2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * A helper class for working with keys, certificates, etc.
25 #include "io/HTTPResponse.h"
26 #include "security/OpenSSLCryptoX509CRL.h"
27 #include "security/SecurityHelper.h"
28 #include "security/X509Credential.h"
29 #include "soap/HTTPSOAPTransport.h"
33 #include <openssl/evp.h>
34 #include <openssl/pem.h>
35 #include <openssl/pkcs12.h>
36 #include <xsec/enc/XSECCryptoException.hpp>
37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
38 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
40 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
41 # include <xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.hpp>
43 #include <xercesc/util/Base64.hpp>
46 # if (OPENSSL_VERSION_NUMBER >= 0x00907000)
47 # define XMLTOOLING_OPENSSL_HAVE_EC 1
51 using namespace xmltooling::logging;
52 using namespace xmltooling;
55 // OpenSSL password callback...
56 static int passwd_callback(char* buf, int len, int verify, void* passwd)
60 if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
62 strcpy(buf,reinterpret_cast<char*>(passwd));
69 const char* SecurityHelper::guessEncodingFormat(const char* pathname)
71 const char* format=nullptr;
72 BIO* in=BIO_new(BIO_s_file_internal());
73 if (in && BIO_read_filename(in, pathname)>0) {
74 const int READSIZE = 1;
78 // Examine the first byte.
80 if ((mark = BIO_tell(in)) < 0)
81 throw XMLSecurityException("Error loading file: BIO_tell() can't get the file position.");
82 if (BIO_read(in, buf, READSIZE) <= 0)
83 throw XMLSecurityException("Error loading file: BIO_read() can't read from the stream.");
84 if (BIO_seek(in, mark) < 0)
85 throw XMLSecurityException("Error loading file: BIO_seek() can't reset the file position.");
93 // Check the first byte of the file. If it's some kind of DER-encoded structure
94 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
99 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
100 // If it fails, must be another kind of DER-encoded structure.
102 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
115 throw XMLSecurityException("Unable to determine encoding for file ($1).", params(1,pathname));
118 XSECCryptoKey* SecurityHelper::loadKeyFromFile(const char* pathname, const char* format, const char* password)
121 NDC ndc("loadKeyFromFile");
123 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
124 log.info("loading private key from file (%s)", pathname);
128 EVP_PKEY* pkey=nullptr;
130 BIO* in=BIO_new(BIO_s_file_internal());
131 if (in && BIO_read_filename(in, pathname)>0) {
132 // If the format isn't set, try and guess it.
133 if (!format || !*format) {
134 const int READSIZE = 1;
138 // Examine the first byte.
140 if ((mark = BIO_tell(in)) < 0)
141 throw XMLSecurityException("Error loading key: BIO_tell() can't get the file position.");
142 if (BIO_read(in, buf, READSIZE) <= 0)
143 throw XMLSecurityException("Error loading key: BIO_read() can't read from the stream.");
144 if (BIO_seek(in, mark) < 0)
145 throw XMLSecurityException("Error loading key: BIO_seek() can't reset the file position.");
153 // Check the first byte of the file. If it's some kind of DER-encoded structure
154 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
159 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
160 // If it fails, must be another kind of DER-encoded structure.
161 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
163 if (BIO_seek(in, mark) < 0) {
166 throw XMLSecurityException("Error loading key: BIO_seek() can't reset the file position.");
173 log.debug("key encoding format for (%s) dynamically resolved as (%s)", pathname, format);
176 // The format should be known, so parse accordingly.
177 if (!strcmp(format, "PEM")) {
178 pkey = PEM_read_bio_PrivateKey(in, nullptr, passwd_callback, const_cast<char*>(password));
180 else if (!strcmp(format, "DER")) {
181 pkey=d2i_PrivateKey_bio(in, nullptr);
183 else if (!strcmp(format, "PKCS12")) {
185 p12 = d2i_PKCS12_bio(in, nullptr);
188 PKCS12_parse(p12, const_cast<char*>(password), &pkey, &x, nullptr);
194 log.error("unknown key encoding format (%s)", format);
200 // Now map it to an XSEC wrapper.
202 XSECCryptoKey* ret=nullptr;
203 switch (pkey->type) {
205 ret=new OpenSSLCryptoKeyRSA(pkey);
209 ret=new OpenSSLCryptoKeyDSA(pkey);
212 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
214 ret=new OpenSSLCryptoKeyEC(pkey);
218 log.error("unsupported private key type");
226 throw XMLSecurityException("Unable to load private key from file ($1).", params(1, pathname));
229 vector<XSECCryptoX509*>::size_type SecurityHelper::loadCertificatesFromFile(
230 vector<XSECCryptoX509*>& certs, const char* pathname, const char* format, const char* password
234 NDC ndc("loadCertificatesFromFile");
236 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
237 log.info("loading certificate(s) from file (%s)", pathname);
239 vector<XSECCryptoX509*>::size_type count = certs.size();
245 BIO* in=BIO_new(BIO_s_file_internal());
246 if (in && BIO_read_filename(in, pathname)>0) {
247 // If the format isn't set, try and guess it.
248 if (!format || !*format) {
249 const int READSIZE = 1;
253 // Examine the first byte.
255 if ((mark = BIO_tell(in)) < 0)
256 throw XMLSecurityException("Error loading certificate: BIO_tell() can't get the file position.");
257 if (BIO_read(in, buf, READSIZE) <= 0)
258 throw XMLSecurityException("Error loading certificate: BIO_read() can't read from the stream.");
259 if (BIO_seek(in, mark) < 0)
260 throw XMLSecurityException("Error loading certificate: BIO_seek() can't reset the file position.");
268 // Check the first byte of the file. If it's some kind of DER-encoded structure
269 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
274 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
275 // If it fails, must be another kind of DER-encoded structure.
276 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
278 if (BIO_seek(in, mark) < 0) {
281 throw XMLSecurityException("Error loading certificate: BIO_seek() can't reset the file position.");
290 // The format should be known, so parse accordingly.
291 if (!strcmp(format, "PEM")) {
292 while (x=PEM_read_bio_X509(in, nullptr, nullptr, nullptr)) {
293 certs.push_back(new OpenSSLCryptoX509(x));
297 else if (!strcmp(format, "DER")) {
298 x=d2i_X509_bio(in, nullptr);
300 certs.push_back(new OpenSSLCryptoX509(x));
304 else if (!strcmp(format, "PKCS12")) {
306 p12 = d2i_PKCS12_bio(in, nullptr);
308 EVP_PKEY* pkey=nullptr;
309 STACK_OF(X509)* CAstack = sk_X509_new_null();
310 PKCS12_parse(p12, const_cast<char*>(password), &pkey, &x, &CAstack);
314 certs.push_back(new OpenSSLCryptoX509(x));
317 x = sk_X509_pop(CAstack);
319 certs.push_back(new OpenSSLCryptoX509(x));
321 x = sk_X509_pop(CAstack);
323 sk_X509_free(CAstack);
330 if (certs.size() == count) {
332 throw XMLSecurityException("Unable to load certificate(s) from file ($1).", params(1, pathname));
338 vector<XSECCryptoX509CRL*>::size_type SecurityHelper::loadCRLsFromFile(
339 vector<XSECCryptoX509CRL*>& crls, const char* pathname, const char* format
343 NDC ndc("loadCRLsFromFile");
345 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
346 log.info("loading CRL(s) from file (%s)", pathname);
348 vector<XSECCryptoX509CRL*>::size_type count = crls.size();
350 BIO* in=BIO_new(BIO_s_file_internal());
351 if (in && BIO_read_filename(in, pathname)>0) {
352 // If the format isn't set, try and guess it.
353 if (!format || !*format) {
354 const int READSIZE = 1;
358 // Examine the first byte.
360 if ((mark = BIO_tell(in)) < 0)
361 throw XMLSecurityException("Error loading CRL: BIO_tell() can't get the file position.");
362 if (BIO_read(in, buf, READSIZE) <= 0)
363 throw XMLSecurityException("Error loading CRL: BIO_read() can't read from the stream.");
364 if (BIO_seek(in, mark) < 0)
365 throw XMLSecurityException("Error loading CRL: BIO_seek() can't reset the file position.");
373 // Check the first byte of the file. If it's some kind of DER-encoded structure
374 // it will begin with ASCII 048. Otherwise, assume it's PEM.
381 log.debug("CRL encoding format for (%s) dynamically resolved as (%s)", pathname, format);
384 X509_CRL* crl=nullptr;
385 if (!strcmp(format, "PEM")) {
386 while (crl=PEM_read_bio_X509_CRL(in, nullptr, nullptr, nullptr)) {
387 crls.push_back(new OpenSSLCryptoX509CRL(crl));
391 else if (!strcmp(format, "DER")) {
392 crl=d2i_X509_CRL_bio(in, nullptr);
394 crls.push_back(new OpenSSLCryptoX509CRL(crl));
399 log.error("unknown CRL encoding format (%s)", format);
405 if (crls.size() == count) {
407 throw XMLSecurityException("Unable to load CRL(s) from file ($1).", params(1, pathname));
413 XSECCryptoKey* SecurityHelper::loadKeyFromURL(SOAPTransport& transport, const char* backing, const char* format, const char* password)
417 istream& msg = transport.receive();
419 // Check for "not modified" status.
420 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
421 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
423 // Dump to output file.
424 ofstream out(backing, fstream::trunc|fstream::binary);
428 return loadKeyFromFile(backing, format, password);
431 vector<XSECCryptoX509*>::size_type SecurityHelper::loadCertificatesFromURL(
432 vector<XSECCryptoX509*>& certs, SOAPTransport& transport, const char* backing, const char* format, const char* password
436 istream& msg = transport.receive();
438 // Check for "not modified" status.
439 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
440 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
442 // Dump to output file.
443 ofstream out(backing, fstream::trunc|fstream::binary);
447 return loadCertificatesFromFile(certs, backing, format, password);
450 vector<XSECCryptoX509CRL*>::size_type SecurityHelper::loadCRLsFromURL(
451 vector<XSECCryptoX509CRL*>& crls, SOAPTransport& transport, const char* backing, const char* format
456 istream& msg = transport.receive();
458 // Check for "not modified" status.
459 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
460 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
462 // Dump to output file.
463 ofstream out(backing, fstream::trunc|fstream::binary);
467 return loadCRLsFromFile(crls, backing, format);
470 bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key2)
472 if (key1.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL ||
473 key2.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
474 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("comparison of non-OpenSSL keys not supported");
478 // If one key is public or both, just compare the public key half.
479 if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_RSA_PAIR) {
480 if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
482 const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
483 const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
484 return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
487 // For a private key, compare the private half.
488 if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PRIVATE) {
489 if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
491 const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
492 const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
493 return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->d,rsa2->d) == 0);
496 // If one key is public or both, just compare the public key half.
497 if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_DSA_PAIR) {
498 if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
500 const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
501 const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
502 return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
505 // For a private key, compare the private half.
506 if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PRIVATE) {
507 if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
509 const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
510 const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
511 return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0);
514 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
515 // If one key is public or both, just compare the public key half.
516 if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_EC_PAIR) {
517 if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
519 const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
520 const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
523 if (EC_GROUP_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_group(ec2), nullptr) != 0)
525 return (EC_POINT_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_public_key(ec1), EC_KEY_get0_public_key(ec2), nullptr) == 0);
528 // For a private key, compare the private half.
529 if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PRIVATE) {
530 if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
532 const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
533 const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
534 return (ec1 && ec2 && BN_cmp(EC_KEY_get0_private_key(ec1), EC_KEY_get0_private_key(ec2)) == 0);
538 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("unsupported key type for comparison");
542 string SecurityHelper::doHash(const char* hashAlg, const char* buf, unsigned long buflen, bool toHex)
544 static char DIGITS[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
547 const EVP_MD* md = EVP_get_digestbyname(hashAlg);
549 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hashAlg);
553 BIO* chain = BIO_new(BIO_s_mem());
554 BIO* b = BIO_new(BIO_f_md());
556 chain = BIO_push(b, chain);
557 BIO_write(chain, buf, buflen);
560 char digest[EVP_MAX_MD_SIZE];
561 int len = BIO_gets(chain, digest, EVP_MD_size(md));
563 if (len != EVP_MD_size(md)) {
564 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error(
565 "hash result length (%d) did not match expected value (%d)", len, EVP_MD_size(md)
570 for (int i=0; i < len; ++i) {
571 ret += (DIGITS[((unsigned char)(0xF0 & digest[i])) >> 4 ]);
572 ret += (DIGITS[0x0F & digest[i]]);
576 for (int i=0; i < len; ++i) {
583 string SecurityHelper::getDEREncoding(const XSECCryptoKey& key, const char* hash, bool nowrap)
587 if (key.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
588 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("encoding of non-OpenSSL keys not supported");
592 const RSA* rsa = nullptr;
593 const DSA* dsa = nullptr;
594 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
595 const EC_KEY* ec = nullptr;
598 if (key.getKeyType() == XSECCryptoKey::KEY_RSA_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_RSA_PAIR) {
599 rsa = static_cast<const OpenSSLCryptoKeyRSA&>(key).getOpenSSLRSA();
601 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
605 else if (key.getKeyType() == XSECCryptoKey::KEY_DSA_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_DSA_PAIR) {
606 dsa = static_cast<const OpenSSLCryptoKeyDSA&>(key).getOpenSSLDSA();
608 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
612 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
613 else if (key.getKeyType() == XSECCryptoKey::KEY_EC_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_EC_PAIR) {
614 ec = static_cast<const OpenSSLCryptoKeyEC&>(key).getOpenSSLEC();
616 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
622 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("public key type not supported");
626 const EVP_MD* md=nullptr;
628 md = EVP_get_digestbyname(hash);
630 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hash);
635 BIO* chain = BIO_new(BIO_s_mem());
636 BIO* b = BIO_new(BIO_f_base64());
638 BIO_set_flags(b, BIO_FLAGS_BASE64_NO_NL);
639 chain = BIO_push(b, chain);
641 b = BIO_new(BIO_f_md());
643 chain = BIO_push(b, chain);
647 i2d_RSA_PUBKEY_bio(chain, const_cast<RSA*>(rsa));
649 i2d_DSA_PUBKEY_bio(chain, const_cast<DSA*>(dsa));
650 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
652 i2d_EC_PUBKEY_bio(chain, const_cast<EC_KEY*>(ec));
657 char digest[EVP_MAX_MD_SIZE];
658 int len = BIO_gets(chain, digest, EVP_MD_size(md));
659 if (len != EVP_MD_size(md)) {
667 BIO_write(chain, digest, len);
670 BUF_MEM* bptr=nullptr;
671 BIO_get_mem_ptr(chain, &bptr);
672 if (bptr && bptr->length > 0)
673 ret.append(bptr->data, bptr->length);
679 string SecurityHelper::getDEREncoding(const XSECCryptoX509& cert, const char* hash, bool nowrap)
683 if (cert.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
684 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("encoding of non-OpenSSL keys not supported");
688 const EVP_MD* md=nullptr;
690 md = EVP_get_digestbyname(hash);
692 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hash);
697 const X509* x = static_cast<const OpenSSLCryptoX509&>(cert).getOpenSSLX509();
698 EVP_PKEY* key = X509_get_pubkey(const_cast<X509*>(x));
700 BIO* chain = BIO_new(BIO_s_mem());
701 BIO* b = BIO_new(BIO_f_base64());
703 BIO_set_flags(b, BIO_FLAGS_BASE64_NO_NL);
704 chain = BIO_push(b, chain);
706 b = BIO_new(BIO_f_md());
708 chain = BIO_push(b, chain);
710 i2d_PUBKEY_bio(chain, key);
714 char digest[EVP_MAX_MD_SIZE];
715 int len = BIO_gets(chain, digest, EVP_MD_size(md));
716 if (len != EVP_MD_size(md)) {
724 BIO_write(chain, digest, len);
727 BUF_MEM* bptr=nullptr;
728 BIO_get_mem_ptr(chain, &bptr);
729 if (bptr && bptr->length > 0)
730 ret.append(bptr->data, bptr->length);
735 string SecurityHelper::getDEREncoding(const Credential& cred, const char* hash, bool nowrap)
737 const X509Credential* x509 = dynamic_cast<const X509Credential*>(&cred);
738 if (x509 && !x509->getEntityCertificateChain().empty())
739 return getDEREncoding(*(x509->getEntityCertificateChain().front()), hash, nowrap);
740 else if (cred.getPublicKey())
741 return getDEREncoding(*(cred.getPublicKey()), hash, nowrap);
745 string SecurityHelper::getDEREncoding(const XSECCryptoKey& key, bool hash, bool nowrap)
747 return getDEREncoding(key, hash ? "SHA1" : nullptr, nowrap);
750 string SecurityHelper::getDEREncoding(const XSECCryptoX509& cert, bool hash, bool nowrap)
752 return getDEREncoding(cert, hash ? "SHA1" : nullptr, nowrap);
755 string SecurityHelper::getDEREncoding(const Credential& cred, bool hash, bool nowrap)
757 return getDEREncoding(cred, hash ? "SHA1" : nullptr, nowrap);
760 XSECCryptoKey* SecurityHelper::fromDEREncoding(const char* buf, unsigned long buflen, bool base64)
763 XMLByte* decoded=nullptr;
765 decoded = xercesc::Base64::decode(reinterpret_cast<const XMLByte*>(buf), &x);
767 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("base64 decode failed");
772 BIO* b = BIO_new_mem_buf((void*)(base64 ? (char*)decoded : buf), (base64 ? x : buflen));
773 EVP_PKEY* pkey = d2i_PUBKEY_bio(b, nullptr);
776 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
777 XMLString::release(&decoded);
779 XMLString::release((char**)&decoded);
784 // Now map it to an XSEC wrapper.
785 XSECCryptoKey* ret = nullptr;
787 switch (pkey->type) {
789 ret = new OpenSSLCryptoKeyRSA(pkey);
793 ret = new OpenSSLCryptoKeyDSA(pkey);
796 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
798 ret = new OpenSSLCryptoKeyEC(pkey);
802 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("unsupported public key type");
805 catch (XSECCryptoException& ex) {
806 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error(ex.getMsg());
815 XSECCryptoKey* SecurityHelper::fromDEREncoding(const XMLCh* buf)
818 XMLByte* decoded = xercesc::Base64::decodeToXMLByte(buf, &x);
820 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("base64 decode failed");
823 XSECCryptoKey* ret = fromDEREncoding((const char*)decoded, x, false);
824 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
825 XMLString::release(&decoded);
827 XMLString::release((char**)&decoded);