Author: dumindu
Date: Mon Feb 11 23:23:25 2008
New Revision: 13613
Log:
white list + few more fixes
Added:
trunk/solutions/identity/modules/mod-cspace/cspace_validator.c
trunk/solutions/identity/modules/mod-cspace/cspace_validator.h
Modified:
trunk/solutions/identity/modules/mod-cspace/build.sh
trunk/solutions/identity/modules/mod-cspace/mod_cspace.c
Modified: trunk/solutions/identity/modules/mod-cspace/build.sh
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/build.sh (original)
+++ trunk/solutions/identity/modules/mod-cspace/build.sh Mon Feb 11
23:23:25 2008
@@ -1,6 +1,6 @@
#!/bin/sh
sh autogen.sh
-#./configure --with-apxs2=/home/dummy/software/httpd-2.2.4/deploy/bin/apxs
-./configure --with-apxs2
-make
+#./configure --with-apxs2
+./configure --with-apxs2=/home/dumindu/software/httpd-2.2.8/deploy/bin/apxs
+make
Added: trunk/solutions/identity/modules/mod-cspace/cspace_validator.c
==============================================================================
--- (empty file)
+++ trunk/solutions/identity/modules/mod-cspace/cspace_validator.c Mon Feb
11 23:23:25 2008
@@ -0,0 +1,195 @@
+#include <openssl/ssl.h>
+#include "mod_cspace.h"
+#include "cspace_validator.h"
+
+/* In validating the saml token using xmlsec we anyway need the CA cert
+ * of the CA which signed the IdP's cert. Hence, the "promiscuous" and "cert"
+ * validators are the same (does nothing infact) in this module. Yet we include
+ * both these types for completeness.
+ */
+
+typedef enum {
+ VAL_TYPE_WHITE = 0,
+ VAL_TYPE_BLACK,
+ VAL_TYPE_CERT,
+ VAL_TYPE_PROMISCUOUS,
+ VAL_TYPE_USER,
+ VAL_TYPE_FAULT = -1
+} val_type;
+
+char *(val_name[5]) = {"white", "black", "cert", "promiscuous", "user"};
+
+static int white_list_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert,
+ const char *w_list);
+static int black_list_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert,
+ const char *b_list);
+static int cert_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert);
+
+static int user_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert,
+ const void *user_data);
+
+static int white_list_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert,
+ const char *w_list)
+{
+ FILE *fp = NULL;
+ SSL_CTX *ctx = NULL;
+ X509 *needle = NULL;
+ X509 *search_cert = NULL;
+ X509_NAME *needle_name = NULL;
+ X509_STORE *haystack = NULL;
+ X509_OBJECT *search_obj = NULL;
+
+ if((fp = fopen (cert, "r"))) {
+ if(!(needle = d2i_X509_fp(fp, NULL))) {
+ fseek(fp, 0, SEEK_SET);
+ needle = PEM_read_X509( fp, NULL, NULL, NULL );
+ }
+ } else {
+ return FAIL;
+ }
+
+ if (needle && needle->cert_info) {
+ needle_name = needle->cert_info->subject;
+ }
+
+ ctx = SSL_CTX_new(NULL);
+ if (!ctx) {
+ return FAIL;
+ }
+
+ SSL_CTX_use_certificate_chain_file(ctx, w_list);
+
+ haystack = SSL_CTX_get_cert_store(ctx);
+
+ if(haystack && needle_name) {
+ search_obj = X509_OBJECT_retrieve_by_subject(haystack->objs,
+ X509_LU_X509,
+ needle_name);
+ }
+
+ if (search_obj) {
+ search_cert = (search_obj->data).x509;
+ if (search_cert &&
+ (M_ASN1_BIT_STRING_cmp(search_cert->signature,
+ needle->signature) == 0)) {
+
+ if (ctx) {
+ SSL_CTX_free(ctx);
+ }
+
+ if (needle) {
+ X509_free(needle);
+ }
+
+ fclose(fp);
+
+ return SUCC;
+ }
+ }
+
+ if (ctx) {
+ SSL_CTX_free(ctx);
+ }
+
+ if (needle) {
+ X509_free(needle);
+ }
+
+ fclose(fp);
+
+ /* FREE_CTX() */
+ return FAIL;
+}
+
+static int black_list_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert,
+ const char *b_list)
+{
+ char line[5];
+ FILE *fp = NULL;
+
+ if ((fp = fopen(b_list, "r"))) {
+
+ while (fgets(line, 5, fp) != NULL)
+ {
+ /*strcmp with the cert's CN*/
+ }
+ } else {
+ return FAIL;
+ }
+ /* if no fopen error and not it black list then allow em*/
+ return SUCC;
+}
+
+static int cert_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert)
+{
+ /* this validation is done at the cert verification */
+ return SUCC;
+}
+
+/* Allow all the requests in case of promiscuous */
+#define promiscuous_validator(a, b, c, d) SUCC
+
+static int user_validator(const char *uri, const char *issuer,
+ const char *ppid, const char *cert,
+ const void *user_data)
+{
+ return SUCC;
+}
+
+static val_type valstr2type(const char *validator)
+{
+ if (strcmp(validator, val_name[VAL_TYPE_WHITE]) == 0) {
+ return VAL_TYPE_WHITE;
+ } else if (strcmp(validator, val_name[VAL_TYPE_BLACK]) == 0) {
+ return VAL_TYPE_BLACK;
+ } else if (strcmp(validator, val_name[VAL_TYPE_CERT]) == 0) {
+ return VAL_TYPE_CERT;
+ } else if (strcmp(validator, val_name[VAL_TYPE_PROMISCUOUS]) == 0) {
+ return VAL_TYPE_PROMISCUOUS;
+ } else {
+ return VAL_TYPE_FAULT;
+ }
+}
+
+int validate_with_op_mode(const char *validator, const char *uri,
+ const char *issuer, const char *ppid,
+ const char *cert, const void *data)
+{
+ int flag = FAIL;
+
+ val_type v_type = valstr2type(validator);
+
+ switch (v_type) {
+ case VAL_TYPE_WHITE:
+ flag = white_list_validator(uri, NULL, NULL, cert, data);
+ break;
+
+ case VAL_TYPE_BLACK:
+ flag = black_list_validator(uri, issuer, NULL, cert, data);
+ break;
+
+ case VAL_TYPE_CERT:
+ flag = cert_validator(uri, NULL, NULL, cert);
+ break;
+
+ case VAL_TYPE_USER:
+ flag = user_validator(uri, issuer, ppid, cert, data);
+ break;
+
+ case VAL_TYPE_PROMISCUOUS:
+ flag = promiscuous_validator(NULL, NULL, NULL, NULL);
+ break;
+
+ default:
+ flag = FAIL;
+ }
+
+ return flag;
+}
Added: trunk/solutions/identity/modules/mod-cspace/cspace_validator.h
==============================================================================
--- (empty file)
+++ trunk/solutions/identity/modules/mod-cspace/cspace_validator.h Mon Feb
11 23:23:25 2008
@@ -0,0 +1,3 @@
+int validate_with_op_mode(const char *validator, const char *uri,
+ const char *issuer, const char *ppid,
+ const char *cert, const void *data);
Modified: trunk/solutions/identity/modules/mod-cspace/mod_cspace.c
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/mod_cspace.c (original)
+++ trunk/solutions/identity/modules/mod-cspace/mod_cspace.c Mon Feb 11
23:23:25 2008
@@ -549,8 +549,7 @@
}
#endif
-/*#define DUMMY_VALIDATOR_PATH "/home/dummy/software/httpd-2.2.4/deploy/bin/" \
- "dummy_ppid_validator.so"*/
+/*#define DUMMY_VALIDATOR_PATH "dummy_ppid_validator.so"*/
static int handle_session_nosso(request_rec *r, cspace_dir_cfg *dir_cfg,
cspace_svr_cfg *svr_cfg)
@@ -621,11 +620,17 @@
cert = apr_table_get(r->subprocess_env,
CARDSPACE_HEADER_CERTIFICATE);
+ if (!svr_cfg->validator) {
+ /* if the validator is not present assume cert by
default*/
+ svr_cfg->validator = "cert";
+ }
+
allowed_flag = validate_with_op_mode(svr_cfg->validator,
r->uri,
"TODO:ISSUER",
ppid,
- cert);
+ cert, NULL);
+
if (allowed_flag) {
return OK;
} else {
@@ -706,13 +711,13 @@
char *tmp = buf;
- /*remove any trailing params*/
- while (*tmp && *tmp != '&') {
+ /*remove any trailing params*/
+ while (*tmp && *tmp != '&') {
tmp++;
- }
- *tmp = '\0';
+ }
+ *tmp = '\0';
- cspace_decode_url((char *)buf);
+ cspace_decode_url((char *)buf);
state = process_token(buf, r, svr_cfg);
_______________________________________________
Identity-dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/identity-dev
