2 * Copyright 2001-2005 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * FilesystemCredentialResolver.cpp
\r
20 * Supplies credentials from local files
\r
23 #include "internal.h"
\r
24 #include "signature/KeyResolver.h"
\r
25 #include "signature/OpenSSLCredentialResolver.h"
\r
26 #include "util/NDC.h"
\r
27 #include "util/XMLHelper.h"
\r
29 #include <sys/types.h>
\r
30 #include <sys/stat.h>
\r
31 #include <algorithm>
\r
32 #include <openssl/pkcs12.h>
\r
33 #include <log4cpp/Category.hh>
\r
34 #include <xercesc/util/XMLUniDefs.hpp>
\r
35 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
\r
36 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
\r
37 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
\r
39 using namespace xmlsignature;
\r
40 using namespace xmltooling;
\r
41 using namespace log4cpp;
\r
42 using namespace std;
\r
44 // OpenSSL password callback: copies the configured password into OpenSSL's buffer only when it fits (terminating NUL included).
\r
45 static int passwd_callback(char* buf, int len, int verify, void* passwd)
\r
49 if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
\r
51 strcpy(buf,reinterpret_cast<char*>(passwd));
\r
58 namespace xmlsignature {
\r
59 class FilesystemCredentialResolver : public OpenSSLCredentialResolver, public KeyResolver
\r
62 FilesystemCredentialResolver(const DOMElement* e);
\r
63 virtual ~FilesystemCredentialResolver();
\r
65 Lockable* lock() { return this; }
\r
68 XSECCryptoKey* loadKey();
\r
70 XSECCryptoKey* getKey() const { return m_key ? m_key->clone() : NULL; }
\r
71 const vector<XSECCryptoX509*>& getCertificates() const { return m_xseccerts; }
\r
72 void attach(SSL_CTX* ctx) const;
\r
74 XSECCryptoKey* resolveKey(const KeyInfo* keyInfo) const { return m_key ? m_key->clone() : NULL; }
\r
75 XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo) const { return m_key ? m_key->clone() : NULL; }
\r
76 vector<XSECCryptoX509*>::size_type resolveCertificates(const KeyInfo* keyInfo, ResolvedCertificates& certs) const {
\r
77 accessCertificates(certs).assign(m_xseccerts.begin(), m_xseccerts.end());
\r
78 accessOwned(certs) = false;
\r
79 return accessCertificates(certs).size();
\r
81 vector<XSECCryptoX509*>::size_type resolveCertificates(DSIGKeyInfoList* keyInfo, ResolvedCertificates& certs) const {
\r
82 accessCertificates(certs).assign(m_xseccerts.begin(), m_xseccerts.end());
\r
83 accessOwned(certs) = false;
\r
84 return accessCertificates(certs).size();
\r
88 enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
\r
90 format_t getEncodingFormat(BIO* in) const;
\r
91 string formatToString(format_t format) const;
\r
92 format_t xmlFormatToFormat(const XMLCh* format_xml) const;
\r
94 format_t m_keyformat;
\r
95 string m_keypath,m_keypass;
\r
96 vector<X509*> m_certs;
\r
97 vector<XSECCryptoX509*> m_xseccerts;
\r
98 XSECCryptoKey* m_key;
\r
101 CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
\r
103 return new FilesystemCredentialResolver(e);
\r
106 KeyResolver* XMLTOOL_DLLLOCAL FilesystemKeyResolverFactory(const DOMElement* const & e)
\r
108 return new FilesystemCredentialResolver(e);
\r
112 static const XMLCh CAPath[] = UNICODE_LITERAL_6(C,A,P,a,t,h);
\r
113 static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
\r
114 static const XMLCh format[] = UNICODE_LITERAL_6(f,o,r,m,a,t);
\r
115 static const XMLCh Key[] = UNICODE_LITERAL_3(K,e,y);
\r
116 static const XMLCh password[] = UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
\r
117 static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h);
\r
119 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_key(NULL)
\r
122 NDC ndc("FilesystemCredentialResolver");
\r
124 Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver");
\r
127 const XMLCh* format_xml=NULL;
\r
131 const DOMElement* root=e;
\r
132 e=XMLHelper::getFirstChildElement(root,Key);
\r
135 // Get the raw format attribute value, but defer processing until later since we may need to
\r
136 // determine the format dynamically, and we need the Path for that.
\r
137 format_xml=e->getAttributeNS(NULL,format);
\r
139 const XMLCh* password_xml=e->getAttributeNS(NULL,password);
\r
140 if (password_xml) {
\r
141 auto_ptr_char kp(password_xml);
\r
142 m_keypass=kp.get();
\r
145 e=XMLHelper::getFirstChildElement(e,Path);
\r
146 if (e && e->hasChildNodes()) {
\r
147 const XMLCh* s=e->getFirstChild()->getNodeValue();
\r
148 auto_ptr_char kpath(s);
\r
150 struct _stat stat_buf;
\r
151 if (_stat(kpath.get(), &stat_buf) != 0)
\r
153 struct stat stat_buf;
\r
154 if (stat(kpath.get(), &stat_buf) != 0)
\r
157 log.error("key file (%s) can't be opened", kpath.get());
\r
158 throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
\r
160 m_keypath=kpath.get();
\r
163 log.error("Path element missing inside Key element");
\r
164 throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
\r
167 // Determine the key encoding format dynamically, if not explicitly specified
\r
168 if (format_xml && *format_xml) {
\r
169 fformat = xmlFormatToFormat(format_xml);
\r
170 if (fformat != UNKNOWN) {
\r
171 m_keyformat = fformat;
\r
174 auto_ptr_char unknown(format_xml);
\r
175 log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
\r
176 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
\r
180 in=BIO_new(BIO_s_file_internal());
\r
181 if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
\r
182 m_keyformat = getEncodingFormat(in);
\r
183 log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
\r
186 log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
\r
187 throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
\r
198 // Check for Certificate
\r
199 e=XMLHelper::getFirstChildElement(root,Certificate);
\r
202 auto_ptr_char certpass(e->getAttributeNS(NULL,password));
\r
204 DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
\r
205 if (!ep || !ep->hasChildNodes()) {
\r
206 log.error("Path element missing inside Certificate element or is empty");
\r
207 throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
\r
210 auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
\r
211 format_xml=e->getAttributeNS(NULL,format);
\r
212 if (format_xml && *format_xml) {
\r
213 fformat = xmlFormatToFormat(format_xml);
\r
214 if (fformat == UNKNOWN) {
\r
215 auto_ptr_char unknown(format_xml);
\r
216 log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
\r
217 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
\r
224 in=BIO_new(BIO_s_file_internal());
\r
225 if (in && BIO_read_filename(in,certpath.get())>0) {
\r
226 if (!format_xml || !*format_xml) {
\r
227 // Determine the cert encoding format dynamically, if not explicitly specified
\r
228 fformat = getEncodingFormat(in);
\r
229 log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
\r
234 while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
\r
235 m_certs.push_back(x);
\r
239 x=d2i_X509_bio(in,NULL);
\r
241 m_certs.push_back(x);
\r
245 throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
\r
250 p12=d2i_PKCS12_bio(in,NULL);
\r
252 PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
\r
256 m_certs.push_back(x);
\r
261 throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
\r
272 throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
\r
279 if (m_certs.empty()) {
\r
280 throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
\r
283 // Load any extra CA files.
\r
284 DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
\r
286 if (!extra->hasChildNodes()) {
\r
287 log.warn("skipping empty CAPath element");
\r
288 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
\r
291 auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
\r
294 in=BIO_new(BIO_s_file_internal());
\r
295 if (in && BIO_read_filename(in,capath.get())>0) {
\r
296 if (!format_xml || !*format_xml) {
\r
297 // Determine the cert encoding format dynamically, if not explicitly specified
\r
298 fformat = getEncodingFormat(in);
\r
299 log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
\r
304 while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
\r
305 m_certs.push_back(x);
\r
309 x=d2i_X509_bio(in,NULL);
\r
311 m_certs.push_back(x);
\r
315 throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
\r
320 p12 = d2i_PKCS12_bio(in, NULL);
\r
322 PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
\r
326 m_certs.push_back(x);
\r
332 throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
\r
343 log.error("CA file (%s) can't be opened", capath.get());
\r
344 throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
\r
347 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
\r
350 catch (XMLToolingException&) {
\r
351 for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
\r
356 // Mirror the loaded OpenSSL certs as XSEC wrapper objects.
\r
357 for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
\r
358 m_xseccerts.push_back(new OpenSSLCryptoX509(*j));
\r
361 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
\r
364 NDC ndc("loadKey");
\r
368 EVP_PKEY* pkey=NULL;
\r
369 BIO* in=BIO_new(BIO_s_file_internal());
\r
370 if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
\r
371 switch (m_keyformat) {
\r
373 pkey=PEM_read_bio_PrivateKey(in, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
\r
377 pkey=d2i_PrivateKey_bio(in, NULL);
\r
381 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
\r
383 PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
\r
392 // Now map it to an XSEC wrapper.
\r
394 XSECCryptoKey* ret=NULL;
\r
395 switch (pkey->type) {
\r
397 ret=new OpenSSLCryptoKeyRSA(pkey);
\r
401 ret=new OpenSSLCryptoKeyDSA(pkey);
\r
405 Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver").error("unsupported private key type");
\r
407 EVP_PKEY_free(pkey);
\r
413 throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file.");
\r
416 FilesystemCredentialResolver::~FilesystemCredentialResolver()
\r
419 for_each(m_certs.begin(),m_certs.end(),X509_free);
\r
420 for_each(m_xseccerts.begin(),m_xseccerts.end(),xmltooling::cleanup<XSECCryptoX509>());
\r
423 void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
\r
430 SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
\r
431 SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
\r
434 switch (m_keyformat) {
\r
436 ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
\r
440 ret=SSL_CTX_use_RSAPrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
\r
444 BIO* in=BIO_new(BIO_s_file_internal());
\r
445 if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
\r
446 EVP_PKEY* pkey=NULL;
\r
447 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
\r
449 PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
\r
452 ret=SSL_CTX_use_PrivateKey(ctx, pkey);
\r
453 EVP_PKEY_free(pkey);
\r
464 throw XMLSecurityException("Unable to attach private key to SSL context.");
\r
468 for (vector<X509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) {
\r
469 if (i==m_certs.begin()) {
\r
470 if (SSL_CTX_use_certificate(ctx, *i) != 1) {
\r
472 throw XMLSecurityException("Unable to attach client certificate to SSL context.");
\r
476 // SSL_CTX_add_extra_chain_cert takes ownership of the X509 without incrementing its refcount, so hand it a duplicate and keep ours.
\r
477 X509* dup = X509_dup(*i);
\r
478 if (SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
\r
481 throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
\r
487 // Sniffs the encoding format of a credential file from its leading byte and restores
\r
488 // the BIO's read position before returning. Supports: PEM, DER, PKCS12.
\r
489 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
\r
491 PKCS12* p12 = NULL;
\r
494 const int READSIZE = 1;
\r
495 char buf[READSIZE];
\r
500 if ( (mark = BIO_tell(in)) < 0 )
\r
501 throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
\r
502 if ( BIO_read(in, buf, READSIZE) <= 0 )
\r
503 throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
\r
504 if ( BIO_seek(in, mark) < 0 )
\r
505 throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
\r
514 // This is a slight variation of the Java code by Chad La Joie.
\r
516 // Check the first byte of the file. If it's some kind of
\r
517 // DER-encoded structure (including PKCS12), it will begin with byte 0x30 (decimal 48, the ASN.1 SEQUENCE tag).
\r
518 // Anything else is assumed to be PEM.
\r
522 // Here we know it's DER-encoded, now try to parse it as a PKCS12
\r
523 // ASN.1 structure. If it fails, must be another kind of DER-encoded
\r
524 // key/cert structure. A little inefficient, but it works.
\r
525 if ( (p12=d2i_PKCS12_bio(in,NULL)) == NULL ) {
\r
532 if ( BIO_seek(in, mark) < 0 ) {
\r
534 throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
\r
541 // Convert a key/cert format_t value to a human-readable string for debug output
\r
542 string FilesystemCredentialResolver::formatToString(format_t format) const
\r
556 // Convert the raw XML format attribute (XMLCh[]) of a Key/Certificate element to a format_t; unrecognized values yield UNKNOWN
\r
557 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
\r
559 static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
\r
560 static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
\r
561 static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };
\r
564 if (!XMLString::compareString(format_xml,cPEM))
\r
566 else if (!XMLString::compareString(format_xml,cDER))
\r
568 else if (!XMLString::compareString(format_xml,cPKCS12))
\r