2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * CredentialCriteria.cpp
20 * Class for specifying criteria by which a CredentialResolver should resolve credentials.
24 #include "security/Credential.h"
25 #include "security/CredentialCriteria.h"
26 #include "security/KeyInfoResolver.h"
28 #include <log4cpp/Category.hh>
29 #include <openssl/dsa.h>
30 #include <openssl/rsa.h>
31 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
32 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
34 using namespace xmltooling;
37 bool CredentialCriteria::matches(const Credential& credential) const
39 // Algorithm check, if specified and we have one.
40 const char* alg = getKeyAlgorithm();
42 const char* alg2 = credential.getAlgorithm();
48 // KeySize check, if specified and we have one.
49 if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize())
52 // See if we can test key names.
53 const set<string>& critnames = getKeyNames();
54 const set<string>& crednames = credential.getKeyNames();
55 if (!critnames.empty() && !crednames.empty()) {
57 for (set<string>::const_iterator n = critnames.begin(); n!=critnames.end(); ++n) {
58 if (crednames.count(*n)>0) {
67 // See if we have to match a specific key.
68 XSECCryptoKey* key1 = getPublicKey();
70 return true; // no key to compare against, so we're done
72 XSECCryptoKey* key2 = credential.getPublicKey();
74 return true; // no key here, so we can't test it
76 if (key1->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL ||
77 key2->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
78 log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Credential").warn("comparison of non-OpenSSL credentials are not supported");
82 if (key1->getKeyType()==XSECCryptoKey::KEY_RSA_PUBLIC || key1->getKeyType()==XSECCryptoKey::KEY_RSA_PAIR) {
83 if (key2->getKeyType()!=XSECCryptoKey::KEY_RSA_PUBLIC && key2->getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
85 RSA* rsa1 = static_cast<OpenSSLCryptoKeyRSA*>(key1)->getOpenSSLRSA();
86 RSA* rsa2 = static_cast<OpenSSLCryptoKeyRSA*>(key2)->getOpenSSLRSA();
87 return (BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
90 if (key1->getKeyType()==XSECCryptoKey::KEY_DSA_PUBLIC || key1->getKeyType()==XSECCryptoKey::KEY_DSA_PAIR) {
91 if (key2->getKeyType()!=XSECCryptoKey::KEY_DSA_PUBLIC && key2->getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
93 DSA* dsa1 = static_cast<OpenSSLCryptoKeyDSA*>(key1)->getOpenSSLDSA();
94 DSA* dsa2 = static_cast<OpenSSLCryptoKeyDSA*>(key2)->getOpenSSLDSA();
95 return (BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
98 log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".CredentialCriteria").warn("unsupported key type for comparison");