2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * FilesystemCredentialResolver.cpp
20 * Supplies credentials from local files
24 #include "security/BasicX509Credential.h"
25 #include "security/CredentialCriteria.h"
26 #include "security/CredentialResolver.h"
27 #include "security/KeyInfoResolver.h"
28 #include "security/OpenSSLCredential.h"
30 #include "util/XMLHelper.h"
32 #include <sys/types.h>
34 #include <openssl/pkcs12.h>
35 #include <log4cpp/Category.hh>
36 #include <xercesc/util/XMLUniDefs.hpp>
37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
38 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
41 using namespace xmlsignature;
42 using namespace xmltooling;
43 using namespace log4cpp;
46 // OpenSSL password callback...
47 static int passwd_callback(char* buf, int len, int verify, void* passwd)
51 if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
53 strcpy(buf,reinterpret_cast<char*>(passwd));
60 namespace xmltooling {
62 #if defined (_MSC_VER)
63 #pragma warning( push )
64 #pragma warning( disable : 4250 )
67 class XMLTOOL_DLLLOCAL FilesystemCredentialResolver;
68 class XMLTOOL_DLLLOCAL FilesystemCredential : public OpenSSLCredential, public BasicX509Credential
71 FilesystemCredential(FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts)
72 : BasicX509Credential(key, xseccerts), m_resolver(resolver) {
75 virtual ~FilesystemCredential() {}
76 void attach(SSL_CTX* ctx) const;
78 FilesystemCredentialResolver* m_resolver;
81 #if defined (_MSC_VER)
82 #pragma warning( pop )
85 class XMLTOOL_DLLLOCAL FilesystemCredentialResolver : public CredentialResolver
88 FilesystemCredentialResolver(const DOMElement* e);
89 virtual ~FilesystemCredentialResolver() {
91 for_each(m_certs.begin(),m_certs.end(),X509_free);
94 Lockable* lock() { return this; }
97 const Credential* resolve(const CredentialCriteria* criteria=NULL) const {
98 return matches(criteria) ? m_credential : NULL;
101 virtual vector<const Credential*>::size_type resolve(
102 vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
104 if (matches(criteria)) {
105 results.push_back(m_credential);
111 void attach(SSL_CTX* ctx) const;
114 XSECCryptoKey* loadKey();
115 bool matches(const CredentialCriteria* criteria) const {
118 // See if algorithm is kosher.
119 const char* alg = criteria->getKeyAlgorithm();
122 for (vector<string>::const_iterator a = m_algorithms.begin(); a!=m_algorithms.end(); ++a) {
123 if (strstr(alg, a->c_str()))
127 if (match && m_credential->getPublicKey()) {
128 // See if we have to match a specific key.
129 auto_ptr<Credential> cred(
130 XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(*criteria,Credential::RESOLVE_KEYS)
133 match = cred->isEqual(*(m_credential->getPublicKey()));
139 enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
141 format_t getEncodingFormat(BIO* in) const;
142 string formatToString(format_t format) const;
143 format_t xmlFormatToFormat(const XMLCh* format_xml) const;
145 format_t m_keyformat;
146 string m_keypath,m_keypass;
147 vector<X509*> m_certs;
148 FilesystemCredential* m_credential;
149 vector<string> m_algorithms;
152 CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
154 return new FilesystemCredentialResolver(e);
158 static const XMLCh AlgorithmPrefix[] = UNICODE_LITERAL_15(A,l,g,o,r,i,t,h,m,P,r,e,f,i,x);
159 static const XMLCh CAPath[] = UNICODE_LITERAL_6(C,A,P,a,t,h);
160 static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
161 static const XMLCh format[] = UNICODE_LITERAL_6(f,o,r,m,a,t);
162 static const XMLCh Key[] = UNICODE_LITERAL_3(K,e,y);
163 static const XMLCh password[] = UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
164 static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h);
166 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_credential(NULL)
169 NDC ndc("FilesystemCredentialResolver");
171 Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver");
173 const DOMElement* root=e;
174 e=XMLHelper::getFirstChildElement(root,AlgorithmPrefix);
176 if (e->hasChildNodes()) {
177 auto_ptr_char alg(e->getFirstChild()->getNodeValue());
179 m_algorithms.push_back(alg.get());
181 e=XMLHelper::getNextSiblingElement(e,AlgorithmPrefix);
184 if (m_algorithms.empty()) {
185 m_algorithms.push_back(URI_ID_SIG_BASE);
186 m_algorithms.push_back(URI_ID_SIG_BASEMORE);
187 m_algorithms.push_back("http://www.w3.org/2001/04/xmlenc#rsa");
190 XSECCryptoKey* key=NULL;
191 vector<XSECCryptoX509*> xseccerts;
194 const XMLCh* format_xml=NULL;
198 e=XMLHelper::getFirstChildElement(root,Key);
201 // Get raw format attrib value, but defer processing til later since may need to
202 // determine format dynamically, and we need the Path for that.
203 format_xml=e->getAttributeNS(NULL,format);
205 const XMLCh* password_xml=e->getAttributeNS(NULL,password);
207 auto_ptr_char kp(password_xml);
211 e=XMLHelper::getFirstChildElement(e,Path);
212 if (e && e->hasChildNodes()) {
213 const XMLCh* s=e->getFirstChild()->getNodeValue();
214 auto_ptr_char kpath(s);
216 struct _stat stat_buf;
217 if (_stat(kpath.get(), &stat_buf) != 0)
219 struct stat stat_buf;
220 if (stat(kpath.get(), &stat_buf) != 0)
223 log.error("key file (%s) can't be opened", kpath.get());
224 throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
226 m_keypath=kpath.get();
229 log.error("Path element missing inside Key element");
230 throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
233 // Determine the key encoding format dynamically, if not explicitly specified
234 if (format_xml && *format_xml) {
235 fformat = xmlFormatToFormat(format_xml);
236 if (fformat != UNKNOWN) {
237 m_keyformat = fformat;
240 auto_ptr_char unknown(format_xml);
241 log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
242 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
246 in=BIO_new(BIO_s_file_internal());
247 if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
248 m_keyformat = getEncodingFormat(in);
249 log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
252 log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
253 throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
264 // Check for Certificate
265 e=XMLHelper::getFirstChildElement(root,Certificate);
267 m_credential = new FilesystemCredential(this,key,xseccerts);
270 auto_ptr_char certpass(e->getAttributeNS(NULL,password));
272 DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
273 if (!ep || !ep->hasChildNodes()) {
274 log.error("Path element missing inside Certificate element or is empty");
276 throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
279 auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
280 format_xml=e->getAttributeNS(NULL,format);
281 if (format_xml && *format_xml) {
282 fformat = xmlFormatToFormat(format_xml);
283 if (fformat == UNKNOWN) {
284 auto_ptr_char unknown(format_xml);
285 log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
287 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
294 in=BIO_new(BIO_s_file_internal());
295 if (in && BIO_read_filename(in,certpath.get())>0) {
296 if (!format_xml || !*format_xml) {
297 // Determine the cert encoding format dynamically, if not explicitly specified
298 fformat = getEncodingFormat(in);
299 log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
304 while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
305 m_certs.push_back(x);
309 x=d2i_X509_bio(in,NULL);
311 m_certs.push_back(x);
315 throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
320 p12=d2i_PKCS12_bio(in,NULL);
322 PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
326 m_certs.push_back(x);
331 throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
342 throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
350 throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
352 // Load any extra CA files.
353 DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
355 if (!extra->hasChildNodes()) {
356 log.warn("skipping empty CAPath element");
357 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
360 auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
363 in=BIO_new(BIO_s_file_internal());
364 if (in && BIO_read_filename(in,capath.get())>0) {
365 if (!format_xml || !*format_xml) {
366 // Determine the cert encoding format dynamically, if not explicitly specified
367 fformat = getEncodingFormat(in);
368 log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
373 while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
374 m_certs.push_back(x);
378 x=d2i_X509_bio(in,NULL);
380 m_certs.push_back(x);
384 throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
389 p12 = d2i_PKCS12_bio(in, NULL);
391 PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
395 m_certs.push_back(x);
401 throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
412 log.error("CA file (%s) can't be opened", capath.get());
413 throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
416 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
419 catch (XMLToolingException&) {
421 for_each(m_certs.begin(), m_certs.end(), X509_free);
425 // Reflect certs over to XSEC form and wrap with credential object.
426 for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
427 xseccerts.push_back(new OpenSSLCryptoX509(*j));
428 if (!key && !xseccerts.empty())
429 key = xseccerts.front()->clonePublicKey();
430 m_credential = new FilesystemCredential(this, key, xseccerts);
433 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
441 BIO* in=BIO_new(BIO_s_file_internal());
442 if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
443 switch (m_keyformat) {
445 pkey=PEM_read_bio_PrivateKey(in, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
449 pkey=d2i_PrivateKey_bio(in, NULL);
453 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
455 PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
464 // Now map it to an XSEC wrapper.
466 XSECCryptoKey* ret=NULL;
467 switch (pkey->type) {
469 ret=new OpenSSLCryptoKeyRSA(pkey);
473 ret=new OpenSSLCryptoKeyDSA(pkey);
477 Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver").error("unsupported private key type");
485 throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file.");
488 // Used to determine the encoding format of credentials files
489 // dynamically. Supports: PEM, DER, PKCS12.
490 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
495 const int READSIZE = 1;
501 if ( (mark = BIO_tell(in)) < 0 )
502 throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
503 if ( BIO_read(in, buf, READSIZE) <= 0 )
504 throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
505 if ( BIO_seek(in, mark) < 0 )
506 throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
515 // This is a slight variation of the Java code by Chad La Joie.
517 // Check the first byte of the file. If it's some kind of
518 // DER-encoded structure (including PKCS12), it will begin with ASCII 048.
519 // Otherwise, assume it's PEM.
523 // Here we know it's DER-encoded, now try to parse it as a PKCS12
524 // ASN.1 structure. If it fails, must be another kind of DER-encoded
525 // key/cert structure. A little inefficient...but it works.
526 if ( (p12=d2i_PKCS12_bio(in,NULL)) == NULL ) {
533 if ( BIO_seek(in, mark) < 0 ) {
535 throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
542 // Convert key/cert format_t types to a human-meaningful string for debug output
543 string FilesystemCredentialResolver::formatToString(format_t format) const
557 // Convert key/cert raw XML format attribute (XMLCh[]) to format_t type
558 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
560 static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
561 static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
562 static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };
565 if (!XMLString::compareString(format_xml,cPEM))
567 else if (!XMLString::compareString(format_xml,cDER))
569 else if (!XMLString::compareString(format_xml,cPKCS12))
577 void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
584 SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
585 SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
588 switch (m_keyformat) {
590 ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
594 ret=SSL_CTX_use_RSAPrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
598 BIO* in=BIO_new(BIO_s_file_internal());
599 if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
601 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
603 PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
606 ret=SSL_CTX_use_PrivateKey(ctx, pkey);
618 throw XMLSecurityException("Unable to attach private key to SSL context.");
622 for (vector<X509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) {
623 if (i==m_certs.begin()) {
624 if (SSL_CTX_use_certificate(ctx, *i) != 1) {
626 throw XMLSecurityException("Unable to attach client certificate to SSL context.");
630 // When we add certs, they don't get ref counted, so we need to duplicate them.
631 X509* dup = X509_dup(*i);
632 if (SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
635 throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
641 void FilesystemCredential::attach(SSL_CTX* ctx) const
643 return m_resolver->attach(ctx);