System to extract SSL endpoints from the metadata and probe them to find out what their issuing CA is. Provision for locations that require client certificates as well as those that do not.
Showing
6 changed files
with
276 additions
and
0 deletions.
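--- a/extract_cert_locs.xsl
+++ b/extract_cert_locs.xsl
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+extract_nocert_locs.xsl
+XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+a list of service locations that do not require certificates to be
+presented to them.
+Author: Ian A. Young <ian@iay.org.uk>
+$Id: extract_cert_locs.xsl,v 1.1 2006/08/09 12:20:12 iay Exp $
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+exclude-result-prefixes="shibmeta md ds wayf">
+
+<!-- Output is plain text -->
+<xsl:output method="text"/>
+
+<xsl:template match="//md:AttributeService">
+<xsl:value-of select="@Location"/>
+<xsl:text>
+</xsl:text>
+</xsl:template>
+
+<xsl:template match="//md:ArtifactResolutionService">
+<xsl:value-of select="@Location"/>
+<xsl:text>
+</xsl:text>
+</xsl:template>
+
+<xsl:template match="text()">
+<!-- do nothing -->
+</xsl:template>
+</xsl:stylesheet>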
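Review bot: The header comment names this file `extract_nocert_locs.xsl` and describes it as listing locations that "do not require certificates", but the `$Id` line, the two templates (`md:AttributeService`, `md:ArtifactResolutionService`) and the probe script that feeds this stylesheet's output to `openssl s_client -cert ssl_test.pem -key ssl_test.key` all indicate it is the with-certificate extractor; the comment looks copied from the sibling stylesheet. Suggested wording for the two affected lines: `extract_cert_locs.xsl` and `a list of service locations that require certificates to be presented to them.` so the file's own description matches what its templates select.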
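--- a/extract_nocert_locs.xsl
+++ b/extract_nocert_locs.xsl
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+extract_nocert_locs.xsl
+XSL stylesheet that takes a SAML 2.0 metadata file and extracts
+a list of service locations that do not require certificates to be
+presented to them.
+Author: Ian A. Young <ian@iay.org.uk>
+$Id: extract_nocert_locs.xsl,v 1.1 2006/08/09 12:20:12 iay Exp $
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+exclude-result-prefixes="shibmeta md ds wayf">
+
+<!-- Output is plain text -->
+<xsl:output method="text"/>
+
+<xsl:template match="//md:SingleSignOnService">
+<xsl:value-of select="@Location"/>
+<xsl:text>
+</xsl:text>
+</xsl:template>
+
+<xsl:template match="//md:AssertionConsumerService">
+<xsl:value-of select="@Location"/>
+<xsl:text>
+</xsl:text>
+</xsl:template>
+
+<xsl:template match="text()">
+<!-- do nothing -->
+</xsl:template>
+</xsl:stylesheet>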
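Review bot: The leading `//` in `match="//md:SingleSignOnService"` and `match="//md:AssertionConsumerService"` is redundant in an XSLT match pattern, which already matches the element wherever it occurs in the document, so `match="md:SingleSignOnService"` and `match="md:AssertionConsumerService"` are the conventional form; the two templates in extract_cert_locs.xsl in this commit have the same shape. A one-line comment above the first template saying why these two endpoint types are the "no client certificate" set (front-channel, browser-facing bindings) would also help a reader who does not know the SAML profiles; that is an inference from the element names and should be confirmed by the author.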
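--- a/PLACEHOLDER_PATH_3.pl
+++ b/PLACEHOLDER_PATH_3.pl
@@ -0,0 +1,55 @@
+#!/usr/bin/perl -w
+
+open(XML,"java -cp ../xalan-j_2_6_0/bin/xalan.jar org.apache.xalan.xslt.Process -IN ../xml/sdss-metadata-unsigned.xml -XSL extract_cert_locs.xsl|") || die "could not open input file";
+while (<XML>) {
+if (/^http:/) {
+print "skipping http location: $_";
+} elsif (/^https:\/\/([^\/:]+(:\d+)?)\//) {
+my $location = $1;
+$location .= ":443" unless defined $2;
+$locations{$location} = 1;
+} else {
+print "bad location: $_";
+}
+}
+close XML;
+
+$count = scalar keys %locations;
+print "Unique SSL with-certificate locations: $count\n";
+foreach $loc (sort keys %locations) {
+print "probing: $loc\n";
+$cmd = "openssl s_client -connect $loc -showcerts -verify 10 -cert ssl_test.pem -key ssl_test.key </dev/null 2>/dev/null ";
+open (CMD, "$cmd|") || die "can't open s_client command";
+$got = 0;
+while (<CMD>) {
+if (/^Server certificate/ .. /\-\-\-/) {
+if (/^issuer=(.*)$/) {
+$issuers{$1}{$loc} = 1;
+$numissued++;
+$got = 1;
+}
+}
+}
+close CMD;
+$failed{$loc} = 1 unless $got;
+}
+print "\n\n";
+
+$count = scalar keys %failed;
+print "\n\nProbes that failed: $count\n";
+foreach $loc (sort keys %failed) {
+print " $loc\n";
+}
+print "\n\n";
+
+print "Probes we got an issuer back from: $numissued\n";
+$count = scalar keys %issuers;
+print "Unique issuers: $count\n";
+foreach $issuer (sort keys %issuers) {
+%locs = %{ $issuers{$issuer} };
+$n = scalar keys %locs;
+print "$n: $issuer\n";
+foreach $loc (sort keys %locs) {
+print " $loc\n";
+}
+}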
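Review bot: `$loc` is interpolated into the shell command string that `open (CMD, "$cmd|")` runs in the probe loop, and the only filtering it has passed is the `[^\/:]+` capture in the parser loop above, which still admits shell metacharacters; since the host:port values come from the metadata file (an unsigned one, per the `-IN` path), the capture should be an explicit character class, `} elsif (/^https:\/\/([A-Za-z0-9.-]+(:\d+)?)\//) {`, so that only a DNS name and optional port can ever reach the shell. The second probe script in this commit builds its command the same way and needs the same change. `$numissued` is never initialised, so a run with no successful probes prints an undefined value in the `Probes we got an issuer back from:` line under `-w`; `$numissued = 0;` before the probe loop fixes that. The script also runs without `use strict`, uses bareword handles with 2-arg `open`, and never checks the result of `close CMD`, so an `openssl` invocation that fails outright is counted exactly like a probe that returned no issuer.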
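--- a/PLACEHOLDER_PATH_4.pl
+++ b/PLACEHOLDER_PATH_4.pl
@@ -0,0 +1,61 @@
+#!/usr/bin/perl -w
+
+$known_bad{'census.data-archive.ac.uk:8080'} = 1;
+
+open(XML,"java -cp ../xalan-j_2_6_0/bin/xalan.jar org.apache.xalan.xslt.Process -IN ../xml/sdss-metadata-unsigned.xml -XSL extract_nocert_locs.xsl|") || die "could not open input file";
+while (<XML>) {
+if (/^http:/) {
+print "skipping http location: $_";
+} elsif (/^https:\/\/([^\/:]+(:\d+)?)\//) {
+my $location = $1;
+$location .= ":443" unless defined $2;
+if ($known_bad{$location}) {
+print "skipping known bad location: $_";
+} else {
+$locations{$location} = 1;
+}
+} else {
+print "bad location: $_";
+}
+}
+close XML;
+
+$count = scalar keys %locations;
+print "Unique SSL non-certificate locations: $count\n";
+foreach $loc (sort keys %locations) {
+print "probing: $loc\n";
+$cmd = "openssl s_client -connect $loc -showcerts -verify 10 </dev/null 2>/dev/null ";
+open (CMD, "$cmd|") || die "can't open s_client command";
+$got = 0;
+while (<CMD>) {
+if (/^Server certificate/ .. /\-\-\-/) {
+if (/^issuer=(.*)$/) {
+$issuers{$1}{$loc} = 1;
+$numissued++;
+$got = 1;
+}
+}
+}
+close CMD;
+$failed{$loc} = 1 unless $got;
+}
+print "\n\n";
+
+$count = scalar keys %failed;
+print "\n\nProbes that failed: $count\n";
+foreach $loc (sort keys %failed) {
+print " $loc\n";
+}
+print "\n\n";
+
+print "Probes we got an issuer back from: $numissued\n";
+$count = scalar keys %issuers;
+print "Unique issuers: $count\n";
+foreach $issuer (sort keys %issuers) {
+%locs = %{ $issuers{$issuer} };
+$n = scalar keys %locs;
+print "$n: $issuer\n";
+foreach $loc (sort keys %locs) {
+print " $loc\n";
+}
+}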
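Review bot: The `$known_bad{'census.data-archive.ac.uk:8080'} = 1;` exclusion at the top of the script gives no reason for skipping that endpoint, so a later maintainer cannot tell whether the entry is still needed or when it can be dropped; a one-line comment above it of the form `# Excluded <date>: <reason the probe is skipped> -- TODO fill in` would carry that context. Beyond the `-cert`/`-key` options, the `%known_bad` check and the printed labels, this script duplicates the with-certificate prober line for line, so the probe loop and the reporting section are likely to drift apart; moving them into one script selected by a flag, or a shared module, would keep the two in step.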
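--- a/ssl_test.key
+++ b/ssl_test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQDSB22xmJ6+JezeMmmo5vw/ElWORMgDxsmpi7M/b1Aftl1fk76y
+XubZBmLFhO2zxkPO4fjefS/kyP4SIyiHWEagXjm/WcPeJSWSqoxaQs/YzQ1jw11V
+vONqCx/O0MO4Y0reSt4Ato1WhJboThExLgN61+Lz60D+Q2hAc8cG+fzd2QIDAQAB
+AoGALjWKMd/FVUqc0co/qvSfHPVYs4N4ijQrXE0rM9K2yzNhWcz00OPGYItiIdj8
+P2hotNTM346lge2i0LTBjv2iE/JRcZevIA15MV7qCzTiWCfALNTqPnyrIEOjfoms
+L/t3Rbb5Id+X2g3OKtyaNF/ImHYP0+nUKjdK7zNs/giXLHECQQD16LltmL82pYR9
+oxlnRum/TXKjEPUfBAgnfVUbnpq+wpoBSI35YNNLMNzNrBJOic7eZp3JF3ystbXU
+fU20A8C9AkEA2qXItAjAyZWlvhA41XiLu/MZf3pjuao+qzKnxvUdOQZxl5lf6A42
+UYXZUGdgNYyFxfUaHLFBU9mA53lHi95JTQJAMzLyMIRmA22wySvFJUCZeFAatyLX
+tk5zmC07JBYAqAkCYZQGo05qj7QrtNLHuPxuStXYsj6moZrvsb8pB3rkjQJAAm6f
+qekDA/sHKfMSPsWlgES2/uUEoPcU1WCt3xew6IZ60v3gxDsMPaHohe1wc4gJoOcW
+EEWkfWNI/MorkpG5bQJAD5qGQunLqxVwwTpYG6si5OtxnQ4hSgYgZcgrePO5yRsi
+wcwT+rpCmi5rpsiuu9bP8upPHzV3pnJdVSR6K/wKBw==
+-----END RSA PRIVATE KEY-----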
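Review bot: This file adds an unencrypted RSA private key to the repository (the probe script references it as `ssl_test.key`); once it is in history it stays retrievable after any later deletion, so it should be treated as disclosed and the matching client certificate revoked or allowed to lapse. The certificate added alongside it (subject `SDSS Federation SSL Tester`) is shown with `Not After : Dec 31 00:00:00 2008 GMT`, which bounds the exposure, but a test credential is better generated at run time or read from a path excluded from version control, with the script documenting where it expects to find the key and certificate.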
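--- a/ssl_test.pem
+++ b/ssl_test.pem
@@ -0,0 +1,67 @@
+Certificate:
+Data:
+Version: 3 (0x2)
+Serial Number: 65 (0x41)
+Signature Algorithm: sha1WithRSAEncryption
+Issuer: C=GB, O=JISC Core Middleware Programme, CN=SDSS CA
+Validity
+Not Before: Aug 9 09:21:54 2006 GMT
+Not After : Dec 31 00:00:00 2008 GMT
+Subject: C=GB, O=JISC Core Middleware Programme, OU=SDSS Project, CN=SDSS Federation SSL Tester
+Subject Public Key Info:
+Public Key Algorithm: rsaEncryption
+RSA Public Key: (1024 bit)
+Modulus (1024 bit):
+00:d2:07:6d:b1:98:9e:be:25:ec:de:32:69:a8:e6:
+fc:3f:12:55:8e:44:c8:03:c6:c9:a9:8b:b3:3f:6f:
+50:1f:b6:5d:5f:93:be:b2:5e:e6:d9:06:62:c5:84:
+ed:b3:c6:43:ce:e1:f8:de:7d:2f:e4:c8:fe:12:23:
+28:87:58:46:a0:5e:39:bf:59:c3:de:25:25:92:aa:
+8c:5a:42:cf:d8:cd:0d:63:c3:5d:55:bc:e3:6a:0b:
+1f:ce:d0:c3:b8:63:4a:de:4a:de:00:b6:8d:56:84:
+96:e8:4e:11:31:2e:03:7a:d7:e2:f3:eb:40:fe:43:
+68:40:73:c7:06:f9:fc:dd:d9
+Exponent: 65537 (0x10001)
+X509v3 extensions:
+X509v3 Basic Constraints:
+CA:FALSE
+X509v3 Key Usage:
+Digital Signature, Key Encipherment, Data Encipherment
+X509v3 CRL Distribution Points:
+URI:http://sdss.ac.uk/ca/sdss-ca.crl
+
+X509v3 Subject Key Identifier:
+7C:67:CC:3D:6D:40:43:EE:1A:79:5D:14:DA:C3:A0:54:B2:96:B8:06
+X509v3 Authority Key Identifier:
+keyid:BE:AD:20:87:49:07:67:71:1E:CF:D7:BA:AB:40:8A:77:16:1D:2B:C0
+DirName:/C=GB/O=JISC Core Middleware Programme/CN=SDSS CA
+serial:00
+
+Signature Algorithm: sha1WithRSAEncryption
+1e:e1:11:92:b1:0c:5e:6a:8e:55:93:0c:2b:92:0b:a0:9b:ba:
+55:37:de:91:78:4a:a8:87:09:50:d5:46:fa:53:98:c4:9c:94:
+ac:0f:92:28:40:bf:7d:63:cf:1f:a1:2b:af:6f:63:ba:e4:26:
+a3:3e:05:f8:8a:cc:a3:47:a1:86:74:d9:92:96:89:88:37:4d:
+28:c7:bb:d4:5c:f2:93:d3:8e:08:2d:68:6c:72:cf:7c:83:6d:
+98:6f:dd:37:9b:5c:4a:6e:3b:9d:a5:66:25:6d:69:05:8c:2e:
+f4:d9:41:63:ef:0b:5a:7a:8e:1e:e4:5f:35:6a:93:7d:6f:67:
+4a:4a
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAnmgAwIBAgIBQTANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJHQjEn
+MCUGA1UEChMeSklTQyBDb3JlIE1pZGRsZXdhcmUgUHJvZ3JhbW1lMRAwDgYDVQQD
+EwdTRFNTIENBMB4XDTA2MDgwOTA5MjE1NFoXDTA4MTIzMTAwMDAwMFowcjELMAkG
+A1UEBhMCR0IxJzAlBgNVBAoTHkpJU0MgQ29yZSBNaWRkbGV3YXJlIFByb2dyYW1t
+ZTEVMBMGA1UECxMMU0RTUyBQcm9qZWN0MSMwIQYDVQQDExpTRFNTIEZlZGVyYXRp
+b24gU1NMIFRlc3RlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0gdtsZie
+viXs3jJpqOb8PxJVjkTIA8bJqYuzP29QH7ZdX5O+sl7m2QZixYTts8ZDzuH43n0v
+5Mj+EiMoh1hGoF45v1nD3iUlkqqMWkLP2M0NY8NdVbzjagsfztDDuGNK3kreALaN
+VoSW6E4RMS4Detfi8+tA/kNoQHPHBvn83dkCAwEAAaOB3zCB3DAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwIEsDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vc2Rzcy5hYy51
+ay9jYS9zZHNzLWNhLmNybDAdBgNVHQ4EFgQUfGfMPW1AQ+4aeV0U2sOgVLKWuAYw
+cAYDVR0jBGkwZ4AUvq0gh0kHZ3Eez9e6q0CKdxYdK8ChTKRKMEgxCzAJBgNVBAYT
+AkdCMScwJQYDVQQKEx5KSVNDIENvcmUgTWlkZGxld2FyZSBQcm9ncmFtbWUxEDAO
+BgNVBAMTB1NEU1MgQ0GCAQAwDQYJKoZIhvcNAQEFBQADgYEAHuERkrEMXmqOVZMM
+K5ILoJu6VTfekXhKqIcJUNVG+lOYxJyUrA+SKEC/fWPPH6Err29juuQmoz4F+IrM
+o0ehhnTZkpaJiDdNKMe71Fzyk9OOCC1obHLPfINtmG/dN5tcSm47naVmJW1pBYwu
+9NlBY+8LWnqOHuRfNWqTfW9nSko=
+-----END CERTIFICATE-----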