X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-xmltooling.git;a=blobdiff_plain;f=xmltooling%2Fsecurity%2Fimpl%2FCredential.cpp;h=024e8bd280fb08caa5b995a6fdb329029f440c5a;hp=2656f8d2ccb8e12df14347fd77f2ceeb487c435e;hb=d96a01ce4d9648bb3186f74d43610b6f12d49758;hpb=5a4c9204dc299319e9ca7c18f44918a82892045a
diff --git a/xmltooling/security/impl/Credential.cpp b/xmltooling/security/impl/Credential.cpp
index 2656f8d..024e8bd 100644
--- a/xmltooling/security/impl/Credential.cpp
+++ b/xmltooling/security/impl/Credential.cpp
@@ -22,6 +22,8 @@
 #include "internal.h"
 #include "security/Credential.h"
+#include "security/CredentialCriteria.h"
+#include "security/KeyInfoResolver.h"
 #include
 #include
@@ -30,33 +32,65 @@
 #include
 using namespace xmltooling;
+using namespace std;
-bool Credential::isEqual(XSECCryptoKey& key) const
+bool Credential::matches(const CredentialCriteria& criteria) const
 {
- XSECCryptoKey* key2 = getPublicKey();
- if (!key2) {
- log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Credential").warn("no public key in credential for comparison");
+ // Algorithm check, if specified and we have one.
+ const char* alg = criteria.getKeyAlgorithm();
+ if (alg && *alg) {
+ const char* alg2 = getAlgorithm();
+ if (alg2 && *alg2)
+ if (strcmp(alg,alg2))
+ return false;
+ }
+
+ // KeySize check, if specified and we have one.
+ if (criteria.getKeySize()>0 && getKeySize()>0 && criteria.getKeySize() != getKeySize())
 return false;
+
+ // See if we can test key names.
+ const set& critnames = criteria.getKeyNames();
+ const set& crednames = getKeyNames();
+ if (!critnames.empty() && !crednames.empty()) {
+ bool found = false;
+ for (set::const_iterator n = critnames.begin(); n!=critnames.end(); ++n) {
+ if (crednames.count(*n)>0) {
+ found = true;
+ break;
+ }
+ }
+ if (!found)
+ return false;
 }
- if (key.getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL ||
+ // See if we have to match a specific key.
+ XSECCryptoKey* key1 = criteria.getPublicKey();
+ if (!key1)
+ return true; // no key to compare against, so we're done
+
+ XSECCryptoKey* key2 = getPublicKey();
+ if (!key2)
+ return false; // no key here, so we can't possibly match the criteria
+
+ if (key1->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL ||
 key2->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
- log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Credential").warn("non-OpenSSL credentials are not supported.");
+ log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Credential").warn("comparison of non-OpenSSL credentials are not supported");
 return false;
 }
- if (key.getKeyType()==XSECCryptoKey::KEY_RSA_PUBLIC || key.getKeyType()==XSECCryptoKey::KEY_RSA_PAIR) {
- if (key2->getKeyType()!=XSECCryptoKey::KEY_RSA_PUBLIC && key2->getKeyType()==XSECCryptoKey::KEY_RSA_PAIR)
+ if (key1->getKeyType()==XSECCryptoKey::KEY_RSA_PUBLIC || key1->getKeyType()==XSECCryptoKey::KEY_RSA_PAIR) {
+ if (key2->getKeyType()!=XSECCryptoKey::KEY_RSA_PUBLIC && key2->getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
 return false;
- RSA* rsa1 = static_cast(&key)->getOpenSSLRSA();
+ RSA* rsa1 = static_cast(key1)->getOpenSSLRSA();
 RSA* rsa2 = static_cast(key2)->getOpenSSLRSA();
 return (BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
 }
- if (key.getKeyType()==XSECCryptoKey::KEY_DSA_PUBLIC || key.getKeyType()==XSECCryptoKey::KEY_DSA_PAIR) {
- if (key2->getKeyType()!=XSECCryptoKey::KEY_DSA_PUBLIC && key2->getKeyType()==XSECCryptoKey::KEY_DSA_PAIR)
+ if (key1->getKeyType()==XSECCryptoKey::KEY_DSA_PUBLIC || key1->getKeyType()==XSECCryptoKey::KEY_DSA_PAIR) {
+ if (key2->getKeyType()!=XSECCryptoKey::KEY_DSA_PUBLIC && key2->getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
 return false;
- DSA* dsa1 = static_cast(&key)->getOpenSSLDSA();
+ DSA* dsa1 = static_cast(key1)->getOpenSSLDSA();
 DSA* dsa2 = static_cast(key2)->getOpenSSLDSA();
 return (BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
 }
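Review bot: The DSA branch at the end of the hunk still compares only `pub_key`, so two credentials whose DSA public values coincide but whose domain parameters differ would be reported as the same key; include the parameters in the comparison, `return (BN_cmp(dsa1->p,dsa2->p) == 0 && BN_cmp(dsa1->q,dsa2->q) == 0 && BN_cmp(dsa1->g,dsa2->g) == 0 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);`. The new warning text `"comparison of non-OpenSSL credentials are not supported"` should read `"comparison of non-OpenSSL credentials is not supported"`. The key-name check only runs when both sides carry names, so criteria that name a key are satisfied by a credential with no names at all; if that is the intended semantics, a comment such as `// Names are only decisive when both sides supply them; a nameless credential is not rejected.` on the `if (!critnames.empty() && !crednames.empty())` line would spare the next reader the question. The function's closing brace, and whatever is returned when key1 is neither RSA nor DSA, lie outside the hunk.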