xmltooling/security/impl/InlineKeyResolver.cpp

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 /**
  22  * InlineKeyResolver.cpp
  23  *
  24  * Resolves key information directly from recognized KeyInfo structures.
  25  */
  26
  27 #include "internal.h"
  28 #include "logging.h"
  29 #include "security/BasicX509Credential.h"
  30 #include "security/KeyInfoCredentialContext.h"
  31 #include "security/KeyInfoResolver.h"
  32 #include "security/SecurityHelper.h"
  33 #include "security/XSECCryptoX509CRL.h"
  34 #include "signature/KeyInfo.h"
  35 #include "signature/Signature.h"
  36 #include "util/NDC.h"
  37 #include "util/Threads.h"
  38 #include "util/XMLConstants.h"
  39 #include "validation/ValidatorSuite.h"
  40
  41 #include <xercesc/util/XMLUniDefs.hpp>
  42 #include <xsec/dsig/DSIGKeyInfoX509.hpp>
  43 #include <xsec/enc/XSECKeyInfoResolverDefault.hpp>
  44 #include <xsec/enc/XSECCryptoX509.hpp>
  45 #include <xsec/enc/XSECCryptoKeyRSA.hpp>
  46 #include <xsec/enc/XSECCryptoKeyDSA.hpp>
  47 #ifdef XMLTOOLING_XMLSEC_ECC
  48 # include <xsec/enc/XSECCryptoKeyEC.hpp>
  49 #endif
  50 #include <xsec/enc/XSECCryptoException.hpp>
  51 #include <xsec/framework/XSECException.hpp>
  52
  53 using namespace xmlsignature;
  54 using namespace xmltooling::logging;
  55 using namespace xmltooling;
  56 using namespace xercesc;
  57 using namespace std;
  58
  59 namespace xmltooling {
  60
  61     class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential
  62     {
  63     public:
  64         InlineCredential(const KeyInfo* keyInfo=nullptr) : BasicX509Credential(keyInfo!=nullptr), m_credctx(new KeyInfoCredentialContext(keyInfo)) {}
  65         InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {}
  66         InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=nullptr) {}
  67         virtual ~InlineCredential() {}
  68
  69         XSECCryptoKey* getPrivateKey() const {
  70             return nullptr;
  71         }
  72
  73         KeyInfo* getKeyInfo(bool compact=false) const {
  74             KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : nullptr;
  75             if (ret) {
  76                 ret->setId(nullptr);
  77                 ret->getRetrievalMethods().clear();
  78                 ret->getKeyInfoReferences().clear();
  79                 if (compact) {
  80                     ret->getKeyValues().clear();
  81                     ret->getDEREncodedKeyValues().clear();
  82                     ret->getSPKIDatas().clear();
  83                     ret->getPGPDatas().clear();
  84                     ret->getUnknownXMLObjects().clear();
  85                     VectorOf(X509Data) x509Datas=ret->getX509Datas();
  86                     for (VectorOf(X509Data)::size_type pos = 0; pos < x509Datas.size();) {
  87                         x509Datas[pos]->getX509Certificates().clear();
  88                         x509Datas[pos]->getX509CRLs().clear();
  89                         x509Datas[pos]->getOCSPResponses().clear();
  90                         x509Datas[pos]->getUnknownXMLObjects().clear();
  91                         if (x509Datas[pos]->hasChildren())
  92                             ++pos;
  93                         else
  94                             x509Datas.erase(x509Datas.begin() + pos);
  95                     }
  96                 }
  97             }
  98             if (!ret->hasChildren()) {
  99                 delete ret;
 100                 ret = nullptr;
 101             }
 102             return ret;
 103         }
 104
 105         const CredentialContext* getCredentalContext() const {
 106             return m_credctx.get();
 107         }
 108
 109         void setCredentialContext(KeyInfoCredentialContext* context) {
 110             m_credctx.reset(context);
 111         }
 112
 113         void resolve(const KeyInfo* keyInfo, int types=0, bool followRefs=false);
 114         void resolve(DSIGKeyInfoList* keyInfo, int types=0, bool followRefs=false);
 115
 116     private:
 117         bool resolveCerts(const KeyInfo* keyInfo, bool followRefs=false);
 118         bool resolveKey(const KeyInfo* keyInfo, bool followRefs=false);
 119         bool resolveCRLs(const KeyInfo* keyInfo, bool followRefs=false);
 120
 121         auto_ptr<KeyInfoCredentialContext> m_credctx;
 122     };
 123
 124     static const XMLCh keyInfoReferences[] = UNICODE_LITERAL_17(k,e,y,I,n,f,o,R,e,f,e,r,e,n,c,e,s);
 125
 126     class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyInfoResolver
 127     {
 128     public:
 129         InlineKeyResolver(const DOMElement* e)
 130             : m_followRefs(XMLHelper::getAttrBool(e, false, keyInfoReferences)) {
 131         }
 132
 133         virtual ~InlineKeyResolver() {}
 134
 135         Credential* resolve(const KeyInfo* keyInfo, int types=0) const {
 136             if (!keyInfo)
 137                 return nullptr;
 138             if (types == 0)
 139                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 140             auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
 141             credential->resolve(keyInfo, types, m_followRefs);
 142             return credential.release();
 143         }
 144         Credential* resolve(DSIGKeyInfoList* keyInfo, int types=0) const {
 145             if (!keyInfo)
 146                 return nullptr;
 147             if (types == 0)
 148                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 149             auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
 150             credential->resolve(keyInfo, types, m_followRefs);
 151             return credential.release();
 152         }
 153         Credential* resolve(KeyInfoCredentialContext* context, int types=0) const {
 154             if (!context)
 155                 return nullptr;
 156             if (types == 0)
 157                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 158             auto_ptr<InlineCredential> credential(new InlineCredential(context));
 159             if (context->getKeyInfo())
 160                 credential->resolve(context->getKeyInfo(), types, m_followRefs);
 161             else if (context->getNativeKeyInfo())
 162                 credential->resolve(context->getNativeKeyInfo(), types, m_followRefs);
 163             credential->setCredentialContext(context);
 164             return credential.release();
 165         }
 166
 167     private:
 168         bool m_followRefs;
 169     };
 170
 171     KeyInfoResolver* XMLTOOL_DLLLOCAL InlineKeyInfoResolverFactory(const DOMElement* const & e)
 172     {
 173         return new InlineKeyResolver(e);
 174     }
 175 };
 176
 177 void InlineCredential::resolve(const KeyInfo* keyInfo, int types, bool followRefs)
 178 {
 179 #ifdef _DEBUG
 180     NDC ndc("resolve");
 181 #endif
 182
 183     if (types & X509Credential::RESOLVE_CERTS)
 184         resolveCerts(keyInfo, followRefs);
 185
 186     if (types & Credential::RESOLVE_KEYS) {
 187         if (types & X509Credential::RESOLVE_CERTS) {
 188             // If we have a cert, just use it.
 189             if (!m_xseccerts.empty())
 190                 m_key = m_xseccerts.front()->clonePublicKey();
 191             else
 192                 resolveKey(keyInfo, followRefs);
 193         }
 194         // Otherwise try directly for a key and then go for certs if none is found.
 195         else if (!resolveKey(keyInfo, followRefs) && resolveCerts(keyInfo, followRefs)) {
 196             m_key = m_xseccerts.front()->clonePublicKey();
 197         }
 198     }
 199
 200     if (types & X509Credential::RESOLVE_CRLS)
 201         resolveCRLs(keyInfo, followRefs);
 202
 203     const XMLCh* n;
 204     char* kn;
 205     const vector<KeyName*>& knames=keyInfo->getKeyNames();
 206     for (vector<KeyName*>::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) {
 207         n=(*kn_i)->getName();
 208         if (n && *n) {
 209             kn=toUTF8(n);
 210             m_keyNames.insert(kn);
 211             delete[] kn;
 212         }
 213     }
 214     const vector<X509Data*> datas=keyInfo->getX509Datas();
 215     for (vector<X509Data*>::const_iterator x_i=datas.begin(); x_i!=datas.end(); ++x_i) {
 216         const vector<X509SubjectName*> snames = const_cast<const X509Data*>(*x_i)->getX509SubjectNames();
 217         for (vector<X509SubjectName*>::const_iterator sn_i = snames.begin(); sn_i!=snames.end(); ++sn_i) {
 218             n = (*sn_i)->getName();
 219             if (n && *n) {
 220                 kn=toUTF8(n);
 221                 m_keyNames.insert(kn);
 222                 m_subjectName = kn;
 223                 delete[] kn;
 224             }
 225         }
 226
 227         const vector<X509IssuerSerial*> inames = const_cast<const X509Data*>(*x_i)->getX509IssuerSerials();
 228         if (!inames.empty()) {
 229             const X509IssuerName* iname = inames.front()->getX509IssuerName();
 230             if (iname) {
 231                 kn = toUTF8(iname->getName());
 232                 if (kn)
 233                     m_issuerName = kn;
 234                 delete[] kn;
 235             }
 236
 237             const X509SerialNumber* ser = inames.front()->getX509SerialNumber();
 238             if (ser) {
 239                 auto_ptr_char sn(ser->getSerialNumber());
 240                 m_serial = sn.get();
 241             }
 242         }
 243     }
 244 }
 245
 246 bool InlineCredential::resolveKey(const KeyInfo* keyInfo, bool followRefs)
 247 {
 248     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 249
 250     // Check for ds:KeyValue
 251     const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();
 252     for (vector<KeyValue*>::const_iterator i = keyValues.begin(); i != keyValues.end(); ++i) {
 253         try {
 254             SchemaValidators.validate(*i);    // see if it's a "valid" key
 255             RSAKeyValue* rsakv = (*i)->getRSAKeyValue();
 256             if (rsakv) {
 257                 log.debug("resolving ds:RSAKeyValue");
 258                 auto_ptr_char mod(rsakv->getModulus()->getValue());
 259                 auto_ptr_char exp(rsakv->getExponent()->getValue());
 260                 auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());
 261                 rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));
 262                 rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));
 263                 m_key = rsa.release();
 264                 return true;
 265             }
 266             DSAKeyValue* dsakv = (*i)->getDSAKeyValue();
 267             if (dsakv) {
 268                 log.debug("resolving ds:DSAKeyValue");
 269                 auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());
 270                 auto_ptr_char y(dsakv->getY()->getValue());
 271                 dsa->loadYBase64BigNums(y.get(), strlen(y.get()));
 272                 if (dsakv->getP()) {
 273                     auto_ptr_char p(dsakv->getP()->getValue());
 274                     dsa->loadPBase64BigNums(p.get(), strlen(p.get()));
 275                 }
 276                 if (dsakv->getQ()) {
 277                     auto_ptr_char q(dsakv->getQ()->getValue());
 278                     dsa->loadQBase64BigNums(q.get(), strlen(q.get()));
 279                 }
 280                 if (dsakv->getG()) {
 281                     auto_ptr_char g(dsakv->getG()->getValue());
 282                     dsa->loadGBase64BigNums(g.get(), strlen(g.get()));
 283                 }
 284                 m_key = dsa.release();
 285                 return true;
 286             }
 287 #ifdef XMLTOOLING_XMLSEC_ECC
 288             ECKeyValue* eckv = (*i)->getECKeyValue();
 289             if (eckv && eckv->getNamedCurve() && eckv->getPublicKey()) {
 290                 log.warn("resolving ds11:ECKeyValue");
 291                 auto_ptr<XSECCryptoKeyEC> ec(XSECPlatformUtils::g_cryptoProvider->keyEC());
 292                 auto_ptr_char uri(eckv->getNamedCurve()->getURI());
 293                 auto_ptr_char val(eckv->getPublicKey()->getValue());
 294                 if (uri.get() && val.get()) {
 295                     ec->loadPublicKeyBase64(uri.get(), val.get(), XMLString::stringLen(val.get()));
 296                     m_key = ec.release();
 297                     return true;
 298                 }
 299             }
 300 #endif
 301         }
 302         catch (ValidationException& ex) {
 303             log.warn("skipping invalid ds:KeyValue (%s)", ex.what());
 304         }
 305         catch(XSECException& e) {
 306             auto_ptr_char temp(e.getMsg());
 307             log.error("caught XML-Security exception loading key: %s", temp.get());
 308         }
 309         catch(XSECCryptoException& e) {
 310             log.error("caught XML-Security exception loading key: %s", e.getMsg());
 311         }
 312     }
 313
 314     // Check for ds11:DEREncodedKeyValue
 315     const vector<DEREncodedKeyValue*>& derValues = keyInfo->getDEREncodedKeyValues();
 316     for (vector<DEREncodedKeyValue*>::const_iterator j = derValues.begin(); j != derValues.end(); ++j) {
 317         log.debug("resolving ds11:DEREncodedKeyValue");
 318         m_key = SecurityHelper::fromDEREncoding((*j)->getValue());
 319         if (m_key)
 320             return true;
 321         log.warn("failed to resolve ds11:DEREncodedKeyValue");
 322     }
 323
 324
 325     if (followRefs) {
 326         // Check for KeyInfoReference.
 327         const XMLCh* fragID=nullptr;
 328         const XMLObject* treeRoot=nullptr;
 329         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 330         for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
 331             fragID = (*ref)->getURI();
 332             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 333                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 334                 continue;
 335             }
 336             if (!treeRoot) {
 337                 treeRoot = keyInfo;
 338                 while (treeRoot->getParent())
 339                     treeRoot = treeRoot->getParent();
 340             }
 341             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 342             if (!keyInfo) {
 343                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 344                 continue;
 345             }
 346             if (resolveKey(keyInfo, false))
 347                 return true;
 348         }
 349     }
 350
 351     return false;
 352 }
 353
 354 bool InlineCredential::resolveCerts(const KeyInfo* keyInfo, bool followRefs)
 355 {
 356     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 357
 358     // Check for ds:X509Data
 359     const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
 360     for (vector<X509Data*>::const_iterator j=x509Datas.begin(); m_xseccerts.empty() && j!=x509Datas.end(); ++j) {
 361         const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();
 362         for (vector<X509Certificate*>::const_iterator k=x509Certs.begin(); k!=x509Certs.end(); ++k) {
 363             try {
 364                 auto_ptr_char x((*k)->getValue());
 365                 if (!x.get()) {
 366                     log.warn("skipping empty ds:X509Certificate");
 367                 }
 368                 else {
 369                     log.debug("resolving ds:X509Certificate");
 370                     auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());
 371                     x509->loadX509Base64Bin(x.get(), strlen(x.get()));
 372                     m_xseccerts.push_back(x509.release());
 373                 }
 374             }
 375             catch(XSECException& e) {
 376                 auto_ptr_char temp(e.getMsg());
 377                 log.error("caught XML-Security exception loading certificate: %s", temp.get());
 378             }
 379             catch(XSECCryptoException& e) {
 380                 log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
 381             }
 382         }
 383     }
 384
 385     if (followRefs && m_xseccerts.empty()) {
 386         // Check for KeyInfoReference.
 387         const XMLCh* fragID=NULL;
 388         const XMLObject* treeRoot=NULL;
 389         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 390         for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
 391             fragID = (*ref)->getURI();
 392             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 393                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 394                 continue;
 395             }
 396             if (!treeRoot) {
 397                 treeRoot = keyInfo;
 398                 while (treeRoot->getParent())
 399                     treeRoot = treeRoot->getParent();
 400             }
 401             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 402             if (!keyInfo) {
 403                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 404                 continue;
 405             }
 406             if (resolveCerts(keyInfo, false))
 407                 return true;
 408         }
 409         return false;
 410     }
 411
 412     log.debug("resolved %d certificate(s)", m_xseccerts.size());
 413     return !m_xseccerts.empty();
 414 }
 415
 416 bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo, bool followRefs)
 417 {
 418     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 419
 420     // Check for ds:X509Data
 421     const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
 422     for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {
 423         const vector<X509CRL*> x509CRLs=const_cast<const X509Data*>(*j)->getX509CRLs();
 424         for (vector<X509CRL*>::const_iterator k=x509CRLs.begin(); k!=x509CRLs.end(); ++k) {
 425             try {
 426                 auto_ptr_char x((*k)->getValue());
 427                 if (!x.get()) {
 428                     log.warn("skipping empty ds:X509CRL");
 429                 }
 430                 else {
 431                     log.debug("resolving ds:X509CRL");
 432                     auto_ptr<XSECCryptoX509CRL> crl(XMLToolingConfig::getConfig().X509CRL());
 433                     crl->loadX509CRLBase64Bin(x.get(), strlen(x.get()));
 434                     m_crls.push_back(crl.release());
 435                 }
 436             }
 437             catch(XSECException& e) {
 438                 auto_ptr_char temp(e.getMsg());
 439                 log.error("caught XML-Security exception loading CRL: %s", temp.get());
 440             }
 441             catch(XSECCryptoException& e) {
 442                 log.error("caught XML-Security exception loading CRL: %s", e.getMsg());
 443             }
 444         }
 445     }
 446
 447     if (followRefs && m_crls.empty()) {
 448         // Check for KeyInfoReference.
 449         const XMLCh* fragID=NULL;
 450         const XMLObject* treeRoot=NULL;
 451         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 452         for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
 453             fragID = (*ref)->getURI();
 454             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 455                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 456                 continue;
 457             }
 458             if (!treeRoot) {
 459                 treeRoot = keyInfo;
 460                 while (treeRoot->getParent())
 461                     treeRoot = treeRoot->getParent();
 462             }
 463             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 464             if (!keyInfo) {
 465                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 466                 continue;
 467             }
 468             if (resolveCRLs(keyInfo, false))
 469                 return true;
 470         }
 471         return false;
 472     }
 473
 474     log.debug("resolved %d CRL(s)", m_crls.size());
 475     return !m_crls.empty();
 476 }
 477
 478 void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types, bool followRefs)
 479 {
 480 #ifdef _DEBUG
 481     NDC ndc("resolve");
 482 #endif
 483
 484     if (types & Credential::RESOLVE_KEYS) {
 485         // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.
 486         try {
 487             XSECKeyInfoResolverDefault def;
 488             m_key = def.resolveKey(keyInfo);
 489         }
 490         catch(XSECException& e) {
 491             auto_ptr_char temp(e.getMsg());
 492             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", temp.get());
 493         }
 494         catch(XSECCryptoException& e) {
 495             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", e.getMsg());
 496         }
 497     }
 498
 499         DSIGKeyInfoList::size_type sz = keyInfo->getSize();
 500
 501     if (types & X509Credential::RESOLVE_CERTS) {
 502         for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
 503             if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
 504                 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
 505                 int count = x509->getCertificateListSize();
 506                 if (count) {
 507                     for (int j=0; j<count; ++j)
 508                         m_xseccerts.push_back(x509->getCertificateCryptoItem(j));
 509                     break;
 510                 }
 511             }
 512         }
 513     }
 514
 515     if (types & X509Credential::RESOLVE_CRLS) {
 516         for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
 517             if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
 518 #ifdef XMLTOOLING_XMLSEC_MULTIPLECRL
 519                 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
 520                 int count = x509->getX509CRLListSize();
 521                 for (int j=0; j<count; ++j) {
 522                     auto_ptr_char buf(x509->getX509CRLItem(j));
 523                     if (buf.get()) {
 524                         try {
 525                             auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
 526                             crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
 527                             m_crls.push_back(crlobj.release());
 528                         }
 529                         catch(XSECException& e) {
 530                             auto_ptr_char temp(e.getMsg());
 531                             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
 532                         }
 533                         catch(XSECCryptoException& e) {
 534                             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
 535                         }
 536                     }
 537                 }
 538 #else
 539                 // The current xmlsec API is limited to one CRL per KeyInfo.
 540                 // For now, I'm going to process the DOM directly.
 541                 DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
 542                 DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : nullptr;
 543                 while (crlElement) {
 544                     if (crlElement->hasChildNodes()) {
 545                         auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue());
 546                         if (buf.get()) {
 547                             try {
 548                                 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
 549                                 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
 550                                 m_crls.push_back(crlobj.release());
 551                             }
 552                             catch(XSECException& e) {
 553                                 auto_ptr_char temp(e.getMsg());
 554                                 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
 555                             }
 556                             catch(XSECCryptoException& e) {
 557                                 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
 558                             }
 559                         }
 560                     }
 561                     crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME);
 562                 }
 563 #endif
 564             }
 565         }
 566     }
 567
 568     char* kn;
 569     const XMLCh* n;
 570
 571     for (size_t s=0; s<keyInfo->getSize(); s++) {
 572         DSIGKeyInfo* dki = keyInfo->item(s);
 573         n=dki->getKeyName();
 574         if (n && *n) {
 575             kn=toUTF8(n);
 576             m_keyNames.insert(kn);
 577             if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509)
 578                 m_subjectName = kn;
 579             delete[] kn;
 580         }
 581
 582         if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
 583             DSIGKeyInfoX509* kix = static_cast<DSIGKeyInfoX509*>(dki);
 584             n = kix->getX509IssuerName();
 585             if (n && *n) {
 586                 kn=toUTF8(n);
 587                 m_issuerName = kn;
 588                 delete[] kn;
 589             }
 590             n = kix->getX509IssuerSerialNumber();
 591             if (n && *n) {
 592                 auto_ptr_char sn(n);
 593                 m_serial = sn.get();
 594             }
 595         }
 596     }
 597 }