projects / shibboleth / cpp-xmltooling.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Reducing header overuse, non-inlining selected methods (CPPOST-35).
[shibboleth/cpp-xmltooling.git] / xmltooling / security / impl / CredentialCriteria.cpp
1 /*
2  *  Copyright 2001-2009 Internet2
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * CredentialCriteria.cpp
19  *
20  * Class for specifying criteria by which a CredentialResolver should resolve credentials.
21  */
22
23 #include "internal.h"
24 #include "logging.h"
25 #include "XMLToolingConfig.h"
26 #include "security/X509Credential.h"
27 #include "security/CredentialCriteria.h"
28 #include "security/KeyInfoResolver.h"
29 #include "security/SecurityHelper.h"
30 #include "signature/Signature.h"
31
32 #include <openssl/dsa.h>
33 #include <openssl/rsa.h>
34 #include <xsec/dsig/DSIGKeyInfoList.hpp>
35 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
36 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
37
38 using xmlsignature::KeyInfo;
39 using xmlsignature::Signature;
40 using namespace xmltooling;
41 using namespace std;
42
43 CredentialCriteria::CredentialCriteria()
44     : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(NULL),
45         m_keyInfo(NULL), m_nativeKeyInfo(NULL), m_credential(NULL)
46 {
47 }
48
49 CredentialCriteria::~CredentialCriteria()
50 {
51     delete m_credential;
52 }
53
54 unsigned int CredentialCriteria::getUsage() const
55 {
56     return m_keyUsage;
57 }
58
59 void CredentialCriteria::setUsage(unsigned int usage)
60 {
61     m_keyUsage = usage;
62 }
63
64 const char* CredentialCriteria::getPeerName() const
65 {
66     return m_peerName.c_str();
67 }
68
69 void CredentialCriteria::setPeerName(const char* peerName)
70 {
71     m_peerName.erase();
72     if (peerName)
73         m_peerName = peerName;
74 }
75
76 const char* CredentialCriteria::getKeyAlgorithm() const
77 {
78     return m_keyAlgorithm.c_str();
79 }
80
81 void CredentialCriteria::setKeyAlgorithm(const char* keyAlgorithm)
82 {
83     m_keyAlgorithm.erase();
84     if (keyAlgorithm)
85         m_keyAlgorithm = keyAlgorithm;
86 }
87
88 unsigned int CredentialCriteria::getKeySize() const
89 {
90     return m_keySize;
91 }
92
93 void CredentialCriteria::setKeySize(unsigned int keySize)
94 {
95     m_keySize = keySize;
96 }
97
98 void CredentialCriteria::setXMLAlgorithm(const XMLCh* algorithm)
99 {
100     if (algorithm) {
101         pair<const char*,unsigned int> mapped = XMLToolingConfig::getConfig().mapXMLAlgorithmToKeyAlgorithm(algorithm);
102         setKeyAlgorithm(mapped.first);
103         setKeySize(mapped.second);
104     }
105     else {
106         setKeyAlgorithm(NULL);
107         setKeySize(0);
108     }
109 }
110
111 const set<string>& CredentialCriteria::getKeyNames() const
112 {
113     return m_keyNames;
114 }
115
116 set<string>& CredentialCriteria::getKeyNames()
117 {
118     return m_keyNames;
119 }
120
121 XSECCryptoKey* CredentialCriteria::getPublicKey() const
122 {
123     return m_key;
124 }
125
126 void CredentialCriteria::setPublicKey(XSECCryptoKey* key)
127 {
128     m_key = key;
129 }
130
131 const KeyInfo* CredentialCriteria::getKeyInfo() const
132 {
133     return m_keyInfo;
134 }
135
136 void CredentialCriteria::setKeyInfo(const KeyInfo* keyInfo, int extraction)
137 {
138     delete m_credential;
139     m_credential = NULL;
140     m_keyInfo = keyInfo;
141     if (!keyInfo || !extraction)
142         return;
143
144     int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
145     types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
146     m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
147
148     // Ensure any key names have been sucked out for later if desired.
149     if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
150         X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
151         if (xcred)
152             xcred->extract();
153     }
154 }
155
156 DSIGKeyInfoList* CredentialCriteria::getNativeKeyInfo() const
157 {
158     return m_nativeKeyInfo;
159 }
160
161 void CredentialCriteria::setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction)
162 {
163     delete m_credential;
164     m_credential = NULL;
165     m_nativeKeyInfo = keyInfo;
166     if (!keyInfo || !extraction)
167         return;
168
169     int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
170     types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
171     m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
172
173     // Ensure any key names have been sucked out for later if desired.
174     if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
175         X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
176         if (xcred)
177             xcred->extract();
178     }
179 }
180
181 void CredentialCriteria::setSignature(const Signature& sig, int extraction)
182 {
183     setXMLAlgorithm(sig.getSignatureAlgorithm());
184     KeyInfo* k = sig.getKeyInfo();
185     if (k)
186         return setKeyInfo(k, extraction);
187     DSIGSignature* dsig = sig.getXMLSignature();
188     if (dsig)
189         setNativeKeyInfo(dsig->getKeyInfoList(), extraction);
190 }
191
192 bool CredentialCriteria::matches(const Credential& credential) const
193 {
194     // Usage check, if specified and we have one, compare masks.
195     if (getUsage() != Credential::UNSPECIFIED_CREDENTIAL) {
196         if (credential.getUsage() != Credential::UNSPECIFIED_CREDENTIAL)
197             if ((getUsage() & credential.getUsage()) == 0)
198                 return false;
199     }
200
201     // Algorithm check, if specified and we have one.
202     const char* alg = getKeyAlgorithm();
203     if (alg && *alg) {
204         const char* alg2 = credential.getAlgorithm();
205         if (alg2 && *alg2)
206             if (strcmp(alg,alg2))
207                 return false;
208     }
209
210     // KeySize check, if specified and we have one.
211     if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize())
212         return false;
213
214     // See if we can test key names.
215     set<string> critnames = getKeyNames();
216     if (m_credential)
217         critnames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
218     const set<string>& crednames = credential.getKeyNames();
219     if (!critnames.empty() && !crednames.empty()) {
220         bool found = false;
221         for (set<string>::const_iterator n = critnames.begin(); n!=critnames.end(); ++n) {
222             if (crednames.count(*n)>0) {
223                 found = true;
224                 break;
225             }
226         }
227         if (!found)
228             return false;
229     }
230
231     // See if we have to match a specific key.
232     const XSECCryptoKey* key1 = getPublicKey();
233     if (!key1 && m_credential)
234         key1 = m_credential->getPublicKey();
235     if (!key1)
236         return true;    // no key to compare against, so we're done
237
238     const XSECCryptoKey* key2 = credential.getPublicKey();
239     if (!key2)
240         return true;   // no key here, so we can't test it
241
242     return SecurityHelper::matches(*key1, *key2);
243 }
Unnamed repository; edit this file 'description' to name the repository.