X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fencryption%2FEncrypter.h;h=1996b4836efbcd0667685c67b7b42b449b092aed;hb=81b488b2790e7bdeb2f43560b1d4a7d22c3dfdf5;hp=bb00268be7cac2bd9248c36f6c289e5cde462624;hpb=e39828c168f8f0135373daf46989d6b28257b39f;p=shibboleth%2Fcpp-xmltooling.git diff --git a/xmltooling/encryption/Encrypter.h b/xmltooling/encryption/Encrypter.h index bb00268..1996b48 100644 --- a/xmltooling/encryption/Encrypter.h +++ b/xmltooling/encryption/Encrypter.h @@ -1,21 +1,25 @@ -/* - * Copyright 2001-2006 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. * - * http://www.apache.org/licenses/LICENSE-2.0 + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** - * @file Encrypter.h + * @file xmltooling/encryption/Encrypter.h * * Methods for encrypting XMLObjects and other data. */ @@ -23,13 +27,21 @@ #if !defined(__xmltooling_encrypter_h__) && !defined(XMLTOOLING_NO_XMLSEC) #define __xmltooling_encrypter_h__ -#include +#include + +#include -#include -#include +class XENCCipher; + +namespace xmltooling { + class XMLTOOL_API Credential; +}; namespace xmlencryption { + class XMLTOOL_API EncryptedData; + class XMLTOOL_API EncryptedKey; + /** * Wrapper API for XML Encryption functionality. * Designed to allow both external and internal key generation as follows: @@ -47,7 +59,10 @@ namespace xmlencryption { * Summing up, if KeyEncryptionParams are used, a raw key must be available or the * key can be generated when the encryption algorithm itself is a standard one. If * no KeyEncryptionParams are supplied, then the key must be supplied either in raw - * or object form. + * or object form. + * + * Finally, when encrypting data, the key transport algorithm can be left blank to + * derive it from the data encryption algorithm. */ class XMLTOOL_API Encrypter { @@ -57,126 +72,155 @@ namespace xmlencryption { * Structure to collect encryption requirements. */ struct XMLTOOL_API EncryptionParams { - /** * Constructor. + * * The algorithm constant and key buffer MUST be accessible for the life of - * the structure. The other objects will be destroyed if need be when the structure is destroyed. + * the structure. * - * @param algorithm the XML Encryption key wrapping or transport algorithm constant + * @param algorithm the XML Encryption algorithm constant * @param keyBuffer buffer containing the raw key information * @param keyBufferSize the size of the raw key buffer in bytes - * @param key the key encryption key to use, or NULL - * @param keyInfo a KeyInfo object to place within the EncryptedData structure + * @param credential optional Credential supplying the encryption key + * @param compact true iff the encrypted representation should be made as small as possible */ EncryptionParams( - const XMLCh* algorithm=DSIGConstants::s_unicodeStrURIAES256_CBC, - const unsigned char* keyBuffer=NULL, +#ifdef XSEC_OPENSSL_HAVE_AES + const XMLCh* algorithm=DSIGConstants::s_unicodeStrURIAES128_CBC, +#else + const XMLCh* algorithm=DSIGConstants::s_unicodeStrURI3DES_CBC, +#endif + const unsigned char* keyBuffer=nullptr, unsigned int keyBufferSize=0, - XSECCryptoKey* key=NULL, - xmlsignature::KeyInfo* keyInfo=NULL - ) : m_keyBuffer(keyBuffer), m_keyBufferSize(keyBufferSize), m_key(key), m_keyInfo(keyInfo), m_algorithm(algorithm) { - } - - ~EncryptionParams() { - delete m_key; - delete m_keyInfo; - } - private: - const unsigned char* m_keyBuffer; - unsigned int m_keyBufferSize; - XSECCryptoKey* m_key; - xmlsignature::KeyInfo* m_keyInfo; + const xmltooling::Credential* credential=nullptr, + bool compact=false + ); + + ~EncryptionParams(); + + /** Data encryption algorithm. */ const XMLCh* m_algorithm; - friend class Encrypter; + /** Buffer containing encryption key. */ + const unsigned char* m_keyBuffer; + + /** Size of buffer. */ + unsigned int m_keyBufferSize; + + /** Credential containing the encryption key. */ + const xmltooling::Credential* m_credential; + + /** Flag limiting the size of the encrypted XML representation. */ + bool m_compact; }; /** * Structure to collect key wrapping/transport requirements. */ struct XMLTOOL_API KeyEncryptionParams { - /** * Constructor. - * The algorithm constant MUST be accessible for the life of the structure. - * Using a static constant suffices for this. The other objects will be destroyed if need be - * when the structure is destroyed. * - * @param algorithm the XML Encryption key wrapping or transport algorithm constant - * @param key the key encryption key to use - * @param keyInfo a KeyInfo object to place within the EncryptedKey structure that describes the KEK + * @param credential a Credential supplying the key encryption key + * @param algorithm XML Encryption key wrapping or transport algorithm constant + * @param recipient optional name of recipient of encrypted key */ - KeyEncryptionParams(const XMLCh* algorithm, XSECCryptoKey* key, xmlsignature::KeyInfo* keyInfo=NULL) - : m_key(key), m_keyInfo(keyInfo), m_algorithm(algorithm) { - } + KeyEncryptionParams( + const xmltooling::Credential& credential, const XMLCh* algorithm=nullptr, const XMLCh* recipient=nullptr + ); - ~KeyEncryptionParams() { - delete m_key; - delete m_keyInfo; - } - private: - XSECCryptoKey* m_key; - xmlsignature::KeyInfo* m_keyInfo; + ~KeyEncryptionParams(); + + /** Credential containing key encryption key. */ + const xmltooling::Credential& m_credential; + + /** Key transport or wrapping algorithm. */ const XMLCh* m_algorithm; - - friend class Encrypter; + + /** Name of recipient that owns the key encryption key. */ + const XMLCh* m_recipient; }; - Encrypter() : m_cipher(NULL) {} + Encrypter(); - ~Encrypter(); + virtual ~Encrypter(); /** * Encrypts the supplied element and returns the resulting object. - * The returned object will be unmarshalled around a DOM tree created - * using the encrypted element's owning document. * * If an encryption algorithm is set, but no key, a random key will be - * generated iff keParams is non-NULL and the algorithm is known. + * generated iff kencParams is non-NULL and the algorithm is known. * * If key encryption parameters are supplied, then the encryption key * is wrapped and the result placed into an EncryptedKey object in the * KeyInfo of the returned EncryptedData. * - * @param element the DOM element to encrypt - * @param keParams key encryption settings, or NULL + * @param element the DOM element to encrypt + * @param encParams primary encryption settings + * @param kencParams key encryption settings, or nullptr + * @return a stand-alone EncryptedData object, unconnected to the source DOM */ - EncryptedData* encryptElement(DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL); + EncryptedData* encryptElement( + xercesc::DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=nullptr + ); /** * Encrypts the supplied element's children and returns the resulting object. - * The returned object will be unmarshalled around a DOM tree created - * using the encrypted content's owning document. * * If an encryption algorithm is set, but no key, a random key will be - * generated iff keParams is non-NULL and the algorithm is known. + * generated iff kencParams is non-NULL and the algorithm is known. * If key encryption parameters are supplied, then the encryption key * is wrapped and the result placed into an EncryptedKey object in the * KeyInfo of the returned EncryptedData. * - * @param element parent element of children to encrypt - * @param keParams key encryption settings, or NULL + * @param element parent element of children to encrypt + * @param encParams primary encryption settings + * @param kencParams key encryption settings, or nullptr + * @return a stand-alone EncryptedData object, unconnected to the source DOM */ - EncryptedData* encryptElementContent(DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL); + EncryptedData* encryptElementContent( + xercesc::DOMElement* element, EncryptionParams& encParams, KeyEncryptionParams* kencParams=nullptr + ); /** * Encrypts the supplied input stream and returns the resulting object. - * The returned object will be unmarshalled around a DOM tree created - * using the encrypted element's owning document. * * If an encryption algorithm is set, but no key, a random key will be - * generated iff keParams is non-NULL and the algorithm is known. + * generated iff kencParams is non-NULL and the algorithm is known. * If key encryption parameters are supplied, then the encryption key * is wrapped and the result placed into an EncryptedKey object in the * KeyInfo of the returned EncryptedData. * - * @param input the stream to encrypt - * @param keParams key encryption settings, or NULL + * @param input the stream to encrypt + * @param encParams primary encryption settings + * @param kencParams key encryption settings, or nullptr + * @return a stand-alone EncryptedData object, unconnected to any DOM + */ + EncryptedData* encryptStream(std::istream& input, EncryptionParams& encParams, KeyEncryptionParams* kencParams=nullptr); + + /** + * Encrypts the supplied key and returns the resulting object. + * + * @param keyBuffer raw key material to encrypt + * @param keyBufferSize size in bytes of raw key material + * @param kencParams key encryption settings + * @param compact true iff the encrypted representation should be made as small as possible + * @return a stand-alone EncryptedKey object, unconnected to any DOM + */ + EncryptedKey* encryptKey( + const unsigned char* keyBuffer, unsigned int keyBufferSize, KeyEncryptionParams& kencParams, bool compact=false + ); + + /** + * Maps a data encryption algorithm to an appropriate key transport algorithm to use. + * + * @param credential the key encryption key + * @param encryptionAlg data encryption algorithm + * @return a key transport algorithm */ - EncryptedData* encryptStream(std::istream& input, EncryptionParams& encParams, KeyEncryptionParams* kencParams=NULL); + static const XMLCh* getKeyTransportAlgorithm(const xmltooling::Credential& credential, const XMLCh* encryptionAlg); private: void checkParams(EncryptionParams& encParams, KeyEncryptionParams* kencParams); @@ -186,7 +230,7 @@ namespace xmlencryption { unsigned char m_keyBuffer[32]; }; - DECL_XMLTOOLING_EXCEPTION(EncryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLToolingException,Exceptions in encryption processing); + DECL_XMLTOOLING_EXCEPTION(EncryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLSecurityException,Exceptions in encryption processing); };