentials[0].getSubjectX500Principal().getName(X500Principal.RFC2253) + ").");
-
-                       // Try and authenticate the requester as any of the potentially relevant identifiers we know.
-                       try {
-                               if (attributeQuery.getResource() != null) {
-                                       log.info("Remote provider has identified itself as: (" + attributeQuery.getResource() + ").");
-                                       effectiveName = authenticateAs(attributeQuery.getResource(), new HttpX509EntityCredential(request),
-                                                       support);
-                               }
-
-                               if (effectiveName == null) {
-                                       log.info("Remote provider not yet identified, attempting to "
-                                                       + "derive requesting provider from credentials.");
-
-                                       // Try the additional candidates.
-                                       String[] candidateNames = getCredentialNames(credentials[0]);
-                                       for (int c = 0; effectiveName == null && c < candidateNames.length; c++) {
-                                               effectiveName = authenticateAs(candidateNames[c], new HttpX509EntityCredential(request),
-                                                               support);
-                                       }
-                               }
-                       } catch (InvalidProviderCredentialException ipc) {
-                               respondWithError(response, samlRequest, new SAMLException(SAMLException.REQUESTER,
-                                               "Invalid credentials for request."));
-                               return;
-                       }
-               }
-
-               if (effectiveName == null) {
-                       log.info("Unable to locate metadata about provider, treating as an unauthenticated service provider.");
-                       relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
-                       if (log.isDebugEnabled()) {
-                               log.debug("Using default Relying Party, " + relyingParty.getName() + " for unauthenticated provider.");
-                       }
-               } else {
-                       // Identify a Relying Party
-                       log.debug("Mapping authenticated provider (" + effectiveName + ") to Relying Party.");
-                       relyingParty = support.getServiceProviderMapper().getRelyingParty(effectiveName);
-               }
-
-               // Fail if we can't honor SAML Subject Confirmation unless the only one supplied is
-               // bearer, in which case this is probably a Shib 1.1 query, and we'll let it slide for now.
-               boolean hasConfirmationMethod = false;
-               Iterator iterator = attributeQuery.getSubject().getConfirmationMethods();
-               while (iterator.hasNext()) {
-                       String method = (String) iterator.next();
-                       log.info("Request contains SAML Subject Confirmation method: (" + method + ").");
-                       hasConfirmationMethod = true;
-               }
-               if (hasConfirmationMethod) {
-                       respondWithError(
-                                       response,
-                                       samlRequest,
-                                       new SAMLException(SAMLException.REQUESTER,
-                                                       "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method(s)."));
-                       return;
-               }
-
-               try {
-                       // Map Subject to local principal
-                       Principal principal = null;
-
-                       SAMLNameIdentifier nameId = attributeQuery.getSubject().getNameIdentifier();
-                       log.debug("Name Identifier format: (" + nameId.getFormat() + ").");
-                       NameIdentifierMapping mapping = null;
-                       try {
-                               mapping = support.getNameMapper().getNameIdentifierMapping(new URI(nameId.getFormat()));
-                       } catch (URISyntaxException e) {
-                               log.error("Invalid Name Identifier format.");
-                       }
-                       if (mapping == null) { throw new NameIdentifierMappingException("Name Identifier format not registered."); }
-
-                       // Don't honor the request if the active relying party configuration does not contain a mapping with the
-                       // name identifier format from the request
-                       if (!Arrays.asList(relyingParty.getNameMapperIds()).contains(mapping.getId())) { throw new NameIdentifierMappingException(
-                                       "Name Identifier format not valid for this relying party."); }
-
-                       principal = mapping.getPrincipal(nameId, relyingParty, relyingParty.getIdentityProvider());
-                       log.info("Request is for principal (" + principal.getName() + ").");
-
-                       // Get attributes from resolver
-                       Collection<? extends SAMLAttribute> attrs;
-                       Iterator requestedAttrsIterator = attributeQuery.getDesignators();
-                       if (requestedAttrsIterator.hasNext()) {
-                               log.info("Request designates specific attributes, resolving this set.");
-                               ArrayList<URI> requestedAttrs = new ArrayList<URI>();
-                               while (requestedAttrsIterator.hasNext()) {
-                                       SAMLAttributeDesignator attribute = (SAMLAttributeDesignator) requestedAttrsIterator.next();
-                                       try {
-                                               log.debug("Designated attribute: (" + attribute.getName() + ")");
-                                               requestedAttrs.add(new URI(attribute.getName()));
-                                       } catch (URISyntaxException use) {
-                                               log.error("Request designated an attribute name that does not conform "
-                                                               + "to the required URI syntax (" + attribute.getName() + ").  Ignoring this attribute");
-                                       }
-                               }
-
-                               attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName, requestedAttrs);
-                       } else {
-                               log.info("Request does not designate specific attributes, resolving all available.");
-                               attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName);
-                       }
-
-                       log.info("Found " + attrs.size() + " attribute(s) for " + principal.getName());
-
-                       // Put attributes names in the transaction log when it is set to DEBUG
-                       if (support.getTransactionLog().isDebugEnabled() && attrs.size() > 0) {
-                               StringBuffer attrNameBuffer = new StringBuffer();
-                               for (SAMLAttribute attr : attrs) {
-                                       attrNameBuffer.append("(" + attr.getName() + ")");
-                               }
-                               support.getTransactionLog()
-                                               .debug(
-                                                               "Attribute assertion generated for provider (" + effectiveName
-                                                                               + ") on behalf of principal (" + principal.getName()
-                                                                               + ") with the following attributes: " + attrNameBuffer.toString());
-                       }
-
-                       SAMLResponse samlResponse = null;
-
-                       if (attrs == null || attrs.size() == 0) {
-                               // No attribute found
-                               samlResponse = new SAMLResponse(samlRequest.getId(), null, null, null);
-
-                       } else {
-                               // Reference requested subject
-                               SAMLSubject rSubject = (SAMLSubject) attributeQuery.getSubject().clone();
-
-                               ArrayList<String> audiences = new ArrayList<String>();
-                               if (relyingParty.getProviderId() != null) {
-                                       audiences.add(relyingParty.getProviderId());
-                               }
-                               if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
-                                       audiences.add(relyingParty.getName());
-                               }
-
-                               SAMLCondition condition = new SAMLAudienceRestrictionCondition(audiences);
-
-                               // Put all attributes into an assertion
-                               SAMLStatement statement = new SAMLAttributeStatement(rSubject, attrs);
-
-                               // Set assertion expiration to longest attribute expiration
-                               long max = 0;
-                               for (SAMLAttribute attr : attrs) {
-                                       if (max < attr.getLifetime()) {
-                                               max = attr.getLifetime();
-                                       }
-                               }
-                               Date now = new Date();
-                               Date then = new Date(now.getTime() + (max * 1000)); // max is in
-                               // seconds
-
-                               SAMLAssertion sAssertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(), now,
-                                               then, Collections.singleton(condition), null, Collections.singleton(statement));
-
-                               // Sign the assertions, if necessary
-                               boolean metaDataIndicatesSignAssertions = false;
-                               EntityDescriptor descriptor = support.getEntityDescriptor((relyingParty.getProviderId()));
-                               if (descriptor != null) {
-                                       // TODO pulled this code out for now because we don't have an extension interface to support it.
-                                       // Need to add it back with current draft profile as of release time.
-                                       /*
-                                        * AttributeRequesterDescriptor ar = descriptor
-                                        * .getAttributeRequesterDescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM); if (ar != null) { if
-                                        * (ar.getWantAssertionsSigned()) { metaDataIndicatesSignAssertions = true; } }
-                                        */
-                                       if (!metaDataIndicatesSignAssertions) {
-                                               SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-                                               if (sp != null) {
-                                                       if (sp.getWantAssertionsSigned()) {
-                                                               metaDataIndicatesSignAssertions = true;
-                                                       }
-                                               }
-                                       }
-                               }
-                               if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
-                                       support.signAssertions(new SAMLAssertion[]{sAssertion}, relyingParty);
-                               }
-
-                               samlResponse = new SAMLResponse(samlRequest.getId(), null, Collections.singleton(sAssertion), null);
-                       }
-
-                       if (log.isDebugEnabled()) { // This takes some processing, so only do it if we need to
-                               log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator")
-                                               + samlResponse.toString());
-                       }
-
-                       log.info("Successfully created response for principal (" + principal.getName() + ").");
-
-                       if (effectiveName == null) {
-                               support.getTransactionLog().info(
-                                               "Attribute assertion issued to anonymous provider at (" + request.getRemoteAddr()
-                                                               + ") on behalf of principal (" + principal.getName() + ").");
-                       } else {
-                               support.getTransactionLog().info(
-                                               "Attribute assertion issued to provider (" + effectiveName + ") on behalf of principal ("
-                                                               + principal.getName() + ").");
-                       }
-
-                       binding.respond(response, samlResponse, null);
-
-               } catch (SAMLException e) {
-                       if (relyingParty.passThruErrors()) {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
-                       } else {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request."));
-                       }
-               } catch (MetadataProviderException e) {
-                       log.error("Encountered an error while looking up metadata: " + e);
-                       if (relyingParty.passThruErrors()) {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
-                       } else {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request."));
-                       }
-
-               } catch (InvalidNameIdentifierException e) {
-                       log.error("Could not associate the request's subject with a principal: " + e);
-                       if (relyingParty.passThruErrors()) {
-                               respondWithError(response, samlRequest, new SAMLException(Arrays.asList(e.getSAMLErrorCodes()),
-                                               "The supplied Subject was unrecognized.", e));
-                       } else {
-                               respondWithError(response, samlRequest, new SAMLException(Arrays.asList(e.getSAMLErrorCodes()),
-                                               "The supplied Subject was unrecognized."));
-                       }
-
-               } catch (NameIdentifierMappingException e) {
-                       log.error("Encountered an error while mapping the name identifier from the request: " + e);
-                       if (relyingParty.passThruErrors()) {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
-                       } else {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request."));
-                       }
-
-               } catch (AAException e) {
-                       log.error("Encountered an error while resolving resolving attributes: " + e);
-                       if (relyingParty.passThruErrors()) {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
-                       } else {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request."));
-                       }
-
-               } catch (CloneNotSupportedException e) {
-                       log.error("Encountered an error while cloning request subject for use in response: " + e);
-                       if (relyingParty.passThruErrors()) {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request.", e));
-                       } else {
-                               respondWithError(response, samlRequest, new SAMLException("General error processing request."));
-                       }
-               }
-       }
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_Base_QueryHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_Base_QueryHandler.java
deleted file mode 100644 (file)
index 4346be7..0000000
+++ /dev/null
@@ -1,80 +0,0 @@
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.opensaml.NoSuchProviderException;
-import org.opensaml.SAMLBinding;
-import org.opensaml.SAMLBindingFactory;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLRequest;
-import org.opensaml.SAMLResponse;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-public abstract class SAMLv1_Base_QueryHandler extends BaseServiceHandler {
-
-       private static Logger log = Logger.getLogger(SAMLv1_Base_QueryHandler.class.getName());
-       protected SAMLBinding binding;
-
-       protected SAMLv1_Base_QueryHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-
-               try {
-                       binding = SAMLBindingFactory.getInstance(SAMLBinding.SOAP);
-               } catch (NoSuchProviderException e) {
-                       log.error("Unable to initialize SAML SOAP binding:" + e);
-                       throw new ShibbolethConfigurationException("Couldn't initialize " + getHandlerName() + " handler.");
-               }
-       }
-
-       protected SAMLRequest parseSAMLRequest(HttpServletRequest request) throws RequestHandlingException {
-
-               // Parse SOAP request and marshall SAML request object
-               SAMLRequest samlRequest = null;
-               try {
-                       samlRequest = binding.receive(request, 1);
-               } catch (SAMLException e) {
-                       log.error("Unable to parse request: " + e);
-                       throw new RequestHandlingException("Invalid request data.");
-               }
-
-               // If we have DEBUG logging turned on, dump out the request to the log
-               // This takes some processing, so only do it if we need to
-               if (log.isDebugEnabled()) {
-                       log
-                                       .debug("Dumping generated SAML Request:" + System.getProperty("line.separator")
-                                                       + samlRequest.toString());
-               }
-               return samlRequest;
-       }
-
-       protected void respondWithError(HttpServletResponse response, SAMLRequest samlRequest, SAMLException e)
-                       throws RequestHandlingException {
-
-               log.error("Error while processing request: " + e);
-               try {
-                       SAMLResponse samlResponse = new SAMLResponse((samlRequest != null) ? samlRequest.getId() : null, null,
-                                       null, e);
-                       if (log.isDebugEnabled()) {
-                               log.debug("Dumping generated SAML Error Response:" + System.getProperty("line.separator")
-                                               + samlResponse.toString());
-                       }
-                       binding.respond(response, samlResponse, null);
-                       log.debug("Returning SAML Error Response.");
-               } catch (SAMLException se) {
-                       try {
-                               binding.respond(response, null, e);
-                       } catch (SAMLException e1) {
-                               log.error("Caught exception while responding to requester: " + e.getMessage());
-                               throw new RequestHandlingException(e1.getMessage());
-                       }
-               }
-       }
-
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/SSOHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/SSOHandler.java
deleted file mode 100644 (file)
index cbf7921..0000000
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-import java.util.List;
-
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.log4j.Logger;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.NameMapper;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-
-/**
- * @author Walter Hoehn
- */
-public abstract class SSOHandler extends BaseHandler implements IdPProtocolHandler {
-
-       private static Logger log = Logger.getLogger(BaseHandler.class.getName());
-
-       /**
-        * Required DOM-based constructor.
-        */
-       public SSOHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-
-       }
-
-       public static void validateEngineData(HttpServletRequest req) throws InvalidClientDataException {
-
-               if ((req.getRemoteAddr() == null) || (req.getRemoteAddr().equals(""))) { throw new InvalidClientDataException(
-                               "Unable to obtain client address."); }
-       }
-
-       protected Date getAuthNTime(HttpServletRequest request) throws SAMLException {
-
-               // Determine, if possible, when the authentication actually happened
-               String suppliedAuthNInstant = request.getHeader("SAMLAuthenticationInstant");
-               if (suppliedAuthNInstant != null && !suppliedAuthNInstant.equals("")) {
-                       try {
-                               return new SimpleDateFormat().parse(suppliedAuthNInstant);
-                       } catch (ParseException e) {
-                               log.error("An error was encountered while receiving authentication "
-                                               + "instant from authentication mechanism: " + e);
-                               throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
-                       }
-               } else {
-                       return new Date(System.currentTimeMillis());
-               }
-       }
-
-       /**
-        * Constructs a SAML Name Identifier of a given principal that is most appropriate to the relying party.
-        * 
-        * @param mapper
-        *            name mapping facility
-        * @param principal
-        *            the principal represented by the name identifier
-        * @param relyingParty
-        *            the party that will consume the name identifier
-        * @param descriptor
-        *            metadata descriptor for the party that will consume the name identifier
-        * @return the SAML Name identifier
-        * @throws NameIdentifierMappingException
-        *             if a name identifier could not be created
-        */
-       protected SAMLNameIdentifier getNameIdentifier(NameMapper mapper, LocalPrincipal principal,
-                       RelyingParty relyingParty, EntityDescriptor descriptor) throws NameIdentifierMappingException {
-
-               String[] availableMappings = relyingParty.getNameMapperIds();
-
-               // If we have preferred Name Identifier formats from the metadata, see if the we can find one that is configured
-               // for this relying party
-               SPSSODescriptor role;
-               if (descriptor != null && (role = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM)) != null) {
-                       List<NameIDFormat> spPreferredFormats = role.getNameIDFormats();
-                       for (NameIDFormat preferredFormat : spPreferredFormats) {
-                               for (int i = 0; availableMappings != null && i < availableMappings.length; i++) {
-                                       NameIdentifierMapping mapping = mapper.getNameIdentifierMappingById(availableMappings[i]);
-                                       if (mapping != null
-                                                       && preferredFormat.getFormat().equals(mapping.getNameIdentifierFormat().toString())) {
-                                               log.debug("Found a supported name identifier format that "
-                                                               + "matches the metadata for the relying party: ("
-                                                               + mapping.getNameIdentifierFormat().toString() + ").");
-                                               return mapping.getNameIdentifier(principal, relyingParty, relyingParty.getIdentityProvider());
-                                       }
-                               }
-                       }
-               }
-
-               // If we didn't find any matches, then just use the default for the relying party
-               String defaultNameMapping = null;
-               if (availableMappings != null && availableMappings.length > 0) {
-                       defaultNameMapping = availableMappings[0];
-               }
-               SAMLNameIdentifier nameId = mapper.getNameIdentifier(defaultNameMapping, principal, relyingParty, relyingParty
-                               .getIdentityProvider());
-               log.debug("Using the default name identifier format for this relying party: (" + nameId.getFormat() + ").");
-               return nameId;
-       }
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java
deleted file mode 100644 (file)
index cd91d9b..0000000
+++ /dev/null
@@ -1,589 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Vector;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.bouncycastle.util.encoders.Base64;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAttribute;
-import org.opensaml.SAMLAttributeStatement;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLAuthenticationStatement;
-import org.opensaml.SAMLAuthorityBinding;
-import org.opensaml.SAMLBrowserProfile;
-import org.opensaml.SAMLCondition;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLResponse;
-import org.opensaml.SAMLStatement;
-import org.opensaml.SAMLSubject;
-import org.opensaml.SAMLSubjectStatement;
-import org.opensaml.artifact.Artifact;
-import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.aa.AAException;
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
-import edu.internet2.middleware.shibboleth.common.RelyingParty;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * <code>ProtocolHandler</code> implementation that responds to SSO flows as specified in "Shibboleth Architecture:
- * Protocols and Profiles".
- * 
- * @author Walter Hoehn
- */
-public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHandler {
-
-       private static Logger log = Logger.getLogger(ShibbolethV1SSOHandler.class.getName());
-
-       /**
-        * Required DOM-based constructor.
-        */
-       public ShibbolethV1SSOHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
-        *      javax.servlet.http.HttpServletResponse)
-        */
-       public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
-                       throws RequestHandlingException, ServletException {
-
-               try {
-
-                       // Set attributes that are needed by the jsp
-                       request.setAttribute("shire", request.getParameter("shire"));
-                       request.setAttribute("target", request.getParameter("target"));
-
-                       // Ensure that we have the required data from the servlet container
-                       validateEngineData(request);
-                       validateShibSpecificData(request);
-
-                       // Get the authN info
-                       String username = support.getIdPConfig().getAuthHeaderName().equalsIgnoreCase("REMOTE_USER") ? request
-                                       .getRemoteUser() : request.getHeader(support.getIdPConfig().getAuthHeaderName());
-                       if ((username == null) || (username.equals(""))) { throw new InvalidClientDataException(
-                                       "Unauthenticated principal. This protocol handler requires that authentication information be "
-                                                       + "provided from the servlet container."); }
-                       LocalPrincipal principal = new LocalPrincipal(username);
-
-                       // Select the appropriate Relying Party configuration for the request
-                       RelyingParty relyingParty = null;
-                       String remoteProviderId = request.getParameter("providerId");
-                       // If the SP did not send a Provider Id, then assume it is a Shib
-                       // 1.1 or older SP
-                       if (remoteProviderId == null || remoteProviderId.equals("")) {
-                               throw new InvalidClientDataException("Invalid or missing service provider id.");
-                       } else {
-                               log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
-                               relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
-                       }
-
-                       // Grab the metadata for the provider
-                       EntityDescriptor descriptor = null;
-                       try {
-                               descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
-                       } catch (MetadataProviderException e1) {
-                               log.error("Metadata lookup for provider (" + relyingParty.getProviderId() + ") encountered an error: "
-                                               + e1);
-                       }
-
-                       // Make sure that the selected relying party configuration is appropriate for this
-                       // acceptance URL
-                       String acceptanceURL = request.getParameter("shire");
-
-                       if (descriptor == null) {
-                               log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
-                               relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
-
-                       } else {
-                               if (isValidAssertionConsumerURL(descriptor, acceptanceURL)) {
-                                       log.info("Supplied consumer URL validated for this provider.");
-                               } else {
-                                       log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
-                                                       + relyingParty.getProviderId() + ").");
-                                       throw new InvalidClientDataException("Invalid assertion consumer service URL.");
-                               }
-                       }
-
-                       // Create SAML Name Identifier & Subject
-                       SAMLNameIdentifier nameId;
-
-                       nameId = getNameIdentifier(support.getNameMapper(), principal, relyingParty, descriptor);
-
-                       String authenticationMethod = request.getHeader("SAMLAuthenticationMethod");
-                       if (authenticationMethod == null || authenticationMethod.equals("")) {
-                               authenticationMethod = relyingParty.getDefaultAuthMethod().toString();
-                               log.debug("User was authenticated via the default method for this relying party ("
-                                               + authenticationMethod + ").");
-                       } else {
-                               log.debug("User was authenticated via the method (" + authenticationMethod + ").");
-                       }
-
-                       SAMLSubject authNSubject = new SAMLSubject(nameId, null, null, null);
-
-                       // Is this artifact or POST?
-                       boolean artifactProfile = useArtifactProfile(descriptor, acceptanceURL, relyingParty);
-
-                       // SAML Artifact profile - don't even attempt this for legacy providers (they don't support it)
-                       if (artifactProfile) {
-                               respondWithArtifact(request, response, support, principal, relyingParty, descriptor, acceptanceURL,
-                                               nameId, authenticationMethod, authNSubject);
-
-                               // SAML POST profile
-                       } else {
-                               respondWithPOST(request, response, support, principal, relyingParty, descriptor, acceptanceURL, nameId,
-                                               authenticationMethod, authNSubject);
-                       }
-               } catch (InvalidClientDataException e) {
-                       throw new RequestHandlingException("Unable to handle request.  Client data is invalid: " + e);
-               } catch (NameIdentifierMappingException e) {
-                       log.error("Error converting principal to SAML Name Identifier: " + e);
-                       throw new RequestHandlingException("Unable to handle request.  Error recognizing principal.");
-               } catch (SAMLException e) {
-                       log.error("Error creating SAML Response: " + e);
-                       throw new RequestHandlingException("Unalbe to handle request.  Error creating SAML Response.");
-               }
-       }
-
-       private void respondWithArtifact(HttpServletRequest request, HttpServletResponse response,
-                       IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
-                       EntityDescriptor descriptor, String acceptanceURL, SAMLNameIdentifier nameId, String authenticationMethod,
-                       SAMLSubject authNSubject) throws SAMLException, ServletException, RequestHandlingException {
-
-               log.debug("Responding with Artifact profile.");
-               ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
-
-               authNSubject.addConfirmationMethod(SAMLSubject.CONF_ARTIFACT);
-               assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
-                               getAuthNTime(request), authNSubject));
-
-               // Package attributes for push, if necessary.
-               if (pushAttributes(true, relyingParty)) {
-                       log.info("Resolving attributes for push.");
-                       generateAttributes(support, principal, relyingParty, assertions, request);
-               }
-
-               // Sign the assertions, if necessary
-               boolean metaDataIndicatesSignAssertions = false;
-               if (descriptor != null) {
-                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-                       if (sp != null) {
-                               if (sp.getWantAssertionsSigned()) {
-                                       metaDataIndicatesSignAssertions = true;
-                               }
-                       }
-               }
-               if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
-                       support.signAssertions((SAMLAssertion[]) assertions.toArray(new SAMLAssertion[0]), relyingParty);
-               }
-
-               // Create artifacts for each assertion
-               ArrayList<Artifact> artifacts = new ArrayList<Artifact>();
-               for (int i = 0; i < assertions.size(); i++) {
-                       SAMLAssertion assertion = (SAMLAssertion) assertions.get(i);
-                       Artifact artifact = support.getArtifactMapper().generateArtifact(assertion, relyingParty);
-                       artifacts.add(artifact);
-
-                       // Put attributes names in the transaction log when it is set to DEBUG
-                       if (support.getTransactionLog().isDebugEnabled()) {
-                               Iterator statements = assertion.getStatements();
-                               while (statements.hasNext()) {
-                                       SAMLStatement statement = (SAMLStatement) statements.next();
-                                       if (statement instanceof SAMLAttributeStatement) {
-                                               Iterator attributes = ((SAMLAttributeStatement) statement).getAttributes();
-                                               StringBuffer attributeBuffer = new StringBuffer();
-                                               while (attributes.hasNext()) {
-                                                       SAMLAttribute attribute = (SAMLAttribute) attributes.next();
-                                                       attributeBuffer.append("(" + attribute.getName() + ")");
-                                                       support.getTransactionLog().debug(
-                                                                       "Artifact (" + artifact.encode() + ") created with the following attributes: "
-                                                                                       + attributeBuffer.toString());
-                                               }
-                                       }
-                               }
-                       }
-               }
-
-               try {
-                       // Assemble the query string
-                       StringBuffer destination = new StringBuffer(acceptanceURL);
-                       destination.append("?TARGET=");
-
-                       destination.append(URLEncoder.encode(request.getParameter("target"), "UTF-8"));
-
-                       Iterator iterator = artifacts.iterator();
-                       StringBuffer artifactBuffer = new StringBuffer(); // Buffer for the transaction log
-
-                       // Construct the artifact query parameter
-                       while (iterator.hasNext()) {
-                               Artifact artifact = (Artifact) iterator.next();
-                               artifactBuffer.append("(" + artifact.encode() + ")");
-                               destination.append("&SAMLart=");
-                               destination.append(URLEncoder.encode(artifact.encode(), "UTF-8"));
-                       }
-
-                       log.debug("Redirecting to (" + destination.toString() + ").");
-
-                       response.sendRedirect(destination.toString());
-
-                       // Redirect to the artifact receiver
-                       support.getTransactionLog().info(
-                                       "Assertion artifact(s) (" + artifactBuffer.toString() + ") issued to provider ("
-                                                       + relyingParty.getProviderId() + ") on behalf of principal (" + principal.getName()
-                                                       + "). Name Identifier: (" + nameId.getName() + "). Name Identifier Format: ("
-                                                       + nameId.getFormat() + ").");
-               } catch (UnsupportedEncodingException e) {
-                       log.error("Error encoding URL: " + e);
-                       throw new RequestHandlingException("Unable to handle request.  URL Encoder malfuntion.");
-               } catch (IOException e) {
-                       log.error("Error issuing redirect: " + e);
-                       throw new ServletException(e);
-               }
-       }
-
-       public static boolean pushAttributeDefault = false;
-
-       private void respondWithPOST(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support,
-                       LocalPrincipal principal, RelyingParty relyingParty, EntityDescriptor descriptor, String acceptanceURL,
-                       SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject) throws SAMLException,
-                       ServletException {
-
-               log.debug("Responding with POST profile.");
-               ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
-               authNSubject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
-               assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
-                               getAuthNTime(request), authNSubject));
-
-               // Package attributes for push, if necessary.
-               if (pushAttributes(pushAttributeDefault, relyingParty)) {
-                       log.info("Resolving attributes for push.");
-                       generateAttributes(support, principal, relyingParty, assertions, request);
-               }
-
-               // Sign the assertions, if necessary
-               boolean metaDataIndicatesSignAssertions = false;
-               if (descriptor != null) {
-                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-                       if (sp != null) {
-                               if (sp.getWantAssertionsSigned()) {
-                                       metaDataIndicatesSignAssertions = true;
-                               }
-                       }
-               }
-               if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
-                       support.signAssertions((SAMLAssertion[]) assertions.toArray(new SAMLAssertion[0]), relyingParty);
-               }
-
-               // Set attributes needed by form
-               request.setAttribute("acceptanceURL", acceptanceURL);
-               request.setAttribute("target", request.getParameter("target"));
-
-               SAMLResponse samlResponse = new SAMLResponse(null, acceptanceURL, assertions, null);
-
-               support.signResponse(samlResponse, relyingParty);
-
-               try {
-                       createPOSTForm(request, response, samlResponse.toBase64());
-               } catch (IOException e) {
-                       log.error("Error creating POST Form: " + e);
-                       throw new ServletException(e);
-               }
-
-               // Make transaction log entry
-               support.getTransactionLog().info(
-                               "Authentication assertion issued to provider (" + relyingParty.getProviderId()
-                                               + ") on behalf of principal (" + principal.getName() + "). Name Identifier: ("
-                                               + nameId.getName() + "). Name Identifier Format: (" + nameId.getFormat() + ").");
-
-       }
-
-       private void generateAttributes(IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
-                       ArrayList<SAMLAssertion> assertions, HttpServletRequest request) throws SAMLException {
-
-               try {
-                       Collection<? extends SAMLAttribute> attributes = support.getReleaseAttributes(principal, relyingParty,
-                                       relyingParty.getProviderId());
-                       log.info("Found " + attributes.size() + " attribute(s) for " + principal.getName());
-
-                       // Bail if we didn't get any attributes
-                       if (attributes == null || attributes.size() < 1) {
-                               log.info("No attributes resolved.");
-                               return;
-                       }
-
-                       // Reference requested subject
-                       SAMLSubject attrSubject = (SAMLSubject) ((SAMLSubjectStatement) ((SAMLAssertion) assertions.get(0))
-                                       .getStatements().next()).getSubject().clone();
-
-                       // May be one assertion or two.
-                       if (relyingParty.singleAssertion()) {
-                               log.debug("merging attributes into existing authn assertion");
-                               // Put all attributes into an assertion
-                               ((SAMLAssertion) assertions.get(0)).addStatement(new SAMLAttributeStatement(attrSubject, Arrays
-                                               .asList(attributes)));
-
-                               if (log.isDebugEnabled()) {
-                                       log.debug("Dumping combined Assertion:" + System.getProperty("line.separator")
-                                                       + assertions.get(0).toString());
-                               }
-                       } else {
-                               ArrayList<String> audiences = new ArrayList<String>();
-                               if (relyingParty.getProviderId() != null) {
-                                       audiences.add(relyingParty.getProviderId());
-                               }
-                               if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
-                                       audiences.add(relyingParty.getName());
-                               }
-                               String remoteProviderId = request.getParameter("providerId");
-                               if (remoteProviderId != null && !remoteProviderId.equals("") && !audiences.contains(remoteProviderId)) {
-                                       audiences.add(remoteProviderId);
-                               }
-
-                               SAMLCondition condition = new SAMLAudienceRestrictionCondition(audiences);
-
-                               // Put all attributes into an assertion
-                               SAMLStatement statement = new SAMLAttributeStatement(attrSubject, attributes);
-
-                               // Set assertion expiration to longest attribute expiration
-                               long max = 0;
-                               for (SAMLAttribute attribute : attributes) {
-                                       if (max < attribute.getLifetime()) {
-                                               max = attribute.getLifetime();
-                                       }
-                               }
-                               Date now = new Date();
-                               Date then = new Date(now.getTime() + (max * 1000)); // max is in seconds
-
-                               SAMLAssertion attrAssertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(),
-                                               now, then, Collections.singleton(condition), null, Collections.singleton(statement));
-                               assertions.add(attrAssertion);
-
-                               if (log.isDebugEnabled()) {
-                                       log.debug("Dumping generated Attribute Assertion:" + System.getProperty("line.separator")
-                                                       + attrAssertion.toString());
-                               }
-                       }
-               } catch (AAException e) {
-                       log.error("An error was encountered while generating assertion for attribute push: " + e);
-                       throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
-               } catch (CloneNotSupportedException e) {
-                       log.error("An error was encountered while generating assertion for attribute push: " + e);
-                       throw new SAMLException(SAMLException.RESPONDER, "General error processing request.");
-               }
-       }
-
-       private SAMLAssertion generateAuthNAssertion(HttpServletRequest request, RelyingParty relyingParty,
-                       EntityDescriptor descriptor, SAMLNameIdentifier nameId, String authenticationMethod, Date authTime,
-                       SAMLSubject subject) throws SAMLException {
-
-               // Determine the correct audiences
-               ArrayList<String> audiences = new ArrayList<String>();
-               if (relyingParty.getProviderId() != null) {
-                       audiences.add(relyingParty.getProviderId());
-               }
-               if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
-                       audiences.add(relyingParty.getName());
-               }
-               String remoteProviderId = request.getParameter("providerId");
-               if (remoteProviderId != null && !remoteProviderId.equals("") && !audiences.contains(remoteProviderId)) {
-                       audiences.add(remoteProviderId);
-               }
-
-               // Determine the correct issuer
-               String issuer = relyingParty.getIdentityProvider().getProviderId();
-
-               ArrayList<SAMLAuthorityBinding> bindings = new ArrayList<SAMLAuthorityBinding>();
-
-               // Create the assertion
-               Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
-               if (audiences != null && audiences.size() > 0) conditions.add(new SAMLAudienceRestrictionCondition(audiences));
-
-               SAMLStatement[] statements = {new SAMLAuthenticationStatement(subject, authenticationMethod, authTime, request
-                               .getRemoteAddr(), null, bindings)};
-
-               SAMLAssertion assertion = new SAMLAssertion(issuer, new Date(System.currentTimeMillis()), new Date(System
-                               .currentTimeMillis() + 300000), conditions, null, Arrays.asList(statements));
-
-               if (log.isDebugEnabled()) {
-                       log.debug("Dumping generated AuthN Assertion:" + System.getProperty("line.separator")
-                                       + assertion.toString());
-               }
-
-               return assertion;
-       }
-
-       /*
-        * @see edu.internet2.middleware.shibboleth.idp.IdPResponder.ProtocolHandler#getHandlerName()
-        */
-       public String getHandlerName() {
-
-               return "Shibboleth v1.x SSO";
-       }
-
-       private void validateShibSpecificData(HttpServletRequest request) throws InvalidClientDataException {
-
-               if (request.getParameter("target") == null || request.getParameter("target").equals("")) { throw new InvalidClientDataException(
-                               "Invalid data from Service Provider: no target URL received."); }
-               if ((request.getParameter("shire") == null) || (request.getParameter("shire").equals(""))) { throw new InvalidClientDataException(
-                               "Invalid data from Service Provider: No acceptance URL received."); }
-       }
-
-       private static void createPOSTForm(HttpServletRequest req, HttpServletResponse res, byte[] buf) throws IOException,
-                       ServletException {
-
-               // Hardcoded to ASCII to ensure Base64 encoding compatibility
-               req.setAttribute("assertion", new String(buf, "ASCII"));
-
-               if (log.isDebugEnabled()) {
-                       log.debug("Dumping generated SAML Response:" + System.getProperty("line.separator")
-                                       + new String(Base64.decode(buf)));
-               }
-
-               RequestDispatcher rd = req.getRequestDispatcher("/IdP.jsp");
-               rd.forward(req, res);
-       }
-
-       /**
-        * Boolean indication of which browser profile is in effect. "true" indicates Artifact and "false" indicates POST.
-        */
-       private static boolean useArtifactProfile(EntityDescriptor descriptor, String acceptanceURL,
-                       RelyingParty relyingParty) {
-
-               boolean artifactMeta = false;
-               boolean postMeta = false;
-
-               // Look at the metadata bindings, if we can find them
-               if (descriptor != null) {
-                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-
-                       if (sp != null) {
-
-                               // See if this is the default endpoint location.
-                               AssertionConsumerService defaultEndpoint = sp.getDefaultAssertionConsumerService();
-                               if (defaultEndpoint != null && defaultEndpoint.getLocation().equals(acceptanceURL)) {
-                                       // If we recognize the default binding, this is the one to use.
-                                       if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_POST_URI)) return false;
-                                       else if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_ARTIFACT_URI)) return true;
-                               }
-                               // If not, look through everything we have
-                               List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
-                               for (AssertionConsumerService ep : endpoints) {
-                                       if (acceptanceURL.equals(ep.getLocation())
-                                                       && SAMLBrowserProfile.PROFILE_POST_URI.equals(ep.getBinding())) {
-                                               log.debug("Metadata indicates support for POST profile.");
-                                               postMeta = true;
-                                               continue;
-                                       }
-                               }
-
-                               endpoints = sp.getAssertionConsumerServices();
-                               for (AssertionConsumerService ep : endpoints) {
-                                       if (acceptanceURL.equals(ep.getLocation())
-                                                       && SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(ep.getBinding())) {
-                                               log.debug("Metadata indicates support for Artifact profile.");
-                                               artifactMeta = true;
-                                               continue;
-                                       }
-                               }
-                       }
-               }
-
-               // If we have metadata for both, use the relying party default
-               if (!(artifactMeta && postMeta)) {
-
-                       // If we only have metadata for one, use it
-                       if (artifactMeta) { return true; }
-                       if (postMeta) { return false; }
-
-               }
-
-               // If we have missing or incomplete metadata, use relying party default
-               if (relyingParty.defaultToPOSTProfile()) {
-                       return false;
-               } else {
-                       return true;
-               }
-       }
-
-       /**
-        * Boolean indication of whether an assertion containing an attribute statement should be bundled in the response
-        * with the assertion containing the AuthN statement.
-        */
-       private static boolean pushAttributes(boolean artifactProfile, RelyingParty relyingParty) {
-
-               // By default push for Artifact and don't push for POST
-               // This can be overriden at the level of the relying party
-               if (relyingParty.forceAttributePush()) {
-                       return true;
-               } else if (relyingParty.forceAttributeNoPush()) {
-                       return false;
-               } else if (artifactProfile) {
-                       return true;
-               } else {
-                       return false;
-               }
-       }
-
-       /**
-        * Boolean indication of whethere or not a given assertion consumer URL is valid for a given SP.
-        */
-       private static boolean isValidAssertionConsumerURL(EntityDescriptor descriptor, String shireURL)
-                       throws InvalidClientDataException {
-
-               SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-               if (sp == null) {
-                       log.info("Inappropriate metadata for provider.");
-                       return false;
-               }
-
-               List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
-               for (AssertionConsumerService endpoint : endpoints) {
-                       if (shireURL.equals(endpoint.getLocation())) { return true; }
-               }
-               log.info("Supplied consumer URL not found in metadata.");
-               return false;
-       }
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/idp/provider/Shibboleth_StatusHandler.java b/src/edu/internet2/middleware/shibboleth/idp/provider/Shibboleth_StatusHandler.java
deleted file mode 100644 (file)
index 384ef47..0000000
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.idp.provider;
-
-import java.io.IOException;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.w3c.dom.Element;
-
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.idp.RequestHandlingException;
-
-/**
- * Special handler that allows one to "ping" the IdP to make sure it is alive
- * 
- * @author Walter Hoehn
- */
-public class Shibboleth_StatusHandler extends BaseHandler implements IdPProtocolHandler {
-
-       public Shibboleth_StatusHandler(Element config) throws ShibbolethConfigurationException {
-
-               super(config);
-       }
-
-       /**
-        * @see edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler#getHandlerName()
-        */
-       public String getHandlerName() {
-
-               return "Shibboleth Status";
-       }
-
-       /**
-        * @see edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler#processRequest(javax.servlet.http.HttpServletRequest,
-        *      javax.servlet.http.HttpServletResponse, org.opensaml.SAMLRequest,
-        *      edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport)
-        */
-       public void processRequest(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support)
-                       throws RequestHandlingException, ServletException {
-
-               try {
-                       response.setContentType("text/plain");
-                       response.getWriter().println("AVAILABLE");
-               } catch (IOException e) {
-                       throw new ServletException(e);
-               }
-       }
-
-}
diff --git a/src/edu/internet2/middleware/shibboleth/utils/Base32.java b/src/edu/internet2/middleware/shibboleth/utils/Base32.java
deleted file mode 100644 (file)
index 9abcae7..0000000
+++ /dev/null
@@ -1,278 +0,0 @@
-/* (PD) 2001 The Bitzi Corporation
- * Please see http://bitzi.com/publicdomain for more info.
- *
- * Base32.java
- *
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-/**
- * Base32 - encodes and decodes 'Canonical' Base32
- *
- * @author  Robert Kaye & Gordon Mohr
- */
-public class Base32 {
-
-       /* lookup table used to encode() groups of 5 bits of data */
-       private static final String base32Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-
-       /* lookup table used to decode() characters in Base32 strings */
-       private static final byte[] base32Lookup =
-               { 26,27,28,29,30,31,-1,-1,-1,-1,-1,-1,-1,-1,       //   23456789:;<=>?
-                 -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14, // @ABCDEFGHIJKLMNO
-                 15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1, // PQRSTUVWXYZ[\]^_
-                 -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14, // `abcdefghijklmno
-                 15,16,17,18,19,20,21,22,23,24,25                 // pqrstuvwxyz
-               };
-
-       /* Messsages for Illegal Parameter Exceptions in decode() */
-       private static final String errorCanonicalLength = "non canonical Base32 string length";
-       private static final String errorCanonicalEnd    = "non canonical bits at end of Base32 string";
-       private static final String errorInvalidChar     = "invalid character in Base32 string";
-
-       /**
-        * Encode an array of binary bytes into a Base32 string.
-        * Should not fail (the only possible exception is that the
-        * returned string cannot be allocated in memory)
-        */    
-       static public String encode(final byte[] bytes) {
-    
-               StringBuffer base32 = new StringBuffer((bytes.length * 8 + 4) / 5);
-               int currByte, digit, i = 0;
-
-               while (i < bytes.length) {
-               
-                       // INVARIANTS FOR EACH STEP n in [0..5[; digit in [0..31[; 
-                       // The remaining n bits are already aligned on top positions
-                       // of the 5 least bits of digit, the other bits are 0.
-                       
-                       // STEP n = 0; insert new 5 bits, leave 3 bits
-                       currByte = bytes[i++] & 255;
-                       base32.append(base32Chars.charAt(currByte >> 3));
-                       digit = (currByte & 7) << 2;
-                       if (i >= bytes.length) { // put the last 3 bits
-                               base32.append(base32Chars.charAt(digit));
-                               break;
-                       }
-            
-
-                       // STEP n = 3: insert 2 new bits, then 5 bits, leave 1 bit
-                       currByte = bytes[i++] & 255;
-                       base32.append(base32Chars.charAt(digit | (currByte >> 6)));
-                       base32.append(base32Chars.charAt((currByte >> 1) & 31));
-                       digit = (currByte & 1) << 4;
-                       if (i >= bytes.length) { // put the last 1 bit
-                               base32.append(base32Chars.charAt(digit));
-                               break;
-                       }
-
-                       // STEP n = 1: insert 4 new bits, leave 4 bit
-                       currByte = bytes[i++] & 255;
-                       base32.append(base32Chars.charAt(digit | (currByte >> 4)));
-                       digit = (currByte & 15) << 1;
-                       if (i >= bytes.length) { // put the last 4 bits
-                               base32.append(base32Chars.charAt(digit));
-                               break;
-                       }
-
-                       // STEP n = 4: insert 1 new bit, then 5 bits, leave 2 bits
-                       currByte = bytes[i++] & 255;
-                       base32.append(base32Chars.charAt(digit | (currByte >> 7)));
-                       base32.append(base32Chars.charAt((currByte >> 2) & 31));
-                       digit = (currByte & 3) << 3;
-                       if (i >= bytes.length) { // put the last 2 bits
-                               base32.append(base32Chars.charAt(digit));
-                               break;
-                       }
-
-                       // STEP n = 2: insert 3 new bits, then 5 bits, leave 0 bit
-                       currByte = bytes[i++] & 255;
-                       base32.append(base32Chars.charAt(digit | (currByte >> 5)));
-                       base32.append(base32Chars.charAt(currByte & 31));
-                       //// This point is reached for bytes.length multiple of 5
-               }
-       
-               return base32.toString();
-       }
-
-   
-       /**
-        * Decode a Base32 string into an array of binary bytes.
-        * May fail if the parameter is a non canonical Base32 string   
-        * (the only other possible exception is that the
-        * returned array cannot be allocated in memory)
-        */    
-       static public byte[] decode(final String base32) throws IllegalArgumentException {
-
-       // Note that the code below detects could detect non canonical
-       // Base32 length within the loop. However canonical Base32 length
-       // can be tested before entering the loop.
-       // A canonical Base32 length modulo 8 cannot be:
-       // 1 (aborts discarding 5 bits at STEP n=0 which produces no byte),
-       // 3 (aborts discarding 7 bits at STEP n=2 which produces no byte),
-       // 6 (aborts discarding 6 bits at STEP n=1 which produces no byte)
-       // So these tests could be avoided within the loop.
-       switch (base32.length() % 8) { // test the length of last subblock
-
-               case 1: //  5 bits in subblock:  0 useful bits but 5 discarded
-               case 3: // 15 bits in subblock:  8 useful bits but 7 discarded
-               case 6: // 30 bits in subblock: 24 useful bits but 6 discarded
-          
-               throw new IllegalArgumentException(errorCanonicalLength);
-       }
-
-       byte[] bytes = new byte[base32.length() * 5 / 8];
-       int offset = 0, i = 0, lookup;
-       byte nextByte, digit;
-
-       // Also the code below does test that other discarded bits
-       // (1 to 4 bits at end) are effectively 0.
-       while (i < base32.length()) {
-               // Read the 1st char in a 8-chars subblock
-               // check that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 0: leave 5 bits
-               nextByte = (byte)(digit << 3);
-               // Assert(i < base32.length) // tested before loop
-               // Read the 2nd char in a 8-chars subblock
-               // Check that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 5: insert 3 bits, leave 2 bits
-               bytes[offset++] = (byte)(nextByte | (digit >> 2));
-               nextByte = (byte)((digit & 3) << 6);
-               if (i >= base32.length()) {
-                       if (nextByte != (byte)0) {
-                               throw new IllegalArgumentException(errorCanonicalEnd);
-                       }
-                       break; // discard the remaining 2 bits
-               }
-
-               // Read the 3rd char in a 8-chars subblock
-               // Check that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 2: leave 7 bits
-               nextByte |= (byte)(digit << 1);
-               // Assert(i < base32.length) // tested before loop
-               // Read the 4th char in a 8-chars subblock
-               // Check that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 7: insert 1 bit, leave 4 bits
-               bytes[offset++] = (byte)(nextByte | (digit >> 4));
-               nextByte = (byte)((digit & 15) << 4);
-               if (i >= base32.length()) {
-                       if (nextByte != (byte)0) {
-                               throw new IllegalArgumentException(errorCanonicalEnd);
-                       }
-                       break; // discard the remaining 4 bits
-               }
-
-               // Read the 5th char in a 8-chars subblock
-               // Assert that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 4: insert 4 bits, leave 1 bit
-               bytes[offset++] = (byte)(nextByte | (digit >> 1));
-               nextByte = (byte)((digit & 1) << 7);
-               if (i >= base32.length()) {
-                       if (nextByte != (byte)0) {
-                               throw new IllegalArgumentException(errorCanonicalEnd);
-                       }
-                       break; // discard the remaining 1 bit
-               }
-
-               // Read the 6th char in a 8-chars subblock
-               // Check that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 1: leave 6 bits
-               nextByte |= (byte)(digit << 2);
-               // Assert(i < base32.length) // tested before loop
-               // Read the 7th char in a 8-chars subblock
-               // Check that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 6: insert 2 bits, leave 3 bits
-               bytes[offset++] = (byte)(nextByte | (digit >> 3));
-               nextByte = (byte)((digit & 7) << 5);
-               if (i >= base32.length()) {
-                       if (nextByte != (byte)0) {
-                               throw new IllegalArgumentException(errorCanonicalEnd);
-                       }
-                       break; // discard the remaining 3 bits
-               }
-        
-               // Read the 8th char in a 8-chars subblock
-               // Check that chars are not outside the lookup table and valid
-               lookup = base32.charAt(i++) - '2';
-               if (lookup < 0 || lookup >= base32Lookup.length) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-               digit = base32Lookup[lookup];
-               if (digit == -1) {
-                       throw new IllegalArgumentException(errorInvalidChar);
-               }
-
-               // STEP n = 3: insert 5 bits, leave 0 bit
-               bytes[offset++] = (byte)(nextByte | digit);
-               // possible end of string here with no trailing bits
-       }
-
-               // On loop exit, discard trialing n bits.
-               return bytes;
-       }
-}
-
diff --git a/src/edu/internet2/middleware/shibboleth/utils/ClientCertTrustFilter.java b/src/edu/internet2/middleware/shibboleth/utils/ClientCertTrustFilter.java
deleted file mode 100644 (file)
index 51f42d9..0000000
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.apache.log4j.MDC;
-
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-
-/**
- * Simple Servlet Filter that populates the ServletRequest with data from a client certificate. Relies on external
- * mechanisms to properly authorize the certificate.
- * 
- * @author Walter Hoehn
- */
-public class ClientCertTrustFilter implements Filter {
-
-       private static Logger log = Logger.getLogger(ClientCertTrustFilter.class.getName());
-       protected Pattern regex = Pattern.compile(".*CN=([^,/]+).*");
-       protected int matchGroup = 1;
-
-       /**
-        * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
-        */
-       public void init(FilterConfig config) throws ServletException {
-
-               if (config.getInitParameter("regex") != null) {
-                       try {
-                               regex = Pattern.compile(config.getInitParameter("regex"));
-                       } catch (PatternSyntaxException e) {
-                               throw new ServletException(
-                                               "Failed to start ClientCertTrustFilter: supplied regular expression fails to compile.");
-                       }
-               }
-
-               if (config.getInitParameter("matchGroup") != null) {
-                       try {
-                               matchGroup = Integer.parseInt(config.getInitParameter("matchGroup"));
-                       } catch (NumberFormatException e) {
-                               throw new ServletException(
-                                               "Failed to start ClientCertTrustFilter: supplied matchGroup is not an integer.");
-                       }
-               }
-       }
-
-       /**
-        * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
-        *      javax.servlet.FilterChain)
-        */
-       public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
-                       ServletException {
-
-               MDC.put("serviceId", "[Client Cert Trust Filter]");
-
-               if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
-                       log.error("Only HTTP(s) requests are supported by the ClientCertTrustFilter.");
-                       return;
-               }
-               HttpServletRequest httpRequest = (HttpServletRequest) request;
-               HttpServletResponse httpResponse = (HttpServletResponse) response;
-
-               log.debug("Using regex: (" + regex.pattern() + ").");
-               log.debug("Using matchGroup of (" + matchGroup + ")");
-
-               X509Certificate[] certs = (X509Certificate[]) httpRequest.getAttribute("javax.servlet.request.X509Certificate");
-               if (certs == null) {
-                       log.error("Processed a request that did not contain a client certificate.");
-                       httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required.");
-                       return;
-               }
-
-               log.debug("Attempting to extract principal name from Subjet: (" + certs[0].getSubjectDN().getName() + ").");
-               Matcher matches = regex.matcher(certs[0].getSubjectDN().getName());
-               if (!matches.find()) {
-                       log.error("Principal could not be extracted from Certificate Subject.");
-                       httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN,
-                                       "Client certificate does not contain required data.");
-                       return;
-               }
-               String principalName;
-               try {
-                       principalName = matches.group(matchGroup);
-               } catch (IndexOutOfBoundsException e) {
-                       log.error("Principal could not be extracted from Certificate Subject: matchGroup out of bounds.");
-                       httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN,
-                                       "Client certificate does not contain required data.");
-                       return;
-               }
-               log.debug("Extracted principal name (" + principalName + ") from Subject.");
-               chain.doFilter(new ClientCertTrustWrapper(httpRequest, new LocalPrincipal(principalName)), response);
-       }
-
-       /**
-        * @see javax.servlet.Filter#destroy()
-        */
-       public void destroy() {
-
-       // required by interface
-       // no resources to clean
-       }
-
-       /**
-        * <code>HttpServletRequest</code> wrapper class. Returns a locally specified principal and hardcoded authType.
-        */
-       private class ClientCertTrustWrapper extends HttpServletRequestWrapper {
-
-               private Principal principal;
-
-               private ClientCertTrustWrapper(HttpServletRequest request, Principal principal) {
-
-                       super(request);
-                       this.principal = principal;
-               }
-
-               /**
-                * @see javax.servlet.http.HttpServletRequest#getAuthType()
-                */
-               public String getAuthType() {
-
-                       return HttpServletRequest.CLIENT_CERT_AUTH;
-               }
-
-               /**
-                * @see javax.servlet.http.HttpServletRequest#getRemoteUser()
-                */
-               public String getRemoteUser() {
-
-                       return principal.getName();
-               }
-
-               /**
-                * @see javax.servlet.http.HttpServletRequest#getUserPrincipal()
-                */
-               public Principal getUserPrincipal() {
-
-                       return principal;
-               }
-       }
-
-}
\ No newline at end of file
diff --git a/src/edu/internet2/middleware/shibboleth/utils/HandleRepositorySecretGenerator.java b/src/edu/internet2/middleware/shibboleth/utils/HandleRepositorySecretGenerator.java
deleted file mode 100755 (executable)
index 7afb04a..0000000
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.SecureRandom;
-
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.DESedeKeySpec;
-
-import org.apache.tools.ant.BuildException;
-import org.apache.tools.ant.Task;
-
-/**
- * Generates a Triple DES key and sticks it in the default location for use by the <code>CryptoHandleRepository</code>
- * 
- * @author Walter Hoehn (wassa@columbia.edu)
- */
-public class HandleRepositorySecretGenerator extends Task {
-
-       private File keyStorePath;
-       private String keyStorePassword;
-       private String keyStoreKeyAlias;
-       private String keyStoreKeyPassword;
-
-       public void execute() throws BuildException {
-
-               try {
-                       if (keyStorePath == null || keyStorePassword == null || keyStoreKeyAlias == null
-                                       || keyStoreKeyPassword == null) { throw new BuildException("Missing required parameter."); }
-                       log("Generating secret.");
-                       SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
-                       byte[] pseudoRand = new byte[24];
-                       new SecureRandom().nextBytes(pseudoRand);
-                       SecretKey secret = keyFactory.generateSecret(new DESedeKeySpec(pseudoRand));
-
-                       log("Writing keystore.");
-                       KeyStore keyStore = KeyStore.getInstance("JCEKS");
-                       keyStore.load(null, keyStorePassword.toCharArray());
-                       keyStore.setKeyEntry(keyStoreKeyAlias, secret, keyStoreKeyPassword.toCharArray(), null);
-                       keyStore.store(new FileOutputStream(keyStorePath), keyStorePassword.toCharArray());
-
-               } catch (GeneralSecurityException e) {
-                       throw new BuildException("Unable to generate secret: " + e);
-               } catch (IOException e) {
-                       throw new BuildException("Unable to store secret in keystore: " + e);
-               }
-       }
-
-       /**
-        * Sets the keyStoreKeyAlias.
-        * 
-        * @param keyStoreKeyAlias
-        *            The keyStoreKeyAlias to set
-        */
-       public void setKeyStoreKeyAlias(String keyStoreKeyAlias) {
-
-               this.keyStoreKeyAlias = keyStoreKeyAlias;
-       }
-
-       /**
-        * Sets the keyStoreKeyPassword.
-        * 
-        * @param keyStoreKeyPassword
-        *            The keyStoreKeyPassword to set
-        */
-       public void setKeyStoreKeyPassword(String keyStoreKeyPassword) {
-
-               this.keyStoreKeyPassword = keyStoreKeyPassword;
-       }
-
-       /**
-        * Sets the keyStorePassword.
-        * 
-        * @param keyStorePassword
-        *            The keyStorePassword to set
-        */
-       public void setKeyStorePassword(String keyStorePassword) {
-
-               this.keyStorePassword = keyStorePassword;
-       }
-
-       /**
-        * Sets the keyStorePath.
-        * 
-        * @param keyStorePath
-        *            The keyStorePath to set
-        */
-       public void setKeyStorePath(File keyStorePath) {
-
-               this.keyStorePath = keyStorePath;
-       }
-
-}
diff --git a/src/edu/internet2/middleware/shibboleth/utils/KerberosPrincipalFilter.java b/src/edu/internet2/middleware/shibboleth/utils/KerberosPrincipalFilter.java
deleted file mode 100644 (file)
index 20e64df..0000000
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.log4j.Logger;
-import org.apache.log4j.MDC;
-
-/**
- * Simple Servlet Filter that strips realm information from Kerberos authenticated container-managed security
- * 
- * @author Scott Cantor
- */
-public class KerberosPrincipalFilter implements Filter {
-
-       private static Logger log = Logger.getLogger(KerberosPrincipalFilter.class.getName());
-
-       /**
-        * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
-        */
-       public void init(FilterConfig config) throws ServletException {
-
-       }
-
-       /**
-        * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
-        *      javax.servlet.FilterChain)
-        */
-       public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
-                       ServletException {
-
-               if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
-                       MDC.put("serviceId", "[Kerberos Principal Filter]");
-                       log.error("Only HTTP(s) requests are supported by the KerberosPrincipalFilter.");
-                       return;
-               }
-               HttpServletRequest httpRequest = (HttpServletRequest) request;
-
-               String name = httpRequest.getRemoteUser();
-               if (name != null) {
-                       int split = name.indexOf('@');
-                       if (split > -1) {
-                               name = name.substring(0, split);
-                               chain.doFilter(new KerberosPrincipalWrapper(httpRequest, new PrincipalImpl(name)), response);
-                               return;
-                       }
-               }
-               chain.doFilter(request, response);
-       }
-
-       /**
-        * @see javax.servlet.Filter#destroy()
-        */
-       public void destroy() {
-
-       }
-
-       class KerberosPrincipalWrapper extends HttpServletRequestWrapper {
-
-               Principal principal;
-
-               KerberosPrincipalWrapper(HttpServletRequest request, Principal principal) {
-
-                       super(request);
-                       this.principal = principal;
-               }
-
-               /**
-                * @see javax.servlet.http.HttpServletRequest#getRemoteUser()
-                */
-               public String getRemoteUser() {
-
-                       return principal.getName();
-               }
-
-               /**
-                * @see javax.servlet.http.HttpServletRequest#getUserPrincipal()
-                */
-               public Principal getUserPrincipal() {
-
-                       return principal;
-               }
-       }
-
-       class PrincipalImpl implements Principal {
-
-               private String name = null;
-
-               PrincipalImpl(String name) {
-
-                       this.name = name;
-               }
-
-               /**
-                * @see java.security.Principal#getName()
-                */
-               public String getName() {
-
-                       return name;
-               }
-
-               /**
-                * @see java.lang.Object#equals(java.lang.Object)
-                */
-               public boolean equals(Object obj) {
-
-                       return name.equals(obj);
-               }
-
-               /**
-                * @see java.lang.Object#toString()
-                */
-               public String toString() {
-
-                       return name;
-               }
-
-       }
-}
diff --git a/src/edu/internet2/middleware/shibboleth/utils/ResolverTest.java b/src/edu/internet2/middleware/shibboleth/utils/ResolverTest.java
deleted file mode 100644 (file)
index 36feebe..0000000
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import jargs.gnu.CmdLineParser;
-
-import java.io.PrintStream;
-import java.io.PrintWriter;
-import java.io.StringWriter;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
-
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-
-import org.apache.log4j.ConsoleAppender;
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.apache.log4j.PatternLayout;
-import org.opensaml.SAMLException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-
-import edu.internet2.middleware.shibboleth.aa.AAAttribute;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpException;
-import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
-import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
-import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolverException;
-import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
-import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
-import edu.internet2.middleware.shibboleth.idp.IdPConfig;
-import edu.internet2.middleware.shibboleth.idp.IdPConfigLoader;
-
-/**
- * Utility for testing an Attribute Resolver configuration.
- * 
- * @author Walter Hoehn
- * @author Noah Levitt
- */
-public class ResolverTest {
-
-       private static boolean debug = false;
-       private static String resolverxml = null;
-       private static String idpXml = null;
-       private static String requester = null;
-       private static String responder = null;
-       private static String user = null;
-       private static AttributeResolver resolver = null;
-       private static ArpEngine arpEngine = null;
-
-       public static void main(String[] args) {
-
-               parseCommandLine(args);
-               initializeResolver();
-               Map<String, AAAttribute> attributeSet = createAttributeSet();
-               resolveAttributes(attributeSet);
-
-               System.out.println("Received the following from the Attribute Resolver:");
-               System.out.println();
-               printAttributes(System.out, attributeSet.values());
-       }
-
-       private static void resolveAttributes(Map<String, AAAttribute> attributeSet) {
-
-               Principal principal = new LocalPrincipal(user);
-
-               resolver.resolveAttributes(principal, requester, responder, attributeSet);
-
-               try {
-                       if (arpEngine != null) {
-                               arpEngine.filterAttributes(attributeSet.values(), principal, requester);
-                       }
-               } catch (ArpProcessingException e) {
-                       System.err.println("Error applying Attribute Release Policy: " + e.getMessage());
-                       System.exit(1);
-               }
-       }
-
-       private static void parseCommandLine(String[] args) {
-
-               CmdLineParser parser = new CmdLineParser();
-
-               CmdLineParser.Option helpOption = parser.addBooleanOption('h', "help");
-               CmdLineParser.Option debugOption = parser.addBooleanOption('d', "debug");
-               CmdLineParser.Option idpXmlOption = parser.addStringOption('\u0000', "idpXml");
-               CmdLineParser.Option userOption = parser.addStringOption('u', "user");
-               CmdLineParser.Option requesterOption = parser.addStringOption('r', "requester");
-               CmdLineParser.Option responderOption = parser.addStringOption('i', "responder");
-               CmdLineParser.Option resolverxmlOption = parser.addStringOption('\u0000', "resolverxml");
-               CmdLineParser.Option fileOption = parser.addStringOption('f', "file"); // deprecated
-
-               try {
-                       parser.parse(args);
-               } catch (CmdLineParser.OptionException e) {
-                       System.out.println(e.getMessage());
-                       printUsage(System.out);
-                       System.exit(1);
-               }
-
-               Boolean helpEnabled = (Boolean) parser.getOptionValue(helpOption);
-               if (helpEnabled != null && helpEnabled.booleanValue()) {
-                       printUsage(System.out);
-                       System.exit(0);
-               }
-
-               Boolean debugEnabled = ((Boolean) parser.getOptionValue(debugOption));
-               if (debugEnabled != null) {
-                       debug = debugEnabled.booleanValue();
-               }
-
-               // if --resolverxml and --file both specified, silently use --resolverxml
-               resolverxml = (String) parser.getOptionValue(resolverxmlOption);
-               if (resolverxml == null) {
-                       resolverxml = (String) parser.getOptionValue(fileOption);
-               }
-
-               idpXml = (String) parser.getOptionValue(idpXmlOption);
-
-               user = (String) parser.getOptionValue(userOption);
-               requester = (String) parser.getOptionValue(requesterOption);
-               responder = (String) parser.getOptionValue(responderOption);
-
-               configureLogging(debug);
-               checkRequired();
-       }
-
-       /**
-        * Ensures that all required parameters were specified and successfully parsed.
-        */
-       private static void checkRequired() {
-
-               if (user == null) {
-                       System.out.println("Missing required parameter --user.");
-                       System.out.println();
-                       printUsage(System.out);
-                       System.exit(1);
-               }
-               if ((resolverxml == null && idpXml == null) || (resolverxml != null && idpXml != null)) {
-                       System.out.println("Exactly one of --idpXml and --resolverxml is required.");
-                       System.out.println();
-                       printUsage(System.out);
-                       System.exit(1);
-               }
-       }
-
-       private static Map<String, AAAttribute> createAttributeSet() {
-
-               Collection<String> attributes = resolver.listRegisteredAttributeDefinitionPlugIns();
-               Map<String, AAAttribute> attributeSet = new HashMap<String, AAAttribute>();
-
-               for (String attrName : attributes) {
-                       try {
-                               attributeSet.put(attrName, new AAAttribute(attrName));
-                       } catch (SAMLException e) {
-                               System.err.println("Error creating AAAttribute (" + attrName + "): " + e.getMessage());
-                               System.exit(1);
-                       }
-               }
-
-               return attributeSet;
-       }
-
-       private static void initializeResolver() {
-
-               if (idpXml != null) {
-                       try {
-                               Document idpConfig = IdPConfigLoader.getIdPConfig(idpXml);
-                               IdPConfig configuration = new IdPConfig(idpConfig.getDocumentElement());
-
-                               resolver = new AttributeResolver(configuration);
-
-                               NodeList itemElements = idpConfig.getDocumentElement().getElementsByTagNameNS(
-                                               IdPConfig.configNameSpace, "ReleasePolicyEngine");
-
-                               if (itemElements.getLength() > 1) {
-                                       System.err
-                                                       .println("Warning: encountered multiple <ReleasePolicyEngine> configuration elements in ("
-                                                                       + idpXml + "). Using first...");
-                               }
-
-                               if (itemElements.getLength() < 1) {
-                                       arpEngine = new ArpEngine();
-                               } else {
-                                       arpEngine = new ArpEngine((Element) itemElements.item(0));
-                               }
-
-                       } catch (ShibbolethConfigurationException e) {
-                               System.err.println("Error loading IdP configuration file (" + idpXml + "): " + e.getMessage());
-                               System.exit(1);
-                       } catch (AttributeResolverException e) {
-                               System.err.println("Error initializing the Attribute Resolver: " + e.getMessage());
-                               System.exit(1);
-                       } catch (ArpException e) {
-                               System.err.println("Error initializing the ARP Engine: " + e.getMessage());
-                               System.exit(1);
-                       }
-               } else {
-                       try {
-                               resolver = new AttributeResolver(resolverxml);
-                       } catch (AttributeResolverException e) {
-                               System.err.println("Error initializing the Attribute Resolver: " + e.getMessage());
-                               System.exit(1);
-                       }
-               }
-       }
-
-       private static void printAttributes(PrintStream out, Collection<AAAttribute> attributeSet) {
-
-               try {
-                       for (Iterator<AAAttribute> iterator = attributeSet.iterator(); iterator.hasNext();) {
-                               AAAttribute attribute = iterator.next();
-                               Node node = attribute.toDOM();
-
-                               if (!(node instanceof Element)) {
-                                       System.err.println("Received bad Element data from SAML library.");
-                                       System.exit(1);
-                               }
-
-                               TransformerFactory factory = TransformerFactory.newInstance();
-                               DOMSource source = new DOMSource(node);
-                               Transformer transformer = factory.newTransformer();
-                               transformer.setOutputProperty(OutputKeys.INDENT, "yes");
-                               StringWriter stringWriter = new StringWriter();
-                               StreamResult result = new StreamResult(stringWriter);
-                               transformer.transform(source, result);
-                               out.println(stringWriter.toString());
-
-                               out.println();
-                       }
-               } catch (Exception e) {
-                       System.err.println("Error creating SAML attribute: " + e.getMessage());
-                       System.exit(1);
-               }
-       }
-
-       private static void configureLogging(boolean debugEnabled) {
-
-               ConsoleAppender rootAppender = new ConsoleAppender();
-               rootAppender.setWriter(new PrintWriter(System.out));
-               rootAppender.setName("stdout");
-               Logger.getRootLogger().addAppender(rootAppender);
-
-               if (debugEnabled) {
-                       Logger.getRootLogger().setLevel(Level.DEBUG);
-                       rootAppender.setLayout(new PatternLayout("%-5p %-41X{serviceId} %d{ISO8601} (%c:%L) - %m%n"));
-               } else {
-                       Logger.getRootLogger().setLevel(Level.INFO);
-                       Logger.getLogger("edu.internet2.middleware.shibboleth.aa.attrresolv").setLevel(Level.WARN);
-                       rootAppender.setLayout(new PatternLayout(PatternLayout.TTCC_CONVERSION_PATTERN));
-               }
-               Logger.getLogger("org.apache.xml.security").setLevel(Level.OFF);
-       }
-
-       private static void printUsage(PrintStream out) {
-
-               // out.println("Tests an AA Attribute Resolver configuration.");
-               out.println("Usage: resolvertest --user=USER {--idpXml=URL|--resolverxml=URL} [OPTION...]");
-               out.println();
-               out.println("Options:");
-               out.println("  -h, --help                Print usage information");
-               out.println("  -d, --debug               Run in debug mode");
-               out.println("  --idpXml=FILEURL          URL of the IdP configuration file. Attributes");
-               out.println("                              will be filtered according to the Attribute Release");
-               out.println("                              Policy (ARP) specified in the configuration file");
-               out.println("  --resolverxml=FILEURL     URL of the resolver configuration file. No ARP");
-               out.println("                              filtering will be done");
-               out.println("  --user=USER               User for whom attributes should be resolved");
-               out.println("  --requester=REQUESTER     Name of the requester (SP). Emulates");
-               out.println("                              unauthenticated requester if not specified");
-               out.println("  --responder=RESPONDER     Name of the responder (IdP).");
-               out.println("  --resource=URL            URL of the resource. Only attributes available");
-               out.println("                              to any resource will be returned if not specified");
-       }
-}
diff --git a/src/edu/internet2/middleware/shibboleth/utils/SAML1_0to1_1ConversionFilter.java b/src/edu/internet2/middleware/shibboleth/utils/SAML1_0to1_1ConversionFilter.java
deleted file mode 100644 (file)
index b05584b..0000000
+++ /dev/null
@@ -1,533 +0,0 @@
-/*
- * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package edu.internet2.middleware.shibboleth.utils;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.DataOutputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletInputStream;
-import javax.servlet.ServletOutputStream;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
-
-import org.apache.log4j.Logger;
-import org.apache.log4j.MDC;
-import org.opensaml.SAMLConfig;
-import org.opensaml.SAMLException;
-import org.opensaml.SAMLIdentifier;
-
-/**
- * Servlet filter that intercepts incoming SAML 1.0 requests, converts them to SAML 1.1, and then reverses the
- * conversion for the subsequent response.
- * 
- * @author Walter Hoehn
- */
-public class SAML1_0to1_1ConversionFilter implements Filter {
-
-       private static Logger log = Logger.getLogger(SAML1_0to1_1ConversionFilter.class.getName());
-       private SAMLIdentifier idgen = SAMLConfig.instance().getDefaultIDProvider();
-
-       /*
-        * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
-        */
-       public void init(FilterConfig config) throws ServletException {
-
-       }
-
-       /*
-        * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
-        *      javax.servlet.FilterChain)
-        */
-       public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
-                       ServletException {
-
-               MDC.put("serviceId", "[SAML Conversion Filter]");
-               if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
-                       log.error("Only HTTP(s) requests are supported by the ClientCertTrustFilter.");
-                       return;
-               }
-               HttpServletRequest httpRequest = (HttpServletRequest) request;
-               HttpServletResponse httpResponse = (HttpServletResponse) response;
-
-               if (!httpRequest.getMethod().equals("POST")) {
-                       log.debug("Skipping SAML conversion because request method is not (POST).");
-                       chain.doFilter(httpRequest, httpResponse);
-               }
-
-               log.debug("Added SAML conversion wrapper to request.");
-
-               StringBuffer stringBuffer = new StringBuffer();
-               BufferedReader reader = request.getReader();
-               for (String line = reader.readLine(); line != null; line = reader.readLine()) {
-                       stringBuffer.append(line);
-               }
-               reader.reset();
-
-               String input = stringBuffer.toString();
-
-               if (!isSAML1_0(input)) {
-                       log.debug("Skipping SAML conversion because the input does not contain a SAML 1.0 request.");
-                       chain.doFilter(new NoConversionRequestWrapper(httpRequest, input), httpResponse);
-                       return;
-               }
-
-               ConversionRequestWrapper requestWrapper = new ConversionRequestWrapper(httpRequest, input);
-               ConversionResponseWrapper responseWrapper = new ConversionResponseWrapper(httpResponse, requestWrapper
-                               .getOriginalRequestId());
-               chain.doFilter(requestWrapper, responseWrapper);
-
-               responseWrapper.localFlush();
-       }
-
-       /**
-        * @param input
-        */
-       private boolean isSAML1_0(String input) {
-
-               Pattern majorRegex = Pattern.compile("<(.+:)?Request[^>]+(MajorVersion=['\"]1['\"])");
-               Pattern minorRegex = Pattern.compile("<(.+:)?Request[^>]+(MinorVersion=['\"]0['\"])");
-               Matcher majorMatcher = majorRegex.matcher(input);
-               Matcher minorMatcher = minorRegex.matcher(input);
-
-               if (!minorMatcher.find() || !majorMatcher.find()) { return false; }
-               return true;
-       }
-
-       /*
-        * @see javax.servlet.Filter#destroy()
-        */
-       public void destroy() {
-
-       }
-
-       private class ConversionResponseWrapper extends HttpServletResponseWrapper {
-
-               private ByteArrayOutputStream output = new ByteArrayOutputStream();
-               private String originalRequestId;
-
-               private ConversionResponseWrapper(HttpServletResponse response, String originalRequestId) {
-
-                       super(response);
-                       this.originalRequestId = originalRequestId;
-               }
-
-               private void localFlush() throws IOException {
-
-                       String result = output.toString();
-
-                       // Fail if we encounter XML Dsig, since the conversion would break it anyway
-                       Pattern regex = Pattern.compile("<(.+:)?Signature");
-                       Matcher matcher = regex.matcher(result);
-                       if (matcher.find()) {
-                               log.error("Unable to convert SAML request from 1.0 to 1.1.");
-                               throw new IOException("Unable to auto-convert SAML messages containing digital signatures.");
-                       }
-
-                       // Update SAML minor verion on Response and assertions
-                       regex = Pattern.compile("<(.+:)?Response[^>]+(MinorVersion=['\"]1['\"])");
-                       matcher = regex.matcher(result);
-                       if (matcher.find()) {
-                               StringBuffer buff = new StringBuffer();
-                               int start = matcher.start(2);
-                               int end = matcher.end(2);
-                               buff.append(result.subSequence(0, start));
-                               buff.append("MinorVersion=\"0\"");
-                               buff.append(result.substring(end));
-                               result = buff.toString();
-                       }
-
-                       regex = Pattern.compile("<(.+:)?Assertion[^>]+(MinorVersion=['\"]1['\"])");
-                       matcher = regex.matcher(result);
-                       StringBuffer buff = new StringBuffer();
-                       int end = 0;
-                       while (matcher.find()) {
-                               int start = matcher.start(2);
-                               buff.append(result.subSequence(end, start));
-                               end = matcher.end(2);
-                               buff.append("MinorVersion=\"0\"");
-                       }
-                       if (buff.length() > 0) {
-                               buff.append(result.substring(end));
-                               result = buff.toString();
-                       }
-
-                       // Substitue in the real identifier from the original request
-                       regex = Pattern.compile("<(.+:)?Response[^>]+InResponseTo=['\"]([^\"]+)['\"]");
-                       matcher = regex.matcher(result);
-                       if (matcher.find()) {
-                               buff = new StringBuffer();
-                               int start = matcher.start(2);
-                               end = matcher.end(2);
-                               buff.append(result.subSequence(0, start));
-                               buff.append(originalRequestId);
-                               buff.append(result.substring(end));
-                               result = buff.toString();
-                       }
-
-                       // Replace deprecated artifact confirmation method
-                       regex = Pattern
-                                       .compile("<(.+:)?ConfirmationMethod>(urn:oasis:names:tc:SAML:1.0:cm:artifact)</(.+:)?ConfirmationMethod>");
-                       matcher = regex.matcher(result);
-                       buff = new StringBuffer();
-                       end = 0;
-                       while (matcher.find()) {
-                               int start = matcher.start(2);
-                               buff.append(result.subSequence(end, start));
-                               end = matcher.end(2);
-                               buff.append("urn:oasis:names:tc:SAML:1.0:cm:artifact-01");
-                       }
-                       if (buff.length() > 0) {
-                               buff.append(result.substring(end));
-                               result = buff.toString();
-                       }
-
-                       super.getOutputStream().write(result.getBytes());
-                       output.reset();
-               }
-
-               public ServletOutputStream getOutputStream() {
-
-                       return new ModifiableOutputStream(output);
-               }
-
-               public PrintWriter getWriter() {
-
-                       return new PrintWriter(getOutputStream(), true);
-               }
-
-               public void reset() {
-
-                       super.reset();
-                       output.reset();
-               }
-
-               public void resetBuffer() {
-
-                       output.reset();
-               }
-
-               public void flushBuffer() throws IOException {
-
-                       localFlush();
-                       super.flushBuffer();
-               }
-
-               private class ModifiableOutputStream extends ServletOutputStream {
-
-                       private DataOutputStream stream;
-
-                       public ModifiableOutputStream(OutputStream output) {
-
-                               stream = new DataOutputStream(output);
-                       }
-
-                       public void write(int b) throws IOException {
-
-                               stream.write(b);
-                       }
-
-                       public void write(byte[] b) throws IOException {
-
-                               stream.write(b);
-                       }
-
-                       public void write(byte[] b, int off, int len) throws IOException {
-
-                               stream.write(b, off, len);
-                       }
-
-               }
-       }
-
-       private class ConversionRequestWrapper extends HttpServletRequestWrapper {
-
-               private ServletInputStream stream;
-               private boolean accessed = false;
-               private String method;
-               private String originalRequestId;
-               private int newLength;
-
-               private ConversionRequestWrapper(HttpServletRequest request, String input) throws IOException {
-
-                       super(request);
-
-                       // Fail if we encounter XML Dsig, since the conversion would break it anyway
-                       Pattern regex = Pattern.compile("<(.+:)?Signature");
-                       Matcher matcher = regex.matcher(input);
-                       if (matcher.find()) {
-                               log.error("Unable to convert SAML request from 1.0 to 1.1.");
-                               throw new IOException("Unable to auto-convert SAML messages containing digital signatures.");
-                       }
-
-                       // Update SAML minor verion on Request
-                       regex = Pattern.compile("<(.+:)?Request[^>]+(MinorVersion=['\"]0['\"])");
-                       matcher = regex.matcher(input);
-                       if (matcher.find()) {
-                               StringBuffer buff = new StringBuffer();
-                               int start = matcher.start(2);
-                               int end = matcher.end(2);
-                               buff.append(input.subSequence(0, start));
-                               buff.append("MinorVersion=\"1\"");
-                               buff.append(input.substring(end));
-                               input = buff.toString();
-                       }
-
-                       // Substitute in a fake request id that is valid in SAML 1.1, but save the original so that we can put it
-                       // back later
-                       regex = Pattern.compile("<(.+:)?Request[^>]+RequestID=['\"]([^'\"]+)['\"]");
-                       matcher = regex.matcher(input);
-                       if (matcher.find()) {
-                               StringBuffer buff = new StringBuffer();
-                               originalRequestId = matcher.group(2);
-                               int start = matcher.start(2);
-                               int end = matcher.end(2);
-                               buff.append(input.subSequence(0, start));
-                               try {
-                                       buff.append(idgen.getIdentifier());
-                               } catch (SAMLException e) {
-                                       throw new IOException("Unable to obtain a new SAML message ID from provider");
-                               }
-                               buff.append(input.substring(end));
-                               input = buff.toString();
-                       }
-
-                       newLength = input.length();
-                       stream = new ModifiedInputStream(new ByteArrayInputStream(input.getBytes()));
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see javax.servlet.ServletRequest#getInputStream()
-                */
-               public ServletInputStream getInputStream() throws IOException {
-
-                       if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
-                       accessed = true;
-                       method = "getInputStream()";
-                       return stream;
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see javax.servlet.ServletRequest#getReader()
-                */
-               public BufferedReader getReader() throws IOException {
-
-                       if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
-                       accessed = true;
-                       method = "getReader()";
-                       return new BufferedReader(new InputStreamReader(stream));
-               }
-
-               private String getOriginalRequestId() {
-
-                       return originalRequestId;
-
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see javax.servlet.ServletRequest#getContentLength()
-                */
-               public int getContentLength() {
-
-                       return newLength;
-               }
-
-       }
-
-       private class NoConversionRequestWrapper extends HttpServletRequestWrapper {
-
-               private ServletInputStream stream;
-               private boolean accessed = false;
-               private String method;
-
-               private NoConversionRequestWrapper(HttpServletRequest request, String input) {
-
-                       super(request);
-                       stream = new ModifiedInputStream(new ByteArrayInputStream(input.getBytes()));
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see javax.servlet.ServletRequest#getInputStream()
-                */
-               public ServletInputStream getInputStream() throws IOException {
-
-                       if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
-                       accessed = true;
-                       method = "getInputStream()";
-                       return stream;
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see javax.servlet.ServletRequest#getReader()
-                */
-               public BufferedReader getReader() throws IOException {
-
-                       if (accessed) { throw new IllegalStateException(method + " has already been called for this request"); }
-                       accessed = true;
-                       method = "getReader()";
-                       return new BufferedReader(new InputStreamReader(stream));
-               }
-
-       }
-
-       private class ModifiedInputStream extends ServletInputStream {
-
-               private ByteArrayInputStream stream;
-
-               private ModifiedInputStream(ByteArrayInputStream stream) {
-
-                       this.stream = stream;
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see javax.servlet.ServletInputStream#readLine(byte[], int, int)
-                */
-               public int readLine(byte[] b, int off, int len) throws IOException {
-
-                       if (len <= 0) { return 0; }
-                       int count = 0, c;
-
-                       while ((c = stream.read()) != -1) {
-                               b[off++] = (byte) c;
-                               count++;
-                               if (c == '\n' || count == len) {
-                                       break;
-                               }
-                       }
-                       return count > 0 ? count : -1;
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#available()
-                */
-               public int available() throws IOException {
-
-                       return stream.available();
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#close()
-                */
-               public void close() throws IOException {
-
-                       stream.close();
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#mark(int)
-                */
-               public synchronized void mark(int readlimit) {
-
-                       stream.mark(readlimit);
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#markSupported()
-                */
-               public boolean markSupported() {
-
-                       return stream.markSupported();
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#read(byte[], int, int)
-                */
-               public int read(byte[] b, int off, int len) throws IOException {
-
-                       return stream.read(b, off, len);
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#read(byte[])
-                */
-               public int read(byte[] b) throws IOException {
-
-                       return stream.read(b);
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#reset()
-                */
-               public synchronized void reset() throws IOException {
-
-                       stream.reset();
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#skip(long)
-                */
-               public long skip(long n) throws IOException {
-
-                       return stream.skip(n);
-               }
-
-               /*
-                * (non-Javadoc)
-                * 
-                * @see java.io.InputStream#read()
-                */
-               public int read() throws IOException {
-
-                       return stream.read();
-               }
-
-       }
-
-}
\ No newline at end of file
diff --git a/tests/conf/ca-bundle.crt b/tests/conf/ca-bundle.crt
deleted file mode 100644 (file)
index a774afe..0000000
+++ /dev/null
@@ -1,4743 +0,0 @@
-<ca-bundle.crt#rev1.6> *Return to ca-bundle.crt <ca-bundle.crt#rev1.6>
-CVS log*       *Up to [Shibboleth] </cgi-bin/viewcvs.cgi/#dirlist> /
-shibboleth </cgi-bin/viewcvs.cgi/shibboleth/#dirlist> / c
-</cgi-bin/viewcvs.cgi/shibboleth/c/#dirlist> / configs
-</cgi-bin/viewcvs.cgi/shibboleth/c/configs/#dirlist>*
-
-------------------------------------------------------------------------
-File: [Shibboleth] </cgi-bin/viewcvs.cgi/#dirlist> / shibboleth
-</cgi-bin/viewcvs.cgi/shibboleth/#dirlist> / c
-</cgi-bin/viewcvs.cgi/shibboleth/c/#dirlist> / configs
-</cgi-bin/viewcvs.cgi/shibboleth/c/configs/#dirlist> / ca-bundle.crt
-</cgi-bin/viewcvs.cgi/shibboleth/c/configs/ca-bundle.crt#dirlist>
-(*download*
-</cgi-bin/viewcvs.cgi/*checkout*/shibboleth/c/configs/ca-bundle.crt?rev=1.6>)
-
-Revision: *1.6*, /Fri Sep 5 17:43:30 2003 UTC/ (2 months, 4 weeks ago)
-by /wassa/
-Branch: *MAIN*
-CVS Tags: *HEAD*
-Changes since *1.5: +6 -6 lines*
-
-Updated NSDL CA cert.
-
-------------------------------------------------------------------------
-
-##
-##  ca-bundle.crt -- Bundle of CA Root Certificates
-##  Last Modified: Thu Mar  2 09:32:46 CET 2000
-##
-##  This is a bundle of X.509 certificates of public
-##  Certificate Authorities (CA). These were automatically
-##  extracted from Netscape Communicator 4.72's certificate database
-##  (the file `cert7.db'). It contains the certificates in both
-##  plain text and PEM format and therefore can be directly used
-##  with an Apache+mod_ssl webserver for SSL client authentication.
-##  Just configure this file as the SSLCACertificateFile.
-##
-##  (SKIPME)
-##
-
-ABAecom (sub., Am. Bankers Assn.) Root CA
-=========================================
-MD5 Fingerprint: 82:12:F7:89:E1:0B:91:60:A4:B6:22:9F:94:68:11:92
-PEM Data:
------BEGIN CERTIFICATE-----
-MIID+DCCAuCgAwIBAgIRANAeQJAAACdLAAAAAQAAAAQwDQYJKoZIhvcNAQEFBQAw
-gYwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExh
-a2UgQ2l0eTEYMBYGA1UEChMPWGNlcnQgRVogYnkgRFNUMRgwFgYDVQQDEw9YY2Vy
-dCBFWiBieSBEU1QxITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAe
-Fw05OTA3MTQxNjE0MThaFw0wOTA3MTExNjE0MThaMIGMMQswCQYDVQQGEwJVUzEN
-MAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxGDAWBgNVBAoT
-D1hjZXJ0IEVaIGJ5IERTVDEYMBYGA1UEAxMPWGNlcnQgRVogYnkgRFNUMSEwHwYJ
-KoZIhvcNAQkBFhJjYUBkaWdzaWd0cnVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQCtVBjetL/3reh0qu2LfI/C1HUa1YS5tmL8ie/kl2GS+x24
-4VpHNJ6eBiL70+o4y7iLB/caoBd3B1owHNQpOCDXJ0DYUJNDv9IYoil2BXKqa7Zp
-mKt5Hhxl9WqL/MUWqqJy2mDtTm4ZJXoKHTDjUJtCPETrobAgHtsCfv49H7/QAIrb
-QHamGKUVp1e2UsIBF5h3j4qBxhq0airmr6nWAKzP2BVJfNsbof6B+of505DBAsD5
-0ELpkWglX8a/hznplQBgKL+DLMDnXrbXNhbnYId26OcnsiUNi3rlqh3lWc3OCw5v
-xsic4xDZhTnTt5v6xrp8dNJddVardKSiUb9SfO5xAgMBAAGjUzBRMA8GA1UdEwEB
-/wQFMAMBAf8wHwYDVR0jBBgwFoAUCCBsZuuBCmxc1bWmPEHdHJaRJ3cwHQYDVR0O
-BBYEFAggbGbrgQpsXNW1pjxB3RyWkSd3MA0GCSqGSIb3DQEBBQUAA4IBAQBah1iP
-Lat2IWtUDNnxQfZOzSue4x+boy1/2St9WMhnpCn16ezVvZY/o3P4xFs2fNBjLDQ5
-m0i4PW/2FMWeY+anNG7T6DOzxzwYbiOuQ5KZP5jFaTDxNjutuTCC1rZZFpYCCykS
-YbQRifcML5SQhZgonFNsfmPdc/QZ/0qB0bJSI/08SjTOWhvgUIrtT4GV2GDn5MQN
-u1g+WPdOaG8+Z8nLepcWJ+xCYRR2uwDF6wg9FX9LtiJdhzuQ9PPA/jez6dliDMDD
-Wa9gvR8N26E0HzDEPYutsB0Ek+1f1eS/IDAE9EjpMwHRLpAnUrOb3jocq6mXf5vr
-wo3CbezcE9NGxXl8
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            d0:1e:40:90:00:00:27:4b:00:00:00:01:00:00:00:04
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
-        Validity
-            Not Before: Jul 14 16:14:18 1999 GMT
-            Not After : Jul 11 16:14:18 2009 GMT
-        Subject: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:ad:54:18:de:b4:bf:f7:ad:e8:74:aa:ed:8b:7c:
-                    8f:c2:d4:75:1a:d5:84:b9:b6:62:fc:89:ef:e4:97:
-                    61:92:fb:1d:b8:e1:5a:47:34:9e:9e:06:22:fb:d3:
-                    ea:38:cb:b8:8b:07:f7:1a:a0:17:77:07:5a:30:1c:
-                    d4:29:38:20:d7:27:40:d8:50:93:43:bf:d2:18:a2:
-                    29:76:05:72:aa:6b:b6:69:98:ab:79:1e:1c:65:f5:
-                    6a:8b:fc:c5:16:aa:a2:72:da:60:ed:4e:6e:19:25:
-                    7a:0a:1d:30:e3:50:9b:42:3c:44:eb:a1:b0:20:1e:
-                    db:02:7e:fe:3d:1f:bf:d0:00:8a:db:40:76:a6:18:
-                    a5:15:a7:57:b6:52:c2:01:17:98:77:8f:8a:81:c6:
-                    1a:b4:6a:2a:e6:af:a9:d6:00:ac:cf:d8:15:49:7c:
-                    db:1b:a1:fe:81:fa:87:f9:d3:90:c1:02:c0:f9:d0:
-                    42:e9:91:68:25:5f:c6:bf:87:39:e9:95:00:60:28:
-                    bf:83:2c:c0:e7:5e:b6:d7:36:16:e7:60:87:76:e8:
-                    e7:27:b2:25:0d:8b:7a:e5:aa:1d:e5:59:cd:ce:0b:
-                    0e:6f:c6:c8:9c:e3:10:d9:85:39:d3:b7:9b:fa:c6:
-                    ba:7c:74:d2:5d:75:56:ab:74:a4:a2:51:bf:52:7c:
-                    ee:71
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77
-
-            X509v3 Subject Key Identifier: 
-                08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77
-    Signature Algorithm: sha1WithRSAEncryption
-        5a:87:58:8f:2d:ab:76:21:6b:54:0c:d9:f1:41:f6:4e:cd:2b:
-        9e:e3:1f:9b:a3:2d:7f:d9:2b:7d:58:c8:67:a4:29:f5:e9:ec:
-        d5:bd:96:3f:a3:73:f8:c4:5b:36:7c:d0:63:2c:34:39:9b:48:
-        b8:3d:6f:f6:14:c5:9e:63:e6:a7:34:6e:d3:e8:33:b3:c7:3c:
-        18:6e:23:ae:43:92:99:3f:98:c5:69:30:f1:36:3b:ad:b9:30:
-        82:d6:b6:59:16:96:02:0b:29:12:61:b4:11:89:f7:0c:2f:94:
-        90:85:98:28:9c:53:6c:7e:63:dd:73:f4:19:ff:4a:81:d1:b2:
-        52:23:fd:3c:4a:34:ce:5a:1b:e0:50:8a:ed:4f:81:95:d8:60:
-        e7:e4:c4:0d:bb:58:3e:58:f7:4e:68:6f:3e:67:c9:cb:7a:97:
-        16:27:ec:42:61:14:76:bb:00:c5:eb:08:3d:15:7f:4b:b6:22:
-        5d:87:3b:90:f4:f3:c0:fe:37:b3:e9:d9:62:0c:c0:c3:59:af:
-        60:bd:1f:0d:db:a1:34:1f:30:c4:3d:8b:ad:b0:1d:04:93:ed:
-        5f:d5:e4:bf:20:30:04:f4:48:e9:33:01:d1:2e:90:27:52:b3:
-        9b:de:3a:1c:ab:a9:97:7f:9b:eb:c2:8d:c2:6d:ec:dc:13:d3:
-        46:c5:79:7c
-
-ANX Network CA by DST
-=====================
-MD5 Fingerprint: A8:ED:DE:EB:93:88:66:D8:2F:C3:BD:1D:BE:45:BE:4D
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDTTCCAragAwIBAgIENm6ibzANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMR0wGwYDVQQL
-ExREU1QgKEFOWCBOZXR3b3JrKSBDQTAeFw05ODEyMDkxNTQ2NDhaFw0xODEyMDkx
-NjE2NDhaMFIxCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVy
-ZSBUcnVzdCBDby4xHTAbBgNVBAsTFERTVCAoQU5YIE5ldHdvcmspIENBMIGdMA0G
-CSqGSIb3DQEBAQUAA4GLADCBhwKBgQC0SBGAWKDVpZkP9jcsRLZu0XzzKmueEbaI
-IwRccSWeahJ3EW6/aDllqPay9qIYsokVoGe3eowiSGv2hDQftsr3G3LL8ltI04ce
-InYTBLSsbJZ/5w4IyTJRMC3VgOghZ7rzXggkLAdZnZAa7kbJtaQelrRBkdR/0o04
-JrBvQ24JfQIBA6OCATAwggEsMBEGCWCGSAGG+EIBAQQEAwIABzB0BgNVHR8EbTBr
-MGmgZ6BlpGMwYTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0
-dXJlIFRydXN0IENvLjEdMBsGA1UECxMURFNUIChBTlggTmV0d29yaykgQ0ExDTAL
-BgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxNTQ2NDhagQ8yMDE4MTIw
-OTE1NDY0OFowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFIwWVXDMFgpTZMKlhKqz
-ZBdDP4I2MB0GA1UdDgQWBBSMFlVwzBYKU2TCpYSqs2QXQz+CNjAMBgNVHRMEBTAD
-AQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4GB
-AEklyWCxDF+pORDTxTRVfc95wynr3vnCQPnoVsXwL+z02exIUbhjOF6TbhiWhbnK
-UJykuOpmJmiThW9vTHHQvnoLPDG5975pnhDX0UDorBZxq66rOOFwscqSFuBdhaYY
-gAYAnOGmGEJRp2hoWe8mlF+tMQz+KR4XAYQ3W+gSMqNd
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 913220207 (0x366ea26f)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=Digital Signature Trust Co., OU=DST (ANX Network) CA
-        Validity
-            Not Before: Dec  9 15:46:48 1998 GMT
-            Not After : Dec  9 16:16:48 2018 GMT
-        Subject: C=US, O=Digital Signature Trust Co., OU=DST (ANX Network) CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b4:48:11:80:58:a0:d5:a5:99:0f:f6:37:2c:44:
-                    b6:6e:d1:7c:f3:2a:6b:9e:11:b6:88:23:04:5c:71:
-                    25:9e:6a:12:77:11:6e:bf:68:39:65:a8:f6:b2:f6:
-                    a2:18:b2:89:15:a0:67:b7:7a:8c:22:48:6b:f6:84:
-                    34:1f:b6:ca:f7:1b:72:cb:f2:5b:48:d3:87:1e:22:
-                    76:13:04:b4:ac:6c:96:7f:e7:0e:08:c9:32:51:30:
-                    2d:d5:80:e8:21:67:ba:f3:5e:08:24:2c:07:59:9d:
-                    90:1a:ee:46:c9:b5:a4:1e:96:b4:41:91:d4:7f:d2:
-                    8d:38:26:b0:6f:43:6e:09:7d
-                Exponent: 3 (0x3)
-        X509v3 extensions:
-            Netscape Cert Type: 
-                SSL CA, S/MIME CA, Object Signing CA
-            X509v3 CRL Distribution Points: 
-                DirName:/C=US/O=Digital Signature Trust Co./OU=DST (ANX Network) CA/CN=CRL1
-
-            X509v3 Private Key Usage Period: 
-                Not Before: Dec  9 15:46:48 1998 GMT, Not After: Dec  9 15:46:48 2018 GMT
-            X509v3 Key Usage: 
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36
-
-            X509v3 Subject Key Identifier: 
-                8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36
-            X509v3 Basic Constraints: 
-                CA:TRUE
-            1.2.840.113533.7.65.0: 
-                0
-..V4.0....
-    Signature Algorithm: sha1WithRSAEncryption
-        49:25:c9:60:b1:0c:5f:a9:39:10:d3:c5:34:55:7d:cf:79:c3:
-        29:eb:de:f9:c2:40:f9:e8:56:c5:f0:2f:ec:f4:d9:ec:48:51:
-        b8:63:38:5e:93:6e:18:96:85:b9:ca:50:9c:a4:b8:ea:66:26:
-        68:93:85:6f:6f:4c:71:d0:be:7a:0b:3c:31:b9:f7:be:69:9e:
-        10:d7:d1:40:e8:ac:16:71:ab:ae:ab:38:e1:70:b1:ca:92:16:
-        e0:5d:85:a6:18:80:06:00:9c:e1:a6:18:42:51:a7:68:68:59:
-        ef:26:94:5f:ad:31:0c:fe:29:1e:17:01:84:37:5b:e8:12:32:
-        a3:5d
-
-American Express CA
-===================
-MD5 Fingerprint: 1C:D5:8E:82:BE:70:55:8E:39:61:DF:AD:51:DB:6B:A0
-PEM Data:
------BEGIN CERTIFICATE-----
-MIICkDCCAfkCAgCNMA0GCSqGSIb3DQEBBAUAMIGPMQswCQYDVQQGEwJVUzEnMCUG
-A1UEChMeQW1lcmljYW4gRXhwcmVzcyBDb21wYW55LCBJbmMuMSYwJAYDVQQLEx1B
-bWVyaWNhbiBFeHByZXNzIFRlY2hub2xvZ2llczEvMC0GA1UEAxMmQW1lcmljYW4g
-RXhwcmVzcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgwODE0MjIwMTAwWhcN
-MDYwODE0MjM1OTAwWjCBjzELMAkGA1UEBhMCVVMxJzAlBgNVBAoTHkFtZXJpY2Fu
-IEV4cHJlc3MgQ29tcGFueSwgSW5jLjEmMCQGA1UECxMdQW1lcmljYW4gRXhwcmVz
-cyBUZWNobm9sb2dpZXMxLzAtBgNVBAMTJkFtZXJpY2FuIEV4cHJlc3MgQ2VydGlm
-aWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJ8kmS
-hcr9FSm1BrZE7PyIo/KGzv8UTyQckvnCI8HOQ99dNMi4FOzVKnCRSZXXVs2U8amT
-0Ggi3E19oApyKkfqJfCFAF82VGHPC/k3Wmed6R/pZD9wlWGn0DAC3iYopGYDBOkw
-+48zB/lvYYeictvzaHhjZlmpybdm4RWySDYs+QIDAQABMA0GCSqGSIb3DQEBBAUA
-A4GBAGgXYrhzi0xs60qlPqvlnS7SzYoHV/PGWZd2Fxf4Uo4nk9hY2Chs9KIEeorC
-diSxArTfKPL386infiNIYYj0EWiuJl32oUtTJWrYKhQCDuCHIG6eGVxzkAsj4jGX
-Iz/VIqLTBnvaN/XXtUFEF3pFAtmFRWbWjsfwegyZYiJpW+3S
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 1 (0x0)
-        Serial Number: 141 (0x8d)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Certificate Authority
-        Validity
-            Not Before: Aug 14 22:01:00 1998 GMT
-            Not After : Aug 14 23:59:00 2006 GMT
-        Subject: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Certificate Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:c9:f2:49:92:85:ca:fd:15:29:b5:06:b6:44:ec:
-                    fc:88:a3:f2:86:ce:ff:14:4f:24:1c:92:f9:c2:23:
-                    c1:ce:43:df:5d:34:c8:b8:14:ec:d5:2a:70:91:49:
-                    95:d7:56:cd:94:f1:a9:93:d0:68:22:dc:4d:7d:a0:
-                    0a:72:2a:47:ea:25:f0:85:00:5f:36:54:61:cf:0b:
-                    f9:37:5a:67:9d:e9:1f:e9:64:3f:70:95:61:a7:d0:
-                    30:02:de:26:28:a4:66:03:04:e9:30:fb:8f:33:07:
-                    f9:6f:61:87:a2:72:db:f3:68:78:63:66:59:a9:c9:
-                    b7:66:e1:15:b2:48:36:2c:f9
-                Exponent: 65537 (0x10001)
-    Signature Algorithm: md5WithRSAEncryption
-        68:17:62:b8:73:8b:4c:6c:eb:4a:a5:3e:ab:e5:9d:2e:d2:cd:
-        8a:07:57:f3:c6:59:97:76:17:17:f8:52:8e:27:93:d8:58:d8:
-        28:6c:f4:a2:04:7a:8a:c2:76:24:b1:02:b4:df:28:f2:f7:f3:
-        a8:a7:7e:23:48:61:88:f4:11:68:ae:26:5d:f6:a1:4b:53:25:
-        6a:d8:2a:14:02:0e:e0:87:20:6e:9e:19:5c:73:90:0b:23:e2:
-        31:97:23:3f:d5:22:a2:d3:06:7b:da:37:f5:d7:b5:41:44:17:
-        7a:45:02:d9:85:45:66:d6:8e:c7:f0:7a:0c:99:62:22:69:5b:
-        ed:d2
-
-American Express Global CA
-==========================
-MD5 Fingerprint: 63:1B:66:93:8C:F3:66:CB:3C:79:57:DC:05:49:EA:DB
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgICAIUwDQYJKoZIhvcNAQEFBQAwgZYxCzAJBgNVBAYTAlVT
-MScwJQYDVQQKEx5BbWVyaWNhbiBFeHByZXNzIENvbXBhbnksIEluYy4xJjAkBgNV
-BAsTHUFtZXJpY2FuIEV4cHJlc3MgVGVjaG5vbG9naWVzMTYwNAYDVQQDEy1BbWVy
-aWNhbiBFeHByZXNzIEdsb2JhbCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgw
-ODE0MTkwNjAwWhcNMTMwODE0MjM1OTAwWjCBljELMAkGA1UEBhMCVVMxJzAlBgNV
-BAoTHkFtZXJpY2FuIEV4cHJlc3MgQ29tcGFueSwgSW5jLjEmMCQGA1UECxMdQW1l
-cmljYW4gRXhwcmVzcyBUZWNobm9sb2dpZXMxNjA0BgNVBAMTLUFtZXJpY2FuIEV4
-cHJlc3MgR2xvYmFsIENlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAPAkJmYu++tKc3FTiUfLJjxTkpRMysKFtQ34w1e9
-Lyofahi3V68MABb6oLaQpvcaoS5mJsdoo4qTaWa1RlYtHYLqkAwKIsKJUI0F89Sr
-c0HwzxKsKLRvFJSWWUuekHWG3+JH6+HpT0N+h8onGGaetcFAZX38YW+tm3LPqV7Y
-8/nabpEQ+ky16n4g3qk5L/WI5IpvNcYgnCuGRjMK/DFVpWusFkDpzTVZbzIEw3u1
-D3t3cPNIuypSgs6vKW3xEW9t5gcAAe+a8yYNpnkTZ6/4qxx1rJG1a75AsN6cDLFp
-hRlxkRNFyt/R/eayypaDedvFuKpbepALeFY+xteflEgR9a0CAwEAAaNaMFgwEgYD
-VR0TAQH/BAgwBgEB/wIBBTAOBgNVHQ8BAf8EBAMCAQYwFwYDVR0gBBAwDjAMBgoq
-hkiG+Q8KAQUBMBkGA1UdDgQSBBBXRzV7NicRqAj8L0Yl6yRpMA0GCSqGSIb3DQEB
-BQUAA4IBAQDHYUWoinG5vjTpIXshzVYTmNUwY+kYqkuSFb8LHbvskmnFLsNhi+gw
-RcsQRsFzOFyLGdIr80DrfHKzLh4n43WVihybLsSVBYZy0FX0oZJSeVzb9Pjc5dcS
-sUDHPIbkMWVKyjfG3nZXGWlMRmn8Kq0WN3qTrPchSy3766lQy8HRQAjaA2mHpzde
-VcHF7cTjjgwml5tcV0ty4/IDBdACOyYDQJCevgtbSQx48dVMVSng9v1MA6lUAjLR
-V1qFrEPtWzsWX6C/NdtLnnvo/+cNPDuom0lBRvVzTv+SZSGDE1Vx60k8f4gawhIo
-JaFGS0E3l3/sjvHUoZbCILZerakcHhGg
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 133 (0x85)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority
-        Validity
-            Not Before: Aug 14 19:06:00 1998 GMT
-            Not After : Aug 14 23:59:00 2013 GMT
-        Subject: C=US, O=American Express Company, Inc., OU=American Express Technologies, CN=American Express Global Certificate Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:f0:24:26:66:2e:fb:eb:4a:73:71:53:89:47:cb:
-                    26:3c:53:92:94:4c:ca:c2:85:b5:0d:f8:c3:57:bd:
-                    2f:2a:1f:6a:18:b7:57:af:0c:00:16:fa:a0:b6:90:
-                    a6:f7:1a:a1:2e:66:26:c7:68:a3:8a:93:69:66:b5:
-                    46:56:2d:1d:82:ea:90:0c:0a:22:c2:89:50:8d:05:
-                    f3:d4:ab:73:41:f0:cf:12:ac:28:b4:6f:14:94:96:
-                    59:4b:9e:90:75:86:df:e2:47:eb:e1:e9:4f:43:7e:
-                    87:ca:27:18:66:9e:b5:c1:40:65:7d:fc:61:6f:ad:
-                    9b:72:cf:a9:5e:d8:f3:f9:da:6e:91:10:fa:4c:b5:
-                    ea:7e:20:de:a9:39:2f:f5:88:e4:8a:6f:35:c6:20:
-                    9c:2b:86:46:33:0a:fc:31:55:a5:6b:ac:16:40:e9:
-                    cd:35:59:6f:32:04:c3:7b:b5:0f:7b:77:70:f3:48:
-                    bb:2a:52:82:ce:af:29:6d:f1:11:6f:6d:e6:07:00:
-                    01:ef:9a:f3:26:0d:a6:79:13:67:af:f8:ab:1c:75:
-                    ac:91:b5:6b:be:40:b0:de:9c:0c:b1:69:85:19:71:
-                    91:13:45:ca:df:d1:fd:e6:b2:ca:96:83:79:db:c5:
-                    b8:aa:5b:7a:90:0b:78:56:3e:c6:d7:9f:94:48:11:
-                    f5:ad
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:5
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Certificate Policies: 
-                Policy: 1.2.840.113807.10.1.5.1
-
-            X509v3 Subject Key Identifier: 
-                57:47:35:7B:36:27:11:A8:08:FC:2F:46:25:EB:24:69
-    Signature Algorithm: sha1WithRSAEncryption
-        c7:61:45:a8:8a:71:b9:be:34:e9:21:7b:21:cd:56:13:98:d5:
-        30:63:e9:18:aa:4b:92:15:bf:0b:1d:bb:ec:92:69:c5:2e:c3:
-        61:8b:e8:30:45:cb:10:46:c1:73:38:5c:8b:19:d2:2b:f3:40:
-        eb:7c:72:b3:2e:1e:27:e3:75:95:8a:1c:9b:2e:c4:95:05:86:
-        72:d0:55:f4:a1:92:52:79:5c:db:f4:f8:dc:e5:d7:12:b1:40:
-        c7:3c:86:e4:31:65:4a:ca:37:c6:de:76:57:19:69:4c:46:69:
-        fc:2a:ad:16:37:7a:93:ac:f7:21:4b:2d:fb:eb:a9:50:cb:c1:
-        d1:40:08:da:03:69:87:a7:37:5e:55:c1:c5:ed:c4:e3:8e:0c:
-        26:97:9b:5c:57:4b:72:e3:f2:03:05:d0:02:3b:26:03:40:90:
-        9e:be:0b:5b:49:0c:78:f1:d5:4c:55:29:e0:f6:fd:4c:03:a9:
-        54:02:32:d1:57:5a:85:ac:43:ed:5b:3b:16:5f:a0:bf:35:db:
-        4b:9e:7b:e8:ff:e7:0d:3c:3b:a8:9b:49:41:46:f5:73:4e:ff:
-        92:65:21:83:13:55:71:eb:49:3c:7f:88:1a:c2:12:28:25:a1:
-        46:4b:41:37:97:7f:ec:8e:f1:d4:a1:96:c2:20:b6:5e:ad:a9:
-        1c:1e:11:a0
-
-BelSign Object Publishing CA
-============================
-MD5 Fingerprint: 8A:02:F8:DF:B8:E1:84:9F:5A:C2:60:24:65:D1:73:FB
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDAzCCAmygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBuzELMAkGA1UEBhMCQkUx
-ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMTgwNgYDVQQL
-Ey9CZWxTaWduIE9iamVjdCBQdWJsaXNoaW5nIENlcnRpZmljYXRlIEF1dGhvcml0
-eTElMCMGA1UEAxMcQmVsU2lnbiBPYmplY3QgUHVibGlzaGluZyBDQTEjMCEGCSqG
-SIb3DQEJARYUd2VibWFzdGVyQGJlbHNpZ24uYmUwHhcNOTcwOTE5MjIwMzAwWhcN
-MDcwOTE5MjIwMzAwWjCBuzELMAkGA1UEBhMCQkUxETAPBgNVBAcTCEJydXNzZWxz
-MRMwEQYDVQQKEwpCZWxTaWduIE5WMTgwNgYDVQQLEy9CZWxTaWduIE9iamVjdCBQ
-dWJsaXNoaW5nIENlcnRpZmljYXRlIEF1dGhvcml0eTElMCMGA1UEAxMcQmVsU2ln
-biBPYmplY3QgUHVibGlzaGluZyBDQTEjMCEGCSqGSIb3DQEJARYUd2VibWFzdGVy
-QGJlbHNpZ24uYmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMQuH7a/7oJA
-3fm3LkHVngWxWtAmfGJVA5v8y2HeS+/+6Jn+h7mIz5DaDwk8dt8Xl7bLPyVF/bS8
-WAC+sFq2FIeP7mdkrR2Ig7tnn2VhAFgIgFCfgMkx9iqQHC33SmwQ9iNDXTgJYIhX
-As0WbBj8zfuSKnfQnpOjXYhk0Mj4XVRRAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
-AwIABzANBgkqhkiG9w0BAQQFAAOBgQBjdhd8lvBTpV0BHFPOKcJ+daxMDaIIc7Rq
-Mf0CBhSZ3FQEpL/IloafMUMyJVf2hfYluze+oXkjyVcGJXFrRU/49AJAFoIir1Tq
-Mij2De6ZuksIUQ9uhiMhTC0liIHELg7xEyw4ipUCJMM6lWPkk45IuwhHcl+u5jpa
-R9Zxxp6aUg==
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Object Publishing Certificate Authority, CN=BelSign Object Publishing CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
-        Validity
-            Not Before: Sep 19 22:03:00 1997 GMT
-            Not After : Sep 19 22:03:00 2007 GMT
-        Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Object Publishing Certificate Authority, CN=BelSign Object Publishing CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:c4:2e:1f:b6:bf:ee:82:40:dd:f9:b7:2e:41:d5:
-                    9e:05:b1:5a:d0:26:7c:62:55:03:9b:fc:cb:61:de:
-                    4b:ef:fe:e8:99:fe:87:b9:88:cf:90:da:0f:09:3c:
-                    76:df:17:97:b6:cb:3f:25:45:fd:b4:bc:58:00:be:
-                    b0:5a:b6:14:87:8f:ee:67:64:ad:1d:88:83:bb:67:
-                    9f:65:61:00:58:08:80:50:9f:80:c9:31:f6:2a:90:
-                    1c:2d:f7:4a:6c:10:f6:23:43:5d:38:09:60:88:57:
-                    02:cd:16:6c:18:fc:cd:fb:92:2a:77:d0:9e:93:a3:
-                    5d:88:64:d0:c8:f8:5d:54:51
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Cert Type: 
-                SSL CA, S/MIME CA, Object Signing CA
-    Signature Algorithm: md5WithRSAEncryption
-        63:76:17:7c:96:f0:53:a5:5d:01:1c:53:ce:29:c2:7e:75:ac:
-        4c:0d:a2:08:73:b4:6a:31:fd:02:06:14:99:dc:54:04:a4:bf:
-        c8:96:86:9f:31:43:32:25:57:f6:85:f6:25:bb:37:be:a1:79:
-        23:c9:57:06:25:71:6b:45:4f:f8:f4:02:40:16:82:22:af:54:
-        ea:32:28:f6:0d:ee:99:ba:4b:08:51:0f:6e:86:23:21:4c:2d:
-        25:88:81:c4:2e:0e:f1:13:2c:38:8a:95:02:24:c3:3a:95:63:
-        e4:93:8e:48:bb:08:47:72:5f:ae:e6:3a:5a:47:d6:71:c6:9e:
-        9a:52
-
-BelSign Secure Server CA
-========================
-MD5 Fingerprint: 3D:5E:82:C6:D9:AD:D9:8B:93:6B:0C:10:B9:49:0A:B1
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIC8zCCAlygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBszELMAkGA1UEBhMCQkUx
-ETAPBgNVBAcTCEJydXNzZWxzMRMwEQYDVQQKEwpCZWxTaWduIE5WMTQwMgYDVQQL
-EytCZWxTaWduIFNlY3VyZSBTZXJ2ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSEw
-HwYDVQQDExhCZWxTaWduIFNlY3VyZSBTZXJ2ZXIgQ0ExIzAhBgkqhkiG9w0BCQEW
-FHdlYm1hc3RlckBiZWxzaWduLmJlMB4XDTk3MDcxNjIyMDA1NFoXDTA3MDcxNjIy
-MDA1NFowgbMxCzAJBgNVBAYTAkJFMREwDwYDVQQHEwhCcnVzc2VsczETMBEGA1UE
-ChMKQmVsU2lnbiBOVjE0MDIGA1UECxMrQmVsU2lnbiBTZWN1cmUgU2VydmVyIENl
-cnRpZmljYXRlIEF1dGhvcml0eTEhMB8GA1UEAxMYQmVsU2lnbiBTZWN1cmUgU2Vy
-dmVyIENBMSMwIQYJKoZIhvcNAQkBFhR3ZWJtYXN0ZXJAYmVsc2lnbi5iZTCBnzAN
-BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1gESeJL4BEJ/yccig/x8R3AwK0kLPjZA
-kCjaIXODU/LE0RZAwFP/rqbGJLMnbaWzPTl3XagG9ubpvGMRTgZlcAqdk/miQIt/
-SoQOjRax1swIZBIM4ChLyKWEkBf7EUYu1qeFGMsYrmOasFgG9ADP+MQJGjUMofnu
-Sv1t3v4mpTsCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgCgMA0GCSqGSIb3DQEB
-BAUAA4GBAGw9mcMF4h3K5S2qaIWLQDEgZhNo5lg6idCNdbLFYth9go/32TKBd/Y1
-W4UpzmeyubwrGXjP84f9RvGVdbIJVwMwwXrNckdxgMp9ncllPEcRIn36BwsoeKGT
-6AVFSOIyMko96FMcELfHc4wHUOH5yStTQfWDjeUJOUqOA2KqQGOL
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Secure Server Certificate Authority, CN=BelSign Secure Server CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
-        Validity
-            Not Before: Jul 16 22:00:54 1997 GMT
-            Not After : Jul 16 22:00:54 2007 GMT
-        Subject: C=BE, L=Brussels, O=BelSign NV, OU=BelSign Secure Server Certificate Authority, CN=BelSign Secure Server CA/Email=webmaster@belsign.be <mailto:webmaster@belsign.be>
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:d6:01:12:78:92:f8:04:42:7f:c9:c7:22:83:fc:
-                    7c:47:70:30:2b:49:0b:3e:36:40:90:28:da:21:73:
-                    83:53:f2:c4:d1:16:40:c0:53:ff:ae:a6:c6:24:b3:
-                    27:6d:a5:b3:3d:39:77:5d:a8:06:f6:e6:e9:bc:63:
-                    11:4e:06:65:70:0a:9d:93:f9:a2:40:8b:7f:4a:84:
-                    0e:8d:16:b1:d6:cc:08:64:12:0c:e0:28:4b:c8:a5:
-                    84:90:17:fb:11:46:2e:d6:a7:85:18:cb:18:ae:63:
-                    9a:b0:58:06:f4:00:cf:f8:c4:09:1a:35:0c:a1:f9:
-                    ee:4a:fd:6d:de:fe:26:a5:3b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Cert Type: 
-                SSL Client, S/MIME
-    Signature Algorithm: md5WithRSAEncryption
-        6c:3d:99:c3:05:e2:1d:ca:e5:2d:aa:68:85:8b:40:31:20:66:
-        13:68:e6:58:3a:89:d0:8d:75:b2:c5:62:d8:7d:82:8f:f7:d9:
-        32:81:77:f6:35:5b:85:29:ce:67:b2:b9:bc:2b:19:78:cf:f3:
-        87:fd:46:f1:95:75:b2:09:57:03:30:c1:7a:cd:72:47:71:80:
-        ca:7d:9d:c9:65:3c:47:11:22:7d:fa:07:0b:28:78:a1:93:e8:
-        05:45:48:e2:32:32:4a:3d:e8:53:1c:10:b7:c7:73:8c:07:50:
-        e1:f9:c9:2b:53:41:f5:83:8d:e5:09:39:4a:8e:03:62:aa:40:
-        63:8b
-
-Deutsche Telekom AG Root CA
-===========================
-MD5 Fingerprint: 77:DE:04:94:77:D0:0C:5F:A7:B1:F4:30:18:87:FB:55
-PEM Data:
------BEGIN CERTIFICATE-----
-MIICjjCCAfegAwIBAgIBBjANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJERTEc
-MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEdMBsGA1UECxMUVGVsZVNlYyBU
-cnVzdCBDZW50ZXIxITAfBgNVBAMTGERldXRzY2hlIFRlbGVrb20gUm9vdCBDQTAe
-Fw05ODEyMDkwOTExMDBaFw0wNDEyMDkyMzU5MDBaMG0xCzAJBgNVBAYTAkRFMRww
-GgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR0wGwYDVQQLExRUZWxlU2VjIFRy
-dXN0IENlbnRlcjEhMB8GA1UEAxMYRGV1dHNjaGUgVGVsZWtvbSBSb290IENBMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdBSz5BbO5EtdpcffqVjAIVxRDe7sa
-nG0vV2HX4vVEa+42QZb2ZM7hwbK5pBQEmFDocPiONZp9ScFhHVmu2gYYlX2tzuyp
-vtEYD0CRdiqj5f3+iRX0V/fgVdp1rQD0LME1zLRDJlViRC4BJZyKW/DB0AA1eP41
-3pRAZHiDocw5iQIDAQABoz4wPDAPBgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQE
-AwIBBjAZBgNVHQ4EEgQQLIdZH4sTgLL5hp0+En5YljANBgkqhkiG9w0BAQQFAAOB
-gQAP/nO1B4hvoAuJ6spQH5TelCsLJ15P9RyVJtqMllStGZE3Q12ryYuzzW+YOT3t
-3TXjcbftE5OD6IblKTMTE7w1e/0oL3BZ1dO0jSgTWTvI1XT5RcIHYKq4GFT5pWj/
-1wXVj7YFMS5BSvQQH2BHGguLGU2SVyDS71AZ6M3QcLy8Ng==
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 6 (0x6)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=DE, O=Deutsche Telekom AG, OU=TeleSec Trust Center, CN=Deutsche Telekom Root CA
-        Validity
-            Not Before: Dec  9 09:11:00 1998 GMT
-            Not After : Dec  9 23:59:00 2004 GMT
-        Subject: C=DE, O=Deutsche Telekom AG, OU=TeleSec Trust Center, CN=Deutsche Telekom Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:dd:05:2c:f9:05:b3:b9:12:d7:69:71:f7:ea:56:
-                    30:08:57:14:43:7b:bb:1a:9c:6d:2f:57:61:d7:e2:
-                    f5:44:6b:ee:36:41:96:f6:64:ce:e1:c1:b2:b9:a4:
-                    14:04:98:50:e8:70:f8:8e:35:9a:7d:49:c1:61:1d:
-                    59:ae:da:06:18:95:7d:ad:ce:ec:a9:be:d1:18:0f:
-                    40:91:76:2a:a3:e5:fd:fe:89:15:f4:57:f7:e0:55:
-                    da:75:ad:00:f4:2c:c1:35:cc:b4:43:26:55:62:44:
-                    2e:01:25:9c:8a:5b:f0:c1:d0:00:35:78:fe:35:de:
-                    94:40:64:78:83:a1:cc:39:89
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:TRUE, pathlen:5
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                2C:87:59:1F:8B:13:80:B2:F9:86:9D:3E:12:7E:58:96
-    Signature Algorithm: md5WithRSAEncryption
-        0f:fe:73:b5:07:88:6f:a0:0b:89:ea:ca:50:1f:94:de:94:2b:
-        0b:27:5e:4f:f5:1c:95:26:da:8c:96:54:ad:19:91:37:43:5d:
-        ab:c9:8b:b3:cd:6f:98:39:3d:ed:dd:35:e3:71:b7:ed:13:93:
-        83:e8:86:e5:29:33:13:13:bc:35:7b:fd:28:2f:70:59:d5:d3:
-        b4:8d:28:13:59:3b:c8:d5:74:f9:45:c2:07:60:aa:b8:18:54:
-        f9:a5:68:ff:d7:05:d5:8f:b6:05:31:2e:41:4a:f4:10:1f:60:
-        47:1a:0b:8b:19:4d:92:57:20:d2:ef:50:19:e8:cd:d0:70:bc:
-        bc:36
-
-Digital Signature Trust Co. Global CA 1
-=======================================
-MD5 Fingerprint: 25:7A:BA:83:2E:B6:A2:0B:DA:FE:F5:02:0F:08:D7:AD
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDKTCCApKgAwIBAgIENnAVljANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
-EwhEU1RDQSBFMTAeFw05ODEyMTAxODEwMjNaFw0xODEyMTAxODQwMjNaMEYxCzAJ
-BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
-ETAPBgNVBAsTCERTVENBIEUxMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCg
-bIGpzzQeJN3+hijM3oMv+V7UQtLodGBmE5gGHKlREmlvMVW5SXIACH7TpWJENySZ
-j9mDSI+ZbZUTu0M7LklOiDfBu1h//uG9+LthzfNHwJmm8fOR6Hh8AMthyUQncWlV
-Sn5JTe2io74CTADKAqjuAQIxZA9SLRN0dja1erQtcQIBA6OCASQwggEgMBEGCWCG
-SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
-RFNUQ0EgRTExDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMTAxODEw
-MjNagQ8yMDE4MTIxMDE4MTAyM1owCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFGp5
-fpFpRhgTCgJ3pVlbYJglDqL4MB0GA1UdDgQWBBRqeX6RaUYYEwoCd6VZW2CYJQ6i
-+DAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
-SIb3DQEBBQUAA4GBACIS2Hod3IEGtgllsofIH160L+nEHvI8wbsEkBFKg05+k7lN
-QseSJqBcNJo4cvj9axY+IO6CizEqkzaFI4iKPANo08kJD038bKTaKHKTDomAsH3+
-gG9lbRgzl4vCa4nuYD3Im+9/KzJic5PLPON74nZ4RbyhkwS7hp86W0N6w4pl
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 913315222 (0x36701596)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
-        Validity
-            Not Before: Dec 10 18:10:23 1998 GMT
-            Not After : Dec 10 18:40:23 2018 GMT
-        Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:a0:6c:81:a9:cf:34:1e:24:dd:fe:86:28:cc:de:
-                    83:2f:f9:5e:d4:42:d2:e8:74:60:66:13:98:06:1c:
-                    a9:51:12:69:6f:31:55:b9:49:72:00:08:7e:d3:a5:
-                    62:44:37:24:99:8f:d9:83:48:8f:99:6d:95:13:bb:
-                    43:3b:2e:49:4e:88:37:c1:bb:58:7f:fe:e1:bd:f8:
-                    bb:61:cd:f3:47:c0:99:a6:f1:f3:91:e8:78:7c:00:
-                    cb:61:c9:44:27:71:69:55:4a:7e:49:4d:ed:a2:a3:
-                    be:02:4c:00:ca:02:a8:ee:01:02:31:64:0f:52:2d:
-                    13:74:76:36:b5:7a:b4:2d:71
-                Exponent: 3 (0x3)
-        X509v3 extensions:
-            Netscape Cert Type: 
-                SSL CA, S/MIME CA, Object Signing CA
-            X509v3 CRL Distribution Points: 
-                DirName:/C=US/O=Digital Signature Trust Co./OU=DSTCA E1/CN=CRL1
-
-            X509v3 Private Key Usage Period: 
-                Not Before: Dec 10 18:10:23 1998 GMT, Not After: Dec 10 18:10:23 2018 GMT
-            X509v3 Key Usage: 
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8
-
-            X509v3 Subject Key Identifier: 
-                6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8
-            X509v3 Basic Constraints: 
-                CA:TRUE
-            1.2.840.113533.7.65.0: 
-                0
-..V4.0....
-    Signature Algorithm: sha1WithRSAEncryption
-        22:12:d8:7a:1d:dc:81:06:b6:09:65:b2:87:c8:1f:5e:b4:2f:
-        e9:c4:1e:f2:3c:c1:bb:04:90:11:4a:83:4e:7e:93:b9:4d:42:
-        c7:92:26:a0:5c:34:9a:38:72:f8:fd:6b:16:3e:20:ee:82:8b:
-        31:2a:93:36:85:23:88:8a:3c:03:68:d3:c9:09:0f:4d:fc:6c:
-        a4:da:28:72:93:0e:89:80:b0:7d:fe:80:6f:65:6d:18:33:97:
-        8b:c2:6b:89:ee:60:3d:c8:9b:ef:7f:2b:32:62:73:93:cb:3c:
-        e3:7b:e2:76:78:45:bc:a1:93:04:bb:86:9f:3a:5b:43:7a:c3:
-        8a:65
-
-Digital Signature Trust Co. Global CA 2
-=======================================
-MD5 Fingerprint: 6C:C9:A7:6E:47:F1:0C:E3:53:3B:78:4C:4D:C2:6A:C5
-PEM Data:
------BEGIN CERTIFICATE-----
-MIID2DCCAsACEQDQHkCLAAACfAAAAAIAAAABMA0GCSqGSIb3DQEBBQUAMIGpMQsw
-CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp
-dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UE
-CxMIRFNUQ0EgWDExFjAUBgNVBAMTDURTVCBSb290Q0EgWDExITAfBgkqhkiG9w0B
-CQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05ODEyMDExODE4NTVaFw0wODExMjgx
-ODE4NTVaMIGpMQswCQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMO
-U2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0
-IENvLjERMA8GA1UECxMIRFNUQ0EgWDExFjAUBgNVBAMTDURTVCBSb290Q0EgWDEx
-ITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANLGJrbnpT3BxGjVUG9TxW9JEwm4ryxIjRRqoxdf
-WvnTLnUv2Chi0ZMv/E3Uq4flCMeZ55I/db3rJbQVwZsZPdJEjdd0IG03Ao9pk1uK
-xBmd9LIO/BZsubEFkoPRhSxglD5FVaDZqwgh5mDoO3TymVBRaNADLbGAvqPYUrBE
-zUNKcI5YhZXhTizWLUFv1oTnyJhEykfbLCSlaSbPa7gnYsP0yXqSI+0TZ4KuRS5F
-5X5yP4WdlGIQ5jyRoa13AOAV7POEgHJ6jm5gl8ckWRA0g1vhpaRptlc1HHhZxtMv
-OnNn7pTKBBMFYgZwI7P0fO5F2WQLW0mqpEPOJsREEmy43XkCAwEAATANBgkqhkiG
-9w0BAQUFAAOCAQEAojeyP2n714Z5VEkxlTMr89EJFEliYIalsBHiUMIdBlc+Legz
-ZL6bqq1fG03UmZWii5rJYnK1aerZWKs17RWiQ9a2vAd5ZWRzfdd5ynvVWlHG4VME
-lo04z6MXrDlxawHDi1M8Y+nuecDkvpIyZHqzH5eUYr3qsiAVlfuX8ngvYzZAOONG
-Dx3drJXK50uQe7FLqdTF65raqtWjlBRGjS0f8zrWkzr2Pnn86Oawde3uPclwx12q
-gUtGJRzHbBXjlU4PqjI3lAoXJJIThFjSY28r9+ZbYgsTF7ANUkz+/m9c4pFuHf2k
-Ytdo+o56T9II2pPc8JIRetDccpMMc5NihWjQ9A==
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 1 (0x0)
-        Serial Number:
-            d0:1e:40:8b:00:00:02:7c:00:00:00:02:00:00:00:01
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X1, CN=DST RootCA X1/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
-        Validity
-            Not Before: Dec  1 18:18:55 1998 GMT
-            Not After : Nov 28 18:18:55 2008 GMT
-        Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X1, CN=DST RootCA X1/Email=ca@digsigtrust.com <mailto:ca@digsigtrust.com>
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:d2:c6:26:b6:e7:a5:3d:c1:c4:68:d5:50:6f:53:
-                    c5:6f:49:13:09:b8:af:2c:48:8d:14:6a:a3:17:5f:
-                    5a:f9:d3:2e:75:2f:d8:28:62:d1:93:2f:fc:4d:d4:
-                    ab:87:e5:08:c7:99:e7:92:3f:75:bd:eb:25:b4:15:
-                    c1:9b:19:3d:d2:44:8d:d7:74:20:6d:37:02:8f:69:
-                    93:5b:8a:c4:19:9d:f4:b2:0e:fc:16:6c:b9:b1:05:
-                    92:83:d1:85:2c:60:94:3e:45:55:a0:d9:ab:08:21:
-                    e6:60:e8:3b:74:f2:99:50:51:68:d0:03:2d:b1:80:
-                    be:a3:d8:52:b0:44:cd:43:4a:70:8e:58:85:95:e1:
-                    4e:2c:d6:2d:41:6f:d6:84:e7:c8:98:44:ca:47:db:
-                    2c:24:a5:69:26:cf:6b:b8:27:62:c3:f4:c9:7a:92:
-                    23:ed:13:67:82:ae:45:2e:45:e5:7e:72:3f:85:9d:
-                    94:62:10:e6:3c:91:a1:ad:77:00:e0:15:ec:f3:84:
-                    80:72:7a:8e:6e:60:97:c7:24:59:10:34:83:5b:e1:
-                    a5:a4:69:b6:57:35:1c:78:59:c6:d3:2f:3a:73:67:
-                    ee:94:ca:04:13:05:62:06:70:23:b3:f4:7c:ee:45:
-                    d9:64:0b:5b:49:aa:a4:43:ce:26:c4:44:12:6c:b8:
-                    dd:79
-                Exponent: 65537 (0x10001)
-    Signature Algorithm: sha1WithRSAEncryption
-        a2:37:b2:3f:69:fb:d7:86:79:54:49:31:95:33:2b:f3:d1:09:
-        14:49:62:60:86:a5:b0:11:e2:50:c2:1d:06:57:3e:2d:e8:33:
-        64:be:9b:aa:ad:5f:1b:4d:d4:99:95:a2:8b:9a:c9:62:72:b5:
-        69:ea:d9:58:ab:35:ed:15:a2:43:d6:b6:bc:07:79:65:64:73:
-        7d:d7:79:ca:7b:d5:5a:51:c6:e1:53:04:96:8d:38:cf:a3:17:
-        ac:39:71:6b:01:c3:8b:53:3c:63:e9:ee:79:c0:e4:be:92:32:
-        64:7a:b3:1f:97:94:62:bd:ea:b2:20:15:95:fb:97:f2:78:2f:
-        63:36:40:38:e3:46:0f:1d:dd:ac:95:ca:e7:4b:90:7b:b1:4b:
-        a9:d4:c5:eb:9a:da:aa:d5:a3:94:14:46:8d:2d:1f:f3:3a:d6:
-        93:3a:f6:3e:79:fc:e8:e6:b0:75:ed:ee:3d:c9:70:c7:5d:aa:
-        81:4b:46:25:1c:c7:6c:15:e3:95:4e:0f:aa:32:37:94:0a:17:
-        24:92:13:84:58:d2:63:6f:2b:f7:e6:5b:62:0b:13:17:b0:0d:
-        52:4c:fe:fe:6f:5c:e2:91:6e:1d:fd:a4:62:d7:68:fa:8e:7a:
-        4f:d2:08:da:93:dc:f0:92:11:7a:d0:dc:72:93:0c:73:93:62:
-        85:68:d0:f4
-
-Digital Signature Trust Co. Global CA 3
-=======================================
-MD5 Fingerprint: 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
-EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ
-BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
-ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/
-k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso
-LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o
-TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG
-SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
-RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3
-MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C
-TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5
-WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
-SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR
-xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL
-B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID
------END CERTIFICATE-----
-Certificate Ingredients:
-    Data:
-        Version: 3 (0x2)