Author: dumindu
Date: Fri Jan 25 02:44:50 2008
New Revision: 12889

Log:

Adding validator code.



Modified:
   trunk/solutions/identity/modules/mod-cspace/configure.ac
   trunk/solutions/identity/modules/mod-cspace/cspace_config.c
   trunk/solutions/identity/modules/mod-cspace/dummy_ppid_validator.c
   trunk/solutions/identity/modules/mod-cspace/mod_cspace.c
   trunk/solutions/identity/modules/mod-cspace/mod_cspace.h
   trunk/solutions/identity/modules/mod-cspace/process_request.c
   trunk/solutions/identity/modules/mod-cspace/process_request.h
   trunk/solutions/identity/modules/mod-cspace/process_request_defines.h
   trunk/solutions/identity/modules/mod-cspace/res/test.c

Modified: trunk/solutions/identity/modules/mod-cspace/configure.ac
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/configure.ac    (original)
+++ trunk/solutions/identity/modules/mod-cspace/configure.ac    Fri Jan 25 
02:44:50 2008
@@ -47,9 +47,9 @@
 dnl Checks for libraries.
 AC_CHECK_LIB(dl, dlopen)
 
-CFLAGS="$CFLAGS -DSHARED_MODULE"
+CFLAGS="$CFLAGS -DCSPACE_DEBUG -DSHARED_MODULE"
 if test "$GCC" = "yes"; then
-    CFLAGS="-O2 $CFLAGS -ansi -Wall -Werror -Wno-implicit-function-declaration"
+    CFLAGS="-g -O0 $CFLAGS -ansi -Wall -Werror 
-Wno-implicit-function-declaration"
 fi
 LDFLAGS="$LDFLAGS -lpthread"
 LDFLAGS="$LDFLAGS"
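Review bot: The `-DCSPACE_DEBUG` and `-g -O0` flags on the two changed CFLAGS lines are unconditional, so every build from this configure.ac, release included, is unoptimised with the debug paths compiled in. Make them opt-in, e.g. `AC_ARG_ENABLE([debug], ...)` guarding a `CFLAGS="$CFLAGS -g -O0 -DCSPACE_DEBUG"` line, and keep `-O2` as the default. `-Wno-implicit-function-declaration` is pre-existing, but it hides exactly the missing-prototype errors that a module calling symbols resolved by name is prone to; worth dropping while this line is being edited.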

Modified: trunk/solutions/identity/modules/mod-cspace/cspace_config.c
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/cspace_config.c (original)
+++ trunk/solutions/identity/modules/mod-cspace/cspace_config.c Fri Jan 25 
02:44:50 2008
@@ -157,6 +157,21 @@
     return NULL;
 }
 
+static const char *cmd_validator(cmd_parms *cmd, void *mconfig, const char 
*arg)
+{
+    return NULL;
+}
+
+static const char *cmd_ppid_val(cmd_parms *cmd, void *mconfig, const char *arg)
+{
+    return NULL;
+}
+
+static const char *cmd_cert_val(cmd_parms *cmd, void *mconfig, const char *arg)
+{
+    return NULL;
+}
+
 const command_rec cspace_cmds[] = {
     AP_INIT_NO_ARGS("UseCardSpaceAuth", cmd_use_cspace_auth, NULL, OR_ALL, 
                     "should be used only if you want cardspace auth for the " 
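Review bot: `cmd_validator`, `cmd_ppid_val` and `cmd_cert_val` all ignore `arg` and return NULL, so the three directives registered in the next hunk (`CardSpacePPIDValidator`, `CardSpaceCertValidator`, `CardSpaceValidatorType`) are accepted but never stored, while mod_cspace.c loads a hard-coded DSO path instead. Each handler should write `arg` into the per-directory config passed as `mconfig`; a directive that silently does nothing is easy to misread as working in deployment, so at minimum add `/* TODO: store arg in cspace_dir_cfg; not yet consumed by is_valid_ppid()/is_valid_cert() */` to each stub. The directives are also registered with `OR_ALL`, which would let a `.htaccess` author name a DSO that `apr_dso_load` maps into the server process once the handlers are wired up; `RSRC_CONF` is the appropriate scope for a path that selects code to load.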
@@ -183,6 +198,12 @@
                   RSRC_CONF, "Time in seconds for a session to be expired"),
     AP_INIT_FLAG("CardSpaceSingleSignOn", cmd_sso, NULL, OR_ALL,
                  "Enable Single Sign-On"),
+    AP_INIT_TAKE1("CardSpacePPIDValidator", cmd_ppid_val, NULL, OR_ALL,
+                 "Path to PPID Validator DSO"),
+    AP_INIT_TAKE1("CardSpaceCertValidator", cmd_cert_val, NULL, OR_ALL,
+                 "Path to Cert Validator DSO"),
+    AP_INIT_TAKE1("CardSpaceValidatorType", cmd_validator, NULL, OR_ALL,
+                 "Type of validator being used"),
     {NULL}
 };
 

Modified: trunk/solutions/identity/modules/mod-cspace/dummy_ppid_validator.c
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/dummy_ppid_validator.c  
(original)
+++ trunk/solutions/identity/modules/mod-cspace/dummy_ppid_validator.c  Fri Jan 
25 02:44:50 2008
@@ -1,5 +1,14 @@
+#include <openssl/x509.h>
+
+int find_ppid(char *x, char *y);
+int validate_cert(X509 *x, char *y);
+
 int find_ppid(char *x, char *y)
 {
         return 1;
 }
 
+int validate_cert(X509 *x, char *y)
+{
+        return 1;
+}
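Review bot: The loader in mod_cspace.c now resolves `"validate_ppid"` (the `apr_dso_sym` hunk at @@ -437,7 +458,7 @@), but this file still only exports `find_ppid`, so the PPID lookup fails against the dummy DSO; either rename `find_ppid` to `validate_ppid` here or revert the symbol name. The prototypes also disagree with the caller: mod_cspace.c casts to `int (*)(const char *, const char *)` and `int (*)(X509 *, const char *)`, while these definitions take non-const `char *`; using `const char *` in both definitions keeps them in step. Both functions return 1 unconditionally, i.e. every PPID and every certificate validates, which is fine for a stub but should be stated at the top of the file (`/* DUMMY: accepts every input; not a real validator */`) so it is not mistaken for one.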

Modified: trunk/solutions/identity/modules/mod-cspace/mod_cspace.c
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/mod_cspace.c    (original)
+++ trunk/solutions/identity/modules/mod-cspace/mod_cspace.c    Fri Jan 25 
02:44:50 2008
@@ -16,6 +16,11 @@
  */
 
 #include <string.h>
+#include <openssl/x509.h>
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/buffer.h>
 #include "apr_tables.h"
 #include "apr_strings.h"
 #include "ap_config.h"
@@ -39,7 +44,17 @@
 
 #define CARDSPACE_HEADER_PFX "cardspace_"
 
-static void cspace_log_error(const char *msg, pc_log_level_t level, void 
*cb_ctx)
+#define CARDSPACE_HEADER_PPID 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";
+
+
+static X509 *x509_create_with_buffer(unsigned char *input, int length);
+
+static int is_valid_cert(const char *cert, const char *uri, const char 
*dso_filename,
+                  apr_pool_t *p);
+
+
+static void cspace_log_error(const char *msg, pc_log_level_t level, 
+                             void *cb_ctx)
 {
     ap_log_error(APLOG_MARK, level, 0, (server_rec *)cb_ctx, msg);
 }
@@ -419,15 +434,21 @@
     return state;
 }
 
-#define CARDSPACE_HEADER_PPID 
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";
-
-static int is_valid_ppid(const char *ppid, char *uri, char *dso_filename, 
apr_pool_t *p)
+static int is_valid_ppid(const char *ppid, const char *uri, const char 
*dso_filename,
+                         apr_pool_t *p)
 {
     apr_status_t rv;
     apr_dso_handle_sym_t sym = NULL;
     apr_dso_handle_t *hand = NULL;
     int (*func)(const char*, const char *); /*ppid, uri*/
     
+    char *fname = NULL;
+    
+    if (!ppid || !dso_filename)
+        return FAIL;
+
+    apr_filepath_merge(&fname, NULL, dso_filename, 0, p);
+
     rv = apr_dso_load(&hand, dso_filename, p);
     if (rv)
     {
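Review bot: `apr_filepath_merge(&fname, NULL, dso_filename, 0, p)` computes `fname`, but the `apr_dso_load` that follows still loads `dso_filename`, and the merge's status is dropped; the same pattern appears in the new `is_valid_cert`. Either use the result and check it — `if (apr_filepath_merge(&fname, NULL, dso_filename, 0, p) != APR_SUCCESS) return FAIL;` followed by `rv = apr_dso_load(&hand, fname, p);` — or remove the merge. `uri` is passed through to the validator without a NULL check, unlike `ppid`; `r->uri` is presumably always set by the caller, but `if (!ppid || !uri || !dso_filename)` costs nothing. is_valid_ppid's body continues past the end of this hunk.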
@@ -437,7 +458,7 @@
         return FAIL;
     }
     
-    rv = apr_dso_sym(&sym, hand, "find_ppid");
+    rv = apr_dso_sym(&sym, hand, "validate_ppid");
     if (rv)
     {
         /*read error using: apr_dso_error(hand, char [128], 128)*/
@@ -455,16 +476,85 @@
     return rv;
 }
 
+static X509 *x509_create_with_buffer(unsigned char *input, int length)
+{
+    BIO *b64, *bmem;
+    X509 *x509 = NULL;
+    char *buffer = (char *)malloc(length);
+    memset(buffer, 0, length);
+      
+    b64 = BIO_new(BIO_f_base64());
+    BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
+    bmem = BIO_new_mem_buf(input, length);
+    bmem = BIO_push(b64, bmem);
+
+    x509 = d2i_X509_bio(bmem, NULL);
+    BIO_free_all(bmem);
+    free(buffer);
+    return x509;
+}
+
+static int is_valid_cert(const char *cert, const char *uri, const char 
*dso_filename,
+                  apr_pool_t *p)
+{
+    X509 *x509;
+    apr_status_t rv;
+    apr_dso_handle_sym_t sym = NULL;
+    apr_dso_handle_t *hand = NULL;
+    int (*func)(X509 *, const char *); /*ppid, uri*/
+    
+    char *fname = NULL;
+
+    if (!cert || !dso_filename)
+        return FAIL;
+
+    x509 = x509_create_with_buffer((unsigned char *)cert, strlen(cert));
+    if (!x509) 
+        return FAIL;
+
+    apr_filepath_merge(&fname, NULL, dso_filename, 0, p);
+
+    rv = apr_dso_load(&hand, dso_filename, p);
+    if (rv)
+    {
+        /*read error using: apr_dso_error(hand, char [128], 128)*/
+        /*log error*/
+        apr_dso_unload(hand);
+        return FAIL;
+    }
+    
+    rv = apr_dso_sym(&sym, hand, "validate_cert");
+    if (rv)
+    {
+        /*read error using: apr_dso_error(hand, char [128], 128)*/
+        /*log error*/
+        apr_dso_unload(hand);
+        return FAIL;
+    }
+    
+    /*is it meaningful to do a if(func)?*/
+    func = (int (*)(X509 *, const char *))sym;
+    rv = (*func)(x509, uri);
+    
+    apr_dso_unload(hand);
+    
+    return rv;
+
+}
+
+#define DUMMY_VALIDATOR_PATH "/home/dummy/software/httpd-2.2.4/deploy/bin/" \
+                             "dummy_ppid_validator.so" 
+
 static int handle_session_nosso(request_rec *r, cspace_dir_cfg *dir_cfg,
                                 cspace_svr_cfg *svr_cfg)
 {
+    int validate_using_ppid = 0;
     char *session_id;
     int valid_session;
     int status;
     char *buf = NULL;
     int ret = -1;
     const char *auth_state;
-    const char *ppid;
     char *cookies = NULL;
     void *session_ctx = NULL;
 
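Review bot: The `X509` returned by `x509_create_with_buffer` in `is_valid_cert` is never freed: every return path after the `if (!x509)` check leaks it, and this runs once per authenticated request. A single exit with `X509_free(x509)` fixes it (rewrite below). In `x509_create_with_buffer` the `malloc(length)` buffer is zeroed and freed but never read, and its result is unchecked, so `memset` would dereference NULL on allocation failure; drop it, and check the two `BIO_new*` results before `BIO_set_flags`/`BIO_push`. `DUMMY_VALIDATOR_PATH` hard-codes an absolute path under a developer home directory as the DSO loaded into the server (used again in the next hunk); this should come from the `CardSpace*Validator` directives added in cspace_config.c rather than a compile-time constant.
```c
static int is_valid_cert(const char *cert, const char *uri, const char *dso_filename,
                  apr_pool_t *p)
{
    X509 *x509;
    int result = FAIL;
    /* … unchanged: rv, sym, hand, func, fname declarations and the !cert/!dso_filename check … */

    x509 = x509_create_with_buffer((unsigned char *)cert, strlen(cert));
    if (!x509)
        return FAIL;

    rv = apr_dso_load(&hand, dso_filename, p);
    if (rv)
        goto done;            /* log apr_dso_error(hand, ...) here */

    rv = apr_dso_sym(&sym, hand, "validate_cert");
    if (rv)
        goto done;

    func = (int (*)(X509 *, const char *))sym;
    result = (*func)(x509, uri);

done:
    if (hand)
        apr_dso_unload(hand);
    X509_free(x509);          /* x509 is owned by this function */
    return result;
}
```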
@@ -515,20 +605,44 @@
                         (strcmp(auth_state, 
                                 CARDSPACE_STATE_SUCCESS) == 0)) {
                     
-                    ppid = apr_table_get(r->subprocess_env, 
-                                         CARDSPACE_HEADER_PPID);
-                    
-                    if (is_valid_ppid(ppid, r->uri, "dummy_ppid_validator.so",
-                                      r->pool)) {
-                        if (!gen_session(SESSION_ID_LEN, session_ctx,
-                                         &session_id))
-                            return HTTP_INTERNAL_SERVER_ERROR;
-
-                        if (session_id)
-                            set_cookie(r, session_id);
-                            /*log success/failure of this*/
 
-                        return OK;
+                    validate_using_ppid = 0; /*TODO: remove magic*/
+                    if (validate_using_ppid) {
+                        const char *ppid;
+
+                        ppid = apr_table_get(r->subprocess_env, 
+                                             CARDSPACE_HEADER_PPID);
+
+                        if (is_valid_ppid(ppid, r->uri,
+                                          DUMMY_VALIDATOR_PATH, r->pool)) {
+                            if (!gen_session(SESSION_ID_LEN, session_ctx,
+                                             &session_id))
+                                return HTTP_INTERNAL_SERVER_ERROR;
+
+                            if (session_id)
+                                set_cookie(r, session_id);
+                                /*log success/failure of this*/
+
+                            return OK;
+                        }
+                    } else { /*do not check ppids*/
+                        const char *cert;
+
+                        cert = apr_table_get(r->subprocess_env,
+                                             CARDSPACE_HEADER_CERTIFICATE);
+                        if (is_valid_cert(cert, r->uri,
+                                          DUMMY_VALIDATOR_PATH,
+                                          r->pool)) {
+                            if (!gen_session(SESSION_ID_LEN, session_ctx,
+                                             &session_id))
+                                return HTTP_INTERNAL_SERVER_ERROR;
+
+                            if (session_id)
+                                set_cookie(r, session_id);
+                                /*log success/failure of this*/
+
+                            return OK;
+                        }
                     }
                 } else {
                     return UNAUTHORIZED_REDIRECT(r, NULL);
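Review bot: `validate_using_ppid = 0; /*TODO: remove magic*/` makes the whole `if (validate_using_ppid)` branch dead, so after this change the PPID from `CARDSPACE_HEADER_PPID` is never validated and a session is issued on the certificate check alone, which with the dummy validator in this commit always succeeds. The two branches then repeat the same `gen_session`/`set_cookie`/`return OK` block verbatim; compute a single `int valid = validate_using_ppid ? is_valid_ppid(...) : is_valid_cert(...);` and keep one copy of the session code. The `/*log success/failure of this*/` comment is indented as though it were a second statement under `if (session_id)`; align it with `set_cookie` or brace the body so the structure reads correctly.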
@@ -647,9 +761,28 @@
     /* return UNAUTHORIZED_REDIRECT(r, NULL); */
 }
 
+char data[] = 
"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";
+
+
 static int cspace_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                               apr_pool_t *ptemp, server_rec *s)
 {
+    /**/
+    if (is_valid_cert(data, "10", 
"/home/dummy/software/httpd-2.2.4/deploy/bin/dummy_ppid_validator.so", plog)) 
+        printf("valid cert\n");
+    else
+        printf("invalid cert\n");
+
+     if (is_valid_ppid("100", "10", 
"/home/dummy/software/httpd-2.2.4/deploy/bin/dummy_ppid_validator.so", plog)) 
+        printf("valid ppid\n");
+    else
+    {
+        if (is_valid_ppid("100", "10", 
"/home/dummy/software/httpd-2.2.4/deploy/bin/libdummy_ppid_validator.so", 
plog)) 
+            printf("valid2\n");
+        else
+            printf("invalid ppid\n");
+    }
+    /**/
     cspace_process_context_init();
     return OK;
 }
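Review bot: The block between the `/**/` markers in `cspace_post_config` is test scaffolding — `printf` to stdout from inside httpd, absolute `/home/dummy/...` DSO paths, and a non-static global `char data[]` holding a certificate — and it runs on every server start. It should be removed before merge, or at least wrapped in `#ifdef CSPACE_DEBUG` (the define this commit adds in configure.ac is the natural guard), with `data` made `static` and the results reported through `ap_log_error` rather than `printf`. A bare global named `data` is also a likely symbol clash once the module is linked into the server.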

Modified: trunk/solutions/identity/modules/mod-cspace/mod_cspace.h
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/mod_cspace.h    (original)
+++ trunk/solutions/identity/modules/mod-cspace/mod_cspace.h    Fri Jan 25 
02:44:50 2008
@@ -67,7 +67,7 @@
 #define cfg_dir_printf(st, cfg, nl) 
 #endif
 
-const command_rec cspace_cmds[11];
+const command_rec cspace_cmds[14];
 
 void *cspace_svr_cfg_create(apr_pool_t *p, server_rec *s);
 
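Review bot: `const command_rec cspace_cmds[14];` is a tentative definition, not a declaration, so every translation unit that includes this header defines its own `cspace_cmds` (a hard error under `-fno-common`, the default in newer GCC), and the element count must be kept in sync by hand with the table in cspace_config.c — this commit already had to bump 11 to 14. Use `extern const command_rec cspace_cmds[];` and let the defining `.c` file fix the size.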

Modified: trunk/solutions/identity/modules/mod-cspace/process_request.c
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/process_request.c       
(original)
+++ trunk/solutions/identity/modules/mod-cspace/process_request.c       Fri Jan 
25 02:44:50 2008
@@ -50,6 +50,10 @@
 /* "/saml:Assertion/dsig:Signature/dsig:KeyInfo/dsig:X509Data" */
 #define XPATH_X509_DATA XPATH_KEY_INFO "/" DSIG_PFX ":" X509_DATA 
 
+/* "/saml:Assertion/dsig:Signature/dsig:KeyInfo/dsig:X509Data/
+ *  dsig:X509Certificate" */
+#define XPATH_X509_CERT XPATH_X509_DATA ":" X509_CERT
+
 /* "/enc:EncryptedData" */
 #define XPATH_ENC_DATA "/" ENC_PFX ":" ENCRYPTED_DATA
 
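Review bot: `XPATH_X509_CERT` expands to `…X509Data:X509Certificate`, which matches neither the path in its own comment nor the pattern of `XPATH_X509_DATA` directly above it; the child step needs the separator and prefix: `#define XPATH_X509_CERT XPATH_X509_DATA "/" DSIG_PFX ":" X509_CERT`. As written, the XPath evaluation in the later hunk is unlikely to match any node, so the certificate header would never be set.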
@@ -258,10 +262,14 @@
     xmlXPathObject *attrs_obj = NULL;
     xmlNode *attr_node = NULL;
     xmlNode *text_node = NULL;
+    
+    xmlXPathObject *x509_obj = NULL;
+    xmlNode *x509_node = NULL;
 
     char *attr_name = NULL;
     char *attr_val = NULL;
     char *attr_ns = NULL;
+    char *x509_data = NULL;
 
     attrs_obj = cspace_xpath_evaluate(doc, BAD_CAST XPATH_ATTRIBUTE);
     if (!attrs_obj) {
@@ -269,7 +277,7 @@
     }
     
     for (i = 0; i < XPATH_OBJ_SIZE(attrs_obj); i++) {
-        
+        attr_val = NULL;
         attr_node = XPATH_OBJ_TO_NODE(attrs_obj, i);
         attr_name = (char *) xmlGetProp(attr_node, BAD_CAST ATTRIBUTE_NAME);
         attr_ns = (char *) xmlGetProp(attr_node, BAD_CAST ATTRIBUTE_NAMESPACE);
@@ -290,12 +298,31 @@
                               ctx->header_container, ctx->set_header_cb_ctx);
         
     }
+    
+    x509_obj = cspace_xpath_evaluate(doc, BAD_CAST XPATH_X509_CERT);
+    if (!x509_obj) {
+        goto done;
+    }
+
+    x509_node = XPATH_OBJ_TO_NODE(x509_obj, 0);
+    x509_node = x509_node->children; /*now it is the text node containing the 
cert*/
+    if (x509_node && xmlNodeIsText(x509_node)) {
+        x509_data = cspace_strdup((char *)x509_node->content,
+                                  ctx->allocator);
+    }
+
+    (*ctx->set_header_fn)(NULL, cspace_strdup(CARDSPACE_HEADER_CERTIFICATE,
+                                              ctx->allocator), x509_data, 
ctx->header_container,
+                          ctx->set_header_cb_ctx);
 
     res = SUCC;
 
 done:
     if (attrs_obj)
         xmlXPathFreeObject(attrs_obj);
+    
+    if (x509_obj)
+        xmlXPathFreeObject(x509_obj);
 
     return res;
 }
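Review bot: `XPATH_OBJ_TO_NODE(x509_obj, 0)` is taken without checking that the node set is non-empty, so an assertion with no `X509Certificate` element makes `x509_node->children` dereference NULL (a non-NULL XPath object with an empty nodeset is typically the "no match" result, depending on what `cspace_xpath_evaluate` returns). Guard it as the attribute loop does: `if (!x509_obj || XPATH_OBJ_SIZE(x509_obj) == 0) goto done;`. `x509_data` can also still be NULL when the element has no text child and is passed to `set_header_fn` regardless; either skip the call or confirm the callback accepts a NULL value. The certificate exported here is the one embedded in the assertion's own `KeyInfo`; presumably the signature has been verified against it earlier in the pipeline, and that is worth stating in a comment on the `x509_obj` line, since `is_valid_cert` in mod_cspace.c trusts this header.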

Modified: trunk/solutions/identity/modules/mod-cspace/process_request.h
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/process_request.h       
(original)
+++ trunk/solutions/identity/modules/mod-cspace/process_request.h       Fri Jan 
25 02:44:50 2008
@@ -10,6 +10,8 @@
     #define SUCC !(FAIL)
 #endif 
 
+#define CARDSPACE_HEADER_CERTIFICATE "certificate"
+
 #define CARDSPACE_HEADER_STATE "auth_state"
 #define CARDSPACE_STATE_SUCCESS "success"
 #define CARDSPACE_STATE_FAIL "failure"

Modified: trunk/solutions/identity/modules/mod-cspace/process_request_defines.h
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/process_request_defines.h       
(original)
+++ trunk/solutions/identity/modules/mod-cspace/process_request_defines.h       
Fri Jan 25 02:44:50 2008
@@ -90,6 +90,7 @@
 #define MODULUS "Modulus"
 #define EXPONENT "Exponent"
 #define X509_DATA "X509Data"
+#define X509_CERT "X509Certificate"
 
 static int cspace_strlen(const char *str) 
 {

Modified: trunk/solutions/identity/modules/mod-cspace/res/test.c
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/res/test.c      (original)
+++ trunk/solutions/identity/modules/mod-cspace/res/test.c      Fri Jan 25 
02:44:50 2008
@@ -25,7 +25,7 @@
     }
 
     cspace_process_context_free(ctx);
-    ctx = cspace_process_context_create_default();
+    /*ctx = cspace_process_context_create_default();
     
     cspace_process_context_set_key_file(ctx, "samplerp1.key");
     cspace_process_context_set_header_callback(ctx,
@@ -37,7 +37,7 @@
         printf("Verificatio FAILED!\n");
     }
 
-    cspace_process_context_free(ctx);
+    cspace_process_context_free(ctx); */
     cspace_process_context_halt();
 
     return 0;
