CPPFLAGS="-I${with_xmlsec}/include $CPPFLAGS"
fi])
LIBS="-lxml-security-c $LIBS"
-AC_CHECK_HEADER([xsec/xenc/XENCEncryptionMethod.hpp],,AC_MSG_ERROR([unable to find xml-security 1.1 header files]),[#include <xercesc/dom/DOM.hpp>])
+AC_CHECK_HEADER([xsec/xenc/XENCEncryptionMethod.hpp],,AC_MSG_ERROR([unable to find xml-security header files]),[#include <xercesc/dom/DOM.hpp>])
+AC_MSG_CHECKING([XML-Security version])
+AC_PREPROC_IFELSE(
+ [AC_LANG_PROGRAM([#include <xsec/utils/XSECPlatformUtils.hpp>],
+ [#if XSEC_VERSION_MAJOR > 1 || (XSEC_VERSION_MAJOR == 1 && XSEC_VERSION_MEDIUM > 2)
+int i = 0;
+#else
+#error need version 1.3.0 or later
+#endif])],
+ [AC_MSG_RESULT(OK)],
+ [AC_MSG_FAILURE([XML-Security version 1.3.0 or greater is required.])])
AC_TRY_LINK(
[#include <xsec/utils/XSECPlatformUtils.hpp>],
[XSECPlatformUtils::Initialise()],
#include "internal.h"
#include <openssl/x509.h>
+#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
+#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
using namespace shibboleth::logging;
// The new "basic" trust implementation relies solely on certificates living within the
// role interface to verify the EE certificate.
- log.debug("comparing certificate to KeyDescriptors");
+ log.debug("comparing key inside certificate to KeyDescriptors");
Iterator<const IKeyDescriptor*> kd_i=role->getKeyDescriptors();
while (kd_i.hasNext()) {
const IKeyDescriptor* kd=kd_i.next();
continue;
Iterator<KeyInfoResolver*> resolvers(m_resolvers);
while (resolvers.hasNext()) {
- XSECCryptoX509* cert=resolvers.next()->resolveCert(KIL);
- if (cert) {
- log.debug("KeyDescriptor resolved into a certificate, comparing it...");
- if (cert->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
- log.warn("only the OpenSSL XSEC provider is supported");
+ XSECCryptoKey* key=((XSECKeyInfoResolver*)*resolvers.next())->resolveKey(KIL);
+ if (key) {
+ log.debug("KeyDescriptor resolved into a key, comparing it...");
+ if (key->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
+ log.error("only the OpenSSL XSEC provider is supported");
continue;
}
- else if (!X509_cmp(reinterpret_cast<X509*>(certEE),static_cast<OpenSSLCryptoX509*>(cert)->getOpenSSLX509())) {
- log.info("certificate match found in KeyDescriptor");
- return true;
+
+ switch (key->getKeyType()) {
+ case XSECCryptoKey::KEY_RSA_PUBLIC:
+ case XSECCryptoKey::KEY_RSA_PAIR:
+ {
+ RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
+ EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(reinterpret_cast<X509*>(certEE)));
+ if (rsa && evp && evp->type == EVP_PKEY_RSA &&
+ BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
+ if (evp)
+ EVP_PKEY_free(evp);
+ log.debug("matching key found in KeyDescriptor");
+ return true;
+ }
+ if (evp)
+ EVP_PKEY_free(evp);
+ break;
+ }
+
+ case XSECCryptoKey::KEY_DSA_PUBLIC:
+ case XSECCryptoKey::KEY_DSA_PAIR:
+ {
+ DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
+ EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(reinterpret_cast<X509*>(certEE)));
+ if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
+ if (evp)
+ EVP_PKEY_free(evp);
+ log.debug("matching key found in KeyDescriptor");
+ return true;
+ }
+ if (evp)
+ EVP_PKEY_free(evp);
+ break;
+ }
+
+ default:
+ log.warn("unknown key type in KeyDescriptor, skipping...");
}
- else
- log.debug("certificate did not match");
}
}
}
- log.debug("failed to find an exact match for certificate in KeyDescriptors");
+ log.debug("failed to find a matching key for certificate in KeyDescriptors");
return false;
}
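Review bot: The DSA case compares only `pub_key`, so a KeyDescriptor whose DSA key has the same y value under different domain parameters would still be reported as a match; the condition should cover the parameters as well, e.g. `BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0 && BN_cmp(dsa->p,evp->pkey.dsa->p) == 0 && BN_cmp(dsa->q,evp->pkey.dsa->q) == 0 && BN_cmp(dsa->g,evp->pkey.dsa->g) == 0` (the RSA case, comparing n and e, already identifies the public key fully). In both matched branches the `if (evp)` guard before `EVP_PKEY_free(evp);` is redundant, since the enclosing condition already requires `evp` to be non-null, so a plain `EVP_PKEY_free(evp);` reads more clearly. The C-style cast `(XSECKeyInfoResolver*)*resolvers.next()` presumably relies on a conversion operator on KeyInfoResolver; a named cast or an explicit accessor would make that intent visible at the call site. The enclosing function begins before this hunk, since `certEE`, `role` and `KIL` are not declared within it.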
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: openssl-devel, curl-devel >= 7.10.6
-BuildRequires: xerces%{?xercesver}-c-devel >= 2.8.0, xml-security-c-devel >= 1.1.0
+BuildRequires: xerces%{?xercesver}-c-devel >= 2.8.0, xml-security-c-devel >= 1.3.0
BuildRequires: zlib-devel, opensaml-devel >= 1.1.1, opensaml-devel < 2.0
%{?_with_log4cpp:BuildRequires: log4cpp-devel >= 1.0}
%{!?_with_log4cpp:BuildRequires: log4shib-devel}