X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2Fimpl%2FInlineKeyResolver.cpp;h=589245b219fb2524d5443bbf500090f738a7675b;hb=83de10b45721b7882182aaa8a6df0c729db8fc01;hp=2c2e87d7a1f1d9efbfbd56e1b3b4cf057f398056;hpb=851b777a3cbe82a6c300afab781db3549e44a279;p=shibboleth%2Fcpp-xmltooling.git diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp index 2c2e87d..589245b 100644 --- a/xmltooling/security/impl/InlineKeyResolver.cpp +++ b/xmltooling/security/impl/InlineKeyResolver.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2001-2007 Internet2 + * Copyright 2001-2010 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,9 +21,11 @@ */ #include "internal.h" +#include "logging.h" #include "security/BasicX509Credential.h" #include "security/KeyInfoCredentialContext.h" #include "security/KeyInfoResolver.h" +#include "security/XSECCryptoX509CRL.h" #include "signature/KeyInfo.h" #include "signature/Signature.h" #include "util/NDC.h" @@ -31,7 +33,6 @@ #include "util/XMLConstants.h" #include "validation/ValidatorSuite.h" -#include #include #include #include @@ -42,8 +43,9 @@ #include using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; -using namespace log4cpp; +using namespace xercesc; using namespace std; namespace xmltooling { @@ -94,7 +96,7 @@ namespace xmltooling { return ret; } - const CredentialContext* getCredentialContext() const { + const CredentialContext* getCredentalContext() const { return m_credctx; } @@ -108,7 +110,7 @@ namespace xmltooling { private: bool resolveCerts(const KeyInfo* keyInfo); bool resolveKey(const KeyInfo* keyInfo); - bool resolveCRL(const KeyInfo* keyInfo); + bool resolveCRLs(const KeyInfo* keyInfo); KeyInfoCredentialContext* m_credctx; }; @@ -172,6 +174,8 @@ void InlineCredential::resolve(const KeyInfo* keyInfo, int types) // If we have a cert, just use it. if (!m_xseccerts.empty()) m_key = m_xseccerts.front()->clonePublicKey(); + else + resolveKey(keyInfo); } // Otherwise try directly for a key and then go for certs if none is found. else if (!resolveKey(keyInfo) && resolveCerts(keyInfo)) { @@ -180,9 +184,49 @@ void InlineCredential::resolve(const KeyInfo* keyInfo, int types) } if (types & X509Credential::RESOLVE_CRLS) - resolveCRL(keyInfo); + resolveCRLs(keyInfo); + + const XMLCh* n; + char* kn; + const vector& knames=keyInfo->getKeyNames(); + for (vector::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) { + n=(*kn_i)->getName(); + if (n && *n) { + kn=toUTF8(n); + m_keyNames.insert(kn); + delete[] kn; + } + } + const vector datas=keyInfo->getX509Datas(); + for (vector::const_iterator x_i=datas.begin(); x_i!=datas.end(); ++x_i) { + const vector snames = const_cast(*x_i)->getX509SubjectNames(); + for (vector::const_iterator sn_i = snames.begin(); sn_i!=snames.end(); ++sn_i) { + n = (*sn_i)->getName(); + if (n && *n) { + kn=toUTF8(n); + m_keyNames.insert(kn); + m_subjectName = kn; + delete[] kn; + } + } + + const vector inames = const_cast(*x_i)->getX509IssuerSerials(); + if (!inames.empty()) { + const X509IssuerName* iname = inames.front()->getX509IssuerName(); + if (iname) { + kn = toUTF8(iname->getName()); + if (kn) + m_issuerName = kn; + delete[] kn; + } - keyInfo->extractNames(m_keyNames); + const X509SerialNumber* ser = inames.front()->getX509SerialNumber(); + if (ser) { + auto_ptr_char sn(ser->getSerialNumber()); + m_serial = sn.get(); + } + } + } } bool InlineCredential::resolveKey(const KeyInfo* keyInfo) @@ -239,32 +283,6 @@ bool InlineCredential::resolveKey(const KeyInfo* keyInfo) } } - // Check for RetrievalMethod. - const XMLCh* fragID=NULL; - const XMLObject* treeRoot=NULL; - const vector& methods=keyInfo->getRetrievalMethods(); - for (vector::const_iterator m=methods.begin(); m!=methods.end(); ++m) { - if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_RSAKEYVALUE) && - !XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_DSAKEYVALUE)) - continue; - fragID = (*m)->getURI(); - if (!fragID || *fragID != chPound || !*(fragID+1)) { - log.warn("skipping ds:RetrievalMethod with an empty or non-local reference"); - continue; - } - if (!treeRoot) { - treeRoot = keyInfo; - while (treeRoot->getParent()) - treeRoot = treeRoot->getParent(); - } - keyInfo = dynamic_cast(XMLHelper::getXMLObjectById(*treeRoot, fragID+1)); - if (!keyInfo) { - log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo"); - continue; - } - if (resolveKey(keyInfo)) - return true; - } return false; } @@ -298,41 +316,12 @@ bool InlineCredential::resolveCerts(const KeyInfo* keyInfo) } } } - - if (m_xseccerts.empty()) { - // Check for RetrievalMethod. - const XMLCh* fragID=NULL; - const XMLObject* treeRoot=NULL; - const vector methods=keyInfo->getRetrievalMethods(); - for (vector::const_iterator m=methods.begin(); m!=methods.end(); ++m) { - if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_X509DATA)) - continue; - fragID = (*m)->getURI(); - if (!fragID || *fragID != chPound || !*(fragID+1)) { - log.warn("skipping ds:RetrievalMethod with an empty or non-local reference"); - continue; - } - if (!treeRoot) { - treeRoot = keyInfo; - while (treeRoot->getParent()) - treeRoot = treeRoot->getParent(); - } - keyInfo = dynamic_cast(XMLHelper::getXMLObjectById(*treeRoot, fragID+1)); - if (!keyInfo) { - log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo"); - continue; - } - if (resolveCerts(keyInfo)) - return true; - } - return false; - } log.debug("resolved %d certificate(s)", m_xseccerts.size()); return !m_xseccerts.empty(); } -bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) +bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo) { Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER); @@ -350,47 +339,21 @@ bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) log.debug("resolving ds:X509CRL"); auto_ptr crl(XMLToolingConfig::getConfig().X509CRL()); crl->loadX509CRLBase64Bin(x.get(), strlen(x.get())); - m_crl = crl.release(); - return true; + m_crls.push_back(crl.release()); } } catch(XSECException& e) { auto_ptr_char temp(e.getMsg()); - log.error("caught XML-Security exception loading certificate: %s", temp.get()); + log.error("caught XML-Security exception loading CRL: %s", temp.get()); } catch(XSECCryptoException& e) { - log.error("caught XML-Security exception loading certificate: %s", e.getMsg()); + log.error("caught XML-Security exception loading CRL: %s", e.getMsg()); } } } - // Check for RetrievalMethod. - const XMLCh* fragID=NULL; - const XMLObject* treeRoot=NULL; - const vector methods=keyInfo->getRetrievalMethods(); - for (vector::const_iterator m=methods.begin(); m!=methods.end(); ++m) { - if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_X509DATA)) - continue; - fragID = (*m)->getURI(); - if (!fragID || *fragID != chPound || !*(fragID+1)) { - log.warn("skipping ds:RetrievalMethod with an empty or non-local reference"); - continue; - } - if (!treeRoot) { - treeRoot = keyInfo; - while (treeRoot->getParent()) - treeRoot = treeRoot->getParent(); - } - keyInfo = dynamic_cast(XMLHelper::getXMLObjectById(*treeRoot, fragID+1)); - if (!keyInfo) { - log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo"); - continue; - } - if (resolveCRL(keyInfo)) - return true; - } - - return false; + log.debug("resolved %d CRL(s)", m_crls.size()); + return !m_crls.empty(); } void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) @@ -433,25 +396,83 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) if (types & X509Credential::RESOLVE_CRLS) { for (DSIGKeyInfoList::size_type i=0; iitem(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) { - auto_ptr_char buf(static_cast(keyInfo->item(i))->getX509CRL()); - if (buf.get()) { - try { - auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); - crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); - m_crl = crlobj.release(); - break; - } - catch(XSECException& e) { - auto_ptr_char temp(e.getMsg()); - Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get()); +#ifdef XMLTOOLING_XMLSEC_MULTIPLECRL + DSIGKeyInfoX509* x509 = static_cast(keyInfo->item(i)); + int count = x509->getX509CRLListSize(); + for (int j=0; jgetX509CRLItem(j)); + if (buf.get()) { + try { + auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); + crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); + m_crls.push_back(crlobj.release()); + } + catch(XSECException& e) { + auto_ptr_char temp(e.getMsg()); + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get()); + } + catch(XSECCryptoException& e) { + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg()); + } } - catch(XSECCryptoException& e) { - Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg()); + } +#else + // The current xmlsec API is limited to one CRL per KeyInfo. + // For now, I'm going to process the DOM directly. + DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode(); + DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : NULL; + while (crlElement) { + if (crlElement->hasChildNodes()) { + auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue()); + if (buf.get()) { + try { + auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); + crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); + m_crls.push_back(crlobj.release()); + } + catch(XSECException& e) { + auto_ptr_char temp(e.getMsg()); + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get()); + } + catch(XSECCryptoException& e) { + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg()); + } + } } + crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME); } +#endif } } } - Signature::extractNames(keyInfo, m_keyNames); + char* kn; + const XMLCh* n; + + for (size_t s=0; sgetSize(); s++) { + DSIGKeyInfo* dki = keyInfo->item(s); + n=dki->getKeyName(); + if (n && *n) { + kn=toUTF8(n); + m_keyNames.insert(kn); + if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) + m_subjectName = kn; + delete[] kn; + } + + if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) { + DSIGKeyInfoX509* kix = static_cast(dki); + n = kix->getX509IssuerName(); + if (n && *n) { + kn=toUTF8(n); + m_issuerName = kn; + delete[] kn; + } + n = kix->getX509IssuerSerialNumber(); + if (n && *n) { + auto_ptr_char sn(n); + m_serial = sn.get(); + } + } + } }