projects / shibboleth / cpp-xmltooling.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch '1.x' of ssh://authdev.it.ohio-state.edu/~scantor/git/cpp-xmltooling...
[shibboleth/cpp-xmltooling.git] / xmltooling / XMLToolingConfig.cpp
diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp
index 36294be..f5b1e40 100644 (file)
--- a/xmltooling/XMLToolingConfig.cpp
+++ b/xmltooling/XMLToolingConfig.cpp
@@ -1,17 +1,21 @@
-/*
- *  Copyright 2001-2010 Internet2
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
  */
 
 /**
@@ -61,6 +65,8 @@
 #ifndef XMLTOOLING_NO_XMLSEC
 # include <curl/curl.h>
 # include <openssl/err.h>
+# include <openssl/evp.h>
+# include <xsec/framework/XSECAlgorithmMapper.hpp>
 # include <xsec/framework/XSECException.hpp>
 # include <xsec/framework/XSECProvider.hpp>
 # include <xsec/transformers/TXFMBase.hpp>
@@ -72,6 +78,12 @@ using namespace xmltooling;
 using namespace xercesc;
 using namespace std;
 
+#ifdef WIN32
+# if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+#  define XMLTOOLING_OPENSSL_HAVE_SHA2 1
+# endif
+#endif
+
 
 DECL_XMLTOOLING_EXCEPTION_FACTORY(XMLParserException,xmltooling);
 DECL_XMLTOOLING_EXCEPTION_FACTORY(XMLObjectException,xmltooling);
@@ -119,7 +131,7 @@ namespace {
             input = nullptr;
         }
         ~TXFMOutputLog() {
-            m_log.debug("----- END SIGNATURE DEBUG -----");
+            m_log.debug("\n----- END SIGNATURE DEBUG -----\n");
         }
 
            void setInput(TXFMBase *newInput) {
@@ -127,7 +139,7 @@ namespace {
                if (newInput->getOutputType() != TXFMBase::BYTE_STREAM)
                        throw XSECException(XSECException::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
                keepComments = input->getCommentsStatus();
-            m_log.debug("----- BEGIN SIGNATURE DEBUG -----");
+            m_log.debug("\n----- BEGIN SIGNATURE DEBUG -----\n");
         }
 
            TXFMBase::ioType getInputType() {
@@ -210,6 +222,76 @@ XMLToolingConfig::~XMLToolingConfig()
 {
 }
 
+#ifndef XMLTOOLING_LITE
+const KeyInfoResolver* XMLToolingConfig::getKeyInfoResolver() const
+{
+    return m_keyInfoResolver;
+}
+
+ReplayCache* XMLToolingConfig::getReplayCache() const
+{
+    return m_replayCache;
+}
+
+void XMLToolingConfig::setKeyInfoResolver(xmltooling::KeyInfoResolver *keyInfoResolver)
+{
+    delete m_keyInfoResolver;
+    m_keyInfoResolver = keyInfoResolver;
+}
+
+void XMLToolingConfig::setReplayCache(ReplayCache* replayCache)
+{
+    delete m_replayCache;
+    m_replayCache = replayCache;
+}
+#endif
+
+PathResolver* XMLToolingConfig::getPathResolver() const
+{
+    return m_pathResolver;
+}
+
+TemplateEngine* XMLToolingConfig::getTemplateEngine() const
+{
+    return m_templateEngine;
+}
+
+const URLEncoder* XMLToolingConfig::getURLEncoder() const
+{
+    return m_urlEncoder;
+}
+
+void XMLToolingConfig::setPathResolver(PathResolver* pathResolver)
+{
+    delete m_pathResolver;
+    m_pathResolver = pathResolver;
+}
+
+void XMLToolingConfig::setTemplateEngine(TemplateEngine* templateEngine)
+{
+    delete m_templateEngine;
+    m_templateEngine = templateEngine;
+}
+
+void XMLToolingConfig::setURLEncoder(URLEncoder* urlEncoder)
+{
+    delete m_urlEncoder;
+    m_urlEncoder = urlEncoder;
+}
+
+XMLToolingInternalConfig::XMLToolingInternalConfig() :
+#ifndef XMLTOOLING_NO_XMLSEC
+    m_xsecProvider(nullptr),
+#endif
+    m_initCount(0), m_lock(Mutex::create()), m_parserPool(nullptr), m_validatingPool(nullptr)
+{
+}
+
+XMLToolingInternalConfig::~XMLToolingInternalConfig()
+{
+    delete m_lock;
+}
+
 bool XMLToolingInternalConfig::log_config(const char* config)
 {
     try {
@@ -263,7 +345,11 @@ bool XMLToolingInternalConfig::log_config(const char* config)
             string path(config);
             PropertyConfigurator::configure(m_pathResolver ? m_pathResolver->resolve(path, PathResolver::XMLTOOLING_CFG_FILE) : path);
         }
-    }
+
+#ifndef XMLTOOLING_NO_XMLSEC
+        Category::getInstance(XMLTOOLING_LOGCAT".Signature.Debugger").setAdditivity(false);
+#endif
+       }
     catch (const ConfigureFailure& e) {
         string msg = string("failed to configure logging: ") + e.what();
         Category::getInstance(XMLTOOLING_LOGCAT".Logging").crit(msg);
@@ -276,69 +362,25 @@ bool XMLToolingInternalConfig::log_config(const char* config)
     return true;
 }
 
-#ifndef XMLTOOLING_LITE
-const KeyInfoResolver* XMLToolingConfig::getKeyInfoResolver() const
-{
-    return m_keyInfoResolver;
-}
-
-ReplayCache* XMLToolingConfig::getReplayCache() const
-{
-    return m_replayCache;
-}
-
-void XMLToolingConfig::setKeyInfoResolver(xmltooling::KeyInfoResolver *keyInfoResolver)
-{
-    delete m_keyInfoResolver;
-    m_keyInfoResolver = keyInfoResolver;
-}
-
-void XMLToolingConfig::setReplayCache(ReplayCache* replayCache)
+bool XMLToolingInternalConfig::init()
 {
-    delete m_replayCache;
-    m_replayCache = replayCache;
-}
+#ifdef _DEBUG
+    xmltooling::NDC ndc("init");
 #endif
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".Config");
 
-PathResolver* XMLToolingConfig::getPathResolver() const
-{
-    return m_pathResolver;
-}
-
-TemplateEngine* XMLToolingConfig::getTemplateEngine() const
-{
-    return m_templateEngine;
-}
-
-const URLEncoder* XMLToolingConfig::getURLEncoder() const
-{
-    return m_urlEncoder;
-}
-
-void XMLToolingConfig::setPathResolver(PathResolver* pathResolver)
-{
-    delete m_pathResolver;
-    m_pathResolver = pathResolver;
-}
+    Lock initLock(m_lock);
 
-void XMLToolingConfig::setTemplateEngine(TemplateEngine* templateEngine)
-{
-    delete m_templateEngine;
-    m_templateEngine = templateEngine;
-}
+    if (m_initCount == INT_MAX) {
+        log.crit("library initialized too many times");
+        return false;
+    }
 
-void XMLToolingConfig::setURLEncoder(URLEncoder* urlEncoder)
-{
-    delete m_urlEncoder;
-    m_urlEncoder = urlEncoder;
-}
+    if (m_initCount >= 1) {
+        ++m_initCount;
+        return true;
+    }
 
-bool XMLToolingInternalConfig::init()
-{
-#ifdef _DEBUG
-    xmltooling::NDC ndc("init");
-#endif
-    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".XMLToolingConfig");
     try {
         log.debug("library initialization started");
 
@@ -347,7 +389,16 @@ bool XMLToolingInternalConfig::init()
             log.fatal("failed to initialize libcurl, OpenSSL, or Winsock");
             return false;
         }
-        log.debug("libcurl %s initialization complete", LIBCURL_VERSION);
+        curl_version_info_data* curlver = curl_version_info(CURLVERSION_NOW);
+        if (curlver) {
+            log.debug("libcurl %s initialization complete", curlver->version);
+            if (!(curlver->features & CURL_VERSION_SSL)) {
+                log.warn("libcurl lacks TLS/SSL support, this will greatly limit functionality");
+            }
+        }
+        else {
+            log.debug("libcurl %s initialization complete", LIBCURL_VERSION);
+        }
 #endif
 
         XMLPlatformUtils::Initialize();
@@ -364,7 +415,6 @@ bool XMLToolingInternalConfig::init()
 
         m_parserPool=new ParserPool();
         m_validatingPool=new ParserPool(true,true);
-        m_lock=XMLPlatformUtils::makeMutex();
 
         // Load catalogs from path.
         if (!catalog_path.empty()) {
@@ -442,11 +492,25 @@ bool XMLToolingInternalConfig::init()
 #endif
 
     log.info("%s library initialization complete", PACKAGE_STRING);
+    ++m_initCount;
     return true;
 }
 
 void XMLToolingInternalConfig::term()
 {
+#ifdef _DEBUG
+    xmltooling::NDC ndc("term");
+#endif
+
+    Lock initLock(m_lock);
+    if (m_initCount == 0) {
+        Category::getInstance(XMLTOOLING_LOGCAT".Config").crit("term without corresponding init");
+        return;
+    }
+    else if (--m_initCount > 0) {
+        return;
+    }
+
 #ifndef XMLTOOLING_NO_XMLSEC
     CRYPTO_set_locking_callback(nullptr);
     for_each(g_openssl_locks.begin(), g_openssl_locks.end(), xmltooling::cleanup<Mutex>());
@@ -511,28 +575,23 @@ void XMLToolingInternalConfig::term()
     XSECPlatformUtils::Terminate();
 #endif
 
-    XMLPlatformUtils::closeMutex(m_lock);
-    m_lock=nullptr;
     XMLPlatformUtils::Terminate();
 
 #ifndef XMLTOOLING_NO_XMLSEC
     curl_global_cleanup();
 #endif
-#ifdef _DEBUG
-    xmltooling::NDC ndc("term");
-#endif
-   Category::getInstance(XMLTOOLING_LOGCAT".XMLToolingConfig").info("%s library shutdown complete", PACKAGE_STRING);
+   Category::getInstance(XMLTOOLING_LOGCAT".Config").info("%s library shutdown complete", PACKAGE_STRING);
 }
 
 Lockable* XMLToolingInternalConfig::lock()
 {
-    xercesc::XMLPlatformUtils::lockMutex(m_lock);
+    m_lock->lock();
     return this;
 }
 
 void XMLToolingInternalConfig::unlock()
 {
-    xercesc::XMLPlatformUtils::unlockMutex(m_lock);
+    m_lock->unlock();
 }
 
 bool XMLToolingInternalConfig::load_library(const char* path, void* context)
@@ -540,7 +599,7 @@ bool XMLToolingInternalConfig::load_library(const char* path, void* context)
 #ifdef _DEBUG
     xmltooling::NDC ndc("LoadLibrary");
 #endif
-    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".XMLToolingConfig");
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".Config");
     log.info("loading extension: %s", path);
 
     Locker locker(this);
@@ -605,6 +664,7 @@ bool XMLToolingInternalConfig::load_library(const char* path, void* context)
 }
 
 #ifndef XMLTOOLING_NO_XMLSEC
+
 void xmltooling::log_openssl()
 {
     const char* file;
@@ -626,38 +686,118 @@ XSECCryptoX509CRL* XMLToolingInternalConfig::X509CRL() const
     return new OpenSSLCryptoX509CRL();
 }
 
+pair<const char*,unsigned int> XMLToolingInternalConfig::mapXMLAlgorithmToKeyAlgorithm(const XMLCh* xmlAlgorithm) const
+{
+    for (algmap_t::const_iterator i = m_algorithmMap.begin(); i != m_algorithmMap.end(); ++i) {
+        algmap_t::value_type::second_type::const_iterator j = i->second.find(xmlAlgorithm);
+        if (j != i->second.end())
+            return pair<const char*,unsigned int>(j->second.first.c_str(), j->second.second);
+    }
+    return pair<const char*,unsigned int>(nullptr, 0);
+}
+
+void XMLToolingInternalConfig::registerXMLAlgorithm(
+    const XMLCh* xmlAlgorithm, const char* keyAlgorithm, unsigned int size, XMLSecurityAlgorithmType type
+    )
+{
+    m_algorithmMap[type][xmlAlgorithm] = pair<string,unsigned int>((keyAlgorithm ? keyAlgorithm : ""), size);
+}
+
+bool XMLToolingInternalConfig::isXMLAlgorithmSupported(const XMLCh* xmlAlgorithm, XMLSecurityAlgorithmType type)
+{
+    try {
+        // First check for basic support from the xmlsec layer.
+        if (XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(xmlAlgorithm)) {
+            // Make sure the algorithm is registered.
+            algmap_t::const_iterator i = m_algorithmMap.find(type);
+            if (i != m_algorithmMap.end()) {
+                algmap_t::value_type::second_type::const_iterator j = i->second.find(xmlAlgorithm);
+                if (j != i->second.end())
+                    return true;
+            }
+        }
+    }
+    catch (XSECException&) {
+    }
+    return false;
+}
+
 void XMLToolingInternalConfig::registerXMLAlgorithms()
 {
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_MD5, "RSA", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA1, "RSA", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA224, "RSA", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA256, "RSA", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA384, "RSA", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA512, "RSA", 0);
+    // The deal with all the macros is to try and figure out with no false positives whether
+    // the OpenSSL version *and* the XML-Security version support the algorithms.
+
+    // With ECDSA, XML-Security exports a public macro for OpenSSL's support, and any
+    // versions of XML-Security that didn't provide the macro don't handle ECDSA anyway.
+
+    // With AES, all supported XML-Security versions export a macro for OpenSSL's support.
+
+    // With SHA2, only the very latest XML-Security exports a macro, but all the versions
+    // will handle SHA2 *if* OpenSSL does. So we use our own macro to check OpenSSL's
+    // support, and then add checks to see if specific versions are compiled out.
+
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIMD5, nullptr, 0, ALGTYPE_DIGEST);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA1, nullptr, 0, ALGTYPE_DIGEST);
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA224, nullptr, 0, ALGTYPE_DIGEST);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA256, nullptr, 0, ALGTYPE_DIGEST);
+#endif
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA384, nullptr, 0, ALGTYPE_DIGEST);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA512, nullptr, 0, ALGTYPE_DIGEST);
+#endif
 
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_1_5, "RSA", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_OAEP_MGFP1, "RSA", 0);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIDSA_SHA1, "DSA", 0, ALGTYPE_SIGN);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_MD5, "RSA", 0, ALGTYPE_SIGN);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA1, "RSA", 0, ALGTYPE_SIGN);
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA224, "RSA", 0, ALGTYPE_SIGN);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA256, "RSA", 0, ALGTYPE_SIGN);
+#endif
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA384, "RSA", 0, ALGTYPE_SIGN);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA512, "RSA", 0, ALGTYPE_SIGN);
+#endif
 
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIDSA_SHA1, "DSA", 0);
+#ifdef XSEC_OPENSSL_HAVE_EC
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA1, "EC", 0, ALGTYPE_SIGN);
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA256, "EC", 0, ALGTYPE_SIGN);
+# endif
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA384, "EC", 0, ALGTYPE_SIGN);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA512, "EC", 0, ALGTYPE_SIGN);
+# endif
+#endif
 
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA1, "HMAC", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA224, "HMAC", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA256, "HMAC", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA384, "HMAC", 0);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA512, "HMAC", 0);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA1, "HMAC", 0, ALGTYPE_SIGN);
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA224, "HMAC", 0, ALGTYPE_SIGN);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA256, "HMAC", 0, ALGTYPE_SIGN);
+#endif
+#if defined(XMLTOOLING_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA384, "HMAC", 0, ALGTYPE_SIGN);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA512, "HMAC", 0, ALGTYPE_SIGN);
+#endif
+
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_1_5, "RSA", 0, ALGTYPE_KEYENCRYPT);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_OAEP_MGFP1, "RSA", 0, ALGTYPE_KEYENCRYPT);
 
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURI3DES_CBC, "DESede", 192);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_3DES, "DESede", 192);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURI3DES_CBC, "DESede", 192, ALGTYPE_ENCRYPT);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_3DES, "DESede", 192, ALGTYPE_KEYENCRYPT);
 
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES128_CBC, "AES", 128);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES128, "AES", 128);
+#ifdef XSEC_OPENSSL_HAVE_AES
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES128_CBC, "AES", 128, ALGTYPE_ENCRYPT);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES128, "AES", 128, ALGTYPE_KEYENCRYPT);
 
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES192_CBC, "AES", 192);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES192, "AES", 192);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES192_CBC, "AES", 192, ALGTYPE_ENCRYPT);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES192, "AES", 192, ALGTYPE_KEYENCRYPT);
 
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES256_CBC, "AES", 256);
-    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES256, "AES", 256);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES256_CBC, "AES", 256, ALGTYPE_ENCRYPT);
+    registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES256, "AES", 256, ALGTYPE_KEYENCRYPT);
+#endif
 }
+
 #endif
 
 #ifdef WIN32
Unnamed repository; edit this file 'description' to name the repository.