protected function _loadCertificateChain()
{
if (isset($this->_trustedRootCertificateAuthoritiesFile)) {
Janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($this->_trustedRootCertificateAuthoritiesFile);
}
try {
$this->_certificateChain = Janus_OpenSsl_Certificate_Chain_Factory::createFromCertificateIssuerUrl($this->_certificate);
} catch (Exception $e) {
$this->_response->Errors[] = $e->getMessage();
return false;
}
$certificates = $this->_certificateChain->getCertificates();
/**
* @var Janus_OpenSsl_Certificate $certificate
*/
foreach ($certificates as $certificate) {
$certificateSubject = $certificate->getSubject();
$this->_response->CertificateChain[] = array('Subject' => array('DN' => $certificate->getSubjectDn(), 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O']), 'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()), 'Issuer' => array('Dn' => $certificate->getIssuerDn()), 'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()), 'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()), 'RootCa' => $certificate->getTrustedRootCertificateAuthority(), 'SelfSigned' => $certificate->isSelfSigned());
}
return true;
}
public function runForCronTag($cronTag)
{
if (!$this->_isExecuteRequired($cronTag)) {
return array();
}
$cronLogger = new sspmod_janus_Cron_Logger();
try {
$janusConfig = sspmod_janus_DiContainer::getInstance()->getConfig();
$srConfig = sspmod_janus_DiContainer::getInstance()->getConfig();
$rootCertificatesFile = $srConfig->getString('ca_bundle_file');
$util = new sspmod_janus_AdminUtil();
$entities = $util->getEntities();
foreach ($entities as $partialEntity) {
try {
$entityController = sspmod_janus_DiContainer::getInstance()->getEntityController();
$eid = $partialEntity['eid'];
if (!$entityController->setEntity($eid)) {
$cronLogger->with($eid)->error("Failed import of entity. Wrong eid '{$eid}'.");
continue;
}
$entityController->loadEntity();
$entityId = $entityController->getEntity()->getEntityid();
$entityType = $entityController->getEntity()->getType();
try {
try {
$certificate = $entityController->getCertificate();
// @workaround
// Since getCertificate() returns false when certificate does not exist following check is required to skip validation
if (empty($certificate)) {
throw new Exception('No certificate found');
}
} catch (Exception $e) {
if ($entityType === 'saml20-sp') {
$cronLogger->with($entityId)->notice("SP does not have a certificate");
} else {
if ($entityType === 'saml20-idp') {
$cronLogger->with($entityId)->warn("Unable to create certificate object, certData missing?");
}
}
continue;
}
$validator = new Janus_OpenSsl_Certificate_Validator($certificate);
$validator->setIgnoreSelfSigned(true);
$validator->validate();
$validatorWarnings = $validator->getWarnings();
$validatorErrors = $validator->getErrors();
foreach ($validatorWarnings as $warning) {
$cronLogger->with($entityId)->warn($warning);
}
foreach ($validatorErrors as $error) {
$cronLogger->with($entityId)->error($error);
}
Janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($rootCertificatesFile);
$chain = Janus_OpenSsl_Certificate_Chain_Factory::createFromCertificateIssuerUrl($certificate);
$validator = new Janus_OpenSsl_Certificate_Chain_Validator($chain);
$validator->setIgnoreSelfSigned(true);
$validator->setTrustedRootCertificateAuthorityFile($rootCertificatesFile);
$validator->validate();
$validatorWarnings = $validator->getWarnings();
$validatorErrors = $validator->getErrors();
foreach ($validatorWarnings as $warning) {
$cronLogger->with($entityId)->warn($warning);
}
foreach ($validatorErrors as $error) {
$cronLogger->with($entityId)->error($error);
}
} catch (Exception $e) {
$cronLogger->with($entityId)->error($e->getMessage());
}
} catch (Exception $e) {
$cronLogger->error($e->getMessage() . $e->getTraceAsString());
}
}
} catch (Exception $e) {
$cronLogger->error($e->getMessage() . $e->getTraceAsString());
}
if ($cronLogger->hasErrors()) {
$this->_mailTechnicalContact($cronTag, $cronLogger);
}
return $cronLogger->getSummaryLines();
}
public static function setRootCertificates(array $list)
{
self::$s_rootCertificates = $list;
}
public function serve($entityId)
{
if (isset($this->_trustedRootCertificateAuthoritiesFile)) {
Janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($this->_trustedRootCertificateAuthoritiesFile);
}
$this->_loadEntityMetadata($entityId);
foreach ($this->_endpointMetadataFields as $endPointMetaKey) {
if (!isset($this->_entityMetadata[$endPointMetaKey])) {
// This entity does not have this binding
continue;
}
$responsesByHost = array();
foreach ($this->_entityMetadata[$endPointMetaKey] as $index => $binding) {
$endpointResponse = new stdClass();
$endpointResponse->CertificateChain = array();
$endpointResponse->Errors = array();
$endpointResponse->Warnings = array();
$key = $endPointMetaKey . $index;
$this->_response->{$key} = $endpointResponse;
$endpointResponse =& $this->_response->{$key};
if (!isset($binding['Location']) || trim($binding['Location']) === "") {
$endpointResponse->Errors[] = "Binding has no Location?";
continue;
} else {
$endpointResponse->Url = $binding['Location'];
}
try {
$sslUrl = new Janus_OpenSsl_Url($binding['Location']);
} catch (Exception $e) {
$endpointResponse->Errors[] = "Endpoint is not a valid URL";
continue;
}
if (!$sslUrl->isHttps()) {
$endpointResponse->Errors[] = "Endpoint is not HTTPS";
continue;
}
// If this endpoint is the same hostename as a previous one there is no point in doing
// all that expensive work all over again.
$sslUrlHostname = $sslUrl->getHostName();
if (isset($responsesByHost[$sslUrlHostname])) {
$cachedEndpointResult = $responsesByHost[$sslUrlHostname];
$endpointResponse->CertificateChain = $cachedEndpointResult->CertificateChain;
$endpointResponse->Errors = $cachedEndpointResult->Errors;
$endpointResponse->Warnings = $cachedEndpointResult->Warnings;
continue;
} else {
$responsesByHost[$sslUrlHostname] = $endpointResponse;
}
$connectSuccess = $sslUrl->connect();
if (!$connectSuccess) {
$endpointResponse->Errors[] = "Endpoint is unreachable";
continue;
}
if (!$sslUrl->isCertificateValidForUrlHostname()) {
$urlHostName = $sslUrl->getHostName();
$validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
$endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")";
}
$urlChain = $sslUrl->getServerCertificateChain();
$certificates = $urlChain->getCertificates();
foreach ($certificates as $certificate) {
$certificateSubject = $certificate->getSubject();
$endpointResponse->CertificateChain[] = array('Subject' => array('DN' => $certificate->getSubjectDn(), 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O']), 'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()), 'Issuer' => array('Dn' => $certificate->getIssuerDn()), 'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()), 'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()), 'RootCa' => $certificate->getTrustedRootCertificateAuthority(), 'SelfSigned' => $certificate->isSelfSigned());
}
$urlChainValidator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain);
$urlChainValidator->validate();
$endpointResponse->Warnings = array_merge($endpointResponse->Warnings, $urlChainValidator->getWarnings());
$endpointResponse->Errors = array_merge($endpointResponse->Errors, $urlChainValidator->getErrors());
}
}
$this->_sendResponse();
}
public function getServerCertificateChain()
{
$blocks = explode("\n---\n", $this->_connection->getOutput());
$certificateOutput = $blocks[1];
$certificatesFound = Janus_OpenSsl_Certificate_Utility::getCertificatesFromText($certificateOutput);
return Janus_OpenSsl_Certificate_Chain_Factory::createFromCertificates($certificatesFound);
}
