xmltooling/security/impl/CredentialCriteria.cpp

   1 /*
   2  *  Copyright 2001-2009 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * CredentialCriteria.cpp
  19  *
  20  * Class for specifying criteria by which a CredentialResolver should resolve credentials.
  21  */
  22
  23 #include "internal.h"
  24 #include "logging.h"
  25 #include "security/X509Credential.h"
  26 #include "security/CredentialCriteria.h"
  27 #include "security/KeyInfoResolver.h"
  28 #include "security/SecurityHelper.h"
  29
  30 #include <openssl/dsa.h>
  31 #include <openssl/rsa.h>
  32 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
  33 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
  34
  35 using namespace xmltooling;
  36 using namespace std;
  37
  38 void CredentialCriteria::setKeyInfo(const xmlsignature::KeyInfo* keyInfo, int extraction)
  39 {
  40     delete m_credential;
  41     m_credential = NULL;
  42     m_keyInfo = keyInfo;
  43     if (!keyInfo || !extraction)
  44         return;
  45
  46     int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
  47     types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
  48     m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
  49
  50     // Ensure any key names have been sucked out for later if desired.
  51     if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
  52         X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
  53         if (xcred)
  54             xcred->extract();
  55     }
  56 }
  57
  58 void CredentialCriteria::setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction)
  59 {
  60     delete m_credential;
  61     m_credential = NULL;
  62     m_nativeKeyInfo = keyInfo;
  63     if (!keyInfo || !extraction)
  64         return;
  65
  66     int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
  67     types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
  68     m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
  69
  70     // Ensure any key names have been sucked out for later if desired.
  71     if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
  72         X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
  73         if (xcred)
  74             xcred->extract();
  75     }
  76 }
  77
  78 void CredentialCriteria::setSignature(const xmlsignature::Signature& sig, int extraction)
  79 {
  80     setXMLAlgorithm(sig.getSignatureAlgorithm());
  81     xmlsignature::KeyInfo* k = sig.getKeyInfo();
  82     if (k)
  83         return setKeyInfo(k, extraction);
  84     DSIGSignature* dsig = sig.getXMLSignature();
  85     if (dsig)
  86         setNativeKeyInfo(dsig->getKeyInfoList(), extraction);
  87 }
  88
  89 bool CredentialCriteria::matches(const Credential& credential) const
  90 {
  91     // Usage check, if specified and we have one, compare masks.
  92     if (getUsage() != Credential::UNSPECIFIED_CREDENTIAL) {
  93         if (credential.getUsage() != Credential::UNSPECIFIED_CREDENTIAL)
  94             if ((getUsage() & credential.getUsage()) == 0)
  95                 return false;
  96     }
  97
  98     // Algorithm check, if specified and we have one.
  99     const char* alg = getKeyAlgorithm();
 100     if (alg && *alg) {
 101         const char* alg2 = credential.getAlgorithm();
 102         if (alg2 && *alg2)
 103             if (strcmp(alg,alg2))
 104                 return false;
 105     }
 106
 107     // KeySize check, if specified and we have one.
 108     if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize())
 109         return false;
 110
 111     // See if we can test key names.
 112     set<string> critnames = getKeyNames();
 113     if (m_credential)
 114         critnames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
 115     const set<string>& crednames = credential.getKeyNames();
 116     if (!critnames.empty() && !crednames.empty()) {
 117         bool found = false;
 118         for (set<string>::const_iterator n = critnames.begin(); n!=critnames.end(); ++n) {
 119             if (crednames.count(*n)>0) {
 120                 found = true;
 121                 break;
 122             }
 123         }
 124         if (!found)
 125             return false;
 126     }
 127
 128     // See if we have to match a specific key.
 129     const XSECCryptoKey* key1 = getPublicKey();
 130     if (!key1 && m_credential)
 131         key1 = m_credential->getPublicKey();
 132     if (!key1)
 133         return true;    // no key to compare against, so we're done
 134
 135     const XSECCryptoKey* key2 = credential.getPublicKey();
 136     if (!key2)
 137         return true;   // no key here, so we can't test it
 138
 139     return SecurityHelper::matches(*key1, *key2);
 140 }