xmltooling/security/impl/InlineKeyResolver.cpp

   1 /*
   2  *  Copyright 2001-2010 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * InlineKeyResolver.cpp
  19  *
  20  * Resolves key information directly from recognized KeyInfo structures.
  21  */
  22
  23 #include "internal.h"
  24 #include "logging.h"
  25 #include "security/BasicX509Credential.h"
  26 #include "security/KeyInfoCredentialContext.h"
  27 #include "security/KeyInfoResolver.h"
  28 #include "security/SecurityHelper.h"
  29 #include "security/XSECCryptoX509CRL.h"
  30 #include "signature/KeyInfo.h"
  31 #include "signature/Signature.h"
  32 #include "util/NDC.h"
  33 #include "util/Threads.h"
  34 #include "util/XMLConstants.h"
  35 #include "validation/ValidatorSuite.h"
  36
  37 #include <xercesc/util/XMLUniDefs.hpp>
  38 #include <xsec/dsig/DSIGKeyInfoX509.hpp>
  39 #include <xsec/enc/XSECKeyInfoResolverDefault.hpp>
  40 #include <xsec/enc/XSECCryptoX509.hpp>
  41 #include <xsec/enc/XSECCryptoKeyRSA.hpp>
  42 #include <xsec/enc/XSECCryptoKeyDSA.hpp>
  43 #ifdef XMLTOOLING_XMLSEC_ECC
  44 # include <xsec/enc/XSECCryptoKeyEC.hpp>
  45 #endif
  46 #include <xsec/enc/XSECCryptoException.hpp>
  47 #include <xsec/framework/XSECException.hpp>
  48
  49 using namespace xmlsignature;
  50 using namespace xmltooling::logging;
  51 using namespace xmltooling;
  52 using namespace xercesc;
  53 using namespace std;
  54
  55 namespace xmltooling {
  56
  57     class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential
  58     {
  59     public:
  60         InlineCredential(const KeyInfo* keyInfo=nullptr) : BasicX509Credential(keyInfo!=nullptr), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
  61         }
  62         InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
  63         }
  64         InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=nullptr), m_credctx(nullptr) {
  65         }
  66         virtual ~InlineCredential() {
  67             delete m_credctx;
  68         }
  69
  70         XSECCryptoKey* getPrivateKey() const {
  71             return nullptr;
  72         }
  73
  74         KeyInfo* getKeyInfo(bool compact=false) const {
  75             KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : nullptr;
  76             if (ret) {
  77                 ret->setId(nullptr);
  78                 ret->getRetrievalMethods().clear();
  79                 ret->getKeyInfoReferences().clear();
  80                 if (compact) {
  81                     ret->getKeyValues().clear();
  82                     ret->getDEREncodedKeyValues().clear();
  83                     ret->getSPKIDatas().clear();
  84                     ret->getPGPDatas().clear();
  85                     ret->getUnknownXMLObjects().clear();
  86                     VectorOf(X509Data) x509Datas=ret->getX509Datas();
  87                     for (VectorOf(X509Data)::size_type pos = 0; pos < x509Datas.size();) {
  88                         x509Datas[pos]->getX509Certificates().clear();
  89                         x509Datas[pos]->getX509CRLs().clear();
  90                         x509Datas[pos]->getOCSPResponses().clear();
  91                         x509Datas[pos]->getUnknownXMLObjects().clear();
  92                         if (x509Datas[pos]->hasChildren())
  93                             ++pos;
  94                         else
  95                             x509Datas.erase(x509Datas.begin() + pos);
  96                     }
  97                 }
  98             }
  99             if (!ret->hasChildren()) {
 100                 delete ret;
 101                 ret = nullptr;
 102             }
 103             return ret;
 104         }
 105
 106         const CredentialContext* getCredentalContext() const {
 107             return m_credctx;
 108         }
 109
 110         void setCredentialContext(KeyInfoCredentialContext* context) {
 111             m_credctx = context;
 112         }
 113
 114         void resolve(const KeyInfo* keyInfo, int types=0, bool followRefs=false);
 115         void resolve(DSIGKeyInfoList* keyInfo, int types=0, bool followRefs=false);
 116
 117     private:
 118         bool resolveCerts(const KeyInfo* keyInfo, bool followRefs=false);
 119         bool resolveKey(const KeyInfo* keyInfo, bool followRefs=false);
 120         bool resolveCRLs(const KeyInfo* keyInfo, bool followRefs=false);
 121
 122         KeyInfoCredentialContext* m_credctx;
 123     };
 124
 125     static const XMLCh keyInfoReferences[] = UNICODE_LITERAL_17(k,e,y,I,n,f,o,R,e,f,e,r,e,n,c,e,s);
 126
 127     class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyInfoResolver
 128     {
 129     public:
 130         InlineKeyResolver(const DOMElement* e)
 131             : m_followRefs(XMLHelper::getAttrBool(e, false, keyInfoReferences)) {
 132         }
 133
 134         virtual ~InlineKeyResolver() {}
 135
 136         Credential* resolve(const KeyInfo* keyInfo, int types=0) const {
 137             if (!keyInfo)
 138                 return nullptr;
 139             if (types == 0)
 140                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 141             auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
 142             credential->resolve(keyInfo, types, m_followRefs);
 143             return credential.release();
 144         }
 145         Credential* resolve(DSIGKeyInfoList* keyInfo, int types=0) const {
 146             if (!keyInfo)
 147                 return nullptr;
 148             if (types == 0)
 149                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 150             auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
 151             credential->resolve(keyInfo, types, m_followRefs);
 152             return credential.release();
 153         }
 154         Credential* resolve(KeyInfoCredentialContext* context, int types=0) const {
 155             if (!context)
 156                 return nullptr;
 157             if (types == 0)
 158                 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
 159             auto_ptr<InlineCredential> credential(new InlineCredential(context));
 160             if (context->getKeyInfo())
 161                 credential->resolve(context->getKeyInfo(), types, m_followRefs);
 162             else if (context->getNativeKeyInfo())
 163                 credential->resolve(context->getNativeKeyInfo(), types, m_followRefs);
 164             credential->setCredentialContext(context);
 165             return credential.release();
 166         }
 167
 168     private:
 169         bool m_followRefs;
 170     };
 171
 172     KeyInfoResolver* XMLTOOL_DLLLOCAL InlineKeyInfoResolverFactory(const DOMElement* const & e)
 173     {
 174         return new InlineKeyResolver(e);
 175     }
 176 };
 177
 178 void InlineCredential::resolve(const KeyInfo* keyInfo, int types, bool followRefs)
 179 {
 180 #ifdef _DEBUG
 181     NDC ndc("resolve");
 182 #endif
 183
 184     if (types & X509Credential::RESOLVE_CERTS)
 185         resolveCerts(keyInfo, followRefs);
 186
 187     if (types & Credential::RESOLVE_KEYS) {
 188         if (types & X509Credential::RESOLVE_CERTS) {
 189             // If we have a cert, just use it.
 190             if (!m_xseccerts.empty())
 191                 m_key = m_xseccerts.front()->clonePublicKey();
 192             else
 193                 resolveKey(keyInfo, followRefs);
 194         }
 195         // Otherwise try directly for a key and then go for certs if none is found.
 196         else if (!resolveKey(keyInfo, followRefs) && resolveCerts(keyInfo, followRefs)) {
 197             m_key = m_xseccerts.front()->clonePublicKey();
 198         }
 199     }
 200
 201     if (types & X509Credential::RESOLVE_CRLS)
 202         resolveCRLs(keyInfo, followRefs);
 203
 204     const XMLCh* n;
 205     char* kn;
 206     const vector<KeyName*>& knames=keyInfo->getKeyNames();
 207     for (vector<KeyName*>::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) {
 208         n=(*kn_i)->getName();
 209         if (n && *n) {
 210             kn=toUTF8(n);
 211             m_keyNames.insert(kn);
 212             delete[] kn;
 213         }
 214     }
 215     const vector<X509Data*> datas=keyInfo->getX509Datas();
 216     for (vector<X509Data*>::const_iterator x_i=datas.begin(); x_i!=datas.end(); ++x_i) {
 217         const vector<X509SubjectName*> snames = const_cast<const X509Data*>(*x_i)->getX509SubjectNames();
 218         for (vector<X509SubjectName*>::const_iterator sn_i = snames.begin(); sn_i!=snames.end(); ++sn_i) {
 219             n = (*sn_i)->getName();
 220             if (n && *n) {
 221                 kn=toUTF8(n);
 222                 m_keyNames.insert(kn);
 223                 m_subjectName = kn;
 224                 delete[] kn;
 225             }
 226         }
 227
 228         const vector<X509IssuerSerial*> inames = const_cast<const X509Data*>(*x_i)->getX509IssuerSerials();
 229         if (!inames.empty()) {
 230             const X509IssuerName* iname = inames.front()->getX509IssuerName();
 231             if (iname) {
 232                 kn = toUTF8(iname->getName());
 233                 if (kn)
 234                     m_issuerName = kn;
 235                 delete[] kn;
 236             }
 237
 238             const X509SerialNumber* ser = inames.front()->getX509SerialNumber();
 239             if (ser) {
 240                 auto_ptr_char sn(ser->getSerialNumber());
 241                 m_serial = sn.get();
 242             }
 243         }
 244     }
 245 }
 246
 247 bool InlineCredential::resolveKey(const KeyInfo* keyInfo, bool followRefs)
 248 {
 249     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 250
 251     // Check for ds:KeyValue
 252     const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();
 253     for (vector<KeyValue*>::const_iterator i = keyValues.begin(); i != keyValues.end(); ++i) {
 254         try {
 255             SchemaValidators.validate(*i);    // see if it's a "valid" key
 256             RSAKeyValue* rsakv = (*i)->getRSAKeyValue();
 257             if (rsakv) {
 258                 log.debug("resolving ds:RSAKeyValue");
 259                 auto_ptr_char mod(rsakv->getModulus()->getValue());
 260                 auto_ptr_char exp(rsakv->getExponent()->getValue());
 261                 auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());
 262                 rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));
 263                 rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));
 264                 m_key = rsa.release();
 265                 return true;
 266             }
 267             DSAKeyValue* dsakv = (*i)->getDSAKeyValue();
 268             if (dsakv) {
 269                 log.debug("resolving ds:DSAKeyValue");
 270                 auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());
 271                 auto_ptr_char y(dsakv->getY()->getValue());
 272                 dsa->loadYBase64BigNums(y.get(), strlen(y.get()));
 273                 if (dsakv->getP()) {
 274                     auto_ptr_char p(dsakv->getP()->getValue());
 275                     dsa->loadPBase64BigNums(p.get(), strlen(p.get()));
 276                 }
 277                 if (dsakv->getQ()) {
 278                     auto_ptr_char q(dsakv->getQ()->getValue());
 279                     dsa->loadQBase64BigNums(q.get(), strlen(q.get()));
 280                 }
 281                 if (dsakv->getG()) {
 282                     auto_ptr_char g(dsakv->getG()->getValue());
 283                     dsa->loadGBase64BigNums(g.get(), strlen(g.get()));
 284                 }
 285                 m_key = dsa.release();
 286                 return true;
 287             }
 288 #ifdef XMLTOOLING_XMLSEC_ECC
 289             ECKeyValue* eckv = (*i)->getECKeyValue();
 290             if (eckv && eckv->getNamedCurve() && eckv->getPublicKey()) {
 291                 log.warn("resolving ds11:ECKeyValue");
 292                 auto_ptr<XSECCryptoKeyEC> ec(XSECPlatformUtils::g_cryptoProvider->keyEC());
 293                 auto_ptr_char uri(eckv->getNamedCurve()->getURI());
 294                 auto_ptr_char val(eckv->getPublicKey()->getValue());
 295                 if (uri.get() && val.get()) {
 296                     ec->loadPublicKeyBase64(uri.get(), val.get(), XMLString::stringLen(val.get()));
 297                     m_key = ec.release();
 298                     return true;
 299                 }
 300             }
 301 #endif
 302         }
 303         catch (ValidationException& ex) {
 304             log.warn("skipping invalid ds:KeyValue (%s)", ex.what());
 305         }
 306         catch(XSECException& e) {
 307             auto_ptr_char temp(e.getMsg());
 308             log.error("caught XML-Security exception loading key: %s", temp.get());
 309         }
 310         catch(XSECCryptoException& e) {
 311             log.error("caught XML-Security exception loading key: %s", e.getMsg());
 312         }
 313     }
 314
 315     // Check for ds11:DEREncodedKeyValue
 316     const vector<DEREncodedKeyValue*>& derValues = keyInfo->getDEREncodedKeyValues();
 317     for (vector<DEREncodedKeyValue*>::const_iterator j = derValues.begin(); j != derValues.end(); ++j) {
 318         log.debug("resolving ds11:DEREncodedKeyValue");
 319         m_key = SecurityHelper::fromDEREncoding((*j)->getValue());
 320         if (m_key)
 321             return true;
 322         log.warn("failed to resolve ds11:DEREncodedKeyValue");
 323     }
 324
 325
 326     if (followRefs) {
 327         // Check for KeyInfoReference.
 328         const XMLCh* fragID=nullptr;
 329         const XMLObject* treeRoot=nullptr;
 330         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 331         for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
 332             fragID = (*ref)->getURI();
 333             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 334                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 335                 continue;
 336             }
 337             if (!treeRoot) {
 338                 treeRoot = keyInfo;
 339                 while (treeRoot->getParent())
 340                     treeRoot = treeRoot->getParent();
 341             }
 342             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 343             if (!keyInfo) {
 344                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 345                 continue;
 346             }
 347             if (resolveKey(keyInfo, false))
 348                 return true;
 349         }
 350     }
 351
 352     return false;
 353 }
 354
 355 bool InlineCredential::resolveCerts(const KeyInfo* keyInfo, bool followRefs)
 356 {
 357     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 358
 359     // Check for ds:X509Data
 360     const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
 361     for (vector<X509Data*>::const_iterator j=x509Datas.begin(); m_xseccerts.empty() && j!=x509Datas.end(); ++j) {
 362         const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();
 363         for (vector<X509Certificate*>::const_iterator k=x509Certs.begin(); k!=x509Certs.end(); ++k) {
 364             try {
 365                 auto_ptr_char x((*k)->getValue());
 366                 if (!x.get()) {
 367                     log.warn("skipping empty ds:X509Certificate");
 368                 }
 369                 else {
 370                     log.debug("resolving ds:X509Certificate");
 371                     auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());
 372                     x509->loadX509Base64Bin(x.get(), strlen(x.get()));
 373                     m_xseccerts.push_back(x509.release());
 374                 }
 375             }
 376             catch(XSECException& e) {
 377                 auto_ptr_char temp(e.getMsg());
 378                 log.error("caught XML-Security exception loading certificate: %s", temp.get());
 379             }
 380             catch(XSECCryptoException& e) {
 381                 log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
 382             }
 383         }
 384     }
 385
 386     if (followRefs && m_xseccerts.empty()) {
 387         // Check for KeyInfoReference.
 388         const XMLCh* fragID=NULL;
 389         const XMLObject* treeRoot=NULL;
 390         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 391         for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
 392             fragID = (*ref)->getURI();
 393             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 394                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 395                 continue;
 396             }
 397             if (!treeRoot) {
 398                 treeRoot = keyInfo;
 399                 while (treeRoot->getParent())
 400                     treeRoot = treeRoot->getParent();
 401             }
 402             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 403             if (!keyInfo) {
 404                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 405                 continue;
 406             }
 407             if (resolveCerts(keyInfo, false))
 408                 return true;
 409         }
 410         return false;
 411     }
 412
 413     log.debug("resolved %d certificate(s)", m_xseccerts.size());
 414     return !m_xseccerts.empty();
 415 }
 416
 417 bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo, bool followRefs)
 418 {
 419     Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
 420
 421     // Check for ds:X509Data
 422     const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
 423     for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {
 424         const vector<X509CRL*> x509CRLs=const_cast<const X509Data*>(*j)->getX509CRLs();
 425         for (vector<X509CRL*>::const_iterator k=x509CRLs.begin(); k!=x509CRLs.end(); ++k) {
 426             try {
 427                 auto_ptr_char x((*k)->getValue());
 428                 if (!x.get()) {
 429                     log.warn("skipping empty ds:X509CRL");
 430                 }
 431                 else {
 432                     log.debug("resolving ds:X509CRL");
 433                     auto_ptr<XSECCryptoX509CRL> crl(XMLToolingConfig::getConfig().X509CRL());
 434                     crl->loadX509CRLBase64Bin(x.get(), strlen(x.get()));
 435                     m_crls.push_back(crl.release());
 436                 }
 437             }
 438             catch(XSECException& e) {
 439                 auto_ptr_char temp(e.getMsg());
 440                 log.error("caught XML-Security exception loading CRL: %s", temp.get());
 441             }
 442             catch(XSECCryptoException& e) {
 443                 log.error("caught XML-Security exception loading CRL: %s", e.getMsg());
 444             }
 445         }
 446     }
 447
 448     if (followRefs && m_crls.empty()) {
 449         // Check for KeyInfoReference.
 450         const XMLCh* fragID=NULL;
 451         const XMLObject* treeRoot=NULL;
 452         const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
 453         for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
 454             fragID = (*ref)->getURI();
 455             if (!fragID || *fragID != chPound || !*(fragID+1)) {
 456                 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
 457                 continue;
 458             }
 459             if (!treeRoot) {
 460                 treeRoot = keyInfo;
 461                 while (treeRoot->getParent())
 462                     treeRoot = treeRoot->getParent();
 463             }
 464             keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
 465             if (!keyInfo) {
 466                 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
 467                 continue;
 468             }
 469             if (resolveCRLs(keyInfo, false))
 470                 return true;
 471         }
 472         return false;
 473     }
 474
 475     log.debug("resolved %d CRL(s)", m_crls.size());
 476     return !m_crls.empty();
 477 }
 478
 479 void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types, bool followRefs)
 480 {
 481 #ifdef _DEBUG
 482     NDC ndc("resolve");
 483 #endif
 484
 485     if (types & Credential::RESOLVE_KEYS) {
 486         // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.
 487         try {
 488             XSECKeyInfoResolverDefault def;
 489             m_key = def.resolveKey(keyInfo);
 490         }
 491         catch(XSECException& e) {
 492             auto_ptr_char temp(e.getMsg());
 493             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", temp.get());
 494         }
 495         catch(XSECCryptoException& e) {
 496             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", e.getMsg());
 497         }
 498     }
 499
 500         DSIGKeyInfoList::size_type sz = keyInfo->getSize();
 501
 502     if (types & X509Credential::RESOLVE_CERTS) {
 503         for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
 504             if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
 505                 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
 506                 int count = x509->getCertificateListSize();
 507                 if (count) {
 508                     for (int j=0; j<count; ++j)
 509                         m_xseccerts.push_back(x509->getCertificateCryptoItem(j));
 510                     break;
 511                 }
 512             }
 513         }
 514     }
 515
 516     if (types & X509Credential::RESOLVE_CRLS) {
 517         for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
 518             if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
 519 #ifdef XMLTOOLING_XMLSEC_MULTIPLECRL
 520                 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
 521                 int count = x509->getX509CRLListSize();
 522                 for (int j=0; j<count; ++j) {
 523                     auto_ptr_char buf(x509->getX509CRLItem(j));
 524                     if (buf.get()) {
 525                         try {
 526                             auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
 527                             crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
 528                             m_crls.push_back(crlobj.release());
 529                         }
 530                         catch(XSECException& e) {
 531                             auto_ptr_char temp(e.getMsg());
 532                             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
 533                         }
 534                         catch(XSECCryptoException& e) {
 535                             Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
 536                         }
 537                     }
 538                 }
 539 #else
 540                 // The current xmlsec API is limited to one CRL per KeyInfo.
 541                 // For now, I'm going to process the DOM directly.
 542                 DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
 543                 DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : nullptr;
 544                 while (crlElement) {
 545                     if (crlElement->hasChildNodes()) {
 546                         auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue());
 547                         if (buf.get()) {
 548                             try {
 549                                 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
 550                                 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
 551                                 m_crls.push_back(crlobj.release());
 552                             }
 553                             catch(XSECException& e) {
 554                                 auto_ptr_char temp(e.getMsg());
 555                                 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
 556                             }
 557                             catch(XSECCryptoException& e) {
 558                                 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
 559                             }
 560                         }
 561                     }
 562                     crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME);
 563                 }
 564 #endif
 565             }
 566         }
 567     }
 568
 569     char* kn;
 570     const XMLCh* n;
 571
 572     for (size_t s=0; s<keyInfo->getSize(); s++) {
 573         DSIGKeyInfo* dki = keyInfo->item(s);
 574         n=dki->getKeyName();
 575         if (n && *n) {
 576             kn=toUTF8(n);
 577             m_keyNames.insert(kn);
 578             if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509)
 579                 m_subjectName = kn;
 580             delete[] kn;
 581         }
 582
 583         if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
 584             DSIGKeyInfoX509* kix = static_cast<DSIGKeyInfoX509*>(dki);
 585             n = kix->getX509IssuerName();
 586             if (n && *n) {
 587                 kn=toUTF8(n);
 588                 m_issuerName = kn;
 589                 delete[] kn;
 590             }
 591             n = kix->getX509IssuerSerialNumber();
 592             if (n && *n) {
 593                 auto_ptr_char sn(n);
 594                 m_serial = sn.get();
 595             }
 596         }
 597     }
 598 }