From 0e22cb3b302196547e3ed0e45870567c9681a82f Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Mon, 15 May 2006 02:24:54 +0000
Subject: [PATCH] Integrated credential resolver API with signing context.
---
 saml/signature/SigningContext.cpp | 4 +-
 saml/signature/SigningContext.h | 72 +++++++++------------------
 saml/signature/VerifyingContext.h | 10 +++-
 samltest/signature/SAML1AssertionTest.h | 26 +++++++-----
 4 files changed, 45 insertions(+), 67 deletions(-)
diff --git a/saml/signature/SigningContext.cpp b/saml/signature/SigningContext.cpp
index 445147e..e77052b 100644
--- a/saml/signature/SigningContext.cpp
+++ b/saml/signature/SigningContext.cpp
@@ -40,7 +40,7 @@ public:
 }
 };
-void SigningContext::createSignature(DSIGSignature* sig) const
+bool SigningContext::createSignature(DSIGSignature* sig)
 {
 DSIGReference* ref=NULL;
 XMLCh* buf=new XMLCh[XMLString::stringLen(m_id) + 2];
@@ -58,4 +58,6 @@ void SigningContext::createSignature(DSIGSignature* sig) const
 ref->appendEnvelopedSignatureTransform();
 DSIGTransformC14n* c14n=ref->appendCanonicalizationTransform(CANON_C14NE_NOC);
 for_each(m_prefixes.begin(), m_prefixes.end(), bind1st(_addprefix(),c14n));
+
+ return false;
 }
diff --git a/saml/signature/SigningContext.h b/saml/signature/SigningContext.h
index bdd1cbe..f737bbc 100644
--- a/saml/signature/SigningContext.h
+++ b/saml/signature/SigningContext.h
@@ -29,7 +29,8 @@ namespace opensaml {
 /**
- * Singleton object that manages library startup/shutdown.configuration.
+ * SAML-specific signature profile context.
+ * This is not a synchronized implementation.
 */
 class SAML_API SigningContext : public virtual xmlsignature::SigningContext
 {
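Review bot: The new `return false;` at the end of createSignature is unexplained, while the header in this same commit documents the return value as "indicator whether ds:KeyInfo was created by context", so a reader of the .cpp has to cross-reference another file to learn that the base profile never produces KeyInfo. A one-line comment on the return would settle it: `return false;   // base profile only adds the reference and transforms; it never builds ds:KeyInfo (see getKeyInfo())`. If subclasses are expected to return true after attaching KeyInfo themselves, that expectation belongs here too, since this is the only implementation visible from the .cpp. The body of createSignature between the two hunks is outside this patch.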
@@ -37,53 +38,36 @@ namespace opensaml {
 /**
 * Constructor.
 *
- * @param id identifier of object being signed
- * @param key signing key to use, will be freed by context
- * @param certs a certificate chain to embed, or NULL
+ * @param id identifier of object being signed
+ * @param credentials resolver to signing key/certs to use
+ * @param keyInfo a complete KeyInfo object to attach, will be freed by context
 */
- SigningContext(const XMLCh* id, XSECCryptoKey* key, const std::vector* certs=NULL)
- : m_id(id), m_key(key), m_certs(certs), m_keyInfo(NULL) {
- }
-
- /**
- * Constructor.
- *
- * @param id identifier of object being signed
- * @param key signing key to use, will be freed by context
- * @param keyInfo a complete KeyInfo object to attach, will be freed by context
- */
- SigningContext(const XMLCh* id, XSECCryptoKey* key, xmlsignature::KeyInfo* keyInfo)
- : m_id(id), m_key(key), m_certs(NULL), m_keyInfo(keyInfo) {
+ SigningContext(const XMLCh* id, xmltooling::CredentialResolver& creds, xmlsignature::KeyInfo* keyInfo=NULL)
+ : m_id(id), m_creds(creds), m_keyInfo(keyInfo) {
 }
 virtual ~SigningContext() {
- delete m_key;
 delete m_keyInfo;
 }
 /**
- * Given a "blank" native signature, asks the context to define the
- * appropriate signature transforms, references, etc.
- * This method MAY attach ds:KeyInfo information, or a set of X.509
- * certificates can be returned from the SigningContext::getX509Certificates()
- * method instead.
+ * Given a "blank" native signature, creates signature content
+ * appropriate for the SAML assertion or message being signed.
 *
 * @param sig native signature interface
+ * @return indicator whether ds:KeyInfo was created by context
 */
- virtual void createSignature(DSIGSignature* sig) const;
-
+ virtual bool createSignature(DSIGSignature* sig);
+
 /**
- * Gets a reference to a collection of certificates to append to
- * the ds:KeyInfo element in a ds:X509Data chain.
- * The certificate corresponding to the signing key SHOULD be
- * first, followed by any additional intermediates to append.
+ * Gets a reference to the credential resolver supplied during construction.
 *
- * @return an immutable collection of certificates to embed
+ * @return the resolver
 */
- virtual const std::vector* getX509Certificates() const {
- return m_certs;
+ virtual xmltooling::CredentialResolver& getCredentialResolver() {
+ return m_creds;
 }
-
+
 /**
 * Gets a KeyInfo structure to embed.
 * Ownership of the object MUST be transferred to the caller.
@@ -92,25 +76,12 @@ namespace opensaml {
 *
 * @return pointer to a KeyInfo structure, will be freed by caller
 */
- virtual xmlsignature::KeyInfo* getKeyInfo() const {
+ virtual xmlsignature::KeyInfo* getKeyInfo() {
 xmlsignature::KeyInfo* ret=m_keyInfo;
 m_keyInfo=NULL;
 return ret;
 }
- /**
- * Gets the signing key to use.
- * Must be compatible with the intended signature algorithm. Ownership of the key
- * MUST be transferred to the caller.
- *
- * @return pointer to a signing key, will be freed by caller
- */
- virtual XSECCryptoKey* getSigningKey() const {
- XSECCryptoKey* ret=m_key;
- m_key=NULL;
- return ret;
- }
-
 void addInclusivePrefix(const char* prefix) {
 m_prefixes.push_back(prefix);
 }
@@ -119,11 +90,8 @@ namespace opensaml {
 /** Identifier of object to sign. */
 const XMLCh* m_id;
- /** Signing key. */
- mutable XSECCryptoKey* m_key;
-
- /** Optional pointer to certificate chain to embed. */
- const std::vector* m_certs;
+ /** Reference to credentials to sign with. */
+ xmltooling::CredentialResolver& m_creds;
 /** Optional pointer to KeyInfo to embed. */
 mutable xmlsignature::KeyInfo* m_keyInfo;
diff --git a/saml/signature/VerifyingContext.h b/saml/signature/VerifyingContext.h
index 77d730d..261cfdf 100644
--- a/saml/signature/VerifyingContext.h
+++ b/saml/signature/VerifyingContext.h
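Review bot: The new constructor stores `creds` as the reference member `m_creds`, but nothing in its doc says the resolver must outlive the context; the two constructors it replaces took ownership of the key and freed it in the destructor, so callers porting to this API may assume the same here. The `@param` tag also names the parameter `credentials` while the signature calls it `creds`, which Doxygen will flag. I would rewrite the tag as ` * @param creds resolver supplying the signing key/certs; held by reference, not owned, and must outlive this context`. The `@return` on createSignature should also state whether the base implementation ever returns true; from the .cpp hunk in this patch it appears to always return false. This hunk begins on the previous line, and the getKeyInfo() doc comment it ends in continues past it.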
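Review bot: `getKeyInfo()` is a one-shot accessor — it nulls `m_keyInfo` before returning, so a second call yields NULL — but the comment above it only says ownership is transferred, and since the method's signature is being changed here anyway the contract should be completed: add ` * Subsequent calls return NULL; the pointer is handed out exactly once.` to that comment. Dropping `const` is consistent with the mutation the body performs, so no objection there; the only other cost of the removal is that getSigningKey()'s "must be compatible with the intended signature algorithm" caveat now has no home, and the resolver-facing doc should probably inherit it.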
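Review bot: `mutable` on `m_keyInfo` (the last context line of the member hunk) is now vestigial: the only code that writes it, getKeyInfo(), loses its `const` in this same commit, so `xmlsignature::KeyInfo* m_keyInfo;` is sufficient and no longer suggests that const methods may still mutate it. The new `m_creds` is a reference to a caller-owned object, which also makes this class's implicit copy assignment ill-formed; its declaration comment should carry the lifetime rule, e.g. `/** Reference to credentials to sign with (not owned; the resolver must outlive this context). */`.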
@@ -29,7 +29,7 @@ namespace opensaml {
 /**
- * Singleton object that manages library startup/shutdown.configuration.
+ * SAML-specific signature profile verification.
 */
 class SAML_API VerifyingContext : public virtual xmlsignature::VerifyingContext
 {
@@ -44,8 +44,12 @@ namespace opensaml {
 virtual ~VerifyingContext() {}
 /**
- * Given a native signature, asks the context to verify the signature
- * in accordance with the relying party's requirements.
+ * Given a native signature, verifies that the signature content
+ * is appropriate for the SAML assertion/message being verified.
+ * Does NOT perform actual cryptographic evaluation
+ * of the signature in the absence of policy. Subclasses should
+ * override this method with their policies, call the base class
+ * and then evaluate further.
 *
 * @param sig native signature object
 *
diff --git a/samltest/signature/SAML1AssertionTest.h b/samltest/signature/SAML1AssertionTest.h
index 910d20a..cb07142 100644
--- a/samltest/signature/SAML1AssertionTest.h
+++ b/samltest/signature/SAML1AssertionTest.h
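Review bot: The rewritten comment describes a fail-open default — the base verifySignature explicitly performs no cryptographic evaluation, yet (judging by the test subclass in this patch, which calls sig->verify() itself afterwards) it returns normally, so a subclass that forgets to override, or a caller using the base class directly, gets a verifier that accepts any profile-conformant signature. The comment should say so in those terms rather than only instructing subclasses: I'd add ` * WARNING: a normal return from this base implementation does NOT mean the signature is valid; no key is applied and no cryptographic check is made here.` If the method is never meant to be used unsubclassed, making it pure virtual or having the base throw after the profile checks would enforce that at the type level; the declaration itself is outside this hunk, so I cannot tell which is intended.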
@@ -29,24 +29,23 @@ using namespace opensaml::saml1;
 #include
 #include
-class TestContext : public VerifyingContext
+class TestContext : public virtual CredentialResolver, public SigningContext, public VerifyingContext
 {
- SigningContext* m_signing;
 vector m_certs;
+ OpenSSLCryptoKeyRSA* m_key;
 public:
- TestContext(const XMLCh* uri) : VerifyingContext(uri), m_signing(NULL) {
- OpenSSLCryptoKeyRSA* key=NULL;
+ TestContext(const XMLCh* uri) : VerifyingContext(uri), SigningContext(uri,*this), m_key(NULL) {
 string keypath=data_path + "key.pem";
 BIO* in=BIO_new(BIO_s_file_internal());
 if (in && BIO_read_filename(in,keypath.c_str())>0) {
 EVP_PKEY* pkey=PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
 if (pkey) {
- key=new OpenSSLCryptoKeyRSA(pkey);
+ m_key=new OpenSSLCryptoKeyRSA(pkey);
 EVP_PKEY_free(pkey);
 }
 }
 if (in) BIO_free(in);
- TS_ASSERT(key!=NULL);
+ TS_ASSERT(m_key!=NULL);
 string certpath=data_path + "cert.pem";
 in=BIO_new(BIO_s_file_internal());
@@ -59,16 +58,13 @@ public:
 }
 if (in) BIO_free(in);
 TS_ASSERT(m_certs.size()>0);
- m_signing=new SigningContext(uri, key, &m_certs);
 }
 virtual ~TestContext() {
- delete m_signing;
+ delete m_key;
 for_each(m_certs.begin(),m_certs.end(),xmltooling::cleanup());
 }
- SigningContext* getSigningContext() { return m_signing; }
-
 void verifySignature(DSIGSignature* sig) const {
 VerifyingContext::verifySignature(sig);
 sig->setSigningKey(NULL);
@@ -76,6 +72,14 @@ public:
 sig->setKeyInfoResolver(&resolver);
 sig->verify();
 }
+
+ xmlsignature::KeyInfo* getKeyInfo() { return NULL; }
+ const char* getId() const { return "test"; }
+ const vector* getX509Certificates() { return &m_certs; }
+ XSECCryptoKey* getPublicKey() { return m_key; }
+ XSECCryptoKey* getPrivateKey() { return m_key; }
+ Lockable& lock() { return *this; }
+ void unlock() {}
 };
 class SAML1AssertionTest : public CxxTest::TestSuite, public SAMLObjectBaseTestCase {
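Review bot: The new mem-initializer list is written `VerifyingContext(uri), SigningContext(uri,*this), m_key(NULL)`, but bases are constructed in declaration order — the virtual `CredentialResolver` first, then `SigningContext`, then `VerifyingContext` — so the list is misleading and gcc's -Wreorder will warn; reorder it to `SigningContext(uri,*this), VerifyingContext(uri), m_key(NULL)`. Passing `*this` to a base constructor is only safe because SigningContext merely binds the reference (per the header hunk in this patch); a comment such as `// SigningContext only stores the reference; nothing calls back into the resolver until construction completes` would keep a future change from turning it into a call on a partially constructed object. As far as I know TS_ASSERT only records the failure, so if key.pem fails to load construction continues with `m_key` NULL and the signing test runs against a null key.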
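Review bot: `getPrivateKey()` hands out `m_key` as a raw pointer while `~TestContext` (in the hunk above) still deletes it, whereas the getSigningKey() this commit removes transferred ownership to the caller. Whatever consumes the resolver's private key on the signing path (not in this patch) must therefore no longer free it — in particular it must not be passed straight to DSIGSignature::setSigningKey(), which as I recall takes ownership of the key, or `m_key` will be deleted twice; please confirm the marshalling side was updated for the new ownership model. `getPublicKey()` returning the same private-key object is fine in a test but deserves `// test shortcut: the RSA private key object also exposes the public half` so it is not copied into production resolvers, and the no-op `lock()`/`unlock()` give none of the exclusion Lockable implies, which is acceptable only because this test is single-threaded.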
@@ -118,7 +122,7 @@ public:
 // Signing context for the assertion.
 TestContext tc(id.get());
- MarshallingContext mctx(sig,tc.getSigningContext());
+ MarshallingContext mctx(sig,&tc);
 DOMElement* rootElement = assertion->marshall((DOMDocument*)NULL,&mctx);
 string buf;
-- 
2.1.4