2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * CredentialCriteria.cpp
20 * Class for specifying criteria by which a CredentialResolver should resolve credentials.
25 #include "XMLToolingConfig.h"
26 #include "security/X509Credential.h"
27 #include "security/CredentialCriteria.h"
28 #include "security/KeyInfoResolver.h"
29 #include "security/SecurityHelper.h"
30 #include "signature/Signature.h"
32 #include <openssl/dsa.h>
33 #include <openssl/rsa.h>
34 #include <xsec/dsig/DSIGKeyInfoList.hpp>
35 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
36 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
38 using xmlsignature::KeyInfo;
39 using xmlsignature::Signature;
40 using namespace xmltooling::logging;
41 using namespace xmltooling;
44 CredentialCriteria::CredentialCriteria()
45 : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_maxKeySize(0), m_key(nullptr),
46 m_keyInfo(nullptr), m_nativeKeyInfo(nullptr), m_credential(nullptr)
50 CredentialCriteria::~CredentialCriteria()
55 unsigned int CredentialCriteria::getUsage() const
60 void CredentialCriteria::setUsage(unsigned int usage)
65 const char* CredentialCriteria::getPeerName() const
67 return m_peerName.c_str();
70 void CredentialCriteria::setPeerName(const char* peerName)
74 m_peerName = peerName;
77 const char* CredentialCriteria::getKeyAlgorithm() const
79 return m_keyAlgorithm.c_str();
82 void CredentialCriteria::setKeyAlgorithm(const char* keyAlgorithm)
84 m_keyAlgorithm.erase();
86 m_keyAlgorithm = keyAlgorithm;
89 unsigned int CredentialCriteria::getKeySize() const
94 void CredentialCriteria::setKeySize(unsigned int keySize)
99 unsigned int CredentialCriteria::getMaxKeySize() const
104 void CredentialCriteria::setMaxKeySize(unsigned int keySize)
106 m_maxKeySize = keySize;
109 void CredentialCriteria::setXMLAlgorithm(const XMLCh* algorithm)
112 pair<const char*,unsigned int> mapped = XMLToolingConfig::getConfig().mapXMLAlgorithmToKeyAlgorithm(algorithm);
113 setKeyAlgorithm(mapped.first);
114 setKeySize(mapped.second);
117 setKeyAlgorithm(nullptr);
122 const set<string>& CredentialCriteria::getKeyNames() const
127 set<string>& CredentialCriteria::getKeyNames()
132 XSECCryptoKey* CredentialCriteria::getPublicKey() const
137 void CredentialCriteria::setPublicKey(XSECCryptoKey* key)
142 const KeyInfo* CredentialCriteria::getKeyInfo() const
147 void CredentialCriteria::setKeyInfo(const KeyInfo* keyInfo, int extraction)
150 m_credential = nullptr;
152 if (!keyInfo || !extraction)
155 int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
156 types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
157 m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
159 // Ensure any key names have been sucked out for later if desired.
160 if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
161 X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
167 DSIGKeyInfoList* CredentialCriteria::getNativeKeyInfo() const
169 return m_nativeKeyInfo;
172 void CredentialCriteria::setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction)
175 m_credential = nullptr;
176 m_nativeKeyInfo = keyInfo;
177 if (!keyInfo || !extraction)
180 int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
181 types |= (extraction & KEYINFO_EXTRACTION_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
182 m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
184 // Ensure any key names have been sucked out for later if desired.
185 if (extraction & KEYINFO_EXTRACTION_KEYNAMES) {
186 X509Credential* xcred = dynamic_cast<X509Credential*>(m_credential);
192 void CredentialCriteria::setSignature(const Signature& sig, int extraction)
194 setXMLAlgorithm(sig.getSignatureAlgorithm());
195 KeyInfo* k = sig.getKeyInfo();
197 return setKeyInfo(k, extraction);
198 DSIGSignature* dsig = sig.getXMLSignature();
200 setNativeKeyInfo(dsig->getKeyInfoList(), extraction);
203 bool CredentialCriteria::matches(const Credential& credential) const
205 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".CredentialCriteria");
207 // Usage check, if specified and we have one, compare masks.
208 if (getUsage() != Credential::UNSPECIFIED_CREDENTIAL) {
209 if (credential.getUsage() != Credential::UNSPECIFIED_CREDENTIAL)
210 if ((getUsage() & credential.getUsage()) == 0) {
211 if (log.isDebugEnabled())
212 log.debug("usage didn't match (%u != %u)", getUsage(), credential.getUsage());
217 // Algorithm check, if specified and we have one.
218 const char* alg = getKeyAlgorithm();
220 const char* alg2 = credential.getAlgorithm();
222 if (strcmp(alg,alg2)) {
223 if (log.isDebugEnabled())
224 log.debug("key algorithm didn't match ('%s' != '%s')", getKeyAlgorithm(), credential.getAlgorithm());
230 // KeySize check, if specified and we have one.
231 if (credential.getKeySize() > 0) {
232 if (m_keySize > 0 && m_maxKeySize == 0) {
233 if (credential.getKeySize() != m_keySize) {
234 log.debug("key size (%u) didn't match (%u)", credential.getKeySize(), m_keySize);
238 else if (m_keySize > 0 && credential.getKeySize() < m_keySize) {
239 log.debug("key size (%u) smaller than minimum (%u)", credential.getKeySize(), m_keySize);
242 else if (m_maxKeySize > 0 && credential.getKeySize() > m_maxKeySize) {
243 log.debug("key size (%u) larger than maximum (%u)", credential.getKeySize(), m_maxKeySize);
248 // See if we can test key names.
249 set<string> critnames = getKeyNames();
251 critnames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
252 const set<string>& crednames = credential.getKeyNames();
253 if (!critnames.empty() && !crednames.empty()) {
255 for (set<string>::const_iterator n = critnames.begin(); n!=critnames.end(); ++n) {
256 if (crednames.count(*n)>0) {
262 log.debug("credential name(s) didn't overlap");
267 // See if we have to match a specific key.
268 const XSECCryptoKey* key1 = getPublicKey();
269 if (!key1 && m_credential)
270 key1 = m_credential->getPublicKey();
272 return true; // no key to compare against, so we're done
274 const XSECCryptoKey* key2 = credential.getPublicKey();
276 return true; // no key here, so we can't test it
278 if (SecurityHelper::matches(*key1, *key2))
281 log.debug("keys didn't match");