#include "internal.h"
#include "io/HTTPResponse.h"
+#ifndef XMLTOOLING_LITE
+# include "security/Credential.h"
+# include "security/CredentialCriteria.h"
+# include "security/CredentialResolver.h"
+# include "security/SignatureTrustEngine.h"
+# include "signature/Signature.h"
+# include "signature/SignatureValidator.h"
+#endif
#include "util/NDC.h"
#include "util/PathResolver.h"
#include "util/ReloadableXMLFile.h"
# include <log4cpp/NDC.hh>
#endif
+#include <memory>
#include <fstream>
#include <sys/types.h>
#include <sys/stat.h>
#include <xercesc/framework/Wrapper4InputSource.hpp>
#include <xercesc/util/XMLUniDefs.hpp>
+#ifndef XMLTOOLING_LITE
+# include <xsec/dsig/DSIGReference.hpp>
+# include <xsec/dsig/DSIGTransformList.hpp>
+using namespace xmlsignature;
+#endif
+
using namespace xmltooling::logging;
using namespace xmltooling;
using namespace xercesc;
using namespace std;
+#ifndef XMLTOOLING_LITE
+namespace {
+ class XMLTOOL_DLLLOCAL DummyCredentialResolver : public CredentialResolver
+ {
+ public:
+ DummyCredentialResolver() {}
+ ~DummyCredentialResolver() {}
+
+ Lockable* lock() {return this;}
+ void unlock() {}
+
+ const Credential* resolve(const CredentialCriteria* criteria=nullptr) const {return nullptr;}
+ vector<const Credential*>::size_type resolve(
+ vector<const Credential*>& results, const CredentialCriteria* criteria=nullptr
+ ) const {return 0;}
+ };
+};
+#endif
+
static const XMLCh id[] = UNICODE_LITERAL_2(i,d);
static const XMLCh uri[] = UNICODE_LITERAL_3(u,r,i);
static const XMLCh url[] = UNICODE_LITERAL_3(u,r,l);
static const XMLCh reloadChanges[] = UNICODE_LITERAL_13(r,e,l,o,a,d,C,h,a,n,g,e,s);
static const XMLCh reloadInterval[] = UNICODE_LITERAL_14(r,e,l,o,a,d,I,n,t,e,r,v,a,l);
static const XMLCh backingFilePath[] = UNICODE_LITERAL_15(b,a,c,k,i,n,g,F,i,l,e,P,a,t,h);
+static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
+static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
+static const XMLCh signerName[] = UNICODE_LITERAL_10(s,i,g,n,e,r,N,a,m,e);
+static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
+static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
ReloadableXMLFile::ReloadableXMLFile(const DOMElement* e, Category& log)
- : m_root(e), m_local(true), m_validate(false), m_backupIndicator(true), m_filestamp(0), m_reloadInterval(0), m_lock(NULL), m_log(log),
- m_shutdown(false), m_reload_wait(NULL), m_reload_thread(NULL)
+ : m_root(e), m_local(true), m_validate(false), m_backupIndicator(true), m_filestamp(0), m_reloadInterval(0), m_lock(nullptr), m_log(log),
+#ifndef XMLTOOLING_LITE
+ m_credResolver(nullptr), m_trust(nullptr),
+#endif
+ m_shutdown(false), m_reload_wait(nullptr), m_reload_thread(nullptr)
{
#ifdef _DEBUG
NDC ndc("ReloadableXMLFile");
#endif
// Establish source of data...
- const XMLCh* source=e->getAttributeNS(NULL,uri);
+ const XMLCh* source=e->getAttributeNS(nullptr,uri);
if (!source || !*source) {
- source=e->getAttributeNS(NULL,url);
+ source=e->getAttributeNS(nullptr,url);
if (!source || !*source) {
- source=e->getAttributeNS(NULL,path);
+ source=e->getAttributeNS(nullptr,path);
if (!source || !*source) {
- source=e->getAttributeNS(NULL,pathname);
+ source=e->getAttributeNS(nullptr,pathname);
if (!source || !*source) {
- source=e->getAttributeNS(NULL,file);
+ source=e->getAttributeNS(nullptr,file);
if (!source || !*source) {
- source=e->getAttributeNS(NULL,filename);
+ source=e->getAttributeNS(nullptr,filename);
}
}
}
}
- else
+ else {
m_local=false;
+ }
}
- else
+ else {
m_local=false;
+ }
if (source && *source) {
- const XMLCh* flag=e->getAttributeNS(NULL,validate);
+ const XMLCh* flag=e->getAttributeNS(nullptr,validate);
m_validate=(XMLString::equals(flag,xmlconstants::XML_TRUE) || XMLString::equals(flag,xmlconstants::XML_ONE));
auto_ptr_char temp(source);
m_local=true;
}
+#ifndef XMLTOOLING_LITE
+ // Check for signature bits.
+ if (e && e->hasAttributeNS(nullptr, certificate)) {
+ // Use a file-based credential resolver rooted here.
+ m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e);
+ }
+ else {
+ const DOMElement* sub = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : nullptr;
+ auto_ptr_char t(sub ? sub->getAttributeNS(nullptr, type) : nullptr);
+ if (t.get()) {
+ m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(), sub);
+ }
+ else {
+ sub = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : nullptr;
+ auto_ptr_char t2(sub ? sub->getAttributeNS(nullptr, type) : nullptr);
+ if (t2.get()) {
+ TrustEngine* trust = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t2.get(), sub);
+ if (!(m_trust = dynamic_cast<SignatureTrustEngine*>(trust))) {
+ delete trust;
+ throw XMLToolingException("TrustEngine-based ReloadableXMLFile requires a SignatureTrustEngine plugin.");
+ }
+
+ flag = e->getAttributeNS(nullptr, signerName);
+ if (flag && *flag) {
+ auto_ptr_char sn(flag);
+ m_signerName = sn.get();
+ }
+ }
+ }
+ }
+#endif
+
if (m_local) {
XMLToolingConfig::getConfig().getPathResolver()->resolve(m_source, PathResolver::XMLTOOLING_CFG_FILE);
- flag=e->getAttributeNS(NULL,reloadChanges);
+ flag=e->getAttributeNS(nullptr,reloadChanges);
if (!XMLString::equals(flag,xmlconstants::XML_FALSE) && !XMLString::equals(flag,xmlconstants::XML_ZERO)) {
#ifdef WIN32
struct _stat stat_buf;
}
else {
log.debug("using remote resource (%s)", m_source.c_str());
- source = e->getAttributeNS(NULL,backingFilePath);
+ source = e->getAttributeNS(nullptr,backingFilePath);
if (source && *source) {
auto_ptr_char temp2(source);
m_backing=temp2.get();
XMLToolingConfig::getConfig().getPathResolver()->resolve(m_backing, PathResolver::XMLTOOLING_RUN_FILE);
log.debug("backup remote resource to (%s)", m_backing.c_str());
}
- source = e->getAttributeNS(NULL,reloadInterval);
+ source = e->getAttributeNS(nullptr,reloadInterval);
if (source && *source) {
m_reloadInterval = XMLString::parseInt(source);
if (m_reloadInterval > 0) {
m_lock=RWLock::create();
}
}
- m_filestamp = time(NULL); // assume it gets loaded initially
+ m_filestamp = time(nullptr); // assume it gets loaded initially
}
if (m_lock) {
log.debug("no resource uri/path/name supplied, will load inline configuration");
}
- source = e->getAttributeNS(NULL, id);
+ source = e->getAttributeNS(nullptr, id);
if (source && *source) {
auto_ptr_char tempid(source);
m_id = tempid.get();
// Shut down the reload thread and let it know.
m_shutdown = true;
m_reload_wait->signal();
- m_reload_thread->join(NULL);
+ m_reload_thread->join(nullptr);
delete m_reload_thread;
delete m_reload_wait;
- m_reload_thread = NULL;
- m_reload_wait = NULL;
+ m_reload_thread = nullptr;
+ m_reload_wait = nullptr;
}
}
logging::NDC::pop();
}
- return NULL;
+ return nullptr;
}
Lockable* ReloadableXMLFile::lock()
else
m_log.debug("loading configuration from external resource...");
- DOMDocument* doc=NULL;
+ DOMDocument* doc=nullptr;
if (m_local || backup) {
auto_ptr_XMLCh widenit(backup ? m_backing.c_str() : m_source.c_str());
// Use library-wide lock for now, nothing else is using it anyway.
- Locker locker(backup ? getBackupLock() : NULL);
+ Locker locker(backup ? getBackupLock() : nullptr);
LocalFileInputSource src(widenit.get());
Wrapper4InputSource dsrc(&src, false);
if (m_validate)
doc=XMLToolingConfig::getConfig().getParser().parse(dsrc);
}
else {
- URLInputSource src(m_root, NULL, &m_cacheTag);
+ URLInputSource src(m_root, nullptr, &m_cacheTag);
Wrapper4InputSource dsrc(&src, false);
if (m_validate)
doc=XMLToolingConfig::getConfig().getValidatingParser().parse(dsrc);
}
m_log.infoStream() << "loaded XML resource (" << (backup ? m_backing : m_source) << ")" << logging::eol;
+#ifndef XMLTOOLING_LITE
+ if (m_credResolver || m_trust) {
+ m_log.debug("checking signature on XML resource");
+ try {
+ DOMElement* sigel = XMLHelper::getFirstChildElement(doc->getDocumentElement(), xmlconstants::XMLSIG_NS, Signature::LOCAL_NAME);
+ if (!sigel)
+ throw XMLSecurityException("Signature validation required, but no signature found.");
+
+ // Wrap and unmarshall the signature for the duration of the check.
+ auto_ptr<Signature> sigobj(dynamic_cast<Signature*>(SignatureBuilder::buildOneFromElement(sigel))); // don't bind to document
+ validateSignature(*sigobj.get());
+ }
+ catch (exception&) {
+ doc->release();
+ throw;
+ }
+
+ }
+#endif
if (!backup && !m_backing.empty()) {
// If the indicator is true, we're responsible for the backup.
}
}
+#ifndef XMLTOOLING_LITE
+
+void ReloadableXMLFile::validateSignature(Signature& sigObj) const
+{
+ DSIGSignature* sig=sigObj.getXMLSignature();
+ if (!sig)
+ throw XMLSecurityException("Signature does not exist yet.");
+
+ // Make sure the whole document was signed.
+ bool valid=false;
+ DSIGReferenceList* refs=sig->getReferenceList();
+ if (refs && refs->getSize()==1) {
+ DSIGReference* ref=refs->item(0);
+ if (ref) {
+ const XMLCh* URI=ref->getURI();
+ if (URI==nullptr || *URI==0) {
+ DSIGTransformList* tlist=ref->getTransforms();
+ if (tlist->getSize() <= 2) {
+ for (unsigned int i=0; tlist && i<tlist->getSize(); i++) {
+ if (tlist->item(i)->getTransformType()==TRANSFORM_ENVELOPED_SIGNATURE)
+ valid=true;
+ else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
+ tlist->item(i)->getTransformType()!=TRANSFORM_C14N &&
+ tlist->item(i)->getTransformType()!=TRANSFORM_C14N11) {
+ valid=false;
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (!valid)
+ throw XMLSecurityException("Invalid signature profile for signed configuration resource.");
+
+ // Set up criteria.
+ CredentialCriteria cc;
+ cc.setUsage(Credential::SIGNING_CREDENTIAL);
+ cc.setSignature(sigObj, CredentialCriteria::KEYINFO_EXTRACTION_KEY);
+ if (!m_signerName.empty())
+ cc.setPeerName(m_signerName.c_str());
+
+ if (m_credResolver) {
+ Locker locker(m_credResolver);
+ vector<const Credential*> creds;
+ if (m_credResolver->resolve(creds, &cc)) {
+ SignatureValidator sigValidator;
+ for (vector<const Credential*>::const_iterator i = creds.begin(); i != creds.end(); ++i) {
+ try {
+ sigValidator.setCredential(*i);
+ sigValidator.validate(&sigObj);
+ return; // success!
+ }
+ catch (exception&) {
+ }
+ }
+ throw XMLSecurityException("Unable to verify signature with supplied key(s).");
+ }
+ else {
+ throw XMLSecurityException("CredentialResolver did not supply any candidate keys.");
+ }
+ }
+ else if (m_trust) {
+ DummyCredentialResolver dummy;
+ if (m_trust->validate(sigObj, dummy, &cc))
+ return;
+ throw XMLSecurityException("TrustEngine unable to verify signature.");
+ }
+
+ throw XMLSecurityException("Unable to verify signature.");
+}
+
+#endif
+
pair<bool,DOMElement*> ReloadableXMLFile::load()
{
return load(false);
projects / shibboleth / cpp-xmltooling.git / blobdiff