import edu.internet2.middleware.shibboleth.common.RelyingParty;
import edu.internet2.middleware.shibboleth.common.ServiceProviderMapper;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
+import edu.internet2.middleware.shibboleth.common.ShibbolethTrust;
+import edu.internet2.middleware.shibboleth.common.Trust;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.Metadata;
import edu.internet2.middleware.shibboleth.metadata.MetadataException;
private AttributeResolver resolver;
private ArtifactMapper artifactMapper;
private Semaphore throttle;
+ private Trust trust = new ShibbolethTrust();
IdPProtocolSupport(IdPConfig config, Logger transactionLog, NameMapper nameMapper, ServiceProviderMapper spMapper,
ArpEngine arpEngine, AttributeResolver resolver, ArtifactMapper artifactMapper)
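Review bot: The new `trust` field is hard-wired to `new ShibbolethTrust()` while every other collaborator of IdPProtocolSupport arrives through the constructor (`config`, `nameMapper`, `spMapper`, `arpEngine`, `resolver`, `artifactMapper` on the two signature lines below it), so the trust policy that now gates SP credential validation is the one dependency that cannot be configured or replaced in a test. Nothing visible reassigns it, so at minimum declare it `private final Trust trust = new ShibbolethTrust();`, and consider accepting a `Trust` constructor parameter that defaults to `ShibbolethTrust` so the wiring matches the rest of the class. The constructor body is outside the hunk.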
return artifactMapper;
}
+ public Trust getTrust() {
+
+ return trust;
+ }
+
private class Semaphore {
private int value;
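Review bot: `getTrust()` is the accessor every protocol handler will use to validate relying-party certificates, yet it carries no Javadoc saying what the returned object is for or that it is shared across requests. Add `/** Returns the Trust engine handlers use to validate a relying party's credential against its metadata role. */` above the method. Whether the engine is safe to call concurrently is not visible here; if ShibbolethTrust holds no per-request state, say so in the same comment.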
package edu.internet2.middleware.shibboleth.idp.provider;
-import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.List;
-import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
-import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.keys.KeyInfo;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
/**
* @author Walter Hoehn
return null;
}
- protected static boolean isValidCredential(EntityDescriptor provider, X509Certificate certificate) {
-
- SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
- if (sp == null) {
- log.info("Inappropriate metadata for provider.");
- return false;
- }
-
- Iterator descriptors = sp.getKeyDescriptors();
- while (descriptors.hasNext()) {
- KeyInfo keyInfo = ((KeyDescriptor) descriptors.next()).getKeyInfo();
- for (int l = 0; keyInfo.lengthKeyName() > l; l++) {
- try {
-
- // First, try to match DN against metadata
- try {
- if (certificate.getSubjectX500Principal().getName(X500Principal.RFC2253).equals(
- new X500Principal(keyInfo.itemKeyName(l).getKeyName()).getName(X500Principal.RFC2253))) {
- log.debug("Matched against DN.");
- return true;
- }
- } catch (IllegalArgumentException iae) {
- // squelch this runtime exception, since
- // this might be a valid case
- }
-
- // If that doesn't work, we try matching against
- // some Subject Alt Names
- try {
- Collection altNames = certificate.getSubjectAlternativeNames();
- if (altNames != null) {
- for (Iterator nameIterator = altNames.iterator(); nameIterator.hasNext();) {
- List altName = (List) nameIterator.next();
- if (altName.get(0).equals(new Integer(2)) || altName.get(0).equals(new Integer(6))) {
- // 2 is DNS, 6 is URI
- if (altName.get(1).equals(keyInfo.itemKeyName(l).getKeyName())) {
- log.debug("Matched against SubjectAltName.");
- return true;
- }
- }
- }
- }
- } catch (CertificateParsingException e1) {
- log.error("Encountered an problem trying to extract Subject Alternate "
- + "Name from supplied certificate: " + e1);
- }
-
- // If that doesn't work, try to match using
- // SSL-style hostname matching
- if (getHostNameFromDN(certificate.getSubjectX500Principal()).equals(
- keyInfo.itemKeyName(l).getKeyName())) {
- log.debug("Matched against hostname.");
- return true;
- }
-
- } catch (XMLSecurityException e) {
- log.error("Encountered an error reading federation metadata: " + e);
- }
- }
- }
- log.info("Supplied credential not found in metadata.");
- return false;
- }
-
protected class InvalidProviderCredentialException extends Exception {
public InvalidProviderCredentialException(String message) {
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
+import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
+import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
/**
* @author Walter Hoehn
log.info("No metadata found for provider: (" + mapping.getServiceProviderId() + ").");
throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider.");
}
+ RoleDescriptor role = provider.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
+ if (role == null) {
+ log
+ .info("SPSSO role not found in metadata for provider: (" + mapping.getServiceProviderId()
+ + ").");
+ throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider role.");
+ }
// Make sure that the suppplied credential is valid for the provider to which the artifact was issued
- if (!isValidCredential(provider, credential)) {
+ if (!support.getTrust().validate(role,
+ (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"),
+ KeyDescriptor.ENCRYPTION)) {
log.error("Supplied credential ("
+ credential.getSubjectX500Principal().getName(X500Principal.RFC2253)
+ ") is NOT valid for provider (" + mapping.getServiceProviderId()
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
+import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
+import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
/**
log.info("Treating remote provider as unauthenticated.");
return null;
}
+ RoleDescriptor role = provider.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
+ if (role == null) {
+ log.info("SPSSO role not found in metadata for provider: (" + relyingParty.getProviderId() + ").");
+ log.info("Treating remote provider as unauthenticated.");
+ return null;
+ }
// Make sure that the suppplied credential is valid for the
// selected relying party
- if (isValidCredential(provider, credential)) {
+ if (support.getTrust().validate(role,
+ (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate"),
+ KeyDescriptor.ENCRYPTION)) {
log.info("Supplied credential validated for this provider.");
log.info("Request from service provider: (" + relyingParty.getProviderId() + ").");
return relyingParty.getProviderId();
+
} else {
log.error("Supplied credential ("
+ credential.getSubjectX500Principal().getName(X500Principal.RFC2253)
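Review bot: The role lookup duplicates the literal `"urn:oasis:names:tc:SAML:1.1:protocol"` that the artifact handler in this commit also hard-codes, whereas the removed isValidCredential used `org.opensaml.XML.SAML11_PROTOCOL_ENUM`; replace the literal with that constant in both handlers. The added blank line after `return relyingParty.getProviderId();` is a stray whitespace change in an otherwise focused hunk and should be dropped. The guard just above the hunk that returns null with "Treating remote provider as unauthenticated" has its condition outside the hunk; if it only covers missing metadata, a request with no client certificate hands `validate` a null `X509Certificate[]`, and that case should be rejected explicitly here (`if (chain == null || chain.length == 0)` returning null with the same unauthenticated log line) rather than relying on undocumented behaviour of `Trust.validate`. The enclosing method starts and ends outside the hunk.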