2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * InlineKeyResolver.cpp
20 * Resolves key information directly from recognized KeyInfo structures.
25 #include "security/BasicX509Credential.h"
26 #include "security/KeyInfoCredentialContext.h"
27 #include "security/KeyInfoResolver.h"
28 #include "security/SecurityHelper.h"
29 #include "security/XSECCryptoX509CRL.h"
30 #include "signature/KeyInfo.h"
31 #include "signature/Signature.h"
33 #include "util/Threads.h"
34 #include "util/XMLConstants.h"
35 #include "validation/ValidatorSuite.h"
37 #include <xercesc/util/XMLUniDefs.hpp>
38 #include <xsec/dsig/DSIGKeyInfoX509.hpp>
39 #include <xsec/enc/XSECKeyInfoResolverDefault.hpp>
40 #include <xsec/enc/XSECCryptoX509.hpp>
41 #include <xsec/enc/XSECCryptoKeyRSA.hpp>
42 #include <xsec/enc/XSECCryptoKeyDSA.hpp>
43 #include <xsec/enc/XSECCryptoException.hpp>
44 #include <xsec/framework/XSECException.hpp>
46 using namespace xmlsignature;
47 using namespace xmltooling::logging;
48 using namespace xmltooling;
49 using namespace xercesc;
52 namespace xmltooling {
54 class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential
57 InlineCredential(const KeyInfo* keyInfo=nullptr) : BasicX509Credential(keyInfo!=nullptr), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
59 InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
61 InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=nullptr), m_credctx(nullptr) {
63 virtual ~InlineCredential() {
67 XSECCryptoKey* getPrivateKey() const {
71 KeyInfo* getKeyInfo(bool compact=false) const {
72 KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : nullptr;
75 ret->getRetrievalMethods().clear();
76 ret->getKeyInfoReferences().clear();
78 ret->getKeyValues().clear();
79 ret->getDEREncodedKeyValues().clear();
80 ret->getSPKIDatas().clear();
81 ret->getPGPDatas().clear();
82 ret->getUnknownXMLObjects().clear();
83 VectorOf(X509Data) x509Datas=ret->getX509Datas();
84 for (VectorOf(X509Data)::size_type pos = 0; pos < x509Datas.size();) {
85 x509Datas[pos]->getX509Certificates().clear();
86 x509Datas[pos]->getX509CRLs().clear();
87 x509Datas[pos]->getOCSPResponses().clear();
88 x509Datas[pos]->getUnknownXMLObjects().clear();
89 if (x509Datas[pos]->hasChildren())
92 x509Datas.erase(x509Datas.begin() + pos);
96 if (!ret->hasChildren()) {
103 const CredentialContext* getCredentalContext() const {
107 void setCredentialContext(KeyInfoCredentialContext* context) {
111 void resolve(const KeyInfo* keyInfo, int types=0, bool followRefs=false);
112 void resolve(DSIGKeyInfoList* keyInfo, int types=0, bool followRefs=false);
115 bool resolveCerts(const KeyInfo* keyInfo, bool followRefs=false);
116 bool resolveKey(const KeyInfo* keyInfo, bool followRefs=false);
117 bool resolveCRLs(const KeyInfo* keyInfo, bool followRefs=false);
119 KeyInfoCredentialContext* m_credctx;
122 static const XMLCh keyInfoReferences[] = UNICODE_LITERAL_17(k,e,y,I,n,f,o,R,e,f,e,r,e,n,c,e,s);
124 class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyInfoResolver
127 InlineKeyResolver(const DOMElement* e)
128 : m_followRefs(XMLHelper::getNodeValueAsBool(e ? e->getAttributeNodeNS(nullptr, keyInfoReferences) : nullptr, false)) {
131 virtual ~InlineKeyResolver() {}
133 Credential* resolve(const KeyInfo* keyInfo, int types=0) const {
137 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
138 auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
139 credential->resolve(keyInfo, types, m_followRefs);
140 return credential.release();
142 Credential* resolve(DSIGKeyInfoList* keyInfo, int types=0) const {
146 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
147 auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
148 credential->resolve(keyInfo, types, m_followRefs);
149 return credential.release();
151 Credential* resolve(KeyInfoCredentialContext* context, int types=0) const {
155 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
156 auto_ptr<InlineCredential> credential(new InlineCredential(context));
157 if (context->getKeyInfo())
158 credential->resolve(context->getKeyInfo(), types, m_followRefs);
159 else if (context->getNativeKeyInfo())
160 credential->resolve(context->getNativeKeyInfo(), types, m_followRefs);
161 credential->setCredentialContext(context);
162 return credential.release();
169 KeyInfoResolver* XMLTOOL_DLLLOCAL InlineKeyInfoResolverFactory(const DOMElement* const & e)
171 return new InlineKeyResolver(e);
175 void InlineCredential::resolve(const KeyInfo* keyInfo, int types, bool followRefs)
181 if (types & X509Credential::RESOLVE_CERTS)
182 resolveCerts(keyInfo, followRefs);
184 if (types & Credential::RESOLVE_KEYS) {
185 if (types & X509Credential::RESOLVE_CERTS) {
186 // If we have a cert, just use it.
187 if (!m_xseccerts.empty())
188 m_key = m_xseccerts.front()->clonePublicKey();
190 resolveKey(keyInfo, followRefs);
192 // Otherwise try directly for a key and then go for certs if none is found.
193 else if (!resolveKey(keyInfo, followRefs) && resolveCerts(keyInfo, followRefs)) {
194 m_key = m_xseccerts.front()->clonePublicKey();
198 if (types & X509Credential::RESOLVE_CRLS)
199 resolveCRLs(keyInfo, followRefs);
203 const vector<KeyName*>& knames=keyInfo->getKeyNames();
204 for (vector<KeyName*>::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) {
205 n=(*kn_i)->getName();
208 m_keyNames.insert(kn);
212 const vector<X509Data*> datas=keyInfo->getX509Datas();
213 for (vector<X509Data*>::const_iterator x_i=datas.begin(); x_i!=datas.end(); ++x_i) {
214 const vector<X509SubjectName*> snames = const_cast<const X509Data*>(*x_i)->getX509SubjectNames();
215 for (vector<X509SubjectName*>::const_iterator sn_i = snames.begin(); sn_i!=snames.end(); ++sn_i) {
216 n = (*sn_i)->getName();
219 m_keyNames.insert(kn);
225 const vector<X509IssuerSerial*> inames = const_cast<const X509Data*>(*x_i)->getX509IssuerSerials();
226 if (!inames.empty()) {
227 const X509IssuerName* iname = inames.front()->getX509IssuerName();
229 kn = toUTF8(iname->getName());
235 const X509SerialNumber* ser = inames.front()->getX509SerialNumber();
237 auto_ptr_char sn(ser->getSerialNumber());
244 bool InlineCredential::resolveKey(const KeyInfo* keyInfo, bool followRefs)
246 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
248 // Check for ds:KeyValue
249 const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();
250 for (vector<KeyValue*>::const_iterator i = keyValues.begin(); i != keyValues.end(); ++i) {
252 SchemaValidators.validate(*i); // see if it's a "valid" key
253 RSAKeyValue* rsakv = (*i)->getRSAKeyValue();
255 log.debug("resolving ds:RSAKeyValue");
256 auto_ptr_char mod(rsakv->getModulus()->getValue());
257 auto_ptr_char exp(rsakv->getExponent()->getValue());
258 auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());
259 rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));
260 rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));
261 m_key = rsa.release();
264 DSAKeyValue* dsakv = (*i)->getDSAKeyValue();
266 log.debug("resolving ds:DSAKeyValue");
267 auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());
268 auto_ptr_char y(dsakv->getY()->getValue());
269 dsa->loadYBase64BigNums(y.get(), strlen(y.get()));
271 auto_ptr_char p(dsakv->getP()->getValue());
272 dsa->loadPBase64BigNums(p.get(), strlen(p.get()));
275 auto_ptr_char q(dsakv->getQ()->getValue());
276 dsa->loadQBase64BigNums(q.get(), strlen(q.get()));
279 auto_ptr_char g(dsakv->getG()->getValue());
280 dsa->loadGBase64BigNums(g.get(), strlen(g.get()));
282 m_key = dsa.release();
285 ECKeyValue* eckv = (*i)->getECKeyValue();
287 log.warn("skipping ds11:ECKeyValue, not yet supported");
290 catch (ValidationException& ex) {
291 log.warn("skipping invalid ds:KeyValue (%s)", ex.what());
293 catch(XSECException& e) {
294 auto_ptr_char temp(e.getMsg());
295 log.error("caught XML-Security exception loading key: %s", temp.get());
297 catch(XSECCryptoException& e) {
298 log.error("caught XML-Security exception loading key: %s", e.getMsg());
302 // Check for ds11:DEREncodedKeyValue
303 const vector<DEREncodedKeyValue*>& derValues = keyInfo->getDEREncodedKeyValues();
304 for (vector<DEREncodedKeyValue*>::const_iterator j = derValues.begin(); j != derValues.end(); ++j) {
305 log.debug("resolving ds11:DEREncodedKeyValue");
306 m_key = SecurityHelper::fromDEREncoding((*j)->getValue());
309 log.warn("failed to resolve ds11:DEREncodedKeyValue");
314 // Check for KeyInfoReference.
315 const XMLCh* fragID=NULL;
316 const XMLObject* treeRoot=NULL;
317 const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
318 for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
319 fragID = (*ref)->getURI();
320 if (!fragID || *fragID != chPound || !*(fragID+1)) {
321 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
326 while (treeRoot->getParent())
327 treeRoot = treeRoot->getParent();
329 keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
331 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
334 if (resolveKey(keyInfo, false))
342 bool InlineCredential::resolveCerts(const KeyInfo* keyInfo, bool followRefs)
344 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
346 // Check for ds:X509Data
347 const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
348 for (vector<X509Data*>::const_iterator j=x509Datas.begin(); m_xseccerts.empty() && j!=x509Datas.end(); ++j) {
349 const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();
350 for (vector<X509Certificate*>::const_iterator k=x509Certs.begin(); k!=x509Certs.end(); ++k) {
352 auto_ptr_char x((*k)->getValue());
354 log.warn("skipping empty ds:X509Certificate");
357 log.debug("resolving ds:X509Certificate");
358 auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());
359 x509->loadX509Base64Bin(x.get(), strlen(x.get()));
360 m_xseccerts.push_back(x509.release());
363 catch(XSECException& e) {
364 auto_ptr_char temp(e.getMsg());
365 log.error("caught XML-Security exception loading certificate: %s", temp.get());
367 catch(XSECCryptoException& e) {
368 log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
373 if (followRefs && m_xseccerts.empty()) {
374 // Check for KeyInfoReference.
375 const XMLCh* fragID=NULL;
376 const XMLObject* treeRoot=NULL;
377 const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
378 for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
379 fragID = (*ref)->getURI();
380 if (!fragID || *fragID != chPound || !*(fragID+1)) {
381 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
386 while (treeRoot->getParent())
387 treeRoot = treeRoot->getParent();
389 keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
391 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
394 if (resolveCerts(keyInfo, false))
400 log.debug("resolved %d certificate(s)", m_xseccerts.size());
401 return !m_xseccerts.empty();
404 bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo, bool followRefs)
406 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
408 // Check for ds:X509Data
409 const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
410 for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {
411 const vector<X509CRL*> x509CRLs=const_cast<const X509Data*>(*j)->getX509CRLs();
412 for (vector<X509CRL*>::const_iterator k=x509CRLs.begin(); k!=x509CRLs.end(); ++k) {
414 auto_ptr_char x((*k)->getValue());
416 log.warn("skipping empty ds:X509CRL");
419 log.debug("resolving ds:X509CRL");
420 auto_ptr<XSECCryptoX509CRL> crl(XMLToolingConfig::getConfig().X509CRL());
421 crl->loadX509CRLBase64Bin(x.get(), strlen(x.get()));
422 m_crls.push_back(crl.release());
425 catch(XSECException& e) {
426 auto_ptr_char temp(e.getMsg());
427 log.error("caught XML-Security exception loading CRL: %s", temp.get());
429 catch(XSECCryptoException& e) {
430 log.error("caught XML-Security exception loading CRL: %s", e.getMsg());
435 if (followRefs && m_crls.empty()) {
436 // Check for KeyInfoReference.
437 const XMLCh* fragID=NULL;
438 const XMLObject* treeRoot=NULL;
439 const vector<KeyInfoReference*>& refs = keyInfo->getKeyInfoReferences();
440 for (vector<KeyInfoReference*>::const_iterator ref = refs.begin(); ref != refs.end(); ++ref) {
441 fragID = (*ref)->getURI();
442 if (!fragID || *fragID != chPound || !*(fragID+1)) {
443 log.warn("skipping ds11:KeyInfoReference with an empty or non-local reference");
448 while (treeRoot->getParent())
449 treeRoot = treeRoot->getParent();
451 keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
453 log.warn("skipping ds11:KeyInfoReference, local reference did not resolve to a ds:KeyInfo");
456 if (resolveCRLs(keyInfo, false))
462 log.debug("resolved %d CRL(s)", m_crls.size());
463 return !m_crls.empty();
466 void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types, bool followRefs)
472 if (types & Credential::RESOLVE_KEYS) {
473 // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.
475 XSECKeyInfoResolverDefault def;
476 m_key = def.resolveKey(keyInfo);
478 catch(XSECException& e) {
479 auto_ptr_char temp(e.getMsg());
480 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", temp.get());
482 catch(XSECCryptoException& e) {
483 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading certificate: %s", e.getMsg());
487 DSIGKeyInfoList::size_type sz = keyInfo->getSize();
489 if (types & X509Credential::RESOLVE_CERTS) {
490 for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
491 if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
492 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
493 int count = x509->getCertificateListSize();
495 for (int j=0; j<count; ++j)
496 m_xseccerts.push_back(x509->getCertificateCryptoItem(j));
503 if (types & X509Credential::RESOLVE_CRLS) {
504 for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
505 if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
506 #ifdef XMLTOOLING_XMLSEC_MULTIPLECRL
507 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
508 int count = x509->getX509CRLListSize();
509 for (int j=0; j<count; ++j) {
510 auto_ptr_char buf(x509->getX509CRLItem(j));
513 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
514 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
515 m_crls.push_back(crlobj.release());
517 catch(XSECException& e) {
518 auto_ptr_char temp(e.getMsg());
519 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
521 catch(XSECCryptoException& e) {
522 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
527 // The current xmlsec API is limited to one CRL per KeyInfo.
528 // For now, I'm going to process the DOM directly.
529 DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
530 DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : nullptr;
532 if (crlElement->hasChildNodes()) {
533 auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue());
536 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
537 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
538 m_crls.push_back(crlobj.release());
540 catch(XSECException& e) {
541 auto_ptr_char temp(e.getMsg());
542 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
544 catch(XSECCryptoException& e) {
545 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
549 crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME);
559 for (size_t s=0; s<keyInfo->getSize(); s++) {
560 DSIGKeyInfo* dki = keyInfo->item(s);
564 m_keyNames.insert(kn);
565 if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509)
570 if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
571 DSIGKeyInfoX509* kix = static_cast<DSIGKeyInfoX509*>(dki);
572 n = kix->getX509IssuerName();
578 n = kix->getX509IssuerSerialNumber();
projects / shibboleth / cpp-xmltooling.git / blob