xmltooling/security/impl/BasicX509Credential.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * BasicX509Credential.cpp
  19  *
  20  * Wraps an X.509-based Credential by storing key/cert objects inside.
  21  */
  22
  23 #include "internal.h"
  24 #include "security/BasicX509Credential.h"
  25 #include "signature/KeyInfo.h"
  26
  27 #include <algorithm>
  28 #include <openssl/x509v3.h>
  29 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
  30
  31 using namespace xmlsignature;
  32 using namespace xmltooling;
  33 using namespace std;
  34
  35 BasicX509Credential::~BasicX509Credential()
  36 {
  37     delete m_key;
  38     if (m_ownCerts)
  39         for_each(m_xseccerts.begin(), m_xseccerts.end(), xmltooling::cleanup<XSECCryptoX509>());
  40     delete m_crl;
  41     delete m_keyInfo;
  42     delete m_compactKeyInfo;
  43 }
  44
  45 void BasicX509Credential::initKeyInfo(unsigned int types)
  46 {
  47     delete m_keyInfo;
  48     m_keyInfo = NULL;
  49     delete m_compactKeyInfo;
  50     m_compactKeyInfo = NULL;
  51
  52     if (types == 0)
  53         types = KEYINFO_KEY_VALUE | KEYINFO_KEY_NAME | KEYINFO_X509_CERTIFICATE | KEYINFO_X509_SUBJECTNAME | KEYINFO_X509_ISSUERSERIAL;
  54
  55     if (types & KEYINFO_KEY_NAME) {
  56         const set<string>& names = getKeyNames();
  57         if (!names.empty()) {
  58             m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
  59             VectorOf(KeyName) knames = m_compactKeyInfo->getKeyNames();
  60             for (set<string>::const_iterator n = names.begin(); n!=names.end(); ++n) {
  61                 if (*n == m_subjectName)
  62                     continue;
  63                 auto_ptr_XMLCh wide(n->c_str());
  64                 KeyName* kname = KeyNameBuilder::buildKeyName();
  65                 kname->setName(wide.get());
  66                 knames.push_back(kname);
  67             }
  68         }
  69     }
  70
  71     if (types & KEYINFO_X509_SUBJECTNAME || types & KEYINFO_X509_ISSUERSERIAL) {
  72         if (!m_subjectName.empty() || (!m_issuerName.empty() && !m_serial.empty())) {
  73             if (!m_compactKeyInfo)
  74                 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
  75             X509Data* x509Data=X509DataBuilder::buildX509Data();
  76             m_compactKeyInfo->getX509Datas().push_back(x509Data);
  77             if (types & KEYINFO_X509_SUBJECTNAME && !m_subjectName.empty()) {
  78                 X509SubjectName* sn = X509SubjectNameBuilder::buildX509SubjectName();
  79                 auto_ptr_XMLCh wide(m_subjectName.c_str());
  80                 sn->setName(wide.get());
  81                 x509Data->getX509SubjectNames().push_back(sn);
  82             }
  83
  84             if (types & KEYINFO_X509_ISSUERSERIAL && !m_issuerName.empty() && !m_serial.empty()) {
  85                 X509IssuerSerial* is = X509IssuerSerialBuilder::buildX509IssuerSerial();
  86                 X509IssuerName* in = X509IssuerNameBuilder::buildX509IssuerName();
  87                 auto_ptr_XMLCh wide(m_issuerName.c_str());
  88                 in->setName(wide.get());
  89                 is->setX509IssuerName(in);
  90                 X509SerialNumber* ser = X509SerialNumberBuilder::buildX509SerialNumber();
  91                 auto_ptr_XMLCh wide2(m_serial.c_str());
  92                 ser->setSerialNumber(wide2.get());
  93                 is->setX509SerialNumber(ser);
  94                 x509Data->getX509IssuerSerials().push_back(is);
  95             }
  96         }
  97     }
  98
  99     if (types & KEYINFO_X509_CERTIFICATE && !m_xseccerts.empty()) {
 100         m_keyInfo = m_compactKeyInfo ? m_compactKeyInfo->cloneKeyInfo() : KeyInfoBuilder::buildKeyInfo();
 101         if (m_keyInfo->getX509Datas().empty())
 102             m_keyInfo->getX509Datas().push_back(X509DataBuilder::buildX509Data());
 103         for (vector<XSECCryptoX509*>::const_iterator x = m_xseccerts.begin(); x!=m_xseccerts.end(); ++x) {
 104             safeBuffer& buf=(*x)->getDEREncodingSB();
 105             X509Certificate* x509=X509CertificateBuilder::buildX509Certificate();
 106             x509->setValue(buf.sbStrToXMLCh());
 107             m_keyInfo->getX509Datas().front()->getX509Certificates().push_back(x509);
 108         }
 109     }
 110 }
 111
 112 void BasicX509Credential::extract()
 113 {
 114     XSECCryptoX509* x509 = m_xseccerts.empty() ? NULL : m_xseccerts.front();
 115     if (!x509 || x509->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL)
 116         return;
 117     X509* cert = static_cast<OpenSSLCryptoX509*>(x509)->getOpenSSLX509();
 118     if (!cert)
 119         return;
 120
 121     BIO* b;
 122     int len;
 123     char buf[256];
 124
 125     X509_NAME* issuer=X509_get_issuer_name(cert);
 126     if (issuer) {
 127         memset(buf,0,sizeof(buf));
 128         b = BIO_new(BIO_s_mem());
 129         BIO_set_mem_eof_return(b, 0);
 130         len=X509_NAME_print_ex(b,issuer,0,XN_FLAG_RFC2253);
 131         BIO_flush(b);
 132         m_issuerName.erase();
 133         while ((len = BIO_read(b, buf, 255)) > 0) {
 134             buf[len] = '\0';
 135             m_issuerName+=buf;
 136         }
 137         BIO_free(b);
 138     }
 139
 140     ASN1_INTEGER* serialASN = X509_get_serialNumber(cert);
 141     BIGNUM* serialBN = ASN1_INTEGER_to_BN(serialASN, NULL);
 142     if (serialBN) {
 143         char* serial = BN_bn2dec(serialBN);
 144         if (serial) {
 145             m_serial = serial;
 146             free(serial);
 147         }
 148         BN_free(serialBN);
 149     }
 150
 151     X509_NAME* subject=X509_get_subject_name(cert);
 152     if (subject) {
 153         memset(buf,0,sizeof(buf));
 154         b = BIO_new(BIO_s_mem());
 155         BIO_set_mem_eof_return(b, 0);
 156         len=X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
 157         BIO_flush(b);
 158         m_subjectName.erase();
 159         while ((len = BIO_read(b, buf, 255)) > 0) {
 160             buf[len] = '\0';
 161             m_subjectName+=buf;
 162         }
 163         m_keyNames.insert(m_subjectName);
 164         BIO_free(b);
 165
 166         memset(buf,0,sizeof(buf));
 167         if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0)
 168             m_keyNames.insert(buf);
 169
 170         STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
 171         if (altnames) {
 172             string alt;
 173             int numalts = sk_GENERAL_NAME_num(altnames);
 174             for (int an=0; an<numalts; an++) {
 175                 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
 176                 if (check->type==GEN_DNS || check->type==GEN_URI) {
 177                     const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
 178                     const int altlen = ASN1_STRING_length(check->d.ia5);
 179                     if (altlen>0) {
 180                         alt.erase();
 181                         alt.append(altptr,altlen);
 182                         m_keyNames.insert(alt);
 183                     }
 184                 }
 185             }
 186         }
 187         GENERAL_NAMES_free(altnames);
 188     }
 189 }
 190
 191 const char* BasicX509Credential::getAlgorithm() const
 192 {
 193     if (m_key) {
 194         switch (m_key->getKeyType()) {
 195             case XSECCryptoKey::KEY_RSA_PRIVATE:
 196             case XSECCryptoKey::KEY_RSA_PUBLIC:
 197             case XSECCryptoKey::KEY_RSA_PAIR:
 198                 return "RSA";
 199
 200             case XSECCryptoKey::KEY_DSA_PRIVATE:
 201             case XSECCryptoKey::KEY_DSA_PUBLIC:
 202             case XSECCryptoKey::KEY_DSA_PAIR:
 203                 return "DSA";
 204
 205             case XSECCryptoKey::KEY_HMAC:
 206                 return "HMAC";
 207
 208             case XSECCryptoKey::KEY_SYMMETRIC: {
 209                 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
 210                     case XSECCryptoSymmetricKey::KEY_3DES_192:
 211                         return "DESede";
 212                     case XSECCryptoSymmetricKey::KEY_AES_128:
 213                         return "AES";
 214                     case XSECCryptoSymmetricKey::KEY_AES_192:
 215                         return "AES";
 216                     case XSECCryptoSymmetricKey::KEY_AES_256:
 217                         return "AES";
 218                 }
 219             }
 220         }
 221     }
 222     return NULL;
 223 }
 224
 225 unsigned int BasicX509Credential::getKeySize() const
 226 {
 227     if (m_key) {
 228         switch (m_key->getKeyType()) {
 229             case XSECCryptoKey::KEY_RSA_PRIVATE:
 230             case XSECCryptoKey::KEY_RSA_PUBLIC:
 231             case XSECCryptoKey::KEY_RSA_PAIR: {
 232                 XSECCryptoKeyRSA* rkey = static_cast<XSECCryptoKeyRSA*>(m_key);
 233                 return rkey->getLength();
 234             }
 235
 236             case XSECCryptoKey::KEY_SYMMETRIC: {
 237                 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
 238                     case XSECCryptoSymmetricKey::KEY_3DES_192:
 239                         return 192;
 240                     case XSECCryptoSymmetricKey::KEY_AES_128:
 241                         return 128;
 242                     case XSECCryptoSymmetricKey::KEY_AES_192:
 243                         return 192;
 244                     case XSECCryptoSymmetricKey::KEY_AES_256:
 245                         return 256;
 246                 }
 247             }
 248         }
 249     }
 250     return 0;
 251 }