X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=shib%2FBasicTrust.cpp;h=c588a42c57806707d8c6cfe286e3ddaa9be43bef;hb=5bf6a7459c6fa151f5f9d618dccfa3e1c8e9f5b8;hp=3de204ec6b5afe3d4f3df458f7c03402638ed49b;hpb=95d70673bd46f24d07c53794ace3775e680fb396;p=shibboleth%2Fcpp-sp.git
diff --git a/shib/BasicTrust.cpp b/shib/BasicTrust.cpp
index 3de204e..c588a42 100644
--- a/shib/BasicTrust.cpp
+++ b/shib/BasicTrust.cpp
@@ -25,6 +25,8 @@
 #include "internal.h"
 #include
+#include
+#include
 #include
 using namespace shibboleth::logging;
@@ -104,7 +106,7 @@ bool BasicTrust::validate(void* certEE, const Iterator& certChain, const
 // The new "basic" trust implementation relies solely on certificates living within the
 // role interface to verify the EE certificate.
- log.debug("comparing certificate to KeyDescriptors");
+ log.debug("comparing key inside certificate to KeyDescriptors");
 Iterator kd_i=role->getKeyDescriptors();
 while (kd_i.hasNext()) {
 const IKeyDescriptor* kd=kd_i.next();
@@ -115,24 +117,56 @@ bool BasicTrust::validate(void* certEE, const Iterator& certChain, const
 continue;
 Iterator resolvers(m_resolvers);
 while (resolvers.hasNext()) {
- XSECCryptoX509* cert=resolvers.next()->resolveCert(KIL);
- if (cert) {
- log.debug("KeyDescriptor resolved into a certificate, comparing it...");
- if (cert->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
- log.warn("only the OpenSSL XSEC provider is supported");
+ XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ if (key) {
+ log.debug("KeyDescriptor resolved into a key, comparing it...");
+ if (key->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
+ log.error("only the OpenSSL XSEC provider is supported");
 continue;
 }
- else if (!X509_cmp(reinterpret_cast(certEE),static_cast(cert)->getOpenSSLX509())) {
- log.info("certificate match found in KeyDescriptor");
- return true;
+
+ switch (key->getKeyType()) {
+ case XSECCryptoKey::KEY_RSA_PUBLIC:
+ case XSECCryptoKey::KEY_RSA_PAIR:
+ {
+ RSA* rsa = static_cast(key)->getOpenSSLRSA();
+ EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(reinterpret_cast(certEE)));
+ if (rsa && evp && evp->type == EVP_PKEY_RSA &&
+ BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
+ if (evp)
+ EVP_PKEY_free(evp);
+ log.debug("matching key found in KeyDescriptor");
+ return true;
+ }
+ if (evp)
+ EVP_PKEY_free(evp);
+ break;
+ }
+
+ case XSECCryptoKey::KEY_DSA_PUBLIC:
+ case XSECCryptoKey::KEY_DSA_PAIR:
+ {
+ DSA* dsa = static_cast(key)->getOpenSSLDSA();
+ EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(reinterpret_cast(certEE)));
+ if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
+ if (evp)
+ EVP_PKEY_free(evp);
+ log.debug("matching key found in KeyDescriptor");
+ return true;
+ }
+ if (evp)
+ EVP_PKEY_free(evp);
+ break;
+ }
+
+ default:
+ log.warn("unknown key type in KeyDescriptor, skipping...");
 }
- else
- log.debug("certificate did not match");
 }
 }
 }
- log.debug("failed to find an exact match for certificate in KeyDescriptors");
+ log.debug("failed to find a matching key for certificate in KeyDescriptors");
 return false;
 }
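Review bot: The DSA branch compares only `pub_key`, so a certificate whose DSA key carries the same y value but different domain parameters would be reported as matching the trusted KeyDescriptor; a DSA public key is the tuple (p, q, g, y) and all four must agree, e.g. `if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->p,evp->pkey.dsa->p) == 0 && BN_cmp(dsa->q,evp->pkey.dsa->q) == 0 && BN_cmp(dsa->g,evp->pkey.dsa->g) == 0 && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {`. The RSA branch is complete as written, since n and e together are the whole public key. `key` returned by `resolveKey(KIL)` is never deleted on the continue, return or break paths; if the resolver hands ownership to the caller, as the XSEC key-info resolver interface appears to, one key object leaks per KeyDescriptor visited. The `if (evp)` guards inside the two matched branches are redundant because `evp` was already tested non-null in the enclosing condition. validate() begins before this hunk.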