2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * A helper class for working with keys, certificates, etc.
25 #include "io/HTTPResponse.h"
26 #include "security/OpenSSLCryptoX509CRL.h"
27 #include "security/SecurityHelper.h"
28 #include "security/X509Credential.h"
29 #include "soap/HTTPSOAPTransport.h"
33 #include <openssl/evp.h>
34 #include <openssl/pem.h>
35 #include <openssl/pkcs12.h>
36 #include <xsec/enc/XSECCryptoException.hpp>
37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
38 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
40 #ifdef XMLTOOLING_XMLSEC_ECC
41 # include <xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.hpp>
43 #include <xercesc/util/Base64.hpp>
45 using namespace xmltooling::logging;
46 using namespace xmltooling;
49 // OpenSSL password callback...
50 static int passwd_callback(char* buf, int len, int verify, void* passwd)
54 if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
56 strcpy(buf,reinterpret_cast<char*>(passwd));
63 const char* SecurityHelper::guessEncodingFormat(const char* pathname)
65 const char* format=nullptr;
66 BIO* in=BIO_new(BIO_s_file_internal());
67 if (in && BIO_read_filename(in, pathname)>0) {
68 const int READSIZE = 1;
72 // Examine the first byte.
74 if ((mark = BIO_tell(in)) < 0)
75 throw XMLSecurityException("Error loading file: BIO_tell() can't get the file position.");
76 if (BIO_read(in, buf, READSIZE) <= 0)
77 throw XMLSecurityException("Error loading file: BIO_read() can't read from the stream.");
78 if (BIO_seek(in, mark) < 0)
79 throw XMLSecurityException("Error loading file: BIO_seek() can't reset the file position.");
87 // Check the first byte of the file. If it's some kind of DER-encoded structure
88 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
93 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
94 // If it fails, must be another kind of DER-encoded structure.
96 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
109 throw XMLSecurityException("Unable to determine encoding for file ($1).", params(1,pathname));
112 XSECCryptoKey* SecurityHelper::loadKeyFromFile(const char* pathname, const char* format, const char* password)
115 NDC ndc("loadKeyFromFile");
117 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
118 log.info("loading private key from file (%s)", pathname);
122 EVP_PKEY* pkey=nullptr;
124 BIO* in=BIO_new(BIO_s_file_internal());
125 if (in && BIO_read_filename(in, pathname)>0) {
126 // If the format isn't set, try and guess it.
127 if (!format || !*format) {
128 const int READSIZE = 1;
132 // Examine the first byte.
134 if ((mark = BIO_tell(in)) < 0)
135 throw XMLSecurityException("Error loading key: BIO_tell() can't get the file position.");
136 if (BIO_read(in, buf, READSIZE) <= 0)
137 throw XMLSecurityException("Error loading key: BIO_read() can't read from the stream.");
138 if (BIO_seek(in, mark) < 0)
139 throw XMLSecurityException("Error loading key: BIO_seek() can't reset the file position.");
147 // Check the first byte of the file. If it's some kind of DER-encoded structure
148 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
153 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
154 // If it fails, must be another kind of DER-encoded structure.
155 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
157 if (BIO_seek(in, mark) < 0) {
160 throw XMLSecurityException("Error loading key: BIO_seek() can't reset the file position.");
167 log.debug("key encoding format for (%s) dynamically resolved as (%s)", pathname, format);
170 // The format should be known, so parse accordingly.
171 if (!strcmp(format, "PEM")) {
172 pkey = PEM_read_bio_PrivateKey(in, nullptr, passwd_callback, const_cast<char*>(password));
174 else if (!strcmp(format, "DER")) {
175 pkey=d2i_PrivateKey_bio(in, nullptr);
177 else if (!strcmp(format, "PKCS12")) {
179 p12 = d2i_PKCS12_bio(in, nullptr);
182 PKCS12_parse(p12, const_cast<char*>(password), &pkey, &x, nullptr);
188 log.error("unknown key encoding format (%s)", format);
194 // Now map it to an XSEC wrapper.
196 XSECCryptoKey* ret=nullptr;
197 switch (pkey->type) {
199 ret=new OpenSSLCryptoKeyRSA(pkey);
203 ret=new OpenSSLCryptoKeyDSA(pkey);
206 #ifdef XSEC_OPENSSL_HAVE_EC
208 ret=new OpenSSLCryptoKeyEC(pkey);
212 log.error("unsupported private key type");
220 throw XMLSecurityException("Unable to load private key from file ($1).", params(1, pathname));
223 vector<XSECCryptoX509*>::size_type SecurityHelper::loadCertificatesFromFile(
224 vector<XSECCryptoX509*>& certs, const char* pathname, const char* format, const char* password
228 NDC ndc("loadCertificatesFromFile");
230 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
231 log.info("loading certificate(s) from file (%s)", pathname);
233 vector<XSECCryptoX509*>::size_type count = certs.size();
239 BIO* in=BIO_new(BIO_s_file_internal());
240 if (in && BIO_read_filename(in, pathname)>0) {
241 // If the format isn't set, try and guess it.
242 if (!format || !*format) {
243 const int READSIZE = 1;
247 // Examine the first byte.
249 if ((mark = BIO_tell(in)) < 0)
250 throw XMLSecurityException("Error loading certificate: BIO_tell() can't get the file position.");
251 if (BIO_read(in, buf, READSIZE) <= 0)
252 throw XMLSecurityException("Error loading certificate: BIO_read() can't read from the stream.");
253 if (BIO_seek(in, mark) < 0)
254 throw XMLSecurityException("Error loading certificate: BIO_seek() can't reset the file position.");
262 // Check the first byte of the file. If it's some kind of DER-encoded structure
263 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
268 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
269 // If it fails, must be another kind of DER-encoded structure.
270 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
272 if (BIO_seek(in, mark) < 0) {
275 throw XMLSecurityException("Error loading certificate: BIO_seek() can't reset the file position.");
284 // The format should be known, so parse accordingly.
285 if (!strcmp(format, "PEM")) {
286 while (x=PEM_read_bio_X509(in, nullptr, nullptr, nullptr)) {
287 certs.push_back(new OpenSSLCryptoX509(x));
291 else if (!strcmp(format, "DER")) {
292 x=d2i_X509_bio(in, nullptr);
294 certs.push_back(new OpenSSLCryptoX509(x));
298 else if (!strcmp(format, "PKCS12")) {
300 p12 = d2i_PKCS12_bio(in, nullptr);
302 EVP_PKEY* pkey=nullptr;
303 STACK_OF(X509)* CAstack = sk_X509_new_null();
304 PKCS12_parse(p12, const_cast<char*>(password), &pkey, &x, &CAstack);
308 certs.push_back(new OpenSSLCryptoX509(x));
311 x = sk_X509_pop(CAstack);
313 certs.push_back(new OpenSSLCryptoX509(x));
315 x = sk_X509_pop(CAstack);
317 sk_X509_free(CAstack);
324 if (certs.size() == count) {
326 throw XMLSecurityException("Unable to load certificate(s) from file ($1).", params(1, pathname));
332 vector<XSECCryptoX509CRL*>::size_type SecurityHelper::loadCRLsFromFile(
333 vector<XSECCryptoX509CRL*>& crls, const char* pathname, const char* format
337 NDC ndc("loadCRLsFromFile");
339 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
340 log.info("loading CRL(s) from file (%s)", pathname);
342 vector<XSECCryptoX509CRL*>::size_type count = crls.size();
344 BIO* in=BIO_new(BIO_s_file_internal());
345 if (in && BIO_read_filename(in, pathname)>0) {
346 // If the format isn't set, try and guess it.
347 if (!format || !*format) {
348 const int READSIZE = 1;
352 // Examine the first byte.
354 if ((mark = BIO_tell(in)) < 0)
355 throw XMLSecurityException("Error loading CRL: BIO_tell() can't get the file position.");
356 if (BIO_read(in, buf, READSIZE) <= 0)
357 throw XMLSecurityException("Error loading CRL: BIO_read() can't read from the stream.");
358 if (BIO_seek(in, mark) < 0)
359 throw XMLSecurityException("Error loading CRL: BIO_seek() can't reset the file position.");
367 // Check the first byte of the file. If it's some kind of DER-encoded structure
368 // it will begin with ASCII 048. Otherwise, assume it's PEM.
375 log.debug("CRL encoding format for (%s) dynamically resolved as (%s)", pathname, format);
378 X509_CRL* crl=nullptr;
379 if (!strcmp(format, "PEM")) {
380 while (crl=PEM_read_bio_X509_CRL(in, nullptr, nullptr, nullptr)) {
381 crls.push_back(new OpenSSLCryptoX509CRL(crl));
385 else if (!strcmp(format, "DER")) {
386 crl=d2i_X509_CRL_bio(in, nullptr);
388 crls.push_back(new OpenSSLCryptoX509CRL(crl));
393 log.error("unknown CRL encoding format (%s)", format);
399 if (crls.size() == count) {
401 throw XMLSecurityException("Unable to load CRL(s) from file ($1).", params(1, pathname));
407 XSECCryptoKey* SecurityHelper::loadKeyFromURL(SOAPTransport& transport, const char* backing, const char* format, const char* password)
411 istream& msg = transport.receive();
413 // Check for "not modified" status.
414 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
415 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
417 // Dump to output file.
418 ofstream out(backing, fstream::trunc|fstream::binary);
422 return loadKeyFromFile(backing, format, password);
425 vector<XSECCryptoX509*>::size_type SecurityHelper::loadCertificatesFromURL(
426 vector<XSECCryptoX509*>& certs, SOAPTransport& transport, const char* backing, const char* format, const char* password
430 istream& msg = transport.receive();
432 // Check for "not modified" status.
433 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
434 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
436 // Dump to output file.
437 ofstream out(backing, fstream::trunc|fstream::binary);
441 return loadCertificatesFromFile(certs, backing, format, password);
444 vector<XSECCryptoX509CRL*>::size_type SecurityHelper::loadCRLsFromURL(
445 vector<XSECCryptoX509CRL*>& crls, SOAPTransport& transport, const char* backing, const char* format
450 istream& msg = transport.receive();
452 // Check for "not modified" status.
453 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
454 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
456 // Dump to output file.
457 ofstream out(backing, fstream::trunc|fstream::binary);
461 return loadCRLsFromFile(crls, backing, format);
464 bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key2)
466 if (key1.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL ||
467 key2.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
468 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("comparison of non-OpenSSL keys not supported");
472 // If one key is public or both, just compare the public key half.
473 if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_RSA_PAIR) {
474 if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
476 const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
477 const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
478 return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
481 // For a private key, compare the private half.
482 if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PRIVATE) {
483 if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
485 const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
486 const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
487 return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->d,rsa2->d) == 0);
490 // If one key is public or both, just compare the public key half.
491 if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_DSA_PAIR) {
492 if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
494 const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
495 const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
496 return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
499 // For a private key, compare the private half.
500 if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PRIVATE) {
501 if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
503 const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
504 const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
505 return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0);
508 #ifdef XMLTOOLING_XMLSEC_ECC
509 // If one key is public or both, just compare the public key half.
510 if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_EC_PAIR) {
511 if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
513 const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
514 const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
517 if (EC_GROUP_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_group(ec2), nullptr) != 0)
519 return (EC_POINT_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_public_key(ec1), EC_KEY_get0_public_key(ec2), nullptr) == 0);
522 // For a private key, compare the private half.
523 if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PRIVATE) {
524 if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
526 const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
527 const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
528 return (ec1 && ec2 && BN_cmp(EC_KEY_get0_private_key(ec1), EC_KEY_get0_private_key(ec2)) == 0);
532 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("unsupported key type for comparison");
536 string SecurityHelper::doHash(const char* hashAlg, const char* buf, unsigned long buflen, bool toHex)
538 static char DIGITS[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
541 const EVP_MD* md = EVP_get_digestbyname(hashAlg);
543 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hashAlg);
547 BIO* chain = BIO_new(BIO_s_mem());
548 BIO* b = BIO_new(BIO_f_md());
550 chain = BIO_push(b, chain);
551 BIO_write(chain, buf, buflen);
554 char digest[EVP_MAX_MD_SIZE];
555 int len = BIO_gets(chain, digest, EVP_MD_size(md));
557 if (len != EVP_MD_size(md)) {
558 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error(
559 "hash result length (%d) did not match expected value (%d)", len, EVP_MD_size(md)
564 for (int i=0; i < len; ++i) {
565 ret += (DIGITS[((unsigned char)(0xF0 & digest[i])) >> 4 ]);
566 ret += (DIGITS[0x0F & digest[i]]);
570 for (int i=0; i < len; ++i) {
577 string SecurityHelper::getDEREncoding(const XSECCryptoKey& key, const char* hash, bool nowrap)
581 if (key.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
582 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("encoding of non-OpenSSL keys not supported");
586 const RSA* rsa = nullptr;
587 const DSA* dsa = nullptr;
588 #ifdef XMLTOOLING_XMLSEC_ECC
589 const EC_KEY* ec = nullptr;
592 if (key.getKeyType() == XSECCryptoKey::KEY_RSA_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_RSA_PAIR) {
593 rsa = static_cast<const OpenSSLCryptoKeyRSA&>(key).getOpenSSLRSA();
595 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
599 else if (key.getKeyType() == XSECCryptoKey::KEY_DSA_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_DSA_PAIR) {
600 dsa = static_cast<const OpenSSLCryptoKeyDSA&>(key).getOpenSSLDSA();
602 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
606 #ifdef XMLTOOLING_XMLSEC_ECC
607 else if (key.getKeyType() == XSECCryptoKey::KEY_EC_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_EC_PAIR) {
608 ec = static_cast<const OpenSSLCryptoKeyEC&>(key).getOpenSSLEC();
610 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
616 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("public key type not supported");
620 const EVP_MD* md=nullptr;
622 md = EVP_get_digestbyname(hash);
624 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hash);
629 BIO* chain = BIO_new(BIO_s_mem());
630 BIO* b = BIO_new(BIO_f_base64());
632 BIO_set_flags(b, BIO_FLAGS_BASE64_NO_NL);
633 chain = BIO_push(b, chain);
635 b = BIO_new(BIO_f_md());
637 chain = BIO_push(b, chain);
641 i2d_RSA_PUBKEY_bio(chain, const_cast<RSA*>(rsa));
643 i2d_DSA_PUBKEY_bio(chain, const_cast<DSA*>(dsa));
644 #ifdef XMLTOOLING_XMLSEC_ECC
646 i2d_EC_PUBKEY_bio(chain, const_cast<EC_KEY*>(ec));
651 char digest[EVP_MAX_MD_SIZE];
652 int len = BIO_gets(chain, digest, EVP_MD_size(md));
653 if (len != EVP_MD_size(md)) {
661 BIO_write(chain, digest, len);
664 BUF_MEM* bptr=nullptr;
665 BIO_get_mem_ptr(chain, &bptr);
666 if (bptr && bptr->length > 0)
667 ret.append(bptr->data, bptr->length);
673 string SecurityHelper::getDEREncoding(const XSECCryptoX509& cert, const char* hash, bool nowrap)
677 if (cert.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
678 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("encoding of non-OpenSSL keys not supported");
682 const EVP_MD* md=nullptr;
684 md = EVP_get_digestbyname(hash);
686 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hash);
691 const X509* x = static_cast<const OpenSSLCryptoX509&>(cert).getOpenSSLX509();
692 EVP_PKEY* key = X509_get_pubkey(const_cast<X509*>(x));
694 BIO* chain = BIO_new(BIO_s_mem());
695 BIO* b = BIO_new(BIO_f_base64());
697 BIO_set_flags(b, BIO_FLAGS_BASE64_NO_NL);
698 chain = BIO_push(b, chain);
700 b = BIO_new(BIO_f_md());
702 chain = BIO_push(b, chain);
704 i2d_PUBKEY_bio(chain, key);
708 char digest[EVP_MAX_MD_SIZE];
709 int len = BIO_gets(chain, digest, EVP_MD_size(md));
710 if (len != EVP_MD_size(md)) {
718 BIO_write(chain, digest, len);
721 BUF_MEM* bptr=nullptr;
722 BIO_get_mem_ptr(chain, &bptr);
723 if (bptr && bptr->length > 0)
724 ret.append(bptr->data, bptr->length);
729 string SecurityHelper::getDEREncoding(const Credential& cred, const char* hash, bool nowrap)
731 const X509Credential* x509 = dynamic_cast<const X509Credential*>(&cred);
732 if (x509 && !x509->getEntityCertificateChain().empty())
733 return getDEREncoding(*(x509->getEntityCertificateChain().front()), hash, nowrap);
734 else if (cred.getPublicKey())
735 return getDEREncoding(*(cred.getPublicKey()), hash, nowrap);
739 string SecurityHelper::getDEREncoding(const XSECCryptoKey& key, bool hash, bool nowrap)
741 return getDEREncoding(key, hash ? "SHA1" : nullptr, nowrap);
744 string SecurityHelper::getDEREncoding(const XSECCryptoX509& cert, bool hash, bool nowrap)
746 return getDEREncoding(cert, hash ? "SHA1" : nullptr, nowrap);
749 string SecurityHelper::getDEREncoding(const Credential& cred, bool hash, bool nowrap)
751 return getDEREncoding(cred, hash ? "SHA1" : nullptr, nowrap);
754 XSECCryptoKey* SecurityHelper::fromDEREncoding(const char* buf, unsigned long buflen, bool base64)
757 XMLByte* decoded=nullptr;
759 decoded = xercesc::Base64::decode(reinterpret_cast<const XMLByte*>(buf), &x);
761 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("base64 decode failed");
766 BIO* b = BIO_new_mem_buf((void*)(base64 ? (char*)decoded : buf), (base64 ? x : buflen));
767 EVP_PKEY* pkey = d2i_PUBKEY_bio(b, nullptr);
770 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
771 XMLString::release(&decoded);
773 XMLString::release((char**)&decoded);
778 // Now map it to an XSEC wrapper.
779 XSECCryptoKey* ret = nullptr;
781 switch (pkey->type) {
783 ret = new OpenSSLCryptoKeyRSA(pkey);
787 ret = new OpenSSLCryptoKeyDSA(pkey);
790 #ifdef XMLTOOLING_XMLSEC_ECC
792 ret = new OpenSSLCryptoKeyEC(pkey);
796 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("unsupported public key type");
799 catch (XSECCryptoException& ex) {
800 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error(ex.getMsg());
809 XSECCryptoKey* SecurityHelper::fromDEREncoding(const XMLCh* buf)
812 XMLByte* decoded = xercesc::Base64::decodeToXMLByte(buf, &x);
814 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("base64 decode failed");
817 XSECCryptoKey* ret = fromDEREncoding((const char*)decoded, x, false);
818 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
819 XMLString::release(&decoded);
821 XMLString::release((char**)&decoded);