Extend KeyResolver to include certificate resolution, add inline resolver.

[shibboleth/cpp-xmltooling.git] / xmltooling / signature / impl / InlineKeyResolver.cpp

/*\r
 *  Copyright 2001-2005 Internet2\r
 * \r
 * Licensed under the Apache License, Version 2.0 (the "License");\r
 * you may not use this file except in compliance with the License.\r
 * You may obtain a copy of the License at\r
 *\r
 *     http://www.apache.org/licenses/LICENSE-2.0\r
 *\r
 * Unless required by applicable law or agreed to in writing, software\r
 * distributed under the License is distributed on an "AS IS" BASIS,\r
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 * See the License for the specific language governing permissions and\r
 * limitations under the License.\r
 */\r
\r
/**\r
 * InlineKeyResolver.cpp\r
 * \r
 * Resolves key information directly from recognized KeyInfo structures.\r
 */\r
\r
#include "internal.h"\r
#include "signature/KeyResolver.h"\r
#include "util/NDC.h"\r
#include "util/Threads.h"\r
\r
#include <algorithm>\r
#include <log4cpp/Category.hh>\r
#include <xercesc/util/XMLUniDefs.hpp>\r
#include <xsec/dsig/DSIGKeyInfoX509.hpp>\r
#include <xsec/enc/XSECKeyInfoResolverDefault.hpp>\r
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>\r
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>\r
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>\r
#include <xsec/enc/XSECCryptoException.hpp>\r
#include <xsec/framework/XSECException.hpp>\r
\r
using namespace xmlsignature;\r
using namespace xmltooling;\r
using namespace log4cpp;\r
using namespace std;\r
\r
namespace xmlsignature {\r
    class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyResolver\r
    {\r
    public:\r
        InlineKeyResolver(const DOMElement* e);\r
        virtual ~InlineKeyResolver();\r
\r
        XSECCryptoKey* resolveKey(const KeyInfo* keyInfo) const;\r
        XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo) const;\r
        vector<XSECCryptoX509*>::size_type resolveCertificates(const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs) const;\r
        vector<XSECCryptoX509*>::size_type resolveCertificates(DSIGKeyInfoList* keyInfo, vector<XSECCryptoX509*>& certs) const;\r
        \r
    private:\r
        struct XMLTOOL_DLLLOCAL CacheEntry {\r
            CacheEntry() : m_key(NULL) {}\r
            ~CacheEntry() {\r
                delete m_key;\r
                for_each(m_certs.begin(),m_certs.end(),xmltooling::cleanup<XSECCryptoX509>());\r
            }\r
            XSECCryptoKey* m_key;\r
            vector<XSECCryptoX509*> m_certs;\r
        };\r
\r
        void _resolve(const KeyInfo* keyInfo, CacheEntry& entry) const;\r
        XSECCryptoKey* _resolveKey(const KeyInfo* keyInfo) const;\r
        vector<XSECCryptoX509*>::size_type _resolveCertificates(const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs) const;\r
\r
        RWLock* m_lock;\r
        mutable map<const KeyInfo*,CacheEntry> m_cache;\r
    };\r
\r
    KeyResolver* XMLTOOL_DLLLOCAL InlineKeyResolverFactory(const DOMElement* const & e)\r
    {\r
        return new InlineKeyResolver(e);\r
    }\r
};\r
\r
static const XMLCh cache[] = UNICODE_LITERAL_5(c,a,c,h,e);\r
\r
InlineKeyResolver::InlineKeyResolver(const DOMElement* e) : m_lock(NULL)\r
{\r
    const XMLCh* flag = e ? e->getAttributeNS(NULL,cache) : NULL;\r
    if (flag && XMLString::equals(flag,XMLConstants::XML_TRUE) || XMLString::equals(flag,XMLConstants::XML_ONE))\r
        m_lock=RWLock::create();\r
}\r
\r
InlineKeyResolver::~InlineKeyResolver()\r
{\r
    m_cache.clear();\r
    delete m_lock;\r
}\r
\r
void InlineKeyResolver::_resolve(const KeyInfo* keyInfo, CacheEntry& entry) const\r
{\r
    if (_resolveCertificates(keyInfo, entry.m_certs)>0)\r
        entry.m_key = entry.m_certs.front()->clonePublicKey();\r
    else\r
        entry.m_key = _resolveKey(keyInfo);\r
}\r
\r
XSECCryptoKey* InlineKeyResolver::_resolveKey(const KeyInfo* keyInfo) const\r
{\r
#ifdef _DEBUG\r
    NDC ndc("_resolveKey");\r
#endif\r
    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver");\r
\r
    // Check for ds:X509Data\r
    const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();\r
    for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {\r
        try {\r
            const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();\r
            if (!x509Certs.empty()) {\r
                auto_ptr_char x(x509Certs.front()->getValue());\r
                if (!x.get()) {\r
                    log.warn("skipping empty ds:X509Certificate");\r
                }\r
                else {\r
                    log.debug("resolving ds:X509Certificate");\r
                    auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());\r
                    x509->loadX509Base64Bin(x.get(), strlen(x.get()));\r
                    return x509->clonePublicKey();\r
                }\r
            }\r
        }\r
        catch(XSECException& e) {\r
            auto_ptr_char temp(e.getMsg());\r
            log.error("caught XML-Security exception loading certificate: %s", temp.get());\r
        }\r
        catch(XSECCryptoException& e) {\r
            log.error("caught XML-Security exception loading certificate: %s", e.getMsg());\r
        }\r
    }\r
\r
    // Check for ds:KeyValue\r
    const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();\r
    for (vector<KeyValue*>::const_iterator i=keyValues.begin(); i!=keyValues.end(); ++i) {\r
        try {\r
            KeyInfoSchemaValidators.validate(*i);    // see if it's a "valid" key\r
            RSAKeyValue* rsakv = (*i)->getRSAKeyValue();\r
            if (rsakv) {\r
                log.debug("resolving ds:RSAKeyValue");\r
                auto_ptr_char mod(rsakv->getModulus()->getValue());\r
                auto_ptr_char exp(rsakv->getExponent()->getValue());\r
                auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());\r
                rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));\r
                rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));\r
                return rsa.release();\r
            }\r
            DSAKeyValue* dsakv = (*i)->getDSAKeyValue();\r
            if (dsakv) {\r
                log.debug("resolving ds:DSAKeyValue");\r
                auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());\r
                auto_ptr_char y(dsakv->getY()->getValue());\r
                dsa->loadYBase64BigNums(y.get(), strlen(y.get()));\r
                if (dsakv->getP()) {\r
                    auto_ptr_char p(dsakv->getP()->getValue());\r
                    dsa->loadPBase64BigNums(p.get(), strlen(p.get()));\r
                }\r
                if (dsakv->getQ()) {\r
                    auto_ptr_char q(dsakv->getQ()->getValue());\r
                    dsa->loadQBase64BigNums(q.get(), strlen(q.get()));\r
                }\r
                if (dsakv->getG()) {\r
                    auto_ptr_char g(dsakv->getG()->getValue());\r
                    dsa->loadGBase64BigNums(g.get(), strlen(g.get()));\r
                }\r
                return dsa.release();\r
            }\r
        }\r
        catch (ValidationException& ex) {\r
            log.warn("skipping invalid ds:KeyValue (%s)", ex.what());\r
        }\r
        catch(XSECException& e) {\r
            auto_ptr_char temp(e.getMsg());\r
            log.error("caught XML-Security exception loading key: %s", temp.get());\r
        }\r
        catch(XSECCryptoException& e) {\r
            log.error("caught XML-Security exception loading key: %s", e.getMsg());\r
        }\r
    }\r
\r
    log.warn("unable to resolve key");\r
    return NULL;\r
}\r
\r
vector<XSECCryptoX509*>::size_type InlineKeyResolver::_resolveCertificates(\r
    const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs\r
    ) const\r
{\r
#ifdef _DEBUG\r
    NDC ndc("_resolveCertificates");\r
#endif\r
    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver");\r
\r
    // Check for ds:X509Data\r
    const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();\r
    for (vector<X509Data*>::const_iterator j=x509Datas.begin(); certs.empty() && j!=x509Datas.end(); ++j) {\r
        const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();\r
        for (vector<X509Certificate*>::const_iterator k=x509Certs.begin(); k!=x509Certs.end(); ++k) {\r
            try {\r
                auto_ptr_char x((*k)->getValue());\r
                if (!x.get()) {\r
                    log.warn("skipping empty ds:X509Certificate");\r
                }\r
                else {\r
                    log.debug("resolving ds:X509Certificate");\r
                    auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());\r
                    x509->loadX509Base64Bin(x.get(), strlen(x.get()));\r
                    certs.push_back(x509.release());\r
                }\r
            }\r
            catch(XSECException& e) {\r
                auto_ptr_char temp(e.getMsg());\r
                log.error("caught XML-Security exception loading certificate: %s", temp.get());\r
            }\r
            catch(XSECCryptoException& e) {\r
                log.error("caught XML-Security exception loading certificate: %s", e.getMsg());\r
            }\r
        }\r
    }\r
    if (log.isDebugEnabled()) {\r
        log.debug("resolved %d certificate%s", certs.size(), certs.size()==1 ? "" : "s");\r
    }\r
    return certs.size();\r
}\r
\r
XSECCryptoKey* InlineKeyResolver::resolveKey(const KeyInfo* keyInfo) const\r
{\r
    // Caching?\r
    if (m_lock) {\r
        // Get read lock.\r
        m_lock->rdlock();\r
        map<const KeyInfo*,CacheEntry>::iterator i=m_cache.find(keyInfo);\r
        if (i != m_cache.end()) {\r
            // Found in cache, so just return the results.\r
            SharedLock locker(m_lock,false);\r
            return i->second.m_key ? i->second.m_key->clone() : NULL;\r
        }\r
        else {\r
            // Elevate lock.\r
            m_lock->unlock();\r
            m_lock->wrlock();\r
            SharedLock locker(m_lock,false);\r
            // Recheck cache.\r
            i=m_cache.find(keyInfo);\r
            if (i == m_cache.end()) {\r
                i = m_cache.insert(make_pair(keyInfo,CacheEntry())).first;\r
                _resolve(i->first, i->second);\r
            }\r
            return i->second.m_key ? i->second.m_key->clone() : NULL;\r
        }\r
    }\r
    return _resolveKey(keyInfo);\r
}\r
\r
vector<XSECCryptoX509*>::size_type InlineKeyResolver::resolveCertificates(\r
    const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs\r
    ) const\r
{\r
    // Caching?\r
    if (m_lock) {\r
        // Get read lock.\r
        m_lock->rdlock();\r
        map<const KeyInfo*,CacheEntry>::iterator i=m_cache.find(keyInfo);\r
        if (i != m_cache.end()) {\r
            // Found in cache, so just return the results.\r
            SharedLock locker(m_lock,false);\r
            certs.assign(i->second.m_certs.begin(), i->second.m_certs.end());\r
            return certs.size();\r
        }\r
        else {\r
            // Elevate lock.\r
            m_lock->unlock();\r
            m_lock->wrlock();\r
            SharedLock locker(m_lock,false);\r
            // Recheck cache.\r
            i=m_cache.find(keyInfo);\r
            if (i == m_cache.end()) {\r
                i = m_cache.insert(make_pair(keyInfo,CacheEntry())).first;\r
                _resolve(i->first, i->second);\r
            }\r
            certs.assign(i->second.m_certs.begin(), i->second.m_certs.end());\r
            return certs.size();\r
        }\r
    }\r
    return _resolveCertificates(keyInfo, certs);\r
}\r
\r
XSECCryptoKey* InlineKeyResolver::resolveKey(DSIGKeyInfoList* keyInfo) const\r
{\r
#ifdef _DEBUG\r
    NDC ndc("_resolveKey");\r
#endif\r
\r
    // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.\r
    try {\r
        XSECKeyInfoResolverDefault def;\r
        return def.resolveKey(keyInfo);\r
    }\r
    catch(XSECException& e) {\r
        auto_ptr_char temp(e.getMsg());\r
        Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading certificate: %s", temp.get());\r
    }\r
    catch(XSECCryptoException& e) {\r
        Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading certificate: %s", e.getMsg());\r
    }\r
    return NULL;\r
}\r
\r
vector<XSECCryptoX509*>::size_type InlineKeyResolver::resolveCertificates(\r
    DSIGKeyInfoList* keyInfo, vector<XSECCryptoX509*>& certs\r
    ) const\r
{\r
    certs.clear();\r
        DSIGKeyInfoList::size_type sz = keyInfo->getSize();\r
    for (DSIGKeyInfoList::size_type i=0; certs.empty() && i<sz; ++i) {\r
        if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {\r
            DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));\r
            int count = x509->getCertificateListSize();\r
            for (int j=0; j<count; ++j) {\r
                certs.push_back(x509->getCertificateCryptoItem(j));\r
            }\r
        }\r
    }\r
    return certs.size();\r
}\r