public function validate()
{
try {
$sslUrl = new Janus_OpenSsl_Url($this->_url);
} catch (Exception $e) {
$endpointResponse->Errors[] = "Endpoint is not a valid URL";
return $this->_sendResponse();
}
if (!$sslUrl->isHttps()) {
$endpointResponse->Errors[] = "Endpoint is not HTTPS";
return $this->_sendResponse();
}
$connectSuccess = $sslUrl->connect();
if (!$connectSuccess) {
$endpointResponse->Errors[] = "Endpoint is unreachable";
return $this->_sendResponse();
}
if (!$sslUrl->isCertificateValidForUrlHostname()) {
$urlHostName = $sslUrl->getHostName();
$validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
$endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")";
}
$urlChain = $sslUrl->getServerCertificateChain();
$certificates = $urlChain->getCertificates();
foreach ($certificates as $certificate) {
$certificateSubject = $certificate->getSubject();
$endpointResponse->CertificateChain[] = array('Subject' => array('DN' => $certificate->getSubjectDn(), 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O']), 'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()), 'Issuer' => array('Dn' => $certificate->getIssuerDn()), 'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()), 'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()), 'RootCa' => $certificate->getTrustedRootCertificateAuthority(), 'SelfSigned' => $certificate->isSelfSigned());
}
$urlChainValidator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain);
$urlChainValidator->validate();
}
public function runForCronTag($cronTag)
{
if (!$this->_isExecuteRequired($cronTag)) {
return array();
}
$cronLogger = new sspmod_janus_Cron_Logger();
try {
$janusConfig = sspmod_janus_DiContainer::getInstance()->getConfig();
$util = new sspmod_janus_AdminUtil();
$entities = $util->getEntities();
foreach ($entities as $partialEntity) {
$entityController = sspmod_janus_DiContainer::getInstance()->getEntityController();
$eid = $partialEntity['eid'];
if (!$entityController->setEntity($eid)) {
$cronLogger->with($eid)->error("Failed import of entity. Wrong eid '{$eid}'.");
continue;
}
$entityController->loadEntity();
$entityId = $entityController->getEntity()->getEntityid();
$entityMetadata = $entityController->getMetaArray();
foreach ($this->_endpointMetadataFields as $endPointMetaKey) {
if (!isset($entityMetadata[$endPointMetaKey])) {
// This entity does not have this binding
continue;
}
foreach ($entityMetadata[$endPointMetaKey] as $index => $binding) {
$key = $endPointMetaKey . ':' . $index;
if (!isset($binding['Location']) || trim($binding['Location']) === "") {
$cronLogger->with($entityId)->with($key)->error("Binding has no Location?");
continue;
}
try {
$sslUrl = new Janus_OpenSsl_Url($binding['Location']);
} catch (Exception $e) {
$cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is not a valid URL");
continue;
}
if (!$sslUrl->isHttps()) {
$cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is not HTTPS");
continue;
}
$connectSuccess = $sslUrl->connect();
if (!$connectSuccess) {
$cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is unreachable");
continue;
}
if (!$sslUrl->isCertificateValidForUrlHostname()) {
$urlHostName = $sslUrl->getHostName();
$validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
$cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")");
}
$urlChain = $sslUrl->getServerCertificateChain();
$validator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain);
$validator->validate();
$validatorWarnings = $validator->getWarnings();
$validatorErrors = $validator->getErrors();
foreach ($validatorWarnings as $warning) {
$cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->warn($warning);
}
foreach ($validatorErrors as $error) {
$cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error($error);
}
}
}
}
} catch (Exception $e) {
$cronLogger->error($e->getMessage());
}
if ($cronLogger->hasErrors()) {
$this->_mailTechnicalContact($cronTag, $cronLogger);
}
return $cronLogger->getSummaryLines();
}
public function serve($entityId)
{
if (isset($this->_trustedRootCertificateAuthoritiesFile)) {
Janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($this->_trustedRootCertificateAuthoritiesFile);
}
$this->_loadEntityMetadata($entityId);
foreach ($this->_endpointMetadataFields as $endPointMetaKey) {
if (!isset($this->_entityMetadata[$endPointMetaKey])) {
// This entity does not have this binding
continue;
}
$responsesByHost = array();
foreach ($this->_entityMetadata[$endPointMetaKey] as $index => $binding) {
$endpointResponse = new stdClass();
$endpointResponse->CertificateChain = array();
$endpointResponse->Errors = array();
$endpointResponse->Warnings = array();
$key = $endPointMetaKey . $index;
$this->_response->{$key} = $endpointResponse;
$endpointResponse =& $this->_response->{$key};
if (!isset($binding['Location']) || trim($binding['Location']) === "") {
$endpointResponse->Errors[] = "Binding has no Location?";
continue;
} else {
$endpointResponse->Url = $binding['Location'];
}
try {
$sslUrl = new Janus_OpenSsl_Url($binding['Location']);
} catch (Exception $e) {
$endpointResponse->Errors[] = "Endpoint is not a valid URL";
continue;
}
if (!$sslUrl->isHttps()) {
$endpointResponse->Errors[] = "Endpoint is not HTTPS";
continue;
}
// If this endpoint is the same hostename as a previous one there is no point in doing
// all that expensive work all over again.
$sslUrlHostname = $sslUrl->getHostName();
if (isset($responsesByHost[$sslUrlHostname])) {
$cachedEndpointResult = $responsesByHost[$sslUrlHostname];
$endpointResponse->CertificateChain = $cachedEndpointResult->CertificateChain;
$endpointResponse->Errors = $cachedEndpointResult->Errors;
$endpointResponse->Warnings = $cachedEndpointResult->Warnings;
continue;
} else {
$responsesByHost[$sslUrlHostname] = $endpointResponse;
}
$connectSuccess = $sslUrl->connect();
if (!$connectSuccess) {
$endpointResponse->Errors[] = "Endpoint is unreachable";
continue;
}
if (!$sslUrl->isCertificateValidForUrlHostname()) {
$urlHostName = $sslUrl->getHostName();
$validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
$endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")";
}
$urlChain = $sslUrl->getServerCertificateChain();
$certificates = $urlChain->getCertificates();
foreach ($certificates as $certificate) {
$certificateSubject = $certificate->getSubject();
$endpointResponse->CertificateChain[] = array('Subject' => array('DN' => $certificate->getSubjectDn(), 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O']), 'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()), 'Issuer' => array('Dn' => $certificate->getIssuerDn()), 'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()), 'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()), 'RootCa' => $certificate->getTrustedRootCertificateAuthority(), 'SelfSigned' => $certificate->isSelfSigned());
}
$urlChainValidator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain);
$urlChainValidator->validate();
$endpointResponse->Warnings = array_merge($endpointResponse->Warnings, $urlChainValidator->getWarnings());
$endpointResponse->Errors = array_merge($endpointResponse->Errors, $urlChainValidator->getErrors());
}
}
$this->_sendResponse();
}
