xmltooling/security/impl/InlineKeyResolver.cpp

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 /**
  22  * InlineKeyResolver.cpp
  23  *
  24  * Resolves key information directly from recognized KeyInfo structures.
  25  */
  26
  27 #include "internal.h"
  28 #include "logging.h"
  29 #include "security/BasicX509Credential.h"
  30 #include "security/KeyInfoCredentialContext.h"
  31 #include "security/KeyInfoResolver.h"
  32 #include "security/SecurityHelper.h"
  33 #include "security/XSECCryptoX509CRL.h"
  34 #include "signature/KeyInfo.h"
  35 #include "signature/Signature.h"
  36 #include "util/NDC.h"
  37 #include "util/Threads.h"
  38 #include "util/XMLConstants.h"
  39 #include "validation/ValidatorSuite.h"
  40
  41 #include <boost/iterator/indirect_iterator.hpp>
  42 #include <xercesc/util/XMLUniDefs.hpp>
  43 #include <xsec/dsig/DSIGKeyInfoX509.hpp>
  44 #include <xsec/enc/XSECKeyInfoResolverDefault.hpp>
  45 #include <xsec/enc/XSECCryptoX509.hpp>
  46 #include <xsec/enc/XSECCryptoKeyRSA.hpp>
  47 #include <xsec/enc/XSECCryptoKeyDSA.hpp>
  48 #ifdef XMLTOOLING_XMLSEC_ECC
  49 # include <xsec/enc/XSECCryptoKeyEC.hpp>
  50 #endif
  51 #include <xsec/enc/XSECCryptoException.hpp>
  52 #include <xsec/framework/XSECException.hpp>
  53
  54 using namespace xmlsignature;
  55 using namespace xmltooling::logging;
  56 using namespace xmltooling;
  57 using namespace xercesc;
  58 using namespace boost;
  59 using namespace std;
  60
  61 namespace xmltooling {
  62
  63     class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential
  64     {
  65     public:
  66         InlineCredential(const KeyInfo* keyInfo=nullptr) : BasicX509Credential(keyInfo!=nullptr), m_credctx(new KeyInfoCredentialContext(keyInfo)) {}
  67         InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {}
  68         InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=nullptr) {}
  69         virtual ~InlineCredential() {}
  70
  71         XSECCryptoKey* getPrivateKey() const {
  72             return nullptr;
  73         }
  74
  75         KeyInfo* getKeyInfo(bool compact=false) const {
  76             KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : nullptr;
  77             if (ret) {
  78                 ret->setId(nullptr);
  79                 ret->getRetrievalMethods().clear();
  80                 ret->getKeyInfoReferences().clear();
  81                 if (compact) {
  82                     ret->getKeyValues().clear();
  83                     ret->getDEREncodedKeyValues().clear();
  84                     ret->getSPKIDatas().clear();
  85                     ret->getPGPDatas().clear();
  86                     ret->getUnknownXMLObjects().clear();
  87                     VectorOf(X509Data) x509Datas=ret->getX509Datas();
  88                     for (VectorOf(X509Data)::size_type pos = 0; pos < x509Datas.size();) {
  89                         x509Datas[pos]->getX509Certificates().clear();
  90                         x509Datas[pos]->getX509CRLs().clear();
  91                         x509Datas[pos]->getOCSPResponses().clear();
  92                         x509Datas[pos]->getUnknownXMLObjects().clear();
  93                         if (x509Datas[pos]->hasChildren())
  94                             ++pos;
  95                         else
  96                             x509Datas.erase(x509Datas.begin() + pos);
  97                     }
  98                 }
  99             }
 100             if (!ret->hasChildren()) {
 101                 delete ret;
 102                 ret = nullptr;
 103             }
 104             return ret;
 105         }
 106
 107         const CredentialContext* getCredentalContext() const {
 108             return m_credctx.get();
 109         }
 110
 111         void setCredentialContext(KeyInfoCredentialContext* context) {
 112             m_credctx.reset(context);
 113         }
 114
 115         void resolve(const KeyInfo* keyInfo, int types=0, bool followRefs=false);
 116         void resolve(DSIGKeyInfoList* keyInfo, int types=0, bool followRefs=false);
 117
 118     private:
 119         bool resolveCerts(const KeyInfo* keyInfo, bool followRefs=false);
 120         bool resolveKey(const KeyInfo* keyInfo, bool followRefs=false);
 121         bool resolveCRLs(const KeyInfo* keyInfo, bool followRefs=false);
 122
 123         auto_ptr<KeyInfoCredentialContext> m_credctx;
 124     };
 125
 126     static const XMLCh keyInfoReferences[] = UNICODE_LITERAL_17(k,e,y,I,n,f,o,R,e,f,e,r,e,n,c,e,s);
 127
 128     class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyInfoResolver
 129     {
 130     public:
 131         InlineKeyResolver(const DOMElement* e)
 132             : m_followRefs(XMLHelper::getAttrBool(e, false, keyInfoReferences)) {
 133         }
 134
 135         virtual ~InlineKeyResolver() {}
 136
 137         Credential* resolve(const KeyInfo* keyInfo, int types=0) const {
 138             if (!keyInfo)
 139                 return nullptr;
 140             if (types == 0)
 141                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 142             auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
 143             credential->resolve(keyInfo, types, m_followRefs);
 144             return credential.release();
 145         }
 146         Credential* resolve(DSIGKeyInfoList* keyInfo, int types=0) const {
 147             if (!keyInfo)
 148                 return nullptr;
 149             if (types == 0)
 150                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 151             auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
 152             credential->resolve(keyInfo, types, m_followRefs);
 153             return credential.release();
 154         }
 155         Credential* resolve(KeyInfoCredentialContext* context, int types=0) const {
 156             if (!context)
 157                 return nullptr;
 158             if (types == 0)
 159                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 160             auto_ptr<InlineCredential> credential(new InlineCredential(context));
 161             if (context->getKeyInfo())
 162                 credential->resolve(context->getKeyInfo(), types, m_followRefs);
 163             else if (context->getNativeKeyInfo())
 164                 credential->resolve(context->getNativeKeyInfo(), types, m_followRefs);
 165             credential->setCredentialContext(context);
 166             return credential.release();
 167         }
 168
 169     private:
 170         bool m_followRefs;
 171     };
 172
 173     KeyInfoResolver* XMLTOOL_DLLLOCAL InlineKeyInfoResolverFactory(const DOMElement* const & e)
 174     {
 175         return new InlineKeyResolver(e);
 176     }
 177 };
 178
 179 void InlineCredential::resolve(const KeyInfo* keyInfo, int types, bool followRefs)
 180 {
 181 #ifdef _DEBUG
 182     NDC ndc("resolve");
 183 #endif
 184
 185     if (types & X509Credential::RESOLVE_CERTS)
 186         resolveCerts(keyInfo, followRefs);
 187
 188     if (types & Credential::RESOLVE_KEYS) {
 189         if (types & X509Credential::RESOLVE_CERTS) {
 190             // If we have a cert, just use it.
 191             if (!m_xseccerts.empty())
 192                 m_key = m_xseccerts.front()->clonePublicKey();
 193             else
 194                 resolveKey(keyInfo, followRefs);
 195         }
 196         // Otherwise try directly for a key and then go for certs if none is found.
 197         else if (!resolveKey(keyInfo, followRefs) && resolveCerts(keyInfo, followRefs)) {
 198             m_key = m_xseccerts.front()->clonePublicKey();
 199         }
 200     }
 201
 202     if (types & X509Credential::RESOLVE_CRLS)
 203         resolveCRLs(keyInfo, followRefs);
 204
 205     const XMLCh* n;
 206     char* kn;
 207     const vector<KeyName*>& knames=keyInfo->getKeyNames();
 208     for (indirect_iterator<vector<KeyName*>::const_iterator> kn_i = make_indirect_iterator(knames.begin());
 209             kn_i != make_indirect_iterator(knames.end()); ++kn_i) {
 210         n = kn_i->getName();
 211         if (n && *n) {
 212             kn = toUTF8(n);
 213             m_keyNames.insert(kn);
 214             delete[] kn;
 215         }
 216     }
 217     const vector<X509Data*> datas=keyInfo->getX509Datas();
 218     for (vector<X509Data*>::const_iterator x_i=datas.begin(); x_i!=datas.end(); ++x_i) {
 219         const vector<X509SubjectName*> snames = const_cast<const X509Data*>(*x_i)->getX509SubjectNames();
 220         for (vector<X509SubjectName*>::const_iterator sn_i = snames.begin(); sn_i!=snames.end(); ++sn_i) {
 221             n = (*sn_i)->getName();
 222             if (n && *n) {
 223                 kn=toUTF8(n);
 224                 m_keyNames.insert(kn);
 225                 m_subjectName = kn;
 226                 delete[] kn;
 227             }
 228         }
 229
 230         const vector<X509IssuerSerial*> inames = const_cast<const X509Data*>(*x_i)->getX509IssuerSerials();
 231         if (!inames.empty()) {
 232             const X509IssuerName* iname = inames.front()->getX509IssuerName();
 233             if (iname) {
 234                 kn = toUTF8(iname->getName());
 235                 if (kn)
 236                     m_issuerName = kn;
 237                 delete[] kn;
 238             }
 239
 240             const X509SerialNumber* ser = inames.front()->getX509SerialNumber();
 241             if (ser) {
 242                 auto_ptr_char sn(ser->getSerialNumber());
 243                 m_serial = sn.get();
 244             }
 245         }
 246     }
 247 }
 248
 249 bool InlineCredential::resolveKey(const KeyInfo* keyInfo, bool followRefs)
 250 {
 251     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 252
 253     // Check for ds:KeyValue
 254     const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();
 255     for (indirect_iterator<vector<KeyValue*>::const_iterator> i = make_indirect_iterator(keyValues.begin());
 256             i != make_indirect_iterator(keyValues.end()); ++i) {
 257         try {
 258             SchemaValidators.validate(*(i.base()));    // see if it's a "valid" key
 259             RSAKeyValue* rsakv = i->getRSAKeyValue();
 260             if (rsakv) {
 261                 log.debug("resolving ds:RSAKeyValue");
 262                 auto_ptr_char mod(rsakv->getModulus()->getValue());
 263                 auto_ptr_char exp(rsakv->getExponent()->getValue());
 264                 auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());
 265                 rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));
 266                 rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));
 267                 m_key = rsa.release();
 268                 return true;
 269             }
 270             DSAKeyValue* dsakv = i->getDSAKeyValue();
 271             if (dsakv) {
 272                 log.debug("resolving ds:DSAKeyValue");
 273                 auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());
 274                 auto_ptr_char y(dsakv->getY()->getValue());
 275                 dsa->loadYBase64BigNums(y.get(), strlen(y.get()));
 276                 if (dsakv->getP()) {
 277                     auto_ptr_char p(dsakv->getP()->getValue());
 278                     dsa->loadPBase64BigNums(p.get(), strlen(p.get()));
 279                 }
 280                 if (dsakv->getQ()) {
 281                     auto_ptr_char q(dsakv->getQ()->getValue());
 282                     dsa->loadQBase64BigNums(q.get(), strlen(q.get()));
 283                 }
 284                 if (dsakv->getG()) {
 285                     auto_ptr_char g(dsakv->getG()->getValue());
 286                     dsa->loadGBase64BigNums(g.get(), strlen(g.get()));
 287                 }
 288                 m_key = dsa.release();
 289                 return true;
 290             }
 291 #ifdef XMLTOOLING_XMLSEC_ECC
 292             ECKeyValue* eckv = i->getECKeyValue();
 293             if (eckv && eckv->getNamedCurve() && eckv->getPublicKey()) {
 294                 log.warn("resolving ds11:ECKeyValue");
 295                 auto_ptr<XSECCryptoKeyEC> ec(XSECPlatformUtils::g_cryptoProvider->keyEC());
 296                 auto_ptr_char uri(eckv->getNamedCurve()->getURI());
 297                 auto_ptr_char val(eckv->getPublicKey()->getValue());
 298                 if (uri.get() && val.get()) {
 299                     ec->loadPublicKeyBase64(uri.get(), val.get(), XMLString::stringLen(val.get()));
 300                     m_key = ec.release();
 301                     return true;
 302                 }
 303             }
 304 #endif
 305         }
 306         catch (ValidationException& ex) {
 307             log.warn("skipping invalid ds:KeyValue (%s)", ex.what());
 308         }
 309         catch(XSECException& e) {
 310             auto_ptr_char temp(e.getMsg());
 311             log.error("caught XML-Security exception loading key: %s", temp.get());
 312         }
 313         catch(XSECCryptoException& e) {
 314             log.error("caught XML-Security exception loading key: %s", e.getMsg());
 315         }
 316     }
 317
 318     // Check for ds11:DEREncodedKeyValue
 319     const vector<DEREncodedKeyValue*>& derValues = keyInfo->getDEREncodedKeyValues();
 320     for (indirect_iterator<vector<DEREncodedKeyValue*>::const_iterator> j = make_indirect_iterator(derValues.begin());
 321             j != make_indirect_iterator(derValues.end()); ++j) {
 322         log.debug("resolving ds11:DEREncodedKeyValue");
 323         m_key = SecurityHelper::fromDEREncoding(j->getValue());
 324         if (m_key)
 325             return true;
 326         log.warn("failed to resolve ds11:DEREncodedKeyValue");
 327     }
 328
 329
 330     if (followRefs) {
 331         // Check for KeyInfoReference.
 332         const XMLCh* fragID=nullptr;
 333         const XMLObject* treeRoot=nullptr;
 334         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 335         for (indirect_iterator<vector<KeyInfoReference*>::const_iterator> ref = make_indirect_iterator(refs.begin());
 336                 ref != make_indirect_iterator(refs.end()); ++ref) {
 337             fragID = ref->getURI();
 338             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 339                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 340                 continue;
 341             }
 342             if (!treeRoot) {
 343                 treeRoot = keyInfo;
 344                 while (treeRoot->getParent())
 345                     treeRoot = treeRoot->getParent();
 346             }
 347             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 348             if (!keyInfo) {
 349                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 350                 continue;
 351             }
 352             if (resolveKey(keyInfo, false))
 353                 return true;
 354         }
 355     }
 356
 357     return false;
 358 }
 359
 360 bool InlineCredential::resolveCerts(const KeyInfo* keyInfo, bool followRefs)
 361 {
 362     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 363
 364     // Check for ds:X509Data
 365     const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
 366     for (vector<X509Data*>::const_iterator j = x509Datas.begin(); m_xseccerts.empty() && j != x509Datas.end(); ++j) {
 367         const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();
 368         for (indirect_iterator<vector<X509Certificate*>::const_iterator> k = make_indirect_iterator(x509Certs.begin());
 369                 k != make_indirect_iterator(x509Certs.end()); ++k) {
 370             try {
 371                 auto_ptr_char x(k->getValue());
 372                 if (!x.get()) {
 373                     log.warn("skipping empty ds:X509Certificate");
 374                 }
 375                 else {
 376                     log.debug("resolving ds:X509Certificate");
 377                     auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());
 378                     x509->loadX509Base64Bin(x.get(), strlen(x.get()));
 379                     m_xseccerts.push_back(x509.release());
 380                 }
 381             }
 382             catch(XSECException& e) {
 383                 auto_ptr_char temp(e.getMsg());
 384                 log.error("caught XML-Security exception loading certificate: %s", temp.get());
 385             }
 386             catch(XSECCryptoException& e) {
 387                 log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
 388             }
 389         }
 390     }
 391
 392     if (followRefs && m_xseccerts.empty()) {
 393         // Check for KeyInfoReference.
 394         const XMLCh* fragID=NULL;
 395         const XMLObject* treeRoot=NULL;
 396         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 397         for (indirect_iterator<vector<KeyInfoReference*>::const_iterator> ref = make_indirect_iterator(refs.begin());
 398                 ref != make_indirect_iterator(refs.end()); ++ref) {
 399             fragID = ref->getURI();
 400             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 401                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 402                 continue;
 403             }
 404             if (!treeRoot) {
 405                 treeRoot = keyInfo;
 406                 while (treeRoot->getParent())
 407                     treeRoot = treeRoot->getParent();
 408             }
 409             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 410             if (!keyInfo) {
 411                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 412                 continue;
 413             }
 414             if (resolveCerts(keyInfo, false))
 415                 return true;
 416         }
 417         return false;
 418     }
 419
 420     log.debug("resolved %d certificate(s)", m_xseccerts.size());
 421     return !m_xseccerts.empty();
 422 }
 423
 424 bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo, bool followRefs)
 425 {
 426     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 427
 428     // Check for ds:X509Data
 429     const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
 430     for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {
 431         const vector<X509CRL*> x509CRLs=const_cast<const X509Data*>(*j)->getX509CRLs();
 432         for (indirect_iterator<vector<X509CRL*>::const_iterator> k = make_indirect_iterator(x509CRLs.begin());
 433                 k != make_indirect_iterator(x509CRLs.end()); ++k) {
 434             try {
 435                 auto_ptr_char x(k->getValue());
 436                 if (!x.get()) {
 437                     log.warn("skipping empty ds:X509CRL");
 438                 }
 439                 else {
 440                     log.debug("resolving ds:X509CRL");
 441                     auto_ptr<XSECCryptoX509CRL> crl(XMLToolingConfig::getConfig().X509CRL());
 442                     crl->loadX509CRLBase64Bin(x.get(), strlen(x.get()));
 443                     m_crls.push_back(crl.release());
 444                 }
 445             }
 446             catch(XSECException& e) {
 447                 auto_ptr_char temp(e.getMsg());
 448                 log.error("caught XML-Security exception loading CRL: %s", temp.get());
 449             }
 450             catch(XSECCryptoException& e) {
 451                 log.error("caught XML-Security exception loading CRL: %s", e.getMsg());
 452             }
 453         }
 454     }
 455
 456     if (followRefs && m_crls.empty()) {
 457         // Check for KeyInfoReference.
 458         const XMLCh* fragID=NULL;
 459         const XMLObject* treeRoot=NULL;
 460         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 461         for (indirect_iterator<vector<KeyInfoReference*>::const_iterator> ref = make_indirect_iterator(refs.begin());
 462                 ref != make_indirect_iterator(refs.end()); ++ref) {
 463             fragID = ref->getURI();
 464             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 465                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 466                 continue;
 467             }
 468             if (!treeRoot) {
 469                 treeRoot = keyInfo;
 470                 while (treeRoot->getParent())
 471                     treeRoot = treeRoot->getParent();
 472             }
 473             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 474             if (!keyInfo) {
 475                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 476                 continue;
 477             }
 478             if (resolveCRLs(keyInfo, false))
 479                 return true;
 480         }
 481         return false;
 482     }
 483
 484     log.debug("resolved %d CRL(s)", m_crls.size());
 485     return !m_crls.empty();
 486 }
 487
 488 void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types, bool followRefs)
 489 {
 490 #ifdef _DEBUG
 491     NDC ndc("resolve");
 492 #endif
 493
 494     if (types & Credential::RESOLVE_KEYS) {
 495         // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.
 496         try {
 497             XSECKeyInfoResolverDefault def;
 498             m_key = def.resolveKey(keyInfo);
 499         }
 500         catch(XSECException& e) {
 501             auto_ptr_char temp(e.getMsg());
 502             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", temp.get());
 503         }
 504         catch(XSECCryptoException& e) {
 505             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", e.getMsg());
 506         }
 507     }
 508
 509         DSIGKeyInfoList::size_type sz = keyInfo->getSize();
 510
 511     if (types & X509Credential::RESOLVE_CERTS) {
 512         for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
 513             if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
 514                 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
 515                 int count = x509->getCertificateListSize();
 516                 if (count) {
 517                     for (int j=0; j<count; ++j)
 518                         m_xseccerts.push_back(x509->getCertificateCryptoItem(j));
 519                     break;
 520                 }
 521             }
 522         }
 523     }
 524
 525     if (types & X509Credential::RESOLVE_CRLS) {
 526         for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
 527             if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
 528 #ifdef XMLTOOLING_XMLSEC_MULTIPLECRL
 529                 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
 530                 int count = x509->getX509CRLListSize();
 531                 for (int j=0; j<count; ++j) {
 532                     auto_ptr_char buf(x509->getX509CRLItem(j));
 533                     if (buf.get()) {
 534                         try {
 535                             auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
 536                             crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
 537                             m_crls.push_back(crlobj.release());
 538                         }
 539                         catch(XSECException& e) {
 540                             auto_ptr_char temp(e.getMsg());
 541                             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
 542                         }
 543                         catch(XSECCryptoException& e) {
 544                             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
 545                         }
 546                     }
 547                 }
 548 #else
 549                 // The current xmlsec API is limited to one CRL per KeyInfo.
 550                 // For now, I'm going to process the DOM directly.
 551                 DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
 552                 DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : nullptr;
 553                 while (crlElement) {
 554                     if (crlElement->hasChildNodes()) {
 555                         auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue());
 556                         if (buf.get()) {
 557                             try {
 558                                 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
 559                                 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
 560                                 m_crls.push_back(crlobj.release());
 561                             }
 562                             catch(XSECException& e) {
 563                                 auto_ptr_char temp(e.getMsg());
 564                                 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
 565                             }
 566                             catch(XSECCryptoException& e) {
 567                                 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
 568                             }
 569                         }
 570                     }
 571                     crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME);
 572                 }
 573 #endif
 574             }
 575         }
 576     }
 577
 578     char* kn;
 579     const XMLCh* n;
 580
 581     for (size_t s=0; s<keyInfo->getSize(); s++) {
 582         DSIGKeyInfo* dki = keyInfo->item(s);
 583         n=dki->getKeyName();
 584         if (n && *n) {
 585             kn=toUTF8(n);
 586             m_keyNames.insert(kn);
 587             if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509)
 588                 m_subjectName = kn;
 589             delete[] kn;
 590         }
 591
 592         if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
 593             DSIGKeyInfoX509* kix = static_cast<DSIGKeyInfoX509*>(dki);
 594             n = kix->getX509IssuerName();
 595             if (n && *n) {
 596                 kn=toUTF8(n);
 597                 m_issuerName = kn;
 598                 delete[] kn;
 599             }
 600             n = kix->getX509IssuerSerialNumber();
 601             if (n && *n) {
 602                 auto_ptr_char sn(n);
 603                 m_serial = sn.get();
 604             }
 605         }
 606     }
 607 }