95
72
#include <openssl/pem.h>
96
73
#include <openssl/bio.h>
97
74
#include <openssl/evp.h>
98
76
#include "euca_auth.h"
99
77
#include "misc.h" /* get_string_stats, logprintf */
101
#ifndef NO_AXIS /* for compiling on systems without Axis */
102
#include "oxs_axiom.h"
103
#include "oxs_x509_cert.h"
104
#include "oxs_key_mgr.h"
105
#include "rampart_handler_util.h"
106
#include "rampart_sec_processed_result.h"
107
#include "rampart_error.h"
108
#include "axis2_op_ctx.h"
109
#include "rampart_context.h"
111
#define NO_U_FAIL(x) do{ \
112
AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][eucalyptus-verify] " #x );\
113
AXIS2_ERROR_SET(env->error, RAMPART_ERROR_FAILED_AUTHENTICATION, AXIS2_FAILURE);\
114
return AXIS2_FAILURE; \
117
axis2_status_t __euca_authenticate(const axutil_env_t *env,axis2_msg_ctx_t *out_msg_ctx, axis2_op_ctx_t *op_ctx)
119
//***** First get the message context before doing anything dumb w/ a NULL pointer *****/
120
axis2_msg_ctx_t *msg_ctx = NULL; //<--- incoming msg context, it is NULL, see?
121
msg_ctx = axis2_op_ctx_get_msg_ctx(op_ctx, env, AXIS2_WSDL_MESSAGE_LABEL_IN);
123
//***** Print everything from the security results, just for testing now *****//
124
rampart_context_t *rampart_context = NULL;
125
axutil_property_t *property = NULL;
127
property = axis2_msg_ctx_get_property(msg_ctx, env, RAMPART_CONTEXT);
130
rampart_context = (rampart_context_t *)axutil_property_get_value(property, env);
131
// AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ======== PRINTING PROCESSED WSSEC TOKENS ======== ");
132
rampart_print_security_processed_results_set(env,msg_ctx);
135
//***** Extract Security Node from header from enveloper from msg_ctx *****//
136
axiom_soap_envelope_t *soap_envelope = NULL;
137
axiom_soap_header_t *soap_header = NULL;
138
axiom_node_t *sec_node = NULL;
141
soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
142
if(!soap_envelope) NO_U_FAIL("SOAP envelope cannot be found.");
143
soap_header = axiom_soap_envelope_get_header(soap_envelope, env);
144
if (!soap_header) NO_U_FAIL("SOAP header cannot be found.");
145
sec_node = rampart_get_security_header(env, msg_ctx, soap_header); // <---- here it is!
146
if(!sec_node)NO_U_FAIL("No node wsse:Security -- required: ws-security");
148
//***** Find the wsse:Reference to the BinarySecurityToken *****//
149
//** Path is: Security/
150
//** *sec_node must be non-NULL, kkthx **//
151
axiom_node_t *sig_node = NULL;
152
axiom_node_t *key_info_node = NULL;
153
axiom_node_t *sec_token_ref_node = NULL;
154
/** the ds:Signature node **/
155
sig_node = oxs_axiom_get_first_child_node_by_name(env,sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, OXS_DS );
156
if(!sig_node)NO_U_FAIL("No node ds:Signature -- required: signature");
157
/** the ds:KeyInfo **/
158
key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL );
159
if(!key_info_node)NO_U_FAIL("No node ds:KeyInfo -- required: signature key");
160
/** the wsse:SecurityTokenReference **/
161
sec_token_ref_node = oxs_axiom_get_first_child_node_by_name(env, key_info_node,OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
162
if(!sec_token_ref_node)NO_U_FAIL("No node wsse:SecurityTokenReference -- required: signing token");
163
//** in theory this is the branching point for supporting all kinds of tokens -- we only do BST Direct Reference **/
165
//***** Find the wsse:Reference to the BinarySecurityToken *****//
166
//** *sec_token_ref_node must be non-NULL **/
167
axis2_char_t *ref = NULL;
168
axis2_char_t *ref_id = NULL;
169
axiom_node_t *token_ref_node = NULL;
170
axiom_node_t *bst_node = NULL;
171
/** the wsse:Reference node **/
172
token_ref_node = oxs_axiom_get_first_child_node_by_name(env, sec_token_ref_node,OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
173
/** pull out the name of the BST node **/
174
ref = oxs_token_get_reference(env, token_ref_node);
175
ref_id = axutil_string_substring_starting_at(axutil_strdup(env, ref), 1);
176
/** get the wsse:BinarySecurityToken used to sign the message **/
177
bst_node = oxs_axiom_get_node_by_id(env, sec_node, "Id", ref_id, OXS_WSU_XMLNS);
178
if(!bst_node){oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);NO_U_FAIL("Cant find the required node");}
181
//***** Find the wsse:Reference to the BinarySecurityToken *****//
182
//** *bst_node must be non-NULL **/
183
axis2_char_t *data = NULL;
184
oxs_x509_cert_t *_cert = NULL;
185
oxs_x509_cert_t *recv_cert = NULL;
186
axis2_char_t *file_name = NULL;
187
axis2_char_t *recv_x509_buf = NULL;
188
axis2_char_t *msg_x509_buf = NULL;
190
/** pull out the data from the BST **/
191
data = oxs_axiom_get_node_content(env, bst_node);
192
/** create an oxs_X509_cert **/
193
_cert = oxs_key_mgr_load_x509_cert_from_string(env, data);
196
//***** FINALLY -- we have the certificate used to sign the message. authenticate it HERE *****//
197
msg_x509_buf = oxs_x509_cert_get_data(_cert,env);
198
if(!msg_x509_buf)NO_U_FAIL("OMG WHAT NOW?!");
200
recv_x509_buf = (axis2_char_t *)rampart_context_get_receiver_certificate(rampart_context, env);
202
recv_cert = oxs_key_mgr_load_x509_cert_from_string(env, recv_x509_buf);
205
file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
206
if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
207
if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
208
recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
212
file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
213
if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
214
if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
215
recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
218
recv_x509_buf = oxs_x509_cert_get_data(recv_cert,env);
220
NO_U_FAIL("could not populate receiver cert");
223
if( axutil_strcmp(recv_x509_buf,msg_x509_buf)!=0){
224
AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Received x509 certificate value ---------" );
225
AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, msg_x509_buf );
226
AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Local x509 certificate value! ---------" );
227
AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, recv_x509_buf );
228
AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ---------------------------------------------------" );
229
NO_U_FAIL("The certificate specified is invalid!");
234
oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT, "Cannot load certificate from string =%s", data);
235
NO_U_FAIL("Failed to build certificate from BinarySecurityToken");
237
oxs_x509_cert_free(_cert, env);
238
oxs_x509_cert_free(recv_cert, env);
239
return AXIS2_SUCCESS;
244
79
static int initialized = 0;
246
81
#define FILENAME 512