1 /**
2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
6 *
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
10 * License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
19 */
20
21 /**
22 * samlsign.cpp
23 *
24 * Command-line tool to sign and verify objects.
25 */
26
27 #if defined (_MSC_VER) || defined(__BORLANDC__)
28 # include "config_win32.h"
29 #else
30 # include "config.h"
31 #endif
32
33 #ifdef WIN32
34 # define _CRT_NONSTDC_NO_DEPRECATE 1
35 # define _CRT_SECURE_NO_DEPRECATE 1
36 #endif
37
38 #include <saml/SAMLConfig.h>
39 #include <saml/saml2/metadata/Metadata.h>
40 #include <saml/saml2/metadata/MetadataProvider.h>
41 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
42 #include <saml/signature/ContentReference.h>
43 #include <saml/signature/SignatureProfileValidator.h>
44 #include <saml/util/SAMLConstants.h>
45 #include <xmltooling/logging.h>
46 #include <xmltooling/XMLToolingConfig.h>
47 #include <xmltooling/security/Credential.h>
48 #include <xmltooling/security/SignatureTrustEngine.h>
49 #include <xmltooling/signature/Signature.h>
50 #include <xmltooling/signature/SignatureValidator.h>
51 #include <xmltooling/util/ParserPool.h>
52 #include <xmltooling/util/XMLHelper.h>
53
54 #include <fstream>
55 #include <xercesc/framework/LocalFileInputSource.hpp>
56 #include <xercesc/framework/StdInInputSource.hpp>
57 #include <xercesc/framework/Wrapper4InputSource.hpp>
58 #include <boost/scoped_ptr.hpp>
59
60 using namespace xmlsignature;
61 using namespace xmlconstants;
62 using namespace xmltooling::logging;
63 using namespace xmltooling;
64 using namespace samlconstants;
65 using namespace opensaml::saml2md;
66 using namespace opensaml;
67 using namespace xercesc;
68 using namespace std;
69
70 using boost::scoped_ptr;
71
buildPlugin(const char * path,PluginManager<T,string,const DOMElement * > & mgr)72 template<class T> T* buildPlugin(const char* path, PluginManager<T,string,const DOMElement*>& mgr)
73 {
74 ifstream in(path);
75 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
76 XercesJanitor<DOMDocument> janitor(doc);
77
78 static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
79 auto_ptr_char type(doc->getDocumentElement()->getAttributeNS(nullptr,_type));
80 if (type.get() && *type.get())
81 return mgr.newPlugin(type.get(), doc->getDocumentElement(), false);
82 throw XMLToolingException("Missing type in plugin configuration.");
83 }
84
buildSimpleResolver(const char * key,const char * cert)85 CredentialResolver* buildSimpleResolver(const char* key, const char* cert)
86 {
87 static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
88 static const XMLCh _certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
89 static const XMLCh _key[] = UNICODE_LITERAL_3(k,e,y);
90
91 DOMDocument* doc = XMLToolingConfig::getConfig().getParser().newDocument();
92 XercesJanitor<DOMDocument> janitor(doc);
93 DOMElement* root = doc->createElementNS(nullptr, _CredentialResolver);
94 if (key) {
95 auto_ptr_XMLCh widenit(key);
96 root->setAttributeNS(nullptr, _key, widenit.get());
97 }
98 if (cert) {
99 auto_ptr_XMLCh widenit(cert);
100 root->setAttributeNS(nullptr, _certificate, widenit.get());
101 }
102
103 return XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, root, false);
104 }
105
106 class DummyCredentialResolver : public CredentialResolver
107 {
108 public:
DummyCredentialResolver()109 DummyCredentialResolver() {}
~DummyCredentialResolver()110 ~DummyCredentialResolver() {}
111
lock()112 Lockable* lock() {return this;}
unlock()113 void unlock() {}
114
resolve(const CredentialCriteria * criteria=nullptr) const115 const Credential* resolve(const CredentialCriteria* criteria=nullptr) const {return nullptr;}
resolve(vector<const Credential * > & results,const CredentialCriteria * criteria=nullptr) const116 vector<const Credential*>::size_type resolve(
117 vector<const Credential*>& results, const CredentialCriteria* criteria=nullptr
118 ) const {return 0;}
119 };
120
main(int argc,char * argv[])121 int main(int argc,char* argv[])
122 {
123 bool verify=true,validate=false;
124 char* url_param=nullptr;
125 char* path_param=nullptr;
126 char* key_param=nullptr;
127 char* cert_param=nullptr;
128 char* cr_param=nullptr;
129 char* t_param=nullptr;
130 char* id_param=nullptr;
131 char* alg_param=nullptr;
132 char* dig_param=nullptr;
133
134 // metadata lookup options
135 char* m_param=nullptr;
136 char* issuer=nullptr;
137 char* prot = nullptr;
138 const XMLCh* protocol = nullptr;
139 const char* rname = nullptr;
140 char* rns = nullptr;
141
142 for (int i=1; i<argc; i++) {
143 if (!strcmp(argv[i],"-u") && i+1<argc)
144 url_param=argv[++i];
145 else if (!strcmp(argv[i],"-f") && i+1<argc)
146 path_param=argv[++i];
147 else if (!strcmp(argv[i],"-id") && i+1<argc)
148 id_param=argv[++i];
149 else if (!strcmp(argv[i],"-s"))
150 verify=false;
151 else if (!strcmp(argv[i],"-k") && i+1<argc)
152 key_param=argv[++i];
153 else if (!strcmp(argv[i],"-c") && i+1<argc)
154 cert_param=argv[++i];
155 else if (!strcmp(argv[i],"-R") && i+1<argc)
156 cr_param=argv[++i];
157 else if (!strcmp(argv[i],"-T") && i+1<argc)
158 t_param=argv[++i];
159 else if (!strcmp(argv[i],"-M") && i+1<argc)
160 m_param=argv[++i];
161 else if (!strcmp(argv[i],"-i") && i+1<argc)
162 issuer=argv[++i];
163 else if (!strcmp(argv[i],"-p") && i+1<argc)
164 prot=argv[++i];
165 else if (!strcmp(argv[i],"-r") && i+1<argc)
166 rname=argv[++i];
167 else if (!strcmp(argv[i],"-V"))
168 validate = true;
169 else if (!strcmp(argv[i],"-ns") && i+1<argc)
170 rns=argv[++i];
171 else if (!strcmp(argv[i],"-alg") && i+1<argc)
172 alg_param=argv[++i];
173 else if (!strcmp(argv[i],"-dig") && i+1<argc)
174 dig_param=argv[++i];
175 else if (!strcmp(argv[i],"-saml10"))
176 protocol=samlconstants::SAML10_PROTOCOL_ENUM;
177 else if (!strcmp(argv[i],"-saml11"))
178 protocol=samlconstants::SAML11_PROTOCOL_ENUM;
179 else if (!strcmp(argv[i],"-saml2"))
180 protocol=samlconstants::SAML20P_NS;
181 else if (!strcmp(argv[i],"-idp"))
182 rname="IDPSSODescriptor";
183 else if (!strcmp(argv[i],"-aa"))
184 rname="AttributeAuthorityDescriptor";
185 else if (!strcmp(argv[i],"-pdp"))
186 rname="PDPDescriptor";
187 else if (!strcmp(argv[i],"-sp"))
188 rname="SPSSODescriptor";
189 }
190
191 if (verify && !cert_param && !cr_param && !t_param) {
192 cerr << "either -c or -R or -T option required when verifiying, see documentation for usage" << endl;
193 return -1;
194 }
195 else if (!verify && !key_param && !cr_param) {
196 cerr << "either -k or -R option required when signing, see documentation for usage" << endl;
197 return -1;
198 }
199
200 XMLToolingConfig& xmlconf = XMLToolingConfig::getConfig();
201 xmlconf.log_config(getenv("OPENSAML_LOG_CONFIG"));
202 SAMLConfig& conf=SAMLConfig::getConfig();
203 if (!conf.init())
204 return -2;
205
206 if (getenv("OPENSAML_SCHEMAS"))
207 xmlconf.getValidatingParser().loadCatalogs(getenv("OPENSAML_SCHEMAS"));
208
209 Category& log = Category::getInstance("OpenSAML.Utility.SAMLSign");
210
211 int ret = 0;
212
213 try {
214 // Parse the specified document.
215 DOMDocument* doc=nullptr;
216 if (url_param) {
217 auto_ptr_XMLCh wideurl(url_param);
218 URLInputSource src(wideurl.get());
219 Wrapper4InputSource dsrc(&src,false);
220 if (validate)
221 doc = xmlconf.getValidatingParser().parse(dsrc);
222 else
223 doc = xmlconf.getParser().parse(dsrc);
224 }
225 else if (path_param) {
226 auto_ptr_XMLCh widenit(path_param);
227 LocalFileInputSource src(widenit.get());
228 Wrapper4InputSource dsrc(&src,false);
229 if (validate)
230 doc = xmlconf.getValidatingParser().parse(dsrc);
231 else
232 doc = xmlconf.getParser().parse(dsrc);
233 }
234 else {
235 StdInInputSource src;
236 Wrapper4InputSource dsrc(&src,false);
237 if (validate)
238 doc = xmlconf.getValidatingParser().parse(dsrc);
239 else
240 doc = xmlconf.getParser().parse(dsrc);
241 }
242
243 // Unmarshall it.
244 XercesJanitor<DOMDocument> jan(doc);
245 scoped_ptr<XMLObject> sourcewrapper(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
246 jan.release();
247
248 // Navigate to the selected node, or use the root if no ID specified.
249 // Then make sure it's a SignableSAMLObject.
250 XMLObject* source = sourcewrapper.get();
251 if (id_param) {
252 auto_ptr_XMLCh widenit(id_param);
253 source = XMLHelper::getXMLObjectById(*source, widenit.get());
254 if (!source)
255 throw XMLToolingException("Element with ID ($1) not found.", params(1,id_param));
256 }
257 SignableObject* signable = dynamic_cast<SignableObject*>(source);
258 if (!signable)
259 throw XMLToolingException("Input is not a signable SAML object.");
260
261 if (verify) {
262 if (!signable->getSignature())
263 throw SignatureException("Cannot verify unsigned object.");
264
265 // Check the profile.
266 SignatureProfileValidator sigval;
267 sigval.validate(signable->getSignature());
268
269 if (cert_param || cr_param) {
270 // Build a resolver to supply trusted credentials.
271 auto_ptr<CredentialResolver> cr(
272 cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(nullptr, cert_param)
273 );
274 Locker locker(cr.get());
275
276 // Set up criteria.
277 CredentialCriteria cc;
278 cc.setUsage(Credential::SIGNING_CREDENTIAL);
279 cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY);
280 if (issuer)
281 cc.setPeerName(issuer);
282
283 // Try every credential we can find.
284 vector<const Credential*> creds;
285 if (cr->resolve(creds, &cc)) {
286 bool good=false;
287 SignatureValidator sigValidator;
288 for (vector<const Credential*>::const_iterator i = creds.begin(); i != creds.end(); ++i) {
289 try {
290 sigValidator.setCredential(*i);
291 sigValidator.validate(signable->getSignature());
292 log.info("successful signature verification");
293 good = true;
294 break;
295 }
296 catch (exception& e) {
297 log.info("error trying verification key: %s", e.what());
298 }
299 }
300 if (!good)
301 throw SignatureException("CredentialResolver did not supply a successful verification key.");
302 }
303 else {
304 throw SignatureException("CredentialResolver did not supply any verification keys.");
305 }
306 }
307 else {
308 // TrustEngine-based verification, so try and build the plugins.
309 auto_ptr<TrustEngine> trust(buildPlugin(t_param, xmlconf.TrustEngineManager));
310 SignatureTrustEngine* sigtrust = dynamic_cast<SignatureTrustEngine*>(trust.get());
311 if (m_param && rname && issuer) {
312 if (!protocol) {
313 if (prot)
314 protocol = XMLString::transcode(prot);
315 }
316 if (!protocol) {
317 conf.term();
318 cerr << "use of metadata option requires a protocol option" << endl;
319 return -1;
320 }
321 scoped_ptr<MetadataProvider> metadata(buildPlugin(m_param, conf.MetadataProviderManager));
322 metadata->init();
323
324 const XMLCh* ns = rns ? XMLString::transcode(rns) : samlconstants::SAML20MD_NS;
325 auto_ptr_XMLCh n(rname);
326 xmltooling::QName q(ns, n.get());
327
328 Locker locker(metadata.get());
329 MetadataProvider::Criteria mc(issuer, &q, protocol);
330 pair<const EntityDescriptor*,const RoleDescriptor*> entity = metadata->getEntityDescriptor(mc);
331 if (!entity.first)
332 throw MetadataException("no metadata found for ($1)", params(1, issuer));
333 else if (!entity.second)
334 throw MetadataException("compatible role $1 not found for ($2)", params(2, q.toString().c_str(), issuer));
335
336 MetadataCredentialCriteria mcc(*entity.second);
337 if (sigtrust->validate(*signable->getSignature(), *metadata.get(), &mcc))
338 log.info("successful signature verification");
339 else
340 throw SignatureException("Unable to verify signature with TrustEngine and supplied metadata.");
341 }
342 else {
343 // Set up criteria.
344 CredentialCriteria cc;
345 cc.setUsage(Credential::SIGNING_CREDENTIAL);
346 cc.setSignature(*(signable->getSignature()), CredentialCriteria::KEYINFO_EXTRACTION_KEY);
347 if (issuer)
348 cc.setPeerName(issuer);
349 DummyCredentialResolver dummy;
350 if (sigtrust->validate(*signable->getSignature(), dummy, &cc))
351 log.info("successful signature verification");
352 else
353 throw SignatureException("Unable to verify signature with TrustEngine (no metadata supplied).");
354 }
355 }
356 }
357 else {
358 // Build a resolver to supply a credential.
359 scoped_ptr<CredentialResolver> cr(
360 cr_param ? buildPlugin(cr_param, xmlconf.CredentialResolverManager) : buildSimpleResolver(key_param, cert_param)
361 );
362 Locker locker(cr.get());
363 CredentialCriteria cc;
364 cc.setUsage(Credential::SIGNING_CREDENTIAL);
365 const Credential* cred = cr->resolve(&cc);
366 if (!cred)
367 throw XMLSecurityException("Unable to resolve a signing credential.");
368
369 // Attach new signature.
370 Signature* sig = SignatureBuilder::buildSignature();
371 signable->setSignature(sig);
372 auto_ptr_XMLCh alg(alg_param);
373 if (alg.get()) {
374 sig->setSignatureAlgorithm(alg.get());
375 }
376 auto_ptr_XMLCh dig(dig_param);
377 if (dig.get()) {
378 dynamic_cast<opensaml::ContentReference*>(sig->getContentReference())->setDigestAlgorithm(dig.get());
379 }
380
381 // Sign response while re-marshalling.
382 vector<Signature*> sigs(1,sig);
383 XMLHelper::serialize(signable->marshall((DOMDocument*)nullptr,&sigs,cred), cout);
384 }
385 }
386 catch(exception& e) {
387 log.errorStream() << "caught an exception: " << e.what() << logging::eol;
388 ret=-10;
389 }
390
391 conf.term();
392 return ret;
393 }
394