xmltooling/security/impl/ExplicitKeyTrustEngine.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * ExplicitKeyTrustEngine.cpp
  19  *
  20  * TrustEngine based on explicit knowledge of peer key information.
  21  */
  22
  23 #include "internal.h"
  24 #include "logging.h"
  25 #include "security/Credential.h"
  26 #include "security/CredentialCriteria.h"
  27 #include "security/CredentialResolver.h"
  28 #include "security/OpenSSLTrustEngine.h"
  29 #include "security/SignatureTrustEngine.h"
  30 #include "signature/SignatureValidator.h"
  31 #include "util/NDC.h"
  32
  33 #include <xercesc/util/XMLUniDefs.hpp>
  34 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
  35 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
  36 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
  37
  38 using namespace xmlsignature;
  39 using namespace xmltooling::logging;
  40 using namespace xmltooling;
  41 using namespace std;
  42
  43 using xercesc::DOMElement;
  44
  45 namespace xmltooling {
  46     class XMLTOOL_DLLLOCAL ExplicitKeyTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
  47     {
  48     public:
  49         ExplicitKeyTrustEngine(const DOMElement* e) : TrustEngine(e) {}
  50         virtual ~ExplicitKeyTrustEngine() {}
  51
  52         virtual bool validate(
  53             Signature& sig,
  54             const CredentialResolver& credResolver,
  55             CredentialCriteria* criteria=NULL
  56             ) const;
  57         virtual bool validate(
  58             const XMLCh* sigAlgorithm,
  59             const char* sig,
  60             KeyInfo* keyInfo,
  61             const char* in,
  62             unsigned int in_len,
  63             const CredentialResolver& credResolver,
  64             CredentialCriteria* criteria=NULL
  65             ) const;
  66         virtual bool validate(
  67             XSECCryptoX509* certEE,
  68             const vector<XSECCryptoX509*>& certChain,
  69             const CredentialResolver& credResolver,
  70             CredentialCriteria* criteria=NULL
  71             ) const;
  72         virtual bool validate(
  73             X509* certEE,
  74             STACK_OF(X509)* certChain,
  75             const CredentialResolver& credResolver,
  76             CredentialCriteria* criteria=NULL
  77             ) const;
  78     };
  79
  80     TrustEngine* XMLTOOL_DLLLOCAL ExplicitKeyTrustEngineFactory(const DOMElement* const & e)
  81     {
  82         return new ExplicitKeyTrustEngine(e);
  83     }
  84 };
  85
  86 bool ExplicitKeyTrustEngine::validate(
  87     Signature& sig,
  88     const CredentialResolver& credResolver,
  89     CredentialCriteria* criteria
  90     ) const
  91 {
  92 #ifdef _DEBUG
  93     NDC ndc("validate");
  94 #endif
  95     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."EXPLICIT_KEY_TRUSTENGINE);
  96
  97     vector<const Credential*> credentials;
  98     if (criteria) {
  99         criteria->setUsage(Credential::SIGNING_CREDENTIAL);
 100         criteria->setSignature(sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY);
 101         credResolver.resolve(credentials,criteria);
 102     }
 103     else {
 104         CredentialCriteria cc;
 105         cc.setUsage(Credential::SIGNING_CREDENTIAL);
 106         cc.setSignature(sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY);
 107         credResolver.resolve(credentials,&cc);
 108     }
 109     if (credentials.empty()) {
 110         log.debug("unable to validate signature, no credentials available from peer");
 111         return false;
 112     }
 113
 114     log.debug("attempting to validate signature with the peer's credentials");
 115     SignatureValidator sigValidator;
 116     for (vector<const Credential*>::const_iterator c=credentials.begin(); c!=credentials.end(); ++c) {
 117         sigValidator.setCredential(*c);
 118         try {
 119             sigValidator.validate(&sig);
 120             log.debug("signature validated with credential");
 121             return true;
 122         }
 123         catch (ValidationException& e) {
 124             log.debug("public key did not validate signature: %s", e.what());
 125         }
 126     }
 127
 128     log.debug("no peer credentials validated the signature");
 129     return false;
 130 }
 131
 132 bool ExplicitKeyTrustEngine::validate(
 133     const XMLCh* sigAlgorithm,
 134     const char* sig,
 135     KeyInfo* keyInfo,
 136     const char* in,
 137     unsigned int in_len,
 138     const CredentialResolver& credResolver,
 139     CredentialCriteria* criteria
 140     ) const
 141 {
 142 #ifdef _DEBUG
 143     NDC ndc("validate");
 144 #endif
 145     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."EXPLICIT_KEY_TRUSTENGINE);
 146
 147     vector<const Credential*> credentials;
 148     if (criteria) {
 149         criteria->setUsage(Credential::SIGNING_CREDENTIAL);
 150         criteria->setKeyInfo(keyInfo, CredentialCriteria::KEYINFO_EXTRACTION_KEY);
 151         criteria->setXMLAlgorithm(sigAlgorithm);
 152         credResolver.resolve(credentials,criteria);
 153     }
 154     else {
 155         CredentialCriteria cc;
 156         cc.setUsage(Credential::SIGNING_CREDENTIAL);
 157         cc.setKeyInfo(keyInfo, CredentialCriteria::KEYINFO_EXTRACTION_KEY);
 158         cc.setXMLAlgorithm(sigAlgorithm);
 159         credResolver.resolve(credentials,&cc);
 160     }
 161     if (credentials.empty()) {
 162         log.debug("unable to validate signature, no credentials available from peer");
 163         return false;
 164     }
 165
 166     log.debug("attempting to validate signature with the peer's credentials");
 167     for (vector<const Credential*>::const_iterator c=credentials.begin(); c!=credentials.end(); ++c) {
 168         if ((*c)->getPublicKey()) {
 169             try {
 170                 if (Signature::verifyRawSignature((*c)->getPublicKey(), sigAlgorithm, sig, in, in_len)) {
 171                     log.debug("signature validated with public key");
 172                     return true;
 173                 }
 174             }
 175             catch (SignatureException& e) {
 176                 if (log.isDebugEnabled()) {
 177                     log.debug("public key did not validate signature: %s", e.what());
 178                 }
 179             }
 180         }
 181     }
 182
 183     log.debug("no peer credentials validated the signature");
 184     return false;
 185 }
 186
 187 bool ExplicitKeyTrustEngine::validate(
 188     XSECCryptoX509* certEE,
 189     const vector<XSECCryptoX509*>& certChain,
 190     const CredentialResolver& credResolver,
 191     CredentialCriteria* criteria
 192     ) const
 193 {
 194 #ifdef _DEBUG
 195         NDC ndc("validate");
 196 #endif
 197     if (!certEE) {
 198         Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."EXPLICIT_KEY_TRUSTENGINE).error("unable to validate, end-entity certificate was null");
 199         return false;
 200     }
 201     else if (certEE->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
 202         Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."EXPLICIT_KEY_TRUSTENGINE).error("only the OpenSSL XSEC provider is supported");
 203         return false;
 204     }
 205
 206     return validate(static_cast<OpenSSLCryptoX509*>(certEE)->getOpenSSLX509(), NULL, credResolver, criteria);
 207 }
 208
 209 bool ExplicitKeyTrustEngine::validate(
 210     X509* certEE,
 211     STACK_OF(X509)* certChain,
 212     const CredentialResolver& credResolver,
 213     CredentialCriteria* criteria
 214     ) const
 215 {
 216 #ifdef _DEBUG
 217     NDC ndc("validate");
 218 #endif
 219     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."EXPLICIT_KEY_TRUSTENGINE);
 220
 221     if (!certEE) {
 222         log.error("unable to validate, end-entity certificate was null");
 223         return false;
 224     }
 225
 226     vector<const Credential*> credentials;
 227     if (criteria) {
 228         if (criteria->getUsage()==Credential::UNSPECIFIED_CREDENTIAL)
 229             criteria->setUsage(Credential::SIGNING_CREDENTIAL);
 230         credResolver.resolve(credentials,criteria);
 231     }
 232     else {
 233         CredentialCriteria cc;
 234         cc.setUsage(Credential::SIGNING_CREDENTIAL);
 235         credResolver.resolve(credentials,&cc);
 236     }
 237     if (credentials.empty()) {
 238         log.debug("unable to validate certificate, no credentials available from peer");
 239         return false;
 240     }
 241
 242     // The "explicit" trust implementation relies solely on keys living within the
 243     // peer resolver to verify the EE certificate.
 244
 245     log.debug("attempting to match credentials from peer with end-entity certificate");
 246     for (vector<const Credential*>::const_iterator c=credentials.begin(); c!=credentials.end(); ++c) {
 247         XSECCryptoKey* key = (*c)->getPublicKey();
 248         if (key) {
 249             if (key->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
 250                 log.error("only the OpenSSL XSEC provider is supported");
 251                 continue;
 252             }
 253             switch (key->getKeyType()) {
 254                 case XSECCryptoKey::KEY_RSA_PUBLIC:
 255                 {
 256                     RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
 257                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
 258                     if (rsa && evp && evp->type == EVP_PKEY_RSA &&
 259                             BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
 260                         if (evp)
 261                             EVP_PKEY_free(evp);
 262                         log.debug("end-entity certificate matches peer RSA key information");
 263                         return true;
 264                     }
 265                     if (evp)
 266                         EVP_PKEY_free(evp);
 267                     break;
 268                 }
 269
 270                 case XSECCryptoKey::KEY_DSA_PUBLIC:
 271                 {
 272                     DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
 273                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
 274                     if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
 275                         if (evp)
 276                             EVP_PKEY_free(evp);
 277                         log.debug("end-entity certificate matches peer DSA key information");
 278                         return true;
 279                     }
 280                     if (evp)
 281                         EVP_PKEY_free(evp);
 282                     break;
 283                 }
 284
 285                 default:
 286                     log.warn("unknown peer key type, skipping...");
 287             }
 288         }
 289     }
 290
 291     log.debug("no keys within this peer's key information matched the given end-entity certificate");
 292     return false;
 293 }