/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2010 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include "security/BasicX509Credential.h"
#include "security/KeyInfoCredentialContext.h"
#include "security/KeyInfoResolver.h"
+#include "security/XSECCryptoX509CRL.h"
#include "signature/KeyInfo.h"
#include "signature/Signature.h"
#include "util/NDC.h"
using namespace xmlsignature;
using namespace xmltooling::logging;
using namespace xmltooling;
+using namespace xercesc;
using namespace std;
namespace xmltooling {
return ret;
}
- const CredentialContext* getCredentialContext() const {
+ const CredentialContext* getCredentalContext() const {
return m_credctx;
}
private:
bool resolveCerts(const KeyInfo* keyInfo);
bool resolveKey(const KeyInfo* keyInfo);
- bool resolveCRL(const KeyInfo* keyInfo);
+ bool resolveCRLs(const KeyInfo* keyInfo);
KeyInfoCredentialContext* m_credctx;
};
// If we have a cert, just use it.
if (!m_xseccerts.empty())
m_key = m_xseccerts.front()->clonePublicKey();
+ else
+ resolveKey(keyInfo);
}
// Otherwise try directly for a key and then go for certs if none is found.
else if (!resolveKey(keyInfo) && resolveCerts(keyInfo)) {
}
if (types & X509Credential::RESOLVE_CRLS)
- resolveCRL(keyInfo);
+ resolveCRLs(keyInfo);
+
+ const XMLCh* n;
+ char* kn;
+ const vector<KeyName*>& knames=keyInfo->getKeyNames();
+ for (vector<KeyName*>::const_iterator kn_i=knames.begin(); kn_i!=knames.end(); ++kn_i) {
+ n=(*kn_i)->getName();
+ if (n && *n) {
+ kn=toUTF8(n);
+ m_keyNames.insert(kn);
+ delete[] kn;
+ }
+ }
+ const vector<X509Data*> datas=keyInfo->getX509Datas();
+ for (vector<X509Data*>::const_iterator x_i=datas.begin(); x_i!=datas.end(); ++x_i) {
+ const vector<X509SubjectName*> snames = const_cast<const X509Data*>(*x_i)->getX509SubjectNames();
+ for (vector<X509SubjectName*>::const_iterator sn_i = snames.begin(); sn_i!=snames.end(); ++sn_i) {
+ n = (*sn_i)->getName();
+ if (n && *n) {
+ kn=toUTF8(n);
+ m_keyNames.insert(kn);
+ m_subjectName = kn;
+ delete[] kn;
+ }
+ }
+
+ const vector<X509IssuerSerial*> inames = const_cast<const X509Data*>(*x_i)->getX509IssuerSerials();
+ if (!inames.empty()) {
+ const X509IssuerName* iname = inames.front()->getX509IssuerName();
+ if (iname) {
+ kn = toUTF8(iname->getName());
+ if (kn)
+ m_issuerName = kn;
+ delete[] kn;
+ }
- keyInfo->extractNames(m_keyNames);
+ const X509SerialNumber* ser = inames.front()->getX509SerialNumber();
+ if (ser) {
+ auto_ptr_char sn(ser->getSerialNumber());
+ m_serial = sn.get();
+ }
+ }
+ }
}
bool InlineCredential::resolveKey(const KeyInfo* keyInfo)
}
}
- // Check for RetrievalMethod.
- const XMLCh* fragID=NULL;
- const XMLObject* treeRoot=NULL;
- const vector<RetrievalMethod*>& methods=keyInfo->getRetrievalMethods();
- for (vector<RetrievalMethod*>::const_iterator m=methods.begin(); m!=methods.end(); ++m) {
- if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_RSAKEYVALUE) &&
- !XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_DSAKEYVALUE))
- continue;
- fragID = (*m)->getURI();
- if (!fragID || *fragID != chPound || !*(fragID+1)) {
- log.warn("skipping ds:RetrievalMethod with an empty or non-local reference");
- continue;
- }
- if (!treeRoot) {
- treeRoot = keyInfo;
- while (treeRoot->getParent())
- treeRoot = treeRoot->getParent();
- }
- keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
- if (!keyInfo) {
- log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo");
- continue;
- }
- if (resolveKey(keyInfo))
- return true;
- }
return false;
}
}
}
}
-
- if (m_xseccerts.empty()) {
- // Check for RetrievalMethod.
- const XMLCh* fragID=NULL;
- const XMLObject* treeRoot=NULL;
- const vector<RetrievalMethod*> methods=keyInfo->getRetrievalMethods();
- for (vector<RetrievalMethod*>::const_iterator m=methods.begin(); m!=methods.end(); ++m) {
- if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_X509DATA))
- continue;
- fragID = (*m)->getURI();
- if (!fragID || *fragID != chPound || !*(fragID+1)) {
- log.warn("skipping ds:RetrievalMethod with an empty or non-local reference");
- continue;
- }
- if (!treeRoot) {
- treeRoot = keyInfo;
- while (treeRoot->getParent())
- treeRoot = treeRoot->getParent();
- }
- keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
- if (!keyInfo) {
- log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo");
- continue;
- }
- if (resolveCerts(keyInfo))
- return true;
- }
- return false;
- }
log.debug("resolved %d certificate(s)", m_xseccerts.size());
return !m_xseccerts.empty();
}
-bool InlineCredential::resolveCRL(const KeyInfo* keyInfo)
+bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo)
{
Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER);
log.debug("resolving ds:X509CRL");
auto_ptr<XSECCryptoX509CRL> crl(XMLToolingConfig::getConfig().X509CRL());
crl->loadX509CRLBase64Bin(x.get(), strlen(x.get()));
- m_crl = crl.release();
- return true;
+ m_crls.push_back(crl.release());
}
}
catch(XSECException& e) {
auto_ptr_char temp(e.getMsg());
- log.error("caught XML-Security exception loading certificate: %s", temp.get());
+ log.error("caught XML-Security exception loading CRL: %s", temp.get());
}
catch(XSECCryptoException& e) {
- log.error("caught XML-Security exception loading certificate: %s", e.getMsg());
+ log.error("caught XML-Security exception loading CRL: %s", e.getMsg());
}
}
}
- // Check for RetrievalMethod.
- const XMLCh* fragID=NULL;
- const XMLObject* treeRoot=NULL;
- const vector<RetrievalMethod*> methods=keyInfo->getRetrievalMethods();
- for (vector<RetrievalMethod*>::const_iterator m=methods.begin(); m!=methods.end(); ++m) {
- if (!XMLString::equals((*m)->getType(),RetrievalMethod::TYPE_X509DATA))
- continue;
- fragID = (*m)->getURI();
- if (!fragID || *fragID != chPound || !*(fragID+1)) {
- log.warn("skipping ds:RetrievalMethod with an empty or non-local reference");
- continue;
- }
- if (!treeRoot) {
- treeRoot = keyInfo;
- while (treeRoot->getParent())
- treeRoot = treeRoot->getParent();
- }
- keyInfo = dynamic_cast<const KeyInfo*>(XMLHelper::getXMLObjectById(*treeRoot, fragID+1));
- if (!keyInfo) {
- log.warn("skipping ds:RetrievalMethod, local reference did not resolve to a ds:KeyInfo");
- continue;
- }
- if (resolveCRL(keyInfo))
- return true;
- }
-
- return false;
+ log.debug("resolved %d CRL(s)", m_crls.size());
+ return !m_crls.empty();
}
void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types)
if (types & X509Credential::RESOLVE_CRLS) {
for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
- auto_ptr_char buf(static_cast<DSIGKeyInfoX509*>(keyInfo->item(i))->getX509CRL());
- if (buf.get()) {
- try {
- auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
- crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
- m_crl = crlobj.release();
- break;
- }
- catch(XSECException& e) {
- auto_ptr_char temp(e.getMsg());
- Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
+#ifdef XMLTOOLING_XMLSEC_MULTIPLECRL
+ DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
+ int count = x509->getX509CRLListSize();
+ for (int j=0; j<count; ++j) {
+ auto_ptr_char buf(x509->getX509CRLItem(j));
+ if (buf.get()) {
+ try {
+ auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
+ crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
+ m_crls.push_back(crlobj.release());
+ }
+ catch(XSECException& e) {
+ auto_ptr_char temp(e.getMsg());
+ Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
+ }
+ catch(XSECCryptoException& e) {
+ Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
+ }
}
- catch(XSECCryptoException& e) {
- Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
+ }
+#else
+ // The current xmlsec API is limited to one CRL per KeyInfo.
+ // For now, I'm going to process the DOM directly.
+ DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
+ DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : NULL;
+ while (crlElement) {
+ if (crlElement->hasChildNodes()) {
+ auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue());
+ if (buf.get()) {
+ try {
+ auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
+ crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
+ m_crls.push_back(crlobj.release());
+ }
+ catch(XSECException& e) {
+ auto_ptr_char temp(e.getMsg());
+ Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
+ }
+ catch(XSECCryptoException& e) {
+ Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
+ }
+ }
}
+ crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME);
}
+#endif
}
}
}
- Signature::extractNames(keyInfo, m_keyNames);
+ char* kn;
+ const XMLCh* n;
+
+ for (size_t s=0; s<keyInfo->getSize(); s++) {
+ DSIGKeyInfo* dki = keyInfo->item(s);
+ n=dki->getKeyName();
+ if (n && *n) {
+ kn=toUTF8(n);
+ m_keyNames.insert(kn);
+ if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509)
+ m_subjectName = kn;
+ delete[] kn;
+ }
+
+ if (dki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
+ DSIGKeyInfoX509* kix = static_cast<DSIGKeyInfoX509*>(dki);
+ n = kix->getX509IssuerName();
+ if (n && *n) {
+ kn=toUTF8(n);
+ m_issuerName = kn;
+ delete[] kn;
+ }
+ n = kix->getX509IssuerSerialNumber();
+ if (n && *n) {
+ auto_ptr_char sn(n);
+ m_serial = sn.get();
+ }
+ }
+ }
}