2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * BasicX509Credential.cpp
20 * Wraps an X.509-based Credential by storing key/cert objects inside.
24 #include "security/BasicX509Credential.h"
25 #include "signature/KeyInfo.h"
28 #include <openssl/x509v3.h>
29 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
31 using namespace xmlsignature;
32 using namespace xmltooling;
35 BasicX509Credential::~BasicX509Credential()
39 for_each(m_xseccerts.begin(), m_xseccerts.end(), xmltooling::cleanup<XSECCryptoX509>());
42 delete m_compactKeyInfo;
45 void BasicX509Credential::initKeyInfo(unsigned int types)
49 delete m_compactKeyInfo;
50 m_compactKeyInfo = NULL;
53 types = KEYINFO_KEY_VALUE | KEYINFO_KEY_NAME | KEYINFO_X509_CERTIFICATE | KEYINFO_X509_SUBJECTNAME | KEYINFO_X509_ISSUERSERIAL;
55 if (types & KEYINFO_KEY_NAME) {
56 const set<string>& names = getKeyNames();
58 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
59 VectorOf(KeyName) knames = m_compactKeyInfo->getKeyNames();
60 for (set<string>::const_iterator n = names.begin(); n!=names.end(); ++n) {
61 if (*n == m_subjectName)
63 auto_ptr_XMLCh wide(n->c_str());
64 KeyName* kname = KeyNameBuilder::buildKeyName();
65 kname->setName(wide.get());
66 knames.push_back(kname);
71 if (types & KEYINFO_X509_SUBJECTNAME || types & KEYINFO_X509_ISSUERSERIAL) {
72 if (!m_subjectName.empty() || (!m_issuerName.empty() && !m_serial.empty())) {
73 if (!m_compactKeyInfo)
74 m_compactKeyInfo = KeyInfoBuilder::buildKeyInfo();
75 X509Data* x509Data=X509DataBuilder::buildX509Data();
76 m_compactKeyInfo->getX509Datas().push_back(x509Data);
77 if (types & KEYINFO_X509_SUBJECTNAME && !m_subjectName.empty()) {
78 X509SubjectName* sn = X509SubjectNameBuilder::buildX509SubjectName();
79 auto_ptr_XMLCh wide(m_subjectName.c_str());
80 sn->setName(wide.get());
81 x509Data->getX509SubjectNames().push_back(sn);
84 if (types & KEYINFO_X509_ISSUERSERIAL && !m_issuerName.empty() && !m_serial.empty()) {
85 X509IssuerSerial* is = X509IssuerSerialBuilder::buildX509IssuerSerial();
86 X509IssuerName* in = X509IssuerNameBuilder::buildX509IssuerName();
87 auto_ptr_XMLCh wide(m_issuerName.c_str());
88 in->setName(wide.get());
89 is->setX509IssuerName(in);
90 X509SerialNumber* ser = X509SerialNumberBuilder::buildX509SerialNumber();
91 auto_ptr_XMLCh wide2(m_serial.c_str());
92 ser->setSerialNumber(wide2.get());
93 is->setX509SerialNumber(ser);
94 x509Data->getX509IssuerSerials().push_back(is);
99 if (types & KEYINFO_X509_CERTIFICATE && !m_xseccerts.empty()) {
100 m_keyInfo = m_compactKeyInfo ? m_compactKeyInfo->cloneKeyInfo() : KeyInfoBuilder::buildKeyInfo();
101 if (m_keyInfo->getX509Datas().empty())
102 m_keyInfo->getX509Datas().push_back(X509DataBuilder::buildX509Data());
103 for (vector<XSECCryptoX509*>::const_iterator x = m_xseccerts.begin(); x!=m_xseccerts.end(); ++x) {
104 safeBuffer& buf=(*x)->getDEREncodingSB();
105 X509Certificate* x509=X509CertificateBuilder::buildX509Certificate();
106 x509->setValue(buf.sbStrToXMLCh());
107 m_keyInfo->getX509Datas().front()->getX509Certificates().push_back(x509);
112 void BasicX509Credential::extract()
114 XSECCryptoX509* x509 = m_xseccerts.empty() ? NULL : m_xseccerts.front();
115 if (!x509 || x509->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL)
117 X509* cert = static_cast<OpenSSLCryptoX509*>(x509)->getOpenSSLX509();
125 X509_NAME* issuer=X509_get_issuer_name(cert);
127 memset(buf,0,sizeof(buf));
128 b = BIO_new(BIO_s_mem());
129 BIO_set_mem_eof_return(b, 0);
130 len=X509_NAME_print_ex(b,issuer,0,XN_FLAG_RFC2253);
132 m_issuerName.erase();
133 while ((len = BIO_read(b, buf, 255)) > 0) {
140 ASN1_INTEGER* serialASN = X509_get_serialNumber(cert);
141 BIGNUM* serialBN = ASN1_INTEGER_to_BN(serialASN, NULL);
143 char* serial = BN_bn2dec(serialBN);
151 X509_NAME* subject=X509_get_subject_name(cert);
153 memset(buf,0,sizeof(buf));
154 b = BIO_new(BIO_s_mem());
155 BIO_set_mem_eof_return(b, 0);
156 len=X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
158 m_subjectName.erase();
159 while ((len = BIO_read(b, buf, 255)) > 0) {
163 m_keyNames.insert(m_subjectName);
166 memset(buf,0,sizeof(buf));
167 if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0)
168 m_keyNames.insert(buf);
170 STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
173 int numalts = sk_GENERAL_NAME_num(altnames);
174 for (int an=0; an<numalts; an++) {
175 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
176 if (check->type==GEN_DNS || check->type==GEN_URI) {
177 const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
178 const int altlen = ASN1_STRING_length(check->d.ia5);
181 alt.append(altptr,altlen);
182 m_keyNames.insert(alt);
187 GENERAL_NAMES_free(altnames);
191 const char* BasicX509Credential::getAlgorithm() const
194 switch (m_key->getKeyType()) {
195 case XSECCryptoKey::KEY_RSA_PRIVATE:
196 case XSECCryptoKey::KEY_RSA_PUBLIC:
197 case XSECCryptoKey::KEY_RSA_PAIR:
200 case XSECCryptoKey::KEY_DSA_PRIVATE:
201 case XSECCryptoKey::KEY_DSA_PUBLIC:
202 case XSECCryptoKey::KEY_DSA_PAIR:
205 case XSECCryptoKey::KEY_HMAC:
208 case XSECCryptoKey::KEY_SYMMETRIC: {
209 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
210 case XSECCryptoSymmetricKey::KEY_3DES_192:
212 case XSECCryptoSymmetricKey::KEY_AES_128:
214 case XSECCryptoSymmetricKey::KEY_AES_192:
216 case XSECCryptoSymmetricKey::KEY_AES_256:
225 unsigned int BasicX509Credential::getKeySize() const
228 switch (m_key->getKeyType()) {
229 case XSECCryptoKey::KEY_RSA_PRIVATE:
230 case XSECCryptoKey::KEY_RSA_PUBLIC:
231 case XSECCryptoKey::KEY_RSA_PAIR: {
232 XSECCryptoKeyRSA* rkey = static_cast<XSECCryptoKeyRSA*>(m_key);
233 return rkey->getLength();
236 case XSECCryptoKey::KEY_SYMMETRIC: {
237 switch (static_cast<XSECCryptoSymmetricKey*>(m_key)->getSymmetricKeyType()) {
238 case XSECCryptoSymmetricKey::KEY_3DES_192:
240 case XSECCryptoSymmetricKey::KEY_AES_128:
242 case XSECCryptoSymmetricKey::KEY_AES_192:
244 case XSECCryptoSymmetricKey::KEY_AES_256: