public function validate() { try { $sslUrl = new Janus_OpenSsl_Url($this->_url); } catch (Exception $e) { $endpointResponse->Errors[] = "Endpoint is not a valid URL"; return $this->_sendResponse(); } if (!$sslUrl->isHttps()) { $endpointResponse->Errors[] = "Endpoint is not HTTPS"; return $this->_sendResponse(); } $connectSuccess = $sslUrl->connect(); if (!$connectSuccess) { $endpointResponse->Errors[] = "Endpoint is unreachable"; return $this->_sendResponse(); } if (!$sslUrl->isCertificateValidForUrlHostname()) { $urlHostName = $sslUrl->getHostName(); $validHostNames = $sslUrl->getServerCertificate()->getValidHostNames(); $endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")"; } $urlChain = $sslUrl->getServerCertificateChain(); $certificates = $urlChain->getCertificates(); foreach ($certificates as $certificate) { $certificateSubject = $certificate->getSubject(); $endpointResponse->CertificateChain[] = array('Subject' => array('DN' => $certificate->getSubjectDn(), 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O']), 'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()), 'Issuer' => array('Dn' => $certificate->getIssuerDn()), 'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()), 'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()), 'RootCa' => $certificate->getTrustedRootCertificateAuthority(), 'SelfSigned' => $certificate->isSelfSigned()); } $urlChainValidator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain); $urlChainValidator->validate(); }
public function runForCronTag($cronTag) { if (!$this->_isExecuteRequired($cronTag)) { return array(); } $cronLogger = new sspmod_janus_Cron_Logger(); try { $janusConfig = sspmod_janus_DiContainer::getInstance()->getConfig(); $util = new sspmod_janus_AdminUtil(); $entities = $util->getEntities(); foreach ($entities as $partialEntity) { $entityController = sspmod_janus_DiContainer::getInstance()->getEntityController(); $eid = $partialEntity['eid']; if (!$entityController->setEntity($eid)) { $cronLogger->with($eid)->error("Failed import of entity. Wrong eid '{$eid}'."); continue; } $entityController->loadEntity(); $entityId = $entityController->getEntity()->getEntityid(); $entityMetadata = $entityController->getMetaArray(); foreach ($this->_endpointMetadataFields as $endPointMetaKey) { if (!isset($entityMetadata[$endPointMetaKey])) { // This entity does not have this binding continue; } foreach ($entityMetadata[$endPointMetaKey] as $index => $binding) { $key = $endPointMetaKey . ':' . $index; if (!isset($binding['Location']) || trim($binding['Location']) === "") { $cronLogger->with($entityId)->with($key)->error("Binding has no Location?"); continue; } try { $sslUrl = new Janus_OpenSsl_Url($binding['Location']); } catch (Exception $e) { $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is not a valid URL"); continue; } if (!$sslUrl->isHttps()) { $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is not HTTPS"); continue; } $connectSuccess = $sslUrl->connect(); if (!$connectSuccess) { $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is unreachable"); continue; } if (!$sslUrl->isCertificateValidForUrlHostname()) { $urlHostName = $sslUrl->getHostName(); $validHostNames = $sslUrl->getServerCertificate()->getValidHostNames(); $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")"); } $urlChain = $sslUrl->getServerCertificateChain(); $validator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain); $validator->validate(); $validatorWarnings = $validator->getWarnings(); $validatorErrors = $validator->getErrors(); foreach ($validatorWarnings as $warning) { $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->warn($warning); } foreach ($validatorErrors as $error) { $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error($error); } } } } } catch (Exception $e) { $cronLogger->error($e->getMessage()); } if ($cronLogger->hasErrors()) { $this->_mailTechnicalContact($cronTag, $cronLogger); } return $cronLogger->getSummaryLines(); }
public function serve($entityId) { if (isset($this->_trustedRootCertificateAuthoritiesFile)) { Janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($this->_trustedRootCertificateAuthoritiesFile); } $this->_loadEntityMetadata($entityId); foreach ($this->_endpointMetadataFields as $endPointMetaKey) { if (!isset($this->_entityMetadata[$endPointMetaKey])) { // This entity does not have this binding continue; } $responsesByHost = array(); foreach ($this->_entityMetadata[$endPointMetaKey] as $index => $binding) { $endpointResponse = new stdClass(); $endpointResponse->CertificateChain = array(); $endpointResponse->Errors = array(); $endpointResponse->Warnings = array(); $key = $endPointMetaKey . $index; $this->_response->{$key} = $endpointResponse; $endpointResponse =& $this->_response->{$key}; if (!isset($binding['Location']) || trim($binding['Location']) === "") { $endpointResponse->Errors[] = "Binding has no Location?"; continue; } else { $endpointResponse->Url = $binding['Location']; } try { $sslUrl = new Janus_OpenSsl_Url($binding['Location']); } catch (Exception $e) { $endpointResponse->Errors[] = "Endpoint is not a valid URL"; continue; } if (!$sslUrl->isHttps()) { $endpointResponse->Errors[] = "Endpoint is not HTTPS"; continue; } // If this endpoint is the same hostename as a previous one there is no point in doing // all that expensive work all over again. $sslUrlHostname = $sslUrl->getHostName(); if (isset($responsesByHost[$sslUrlHostname])) { $cachedEndpointResult = $responsesByHost[$sslUrlHostname]; $endpointResponse->CertificateChain = $cachedEndpointResult->CertificateChain; $endpointResponse->Errors = $cachedEndpointResult->Errors; $endpointResponse->Warnings = $cachedEndpointResult->Warnings; continue; } else { $responsesByHost[$sslUrlHostname] = $endpointResponse; } $connectSuccess = $sslUrl->connect(); if (!$connectSuccess) { $endpointResponse->Errors[] = "Endpoint is unreachable"; continue; } if (!$sslUrl->isCertificateValidForUrlHostname()) { $urlHostName = $sslUrl->getHostName(); $validHostNames = $sslUrl->getServerCertificate()->getValidHostNames(); $endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")"; } $urlChain = $sslUrl->getServerCertificateChain(); $certificates = $urlChain->getCertificates(); foreach ($certificates as $certificate) { $certificateSubject = $certificate->getSubject(); $endpointResponse->CertificateChain[] = array('Subject' => array('DN' => $certificate->getSubjectDn(), 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O']), 'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()), 'Issuer' => array('Dn' => $certificate->getIssuerDn()), 'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()), 'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()), 'RootCa' => $certificate->getTrustedRootCertificateAuthority(), 'SelfSigned' => $certificate->isSelfSigned()); } $urlChainValidator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain); $urlChainValidator->validate(); $endpointResponse->Warnings = array_merge($endpointResponse->Warnings, $urlChainValidator->getWarnings()); $endpointResponse->Errors = array_merge($endpointResponse->Errors, $urlChainValidator->getErrors()); } } $this->_sendResponse(); }