2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * BasicX509Credential.cpp
24 * Wraps an X.509-based Credential by storing key/cert objects inside.
28 #include "security/BasicX509Credential.h"
29 #include "security/KeyInfoCredentialContext.h"
30 #include "security/OpenSSLCredential.h"
31 #include "security/SecurityHelper.h"
32 #include "security/XSECCryptoX509CRL.h"
33 #include "signature/KeyInfo.h"
36 #include <openssl/x509v3.h>
37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
38 #include <xercesc/util/Base64.hpp>
40 using namespace xmlsignature;
41 using namespace xmltooling;
42 using namespace xercesc;
45 Credential::Credential()
49 Credential::~Credential()
53 const CredentialContext* Credential::getCredentalContext() const
58 X509Credential::X509Credential()
62 X509Credential::~X509Credential()
66 OpenSSLCredential::OpenSSLCredential()
70 OpenSSLCredential::~OpenSSLCredential()
74 CredentialContext::CredentialContext()
78 CredentialContext::~CredentialContext()
82 KeyInfoCredentialContext::KeyInfoCredentialContext(const KeyInfo* keyInfo) : m_keyInfo(keyInfo), m_nativeKeyInfo(nullptr)
86 KeyInfoCredentialContext::KeyInfoCredentialContext(DSIGKeyInfoList* keyInfo) : m_keyInfo(nullptr), m_nativeKeyInfo(keyInfo)
90 KeyInfoCredentialContext::~KeyInfoCredentialContext()
94 const KeyInfo* KeyInfoCredentialContext::getKeyInfo() const
99 DSIGKeyInfoList* KeyInfoCredentialContext::getNativeKeyInfo() const
101 return m_nativeKeyInfo;
104 BasicX509Credential::BasicX509Credential(bool ownCerts) : m_key(nullptr), m_ownCerts(ownCerts), m_keyInfo(nullptr), m_compactKeyInfo(nullptr)
108 BasicX509Credential::BasicX509Credential(XSECCryptoKey* key, const vector<XSECCryptoX509*>& certs, XSECCryptoX509CRL* crl)
109 : m_key(key), m_xseccerts(certs), m_ownCerts(true), m_keyInfo(nullptr), m_compactKeyInfo(nullptr)
112 m_crls.push_back(crl);
115 BasicX509Credential::BasicX509Credential(XSECCryptoKey* key, const vector<XSECCryptoX509*>& certs, const vector<XSECCryptoX509CRL*>& crls)
116 : m_key(key), m_xseccerts(certs), m_ownCerts(true), m_crls(crls), m_keyInfo(nullptr), m_compactKeyInfo(nullptr)
120 BasicX509Credential::~BasicX509Credential()
124 for_each(m_xseccerts.begin(), m_xseccerts.end(), xmltooling::cleanup<XSECCryptoX509>());
125 for_each(m_crls.begin(), m_crls.end(), xmltooling::cleanup<XSECCryptoX509CRL>());
127 delete m_compactKeyInfo;
130 void BasicX509Credential::initKeyInfo(unsigned int types)
134 delete m_compactKeyInfo;
135 m_compactKeyInfo = nullptr;
137 // Default will disable X509IssuerSerial due to schema validation issues.
139 types = KEYINFO_KEY_VALUE | KEYINFO_KEY_NAME | KEYINFO_X509_CERTIFICATE | KEYINFO_X509_SUBJECTNAME | KEYINFO_X509_DIGEST;
141 if (types & KEYINFO_KEY_NAME) {
142 const set<string>& names = getKeyNames();
143 if (!names.empty()) {
144 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
145 VectorOf(KeyName) knames = m_compactKeyInfo->getKeyNames();
146 for (set<string>::const_iterator n = names.begin(); n!=names.end(); ++n) {
147 if (*n == m_subjectName)
149 auto_ptr_XMLCh wide(n->c_str());
150 KeyName* kname = KeyNameBuilder::buildKeyName();
151 kname->setName(wide.get());
152 knames.push_back(kname);
157 if (types & KEYINFO_X509_SUBJECTNAME || types & KEYINFO_X509_ISSUERSERIAL) {
158 if (!m_subjectName.empty() || (!m_issuerName.empty() && !m_serial.empty())) {
159 if (!m_compactKeyInfo)
160 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
161 X509Data* x509Data=X509DataBuilder::buildX509Data();
162 m_compactKeyInfo->getX509Datas().push_back(x509Data);
163 if (types & KEYINFO_X509_SUBJECTNAME && !m_subjectName.empty()) {
164 X509SubjectName* sn = X509SubjectNameBuilder::buildX509SubjectName();
165 auto_ptr_XMLCh wide(m_subjectName.c_str());
166 sn->setName(wide.get());
167 x509Data->getX509SubjectNames().push_back(sn);
170 if (types & KEYINFO_X509_ISSUERSERIAL && !m_issuerName.empty() && !m_serial.empty()) {
171 X509IssuerSerial* is = X509IssuerSerialBuilder::buildX509IssuerSerial();
172 X509IssuerName* in = X509IssuerNameBuilder::buildX509IssuerName();
173 auto_ptr_XMLCh wide(m_issuerName.c_str());
174 in->setName(wide.get());
175 is->setX509IssuerName(in);
176 X509SerialNumber* ser = X509SerialNumberBuilder::buildX509SerialNumber();
177 auto_ptr_XMLCh wide2(m_serial.c_str());
178 ser->setSerialNumber(wide2.get());
179 is->setX509SerialNumber(ser);
180 x509Data->getX509IssuerSerials().push_back(is);
185 if (types & KEYINFO_X509_CERTIFICATE && !m_xseccerts.empty()) {
186 m_keyInfo = m_compactKeyInfo ? m_compactKeyInfo->cloneKeyInfo() : KeyInfoBuilder::buildKeyInfo();
187 if (m_keyInfo->getX509Datas().empty())
188 m_keyInfo->getX509Datas().push_back(X509DataBuilder::buildX509Data());
189 for (vector<XSECCryptoX509*>::const_iterator x = m_xseccerts.begin(); x!=m_xseccerts.end(); ++x) {
190 safeBuffer& buf=(*x)->getDEREncodingSB();
191 X509Certificate* x509=X509CertificateBuilder::buildX509Certificate();
192 x509->setValue(buf.sbStrToXMLCh());
193 m_keyInfo->getX509Datas().front()->getX509Certificates().push_back(x509);
197 if (types & KEYINFO_X509_DIGEST && !m_xseccerts.empty()) {
198 if (!m_compactKeyInfo)
199 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
200 if (m_compactKeyInfo->getX509Datas().empty())
201 m_compactKeyInfo->getX509Datas().push_back(X509DataBuilder::buildX509Data());
202 safeBuffer& buf=m_xseccerts.front()->getDEREncodingSB();
204 XMLByte* decoded = Base64::decode(reinterpret_cast<const XMLByte*>(buf.rawCharBuffer()), &x);
206 string xdig = SecurityHelper::doHash("SHA1", reinterpret_cast<char*>(decoded), x, false);
207 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
208 XMLString::release(&decoded);
210 XMLString::release((char**)&decoded);
212 XMLByte* encoded = Base64::encode(reinterpret_cast<const XMLByte*>(xdig.c_str()), xdig.length(), &x);
214 auto_ptr_XMLCh widenit(reinterpret_cast<char*>(encoded));
215 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
216 XMLString::release(&encoded);
218 XMLString::release((char**)&encoded);
220 X509Digest* x509dig = X509DigestBuilder::buildX509Digest();
221 x509dig->setValue(widenit.get());
222 x509dig->setAlgorithm(DSIGConstants::s_unicodeStrURISHA1);
223 m_compactKeyInfo->getX509Datas().front()->getX509Digests().push_back(x509dig);
229 unsigned int BasicX509Credential::getUsage() const
231 return UNSPECIFIED_CREDENTIAL;
234 const char* BasicX509Credential::getAlgorithm() const
237 switch (m_key->getKeyType()) {
238 case XSECCryptoKey::KEY_RSA_PRIVATE:
239 case XSECCryptoKey::KEY_RSA_PUBLIC:
240 case XSECCryptoKey::KEY_RSA_PAIR:
243 case XSECCryptoKey::KEY_DSA_PRIVATE:
244 case XSECCryptoKey::KEY_DSA_PUBLIC:
245 case XSECCryptoKey::KEY_DSA_PAIR:
248 #ifdef XMLTOOLING_XMLSEC_ECC
249 case XSECCryptoKey::KEY_EC_PRIVATE:
250 case XSECCryptoKey::KEY_EC_PUBLIC:
251 case XSECCryptoKey::KEY_EC_PAIR:
255 case XSECCryptoKey::KEY_HMAC:
258 case XSECCryptoKey::KEY_SYMMETRIC: {
259 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
260 case XSECCryptoSymmetricKey::KEY_3DES_192:
262 case XSECCryptoSymmetricKey::KEY_AES_128:
264 case XSECCryptoSymmetricKey::KEY_AES_192:
266 case XSECCryptoSymmetricKey::KEY_AES_256:
275 unsigned int BasicX509Credential::getKeySize() const
278 switch (m_key->getKeyType()) {
279 case XSECCryptoKey::KEY_RSA_PRIVATE:
280 case XSECCryptoKey::KEY_RSA_PUBLIC:
281 case XSECCryptoKey::KEY_RSA_PAIR: {
282 XSECCryptoKeyRSA* rkey = static_cast<XSECCryptoKeyRSA*>(m_key);
283 return 8 * rkey->getLength();
286 case XSECCryptoKey::KEY_SYMMETRIC: {
287 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
288 case XSECCryptoSymmetricKey::KEY_3DES_192:
290 case XSECCryptoSymmetricKey::KEY_AES_128:
292 case XSECCryptoSymmetricKey::KEY_AES_192:
294 case XSECCryptoSymmetricKey::KEY_AES_256:
303 XSECCryptoKey* BasicX509Credential::getPrivateKey() const
306 XSECCryptoKey::KeyType type = m_key->getKeyType();
307 if (type != XSECCryptoKey::KEY_RSA_PUBLIC && type != XSECCryptoKey::KEY_DSA_PUBLIC
308 #ifdef XMLTOOLING_XMLSEC_ECC
309 && type != XSECCryptoKey::KEY_EC_PUBLIC
317 XSECCryptoKey* BasicX509Credential::getPublicKey() const
320 XSECCryptoKey::KeyType type = m_key->getKeyType();
321 if (type != XSECCryptoKey::KEY_RSA_PRIVATE && type != XSECCryptoKey::KEY_DSA_PRIVATE
322 #ifdef XMLTOOLING_XMLSEC_ECC
323 && type != XSECCryptoKey::KEY_EC_PRIVATE
331 const set<string>& BasicX509Credential::getKeyNames() const
336 KeyInfo* BasicX509Credential::getKeyInfo(bool compact) const
338 if (compact || !m_keyInfo)
339 return m_compactKeyInfo ? m_compactKeyInfo->cloneKeyInfo() : nullptr;
340 return m_keyInfo->cloneKeyInfo();
343 const vector<XSECCryptoX509*>& BasicX509Credential::getEntityCertificateChain() const
348 XSECCryptoX509CRL* BasicX509Credential::getCRL() const
350 return m_crls.empty() ? nullptr : m_crls.front();
353 const vector<XSECCryptoX509CRL*>& BasicX509Credential::getCRLs() const
358 const char* BasicX509Credential::getSubjectName() const
360 return m_subjectName.c_str();
363 const char* BasicX509Credential::getIssuerName() const
365 return m_issuerName.c_str();
368 const char* BasicX509Credential::getSerialNumber() const
370 return m_serial.c_str();
373 void BasicX509Credential::extract()
375 XSECCryptoX509* x509 = m_xseccerts.empty() ? nullptr : m_xseccerts.front();
376 if (!x509 || x509->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL)
378 X509* cert = static_cast<OpenSSLCryptoX509*>(x509)->getOpenSSLX509();
382 X509_NAME* issuer=X509_get_issuer_name(cert);
384 BIO* b = BIO_new(BIO_s_mem());
385 X509_NAME_print_ex(b,issuer,0,XN_FLAG_RFC2253);
387 BUF_MEM* bptr=nullptr;
388 BIO_get_mem_ptr(b, &bptr);
389 m_issuerName.erase();
390 m_issuerName.append(bptr->data, bptr->length);
394 ASN1_INTEGER* serialASN = X509_get_serialNumber(cert);
395 BIGNUM* serialBN = ASN1_INTEGER_to_BN(serialASN, nullptr);
397 char* serial = BN_bn2dec(serialBN);
400 OPENSSL_free(serial);
405 X509_NAME* subject=X509_get_subject_name(cert);
407 BIO* b = BIO_new(BIO_s_mem());
408 X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
410 BUF_MEM* bptr=nullptr;
411 BIO_get_mem_ptr(b, &bptr);
412 m_subjectName.erase();
413 m_subjectName.append(bptr->data, bptr->length);
414 m_keyNames.insert(m_subjectName);
417 // Fetch the last CN RDN.
418 char* peer_CN = nullptr;
420 while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
423 ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
424 // Copied in from libcurl.
425 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
426 is already UTF-8 encoded. We check for this case and copy the raw
427 string manually to avoid the problem. */
428 if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
429 j = ASN1_STRING_length(tmp);
431 peer_CN = (char*)OPENSSL_malloc(j + 1);
432 memcpy(peer_CN, ASN1_STRING_data(tmp), j);
436 else /* not a UTF8 name */ {
437 j = ASN1_STRING_to_UTF8(reinterpret_cast<unsigned char**>(&peer_CN), tmp);
441 m_keyNames.insert(string(peer_CN, j));
443 OPENSSL_free(peer_CN);
446 STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr);
448 int numalts = sk_GENERAL_NAME_num(altnames);
449 for (int an=0; an<numalts; an++) {
450 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
451 if (check->type==GEN_DNS || check->type==GEN_URI) {
452 const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
453 const int altlen = ASN1_STRING_length(check->d.ia5);
455 m_keyNames.insert(string(altptr, altlen));
459 GENERAL_NAMES_free(altnames);