xmltooling/security/impl/FilesystemCredentialResolver.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * FilesystemCredentialResolver.cpp
  19  *
  20  * Supplies credentials from local files
  21  */
  22
  23 #include "internal.h"
  24 #include "security/BasicX509Credential.h"
  25 #include "security/CredentialCriteria.h"
  26 #include "security/CredentialResolver.h"
  27 #include "security/KeyInfoResolver.h"
  28 #include "security/OpenSSLCredential.h"
  29 #include "util/NDC.h"
  30 #include "util/XMLHelper.h"
  31
  32 #include <sys/types.h>
  33 #include <sys/stat.h>
  34 #include <openssl/pkcs12.h>
  35 #include <log4cpp/Category.hh>
  36 #include <xercesc/util/XMLUniDefs.hpp>
  37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
  38 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
  39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
  40
  41 using namespace xmlsignature;
  42 using namespace xmltooling;
  43 using namespace log4cpp;
  44 using namespace std;
  45
  46 // OpenSSL password callback...
  47 static int passwd_callback(char* buf, int len, int verify, void* passwd)
  48 {
  49     if(!verify)
  50     {
  51         if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
  52         {
  53             strcpy(buf,reinterpret_cast<char*>(passwd));
  54             return strlen(buf);
  55         }
  56     }
  57     return 0;
  58 }
  59
  60 namespace xmltooling {
  61
  62 #if defined (_MSC_VER)
  63     #pragma warning( push )
  64     #pragma warning( disable : 4250 )
  65 #endif
  66
  67     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver;
  68     class XMLTOOL_DLLLOCAL FilesystemCredential : public OpenSSLCredential, public BasicX509Credential
  69     {
  70     public:
  71         FilesystemCredential(FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts)
  72                 : BasicX509Credential(key, xseccerts), m_resolver(resolver) {
  73             initKeyInfo();
  74         }
  75         virtual ~FilesystemCredential() {}
  76         void attach(SSL_CTX* ctx) const;
  77
  78         FilesystemCredentialResolver* m_resolver;
  79     };
  80
  81 #if defined (_MSC_VER)
  82     #pragma warning( pop )
  83 #endif
  84
  85     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver : public CredentialResolver
  86     {
  87     public:
  88         FilesystemCredentialResolver(const DOMElement* e);
  89         virtual ~FilesystemCredentialResolver() {
  90             delete m_credential;
  91             for_each(m_certs.begin(),m_certs.end(),X509_free);
  92         }
  93
  94         Lockable* lock() { return this; }
  95         void unlock() {}
  96
  97         const Credential* resolve(const CredentialCriteria* criteria=NULL) const {
  98             return matches(criteria) ? m_credential : NULL;
  99         }
 100
 101         virtual vector<const Credential*>::size_type resolve(
 102             vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
 103             ) const {
 104             if (matches(criteria)) {
 105                 results.push_back(m_credential);
 106                 return 1;
 107             }
 108             return 0;
 109         }
 110
 111         void attach(SSL_CTX* ctx) const;
 112
 113     private:
 114         XSECCryptoKey* loadKey();
 115         bool matches(const CredentialCriteria* criteria) const {
 116             bool match = true;
 117             if (criteria) {
 118                 // See if algorithm is kosher.
 119                 const char* alg = criteria->getKeyAlgorithm();
 120                 if (alg && *alg) {
 121                     match = false;
 122                     for (vector<string>::const_iterator a = m_algorithms.begin(); a!=m_algorithms.end(); ++a) {
 123                         if (strstr(alg, a->c_str()))
 124                             match = true;
 125                     }
 126                 }
 127                 if (match && m_credential->getPublicKey()) {
 128                     // See if we have to match a specific key.
 129                     auto_ptr<Credential> cred(
 130                         XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(*criteria,Credential::RESOLVE_KEYS)
 131                         );
 132                     if (cred.get())
 133                         match = cred->isEqual(*(m_credential->getPublicKey()));
 134                 }
 135             }
 136             return match;
 137         }
 138
 139         enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
 140
 141         format_t getEncodingFormat(BIO* in) const;
 142         string formatToString(format_t format) const;
 143         format_t xmlFormatToFormat(const XMLCh* format_xml) const;
 144
 145         format_t m_keyformat;
 146         string m_keypath,m_keypass;
 147         vector<X509*> m_certs;
 148         FilesystemCredential* m_credential;
 149         vector<string> m_algorithms;
 150     };
 151
 152     CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
 153     {
 154         return new FilesystemCredentialResolver(e);
 155     }
 156 };
 157
 158 static const XMLCh AlgorithmPrefix[] =  UNICODE_LITERAL_15(A,l,g,o,r,i,t,h,m,P,r,e,f,i,x);
 159 static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);
 160 static const XMLCh Certificate[] =      UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
 161 static const XMLCh format[] =           UNICODE_LITERAL_6(f,o,r,m,a,t);
 162 static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
 163 static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
 164 static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);
 165
 166 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_credential(NULL)
 167 {
 168 #ifdef _DEBUG
 169     NDC ndc("FilesystemCredentialResolver");
 170 #endif
 171     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver");
 172
 173     const DOMElement* root=e;
 174     e=XMLHelper::getFirstChildElement(root,AlgorithmPrefix);
 175     while (e) {
 176         if (e->hasChildNodes()) {
 177             auto_ptr_char alg(e->getFirstChild()->getNodeValue());
 178             if (alg.get())
 179                 m_algorithms.push_back(alg.get());
 180         }
 181         e=XMLHelper::getNextSiblingElement(e,AlgorithmPrefix);
 182     }
 183
 184     if (m_algorithms.empty()) {
 185         m_algorithms.push_back(URI_ID_SIG_BASE);
 186         m_algorithms.push_back(URI_ID_SIG_BASEMORE);
 187         m_algorithms.push_back("http://www.w3.org/2001/04/xmlenc#rsa");
 188     }
 189
 190     XSECCryptoKey* key=NULL;
 191     vector<XSECCryptoX509*> xseccerts;
 192
 193     format_t fformat;
 194     const XMLCh* format_xml=NULL;
 195     BIO* in = NULL;
 196
 197     // Move to Key
 198     e=XMLHelper::getFirstChildElement(root,Key);
 199     if (e) {
 200
 201         // Get raw format attrib value, but defer processing til later since may need to
 202         // determine format dynamically, and we need the Path for that.
 203         format_xml=e->getAttributeNS(NULL,format);
 204
 205         const XMLCh* password_xml=e->getAttributeNS(NULL,password);
 206         if (password_xml) {
 207             auto_ptr_char kp(password_xml);
 208             m_keypass=kp.get();
 209         }
 210
 211         e=XMLHelper::getFirstChildElement(e,Path);
 212         if (e && e->hasChildNodes()) {
 213             const XMLCh* s=e->getFirstChild()->getNodeValue();
 214             auto_ptr_char kpath(s);
 215 #ifdef WIN32
 216             struct _stat stat_buf;
 217             if (_stat(kpath.get(), &stat_buf) != 0)
 218 #else
 219             struct stat stat_buf;
 220             if (stat(kpath.get(), &stat_buf) != 0)
 221 #endif
 222             {
 223                 log.error("key file (%s) can't be opened", kpath.get());
 224                 throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
 225             }
 226             m_keypath=kpath.get();
 227         }
 228         else {
 229             log.error("Path element missing inside Key element");
 230             throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
 231         }
 232
 233         // Determine the key encoding format dynamically, if not explicitly specified
 234         if (format_xml && *format_xml) {
 235             fformat = xmlFormatToFormat(format_xml);
 236             if (fformat != UNKNOWN) {
 237                 m_keyformat = fformat;
 238             }
 239             else {
 240                 auto_ptr_char unknown(format_xml);
 241                 log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
 242                 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
 243             }
 244         }
 245         else {
 246             in=BIO_new(BIO_s_file_internal());
 247             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 248                 m_keyformat = getEncodingFormat(in);
 249                 log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
 250             }
 251             else {
 252                 log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
 253                 throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
 254             }
 255             if (in)
 256                 BIO_free(in);
 257             in = NULL;
 258         }
 259
 260         // Load the key.
 261         key = loadKey();
 262     }
 263
 264     // Check for Certificate
 265     e=XMLHelper::getFirstChildElement(root,Certificate);
 266     if (!e) {
 267         m_credential = new FilesystemCredential(this,key,xseccerts);
 268         return;
 269     }
 270     auto_ptr_char certpass(e->getAttributeNS(NULL,password));
 271
 272     DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
 273     if (!ep || !ep->hasChildNodes()) {
 274         log.error("Path element missing inside Certificate element or is empty");
 275         delete key;
 276         throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
 277     }
 278
 279     auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
 280     format_xml=e->getAttributeNS(NULL,format);
 281     if (format_xml && *format_xml) {
 282         fformat = xmlFormatToFormat(format_xml);
 283         if (fformat == UNKNOWN) {
 284             auto_ptr_char unknown(format_xml);
 285             log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
 286             delete key;
 287             throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
 288         }
 289     }
 290
 291     try {
 292         X509* x=NULL;
 293         PKCS12* p12=NULL;
 294         in=BIO_new(BIO_s_file_internal());
 295         if (in && BIO_read_filename(in,certpath.get())>0) {
 296             if (!format_xml || !*format_xml) {
 297                 // Determine the cert encoding format dynamically, if not explicitly specified
 298                 fformat = getEncodingFormat(in);
 299                 log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 300             }
 301
 302             switch(fformat) {
 303                 case PEM:
 304                     while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 305                         m_certs.push_back(x);
 306                     break;
 307
 308                 case DER:
 309                     x=d2i_X509_bio(in,NULL);
 310                     if (x)
 311                         m_certs.push_back(x);
 312                     else {
 313                         log_openssl();
 314                         BIO_free(in);
 315                         throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
 316                     }
 317                     break;
 318
 319                 case _PKCS12:
 320                     p12=d2i_PKCS12_bio(in,NULL);
 321                     if (p12) {
 322                         PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 323                         PKCS12_free(p12);
 324                     }
 325                     if (x) {
 326                         m_certs.push_back(x);
 327                         x=NULL;
 328                     } else {
 329                         log_openssl();
 330                         BIO_free(in);
 331                         throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
 332                     }
 333                     break;
 334             } // end switch
 335
 336         } else {
 337             log_openssl();
 338             if (in) {
 339                 BIO_free(in);
 340                 in=NULL;
 341             }
 342             throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
 343         }
 344         if (in) {
 345             BIO_free(in);
 346             in=NULL;
 347         }
 348
 349         if (m_certs.empty())
 350             throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
 351
 352         // Load any extra CA files.
 353         DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
 354         while (extra) {
 355             if (!extra->hasChildNodes()) {
 356                 log.warn("skipping empty CAPath element");
 357                 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 358                 continue;
 359             }
 360             auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
 361             x=NULL;
 362             p12=NULL;
 363             in=BIO_new(BIO_s_file_internal());
 364             if (in && BIO_read_filename(in,capath.get())>0) {
 365                 if (!format_xml || !*format_xml) {
 366                     // Determine the cert encoding format dynamically, if not explicitly specified
 367                     fformat = getEncodingFormat(in);
 368                     log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 369                 }
 370
 371                 switch (fformat) {
 372                     case PEM:
 373                         while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 374                             m_certs.push_back(x);
 375                         break;
 376
 377                     case DER:
 378                         x=d2i_X509_bio(in,NULL);
 379                         if (x)
 380                             m_certs.push_back(x);
 381                         else {
 382                             log_openssl();
 383                             BIO_free(in);
 384                             throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
 385                         }
 386                         break;
 387
 388                     case _PKCS12:
 389                         p12 = d2i_PKCS12_bio(in, NULL);
 390                         if (p12) {
 391                             PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 392                             PKCS12_free(p12);
 393                         }
 394                         if (x) {
 395                             m_certs.push_back(x);
 396                             x=NULL;
 397                         }
 398                         else {
 399                             log_openssl();
 400                             BIO_free(in);
 401                             throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
 402                         }
 403                         break;
 404                 } //end switch
 405
 406                 BIO_free(in);
 407             }
 408             else {
 409                 if (in)
 410                     BIO_free(in);
 411                 log_openssl();
 412                 log.error("CA file (%s) can't be opened", capath.get());
 413                 throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
 414             }
 415
 416             extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 417         }
 418     }
 419     catch (XMLToolingException&) {
 420         delete key;
 421         for_each(m_certs.begin(), m_certs.end(), X509_free);
 422         throw;
 423     }
 424
 425     // Reflect certs over to XSEC form and wrap with credential object.
 426     for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
 427         xseccerts.push_back(new OpenSSLCryptoX509(*j));
 428     if (!key && !xseccerts.empty())
 429         key = xseccerts.front()->clonePublicKey();
 430     m_credential = new FilesystemCredential(this, key, xseccerts);
 431 }
 432
 433 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
 434 {
 435 #ifdef _DEBUG
 436     NDC ndc("loadKey");
 437 #endif
 438
 439     // Get a EVP_PKEY.
 440     EVP_PKEY* pkey=NULL;
 441     BIO* in=BIO_new(BIO_s_file_internal());
 442     if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 443         switch (m_keyformat) {
 444             case PEM:
 445                 pkey=PEM_read_bio_PrivateKey(in, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
 446                 break;
 447
 448             case DER:
 449                 pkey=d2i_PrivateKey_bio(in, NULL);
 450                 break;
 451
 452             default: {
 453                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 454                 if (p12) {
 455                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 456                     PKCS12_free(p12);
 457                 }
 458             }
 459         }
 460     }
 461     if (in)
 462         BIO_free(in);
 463
 464     // Now map it to an XSEC wrapper.
 465     if (pkey) {
 466         XSECCryptoKey* ret=NULL;
 467         switch (pkey->type) {
 468             case EVP_PKEY_RSA:
 469                 ret=new OpenSSLCryptoKeyRSA(pkey);
 470                 break;
 471
 472             case EVP_PKEY_DSA:
 473                 ret=new OpenSSLCryptoKeyDSA(pkey);
 474                 break;
 475
 476             default:
 477                 Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver").error("unsupported private key type");
 478         }
 479         EVP_PKEY_free(pkey);
 480         if (ret)
 481             return ret;
 482     }
 483
 484     log_openssl();
 485     throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file.");
 486 }
 487
 488 // Used to determine the encoding format of credentials files
 489 // dynamically. Supports: PEM, DER, PKCS12.
 490 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
 491 {
 492     PKCS12* p12 = NULL;
 493     format_t format;
 494
 495     const int READSIZE = 1;
 496     char buf[READSIZE];
 497     char b1;
 498     int mark;
 499
 500     try {
 501         if ( (mark = BIO_tell(in)) < 0 )
 502             throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
 503         if ( BIO_read(in, buf, READSIZE) <= 0 )
 504             throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
 505         if ( BIO_seek(in, mark) < 0 )
 506             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 507     }
 508     catch (...) {
 509         log_openssl();
 510         throw;
 511     }
 512
 513     b1 = buf[0];
 514
 515     // This is a slight variation of the Java code by Chad La Joie.
 516     //
 517     // Check the first byte of the file.  If it's some kind of
 518     // DER-encoded structure (including PKCS12), it will begin with ASCII 048.
 519     // Otherwise, assume it's PEM.
 520     if (b1 !=  48) {
 521         format = PEM;
 522     } else {
 523         // Here we know it's DER-encoded, now try to parse it as a PKCS12
 524         // ASN.1 structure.  If it fails, must be another kind of DER-encoded
 525         // key/cert structure.  A little inefficient...but it works.
 526         if ( (p12=d2i_PKCS12_bio(in,NULL)) == NULL ) {
 527             format = DER;
 528         } else {
 529             format = _PKCS12;
 530         }
 531         if (p12)
 532             PKCS12_free(p12);
 533         if ( BIO_seek(in, mark) < 0 ) {
 534             log_openssl();
 535             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 536         }
 537     }
 538
 539     return format;
 540 }
 541
 542 // Convert key/cert format_t types to a human-meaningful string for debug output
 543 string FilesystemCredentialResolver::formatToString(format_t format) const
 544 {
 545     switch(format) {
 546         case PEM:
 547             return "PEM";
 548         case DER:
 549             return "DER";
 550         case _PKCS12:
 551             return "PKCS12";
 552         default:
 553             return "UNKNOWN";
 554     }
 555 }
 556
 557 // Convert key/cert raw XML format attribute (XMLCh[]) to format_t type
 558 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
 559 {
 560     static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
 561     static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
 562     static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };
 563     format_t format;
 564
 565     if (!XMLString::compareString(format_xml,cPEM))
 566         format=PEM;
 567     else if (!XMLString::compareString(format_xml,cDER))
 568         format=DER;
 569     else if (!XMLString::compareString(format_xml,cPKCS12))
 570         format=_PKCS12;
 571     else
 572         format=UNKNOWN;
 573
 574     return format;
 575 }
 576
 577 void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
 578 {
 579 #ifdef _DEBUG
 580     NDC ndc("attach");
 581 #endif
 582
 583     // Attach key.
 584     SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
 585     SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
 586
 587     int ret=0;
 588     switch (m_keyformat) {
 589         case PEM:
 590             ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 591             break;
 592
 593         case DER:
 594             ret=SSL_CTX_use_RSAPrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 595             break;
 596
 597         default: {
 598             BIO* in=BIO_new(BIO_s_file_internal());
 599             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 600                 EVP_PKEY* pkey=NULL;
 601                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 602                 if (p12) {
 603                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 604                     PKCS12_free(p12);
 605                     if (pkey) {
 606                         ret=SSL_CTX_use_PrivateKey(ctx, pkey);
 607                         EVP_PKEY_free(pkey);
 608                     }
 609                 }
 610             }
 611             if (in)
 612                 BIO_free(in);
 613         }
 614     }
 615
 616     if (ret!=1) {
 617         log_openssl();
 618         throw XMLSecurityException("Unable to attach private key to SSL context.");
 619     }
 620
 621     // Attach certs.
 622     for (vector<X509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) {
 623         if (i==m_certs.begin()) {
 624             if (SSL_CTX_use_certificate(ctx, *i) != 1) {
 625                 log_openssl();
 626                 throw XMLSecurityException("Unable to attach client certificate to SSL context.");
 627             }
 628         }
 629         else {
 630             // When we add certs, they don't get ref counted, so we need to duplicate them.
 631             X509* dup = X509_dup(*i);
 632             if (SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
 633                 X509_free(dup);
 634                 log_openssl();
 635                 throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
 636             }
 637         }
 638     }
 639 }
 640
 641 void FilesystemCredential::attach(SSL_CTX* ctx) const
 642 {
 643     return m_resolver->attach(ctx);
 644 }