2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * InlineKeyResolver.cpp
20 * Resolves key information directly from recognized KeyInfo structures.
24 #include "security/BasicX509Credential.h"
25 #include "security/KeyInfoCredentialContext.h"
26 #include "security/KeyInfoResolver.h"
27 #include "signature/KeyInfo.h"
28 #include "signature/Signature.h"
30 #include "util/Threads.h"
31 #include "util/XMLConstants.h"
32 #include "validation/ValidatorSuite.h"
34 #include <log4cpp/Category.hh>
35 #include <xercesc/util/XMLUniDefs.hpp>
36 #include <xsec/dsig/DSIGKeyInfoX509.hpp>
37 #include <xsec/enc/XSECKeyInfoResolverDefault.hpp>
38 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
40 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
41 #include <xsec/enc/XSECCryptoException.hpp>
42 #include <xsec/framework/XSECException.hpp>
44 using namespace xmlsignature;
45 using namespace xmltooling;
46 using namespace log4cpp;
49 namespace xmltooling {
51 class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential
54 InlineCredential(const KeyInfo* keyInfo=NULL) : BasicX509Credential(keyInfo!=NULL), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
56 InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
58 InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=NULL), m_credctx(NULL) {
60 virtual ~InlineCredential() {
64 XSECCryptoKey* getPrivateKey() const {
68 KeyInfo* getKeyInfo(bool compact=false) const {
69 KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : NULL;
71 ret->getKeyValues().clear();
72 ret->getSPKIDatas().clear();
73 ret->getPGPDatas().clear();
74 ret->getUnknownXMLObjects().clear();
75 const vector<X509Data*> x509Datas=const_cast<const KeyInfo*>(ret)->getX509Datas();
76 for (vector<X509Data*>::const_iterator x=x509Datas.begin(); x!=x509Datas.end(); ++x) {
77 (*x)->getX509Certificates().clear();
78 (*x)->getX509CRLs().clear();
79 (*x)->getUnknownXMLObjects().clear();
85 const CredentialContext* getCredentialContext() const {
89 void setCredentialContext(KeyInfoCredentialContext* context) {
93 void resolve(const KeyInfo* keyInfo, int types=0);
94 void resolve(DSIGKeyInfoList* keyInfo, int types=0);
97 bool resolveCerts(const KeyInfo* keyInfo);
98 bool resolveKey(const KeyInfo* keyInfo);
99 bool resolveCRL(const KeyInfo* keyInfo);
101 KeyInfoCredentialContext* m_credctx;
104 class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyInfoResolver
107 InlineKeyResolver() {}
108 virtual ~InlineKeyResolver() {}
110 Credential* resolve(const KeyInfo* keyInfo, int types=0) const {
114 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
115 auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
116 credential->resolve(keyInfo, types);
117 return credential.release();
119 Credential* resolve(DSIGKeyInfoList* keyInfo, int types=0) const {
123 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
124 auto_ptr<InlineCredential> credential(new InlineCredential(keyInfo));
125 credential->resolve(keyInfo, types);
126 return credential.release();
128 Credential* resolve(KeyInfoCredentialContext* context, int types=0) const {
132 types = Credential::RESOLVE_KEYS|X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS;
133 auto_ptr<InlineCredential> credential(new InlineCredential(context));
134 if (context->getKeyInfo())
135 credential->resolve(context->getKeyInfo(), types);
136 else if (context->getNativeKeyInfo())
137 credential->resolve(context->getNativeKeyInfo(), types);
138 credential->setCredentialContext(context);
139 return credential.release();
143 KeyInfoResolver* XMLTOOL_DLLLOCAL InlineKeyInfoResolverFactory(const DOMElement* const & e)
145 return new InlineKeyResolver();
149 void InlineCredential::resolve(const KeyInfo* keyInfo, int types)
155 if (types & X509Credential::RESOLVE_CERTS)
156 resolveCerts(keyInfo);
158 if (types & Credential::RESOLVE_KEYS) {
159 if (types & X509Credential::RESOLVE_CERTS) {
160 // If we have a cert, just use it.
161 if (!m_xseccerts.empty())
162 m_key = m_xseccerts.front()->clonePublicKey();
164 // Otherwise try directly for a key and then go for certs if none is found.
165 else if (!resolveKey(keyInfo) && resolveCerts(keyInfo)) {
166 m_key = m_xseccerts.front()->clonePublicKey();
170 if (types & X509Credential::RESOLVE_CRLS)
173 keyInfo->extractNames(m_keyNames);
176 bool InlineCredential::resolveKey(const KeyInfo* keyInfo)
178 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver");
180 // Check for ds:KeyValue
181 const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();
182 for (vector<KeyValue*>::const_iterator i=keyValues.begin(); i!=keyValues.end(); ++i) {
184 SchemaValidators.validate(*i); // see if it's a "valid" key
185 RSAKeyValue* rsakv = (*i)->getRSAKeyValue();
187 log.debug("resolving ds:RSAKeyValue");
188 auto_ptr_char mod(rsakv->getModulus()->getValue());
189 auto_ptr_char exp(rsakv->getExponent()->getValue());
190 auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());
191 rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));
192 rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));
193 m_key = rsa.release();
196 DSAKeyValue* dsakv = (*i)->getDSAKeyValue();
198 log.debug("resolving ds:DSAKeyValue");
199 auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());
200 auto_ptr_char y(dsakv->getY()->getValue());
201 dsa->loadYBase64BigNums(y.get(), strlen(y.get()));
203 auto_ptr_char p(dsakv->getP()->getValue());
204 dsa->loadPBase64BigNums(p.get(), strlen(p.get()));
207 auto_ptr_char q(dsakv->getQ()->getValue());
208 dsa->loadQBase64BigNums(q.get(), strlen(q.get()));
211 auto_ptr_char g(dsakv->getG()->getValue());
212 dsa->loadGBase64BigNums(g.get(), strlen(g.get()));
214 m_key = dsa.release();
218 catch (ValidationException& ex) {
219 log.warn("skipping invalid ds:KeyValue (%s)", ex.what());
221 catch(XSECException& e) {
222 auto_ptr_char temp(e.getMsg());
223 log.error("caught XML-Security exception loading key: %s", temp.get());
225 catch(XSECCryptoException& e) {
226 log.error("caught XML-Security exception loading key: %s", e.getMsg());
230 // Check for RetrievalMethod.
231 const XMLCh* fragID=NULL;
232 const XMLObject* treeRoot=NULL;
233 const vector<RetrievalMethod*>& methods=keyInfo->getRetrievalMethods();
234 for (vector<RetrievalMethod*>::const_iterator m=methods.begin(); m!=methods.end(); ++m) {
235 if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_RSAKEYVALUE) &&
236 !XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_DSAKEYVALUE))
238 fragID = (*m)->getURI();
239 if (!fragID || *fragID != chPound || !*(fragID+1)) {
240 log.warn("skipping ds:RetrievalMethod with an empty or non-local reference");
245 while (treeRoot->getParent())
246 treeRoot = treeRoot->getParent();
248 keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
250 log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo");
253 if (resolveKey(keyInfo))
259 bool InlineCredential::resolveCerts(const KeyInfo* keyInfo)
261 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver");
263 // Check for ds:X509Data
264 const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
265 for (vector<X509Data*>::const_iterator j=x509Datas.begin(); m_xseccerts.empty() && j!=x509Datas.end(); ++j) {
266 const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();
267 for (vector<X509Certificate*>::const_iterator k=x509Certs.begin(); k!=x509Certs.end(); ++k) {
269 auto_ptr_char x((*k)->getValue());
271 log.warn("skipping empty ds:X509Certificate");
274 log.debug("resolving ds:X509Certificate");
275 auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());
276 x509->loadX509Base64Bin(x.get(), strlen(x.get()));
277 m_xseccerts.push_back(x509.release());
280 catch(XSECException& e) {
281 auto_ptr_char temp(e.getMsg());
282 log.error("caught XML-Security exception loading certificate: %s", temp.get());
284 catch(XSECCryptoException& e) {
285 log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
290 if (m_xseccerts.empty()) {
291 // Check for RetrievalMethod.
292 const XMLCh* fragID=NULL;
293 const XMLObject* treeRoot=NULL;
294 const vector<RetrievalMethod*> methods=keyInfo->getRetrievalMethods();
295 for (vector<RetrievalMethod*>::const_iterator m=methods.begin(); m!=methods.end(); ++m) {
296 if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_X509DATA))
298 fragID = (*m)->getURI();
299 if (!fragID || *fragID != chPound || !*(fragID+1)) {
300 log.warn("skipping ds:RetrievalMethod with an empty or non-local reference");
305 while (treeRoot->getParent())
306 treeRoot = treeRoot->getParent();
308 keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
310 log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo");
313 if (resolveCerts(keyInfo))
319 log.debug("resolved %d certificate(s)", m_xseccerts.size());
320 return !m_xseccerts.empty();
323 bool InlineCredential::resolveCRL(const KeyInfo* keyInfo)
325 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver");
327 // Check for ds:X509Data
328 const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();
329 for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {
330 const vector<X509CRL*> x509CRLs=const_cast<const X509Data*>(*j)->getX509CRLs();
331 for (vector<X509CRL*>::const_iterator k=x509CRLs.begin(); k!=x509CRLs.end(); ++k) {
333 auto_ptr_char x((*k)->getValue());
335 log.warn("skipping empty ds:X509CRL");
338 log.debug("resolving ds:X509CRL");
339 auto_ptr<XSECCryptoX509CRL> crl(XMLToolingConfig::getConfig().X509CRL());
340 crl->loadX509CRLBase64Bin(x.get(), strlen(x.get()));
341 m_crl = crl.release();
345 catch(XSECException& e) {
346 auto_ptr_char temp(e.getMsg());
347 log.error("caught XML-Security exception loading certificate: %s", temp.get());
349 catch(XSECCryptoException& e) {
350 log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
355 // Check for RetrievalMethod.
356 const XMLCh* fragID=NULL;
357 const XMLObject* treeRoot=NULL;
358 const vector<RetrievalMethod*> methods=keyInfo->getRetrievalMethods();
359 for (vector<RetrievalMethod*>::const_iterator m=methods.begin(); m!=methods.end(); ++m) {
360 if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_X509DATA))
362 fragID = (*m)->getURI();
363 if (!fragID || *fragID != chPound || !*(fragID+1)) {
364 log.warn("skipping ds:RetrievalMethod with an empty or non-local reference");
369 while (treeRoot->getParent())
370 treeRoot = treeRoot->getParent();
372 keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
374 log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo");
377 if (resolveCRL(keyInfo))
384 void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types)
390 if (types & Credential::RESOLVE_KEYS) {
391 // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.
393 XSECKeyInfoResolverDefault def;
394 m_key = def.resolveKey(keyInfo);
396 catch(XSECException& e) {
397 auto_ptr_char temp(e.getMsg());
398 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading certificate: %s", temp.get());
400 catch(XSECCryptoException& e) {
401 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading certificate: %s", e.getMsg());
405 DSIGKeyInfoList::size_type sz = keyInfo->getSize();
407 if (types & X509Credential::RESOLVE_CERTS) {
408 for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
409 if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
410 DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
411 int count = x509->getCertificateListSize();
413 for (int j=0; j<count; ++j)
414 m_xseccerts.push_back(x509->getCertificateCryptoItem(j));
421 if (types & X509Credential::RESOLVE_CRLS) {
422 for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
423 if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
424 auto_ptr_char buf(static_cast<DSIGKeyInfoX509*>(keyInfo->item(i))->getX509CRL());
427 auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
428 crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
429 m_crl = crlobj.release();
432 catch(XSECException& e) {
433 auto_ptr_char temp(e.getMsg());
434 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading CRL: %s", temp.get());
436 catch(XSECCryptoException& e) {
437 Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading CRL: %s", e.getMsg());
444 Signature::extractNames(keyInfo, m_keyNames);