From 3a483d1201952acebd06484696ba282836c902a5 Mon Sep 17 00:00:00 2001 From: Ian Young Date: Wed, 9 Aug 2006 12:20:12 +0000 Subject: [PATCH] System to extract SSL endpoints from the metadata and probe them to find out what their issuing CA is. Provision for locations that require client certificates as well as those that do not. --- build/extract_cert_locs.xsl | 39 ++++++++++++++++++++ build/extract_nocert_locs.xsl | 39 ++++++++++++++++++++ build/probe_certs.pl | 55 ++++++++++++++++++++++++++++ build/probe_nocerts.pl | 61 +++++++++++++++++++++++++++++++ build/ssl_test.key | 15 ++++++++ build/ssl_test.pem | 67 +++++++++++++++++++++++++++++++++++ 6 files changed, 276 insertions(+) create mode 100644 build/extract_cert_locs.xsl create mode 100644 build/extract_nocert_locs.xsl create mode 100644 build/probe_certs.pl create mode 100644 build/probe_nocerts.pl create mode 100644 build/ssl_test.key create mode 100644 build/ssl_test.pem diff --git a/build/extract_cert_locs.xsl b/build/extract_cert_locs.xsl new file mode 100644 index 00000000..bff9297c --- /dev/null +++ b/build/extract_cert_locs.xsl @@ -0,0 +1,39 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/build/extract_nocert_locs.xsl b/build/extract_nocert_locs.xsl new file mode 100644 index 00000000..ad5a1c03 --- /dev/null +++ b/build/extract_nocert_locs.xsl @@ -0,0 +1,39 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/build/probe_certs.pl b/build/probe_certs.pl new file mode 100644 index 00000000..b7e28d18 --- /dev/null +++ b/build/probe_certs.pl 
@@ -0,0 +1,55 @@
+#!/usr/bin/perl -w
+
+open(XML,"java -cp ../xalan-j_2_6_0/bin/xalan.jar org.apache.xalan.xslt.Process -IN ../xml/sdss-metadata-unsigned.xml -XSL extract_cert_locs.xsl|") || die "could not open input file";
+while () {
+ if (/^http:/) {
+ print "skipping http location: $_";
+ } elsif (/^https:\/\/([^\/:]+(:\d+)?)\//) {
+ my $location = $1;
+ $location .= ":443" unless defined $2;
+ $locations{$location} = 1;
+ } else {
+ print "bad location: $_";
+ }
+}
+close XML;
+
+$count = scalar keys %locations;
+print "Unique SSL with-certificate locations: $count\n";
+foreach $loc (sort keys %locations) {
+ print "probing: $loc\n";
+ $cmd = "openssl s_client -connect $loc -showcerts -verify 10 -cert ssl_test.pem -key ssl_test.key /dev/null ";
+ open (CMD, "$cmd|") || die "can't open s_client command";
+ $got = 0;
+ while () {
+ if (/^Server certificate/ .. /\-\-\-/) {
+ if (/^issuer=(.*)$/) {
+ $issuers{$1}{$loc} = 1;
+ $numissued++;
+ $got = 1;
+ }
+ }
+ }
+ close CMD;
+ $failed{$loc} = 1 unless $got;
+}
+print "\n\n";
+
+$count = scalar keys %failed;
+print "\n\nProbes that failed: $count\n";
+foreach $loc (sort keys %failed) {
+ print " $loc\n";
+}
+print "\n\n";
+
+print "Probes we got an issuer back from: $numissued\n";
+$count = scalar keys %issuers;
+print "Unique issuers: $count\n";
+foreach $issuer (sort keys %issuers) {
+ %locs = %{ $issuers{$issuer} };
+ $n = scalar keys %locs;
+ print "$n: $issuer\n";
+ foreach $loc (sort keys %locs) {
+ print " $loc\n";
+ }
+}
diff --git a/build/probe_nocerts.pl b/build/probe_nocerts.pl
new file mode 100644
index 00000000..66a9e423
--- /dev/null
+++ b/build/probe_nocerts.pl
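Review bot: `$loc` is interpolated into a shell command string at `open (CMD, "$cmd|")` after being captured from the metadata file by `[^\/:]+`, a class that excludes only `/` and `:`, so a host field in `sdss-metadata-unsigned.xml` containing shell metacharacters would be handed to the shell on the probing machine rather than passed to `-connect`; probe_nocerts.pl has the same open call and the same capture. Narrowing the capture to hostname characters, `} elsif (/^https:\/\/([A-Za-z0-9.-]+(:\d+)?)\//) {`, closes that path, and the list form `open(CMD, '-|', 'openssl', 's_client', '-connect', $loc, ...)` would avoid the shell altogether. The script also runs without `use strict`, and `$numissued` is never initialised, so the `Probes we got an issuer back from:` line prints an empty value when no probe returns an issuer; `$numissued = 0;` before the probe loop fixes that. The tail of `$cmd` appears to have lost its I/O redirection in this rendering (`/dev/null` stands alone), so I cannot tell from the hunk whether openssl's own diagnostics are discarded or why `-verify 10` is given without a trust store.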
@@ -0,0 +1,61 @@
+#!/usr/bin/perl -w
+
+$known_bad{'census.data-archive.ac.uk:8080'} = 1;
+
+open(XML,"java -cp ../xalan-j_2_6_0/bin/xalan.jar org.apache.xalan.xslt.Process -IN ../xml/sdss-metadata-unsigned.xml -XSL extract_nocert_locs.xsl|") || die "could not open input file";
+while () {
+ if (/^http:/) {
+ print "skipping http location: $_";
+ } elsif (/^https:\/\/([^\/:]+(:\d+)?)\//) {
+ my $location = $1;
+ $location .= ":443" unless defined $2;
+ if ($known_bad{$location}) {
+ print "skipping known bad location: $_";
+ } else {
+ $locations{$location} = 1;
+ }
+ } else {
+ print "bad location: $_";
+ }
+}
+close XML;
+
+$count = scalar keys %locations;
+print "Unique SSL non-certificate locations: $count\n";
+foreach $loc (sort keys %locations) {
+ print "probing: $loc\n";
+ $cmd = "openssl s_client -connect $loc -showcerts -verify 10 /dev/null ";
+ open (CMD, "$cmd|") || die "can't open s_client command";
+ $got = 0;
+ while () {
+ if (/^Server certificate/ .. /\-\-\-/) {
+ if (/^issuer=(.*)$/) {
+ $issuers{$1}{$loc} = 1;
+ $numissued++;
+ $got = 1;
+ }
+ }
+ }
+ close CMD;
+ $failed{$loc} = 1 unless $got;
+}
+print "\n\n";
+
+$count = scalar keys %failed;
+print "\n\nProbes that failed: $count\n";
+foreach $loc (sort keys %failed) {
+ print " $loc\n";
+}
+print "\n\n";
+
+print "Probes we got an issuer back from: $numissued\n";
+$count = scalar keys %issuers;
+print "Unique issuers: $count\n";
+foreach $issuer (sort keys %issuers) {
+ %locs = %{ $issuers{$issuer} };
+ $n = scalar keys %locs;
+ print "$n: $issuer\n";
+ foreach $loc (sort keys %locs) {
+ print " $loc\n";
+ }
+}
diff --git a/build/ssl_test.key b/build/ssl_test.key
new file mode 100644
index 00000000..78e2108e
--- /dev/null
+++ b/build/ssl_test.key
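Review bot: `close CMD;` followed by `$failed{$loc} = 1 unless $got;` discards why a location produced no `issuer=` line, so a refused connection, a timeout, a plain-HTTP listener and a failed handshake all land in `%failed` with the same value and are indistinguishable in the "Probes that failed" list. Keeping the child's exit status, `close CMD; $failed{$loc} = "exit status " . ($? >> 8) unless $got;`, and printing that value next to `$loc` in the failed loop would let a reader separate unreachable endpoints from TLS problems without re-running openssl by hand. The `%known_bad` entry for `census.data-archive.ac.uk:8080` is also silently dropped from the report rather than listed, and nothing records why it is excluded; a comment on that line such as `# excluded from probing because: REASON-TO-BE-FILLED-IN` would stop the next maintainer from guessing whether it is still needed.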
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWwIBAAKBgQDSB22xmJ6+JezeMmmo5vw/ElWORMgDxsmpi7M/b1Aftl1fk76y +XubZBmLFhO2zxkPO4fjefS/kyP4SIyiHWEagXjm/WcPeJSWSqoxaQs/YzQ1jw11V +vONqCx/O0MO4Y0reSt4Ato1WhJboThExLgN61+Lz60D+Q2hAc8cG+fzd2QIDAQAB +AoGALjWKMd/FVUqc0co/qvSfHPVYs4N4ijQrXE0rM9K2yzNhWcz00OPGYItiIdj8 +P2hotNTM346lge2i0LTBjv2iE/JRcZevIA15MV7qCzTiWCfALNTqPnyrIEOjfoms +L/t3Rbb5Id+X2g3OKtyaNF/ImHYP0+nUKjdK7zNs/giXLHECQQD16LltmL82pYR9 +oxlnRum/TXKjEPUfBAgnfVUbnpq+wpoBSI35YNNLMNzNrBJOic7eZp3JF3ystbXU +fU20A8C9AkEA2qXItAjAyZWlvhA41XiLu/MZf3pjuao+qzKnxvUdOQZxl5lf6A42 +UYXZUGdgNYyFxfUaHLFBU9mA53lHi95JTQJAMzLyMIRmA22wySvFJUCZeFAatyLX +tk5zmC07JBYAqAkCYZQGo05qj7QrtNLHuPxuStXYsj6moZrvsb8pB3rkjQJAAm6f +qekDA/sHKfMSPsWlgES2/uUEoPcU1WCt3xew6IZ60v3gxDsMPaHohe1wc4gJoOcW +EEWkfWNI/MorkpG5bQJAD5qGQunLqxVwwTpYG6si5OtxnQ4hSgYgZcgrePO5yRsi +wcwT+rpCmi5rpsiuu9bP8upPHzV3pnJdVSR6K/wKBw== +-----END RSA PRIVATE KEY----- diff --git a/build/ssl_test.pem b/build/ssl_test.pem new file mode 100644 index 00000000..bdd6549f --- /dev/null +++ b/build/ssl_test.pem 
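Review bot: `ssl_test.key` checks an unencrypted RSA private key into version control next to its CA-issued certificate in `ssl_test.pem`, so anyone with read access to the repository holds a credential that endpoints trusting `SDSS CA` will accept as `SDSS Federation SSL Tester`. Keeping the key out of the tree (ignore the file and have each operator obtain their own test credential, with the scripts reading the path from a configurable location) is the usual remedy; if the key has already been published with this commit it should be treated as exposed and revoked. The certificate's validity also ends at `Dec 31 00:00:00 2008 GMT`, after which probe_certs.pl will report every client-certificate endpoint as failed; a comment at the top of that script naming the expiry would save a confusing run later.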
@@ -0,0 +1,67 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 65 (0x41) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=GB, O=JISC Core Middleware Programme, CN=SDSS CA + Validity + Not Before: Aug 9 09:21:54 2006 GMT + Not After : Dec 31 00:00:00 2008 GMT + Subject: C=GB, O=JISC Core Middleware Programme, OU=SDSS Project, CN=SDSS Federation SSL Tester + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:d2:07:6d:b1:98:9e:be:25:ec:de:32:69:a8:e6: + fc:3f:12:55:8e:44:c8:03:c6:c9:a9:8b:b3:3f:6f: + 50:1f:b6:5d:5f:93:be:b2:5e:e6:d9:06:62:c5:84: + ed:b3:c6:43:ce:e1:f8:de:7d:2f:e4:c8:fe:12:23: + 28:87:58:46:a0:5e:39:bf:59:c3:de:25:25:92:aa: + 8c:5a:42:cf:d8:cd:0d:63:c3:5d:55:bc:e3:6a:0b: + 1f:ce:d0:c3:b8:63:4a:de:4a:de:00:b6:8d:56:84: + 96:e8:4e:11:31:2e:03:7a:d7:e2:f3:eb:40:fe:43: + 68:40:73:c7:06:f9:fc:dd:d9 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment, Data Encipherment + X509v3 CRL Distribution Points: + URI:http://sdss.ac.uk/ca/sdss-ca.crl + + X509v3 Subject Key Identifier: + 7C:67:CC:3D:6D:40:43:EE:1A:79:5D:14:DA:C3:A0:54:B2:96:B8:06 + X509v3 Authority Key Identifier: + keyid:BE:AD:20:87:49:07:67:71:1E:CF:D7:BA:AB:40:8A:77:16:1D:2B:C0 + DirName:/C=GB/O=JISC Core Middleware Programme/CN=SDSS CA + serial:00 + + Signature Algorithm: sha1WithRSAEncryption + 1e:e1:11:92:b1:0c:5e:6a:8e:55:93:0c:2b:92:0b:a0:9b:ba: + 55:37:de:91:78:4a:a8:87:09:50:d5:46:fa:53:98:c4:9c:94: + ac:0f:92:28:40:bf:7d:63:cf:1f:a1:2b:af:6f:63:ba:e4:26: + a3:3e:05:f8:8a:cc:a3:47:a1:86:74:d9:92:96:89:88:37:4d: + 28:c7:bb:d4:5c:f2:93:d3:8e:08:2d:68:6c:72:cf:7c:83:6d: + 98:6f:dd:37:9b:5c:4a:6e:3b:9d:a5:66:25:6d:69:05:8c:2e: + f4:d9:41:63:ef:0b:5a:7a:8e:1e:e4:5f:35:6a:93:7d:6f:67: + 4a:4a +-----BEGIN CERTIFICATE----- +MIIDEDCCAnmgAwIBAgIBQTANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJHQjEn 
+MCUGA1UEChMeSklTQyBDb3JlIE1pZGRsZXdhcmUgUHJvZ3JhbW1lMRAwDgYDVQQD +EwdTRFNTIENBMB4XDTA2MDgwOTA5MjE1NFoXDTA4MTIzMTAwMDAwMFowcjELMAkG +A1UEBhMCR0IxJzAlBgNVBAoTHkpJU0MgQ29yZSBNaWRkbGV3YXJlIFByb2dyYW1t +ZTEVMBMGA1UECxMMU0RTUyBQcm9qZWN0MSMwIQYDVQQDExpTRFNTIEZlZGVyYXRp +b24gU1NMIFRlc3RlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0gdtsZie +viXs3jJpqOb8PxJVjkTIA8bJqYuzP29QH7ZdX5O+sl7m2QZixYTts8ZDzuH43n0v +5Mj+EiMoh1hGoF45v1nD3iUlkqqMWkLP2M0NY8NdVbzjagsfztDDuGNK3kreALaN +VoSW6E4RMS4Detfi8+tA/kNoQHPHBvn83dkCAwEAAaOB3zCB3DAJBgNVHRMEAjAA +MAsGA1UdDwQEAwIEsDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vc2Rzcy5hYy51 +ay9jYS9zZHNzLWNhLmNybDAdBgNVHQ4EFgQUfGfMPW1AQ+4aeV0U2sOgVLKWuAYw +cAYDVR0jBGkwZ4AUvq0gh0kHZ3Eez9e6q0CKdxYdK8ChTKRKMEgxCzAJBgNVBAYT +AkdCMScwJQYDVQQKEx5KSVNDIENvcmUgTWlkZGxld2FyZSBQcm9ncmFtbWUxEDAO +BgNVBAMTB1NEU1MgQ0GCAQAwDQYJKoZIhvcNAQEFBQADgYEAHuERkrEMXmqOVZMM +K5ILoJu6VTfekXhKqIcJUNVG+lOYxJyUrA+SKEC/fWPPH6Err29juuQmoz4F+IrM +o0ehhnTZkpaJiDdNKMe71Fzyk9OOCC1obHLPfINtmG/dN5tcSm47naVmJW1pBYwu +9NlBY+8LWnqOHuRfNWqTfW9nSko= +-----END CERTIFICATE-----