xmltooling/security/impl/ChainingTrustEngine.cpp

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 /**
  22  * ChainingTrustEngine.cpp
  23  *
  24  * OpenSSLTrustEngine that uses multiple engines in sequence.
  25  */
  26
  27 #include "internal.h"
  28 #include "exceptions.h"
  29 #include "logging.h"
  30 #include "security/ChainingTrustEngine.h"
  31 #include "security/CredentialCriteria.h"
  32 #include "util/XMLHelper.h"
  33
  34 #include <algorithm>
  35 #include <xercesc/util/XMLUniDefs.hpp>
  36
  37 using namespace xmlsignature;
  38 using namespace xmltooling::logging;
  39 using namespace xmltooling;
  40 using namespace std;
  41
  42 using xercesc::DOMElement;
  43
  44 namespace xmltooling {
  45     TrustEngine* XMLTOOL_DLLLOCAL ChainingTrustEngineFactory(const DOMElement* const & e)
  46     {
  47         return new ChainingTrustEngine(e);
  48     }
  49 };
  50
  51 static const XMLCh _TrustEngine[] =                 UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
  52 static const XMLCh type[] =                         UNICODE_LITERAL_4(t,y,p,e);
  53
  54 ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : TrustEngine(e) {
  55     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."CHAINING_TRUSTENGINE);
  56     e = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : nullptr;
  57     while (e) {
  58         try {
  59             string t = XMLHelper::getAttrString(e, nullptr, type);
  60             if (!t.empty()) {
  61                 log.info("building TrustEngine of type %s", t.c_str());
  62                 addTrustEngine(XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), e));
  63             }
  64         }
  65         catch (exception& ex) {
  66             log.error("error building TrustEngine: %s", ex.what());
  67         }
  68         e = XMLHelper::getNextSiblingElement(e, _TrustEngine);
  69     }
  70 }
  71
  72 ChainingTrustEngine::~ChainingTrustEngine() {
  73     for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup<TrustEngine>());
  74 }
  75
  76 void ChainingTrustEngine::addTrustEngine(TrustEngine* newEngine)
  77 {
  78     m_engines.push_back(newEngine);
  79     SignatureTrustEngine* sig = dynamic_cast<SignatureTrustEngine*>(newEngine);
  80     if (sig)
  81         m_sigEngines.push_back(sig);
  82     X509TrustEngine* x509 = dynamic_cast<X509TrustEngine*>(newEngine);
  83     if (x509)
  84         m_x509Engines.push_back(x509);
  85     OpenSSLTrustEngine* ossl = dynamic_cast<OpenSSLTrustEngine*>(newEngine);
  86     if (ossl)
  87         m_osslEngines.push_back(ossl);
  88 }
  89
  90 TrustEngine* ChainingTrustEngine::removeTrustEngine(TrustEngine* oldEngine)
  91 {
  92     vector<TrustEngine*>::iterator i = find(m_engines.begin(), m_engines.end(), oldEngine);
  93     if (i != m_engines.end()) {
  94         m_engines.erase(i);
  95
  96         SignatureTrustEngine* sig = dynamic_cast<SignatureTrustEngine*>(oldEngine);
  97         if (sig) {
  98             vector<SignatureTrustEngine*>::iterator s = find(m_sigEngines.begin(), m_sigEngines.end(), sig);
  99             if (s != m_sigEngines.end())
 100                 m_sigEngines.erase(s);
 101         }
 102
 103         X509TrustEngine* x509 = dynamic_cast<X509TrustEngine*>(oldEngine);
 104         if (x509) {
 105             vector<X509TrustEngine*>::iterator x = find(m_x509Engines.begin(), m_x509Engines.end(), x509);
 106             if (x != m_x509Engines.end())
 107                 m_x509Engines.erase(x);
 108         }
 109
 110         OpenSSLTrustEngine* ossl = dynamic_cast<OpenSSLTrustEngine*>(oldEngine);
 111         if (ossl) {
 112             vector<OpenSSLTrustEngine*>::iterator o = find(m_osslEngines.begin(), m_osslEngines.end(), ossl);
 113             if (o != m_osslEngines.end())
 114                 m_osslEngines.erase(o);
 115         }
 116
 117         return oldEngine;
 118     }
 119     return nullptr;
 120 }
 121
 122 bool ChainingTrustEngine::validate(Signature& sig, const CredentialResolver& credResolver, CredentialCriteria* criteria) const
 123 {
 124     unsigned int usage = criteria ? criteria->getUsage() : 0;
 125     for (vector<SignatureTrustEngine*>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
 126         if ((*i)->validate(sig,credResolver,criteria))
 127             return true;
 128         if (criteria) {
 129             criteria->reset();
 130             criteria->setUsage(usage);
 131         }
 132     }
 133     return false;
 134 }
 135
 136 bool ChainingTrustEngine::validate(
 137     const XMLCh* sigAlgorithm,
 138     const char* sig,
 139     KeyInfo* keyInfo,
 140     const char* in,
 141     unsigned int in_len,
 142     const CredentialResolver& credResolver,
 143     CredentialCriteria* criteria
 144     ) const
 145 {
 146     unsigned int usage = criteria ? criteria->getUsage() : 0;
 147     for (vector<SignatureTrustEngine*>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
 148         if ((*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, credResolver, criteria))
 149             return true;
 150         if (criteria) {
 151             criteria->reset();
 152             criteria->setUsage(usage);
 153         }
 154     }
 155     return false;
 156 }
 157
 158 bool ChainingTrustEngine::validate(
 159     XSECCryptoX509* certEE,
 160     const vector<XSECCryptoX509*>& certChain,
 161     const CredentialResolver& credResolver,
 162     CredentialCriteria* criteria
 163     ) const
 164 {
 165     unsigned int usage = criteria ? criteria->getUsage() : 0;
 166     for (vector<X509TrustEngine*>::const_iterator i=m_x509Engines.begin(); i!=m_x509Engines.end(); ++i) {
 167         if ((*i)->validate(certEE,certChain,credResolver,criteria))
 168             return true;
 169         if (criteria) {
 170             criteria->reset();
 171             criteria->setUsage(usage);
 172         }
 173     }
 174     return false;
 175 }
 176
 177 bool ChainingTrustEngine::validate(
 178     X509* certEE,
 179     STACK_OF(X509)* certChain,
 180     const CredentialResolver& credResolver,
 181     CredentialCriteria* criteria
 182     ) const
 183 {
 184     unsigned int usage = criteria ? criteria->getUsage() : 0;
 185     for (vector<OpenSSLTrustEngine*>::const_iterator i=m_osslEngines.begin(); i!=m_osslEngines.end(); ++i) {
 186         if ((*i)->validate(certEE,certChain,credResolver,criteria))
 187             return true;
 188         if (criteria) {
 189             criteria->reset();
 190             criteria->setUsage(usage);
 191         }
 192     }
 193     return false;
 194 }