1 /*\r
2  *  Copyright 2001-2005 Internet2\r
3  * \r
4  * Licensed under the Apache License, Version 2.0 (the "License");\r
5  * you may not use this file except in compliance with the License.\r
6  * You may obtain a copy of the License at\r
7  *\r
8  *     http://www.apache.org/licenses/LICENSE-2.0\r
9  *\r
10  * Unless required by applicable law or agreed to in writing, software\r
11  * distributed under the License is distributed on an "AS IS" BASIS,\r
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
13  * See the License for the specific language governing permissions and\r
14  * limitations under the License.\r
15  */\r
16 \r
17 /**\r
18  * FilesystemCredentialResolver.cpp\r
19  * \r
20  * Supplies credentials from local files\r
21  */\r
22 \r
23 #include "internal.h"\r
24 #include "signature/KeyResolver.h"\r
25 #include "signature/OpenSSLCredentialResolver.h"\r
26 #include "util/NDC.h"\r
27 #include "util/XMLHelper.h"\r
28 \r
29 #include <sys/types.h>\r
30 #include <sys/stat.h>\r
31 #include <algorithm>\r
32 #include <openssl/pkcs12.h>\r
33 #include <log4cpp/Category.hh>\r
34 #include <xercesc/util/XMLUniDefs.hpp>\r
35 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>\r
36 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>\r
37 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>\r
38 \r
39 using namespace xmlsignature;\r
40 using namespace xmltooling;\r
41 using namespace log4cpp;\r
42 using namespace std;\r
43 \r
44 // OpenSSL password callback...\r
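/**
 * OpenSSL pem_password_cb: copies the configured password (passed as the
 * userdata pointer) into the buffer OpenSSL supplies.
 *
 * @param buf    destination buffer provided by OpenSSL
 * @param len    size of buf in bytes
 * @param verify OpenSSL's rwflag; nonzero when a password is being confirmed
 *               for writing, which this callback always refuses
 * @param passwd NUL-terminated password string, or NULL for "none"
 * @return number of password bytes copied, or 0 to report no password
 *
 * The fit check keeps room for the terminator. It was previously an
 * int-vs-size_t comparison that would also pass for a negative len; the
 * length is now compared as size_t after rejecting non-positive len.
 */
static int passwd_callback(char* buf, int len, int verify, void* passwd)
{
    if (verify || !passwd || len <= 0)
        return 0;

    const char* secret = static_cast<const char*>(passwd);
    const size_t secret_len = strlen(secret);
    if (secret_len >= static_cast<size_t>(len))
        return 0;   // password plus NUL would not fit

    memcpy(buf, secret, secret_len + 1);
    return static_cast<int>(secret_len);
}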
57 \r
58 namespace xmlsignature {\r
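    /**
     * Credential and key resolver backed by files on the local filesystem.
     *
     * Configured from a DOM element: an optional Key child (attributes "format"
     * and "password", child element Path) and an optional Certificate child
     * (same attributes, a Path child, and any number of CAPath children).
     * All loading happens once, in the constructor; afterwards the object is
     * only read, which is why lock()/unlock() do nothing.
     *
     * The object owns the OpenSSL key and X509 objects it loads and the XSEC
     * wrappers mirroring the certificates; the destructor releases all of them.
     * Copying is disabled because a copy would double-free those pointers.
     */
    class FilesystemCredentialResolver : public OpenSSLCredentialResolver, public KeyResolver
    {
    public:
        /// Loads the key and certificates described by e; throws XMLSecurityException on failure.
        FilesystemCredentialResolver(const DOMElement* e);
        virtual ~FilesystemCredentialResolver();

        // Nothing is mutated after construction, so locking is a no-op.
        Lockable* lock() { return this; }
        void unlock() {}
        
        /// Reads and decodes the private key from m_keypath; the caller owns the result.
        XSECCryptoKey* loadKey();
        
        /// Clone of the loaded key (caller owns it), or NULL when no Key was configured.
        XSECCryptoKey* getKey() const { return m_key ? m_key->clone() : NULL; }
        /// Certificates in load order; this object keeps ownership.
        const vector<XSECCryptoX509*>& getCertificates() const { return m_xseccerts; }
        /// Installs the key and certificate chain into an SSL context.
        void attach(SSL_CTX* ctx) const;
        
        // KeyResolver interface: the KeyInfo argument is ignored, the configured
        // key and certificates are always the answer.
        XSECCryptoKey* resolveKey(const KeyInfo* keyInfo) const { return m_key ? m_key->clone() : NULL; }
        XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo) const { return m_key ? m_key->clone() : NULL; }
        vector<XSECCryptoX509*>::size_type resolveCertificates(const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs) const {
            certs.assign(m_xseccerts.begin(), m_xseccerts.end());
            return certs.size();
        }
        vector<XSECCryptoX509*>::size_type resolveCertificates(DSIGKeyInfoList* keyInfo, vector<XSECCryptoX509*>& certs) const {
            certs.assign(m_xseccerts.begin(), m_xseccerts.end());
            return certs.size();
        }
        
    private:
        // Not copyable: declared but never defined (C++98 idiom).
        FilesystemCredentialResolver(const FilesystemCredentialResolver&);
        FilesystemCredentialResolver& operator=(const FilesystemCredentialResolver&);

        // PEM and DER reuse OpenSSL's SSL_FILETYPE values so m_keyformat can be passed straight through.
        enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
    
        format_t getEncodingFormat(BIO* in) const;
        string formatToString(format_t format) const;
        format_t xmlFormatToFormat(const XMLCh* format_xml) const;
    
        format_t m_keyformat;           // encoding of the key file
        string m_keypath,m_keypass;     // key file path and (possibly empty) password
        vector<X509*> m_certs;          // owned OpenSSL certificates, end-entity first
        vector<XSECCryptoX509*> m_xseccerts;  // owned XSEC wrappers, parallel to m_certs
        XSECCryptoKey* m_key;           // owned key, NULL when no Key element was configured
    };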
98 \r
    /**
     * Factory for the filesystem-backed CredentialResolver.
     * @param e configuration element handed to the resolver's constructor
     * @return newly allocated resolver owned by the caller
     */
    CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
    {
        FilesystemCredentialResolver* resolver = new FilesystemCredentialResolver(e);
        return resolver;
    }
103 \r
    /**
     * Factory for the filesystem-backed KeyResolver; the same class serves both roles.
     * @param e configuration element handed to the resolver's constructor
     * @return newly allocated resolver owned by the caller
     */
    KeyResolver* XMLTOOL_DLLLOCAL FilesystemKeyResolverFactory(const DOMElement* const & e)
    {
        FilesystemCredentialResolver* resolver = new FilesystemCredentialResolver(e);
        return resolver;
    }
108 };\r
109 \r
// Names used in the configuration DOM (see the constructor): Key, Certificate,
// Path and CAPath are child elements; format and password are attributes.
static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);
static const XMLCh Certificate[] =      UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
static const XMLCh format[] =           UNICODE_LITERAL_6(f,o,r,m,a,t);
static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);
116 \r
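/**
 * Builds a resolver from its configuration element.
 *
 * Reads an optional Key child (attributes "format" and "password", child Path)
 * and an optional Certificate child (same attributes, child Path, plus any
 * number of CAPath children). The key is loaded immediately through loadKey();
 * the certificate chain is loaded here and mirrored into XSEC wrappers. When a
 * format attribute is absent the file's encoding is sniffed by getEncodingFormat().
 *
 * @param e root configuration element
 * @throws XMLSecurityException if a Path is missing or unreadable, a format is
 *   unknown, or no certificate can be decoded
 *
 * Fixes relative to the previous revision:
 *  - m_keyformat is initialized; attach() read it uninitialized when no Key
 *    element was configured;
 *  - a key loaded before certificate processing failed was leaked, since the
 *    destructor never runs for a constructor that throws;
 *  - the file BIO was leaked when getEncodingFormat() threw or the key file
 *    could not be read;
 *  - the CAPath debug message named the certificate file instead of the CA file.
 */
FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_keyformat(UNKNOWN), m_key(NULL)
{
#ifdef _DEBUG
    NDC ndc("FilesystemCredentialResolver");
#endif
    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver");

    format_t fformat;
    const XMLCh* format_xml=NULL;
    BIO* in = NULL;
    
    // Move to Key
    const DOMElement* root=e;
    e=XMLHelper::getFirstChildElement(root,Key);
    if (e) {

        // Get raw format attrib value, but defer processing til later since may need to 
        // determine format dynamically, and we need the Path for that.
        format_xml=e->getAttributeNS(NULL,format);
            
        // The password comes straight from the configuration and stays in memory
        // for the resolver's lifetime (attach() also hands it to OpenSSL).
        const XMLCh* password_xml=e->getAttributeNS(NULL,password);
        if (password_xml) {
            auto_ptr_char kp(password_xml);
            m_keypass=kp.get();
        }
        
        e=XMLHelper::getFirstChildElement(e,Path);
        if (e && e->hasChildNodes()) {
            const XMLCh* s=e->getFirstChild()->getNodeValue();
            auto_ptr_char kpath(s);
            // Only checks that the path exists; readability is verified when it is opened.
#ifdef WIN32
            struct _stat stat_buf;
            if (_stat(kpath.get(), &stat_buf) != 0)
#else
            struct stat stat_buf;
            if (stat(kpath.get(), &stat_buf) != 0)
#endif
            {
                log.error("key file (%s) can't be opened", kpath.get());
                throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
            }
            m_keypath=kpath.get();
        }
        else {
            log.error("Path element missing inside Key element");
            throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
        }

        // Determine the key encoding format dynamically, if not explicitly specified
        if (format_xml && *format_xml) {
            fformat = xmlFormatToFormat(format_xml);
            if (fformat != UNKNOWN) {
                m_keyformat = fformat;
            }
            else {
                auto_ptr_char unknown(format_xml);
                log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
                throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
            }
        }
        else {
            in=BIO_new(BIO_s_file_internal());
            if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
                try {
                    m_keyformat = getEncodingFormat(in);
                }
                catch (...) {
                    // getEncodingFormat() throws on BIO errors; release the BIO on the way out.
                    BIO_free(in);
                    throw;
                }
                log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
                BIO_free(in);
            }
            else {
                if (in)
                    BIO_free(in);
                log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
                throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
            }
            in = NULL;    
        }
        
        // Load the key.
        m_key = loadKey();
    }
        
    // Check for Certificate
    e=XMLHelper::getFirstChildElement(root,Certificate);
    if (!e)
        return;

    // Everything from here on may throw. A throwing constructor never runs its
    // destructor, so the catch below releases what is already held (BIO, X509s, key).
    try {
        auto_ptr_char certpass(e->getAttributeNS(NULL,password));
        
        DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
        if (!ep || !ep->hasChildNodes()) {
            log.error("Path element missing inside Certificate element or is empty");
            throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
        }
        
        auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
        format_xml=e->getAttributeNS(NULL,format);
        if (format_xml && *format_xml) {
            fformat = xmlFormatToFormat(format_xml);
            if (fformat == UNKNOWN) {
                auto_ptr_char unknown(format_xml);
                log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
                throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
            }
        }
        
        X509* x=NULL;
        PKCS12* p12=NULL;
        in=BIO_new(BIO_s_file_internal());
        if (in && BIO_read_filename(in,certpath.get())>0) {
            if (!format_xml || !*format_xml) {
                // Determine the cert encoding format dynamically, if not explicitly specified
                fformat = getEncodingFormat(in);
                log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
            }

            switch(fformat) {
                case PEM:
                    // A PEM file may hold the whole chain; read until no block is left.
                    while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
                        m_certs.push_back(x);
                    break;
                                
                case DER:
                    x=d2i_X509_bio(in,NULL);
                    if (x)
                        m_certs.push_back(x);
                    else {
                        log_openssl();
                        throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
                    }
                    break;

                case _PKCS12:
                    p12=d2i_PKCS12_bio(in,NULL);
                    if (p12) {
                        // Only the certificate is extracted here; the key comes from loadKey().
                        PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
                        PKCS12_free(p12);
                    }
                    if (x) {
                        m_certs.push_back(x);
                        x=NULL;
                    } else {
                        log_openssl();
                        throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
                    }
                    break;
            } // end switch

        } else {
            log_openssl();
            throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
        }
        BIO_free(in);
        in=NULL;

        if (m_certs.empty()) {
            throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
        }

        // Load any extra CA files.
        DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
        while (extra) {
            if (!extra->hasChildNodes()) {
                log.warn("skipping empty CAPath element");
                extra = XMLHelper::getNextSiblingElement(extra,CAPath);
                continue;
            }
            auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
            x=NULL;
            p12=NULL;
            in=BIO_new(BIO_s_file_internal());
            if (in && BIO_read_filename(in,capath.get())>0) {
                if (!format_xml || !*format_xml) {
                    // Determine the cert encoding format dynamically, if not explicitly specified
                    fformat = getEncodingFormat(in);
                    log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", capath.get(), formatToString(fformat).c_str());
                }

                switch (fformat) {
                    case PEM:
                        while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
                            m_certs.push_back(x);
                        break;

                    case DER:
                        x=d2i_X509_bio(in,NULL);
                        if (x)
                            m_certs.push_back(x);
                        else {
                            log_openssl();
                            throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
                        }
                        break;

                    case _PKCS12:
                        p12 = d2i_PKCS12_bio(in, NULL);
                        if (p12) {
                            PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
                            PKCS12_free(p12);
                        }
                        if (x) {
                            m_certs.push_back(x);
                            x=NULL;
                        }
                        else {
                            log_openssl();
                            throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
                        }
                        break;
                } //end switch

                BIO_free(in);
                in=NULL;
            }
            else {
                log_openssl();
                log.error("CA file (%s) can't be opened", capath.get());
                throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
            }
            
            extra = XMLHelper::getNextSiblingElement(extra,CAPath);
        }
    }
    catch (XMLToolingException&) {
        // Every throw above leaves `in` either NULL or still open, never freed.
        if (in) {
            BIO_free(in);
            in=NULL;
        }
        for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); ++j)
            X509_free(*j);
        m_certs.clear();
        delete m_key;
        m_key=NULL;
        throw;
    }

    // Reflect certs over to XSEC form.
    for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); ++j)
        m_xseccerts.push_back(new OpenSSLCryptoX509(*j));
}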
358 \r
/**
 * Reads the private key from m_keypath according to m_keyformat (m_keypass is
 * used for PEM and PKCS12) and wraps it as an XSEC key.
 *
 * Any format other than PEM or DER (_PKCS12, and UNKNOWN too) is decoded as PKCS12.
 *
 * @return newly allocated XSECCryptoKey owned by the caller
 * @throws XMLSecurityException if the file can't be read, the key can't be
 *   decoded, or its type is neither RSA nor DSA
 */
XSECCryptoKey* FilesystemCredentialResolver::loadKey()
{
#ifdef _DEBUG
    NDC ndc("loadKey");
#endif

    // Decode into an EVP_PKEY first.
    EVP_PKEY* pkey=NULL;
    BIO* keyfile=BIO_new(BIO_s_file_internal());
    const bool readable = (keyfile != NULL && BIO_read_filename(keyfile,m_keypath.c_str())>0);
    if (readable) {
        if (m_keyformat == PEM) {
            pkey=PEM_read_bio_PrivateKey(keyfile, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
        }
        else if (m_keyformat == DER) {
            pkey=d2i_PrivateKey_bio(keyfile, NULL);
        }
        else {
            PKCS12* p12 = d2i_PKCS12_bio(keyfile, NULL);
            if (p12) {
                // Only the key is wanted; certificates inside the PKCS12 are not extracted here.
                PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
                PKCS12_free(p12);
            }
        }
    }
    if (keyfile)
        BIO_free(keyfile);

    // Then map it onto the XSEC wrapper for its key type.
    XSECCryptoKey* wrapped=NULL;
    if (pkey) {
        if (pkey->type == EVP_PKEY_RSA)
            wrapped=new OpenSSLCryptoKeyRSA(pkey);
        else if (pkey->type == EVP_PKEY_DSA)
            wrapped=new OpenSSLCryptoKeyDSA(pkey);
        else
            Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver").error("unsupported private key type");
        // The EVP_PKEY is released right after wrapping; presumably the wrapper
        // copies what it needs rather than keeping this pointer.
        EVP_PKEY_free(pkey);
    }
    if (wrapped)
        return wrapped;

    log_openssl();
    throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file."); 
}
413 \r
/**
 * Releases the key, the OpenSSL certificates and the XSEC wrappers, in that order.
 */
FilesystemCredentialResolver::~FilesystemCredentialResolver()
{
    delete m_key;
    for (vector<X509*>::iterator cert=m_certs.begin(); cert!=m_certs.end(); ++cert)
        X509_free(*cert);
    xmltooling::cleanup<XSECCryptoX509> release;
    for (vector<XSECCryptoX509*>::iterator wrapper=m_xseccerts.begin(); wrapper!=m_xseccerts.end(); ++wrapper)
        release(*wrapper);
}
420 \r
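/**
 * Installs this resolver's private key and certificate chain into an SSL_CTX:
 * the key from m_keypath, the first loaded certificate as the end-entity
 * certificate, and the remaining ones as extra chain certificates.
 *
 * @param ctx SSL context to configure
 * @throws XMLSecurityException if the key or any certificate can't be attached
 *
 * Changes relative to the previous revision:
 *  - DER-encoded keys go through SSL_CTX_use_PrivateKey_file, which decodes them
 *    with the same generic d2i_PrivateKey path loadKey() uses, so a DER DSA key is
 *    accepted here as well; the RSA-only loader rejected it;
 *  - a NULL result from X509_dup is treated as an error instead of being passed
 *    to OpenSSL.
 *
 * NOTE(review): the password callback installed on ctx keeps a raw pointer into
 * m_keypass; if ctx loads further keys after this resolver is destroyed that
 * pointer dangles.
 */
void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
{
#ifdef _DEBUG
    NDC ndc("attach");
#endif
    
    // Attach key.
    SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));

    int ret=0;
    switch (m_keyformat) {
        case PEM:
        case DER:
            // m_keyformat's PEM/DER values are the SSL_FILETYPE constants.
            ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
            break;
            
        default: {
            // PKCS12 (or an undetermined format): decode the key here and hand it over.
            BIO* in=BIO_new(BIO_s_file_internal());
            if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
                EVP_PKEY* pkey=NULL;
                PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
                if (p12) {
                    PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
                    PKCS12_free(p12);
                    if (pkey) {
                        ret=SSL_CTX_use_PrivateKey(ctx, pkey);
                        EVP_PKEY_free(pkey);
                    }
                }
            }
            if (in)
                BIO_free(in);
        }
    }
    
    if (ret!=1) {
        log_openssl();
        throw XMLSecurityException("Unable to attach private key to SSL context.");
    }

    // Attach certs: the first is the end-entity certificate, the rest form the chain.
    vector<X509*>::const_iterator i=m_certs.begin();
    if (i!=m_certs.end()) {
        if (SSL_CTX_use_certificate(ctx, *i) != 1) {
            log_openssl();
            throw XMLSecurityException("Unable to attach client certificate to SSL context.");
        }
        for (++i; i!=m_certs.end(); ++i) {
            // When we add certs, they don't get ref counted, so we need to duplicate them.
            X509* dup = X509_dup(*i);
            if (!dup || SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
                if (dup)
                    X509_free(dup);
                log_openssl();
                throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
            }
        }
    }
}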
484 \r
/**
 * Sniffs the encoding of the credential file behind a BIO: PEM, DER or PKCS12.
 * The stream position is restored before returning so the caller can parse
 * from the start.
 *
 * @param in readable, seekable BIO positioned at the start of the data
 * @return PEM, DER or _PKCS12 (never UNKNOWN)
 * @throws XMLSecurityException if the BIO can't be positioned or read
 */
FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
{
    // Remember where we are; every path below seeks back here.
    const int origin = BIO_tell(in);
    if (origin < 0) {
        log_openssl();
        throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
    }

    char first = 0;
    if (BIO_read(in, &first, 1) <= 0) {
        log_openssl();
        throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
    }
    if (BIO_seek(in, origin) < 0) {
        log_openssl();
        throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
    }

    // Adapted from Java code by Chad La Joie: a DER-encoded structure (PKCS12
    // included) starts with ASCII 48 (the SEQUENCE tag); anything else is taken
    // to be PEM.
    if (first != 48)
        return PEM;

    // DER for certain; a successful PKCS12 decode separates the two DER cases.
    // Somewhat wasteful, since the caller decodes again, but it works.
    PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
    const format_t detected = p12 ? _PKCS12 : DER;
    if (p12)
        PKCS12_free(p12);
    if (BIO_seek(in, origin) < 0) {
        log_openssl();
        throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
    }
    return detected;
}
538 \r
/**
 * Human-readable name of a format_t value, for debug output.
 * @param format value to name
 * @return "PEM", "DER", "PKCS12", or "UNKNOWN" for anything else
 */
string FilesystemCredentialResolver::formatToString(format_t format) const
{
    if (format == PEM)
        return "PEM";
    if (format == DER)
        return "DER";
    if (format == _PKCS12)
        return "PKCS12";
    return "UNKNOWN";
}
553 \r
/**
 * Maps the raw value of a "format" attribute to a format_t.
 * The match is exact and case-sensitive: "PEM", "DER" or "PKCS12".
 *
 * @param format_xml attribute value
 * @return the matching format, or UNKNOWN when the value is none of the three
 */
FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
{
    static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
    static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
    static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };

    if (XMLString::compareString(format_xml,cPEM)==0)
        return PEM;
    if (XMLString::compareString(format_xml,cDER)==0)
        return DER;
    if (XMLString::compareString(format_xml,cPKCS12)==0)
        return _PKCS12;
    return UNKNOWN;
}