X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2Fimpl%2FInlineKeyResolver.cpp;h=f3e654d0cbfe3ef2a22033b9898ccd7272c4f6c0;hb=a0d768778a8f5f539b909baf5b115e70ea765f0f;hp=a9771fb34b52623675e42b1e0eecc1a4f347c3c9;hpb=006818f66e357ec4c0c6e21d671b8624ad8136b1;p=shibboleth%2Fcpp-xmltooling.git diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp index a9771fb..f3e654d 100644 --- a/xmltooling/security/impl/InlineKeyResolver.cpp +++ b/xmltooling/security/impl/InlineKeyResolver.cpp @@ -1,5 +1,5 @@ /* - * Copyright 2001-2007 Internet2 + * Copyright 2001-2010 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,6 +25,7 @@ #include "security/BasicX509Credential.h" #include "security/KeyInfoCredentialContext.h" #include "security/KeyInfoResolver.h" +#include "security/XSECCryptoX509CRL.h" #include "signature/KeyInfo.h" #include "signature/Signature.h" #include "util/NDC.h" @@ -44,6 +45,7 @@ using namespace xmlsignature; using namespace xmltooling::logging; using namespace xmltooling; +using namespace xercesc; using namespace std; namespace xmltooling { @@ -51,24 +53,24 @@ namespace xmltooling { class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential { public: - InlineCredential(const KeyInfo* keyInfo=NULL) : BasicX509Credential(keyInfo!=NULL), m_credctx(new KeyInfoCredentialContext(keyInfo)) { + InlineCredential(const KeyInfo* keyInfo=nullptr) : BasicX509Credential(keyInfo!=nullptr), m_credctx(new KeyInfoCredentialContext(keyInfo)) { } InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) { } - InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=NULL), m_credctx(NULL) { + InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=nullptr), m_credctx(nullptr) { } virtual ~InlineCredential() { delete m_credctx; } XSECCryptoKey* getPrivateKey() const { - return NULL; + return nullptr; } KeyInfo* getKeyInfo(bool compact=false) const { - KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : NULL; + KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : nullptr; if (ret) { - ret->setId(NULL); + ret->setId(nullptr); ret->getRetrievalMethods().clear(); if (compact) { ret->getKeyValues().clear(); @@ -89,12 +91,12 @@ namespace xmltooling { } if (!ret->hasChildren()) { delete ret; - ret = NULL; + ret = nullptr; } return ret; } - const CredentialContext* getCredentialContext() const { + const CredentialContext* getCredentalContext() const { return m_credctx; } @@ -108,7 +110,7 @@ namespace xmltooling { private: bool resolveCerts(const KeyInfo* keyInfo); bool resolveKey(const KeyInfo* keyInfo); - bool resolveCRL(const KeyInfo* keyInfo); + bool resolveCRLs(const KeyInfo* keyInfo); KeyInfoCredentialContext* m_credctx; }; @@ -121,7 +123,7 @@ namespace xmltooling { Credential* resolve(const KeyInfo* keyInfo, int types=0) const { if (!keyInfo) - return NULL; + return nullptr; if (types == 0) types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS; auto_ptr credential(new InlineCredential(keyInfo)); @@ -130,7 +132,7 @@ namespace xmltooling { } Credential* resolve(DSIGKeyInfoList* keyInfo, int types=0) const { if (!keyInfo) - return NULL; + return nullptr; if (types == 0) types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS; auto_ptr credential(new InlineCredential(keyInfo)); @@ -139,7 +141,7 @@ namespace xmltooling { } Credential* resolve(KeyInfoCredentialContext* context, int types=0) const { if (!context) - return NULL; + return nullptr; if (types == 0) types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS; auto_ptr credential(new InlineCredential(context)); @@ -172,6 +174,8 @@ void InlineCredential::resolve(const KeyInfo* keyInfo, int types) // If we have a cert, just use it. if (!m_xseccerts.empty()) m_key = m_xseccerts.front()->clonePublicKey(); + else + resolveKey(keyInfo); } // Otherwise try directly for a key and then go for certs if none is found. else if (!resolveKey(keyInfo) && resolveCerts(keyInfo)) { @@ -180,7 +184,7 @@ void InlineCredential::resolve(const KeyInfo* keyInfo, int types) } if (types & X509Credential::RESOLVE_CRLS) - resolveCRL(keyInfo); + resolveCRLs(keyInfo); const XMLCh* n; char* kn; @@ -217,8 +221,10 @@ void InlineCredential::resolve(const KeyInfo* keyInfo, int types) } const X509SerialNumber* ser = inames.front()->getX509SerialNumber(); - if (ser) - m_serial = XMLString::parseInt(ser->getSerialNumber()); + if (ser) { + auto_ptr_char sn(ser->getSerialNumber()); + m_serial = sn.get(); + } } } } @@ -315,7 +321,7 @@ bool InlineCredential::resolveCerts(const KeyInfo* keyInfo) return !m_xseccerts.empty(); } -bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) +bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo) { Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER); @@ -333,8 +339,7 @@ bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) log.debug("resolving ds:X509CRL"); auto_ptr crl(XMLToolingConfig::getConfig().X509CRL()); crl->loadX509CRLBase64Bin(x.get(), strlen(x.get())); - m_crl = crl.release(); - return true; + m_crls.push_back(crl.release()); } } catch(XSECException& e) { @@ -347,7 +352,8 @@ bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) } } - return false; + log.debug("resolved %d CRL(s)", m_crls.size()); + return !m_crls.empty(); } void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) @@ -390,22 +396,52 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) if (types & X509Credential::RESOLVE_CRLS) { for (DSIGKeyInfoList::size_type i=0; iitem(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) { - auto_ptr_char buf(static_cast(keyInfo->item(i))->getX509CRL()); - if (buf.get()) { - try { - auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); - crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); - m_crl = crlobj.release(); - break; - } - catch(XSECException& e) { - auto_ptr_char temp(e.getMsg()); - Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get()); +#ifdef XMLTOOLING_XMLSEC_MULTIPLECRL + DSIGKeyInfoX509* x509 = static_cast(keyInfo->item(i)); + int count = x509->getX509CRLListSize(); + for (int j=0; jgetX509CRLItem(j)); + if (buf.get()) { + try { + auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); + crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); + m_crls.push_back(crlobj.release()); + } + catch(XSECException& e) { + auto_ptr_char temp(e.getMsg()); + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get()); + } + catch(XSECCryptoException& e) { + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg()); + } } - catch(XSECCryptoException& e) { - Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg()); + } +#else + // The current xmlsec API is limited to one CRL per KeyInfo. + // For now, I'm going to process the DOM directly. + DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode(); + DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : nullptr; + while (crlElement) { + if (crlElement->hasChildNodes()) { + auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue()); + if (buf.get()) { + try { + auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); + crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); + m_crls.push_back(crlobj.release()); + } + catch(XSECException& e) { + auto_ptr_char temp(e.getMsg()); + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get()); + } + catch(XSECCryptoException& e) { + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg()); + } + } } + crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME); } +#endif } } } @@ -433,8 +469,10 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) delete[] kn; } n = kix->getX509IssuerSerialNumber(); - if (n && *n) - m_serial = XMLString::parseInt(n); + if (n && *n) { + auto_ptr_char sn(n); + m_serial = sn.get(); + } } } }