-/*
- * Copyright 2001-2009 Internet2
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
*/
/**
using xmlsignature::KeyInfo;
using xmlsignature::Signature;
+using namespace xmltooling::logging;
using namespace xmltooling;
using namespace std;
CredentialCriteria::CredentialCriteria()
- : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(NULL),
- m_keyInfo(NULL), m_nativeKeyInfo(NULL), m_credential(NULL)
+ : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_maxKeySize(0), m_key(nullptr),
+ m_keyInfo(nullptr), m_nativeKeyInfo(nullptr), m_credential(nullptr)
{
}
const char* CredentialCriteria::getPeerName() const
{
- return m_peerName.c_str();
+ return m_peerName.empty() ? nullptr : m_peerName.c_str();
}
void CredentialCriteria::setPeerName(const char* peerName)
const char* CredentialCriteria::getKeyAlgorithm() const
{
- return m_keyAlgorithm.c_str();
+ return m_keyAlgorithm.empty() ? nullptr : m_keyAlgorithm.c_str();
}
void CredentialCriteria::setKeyAlgorithm(const char* keyAlgorithm)
m_keySize = keySize;
}
+unsigned int CredentialCriteria::getMaxKeySize() const
+{
+ return m_maxKeySize;
+}
+
+void CredentialCriteria::setMaxKeySize(unsigned int keySize)
+{
+ m_maxKeySize = keySize;
+}
+
void CredentialCriteria::setXMLAlgorithm(const XMLCh* algorithm)
{
if (algorithm) {
setKeySize(mapped.second);
}
else {
- setKeyAlgorithm(NULL);
+ setKeyAlgorithm(nullptr);
setKeySize(0);
}
}
void CredentialCriteria::setKeyInfo(const KeyInfo* keyInfo, int extraction)
{
delete m_credential;
- m_credential = NULL;
+ m_credential = nullptr;
m_keyInfo = keyInfo;
if (!keyInfo || !extraction)
return;
void CredentialCriteria::setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction)
{
delete m_credential;
- m_credential = NULL;
+ m_credential = nullptr;
m_nativeKeyInfo = keyInfo;
if (!keyInfo || !extraction)
return;
setNativeKeyInfo(dsig->getKeyInfoList(), extraction);
}
+void CredentialCriteria::reset()
+{
+ setUsage(Credential::UNSPECIFIED_CREDENTIAL);
+ setKeySize(0);
+ setMaxKeySize(0);
+ setKeyAlgorithm(nullptr);
+ getKeyNames().clear();
+ setKeyInfo(nullptr);
+ setNativeKeyInfo(nullptr);
+}
+
bool CredentialCriteria::matches(const Credential& credential) const
{
+ Category& log = Category::getInstance(XMLTOOLING_LOGCAT".CredentialCriteria");
+
// Usage check, if specified and we have one, compare masks.
if (getUsage() != Credential::UNSPECIFIED_CREDENTIAL) {
if (credential.getUsage() != Credential::UNSPECIFIED_CREDENTIAL)
- if ((getUsage() & credential.getUsage()) == 0)
+ if ((getUsage() & credential.getUsage()) == 0) {
+ if (log.isDebugEnabled())
+ log.debug("usage didn't match (%u != %u)", getUsage(), credential.getUsage());
return false;
+ }
}
// Algorithm check, if specified and we have one.
const char* alg = getKeyAlgorithm();
if (alg && *alg) {
const char* alg2 = credential.getAlgorithm();
- if (alg2 && *alg2)
- if (strcmp(alg,alg2))
+ if (alg2 && *alg2) {
+ if (strcmp(alg,alg2)) {
+ if (log.isDebugEnabled())
+ log.debug("key algorithm didn't match ('%s' != '%s')", getKeyAlgorithm(), credential.getAlgorithm());
return false;
+ }
+ }
}
// KeySize check, if specified and we have one.
- if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize())
- return false;
+ unsigned int ksize = credential.getKeySize();
+ if (ksize > 0) {
+ if (m_keySize > 0 && m_maxKeySize == 0) {
+ if (ksize != m_keySize) {
+ log.debug("key size (%u) didn't match (%u)", ksize, m_keySize);
+ return false;
+ }
+ }
+ else if (m_keySize > 0 && ksize < m_keySize) {
+ log.debug("key size (%u) smaller than minimum (%u)", ksize, m_keySize);
+ return false;
+ }
+ else if (m_maxKeySize > 0 && ksize > m_maxKeySize) {
+ log.debug("key size (%u) larger than maximum (%u)", ksize, m_maxKeySize);
+ return false;
+ }
+ }
// See if we can test key names.
set<string> critnames = getKeyNames();
break;
}
}
- if (!found)
+ if (!found) {
+ log.debug("credential name(s) didn't overlap");
return false;
+ }
}
// See if we have to match a specific key.
if (!key2)
return true; // no key here, so we can't test it
- return SecurityHelper::matches(*key1, *key2);
+ if (SecurityHelper::matches(*key1, *key2))
+ return true;
+
+ log.debug("keys didn't match");
+ return false;
}