X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2Fimpl%2FCredentialCriteria.cpp;h=8003bc5cc737945240d5ddc5e83083c80bb3a3a7;hb=a0d768778a8f5f539b909baf5b115e70ea765f0f;hp=61877711a998aad71ad45d94485b12f2a84800b1;hpb=a6ec5ba5d5a9ce4f3e127fdc455eea31051390c2;p=shibboleth%2Fcpp-xmltooling.git diff --git a/xmltooling/security/impl/CredentialCriteria.cpp b/xmltooling/security/impl/CredentialCriteria.cpp index 6187771..8003bc5 100644 --- a/xmltooling/security/impl/CredentialCriteria.cpp +++ b/xmltooling/security/impl/CredentialCriteria.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2001-2008 Internet2 + * Copyright 2001-2010 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,43 +22,212 @@ #include "internal.h" #include "logging.h" -#include "security/Credential.h" +#include "XMLToolingConfig.h" +#include "security/X509Credential.h" #include "security/CredentialCriteria.h" #include "security/KeyInfoResolver.h" #include "security/SecurityHelper.h" +#include "signature/Signature.h" #include #include +#include #include #include +using xmlsignature::KeyInfo; +using xmlsignature::Signature; +using namespace xmltooling::logging; using namespace xmltooling; using namespace std; +CredentialCriteria::CredentialCriteria() + : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(nullptr), + m_keyInfo(nullptr), m_nativeKeyInfo(nullptr), m_credential(nullptr) +{ +} + +CredentialCriteria::~CredentialCriteria() +{ + delete m_credential; +} + +unsigned int CredentialCriteria::getUsage() const +{ + return m_keyUsage; +} + +void CredentialCriteria::setUsage(unsigned int usage) +{ + m_keyUsage = usage; +} + +const char* CredentialCriteria::getPeerName() const +{ + return m_peerName.c_str(); +} + +void CredentialCriteria::setPeerName(const char* peerName) +{ + m_peerName.erase(); + if (peerName) + m_peerName = peerName; +} + +const char* CredentialCriteria::getKeyAlgorithm() const +{ + return m_keyAlgorithm.c_str(); +} + +void CredentialCriteria::setKeyAlgorithm(const char* keyAlgorithm) +{ + m_keyAlgorithm.erase(); + if (keyAlgorithm) + m_keyAlgorithm = keyAlgorithm; +} + +unsigned int CredentialCriteria::getKeySize() const +{ + return m_keySize; +} + +void CredentialCriteria::setKeySize(unsigned int keySize) +{ + m_keySize = keySize; +} + +void CredentialCriteria::setXMLAlgorithm(const XMLCh* algorithm) +{ + if (algorithm) { + pair mapped = XMLToolingConfig::getConfig().mapXMLAlgorithmToKeyAlgorithm(algorithm); + setKeyAlgorithm(mapped.first); + setKeySize(mapped.second); + } + else { + setKeyAlgorithm(nullptr); + setKeySize(0); + } +} + +const set& CredentialCriteria::getKeyNames() const +{ + return m_keyNames; +} + +set& CredentialCriteria::getKeyNames() +{ + return m_keyNames; +} + +XSECCryptoKey* CredentialCriteria::getPublicKey() const +{ + return m_key; +} + +void CredentialCriteria::setPublicKey(XSECCryptoKey* key) +{ + m_key = key; +} + +const KeyInfo* CredentialCriteria::getKeyInfo() const +{ + return m_keyInfo; +} + +void CredentialCriteria::setKeyInfo(const KeyInfo* keyInfo, int extraction) +{ + delete m_credential; + m_credential = nullptr; + m_keyInfo = keyInfo; + if (!keyInfo || !extraction) + return; + + int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0; + types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0; + m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types); + + // Ensure any key names have been sucked out for later if desired. + if (extraction & KEYINFO_EXTRACTION_KEYNAMES) { + X509Credential* xcred = dynamic_cast(m_credential); + if (xcred) + xcred->extract(); + } +} + +DSIGKeyInfoList* CredentialCriteria::getNativeKeyInfo() const +{ + return m_nativeKeyInfo; +} + +void CredentialCriteria::setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction) +{ + delete m_credential; + m_credential = nullptr; + m_nativeKeyInfo = keyInfo; + if (!keyInfo || !extraction) + return; + + int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0; + types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0; + m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types); + + // Ensure any key names have been sucked out for later if desired. + if (extraction & KEYINFO_EXTRACTION_KEYNAMES) { + X509Credential* xcred = dynamic_cast(m_credential); + if (xcred) + xcred->extract(); + } +} + +void CredentialCriteria::setSignature(const Signature& sig, int extraction) +{ + setXMLAlgorithm(sig.getSignatureAlgorithm()); + KeyInfo* k = sig.getKeyInfo(); + if (k) + return setKeyInfo(k, extraction); + DSIGSignature* dsig = sig.getXMLSignature(); + if (dsig) + setNativeKeyInfo(dsig->getKeyInfoList(), extraction); +} + bool CredentialCriteria::matches(const Credential& credential) const { + Category& log = Category::getInstance(XMLTOOLING_LOGCAT".CredentialCriteria"); + // Usage check, if specified and we have one, compare masks. if (getUsage() != Credential::UNSPECIFIED_CREDENTIAL) { if (credential.getUsage() != Credential::UNSPECIFIED_CREDENTIAL) - if ((getUsage() & credential.getUsage()) == 0) + if ((getUsage() & credential.getUsage()) == 0) { + if (log.isDebugEnabled()) + log.debug("usage didn't match (%u != %u)", getUsage(), credential.getUsage()); return false; + } } // Algorithm check, if specified and we have one. const char* alg = getKeyAlgorithm(); if (alg && *alg) { const char* alg2 = credential.getAlgorithm(); - if (alg2 && *alg2) - if (strcmp(alg,alg2)) + if (alg2 && *alg2) { + if (strcmp(alg,alg2)) { + if (log.isDebugEnabled()) + log.debug("key algorithm didn't match ('%s' != '%s')", getKeyAlgorithm(), credential.getAlgorithm()); return false; + } + } } // KeySize check, if specified and we have one. - if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize()) + if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize()) { + if (log.isDebugEnabled()) + log.debug("key size didn't match (%u != %u)", getKeySize(), credential.getKeySize()); return false; + } // See if we can test key names. - const set& critnames = getKeyNames(); + set critnames = getKeyNames(); + if (m_credential) + critnames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end()); const set& crednames = credential.getKeyNames(); if (!critnames.empty() && !crednames.empty()) { bool found = false; @@ -68,12 +237,16 @@ bool CredentialCriteria::matches(const Credential& credential) const break; } } - if (!found) + if (!found) { + log.debug("credential name(s) didn't overlap"); return false; + } } // See if we have to match a specific key. const XSECCryptoKey* key1 = getPublicKey(); + if (!key1 && m_credential) + key1 = m_credential->getPublicKey(); if (!key1) return true; // no key to compare against, so we're done @@ -81,5 +254,9 @@ bool CredentialCriteria::matches(const Credential& credential) const if (!key2) return true; // no key here, so we can't test it - return SecurityHelper::matches(*key1, *key2); + if (SecurityHelper::matches(*key1, *key2)) + return true; + + log.debug("keys didn't match"); + return false; }