xmltooling/security/impl/ExplicitKeyTrustEngine.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * ExplicitKeyTrustEngine.cpp
  19  *
  20  * TrustEngine based on explicit knowledge of peer key information.
  21  */
  22
  23 #include "internal.h"
  24 #include "security/Credential.h"
  25 #include "security/CredentialCriteria.h"
  26 #include "security/CredentialResolver.h"
  27 #include "security/OpenSSLTrustEngine.h"
  28 #include "signature/SignatureValidator.h"
  29 #include "util/NDC.h"
  30
  31 #include <log4cpp/Category.hh>
  32 #include <xercesc/util/XMLUniDefs.hpp>
  33 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
  34 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
  35 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
  36
  37 using namespace xmlsignature;
  38 using namespace xmltooling;
  39 using namespace log4cpp;
  40 using namespace std;
  41
  42 namespace xmltooling {
  43     class XMLTOOL_DLLLOCAL ExplicitKeyTrustEngine : public OpenSSLTrustEngine
  44     {
  45     public:
  46         ExplicitKeyTrustEngine(const DOMElement* e) : OpenSSLTrustEngine(e) {}
  47         virtual ~ExplicitKeyTrustEngine() {}
  48
  49         virtual bool validate(
  50             Signature& sig,
  51             const CredentialResolver& credResolver,
  52             CredentialCriteria* criteria=NULL
  53             ) const;
  54         virtual bool validate(
  55             const XMLCh* sigAlgorithm,
  56             const char* sig,
  57             KeyInfo* keyInfo,
  58             const char* in,
  59             unsigned int in_len,
  60             const CredentialResolver& credResolver,
  61             CredentialCriteria* criteria=NULL
  62             ) const;
  63         virtual bool validate(
  64             XSECCryptoX509* certEE,
  65             const vector<XSECCryptoX509*>& certChain,
  66             const CredentialResolver& credResolver,
  67             CredentialCriteria* criteria=NULL
  68             ) const;
  69         virtual bool validate(
  70             X509* certEE,
  71             STACK_OF(X509)* certChain,
  72             const CredentialResolver& credResolver,
  73             CredentialCriteria* criteria=NULL
  74             ) const;
  75     };
  76
  77     TrustEngine* XMLTOOL_DLLLOCAL ExplicitKeyTrustEngineFactory(const DOMElement* const & e)
  78     {
  79         return new ExplicitKeyTrustEngine(e);
  80     }
  81 };
  82
  83 bool ExplicitKeyTrustEngine::validate(
  84     Signature& sig,
  85     const CredentialResolver& credResolver,
  86     CredentialCriteria* criteria
  87     ) const
  88 {
  89 #ifdef _DEBUG
  90     NDC ndc("validate");
  91 #endif
  92     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
  93
  94     vector<const Credential*> credentials;
  95     if (criteria) {
  96         criteria->setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
  97         criteria->setSignature(sig);
  98         credResolver.resolve(credentials,criteria);
  99     }
 100     else {
 101         CredentialCriteria cc;
 102         cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
 103         cc.setSignature(sig);
 104         credResolver.resolve(credentials,&cc);
 105     }
 106     if (credentials.empty()) {
 107         log.warn("unable to validate signature, no credentials available from peer");
 108         return false;
 109     }
 110
 111     log.debug("attempting to validate signature with the peer's credentials");
 112     SignatureValidator sigValidator;
 113     for (vector<const Credential*>::const_iterator c=credentials.begin(); c!=credentials.end(); ++c) {
 114         sigValidator.setCredential(*c);
 115         try {
 116             sigValidator.validate(&sig);
 117             log.debug("signature validated with credential");
 118             return true;
 119         }
 120         catch (ValidationException& e) {
 121             log.debug("public key did not validate signature: %s", e.what());
 122         }
 123     }
 124
 125     log.error("no peer credentials validated the signature");
 126     return false;
 127 }
 128
 129 bool ExplicitKeyTrustEngine::validate(
 130     const XMLCh* sigAlgorithm,
 131     const char* sig,
 132     KeyInfo* keyInfo,
 133     const char* in,
 134     unsigned int in_len,
 135     const CredentialResolver& credResolver,
 136     CredentialCriteria* criteria
 137     ) const
 138 {
 139 #ifdef _DEBUG
 140     NDC ndc("validate");
 141 #endif
 142     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
 143
 144     vector<const Credential*> credentials;
 145     if (criteria) {
 146         criteria->setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
 147         criteria->setKeyInfo(keyInfo);
 148         credResolver.resolve(credentials,criteria);
 149     }
 150     else {
 151         CredentialCriteria cc;
 152         cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
 153         cc.setKeyInfo(keyInfo);
 154         credResolver.resolve(credentials,&cc);
 155     }
 156     if (credentials.empty()) {
 157         log.warn("unable to validate signature, no credentials available from peer");
 158         return false;
 159     }
 160
 161     log.debug("attempting to validate signature with the peer's credentials");
 162     for (vector<const Credential*>::const_iterator c=credentials.begin(); c!=credentials.end(); ++c) {
 163         if ((*c)->getPublicKey()) {
 164             try {
 165                 if (Signature::verifyRawSignature((*c)->getPublicKey(), sigAlgorithm, sig, in, in_len)) {
 166                     log.debug("signature validated with public key");
 167                     return true;
 168                 }
 169             }
 170             catch (SignatureException& e) {
 171                 if (log.isDebugEnabled()) {
 172                     log.debug("public key did not validate signature: %s", e.what());
 173                 }
 174             }
 175         }
 176     }
 177
 178     log.error("no peer credentials validated the signature");
 179     return false;
 180 }
 181
 182 bool ExplicitKeyTrustEngine::validate(
 183     XSECCryptoX509* certEE,
 184     const vector<XSECCryptoX509*>& certChain,
 185     const CredentialResolver& credResolver,
 186     CredentialCriteria* criteria
 187     ) const
 188 {
 189 #ifdef _DEBUG
 190         NDC ndc("validate");
 191 #endif
 192     if (!certEE) {
 193         Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("unable to validate, end-entity certificate was null");
 194         return false;
 195     }
 196     else if (certEE->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
 197         Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("only the OpenSSL XSEC provider is supported");
 198         return false;
 199     }
 200
 201     return validate(static_cast<OpenSSLCryptoX509*>(certEE)->getOpenSSLX509(), NULL, credResolver, criteria);
 202 }
 203
 204 bool ExplicitKeyTrustEngine::validate(
 205     X509* certEE,
 206     STACK_OF(X509)* certChain,
 207     const CredentialResolver& credResolver,
 208     CredentialCriteria* criteria
 209     ) const
 210 {
 211 #ifdef _DEBUG
 212     NDC ndc("validate");
 213 #endif
 214     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
 215
 216     if (!certEE) {
 217         log.error("unable to validate, end-entity certificate was null");
 218         return false;
 219     }
 220
 221     vector<const Credential*> credentials;
 222     if (criteria) {
 223         if (criteria->getUsage()==CredentialCriteria::UNSPECIFIED_CREDENTIAL)
 224             criteria->setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
 225         credResolver.resolve(credentials,criteria);
 226     }
 227     else {
 228         CredentialCriteria cc;
 229         cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL);
 230         credResolver.resolve(credentials,&cc);
 231     }
 232     if (credentials.empty()) {
 233         log.warn("unable to validate certificate, no credentials available from peer");
 234         return false;
 235     }
 236
 237     // The "explicit" trust implementation relies solely on keys living within the
 238     // peer resolver to verify the EE certificate.
 239
 240     log.debug("attempting to match credentials from peer with end-entity certificate");
 241     for (vector<const Credential*>::const_iterator c=credentials.begin(); c!=credentials.end(); ++c) {
 242         XSECCryptoKey* key = (*c)->getPublicKey();
 243         if (key) {
 244             log.debug("checking if peer key matches end-entity certificate");
 245             if (key->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
 246                 log.error("only the OpenSSL XSEC provider is supported");
 247                 continue;
 248             }
 249             switch (key->getKeyType()) {
 250                 case XSECCryptoKey::KEY_RSA_PUBLIC:
 251                 {
 252                     RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
 253                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
 254                     if (rsa && evp && evp->type == EVP_PKEY_RSA &&
 255                             BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
 256                         if (evp)
 257                             EVP_PKEY_free(evp);
 258                         log.debug("end-entity certificate matches peer RSA key information");
 259                         return true;
 260                     }
 261                     if (evp)
 262                         EVP_PKEY_free(evp);
 263                     break;
 264                 }
 265
 266                 case XSECCryptoKey::KEY_DSA_PUBLIC:
 267                 {
 268                     DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
 269                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
 270                     if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
 271                         if (evp)
 272                             EVP_PKEY_free(evp);
 273                         log.debug("end-entity certificate matches peer DSA key information");
 274                         return true;
 275                     }
 276                     if (evp)
 277                         EVP_PKEY_free(evp);
 278                     break;
 279                 }
 280
 281                 default:
 282                     log.warn("unknown peer key type, skipping...");
 283             }
 284         }
 285     }
 286
 287     log.debug("no keys within this peer's key information matched the given end-entity certificate");
 288     return false;
 289 }