2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 * A helper class for working with keys, certificates, etc.
25 #include "io/HTTPResponse.h"
26 #include "security/OpenSSLCryptoX509CRL.h"
27 #include "security/SecurityHelper.h"
28 #include "security/X509Credential.h"
29 #include "soap/HTTPSOAPTransport.h"
33 #include <openssl/evp.h>
34 #include <openssl/pem.h>
35 #include <openssl/pkcs12.h>
36 #include <xsec/enc/XSECCryptoException.hpp>
37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
38 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
40 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.hpp>
41 #include <xercesc/util/Base64.hpp>
43 using namespace xmltooling::logging;
44 using namespace xmltooling;
47 // OpenSSL password callback...
48 static int passwd_callback(char* buf, int len, int verify, void* passwd)
52 if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
54 strcpy(buf,reinterpret_cast<char*>(passwd));
61 const char* SecurityHelper::guessEncodingFormat(const char* pathname)
63 const char* format=nullptr;
64 BIO* in=BIO_new(BIO_s_file_internal());
65 if (in && BIO_read_filename(in, pathname)>0) {
66 const int READSIZE = 1;
70 // Examine the first byte.
72 if ((mark = BIO_tell(in)) < 0)
73 throw XMLSecurityException("Error loading file: BIO_tell() can't get the file position.");
74 if (BIO_read(in, buf, READSIZE) <= 0)
75 throw XMLSecurityException("Error loading file: BIO_read() can't read from the stream.");
76 if (BIO_seek(in, mark) < 0)
77 throw XMLSecurityException("Error loading file: BIO_seek() can't reset the file position.");
85 // Check the first byte of the file. If it's some kind of DER-encoded structure
86 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
91 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
92 // If it fails, must be another kind of DER-encoded structure.
94 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
107 throw XMLSecurityException("Unable to determine encoding for file ($1).", params(1,pathname));
110 XSECCryptoKey* SecurityHelper::loadKeyFromFile(const char* pathname, const char* format, const char* password)
113 NDC ndc("loadKeyFromFile");
115 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
116 log.info("loading private key from file (%s)", pathname);
120 EVP_PKEY* pkey=nullptr;
122 BIO* in=BIO_new(BIO_s_file_internal());
123 if (in && BIO_read_filename(in, pathname)>0) {
124 // If the format isn't set, try and guess it.
125 if (!format || !*format) {
126 const int READSIZE = 1;
130 // Examine the first byte.
132 if ((mark = BIO_tell(in)) < 0)
133 throw XMLSecurityException("Error loading key: BIO_tell() can't get the file position.");
134 if (BIO_read(in, buf, READSIZE) <= 0)
135 throw XMLSecurityException("Error loading key: BIO_read() can't read from the stream.");
136 if (BIO_seek(in, mark) < 0)
137 throw XMLSecurityException("Error loading key: BIO_seek() can't reset the file position.");
145 // Check the first byte of the file. If it's some kind of DER-encoded structure
146 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
151 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
152 // If it fails, must be another kind of DER-encoded structure.
153 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
155 if (BIO_seek(in, mark) < 0) {
158 throw XMLSecurityException("Error loading key: BIO_seek() can't reset the file position.");
165 log.debug("key encoding format for (%s) dynamically resolved as (%s)", pathname, format);
168 // The format should be known, so parse accordingly.
169 if (!strcmp(format, "PEM")) {
170 pkey = PEM_read_bio_PrivateKey(in, nullptr, passwd_callback, const_cast<char*>(password));
172 else if (!strcmp(format, "DER")) {
173 pkey=d2i_PrivateKey_bio(in, nullptr);
175 else if (!strcmp(format, "PKCS12")) {
177 p12 = d2i_PKCS12_bio(in, nullptr);
180 PKCS12_parse(p12, const_cast<char*>(password), &pkey, &x, nullptr);
186 log.error("unknown key encoding format (%s)", format);
192 // Now map it to an XSEC wrapper.
194 XSECCryptoKey* ret=nullptr;
195 switch (pkey->type) {
197 ret=new OpenSSLCryptoKeyRSA(pkey);
201 ret=new OpenSSLCryptoKeyDSA(pkey);
204 #ifdef XSEC_OPENSSL_HAVE_EC
206 ret=new OpenSSLCryptoKeyEC(pkey);
210 log.error("unsupported private key type");
218 throw XMLSecurityException("Unable to load private key from file ($1).", params(1, pathname));
221 vector<XSECCryptoX509*>::size_type SecurityHelper::loadCertificatesFromFile(
222 vector<XSECCryptoX509*>& certs, const char* pathname, const char* format, const char* password
226 NDC ndc("loadCertificatesFromFile");
228 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
229 log.info("loading certificate(s) from file (%s)", pathname);
231 vector<XSECCryptoX509*>::size_type count = certs.size();
237 BIO* in=BIO_new(BIO_s_file_internal());
238 if (in && BIO_read_filename(in, pathname)>0) {
239 // If the format isn't set, try and guess it.
240 if (!format || !*format) {
241 const int READSIZE = 1;
245 // Examine the first byte.
247 if ((mark = BIO_tell(in)) < 0)
248 throw XMLSecurityException("Error loading certificate: BIO_tell() can't get the file position.");
249 if (BIO_read(in, buf, READSIZE) <= 0)
250 throw XMLSecurityException("Error loading certificate: BIO_read() can't read from the stream.");
251 if (BIO_seek(in, mark) < 0)
252 throw XMLSecurityException("Error loading certificate: BIO_seek() can't reset the file position.");
260 // Check the first byte of the file. If it's some kind of DER-encoded structure
261 // (including PKCS12), it will begin with ASCII 048. Otherwise, assume it's PEM.
266 // Here we know it's DER-encoded, now try to parse it as a PKCS12 ASN.1 structure.
267 // If it fails, must be another kind of DER-encoded structure.
268 if ((p12=d2i_PKCS12_bio(in, nullptr)) == nullptr) {
270 if (BIO_seek(in, mark) < 0) {
273 throw XMLSecurityException("Error loading certificate: BIO_seek() can't reset the file position.");
282 // The format should be known, so parse accordingly.
283 if (!strcmp(format, "PEM")) {
284 while (x=PEM_read_bio_X509(in, nullptr, nullptr, nullptr)) {
285 certs.push_back(new OpenSSLCryptoX509(x));
289 else if (!strcmp(format, "DER")) {
290 x=d2i_X509_bio(in, nullptr);
292 certs.push_back(new OpenSSLCryptoX509(x));
296 else if (!strcmp(format, "PKCS12")) {
298 p12 = d2i_PKCS12_bio(in, nullptr);
300 EVP_PKEY* pkey=nullptr;
301 STACK_OF(X509)* CAstack = sk_X509_new_null();
302 PKCS12_parse(p12, const_cast<char*>(password), &pkey, &x, &CAstack);
306 certs.push_back(new OpenSSLCryptoX509(x));
309 x = sk_X509_pop(CAstack);
311 certs.push_back(new OpenSSLCryptoX509(x));
313 x = sk_X509_pop(CAstack);
315 sk_X509_free(CAstack);
322 if (certs.size() == count) {
324 throw XMLSecurityException("Unable to load certificate(s) from file ($1).", params(1, pathname));
330 vector<XSECCryptoX509CRL*>::size_type SecurityHelper::loadCRLsFromFile(
331 vector<XSECCryptoX509CRL*>& crls, const char* pathname, const char* format
335 NDC ndc("loadCRLsFromFile");
337 Category& log = Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper");
338 log.info("loading CRL(s) from file (%s)", pathname);
340 vector<XSECCryptoX509CRL*>::size_type count = crls.size();
342 BIO* in=BIO_new(BIO_s_file_internal());
343 if (in && BIO_read_filename(in, pathname)>0) {
344 // If the format isn't set, try and guess it.
345 if (!format || !*format) {
346 const int READSIZE = 1;
350 // Examine the first byte.
352 if ((mark = BIO_tell(in)) < 0)
353 throw XMLSecurityException("Error loading CRL: BIO_tell() can't get the file position.");
354 if (BIO_read(in, buf, READSIZE) <= 0)
355 throw XMLSecurityException("Error loading CRL: BIO_read() can't read from the stream.");
356 if (BIO_seek(in, mark) < 0)
357 throw XMLSecurityException("Error loading CRL: BIO_seek() can't reset the file position.");
365 // Check the first byte of the file. If it's some kind of DER-encoded structure
366 // it will begin with ASCII 048. Otherwise, assume it's PEM.
373 log.debug("CRL encoding format for (%s) dynamically resolved as (%s)", pathname, format);
376 X509_CRL* crl=nullptr;
377 if (!strcmp(format, "PEM")) {
378 while (crl=PEM_read_bio_X509_CRL(in, nullptr, nullptr, nullptr)) {
379 crls.push_back(new OpenSSLCryptoX509CRL(crl));
383 else if (!strcmp(format, "DER")) {
384 crl=d2i_X509_CRL_bio(in, nullptr);
386 crls.push_back(new OpenSSLCryptoX509CRL(crl));
391 log.error("unknown CRL encoding format (%s)", format);
397 if (crls.size() == count) {
399 throw XMLSecurityException("Unable to load CRL(s) from file ($1).", params(1, pathname));
405 XSECCryptoKey* SecurityHelper::loadKeyFromURL(SOAPTransport& transport, const char* backing, const char* format, const char* password)
409 istream& msg = transport.receive();
411 // Check for "not modified" status.
412 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
413 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
415 // Dump to output file.
416 ofstream out(backing, fstream::trunc|fstream::binary);
420 return loadKeyFromFile(backing, format, password);
423 vector<XSECCryptoX509*>::size_type SecurityHelper::loadCertificatesFromURL(
424 vector<XSECCryptoX509*>& certs, SOAPTransport& transport, const char* backing, const char* format, const char* password
428 istream& msg = transport.receive();
430 // Check for "not modified" status.
431 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
432 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
434 // Dump to output file.
435 ofstream out(backing, fstream::trunc|fstream::binary);
439 return loadCertificatesFromFile(certs, backing, format, password);
442 vector<XSECCryptoX509CRL*>::size_type SecurityHelper::loadCRLsFromURL(
443 vector<XSECCryptoX509CRL*>& crls, SOAPTransport& transport, const char* backing, const char* format
448 istream& msg = transport.receive();
450 // Check for "not modified" status.
451 if (dynamic_cast<HTTPSOAPTransport*>(&transport) && transport.getStatusCode() == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
452 throw (long)HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED;
454 // Dump to output file.
455 ofstream out(backing, fstream::trunc|fstream::binary);
459 return loadCRLsFromFile(crls, backing, format);
462 bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key2)
464 if (key1.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL ||
465 key2.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
466 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("comparison of non-OpenSSL keys not supported");
470 // If one key is public or both, just compare the public key half.
471 if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_RSA_PAIR) {
472 if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
474 const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
475 const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
476 return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
479 // For a private key, compare the private half.
480 if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PRIVATE) {
481 if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
483 const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
484 const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
485 return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->d,rsa2->d) == 0);
488 // If one key is public or both, just compare the public key half.
489 if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_DSA_PAIR) {
490 if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
492 const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
493 const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
494 return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
497 // For a private key, compare the private half.
498 if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PRIVATE) {
499 if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
501 const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
502 const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
503 return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0);
506 #ifdef XMLTOOLING_XMLSEC_ECC
507 // If one key is public or both, just compare the public key half.
508 if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_EC_PAIR) {
509 if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
511 const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
512 const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
515 if (EC_GROUP_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_group(ec2), nullptr) != 0)
517 return (EC_POINT_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_public_key(ec1), EC_KEY_get0_public_key(ec2), nullptr) == 0);
520 // For a private key, compare the private half.
521 if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PRIVATE) {
522 if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
524 const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
525 const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
526 return (ec1 && ec2 && BN_cmp(EC_KEY_get0_private_key(ec1), EC_KEY_get0_private_key(ec2)) == 0);
530 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("unsupported key type for comparison");
534 string SecurityHelper::doHash(const char* hashAlg, const char* buf, unsigned long buflen, bool toHex)
536 static char DIGITS[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
539 const EVP_MD* md = EVP_get_digestbyname(hashAlg);
541 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hashAlg);
545 BIO* chain = BIO_new(BIO_s_mem());
546 BIO* b = BIO_new(BIO_f_md());
548 chain = BIO_push(b, chain);
549 BIO_write(chain, buf, buflen);
552 char digest[EVP_MAX_MD_SIZE];
553 int len = BIO_gets(chain, digest, EVP_MD_size(md));
555 if (len != EVP_MD_size(md)) {
556 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error(
557 "hash result length (%d) did not match expected value (%d)", len, EVP_MD_size(md)
562 for (int i=0; i < len; ++i) {
563 ret += (DIGITS[((unsigned char)(0xF0 & digest[i])) >> 4 ]);
564 ret += (DIGITS[0x0F & digest[i]]);
568 for (int i=0; i < len; ++i) {
575 string SecurityHelper::getDEREncoding(const XSECCryptoKey& key, const char* hash, bool nowrap)
579 if (key.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
580 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("encoding of non-OpenSSL keys not supported");
584 const RSA* rsa = nullptr;
585 const DSA* dsa = nullptr;
586 #ifdef XMLTOOLING_XMLSEC_ECC
587 const EC_KEY* ec = nullptr;
590 if (key.getKeyType() == XSECCryptoKey::KEY_RSA_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_RSA_PAIR) {
591 rsa = static_cast<const OpenSSLCryptoKeyRSA&>(key).getOpenSSLRSA();
593 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
597 else if (key.getKeyType() == XSECCryptoKey::KEY_DSA_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_DSA_PAIR) {
598 dsa = static_cast<const OpenSSLCryptoKeyDSA&>(key).getOpenSSLDSA();
600 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
604 #ifdef XMLTOOLING_XMLSEC_ECC
605 else if (key.getKeyType() == XSECCryptoKey::KEY_EC_PUBLIC || key.getKeyType() == XSECCryptoKey::KEY_EC_PAIR) {
606 ec = static_cast<const OpenSSLCryptoKeyEC&>(key).getOpenSSLEC();
608 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("key was not populated");
614 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("public key type not supported");
618 const EVP_MD* md=nullptr;
620 md = EVP_get_digestbyname(hash);
622 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hash);
627 BIO* chain = BIO_new(BIO_s_mem());
628 BIO* b = BIO_new(BIO_f_base64());
630 BIO_set_flags(b, BIO_FLAGS_BASE64_NO_NL);
631 chain = BIO_push(b, chain);
633 b = BIO_new(BIO_f_md());
635 chain = BIO_push(b, chain);
639 i2d_RSA_PUBKEY_bio(chain, const_cast<RSA*>(rsa));
641 i2d_DSA_PUBKEY_bio(chain, const_cast<DSA*>(dsa));
642 #ifdef XMLTOOLING_XMLSEC_ECC
644 i2d_EC_PUBKEY_bio(chain, const_cast<EC_KEY*>(ec));
649 char digest[EVP_MAX_MD_SIZE];
650 int len = BIO_gets(chain, digest, EVP_MD_size(md));
651 if (len != EVP_MD_size(md)) {
659 BIO_write(chain, digest, len);
662 BUF_MEM* bptr=nullptr;
663 BIO_get_mem_ptr(chain, &bptr);
664 if (bptr && bptr->length > 0)
665 ret.append(bptr->data, bptr->length);
671 string SecurityHelper::getDEREncoding(const XSECCryptoX509& cert, const char* hash, bool nowrap)
675 if (cert.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
676 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").warn("encoding of non-OpenSSL keys not supported");
680 const EVP_MD* md=nullptr;
682 md = EVP_get_digestbyname(hash);
684 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("hash algorithm (%s) not available", hash);
689 const X509* x = static_cast<const OpenSSLCryptoX509&>(cert).getOpenSSLX509();
690 EVP_PKEY* key = X509_get_pubkey(const_cast<X509*>(x));
692 BIO* chain = BIO_new(BIO_s_mem());
693 BIO* b = BIO_new(BIO_f_base64());
695 BIO_set_flags(b, BIO_FLAGS_BASE64_NO_NL);
696 chain = BIO_push(b, chain);
698 b = BIO_new(BIO_f_md());
700 chain = BIO_push(b, chain);
702 i2d_PUBKEY_bio(chain, key);
706 char digest[EVP_MAX_MD_SIZE];
707 int len = BIO_gets(chain, digest, EVP_MD_size(md));
708 if (len != EVP_MD_size(md)) {
716 BIO_write(chain, digest, len);
719 BUF_MEM* bptr=nullptr;
720 BIO_get_mem_ptr(chain, &bptr);
721 if (bptr && bptr->length > 0)
722 ret.append(bptr->data, bptr->length);
727 string SecurityHelper::getDEREncoding(const Credential& cred, const char* hash, bool nowrap)
729 const X509Credential* x509 = dynamic_cast<const X509Credential*>(&cred);
730 if (x509 && !x509->getEntityCertificateChain().empty())
731 return getDEREncoding(*(x509->getEntityCertificateChain().front()), hash, nowrap);
732 else if (cred.getPublicKey())
733 return getDEREncoding(*(cred.getPublicKey()), hash, nowrap);
737 string SecurityHelper::getDEREncoding(const XSECCryptoKey& key, bool hash, bool nowrap)
739 return getDEREncoding(key, hash ? "SHA1" : nullptr, nowrap);
742 string SecurityHelper::getDEREncoding(const XSECCryptoX509& cert, bool hash, bool nowrap)
744 return getDEREncoding(cert, hash ? "SHA1" : nullptr, nowrap);
747 string SecurityHelper::getDEREncoding(const Credential& cred, bool hash, bool nowrap)
749 return getDEREncoding(cred, hash ? "SHA1" : nullptr, nowrap);
752 XSECCryptoKey* SecurityHelper::fromDEREncoding(const char* buf, unsigned long buflen, bool base64)
755 XMLByte* decoded=nullptr;
757 decoded = xercesc::Base64::decode(reinterpret_cast<const XMLByte*>(buf), &x);
759 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("base64 decode failed");
764 BIO* b = BIO_new_mem_buf((void*)(base64 ? (char*)decoded : buf), (base64 ? x : buflen));
765 EVP_PKEY* pkey = d2i_PUBKEY_bio(b, nullptr);
768 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
769 XMLString::release(&decoded);
771 XMLString::release((char**)&decoded);
776 // Now map it to an XSEC wrapper.
777 XSECCryptoKey* ret = nullptr;
779 switch (pkey->type) {
781 ret = new OpenSSLCryptoKeyRSA(pkey);
785 ret = new OpenSSLCryptoKeyDSA(pkey);
788 #ifdef XMLTOOLING_XMLSEC_ECC
790 ret = new OpenSSLCryptoKeyEC(pkey);
794 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("unsupported public key type");
797 catch (XSECCryptoException& ex) {
798 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error(ex.getMsg());
807 XSECCryptoKey* SecurityHelper::fromDEREncoding(const XMLCh* buf)
810 XMLByte* decoded = xercesc::Base64::decodeToXMLByte(buf, &x);
812 Category::getInstance(XMLTOOLING_LOGCAT".SecurityHelper").error("base64 decode failed");
815 XSECCryptoKey* ret = fromDEREncoding((const char*)decoded, x, false);
816 #ifdef XMLTOOLING_XERCESC_HAS_XMLBYTE_RELEASE
817 XMLString::release(&decoded);
819 XMLString::release((char**)&decoded);