xmltooling/security/impl/FilesystemCredentialResolver.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * FilesystemCredentialResolver.cpp
  19  *
  20  * Supplies credentials from local files
  21  */
  22
  23 #include "internal.h"
  24 #include "security/BasicX509Credential.h"
  25 #include "security/CredentialCriteria.h"
  26 #include "security/CredentialResolver.h"
  27 #include "security/KeyInfoResolver.h"
  28 #include "security/OpenSSLCredential.h"
  29 #include "util/NDC.h"
  30 #include "util/XMLHelper.h"
  31
  32 #include <sys/types.h>
  33 #include <sys/stat.h>
  34 #include <openssl/pkcs12.h>
  35 #include <log4cpp/Category.hh>
  36 #include <xercesc/util/XMLUniDefs.hpp>
  37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
  38 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
  39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
  40
  41 using namespace xmlsignature;
  42 using namespace xmltooling;
  43 using namespace log4cpp;
  44 using namespace std;
  45
  46 // OpenSSL password callback...
  47 static int passwd_callback(char* buf, int len, int verify, void* passwd)
  48 {
  49     if(!verify)
  50     {
  51         if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
  52         {
  53             strcpy(buf,reinterpret_cast<char*>(passwd));
  54             return strlen(buf);
  55         }
  56     }
  57     return 0;
  58 }
  59
  60 namespace xmltooling {
  61
  62 #if defined (_MSC_VER)
  63     #pragma warning( push )
  64     #pragma warning( disable : 4250 )
  65 #endif
  66
  67     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver;
  68     class XMLTOOL_DLLLOCAL FilesystemCredential : public OpenSSLCredential, public BasicX509Credential
  69     {
  70     public:
  71         FilesystemCredential(FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts)
  72                 : BasicX509Credential(key, xseccerts), m_resolver(resolver) {
  73             initKeyInfo();
  74         }
  75         virtual ~FilesystemCredential() {
  76         }
  77
  78         void attach(SSL_CTX* ctx) const;
  79
  80     private:
  81         FilesystemCredentialResolver* m_resolver;
  82     };
  83
  84 #if defined (_MSC_VER)
  85     #pragma warning( pop )
  86 #endif
  87
  88     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver : public CredentialResolver
  89     {
  90     public:
  91         FilesystemCredentialResolver(const DOMElement* e);
  92         virtual ~FilesystemCredentialResolver() {
  93             delete m_credential;
  94             for_each(m_certs.begin(),m_certs.end(),X509_free);
  95         }
  96
  97         Lockable* lock() { return this; }
  98         void unlock() {}
  99
 100         const Credential* resolve(const CredentialCriteria* criteria=NULL) const {
 101             return matches(criteria) ? m_credential : NULL;
 102         }
 103
 104         virtual vector<const Credential*>::size_type resolve(
 105             vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
 106             ) const {
 107             if (matches(criteria)) {
 108                 results.push_back(m_credential);
 109                 return 1;
 110             }
 111             return 0;
 112         }
 113
 114         void attach(SSL_CTX* ctx) const;
 115
 116     private:
 117         XSECCryptoKey* loadKey();
 118         bool matches(const CredentialCriteria* criteria) const {
 119             bool match = true;
 120             if (criteria) {
 121                 const char* alg = criteria->getKeyAlgorithm();
 122                 if (alg && *alg) {
 123                     const char* alg2 = m_credential->getAlgorithm();
 124                     if (alg2 && *alg2)
 125                         match = XMLString::equals(alg,alg2);
 126                 }
 127                 if (match && criteria->getKeySize()>0 && m_credential->getKeySize()>0)
 128                     match = (criteria->getKeySize() == m_credential->getKeySize());
 129                 if (match && m_credential->getPublicKey()) {
 130                     // See if we have to match a specific key.
 131                     auto_ptr<Credential> cred(
 132                         XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(*criteria,Credential::RESOLVE_KEYS)
 133                         );
 134                     if (cred.get())
 135                         match = cred->isEqual(*(m_credential->getPublicKey()));
 136                 }
 137             }
 138             return match;
 139         }
 140
 141         enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
 142
 143         format_t getEncodingFormat(BIO* in) const;
 144         string formatToString(format_t format) const;
 145         format_t xmlFormatToFormat(const XMLCh* format_xml) const;
 146
 147         format_t m_keyformat;
 148         string m_keypath,m_keypass;
 149         vector<X509*> m_certs;
 150         FilesystemCredential* m_credential;
 151     };
 152
 153     CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
 154     {
 155         return new FilesystemCredentialResolver(e);
 156     }
 157 };
 158
 159 static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);
 160 static const XMLCh Certificate[] =      UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
 161 static const XMLCh format[] =           UNICODE_LITERAL_6(f,o,r,m,a,t);
 162 static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
 163 static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
 164 static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);
 165
 166 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_credential(NULL)
 167 {
 168 #ifdef _DEBUG
 169     NDC ndc("FilesystemCredentialResolver");
 170 #endif
 171     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver");
 172
 173     const DOMElement* root=e;
 174
 175     XSECCryptoKey* key=NULL;
 176     vector<XSECCryptoX509*> xseccerts;
 177
 178     format_t fformat;
 179     const XMLCh* format_xml=NULL;
 180     BIO* in = NULL;
 181
 182     // Move to Key
 183     e=XMLHelper::getFirstChildElement(root,Key);
 184     if (e) {
 185
 186         // Get raw format attrib value, but defer processing til later since may need to
 187         // determine format dynamically, and we need the Path for that.
 188         format_xml=e->getAttributeNS(NULL,format);
 189
 190         const XMLCh* password_xml=e->getAttributeNS(NULL,password);
 191         if (password_xml) {
 192             auto_ptr_char kp(password_xml);
 193             m_keypass=kp.get();
 194         }
 195
 196         e=XMLHelper::getFirstChildElement(e,Path);
 197         if (e && e->hasChildNodes()) {
 198             const XMLCh* s=e->getFirstChild()->getNodeValue();
 199             auto_ptr_char kpath(s);
 200 #ifdef WIN32
 201             struct _stat stat_buf;
 202             if (_stat(kpath.get(), &stat_buf) != 0)
 203 #else
 204             struct stat stat_buf;
 205             if (stat(kpath.get(), &stat_buf) != 0)
 206 #endif
 207             {
 208                 log.error("key file (%s) can't be opened", kpath.get());
 209                 throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
 210             }
 211             m_keypath=kpath.get();
 212         }
 213         else {
 214             log.error("Path element missing inside Key element");
 215             throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
 216         }
 217
 218         // Determine the key encoding format dynamically, if not explicitly specified
 219         if (format_xml && *format_xml) {
 220             fformat = xmlFormatToFormat(format_xml);
 221             if (fformat != UNKNOWN) {
 222                 m_keyformat = fformat;
 223             }
 224             else {
 225                 auto_ptr_char unknown(format_xml);
 226                 log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
 227                 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
 228             }
 229         }
 230         else {
 231             in=BIO_new(BIO_s_file_internal());
 232             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 233                 m_keyformat = getEncodingFormat(in);
 234                 log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
 235             }
 236             else {
 237                 log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
 238                 throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
 239             }
 240             if (in)
 241                 BIO_free(in);
 242             in = NULL;
 243         }
 244
 245         // Load the key.
 246         key = loadKey();
 247     }
 248
 249     // Check for Certificate
 250     e=XMLHelper::getFirstChildElement(root,Certificate);
 251     if (!e) {
 252         m_credential = new FilesystemCredential(this,key,xseccerts);
 253         return;
 254     }
 255     auto_ptr_char certpass(e->getAttributeNS(NULL,password));
 256
 257     DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
 258     if (!ep || !ep->hasChildNodes()) {
 259         log.error("Path element missing inside Certificate element or is empty");
 260         delete key;
 261         throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
 262     }
 263
 264     auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
 265     format_xml=e->getAttributeNS(NULL,format);
 266     if (format_xml && *format_xml) {
 267         fformat = xmlFormatToFormat(format_xml);
 268         if (fformat == UNKNOWN) {
 269             auto_ptr_char unknown(format_xml);
 270             log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
 271             delete key;
 272             throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
 273         }
 274     }
 275
 276     try {
 277         X509* x=NULL;
 278         PKCS12* p12=NULL;
 279         in=BIO_new(BIO_s_file_internal());
 280         if (in && BIO_read_filename(in,certpath.get())>0) {
 281             if (!format_xml || !*format_xml) {
 282                 // Determine the cert encoding format dynamically, if not explicitly specified
 283                 fformat = getEncodingFormat(in);
 284                 log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 285             }
 286
 287             switch(fformat) {
 288                 case PEM:
 289                     while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 290                         m_certs.push_back(x);
 291                     break;
 292
 293                 case DER:
 294                     x=d2i_X509_bio(in,NULL);
 295                     if (x)
 296                         m_certs.push_back(x);
 297                     else {
 298                         log_openssl();
 299                         BIO_free(in);
 300                         throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
 301                     }
 302                     break;
 303
 304                 case _PKCS12:
 305                     p12=d2i_PKCS12_bio(in,NULL);
 306                     if (p12) {
 307                         PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 308                         PKCS12_free(p12);
 309                     }
 310                     if (x) {
 311                         m_certs.push_back(x);
 312                         x=NULL;
 313                     } else {
 314                         log_openssl();
 315                         BIO_free(in);
 316                         throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
 317                     }
 318                     break;
 319             } // end switch
 320
 321         } else {
 322             log_openssl();
 323             if (in) {
 324                 BIO_free(in);
 325                 in=NULL;
 326             }
 327             throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
 328         }
 329         if (in) {
 330             BIO_free(in);
 331             in=NULL;
 332         }
 333
 334         if (m_certs.empty())
 335             throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
 336
 337         // Load any extra CA files.
 338         DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
 339         while (extra) {
 340             if (!extra->hasChildNodes()) {
 341                 log.warn("skipping empty CAPath element");
 342                 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 343                 continue;
 344             }
 345             auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
 346             x=NULL;
 347             p12=NULL;
 348             in=BIO_new(BIO_s_file_internal());
 349             if (in && BIO_read_filename(in,capath.get())>0) {
 350                 if (!format_xml || !*format_xml) {
 351                     // Determine the cert encoding format dynamically, if not explicitly specified
 352                     fformat = getEncodingFormat(in);
 353                     log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 354                 }
 355
 356                 switch (fformat) {
 357                     case PEM:
 358                         while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 359                             m_certs.push_back(x);
 360                         break;
 361
 362                     case DER:
 363                         x=d2i_X509_bio(in,NULL);
 364                         if (x)
 365                             m_certs.push_back(x);
 366                         else {
 367                             log_openssl();
 368                             BIO_free(in);
 369                             throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
 370                         }
 371                         break;
 372
 373                     case _PKCS12:
 374                         p12 = d2i_PKCS12_bio(in, NULL);
 375                         if (p12) {
 376                             PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 377                             PKCS12_free(p12);
 378                         }
 379                         if (x) {
 380                             m_certs.push_back(x);
 381                             x=NULL;
 382                         }
 383                         else {
 384                             log_openssl();
 385                             BIO_free(in);
 386                             throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
 387                         }
 388                         break;
 389                 } //end switch
 390
 391                 BIO_free(in);
 392             }
 393             else {
 394                 if (in)
 395                     BIO_free(in);
 396                 log_openssl();
 397                 log.error("CA file (%s) can't be opened", capath.get());
 398                 throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
 399             }
 400
 401             extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 402         }
 403     }
 404     catch (XMLToolingException&) {
 405         delete key;
 406         for_each(m_certs.begin(), m_certs.end(), X509_free);
 407         throw;
 408     }
 409
 410     // Reflect certs over to XSEC form and wrap with credential object.
 411     for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
 412         xseccerts.push_back(new OpenSSLCryptoX509(*j));
 413     if (!key && !xseccerts.empty())
 414         key = xseccerts.front()->clonePublicKey();
 415     m_credential = new FilesystemCredential(this, key, xseccerts);
 416 }
 417
 418 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
 419 {
 420 #ifdef _DEBUG
 421     NDC ndc("loadKey");
 422 #endif
 423
 424     // Get a EVP_PKEY.
 425     EVP_PKEY* pkey=NULL;
 426     BIO* in=BIO_new(BIO_s_file_internal());
 427     if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 428         switch (m_keyformat) {
 429             case PEM:
 430                 pkey=PEM_read_bio_PrivateKey(in, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
 431                 break;
 432
 433             case DER:
 434                 pkey=d2i_PrivateKey_bio(in, NULL);
 435                 break;
 436
 437             default: {
 438                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 439                 if (p12) {
 440                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 441                     PKCS12_free(p12);
 442                 }
 443             }
 444         }
 445     }
 446     if (in)
 447         BIO_free(in);
 448
 449     // Now map it to an XSEC wrapper.
 450     if (pkey) {
 451         XSECCryptoKey* ret=NULL;
 452         switch (pkey->type) {
 453             case EVP_PKEY_RSA:
 454                 ret=new OpenSSLCryptoKeyRSA(pkey);
 455                 break;
 456
 457             case EVP_PKEY_DSA:
 458                 ret=new OpenSSLCryptoKeyDSA(pkey);
 459                 break;
 460
 461             default:
 462                 Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver").error("unsupported private key type");
 463         }
 464         EVP_PKEY_free(pkey);
 465         if (ret)
 466             return ret;
 467     }
 468
 469     log_openssl();
 470     throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file.");
 471 }
 472
 473 // Used to determine the encoding format of credentials files
 474 // dynamically. Supports: PEM, DER, PKCS12.
 475 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
 476 {
 477     PKCS12* p12 = NULL;
 478     format_t format;
 479
 480     const int READSIZE = 1;
 481     char buf[READSIZE];
 482     char b1;
 483     int mark;
 484
 485     try {
 486         if ( (mark = BIO_tell(in)) < 0 )
 487             throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
 488         if ( BIO_read(in, buf, READSIZE) <= 0 )
 489             throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
 490         if ( BIO_seek(in, mark) < 0 )
 491             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 492     }
 493     catch (...) {
 494         log_openssl();
 495         throw;
 496     }
 497
 498     b1 = buf[0];
 499
 500     // This is a slight variation of the Java code by Chad La Joie.
 501     //
 502     // Check the first byte of the file.  If it's some kind of
 503     // DER-encoded structure (including PKCS12), it will begin with ASCII 048.
 504     // Otherwise, assume it's PEM.
 505     if (b1 !=  48) {
 506         format = PEM;
 507     } else {
 508         // Here we know it's DER-encoded, now try to parse it as a PKCS12
 509         // ASN.1 structure.  If it fails, must be another kind of DER-encoded
 510         // key/cert structure.  A little inefficient...but it works.
 511         if ( (p12=d2i_PKCS12_bio(in,NULL)) == NULL ) {
 512             format = DER;
 513         } else {
 514             format = _PKCS12;
 515         }
 516         if (p12)
 517             PKCS12_free(p12);
 518         if ( BIO_seek(in, mark) < 0 ) {
 519             log_openssl();
 520             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 521         }
 522     }
 523
 524     return format;
 525 }
 526
 527 // Convert key/cert format_t types to a human-meaningful string for debug output
 528 string FilesystemCredentialResolver::formatToString(format_t format) const
 529 {
 530     switch(format) {
 531         case PEM:
 532             return "PEM";
 533         case DER:
 534             return "DER";
 535         case _PKCS12:
 536             return "PKCS12";
 537         default:
 538             return "UNKNOWN";
 539     }
 540 }
 541
 542 // Convert key/cert raw XML format attribute (XMLCh[]) to format_t type
 543 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
 544 {
 545     static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
 546     static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
 547     static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };
 548     format_t format;
 549
 550     if (!XMLString::compareString(format_xml,cPEM))
 551         format=PEM;
 552     else if (!XMLString::compareString(format_xml,cDER))
 553         format=DER;
 554     else if (!XMLString::compareString(format_xml,cPKCS12))
 555         format=_PKCS12;
 556     else
 557         format=UNKNOWN;
 558
 559     return format;
 560 }
 561
 562 void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
 563 {
 564 #ifdef _DEBUG
 565     NDC ndc("attach");
 566 #endif
 567
 568     // Attach key.
 569     SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
 570     SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
 571
 572     int ret=0;
 573     switch (m_keyformat) {
 574         case PEM:
 575             ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 576             break;
 577
 578         case DER:
 579             ret=SSL_CTX_use_RSAPrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 580             break;
 581
 582         default: {
 583             BIO* in=BIO_new(BIO_s_file_internal());
 584             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 585                 EVP_PKEY* pkey=NULL;
 586                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 587                 if (p12) {
 588                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 589                     PKCS12_free(p12);
 590                     if (pkey) {
 591                         ret=SSL_CTX_use_PrivateKey(ctx, pkey);
 592                         EVP_PKEY_free(pkey);
 593                     }
 594                 }
 595             }
 596             if (in)
 597                 BIO_free(in);
 598         }
 599     }
 600
 601     if (ret!=1) {
 602         log_openssl();
 603         throw XMLSecurityException("Unable to attach private key to SSL context.");
 604     }
 605
 606     // Attach certs.
 607     for (vector<X509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) {
 608         if (i==m_certs.begin()) {
 609             if (SSL_CTX_use_certificate(ctx, *i) != 1) {
 610                 log_openssl();
 611                 throw XMLSecurityException("Unable to attach client certificate to SSL context.");
 612             }
 613         }
 614         else {
 615             // When we add certs, they don't get ref counted, so we need to duplicate them.
 616             X509* dup = X509_dup(*i);
 617             if (SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
 618                 X509_free(dup);
 619                 log_openssl();
 620                 throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
 621             }
 622         }
 623     }
 624 }
 625
 626 void FilesystemCredential::attach(SSL_CTX* ctx) const
 627 {
 628     return m_resolver->attach(ctx);
 629 }