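 /**
  * Check the endpoint in $this->_url over TLS and report the findings.
  *
  * Checks, in order: the URL parses, it uses https, the host accepts a TLS
  * connection, the served certificate covers the URL hostname, and the
  * certificate chain validates. The first three failures stop the check and
  * send the response; a hostname mismatch and chain problems are recorded
  * and the chain is still listed so the caller can see what was served.
  *
  * NOTE(review): the original ran the chain validator and then discarded its
  * warnings and errors, so an endpoint with an untrusted or expired chain
  * came back without any chain error; they are now merged into the response
  * the same way serve() does. The original also never initialised
  * $endpointResponse and fell off the end on the success path without
  * sending anything. _sendResponse() is defined outside this listing --
  * confirm how it obtains this response object (serve() keeps its report on
  * $this->_response) and that sending on the success path is not duplicated
  * by the caller.
  *
  * @return mixed whatever _sendResponse() returns
  */
 public function validate()
 {
     $endpointResponse = new stdClass();
     $endpointResponse->CertificateChain = array();
     $endpointResponse->Errors = array();
     $endpointResponse->Warnings = array();

     try {
         $sslUrl = new Janus_OpenSsl_Url($this->_url);
     } catch (Exception $e) {
         $endpointResponse->Errors[] = "Endpoint is not a valid URL";
         return $this->_sendResponse();
     }
     if (!$sslUrl->isHttps()) {
         $endpointResponse->Errors[] = "Endpoint is not HTTPS";
         return $this->_sendResponse();
     }
     if (!$sslUrl->connect()) {
         $endpointResponse->Errors[] = "Endpoint is unreachable";
         return $this->_sendResponse();
     }
     // A hostname mismatch is an error, but keep going so the chain that was
     // actually served is still reported.
     if (!$sslUrl->isCertificateValidForUrlHostname()) {
         $urlHostName = $sslUrl->getHostName();
         $validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
         $endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")";
     }
     $urlChain = $sslUrl->getServerCertificateChain();
     foreach ($urlChain->getCertificates() as $certificate) {
         $certificateSubject = $certificate->getSubject();
         // Fall back to the organisation when the subject carries no CN.
         $endpointResponse->CertificateChain[] = array(
             'Subject' => array(
                 'DN' => $certificate->getSubjectDn(),
                 'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O'],
             ),
             'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()),
             'Issuer' => array('Dn' => $certificate->getIssuerDn()),
             'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()),
             'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()),
             'RootCa' => $certificate->getTrustedRootCertificateAuthority(),
             'SelfSigned' => $certificate->isSelfSigned(),
         );
     }
     // Chain validation findings must reach the response, otherwise a broken
     // chain is indistinguishable from a good one.
     $urlChainValidator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain);
     $urlChainValidator->validate();
     $endpointResponse->Warnings = array_merge($endpointResponse->Warnings, $urlChainValidator->getWarnings());
     $endpointResponse->Errors = array_merge($endpointResponse->Errors, $urlChainValidator->getErrors());

     return $this->_sendResponse();
 }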
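 /**
  * Cron entry point: check the TLS endpoints of every entity and mail the
  * technical contact when anything failed.
  *
  * For each entity, every binding listed in $this->_endpointMetadataFields is
  * checked by _checkEndpointLocation(): the Location must be a valid https
  * URL, the host must accept a connection, the certificate must cover the
  * hostname and the chain must validate. Findings go to the cron logger keyed
  * by entity id and "<metadata field>:<index>".
  *
  * A failure in one binding is logged and the run continues with the next
  * one; only a failure outside the per-binding work (entity listing, loading)
  * ends the run early, and even then what was logged so far is still mailed.
  *
  * @param string $cronTag tag handed in by the cron runner; the run is skipped
  *                        unless _isExecuteRequired() accepts it
  * @return array summary lines from the cron logger (empty when skipped)
  */
 public function runForCronTag($cronTag)
 {
     if (!$this->_isExecuteRequired($cronTag)) {
         return array();
     }
     $cronLogger = new sspmod_janus_Cron_Logger();
     try {
         $util = new sspmod_janus_AdminUtil();
         foreach ($util->getEntities() as $partialEntity) {
             $eid = $partialEntity['eid'];
             $entityController = sspmod_janus_DiContainer::getInstance()->getEntityController();
             if (!$entityController->setEntity($eid)) {
                 $cronLogger->with($eid)->error("Failed import of entity. Wrong eid '{$eid}'.");
                 continue;
             }
             $entityController->loadEntity();
             $entityId = $entityController->getEntity()->getEntityid();
             $entityMetadata = $entityController->getMetaArray();
             foreach ($this->_endpointMetadataFields as $endPointMetaKey) {
                 if (!isset($entityMetadata[$endPointMetaKey])) {
                     // This entity does not have this binding
                     continue;
                 }
                 foreach ($entityMetadata[$endPointMetaKey] as $index => $binding) {
                     $key = $endPointMetaKey . ':' . $index;
                     if (!isset($binding['Location']) || trim($binding['Location']) === "") {
                         $cronLogger->with($entityId)->with($key)->error("Binding has no Location?");
                         continue;
                     }
                     try {
                         $this->_checkEndpointLocation($cronLogger, $entityId, $key, $binding['Location']);
                     } catch (Exception $e) {
                         // One misbehaving endpoint must not hide the results of
                         // every other entity still to be checked.
                         $cronLogger->with($entityId)->with($key)->with($binding['Location'])->error($e->getMessage());
                     }
                 }
             }
         }
     } catch (Exception $e) {
         $cronLogger->error($e->getMessage());
     }
     if ($cronLogger->hasErrors()) {
         $this->_mailTechnicalContact($cronTag, $cronLogger);
     }
     return $cronLogger->getSummaryLines();
 }

 /**
  * Check one endpoint URL over TLS and log every finding.
  *
  * Logs an error and stops at the first of: unparsable URL, non-https URL,
  * connection failure. A certificate that does not cover the URL hostname is
  * logged as an error but the chain is still validated, and each chain
  * validator warning/error is logged on its own line.
  *
  * @param sspmod_janus_Cron_Logger $cronLogger logger to report into
  * @param string                   $entityId   entity id used as log context
  * @param string                   $key        binding key used as log context
  * @param string                   $location   the binding's Location URL
  * @return void
  */
 private function _checkEndpointLocation($cronLogger, $entityId, $key, $location)
 {
     try {
         $sslUrl = new Janus_OpenSsl_Url($location);
     } catch (Exception $e) {
         // $sslUrl is unset when the constructor throws, so log the raw
         // Location. The original called $sslUrl->getUrl() here, which at best
         // logged the previous binding's URL and at worst took down the whole
         // cron run with a fatal error on the very first bad URL.
         $cronLogger->with($entityId)->with($key)->with($location)->error("Endpoint is not a valid URL");
         return;
     }
     if (!$sslUrl->isHttps()) {
         $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is not HTTPS");
         return;
     }
     if (!$sslUrl->connect()) {
         $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Endpoint is unreachable");
         return;
     }
     // Hostname mismatch is an error, but the served chain is still worth
     // validating and reporting.
     if (!$sslUrl->isCertificateValidForUrlHostname()) {
         $urlHostName = $sslUrl->getHostName();
         $validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
         $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error("Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")");
     }
     $validator = new Janus_OpenSsl_Certificate_Chain_Validator($sslUrl->getServerCertificateChain());
     $validator->validate();
     foreach ($validator->getWarnings() as $warning) {
         $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->warn($warning);
     }
     foreach ($validator->getErrors() as $error) {
         $cronLogger->with($entityId)->with($key)->with($sslUrl->getUrl())->error($error);
     }
 }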
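 /**
  * Build the TLS check report for every endpoint of one entity and send it.
  *
  * One stdClass per binding is stored on $this->_response under the key
  * "<metadata field><index>", holding Url, CertificateChain, Errors and
  * Warnings. Checks per endpoint: valid URL, https scheme, reachable,
  * certificate covers the hostname, chain validates. Endpoints that share a
  * hostname within the same binding type reuse the first endpoint's result
  * instead of connecting again.
  *
  * NOTE(review): the original re-bound $endpointResponse with "=&" to the
  * slot on $this->_response. Assigning "new stdClass()" to a reference writes
  * through it, so each iteration overwrote the previous endpoint's slot and
  * every key except the last ended up holding the next endpoint's result.
  * Objects are handles in PHP, so plain assignment keeps the slot and the
  * local pointing at the same object without that aliasing.
  *
  * @param string $entityId entity whose metadata _loadEntityMetadata() loads
  * @return void the report is emitted through _sendResponse()
  */
 public function serve($entityId)
 {
     if (isset($this->_trustedRootCertificateAuthoritiesFile)) {
         Janus_OpenSsl_Certificate_Chain_Factory::loadRootCertificatesFromFile($this->_trustedRootCertificateAuthoritiesFile);
     }
     $this->_loadEntityMetadata($entityId);
     foreach ($this->_endpointMetadataFields as $endPointMetaKey) {
         if (!isset($this->_entityMetadata[$endPointMetaKey])) {
             // This entity does not have this binding
             continue;
         }
         // Result objects keyed by hostname, reused for later endpoints on the
         // same host within this binding type.
         // NOTE(review): keyed on getHostName() alone; if that excludes the
         // port, endpoints on different ports of one host (which may present
         // different certificates) share a single result -- confirm.
         $responsesByHost = array();
         foreach ($this->_entityMetadata[$endPointMetaKey] as $index => $binding) {
             $endpointResponse = new stdClass();
             $endpointResponse->CertificateChain = array();
             $endpointResponse->Errors = array();
             $endpointResponse->Warnings = array();
             $key = $endPointMetaKey . $index;
             // Store the object itself; do not alias the local to this slot.
             $this->_response->{$key} = $endpointResponse;
             if (!isset($binding['Location']) || trim($binding['Location']) === "") {
                 $endpointResponse->Errors[] = "Binding has no Location?";
                 continue;
             }
             $endpointResponse->Url = $binding['Location'];
             try {
                 $sslUrl = new Janus_OpenSsl_Url($binding['Location']);
             } catch (Exception $e) {
                 $endpointResponse->Errors[] = "Endpoint is not a valid URL";
                 continue;
             }
             if (!$sslUrl->isHttps()) {
                 $endpointResponse->Errors[] = "Endpoint is not HTTPS";
                 continue;
             }
             // If this endpoint is the same hostname as a previous one there is no
             // point in doing all that expensive work all over again.
             $sslUrlHostname = $sslUrl->getHostName();
             if (isset($responsesByHost[$sslUrlHostname])) {
                 $cachedEndpointResult = $responsesByHost[$sslUrlHostname];
                 $endpointResponse->CertificateChain = $cachedEndpointResult->CertificateChain;
                 $endpointResponse->Errors = $cachedEndpointResult->Errors;
                 $endpointResponse->Warnings = $cachedEndpointResult->Warnings;
                 continue;
             }
             $responsesByHost[$sslUrlHostname] = $endpointResponse;
             if (!$sslUrl->connect()) {
                 $endpointResponse->Errors[] = "Endpoint is unreachable";
                 continue;
             }
             // A hostname mismatch is an error, but the served chain is still
             // listed and validated so the caller can see what was presented.
             if (!$sslUrl->isCertificateValidForUrlHostname()) {
                 $urlHostName = $sslUrl->getHostName();
                 $validHostNames = $sslUrl->getServerCertificate()->getValidHostNames();
                 $endpointResponse->Errors[] = "Certificate does not match the hostname '{$urlHostName}' (instead it matches " . implode(', ', $validHostNames) . ")";
             }
             $urlChain = $sslUrl->getServerCertificateChain();
             foreach ($urlChain->getCertificates() as $certificate) {
                 $certificateSubject = $certificate->getSubject();
                 // Fall back to the organisation when the subject carries no CN.
                 $endpointResponse->CertificateChain[] = array(
                     'Subject' => array(
                         'DN' => $certificate->getSubjectDn(),
                         'CN' => isset($certificateSubject['CN']) ? $certificateSubject['CN'] : $certificateSubject['O'],
                     ),
                     'SubjectAlternative' => array('DNS' => $certificate->getSubjectAltNames()),
                     'Issuer' => array('Dn' => $certificate->getIssuerDn()),
                     'NotBefore' => array('UnixTime' => $certificate->getValidFromUnixTime()),
                     'NotAfter' => array('UnixTime' => $certificate->getValidUntilUnixTime()),
                     'RootCa' => $certificate->getTrustedRootCertificateAuthority(),
                     'SelfSigned' => $certificate->isSelfSigned(),
                 );
             }
             $urlChainValidator = new Janus_OpenSsl_Certificate_Chain_Validator($urlChain);
             $urlChainValidator->validate();
             $endpointResponse->Warnings = array_merge($endpointResponse->Warnings, $urlChainValidator->getWarnings());
             $endpointResponse->Errors = array_merge($endpointResponse->Errors, $urlChainValidator->getErrors());
         }
     }
     $this->_sendResponse();
 }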