public function runForCronTag($cronTag)
{
if (!$this->_isExecuteRequired($cronTag)) {
return array();
}
$cronLogger = new sspmod_janus_Cron_Logger();
try {
$janusConfig = SimpleSAML_Configuration::getConfig('module_janus.php');
$srConfig = SimpleSAML_Configuration::getConfig('module_janus.php');
$rootCertificatesFile = $srConfig->getString('ca_bundle_file');
$util = new sspmod_janus_AdminUtil();
$entities = $util->getEntities();
foreach ($entities as $partialEntity) {
try {
$entityController = new sspmod_janus_EntityController($janusConfig);
$eid = $partialEntity['eid'];
if (!$entityController->setEntity($eid)) {
$cronLogger->with($eid)->error("Failed import of entity. Wrong eid '{$eid}'.");
continue;
}
$entityController->loadEntity();
$entityId = $entityController->getEntity()->getEntityid();
$entityType = $entityController->getEntity()->getType();
try {
try {
$certificate = $entityController->getCertificate();
// @workaround
// Since getCertificate() returns false when certificate does not exist following check is required to skip validation
if (empty($certificate)) {
throw new Exception('No certificate found');
}
} catch (Exception $e) {
if ($entityType === 'saml20-sp') {
$cronLogger->with($entityId)->notice("SP does not have a certificate");
} else {
if ($entityType === 'saml20-idp') {
$cronLogger->with($entityId)->warn("Unable to create certificate object, certData missing?");
}
}
continue;
}
$validator = new sspmod_janus_OpenSsl_Certificate_Validator($certificate);
$validator->setIgnoreSelfSigned(true);
$validator->validate();
$validatorWarnings = $validator->getWarnings();
$validatorErrors = $validator->getErrors();
foreach ($validatorWarnings as $warning) {
$cronLogger->with($entityId)->warn($warning);
}
foreach ($validatorErrors as $error) {
$cronLogger->with($entityId)->error($error);
}
sspmod_janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($rootCertificatesFile);
$chain = sspmod_janus_OpenSsl_Certificate_Chain_Factory::createFromCertificateIssuerUrl($certificate);
$validator = new sspmod_janus_OpenSsl_Certificate_Chain_Validator($chain);
$validator->setIgnoreSelfSigned(true);
$validator->setTrustedRootCertificateAuthorityFile($rootCertificatesFile);
$validator->validate();
$validatorWarnings = $validator->getWarnings();
$validatorErrors = $validator->getErrors();
foreach ($validatorWarnings as $warning) {
$cronLogger->with($entityId)->warn($warning);
}
foreach ($validatorErrors as $error) {
$cronLogger->with($entityId)->error($error);
}
} catch (Exception $e) {
$cronLogger->with($entityId)->error($e->getMessage());
}
} catch (Exception $e) {
$cronLogger->error($e->getMessage() . $e->getTraceAsString());
}
}
} catch (Exception $e) {
$cronLogger->error($e->getMessage() . $e->getTraceAsString());
}
if ($cronLogger->hasErrors()) {
$this->_mailTechnicalContact($cronTag, $cronLogger);
}
return $cronLogger->getSummaryLines();
}
public function serve($entityId)
{
if (isset($this->_trustedRootCertificateAuthoritiesFile)) {
sspmod_janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($this->_trustedRootCertificateAuthoritiesFile);
}
$this->_loadEntityMetadata($entityId);
foreach ($this->_endpointMetadataFields as $endPointMetaKey) {
if (!isset($this->_entityMetadata[$endPointMetaKey])) {
// This entity does not have this binding
continue;
}
foreach ($this->_entityMetadata[$endPointMetaKey] as $index => $binding) {
$endpointResponse = new stdClass();
$endpointResponse->CertificateChain = array();
$endpointResponse->Errors = array();
$endpointResponse->Warnings = array();
$key = $endPointMetaKey . $index;
$this->_response->{$key} = $endpointResponse;
$endpointResponse =& $this->_response->{$key};
if (!isset($binding['Location']) || trim($binding['Location']) === "") {
$endpointResponse->Errors[] = "Binding has no Location?";
return $this->_sendResponse();
} else {
$endpointResponse->Url = $binding['Location'];
}
try {
$sslUrl = new sspmod_janus_OpenSsl_Url($binding['Location']);
} catch (Exception $e) {
$endpointResponse->Errors[] = "Endpoint is not a valid URL";
return $this->_sendResponse();
}
if (!$sslUrl->isHttps()) {
$endpointResponse->Errors[] = "Endpoint is not HTTPS";
return $this->_sendResponse();
}
$connectSuccess = $sslUrl->connect();
if (!$connectSuccess) {
$endpointResponse->Errors[] = "Endpoint is unreachable";
return $this->_sendResponse();
}
if (!$sslUrl->isCertificateValidForUrlHostname()) {
$urlHostName = $sslUrl->getHostName();
$validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
$endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")";
}
$urlChain = $sslUrl->getServerCertificateChain();
$certificates = $urlChain->getCertificates();
foreach ($certificates as $certificate) {
$certificateSubject = $certificate->getSubject();
$endpointResponse->CertificateChain[] = array('Subject' => array('DN' => $certificate->getSubjectDn(), 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O']), 'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()), 'Issuer' => array('Dn' => $certificate->getIssuerDn()), 'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()), 'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()), 'RootCa' => $certificate->getTrustedRootCertificateAuthority(), 'SelfSigned' => $certificate->isSelfSigned());
}
$urlChainValidator = new sspmod_janus_OpenSsl_Certificate_Chain_Validator($urlChain);
$urlChainValidator->validate();
$endpointResponse->Warnings = array_merge($endpointResponse->Warnings, $urlChainValidator->getWarnings());
$endpointResponse->Errors = array_merge($endpointResponse->Errors, $urlChainValidator->getErrors());
}
}
return $this->_sendResponse();
}
protected function _checkChainValidity()
{
$validator = new sspmod_janus_OpenSsl_Certificate_Chain_Validator($this->_certificateChain);
$validator->setIgnoreSelfSigned(true);
if (isset($this->_trustedRootCertificateAuthoritiesFile)) {
$validator->setTrustedRootCertificateAuthorityFile($this->_trustedRootCertificateAuthoritiesFile);
}
$validator->validate();
$this->_response->Warnings = array_merge($this->_response->Warnings, $validator->getWarnings());
$this->_response->Errors = array_merge($this->_response->Errors, $validator->getErrors());
}
