2 * Copyright 2001-2009 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * CredentialCriteria.cpp
20 * Class for specifying criteria by which a CredentialResolver should resolve credentials.
25 #include "XMLToolingConfig.h"
26 #include "security/X509Credential.h"
27 #include "security/CredentialCriteria.h"
28 #include "security/KeyInfoResolver.h"
29 #include "security/SecurityHelper.h"
30 #include "signature/Signature.h"
32 #include <openssl/dsa.h>
33 #include <openssl/rsa.h>
34 #include <xsec/dsig/DSIGKeyInfoList.hpp>
35 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
36 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
38 using namespace xmltooling;
41 CredentialCriteria::CredentialCriteria()
42 : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(NULL),
43 m_keyInfo(NULL), m_nativeKeyInfo(NULL), m_credential(NULL)
47 CredentialCriteria::~CredentialCriteria()
52 void CredentialCriteria::setXMLAlgorithm(const XMLCh* algorithm)
55 pair<const char*,unsigned int> mapped = XMLToolingConfig::getConfig().mapXMLAlgorithmToKeyAlgorithm(algorithm);
56 setKeyAlgorithm(mapped.first);
57 setKeySize(mapped.second);
60 setKeyAlgorithm(NULL);
65 void CredentialCriteria::setKeyInfo(const xmlsignature::KeyInfo* keyInfo, int extraction)
70 if (!keyInfo || !extraction)
73 int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
74 types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
75 m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
77 // Ensure any key names have been sucked out for later if desired.
78 if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
79 X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
85 void CredentialCriteria::setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction)
89 m_nativeKeyInfo = keyInfo;
90 if (!keyInfo || !extraction)
93 int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
94 types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
95 m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
97 // Ensure any key names have been sucked out for later if desired.
98 if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
99 X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
105 void CredentialCriteria::setSignature(const xmlsignature::Signature& sig, int extraction)
107 setXMLAlgorithm(sig.getSignatureAlgorithm());
108 xmlsignature::KeyInfo* k = sig.getKeyInfo();
110 return setKeyInfo(k, extraction);
111 DSIGSignature* dsig = sig.getXMLSignature();
113 setNativeKeyInfo(dsig->getKeyInfoList(), extraction);
116 bool CredentialCriteria::matches(const Credential& credential) const
118 // Usage check, if specified and we have one, compare masks.
119 if (getUsage() != Credential::UNSPECIFIED_CREDENTIAL) {
120 if (credential.getUsage() != Credential::UNSPECIFIED_CREDENTIAL)
121 if ((getUsage() & credential.getUsage()) == 0)
125 // Algorithm check, if specified and we have one.
126 const char* alg = getKeyAlgorithm();
128 const char* alg2 = credential.getAlgorithm();
130 if (strcmp(alg,alg2))
134 // KeySize check, if specified and we have one.
135 if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize())
138 // See if we can test key names.
139 set<string> critnames = getKeyNames();
141 critnames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
142 const set<string>& crednames = credential.getKeyNames();
143 if (!critnames.empty() && !crednames.empty()) {
145 for (set<string>::const_iterator n = critnames.begin(); n!=critnames.end(); ++n) {
146 if (crednames.count(*n)>0) {
155 // See if we have to match a specific key.
156 const XSECCryptoKey* key1 = getPublicKey();
157 if (!key1 && m_credential)
158 key1 = m_credential->getPublicKey();
160 return true; // no key to compare against, so we're done
162 const XSECCryptoKey* key2 = credential.getPublicKey();
164 return true; // no key here, so we can't test it
166 return SecurityHelper::matches(*key1, *key2);