*/
#include "internal.h"
+#include "logging.h"
#include "security/BasicX509Credential.h"
#include "security/CredentialCriteria.h"
#include "security/CredentialResolver.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/pkcs12.h>
-#include <log4cpp/Category.hh>
#include <xercesc/util/XMLUniDefs.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
using namespace xmlsignature;
+using namespace xmltooling::logging;
using namespace xmltooling;
-using namespace log4cpp;
using namespace std;
// OpenSSL password callback...
public:
FilesystemCredential(FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts)
: BasicX509Credential(key, xseccerts), m_resolver(resolver) {
+ if (!m_xseccerts.empty())
+ extractNames(m_xseccerts.front(), m_keyNames);
initKeyInfo();
}
- virtual ~FilesystemCredential() {}
- void attach(SSL_CTX* ctx) const;
+ virtual ~FilesystemCredential() {
+ }
+ void addKeyNames(const DOMElement* e);
+
+ void attach(SSL_CTX* ctx) const;
+
+ private:
FilesystemCredentialResolver* m_resolver;
};
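Review bot: initKeyInfo() runs inside the constructor at L26, while the names taken from the configuration are only added later through addKeyNames(), which the resolver calls after construction; if initKeyInfo() derives the credential's KeyInfo from m_keyNames, the configured Name values never reach it. Either rebuild the key info at the end of addKeyNames() or pass the Key element into the constructor so the names are known before initKeyInfo() runs. initKeyInfo() is not visible here, so this needs confirming against its definition. A short comment on the declaration at L32 would make the ordering contract explicit, e.g. `// Adds Name children of the Key element; must be called before the credential is handed to callers.`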
void unlock() {}
const Credential* resolve(const CredentialCriteria* criteria=NULL) const {
- return matches(criteria) ? m_credential : NULL;
+ return (criteria ? (criteria->matches(*m_credential) ? m_credential : NULL) : m_credential);
}
virtual vector<const Credential*>::size_type resolve(
vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
) const {
- if (matches(criteria)) {
+ if (!criteria || criteria->matches(*m_credential)) {
results.push_back(m_credential);
return 1;
}
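Review bot: The nested ternary at L42 expresses the same condition as the guard on L48 but is harder to read; use the same shape in both resolve() overloads: `if (!criteria || criteria->matches(*m_credential)) return m_credential;` followed by `return NULL;`. Both new lines also dereference m_credential unconditionally; the constructor appears to always assign it or throw, but if any path leaves it NULL the vector overload would push a NULL entry and report 1, so a null guard or a comment stating the invariant would help. The second resolve() continues past the hunk.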
private:
XSECCryptoKey* loadKey();
- bool matches(const CredentialCriteria* criteria) const {
- bool match = true;
- if (criteria) {
- // See if algorithm is kosher.
- const char* alg = criteria->getKeyAlgorithm();
- if (alg && *alg) {
- match = false;
- for (vector<string>::const_iterator a = m_algorithms.begin(); a!=m_algorithms.end(); ++a) {
- if (strstr(alg, a->c_str()))
- match = true;
- }
- }
- if (match && m_credential->getPublicKey()) {
- // See if we have to match a specific key.
- auto_ptr<Credential> cred(
- XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(*criteria,Credential::RESOLVE_KEYS)
- );
- if (cred.get())
- match = cred->isEqual(*(m_credential->getPublicKey()));
- }
- }
- return match;
- }
enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
string m_keypath,m_keypass;
vector<X509*> m_certs;
FilesystemCredential* m_credential;
- vector<string> m_algorithms;
};
CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
{
return new FilesystemCredentialResolver(e);
}
-};
-static const XMLCh AlgorithmPrefix[] = UNICODE_LITERAL_15(A,l,g,o,r,i,t,h,m,P,r,e,f,i,x);
-static const XMLCh CAPath[] = UNICODE_LITERAL_6(C,A,P,a,t,h);
-static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
-static const XMLCh format[] = UNICODE_LITERAL_6(f,o,r,m,a,t);
-static const XMLCh Key[] = UNICODE_LITERAL_3(K,e,y);
-static const XMLCh password[] = UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
-static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h);
+ static const XMLCh CAPath[] = UNICODE_LITERAL_6(C,A,P,a,t,h);
+ static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
+ static const XMLCh format[] = UNICODE_LITERAL_6(f,o,r,m,a,t);
+ static const XMLCh Key[] = UNICODE_LITERAL_3(K,e,y);
+ static const XMLCh Name[] = UNICODE_LITERAL_4(N,a,m,e);
+ static const XMLCh password[] = UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
+ static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h);
+};
FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_credential(NULL)
{
#ifdef _DEBUG
NDC ndc("FilesystemCredentialResolver");
#endif
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER);
const DOMElement* root=e;
- e=XMLHelper::getFirstChildElement(root,AlgorithmPrefix);
- while (e) {
- if (e->hasChildNodes()) {
- auto_ptr_char alg(e->getFirstChild()->getNodeValue());
- if (alg.get())
- m_algorithms.push_back(alg.get());
- }
- e=XMLHelper::getNextSiblingElement(e,AlgorithmPrefix);
- }
-
- if (m_algorithms.empty()) {
- m_algorithms.push_back(URI_ID_SIG_BASE);
- m_algorithms.push_back(URI_ID_SIG_BASEMORE);
- m_algorithms.push_back("http://www.w3.org/2001/04/xmlenc#rsa");
- }
XSECCryptoKey* key=NULL;
vector<XSECCryptoX509*> xseccerts;
BIO* in = NULL;
// Move to Key
- e=XMLHelper::getFirstChildElement(root,Key);
- if (e) {
+ const DOMElement* keynode=XMLHelper::getFirstChildElement(root,Key);
+ if (keynode) {
// Get raw format attrib value, but defer processing til later since may need to
// determine format dynamically, and we need the Path for that.
- format_xml=e->getAttributeNS(NULL,format);
+ format_xml=keynode->getAttributeNS(NULL,format);
- const XMLCh* password_xml=e->getAttributeNS(NULL,password);
+ const XMLCh* password_xml=keynode->getAttributeNS(NULL,password);
if (password_xml) {
auto_ptr_char kp(password_xml);
m_keypass=kp.get();
}
- e=XMLHelper::getFirstChildElement(e,Path);
+ e=XMLHelper::getFirstChildElement(keynode,Path);
if (e && e->hasChildNodes()) {
const XMLCh* s=e->getFirstChild()->getNodeValue();
auto_ptr_char kpath(s);
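Review bot: The logging category name assembled at L109 (`XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER`) is repeated verbatim at L177 in loadKey(); a single file-local constant keeps the two call sites from drifting, e.g. `static const char* const kLogCategory = XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER;` passed to both Category::getInstance() calls. The constructor body continues past the hunk.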
e=XMLHelper::getFirstChildElement(root,Certificate);
if (!e) {
m_credential = new FilesystemCredential(this,key,xseccerts);
+ m_credential->addKeyNames(keynode);
return;
}
auto_ptr_char certpass(e->getAttributeNS(NULL,password));
- DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
+ const DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
if (!ep || !ep->hasChildNodes()) {
log.error("Path element missing inside Certificate element or is empty");
delete key;
throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
// Load any extra CA files.
- DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
+ const DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
while (extra) {
if (!extra->hasChildNodes()) {
log.warn("skipping empty CAPath element");
if (!key && !xseccerts.empty())
key = xseccerts.front()->clonePublicKey();
m_credential = new FilesystemCredential(this, key, xseccerts);
+ m_credential->addKeyNames(keynode);
}
XSECCryptoKey* FilesystemCredentialResolver::loadKey()
break;
default:
- Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver").error("unsupported private key type");
+ Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER).error("unsupported private key type");
}
EVP_PKEY_free(pkey);
if (ret)
#ifdef _DEBUG
NDC ndc("attach");
#endif
-
+
+ if (m_keypath.empty())
+ throw XMLSecurityException("No key available, unable to attach private key to SSL context.");
+
// Attach key.
SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
}
}
+void FilesystemCredential::addKeyNames(const DOMElement* e)
+{
+ e = e ? XMLHelper::getFirstChildElement(e, Name) : NULL;
+ while (e) {
+ if (e->hasChildNodes()) {
+ auto_ptr_char n(e->getFirstChild()->getNodeValue());
+ if (n.get() && *n.get())
+ m_keyNames.insert(n.get());
+ }
+ e = XMLHelper::getNextSiblingElement(e, Name);
+ }
+}
+
void FilesystemCredential::attach(SSL_CTX* ctx) const
{
return m_resolver->attach(ctx);
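Review bot: addKeyNames() at L194 has no documentation and reuses its parameter as the loop cursor, which obscures that the argument is the Key element rather than a Name element; suggest `// Collects the text of every non-empty Name child of the given Key element into m_keyNames; a NULL element is a no-op.` above L194 and a separate local for the iteration. The text is inserted verbatim at L199-L201, so whitespace inside the element is preserved; if the matching side compares names exactly, that is worth stating in the comment or trimming here.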