2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * InlineKeyResolver.cpp
20 * Resolves key information directly from recognized KeyInfo structures.
25 #include "security/BasicX509Credential.h"
26 #include "security/KeyInfoCredentialContext.h"
27 #include "security/KeyInfoResolver.h"
28 #include "security/XSECCryptoX509CRL.h"
29 #include "signature/KeyInfo.h"
30 #include "signature/Signature.h"
32 #include "util/Threads.h"
33 #include "util/XMLConstants.h"
34 #include "validation/ValidatorSuite.h"
36 #include <xercesc/util/XMLUniDefs.hpp>
37 #include <xsec/dsig/DSIGKeyInfoX509.hpp>
38 #include <xsec/enc/XSECKeyInfoResolverDefault.hpp>
39 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
40 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
41 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
42 #include <xsec/enc/XSECCryptoException.hpp>
43 #include <xsec/framework/XSECException.hpp>
45 using namespace xmlsignature;
46 using namespace xmltooling::logging;
47 using namespace xmltooling;
48 using namespace xercesc;
51 namespace xmltooling {
53 class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential
56 InlineCredential(const KeyInfo* keyInfo=NULL) : BasicX509Credential(keyInfo!=NULL), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
58 InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
60 InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=NULL), m_credctx(NULL) {
62 virtual ~InlineCredential() {
66 XSECCryptoKey* getPrivateKey() const {
70 KeyInfo* getKeyInfo(bool compact=false) const {
71 KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : NULL;
74 ret->getRetrievalMethods().clear();
76 ret->getKeyValues().clear();
77 ret->getSPKIDatas().clear();
78 ret->getPGPDatas().clear();
79 ret->getUnknownXMLObjects().clear();
80 VectorOf(X509Data) x509Datas=ret->getX509Datas();
81 for (VectorOf(X509Data)::size_type pos = 0; pos < x509Datas.size();) {
82 x509Datas[pos]->getX509Certificates().clear();
83 x509Datas[pos]->getX509CRLs().clear();
84 x509Datas[pos]->getUnknownXMLObjects().clear();
85 if (x509Datas[pos]->hasChildren())
88 x509Datas.erase(x509Datas.begin() + pos);
92 if (!ret->hasChildren()) {
99 const CredentialContext* getCredentalContext() const {
103 void setCredentialContext(KeyInfoCredentialContext* context) {
107 void resolve(const KeyInfo* keyInfo, int types=0);
108 void resolve(DSIGKeyInfoList* keyInfo, int types=0);
111 bool resolveCerts(const KeyInfo* keyInfo);
112 bool resolveKey(const KeyInfo* keyInfo);
113 bool resolveCRLs(const KeyInfo* keyInfo);
115 KeyInfoCredentialContext* m_credctx;
118 class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyInfoResolver
121 InlineKeyResolver() {}
122 virtual ~InlineKeyResolver() {}
124 Credential* resolve(const KeyInfo* keyInfo, int types=0) const {
128 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
129 auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
130 credential->resolve(keyInfo, types);
131 return credential.release();
133 Credential* resolve(DSIGKeyInfoList* keyInfo, int types=0) const {
137 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
138 auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
139 credential->resolve(keyInfo, types);
140 return credential.release();
142 Credential* resolve(KeyInfoCredentialContext* context, int types=0) const {
146 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
147 auto_ptr<InlineCredential> credential(new InlineCredential(context));
148 if (context->getKeyInfo())
149 credential->resolve(context->getKeyInfo(), types);
150 else if (context->getNativeKeyInfo())
151 credential->resolve(context->getNativeKeyInfo(), types);
152 credential->setCredentialContext(context);
153 return credential.release();
157 KeyInfoResolver* XMLTOOL_DLLLOCAL InlineKeyInfoResolverFactory(const DOMElement* const & e)
159 return new InlineKeyResolver();
163 void InlineCredential::resolve(const KeyInfo* keyInfo, int types)
169 if (types & X509Credential::RESOLVE_CERTS)
170 resolveCerts(keyInfo);
172 if (types & Credential::RESOLVE_KEYS) {
173 if (types & X509Credential::RESOLVE_CERTS) {
174 // If we have a cert, just use it.
175 if (!m_xseccerts.empty())
176 m_key = m_xseccerts.front()->clonePublicKey();
180 // Otherwise try directly for a key and then go for certs if none is found.
181 else if (!resolveKey(keyInfo) && resolveCerts(keyInfo)) {
182 m_key = m_xseccerts.front()->clonePublicKey();
186 if (types & X509Credential::RESOLVE_CRLS)
187 resolveCRLs(keyInfo);
191 const vector<KeyName*>& knames=keyInfo->getKeyNames();
192 for (vector<KeyName*>::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) {
193 n=(*kn_i)->getName();
196 m_keyNames.insert(kn);
200 const vector<X509Data*> datas=keyInfo->getX509Datas();
201 for (vector<X509Data*>::const_iterator x_i=datas.begin(); x_i!=datas.end(); ++x_i) {
202 const vector<X509SubjectName*> snames = const_cast<const X509Data*>(*x_i)->getX509SubjectNames();
203 for (vector<X509SubjectName*>::const_iterator sn_i = snames.begin(); sn_i!=snames.end(); ++sn_i) {
204 n = (*sn_i)->getName();
207 m_keyNames.insert(kn);
213 const vector<X509IssuerSerial*> inames = const_cast<const X509Data*>(*x_i)->getX509IssuerSerials();
214 if (!inames.empty()) {
215 const X509IssuerName* iname = inames.front()->getX509IssuerName();
217 kn = toUTF8(iname->getName());
223 const X509SerialNumber* ser = inames.front()->getX509SerialNumber();
225 auto_ptr_char sn(ser->getSerialNumber());
232 bool InlineCredential::resolveKey(const KeyInfo* keyInfo)
234 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
236 // Check for ds:KeyValue
237 const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();
238 for (vector<KeyValue*>::const_iterator i=keyValues.begin(); i!=keyValues.end(); ++i) {
240 SchemaValidators.validate(*i); // see if it's a "valid" key
241 RSAKeyValue* rsakv = (*i)->getRSAKeyValue();
243 log.debug("resolving ds:RSAKeyValue");
244 auto_ptr_char mod(rsakv->getModulus()->getValue());
245 auto_ptr_char exp(rsakv->getExponent()->getValue());
246 auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());
247 rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));
248 rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));
249 m_key = rsa.release();
252 DSAKeyValue* dsakv = (*i)->getDSAKeyValue();
254 log.debug("resolving ds:DSAKeyValue");
255 auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());
256 auto_ptr_char y(dsakv->getY()->getValue());
257 dsa->loadYBase64BigNums(y.get(), strlen(y.get()));
259 auto_ptr_char p(dsakv->getP()->getValue());
260 dsa->loadPBase64BigNums(p.get(), strlen(p.get()));
263 auto_ptr_char q(dsakv->getQ()->getValue());
264 dsa->loadQBase64BigNums(q.get(), strlen(q.get()));
267 auto_ptr_char g(dsakv->getG()->getValue());
268 dsa->loadGBase64BigNums(g.get(), strlen(g.get()));
270 m_key = dsa.release();
274 catch (ValidationException& ex) {
275 log.warn("skipping invalid ds:KeyValue (%s)", ex.what());
277 catch(XSECException& e) {
278 auto_ptr_char temp(e.getMsg());
279 log.error("caught XML-Security exception loading key: %s", temp.get());
281 catch(XSECCryptoException& e) {
282 log.error("caught XML-Security exception loading key: %s", e.getMsg());
289 bool InlineCredential::resolveCerts(const KeyInfo* keyInfo)
291 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
293 // Check for ds:X509Data
294 const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
295 for (vector<X509Data*>::const_iterator j=x509Datas.begin(); m_xseccerts.empty() && j!=x509Datas.end(); ++j) {
296 const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();
297 for (vector<X509Certificate*>::const_iterator k=x509Certs.begin(); k!=x509Certs.end(); ++k) {
299 auto_ptr_char x((*k)->getValue());
301 log.warn("skipping empty ds:X509Certificate");
304 log.debug("resolving ds:X509Certificate");
305 auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());
306 x509->loadX509Base64Bin(x.get(), strlen(x.get()));
307 m_xseccerts.push_back(x509.release());
310 catch(XSECException& e) {
311 auto_ptr_char temp(e.getMsg());
312 log.error("caught XML-Security exception loading certificate: %s", temp.get());
314 catch(XSECCryptoException& e) {
315 log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
320 log.debug("resolved %d certificate(s)", m_xseccerts.size());
321 return !m_xseccerts.empty();
324 bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo)
326 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
328 // Check for ds:X509Data
329 const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
330 for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {
331 const vector<X509CRL*> x509CRLs=const_cast<const X509Data*>(*j)->getX509CRLs();
332 for (vector<X509CRL*>::const_iterator k=x509CRLs.begin(); k!=x509CRLs.end(); ++k) {
334 auto_ptr_char x((*k)->getValue());
336 log.warn("skipping empty ds:X509CRL");
339 log.debug("resolving ds:X509CRL");
340 auto_ptr<XSECCryptoX509CRL> crl(XMLToolingConfig::getConfig().X509CRL());
341 crl->loadX509CRLBase64Bin(x.get(), strlen(x.get()));
342 m_crls.push_back(crl.release());
345 catch(XSECException& e) {
346 auto_ptr_char temp(e.getMsg());
347 log.error("caught XML-Security exception loading CRL: %s", temp.get());
349 catch(XSECCryptoException& e) {
350 log.error("caught XML-Security exception loading CRL: %s", e.getMsg());
355 log.debug("resolved %d CRL(s)", m_crls.size());
356 return !m_crls.empty();
359 void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types)
365 if (types & Credential::RESOLVE_KEYS) {
366 // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.
368 XSECKeyInfoResolverDefault def;
369 m_key = def.resolveKey(keyInfo);
371 catch(XSECException& e) {
372 auto_ptr_char temp(e.getMsg());
373 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", temp.get());
375 catch(XSECCryptoException& e) {
376 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", e.getMsg());
380 DSIGKeyInfoList::size_type sz = keyInfo->getSize();
382 if (types & X509Credential::RESOLVE_CERTS) {
383 for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
384 if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
385 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
386 int count = x509->getCertificateListSize();
388 for (int j=0; j<count; ++j)
389 m_xseccerts.push_back(x509->getCertificateCryptoItem(j));
396 if (types & X509Credential::RESOLVE_CRLS) {
397 for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
398 if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
399 #ifdef XMLTOOLING_XMLSEC_MULTIPLECRL
400 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
401 int count = x509->getX509CRLListSize();
402 for (int j=0; j<count; ++j) {
403 auto_ptr_char buf(x509->getX509CRLItem(j));
406 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
407 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
408 m_crls.push_back(crlobj.release());
410 catch(XSECException& e) {
411 auto_ptr_char temp(e.getMsg());
412 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
414 catch(XSECCryptoException& e) {
415 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
420 // The current xmlsec API is limited to one CRL per KeyInfo.
421 // For now, I'm going to process the DOM directly.
422 DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
423 DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : NULL;
425 if (crlElement->hasChildNodes()) {
426 auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue());
429 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
430 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
431 m_crls.push_back(crlobj.release());
433 catch(XSECException& e) {
434 auto_ptr_char temp(e.getMsg());
435 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
437 catch(XSECCryptoException& e) {
438 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
442 crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME);
452 for (size_t s=0; s<keyInfo->getSize(); s++) {
453 DSIGKeyInfo* dki = keyInfo->item(s);
457 m_keyNames.insert(kn);
458 if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509)
463 if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
464 DSIGKeyInfoX509* kix = static_cast<DSIGKeyInfoX509*>(dki);
465 n = kix->getX509IssuerName();
471 n = kix->getX509IssuerSerialNumber();