2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * BasicX509Credential.cpp
20 * Wraps an X.509-based Credential by storing key/cert objects inside.
24 #include "security/BasicX509Credential.h"
25 #include "security/KeyInfoCredentialContext.h"
26 #include "security/OpenSSLCredential.h"
27 #include "security/XSECCryptoX509CRL.h"
28 #include "signature/KeyInfo.h"
31 #include <openssl/x509v3.h>
32 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
34 using namespace xmlsignature;
35 using namespace xmltooling;
38 Credential::Credential()
42 Credential::~Credential()
46 const CredentialContext* Credential::getCredentalContext() const
51 X509Credential::X509Credential()
55 X509Credential::~X509Credential()
59 OpenSSLCredential::OpenSSLCredential()
63 OpenSSLCredential::~OpenSSLCredential()
67 CredentialContext::CredentialContext()
71 CredentialContext::~CredentialContext()
75 KeyInfoCredentialContext::KeyInfoCredentialContext(const KeyInfo* keyInfo) : m_keyInfo(keyInfo), m_nativeKeyInfo(nullptr)
79 KeyInfoCredentialContext::KeyInfoCredentialContext(DSIGKeyInfoList* keyInfo) : m_keyInfo(nullptr), m_nativeKeyInfo(keyInfo)
83 KeyInfoCredentialContext::~KeyInfoCredentialContext()
87 const KeyInfo* KeyInfoCredentialContext::getKeyInfo() const
92 DSIGKeyInfoList* KeyInfoCredentialContext::getNativeKeyInfo() const
94 return m_nativeKeyInfo;
97 BasicX509Credential::BasicX509Credential(bool ownCerts) : m_key(nullptr), m_ownCerts(ownCerts), m_keyInfo(nullptr), m_compactKeyInfo(nullptr)
101 BasicX509Credential::BasicX509Credential(XSECCryptoKey* key, const vector<XSECCryptoX509*>& certs, XSECCryptoX509CRL* crl)
102 : m_key(key), m_xseccerts(certs), m_ownCerts(true), m_keyInfo(nullptr), m_compactKeyInfo(nullptr)
105 m_crls.push_back(crl);
108 BasicX509Credential::BasicX509Credential(XSECCryptoKey* key, const vector<XSECCryptoX509*>& certs, const vector<XSECCryptoX509CRL*>& crls)
109 : m_key(key), m_xseccerts(certs), m_ownCerts(true), m_crls(crls), m_keyInfo(nullptr), m_compactKeyInfo(nullptr)
113 BasicX509Credential::~BasicX509Credential()
117 for_each(m_xseccerts.begin(), m_xseccerts.end(), xmltooling::cleanup<XSECCryptoX509>());
118 for_each(m_crls.begin(), m_crls.end(), xmltooling::cleanup<XSECCryptoX509CRL>());
120 delete m_compactKeyInfo;
123 void BasicX509Credential::initKeyInfo(unsigned int types)
127 delete m_compactKeyInfo;
128 m_compactKeyInfo = nullptr;
131 types = KEYINFO_KEY_VALUE | KEYINFO_KEY_NAME | KEYINFO_X509_CERTIFICATE | KEYINFO_X509_SUBJECTNAME | KEYINFO_X509_ISSUERSERIAL;
133 if (types & KEYINFO_KEY_NAME) {
134 const set<string>& names = getKeyNames();
135 if (!names.empty()) {
136 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
137 VectorOf(KeyName) knames = m_compactKeyInfo->getKeyNames();
138 for (set<string>::const_iterator n = names.begin(); n!=names.end(); ++n) {
139 if (*n == m_subjectName)
141 auto_ptr_XMLCh wide(n->c_str());
142 KeyName* kname = KeyNameBuilder::buildKeyName();
143 kname->setName(wide.get());
144 knames.push_back(kname);
149 if (types & KEYINFO_X509_SUBJECTNAME || types & KEYINFO_X509_ISSUERSERIAL) {
150 if (!m_subjectName.empty() || (!m_issuerName.empty() && !m_serial.empty())) {
151 if (!m_compactKeyInfo)
152 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
153 X509Data* x509Data=X509DataBuilder::buildX509Data();
154 m_compactKeyInfo->getX509Datas().push_back(x509Data);
155 if (types & KEYINFO_X509_SUBJECTNAME && !m_subjectName.empty()) {
156 X509SubjectName* sn = X509SubjectNameBuilder::buildX509SubjectName();
157 auto_ptr_XMLCh wide(m_subjectName.c_str());
158 sn->setName(wide.get());
159 x509Data->getX509SubjectNames().push_back(sn);
162 if (types & KEYINFO_X509_ISSUERSERIAL && !m_issuerName.empty() && !m_serial.empty()) {
163 X509IssuerSerial* is = X509IssuerSerialBuilder::buildX509IssuerSerial();
164 X509IssuerName* in = X509IssuerNameBuilder::buildX509IssuerName();
165 auto_ptr_XMLCh wide(m_issuerName.c_str());
166 in->setName(wide.get());
167 is->setX509IssuerName(in);
168 X509SerialNumber* ser = X509SerialNumberBuilder::buildX509SerialNumber();
169 auto_ptr_XMLCh wide2(m_serial.c_str());
170 ser->setSerialNumber(wide2.get());
171 is->setX509SerialNumber(ser);
172 x509Data->getX509IssuerSerials().push_back(is);
177 if (types & KEYINFO_X509_CERTIFICATE && !m_xseccerts.empty()) {
178 m_keyInfo = m_compactKeyInfo ? m_compactKeyInfo->cloneKeyInfo() : KeyInfoBuilder::buildKeyInfo();
179 if (m_keyInfo->getX509Datas().empty())
180 m_keyInfo->getX509Datas().push_back(X509DataBuilder::buildX509Data());
181 for (vector<XSECCryptoX509*>::const_iterator x = m_xseccerts.begin(); x!=m_xseccerts.end(); ++x) {
182 safeBuffer& buf=(*x)->getDEREncodingSB();
183 X509Certificate* x509=X509CertificateBuilder::buildX509Certificate();
184 x509->setValue(buf.sbStrToXMLCh());
185 m_keyInfo->getX509Datas().front()->getX509Certificates().push_back(x509);
190 unsigned int BasicX509Credential::getUsage() const
192 return UNSPECIFIED_CREDENTIAL;
195 const char* BasicX509Credential::getAlgorithm() const
198 switch (m_key->getKeyType()) {
199 case XSECCryptoKey::KEY_RSA_PRIVATE:
200 case XSECCryptoKey::KEY_RSA_PUBLIC:
201 case XSECCryptoKey::KEY_RSA_PAIR:
204 case XSECCryptoKey::KEY_DSA_PRIVATE:
205 case XSECCryptoKey::KEY_DSA_PUBLIC:
206 case XSECCryptoKey::KEY_DSA_PAIR:
209 case XSECCryptoKey::KEY_HMAC:
212 case XSECCryptoKey::KEY_SYMMETRIC: {
213 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
214 case XSECCryptoSymmetricKey::KEY_3DES_192:
216 case XSECCryptoSymmetricKey::KEY_AES_128:
218 case XSECCryptoSymmetricKey::KEY_AES_192:
220 case XSECCryptoSymmetricKey::KEY_AES_256:
229 unsigned int BasicX509Credential::getKeySize() const
232 switch (m_key->getKeyType()) {
233 case XSECCryptoKey::KEY_RSA_PRIVATE:
234 case XSECCryptoKey::KEY_RSA_PUBLIC:
235 case XSECCryptoKey::KEY_RSA_PAIR: {
236 XSECCryptoKeyRSA* rkey = static_cast<XSECCryptoKeyRSA*>(m_key);
237 return rkey->getLength();
240 case XSECCryptoKey::KEY_SYMMETRIC: {
241 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
242 case XSECCryptoSymmetricKey::KEY_3DES_192:
244 case XSECCryptoSymmetricKey::KEY_AES_128:
246 case XSECCryptoSymmetricKey::KEY_AES_192:
248 case XSECCryptoSymmetricKey::KEY_AES_256:
257 XSECCryptoKey* BasicX509Credential::getPrivateKey() const
260 XSECCryptoKey::KeyType type = m_key->getKeyType();
261 if (type!=XSECCryptoKey::KEY_RSA_PUBLIC && type!=XSECCryptoKey::KEY_DSA_PUBLIC)
267 XSECCryptoKey* BasicX509Credential::getPublicKey() const
270 XSECCryptoKey::KeyType type = m_key->getKeyType();
271 if (type!=XSECCryptoKey::KEY_RSA_PRIVATE && type!=XSECCryptoKey::KEY_DSA_PRIVATE)
277 const set<string>& BasicX509Credential::getKeyNames() const
282 KeyInfo* BasicX509Credential::getKeyInfo(bool compact) const
284 if (compact || !m_keyInfo)
285 return m_compactKeyInfo ? m_compactKeyInfo->cloneKeyInfo() : nullptr;
286 return m_keyInfo->cloneKeyInfo();
289 const vector<XSECCryptoX509*>& BasicX509Credential::getEntityCertificateChain() const
294 XSECCryptoX509CRL* BasicX509Credential::getCRL() const
296 return m_crls.empty() ? nullptr : m_crls.front();
299 const vector<XSECCryptoX509CRL*>& BasicX509Credential::getCRLs() const
304 const char* BasicX509Credential::getSubjectName() const
306 return m_subjectName.c_str();
309 const char* BasicX509Credential::getIssuerName() const
311 return m_issuerName.c_str();
314 const char* BasicX509Credential::getSerialNumber() const
316 return m_serial.c_str();
319 void BasicX509Credential::extract()
321 XSECCryptoX509* x509 = m_xseccerts.empty() ? nullptr : m_xseccerts.front();
322 if (!x509 || x509->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL)
324 X509* cert = static_cast<OpenSSLCryptoX509*>(x509)->getOpenSSLX509();
328 X509_NAME* issuer=X509_get_issuer_name(cert);
330 BIO* b = BIO_new(BIO_s_mem());
331 X509_NAME_print_ex(b,issuer,0,XN_FLAG_RFC2253);
333 BUF_MEM* bptr=nullptr;
334 BIO_get_mem_ptr(b, &bptr);
335 m_issuerName.erase();
336 m_issuerName.append(bptr->data, bptr->length);
340 ASN1_INTEGER* serialASN = X509_get_serialNumber(cert);
341 BIGNUM* serialBN = ASN1_INTEGER_to_BN(serialASN, nullptr);
343 char* serial = BN_bn2dec(serialBN);
346 OPENSSL_free(serial);
351 X509_NAME* subject=X509_get_subject_name(cert);
353 BIO* b = BIO_new(BIO_s_mem());
354 X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
356 BUF_MEM* bptr=nullptr;
357 BIO_get_mem_ptr(b, &bptr);
358 m_subjectName.erase();
359 m_subjectName.append(bptr->data, bptr->length);
360 m_keyNames.insert(m_subjectName);
363 // Fetch the last CN RDN.
364 char* peer_CN = nullptr;
366 while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
369 ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
370 // Copied in from libcurl.
371 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
372 is already UTF-8 encoded. We check for this case and copy the raw
373 string manually to avoid the problem. */
374 if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
375 j = ASN1_STRING_length(tmp);
377 peer_CN = (char*)OPENSSL_malloc(j + 1);
378 memcpy(peer_CN, ASN1_STRING_data(tmp), j);
382 else /* not a UTF8 name */ {
383 j = ASN1_STRING_to_UTF8(reinterpret_cast<unsigned char**>(&peer_CN), tmp);
387 m_keyNames.insert(string(peer_CN, j));
389 OPENSSL_free(peer_CN);
392 STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr);
394 int numalts = sk_GENERAL_NAME_num(altnames);
395 for (int an=0; an<numalts; an++) {
396 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
397 if (check->type==GEN_DNS || check->type==GEN_URI) {
398 const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
399 const int altlen = ASN1_STRING_length(check->d.ia5);
401 m_keyNames.insert(string(altptr, altlen));
405 GENERAL_NAMES_free(altnames);