projects / shibboleth / cpp-xmltooling.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Major revamp of credential and trust handling code, PKIX engine still needs work.
[shibboleth/cpp-xmltooling.git] / xmltooling / encryption / impl / Decrypter.cpp
diff --git a/xmltooling/encryption/impl/Decrypter.cpp b/xmltooling/encryption/impl/Decrypter.cpp
index 2f2afe2..aaeed9d 100644 (file)
--- a/xmltooling/encryption/impl/Decrypter.cpp
+++ b/xmltooling/encryption/impl/Decrypter.cpp
@@ -23,6 +23,8 @@
 #include "internal.h"
 #include "encryption/Decrypter.h"
 #include "encryption/EncryptedKeyResolver.h"
+#include "security/Credential.h"
+#include "security/CredentialCriteria.h"
 #include "security/CredentialResolver.h"
 
 #include <log4cpp/Category.hh>
@@ -44,11 +46,11 @@ Decrypter::~Decrypter()
         XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->releaseCipher(m_cipher);
 }
 
-DOMDocumentFragment* Decrypter::decryptData(EncryptedData& encryptedData)
+DOMDocumentFragment* Decrypter::decryptData(const EncryptedData& encryptedData, XSECCryptoKey* key)
 {
     if (encryptedData.getDOM()==NULL)
         throw DecryptionException("The object must be marshalled before decryption.");
-    
+
     // We can reuse the cipher object if the document hasn't changed.
 
     if (m_cipher && m_cipher->getDocument()!=encryptedData.getDOM()->getOwnerDocument()) {
@@ -58,56 +60,9 @@ DOMDocumentFragment* Decrypter::decryptData(EncryptedData& encryptedData)
     
     if (!m_cipher)
         m_cipher=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newCipher(encryptedData.getDOM()->getOwnerDocument());
-    
-    try {
-        // Resolve decryption key.
-        XSECCryptoKey* key=NULL;
-        if (m_resolver)
-            key=m_resolver->resolveKey(encryptedData.getKeyInfo());
-
-        if (!key && m_KEKresolver) {
-            // See if there's an encrypted key available. We'll need the algorithm...
-            const XMLCh* algorithm=
-                encryptedData.getEncryptionMethod() ? encryptedData.getEncryptionMethod()->getAlgorithm() : NULL;
-            if (!algorithm)
-                throw DecryptionException("No EncryptionMethod/@Algorithm set, key decryption cannot proceed.");
-            
-            if (encryptedData.getKeyInfo()) {
-                const vector<XMLObject*>& others=const_cast<const KeyInfo*>(encryptedData.getKeyInfo())->getUnknownXMLObjects();
-                for (vector<XMLObject*>::const_iterator i=others.begin(); i!=others.end(); i++) {
-                    EncryptedKey* encKey=dynamic_cast<EncryptedKey*>(*i);
-                    if (encKey) {
-                        try {
-                            key=decryptKey(*encKey, algorithm);
-                        }
-                        catch (DecryptionException& e) {
-                            log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Decrypter").warn(e.what());
-                        }
-                    }
-                }
-            }
-            
-            if (!key) {
-                // Check for a non-trivial resolver.
-                const EncryptedKeyResolver* ekr=dynamic_cast<const EncryptedKeyResolver*>(m_resolver);
-                if (ekr) {
-                    EncryptedKey* encKey=ekr->resolveKey(encryptedData);
-                    if (encKey) {
-                        try {
-                            key=decryptKey(*encKey, algorithm);
-                        }
-                        catch (DecryptionException& e) {
-                            log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Decrypter").warn(e.what());
-                        }
-                    }
-                }
-            }
-        }
 
-        if (!key)
-            throw DecryptionException("Unable to resolve a decryption key.");
-        
-        m_cipher->setKey(key);
+    try {
+        m_cipher->setKey(key->clone());
         DOMNode* ret=m_cipher->decryptElementDetached(encryptedData.getDOM());
         if (ret->getNodeType()!=DOMNode::DOCUMENT_FRAGMENT_NODE) {
             ret->release();
@@ -124,8 +79,78 @@ DOMDocumentFragment* Decrypter::decryptData(EncryptedData& encryptedData)
     }
 }
 
-XSECCryptoKey* Decrypter::decryptKey(EncryptedKey& encryptedKey, const XMLCh* algorithm)
+DOMDocumentFragment* Decrypter::decryptData(const EncryptedData& encryptedData, const XMLCh* recipient)
 {
+    if (!m_credResolver)
+        throw DecryptionException("No CredentialResolver supplied to provide decryption keys.");
+
+    // Resolve a decryption key directly.
+    vector<const Credential*> creds;
+    if (m_criteria) {
+        m_criteria->setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL);
+        m_criteria->setKeyInfo(encryptedData.getKeyInfo());
+        const EncryptionMethod* meth = encryptedData.getEncryptionMethod();
+        if (meth) {
+            auto_ptr_char alg(meth->getAlgorithm());
+            m_criteria->setKeyAlgorithm(alg.get());
+        }
+        m_credResolver->resolve(creds,m_criteria);
+    }
+    else {
+        CredentialCriteria criteria;
+        criteria.setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL);
+        criteria.setKeyInfo(encryptedData.getKeyInfo());
+        const EncryptionMethod* meth = encryptedData.getEncryptionMethod();
+        if (meth) {
+            auto_ptr_char alg(meth->getAlgorithm());
+            criteria.setKeyAlgorithm(alg.get());
+        }
+        m_credResolver->resolve(creds,&criteria);
+    }
+
+    // Loop over them and try each one.
+    XSECCryptoKey* key;
+    for (vector<const Credential*>::const_iterator cred = creds.begin(); cred!=creds.end(); ++cred) {
+        try {
+            key = (*cred)->getPrivateKey();
+            if (!key)
+                continue;
+            return decryptData(encryptedData, key);
+        }
+        catch(DecryptionException& ex) {
+            log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Decrypter").warn(ex.what());
+        }
+    }
+
+    // We need to find an encrypted decryption key somewhere. We'll need the underlying algorithm...
+    const XMLCh* algorithm=
+        encryptedData.getEncryptionMethod() ? encryptedData.getEncryptionMethod()->getAlgorithm() : NULL;
+    if (!algorithm)
+        throw DecryptionException("No EncryptionMethod/@Algorithm set, key decryption cannot proceed.");
+    
+    // Check for external resolver.
+    const EncryptedKey* encKey=NULL;
+    if (m_EKResolver)
+        encKey = m_EKResolver->resolveKey(encryptedData, recipient);
+    else {
+        EncryptedKeyResolver ekr;
+        encKey = ekr.resolveKey(encryptedData, recipient);
+    }
+
+    if (!encKey)
+        throw DecryptionException("Unable to locate an encrypted key.");
+
+    auto_ptr<XSECCryptoKey> keywrapper(decryptKey(*encKey, algorithm));
+    if (!keywrapper.get())
+        throw DecryptionException("Unable to decrypt the encrypted key.");
+    return decryptData(encryptedData, keywrapper.get());
+}
+
+XSECCryptoKey* Decrypter::decryptKey(const EncryptedKey& encryptedKey, const XMLCh* algorithm)
+{
+    if (!m_credResolver)
+        throw DecryptionException("No CredentialResolver supplied to provide decryption keys.");
+
     if (encryptedKey.getDOM()==NULL)
         throw DecryptionException("The object must be marshalled before decryption.");
     
@@ -139,31 +164,52 @@ XSECCryptoKey* Decrypter::decryptKey(EncryptedKey& encryptedKey, const XMLCh* al
     if (!m_cipher)
         m_cipher=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newCipher(encryptedKey.getDOM()->getOwnerDocument());
     
+    // Resolve key decryption key. We can't loop over possible credentials because
+    // we can't tell a valid decrypt from an invalid one.
+    const Credential* cred=NULL;
+    if (m_criteria) {
+        m_criteria->setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL);
+        m_criteria->setKeyInfo(encryptedKey.getKeyInfo());
+        const EncryptionMethod* meth = encryptedKey.getEncryptionMethod();
+        if (meth) {
+            auto_ptr_char alg(meth->getAlgorithm());
+            m_criteria->setKeyAlgorithm(alg.get());
+        }
+        cred = m_credResolver->resolve(m_criteria);
+    }
+    else {
+        CredentialCriteria criteria;
+        criteria.setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL);
+        criteria.setKeyInfo(encryptedKey.getKeyInfo());
+        const EncryptionMethod* meth = encryptedKey.getEncryptionMethod();
+        if (meth) {
+            auto_ptr_char alg(meth->getAlgorithm());
+            criteria.setKeyAlgorithm(alg.get());
+        }
+        cred = m_credResolver->resolve(&criteria);
+    }
+    if (!cred || !cred->getPrivateKey())
+        throw DecryptionException("Unable to resolve a key decryption key.");
+
     try {
-        // Resolve key decryption key.
-        XSECCryptoKey* key=NULL;
-        if (m_KEKresolver)
-            key=m_KEKresolver->getKey(encryptedKey.getKeyInfo());
-        if (!key)
-            throw DecryptionException("Unable to resolve a key decryption key.");
-        m_cipher->setKEK(key);
-        
+        m_cipher->setKEK(cred->getPrivateKey()->clone());
         XMLByte buffer[1024];
+        memset(buffer,0,sizeof(buffer));
         int keySize = m_cipher->decryptKey(encryptedKey.getDOM(), buffer, 1024);
-        if (keySize > 0) {
-            // Try to map the key.
-            XSECAlgorithmHandler* handler = XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(algorithm);
-            if (handler != NULL)
-                return handler->createKeyForURI(algorithm, buffer, keySize);
-            throw DecryptionException("Unrecognized algorithm, could not build object around decrypted key.");
-        }
-        throw DecryptionException("Unable to decrypt key.");
+        if (keySize<=0)
+            throw DecryptionException("Unable to decrypt key.");
+
+        // Try to map the key.
+        XSECAlgorithmHandler* handler = XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(algorithm);
+        if (handler != NULL)
+            return handler->createKeyForURI(algorithm, buffer, keySize);
+        throw DecryptionException("Unrecognized algorithm, could not build object around decrypted key.");
     }
     catch(XSECException& e) {
         auto_ptr_char temp(e.getMsg());
-        throw DecryptionException(string("XMLSecurity exception while decrypting: ") + temp.get());
+        throw DecryptionException(string("XMLSecurity exception while decrypting key: ") + temp.get());
     }
     catch(XSECCryptoException& e) {
-        throw DecryptionException(string("XMLSecurity exception while decrypting: ") + e.getMsg());
+        throw DecryptionException(string("XMLSecurity exception while decrypting key: ") + e.getMsg());
     }
 }
Unnamed repository; edit this file 'description' to name the repository.