Add code paths for new xmlsec APIs, and allow for undetermined signature algorithm.

diff --git a/config_win32.h b/config_win32.h
index f006cf4..924ccd5 100644 (file)
--- a/config_win32.h
+++ b/config_win32.h
@@ -117,6 +117,14 @@
 /* Define if you wish to disable Xalan-dependent features. */
 #define XSEC_NO_XALAN
 
+#ifndef XMLTOOLING_NO_XMLSEC
+# include <xsec/framework/XSECDefs.hpp>
+# if (_XSEC_VERSION_FULL >= 10600)
+#  define XMLTOOLING_XMLSEC_MULTIPLECRL 1
+#  define XMLTOOLING_XMLSEC_SIGALGORITHM 1
+# endif
+#endif
+
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */
 

diff --git a/configure.ac b/configure.ac
index 92ea9ff..3c47dde 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -291,6 +291,20 @@ int i = 0;
             [AC_MSG_ERROR([unable to link with XML-Security])])
     AC_CHECK_TYPE([xsecsize_t],[AC_DEFINE([HAVE_XSECSIZE_T], [1], [Define to 1 if you have the 'xsecsize_t' type.])])
 
+    AC_MSG_CHECKING([whether XML-Security-C has multiple CRL support])
+    AC_TRY_COMPILE([#include <xsec/dsig/DSIGKeyInfoList.hpp>],
+          [DSIGKeyInfoList* klist; klist->getX509CRLListSize();],
+          [AC_MSG_RESULT([yes])]
+          [AC_DEFINE([XMLTOOLING_XMLSEC_MULTIPLECRL], [1], [Define to 1 if XML-Security-C handles multiple CRLs.])],
+          [AC_MSG_RESULT([no])])
+
+    AC_MSG_CHECKING([whether XML-Security-C exposes the signature algorithm URI])
+    AC_TRY_COMPILE([#include <xsec/dsig/DSIGSignature.hpp>],
+          [DSIGSignature* sig; sig->getAlgorithmURI();],
+          [AC_MSG_RESULT([yes])]
+          [AC_DEFINE([XMLTOOLING_XMLSEC_SIGALGORITHM], [1], [Define to 1 if XML-Security-C exposes the signature algorithm URI.])],
+          [AC_MSG_RESULT([no])])
+
        # restore master libs
        LIBS="$save_LIBS"
 

diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp
index 252539b..589245b 100644 (file)
--- a/xmltooling/security/impl/InlineKeyResolver.cpp
+++ b/xmltooling/security/impl/InlineKeyResolver.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2009 Internet2
+ *  Copyright 2001-2010 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -394,14 +394,33 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types)
     }
 
     if (types & X509Credential::RESOLVE_CRLS) {
-        DOMNode* x509Node;
-        DOMElement* crlElement;
         for (DSIGKeyInfoList::size_type i=0; i<sz; ++i) {
             if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {
+#ifdef XMLTOOLING_XMLSEC_MULTIPLECRL
+                DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));
+                int count = x509->getX509CRLListSize();
+                for (int j=0; j<count; ++j) {
+                    auto_ptr_char buf(x509->getX509CRLItem(j));
+                    if (buf.get()) {
+                        try {
+                            auto_ptr<XSECCryptoX509CRL> crlobj(XMLToolingConfig::getConfig().X509CRL());
+                            crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get()));
+                            m_crls.push_back(crlobj.release());
+                        }
+                        catch(XSECException& e) {
+                            auto_ptr_char temp(e.getMsg());
+                            Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get());
+                        }
+                        catch(XSECCryptoException& e) {
+                            Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg());
+                        }
+                    }
+                }
+#else
                 // The current xmlsec API is limited to one CRL per KeyInfo.
                 // For now, I'm going to process the DOM directly.
-                x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
-                crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : NULL;
+                DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode();
+                DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : NULL;
                 while (crlElement) {
                     if (crlElement->hasChildNodes()) {
                         auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue());
@@ -422,6 +441,7 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types)
                     }
                     crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME);
                 }
+#endif
             }
         }
     }

diff --git a/xmltooling/signature/Signature.h b/xmltooling/signature/Signature.h
index 007f78b..cfadb9c 100644 (file)
--- a/xmltooling/signature/Signature.h
+++ b/xmltooling/signature/Signature.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2009 Internet2
+ *  Copyright 2001-2010 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -61,7 +61,7 @@ namespace xmlsignature {
         /**
          * Gets the signing algorithm for the signature.
          * 
-         * @return    the signature algorithm
+         * @return    the signature algorithm, or NULL if indeterminate
          */
         virtual const XMLCh* getSignatureAlgorithm() const=0;
 

diff --git a/xmltooling/signature/impl/XMLSecSignatureImpl.cpp b/xmltooling/signature/impl/XMLSecSignatureImpl.cpp
index 7bce903..dec07c1 100644 (file)
--- a/xmltooling/signature/impl/XMLSecSignatureImpl.cpp
+++ b/xmltooling/signature/impl/XMLSecSignatureImpl.cpp
@@ -91,12 +91,15 @@ namespace xmlsignature {
         }
         const XMLCh* getSignatureAlgorithm() const {
             if (!m_sm && m_signature) {
+#ifdef XMLTOOLING_XMLSEC_SIGALGORITHM
+                m_sm = XMLString::replicate(m_signature->getAlgorithmURI());
+#else
                 safeBuffer sURI;
-                if (signatureHashMethod2URI(sURI, m_signature->getSignatureMethod(), m_signature->getHashMethod()) == false)
-                    return NULL;
-                m_sm = XMLString::replicate(sURI.sbStrToXMLCh());
+                if (signatureHashMethod2URI(sURI, m_signature->getSignatureMethod(), m_signature->getHashMethod()))
+                    m_sm = XMLString::replicate(sURI.sbStrToXMLCh());
+#endif
             }
-            return m_sm ? m_sm : DSIGConstants::s_unicodeStrURIRSA_SHA1;
+            return m_sm;
         }
 
         KeyInfo* getKeyInfo() const { return m_keyInfo; }
@@ -276,7 +279,10 @@ DOMElement* XMLSecSignatureImpl::marshall(DOMDocument* document, const vector<Si
         }
         DSIGSignature* temp=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newSignature();
         temp->setDSIGNSPrefix(XMLSIG_PREFIX);
-        cachedDOM=temp->createBlankSignature(document, getCanonicalizationMethod(), getSignatureAlgorithm());
+        const XMLCh* alg = getSignatureAlgorithm();
+        if (!alg)
+            alg = DSIGConstants::s_unicodeStrURIRSA_SHA1;
+        cachedDOM=temp->createBlankSignature(document, getCanonicalizationMethod(), alg);
         m_signature = temp;
     }
     else {
@@ -373,7 +379,10 @@ DOMElement* XMLSecSignatureImpl::marshall(DOMElement* parentElement, const vecto
         log.debug("creating empty Signature element");
         DSIGSignature* temp=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newSignature();
         temp->setDSIGNSPrefix(XMLSIG_PREFIX);
-        cachedDOM=temp->createBlankSignature(parentElement->getOwnerDocument(), getCanonicalizationMethod(), getSignatureAlgorithm());
+        const XMLCh* alg = getSignatureAlgorithm();
+        if (!alg)
+            alg = DSIGConstants::s_unicodeStrURIRSA_SHA1;
+        cachedDOM=temp->createBlankSignature(parentElement->getOwnerDocument(), getCanonicalizationMethod(), alg);
         m_signature = temp;
     }
     else {

diff --git a/xmltoolingtest/InlineKeyResolverTest.h b/xmltoolingtest/InlineKeyResolverTest.h
index cc13252..1ecaaaa 100644 (file)
--- a/xmltoolingtest/InlineKeyResolverTest.h
+++ b/xmltoolingtest/InlineKeyResolverTest.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2009 Internet2
+ *  Copyright 2001-2010 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -58,6 +58,6 @@ public:
         TSM_ASSERT("Unable to resolve public key.", cred->getPublicKey()!=NULL);
         TSM_ASSERT_EQUALS("Unexpected key type.", cred->getPublicKey()->getKeyType(), XSECCryptoKey::KEY_RSA_PUBLIC);
         TSM_ASSERT_EQUALS("Wrong certificate count.", cred->getEntityCertificateChain().size(), 1);
-        TSM_ASSERT("Unable to resolve CRL.", cred->getCRL()!=NULL);
+        TSM_ASSERT_EQUALS("Wrong CRL count.", cred->getCRLs().size(), 3);
     }
 };

diff --git a/xmltoolingtest/KeyInfoTest.h b/xmltoolingtest/KeyInfoTest.h
index 609d167..b38790f 100644 (file)
--- a/xmltoolingtest/KeyInfoTest.h
+++ b/xmltoolingtest/KeyInfoTest.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2010 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -46,7 +46,7 @@ public:
         auto_ptr<KeyInfo> kiObject(dynamic_cast<KeyInfo*>(b->buildFromDocument(doc)));
         TS_ASSERT(kiObject.get()!=NULL);
         TSM_ASSERT_EQUALS("Number of child elements was not expected value",
-            3, kiObject->getOrderedChildren().size());
+            4, kiObject->getOrderedChildren().size());
         TSM_ASSERT_EQUALS("Number of child elements was not expected value",
             1, kiObject->getKeyValues().size());
         TSM_ASSERT_EQUALS("Number of child elements was not expected value",

diff --git a/xmltoolingtest/data/KeyInfo1.xml b/xmltoolingtest/data/KeyInfo1.xml
index e31ab73..f43192f 100644 (file)
--- a/xmltoolingtest/data/KeyInfo1.xml
+++ b/xmltoolingtest/data/KeyInfo1.xml
@@ -20,4 +20,29 @@
             /50cy2EUSe6YtzA8pGXzSP67YC/3U0D8U4A=
         </ds:X509CRL>
     </ds:X509Data>
+    <ds:X509Data>
+        <ds:X509CRL>
+            MIICKjCCARICAQEwDQYJKoZIhvcNAQEFBQAwdzELMAkGA1UEBhMCQ0gxQDA+BgNVBAoTN1N3aXRj
+            aCAtIFRlbGVpbmZvcm1hdGlrZGllbnN0ZSBmdWVyIExlaHJlIHVuZCBGb3JzY2h1bmcxJjAkBgNV
+            BAMTHVNXSVRDSGFhaSBNZXRhZGF0YSBTaWduaW5nIENBFw0wODA5MDIwNDAwMDdaFw0wODA5MjMw
+            NDAwMDdaMDYwNAIVSWITCHaaiMetadataSignerTest0Fw0wODA1MjcwODE3NTlaMAwwCgYDVR0V
+            BAMKAQSgLzAtMB8GA1UdIwQYMBaAFG6idTQyfos1XdiTIq2IvM82okZmMAoGA1UdFAQDAgFCMA0G
+            CSqGSIb3DQEBBQUAA4IBAQCJfSE0x/Gu6zjEfEviR+s568qgRwHLmgTigz3iY0GNfgNTOFttZM0+
+            3AjApSI2FGQHm4K+69MLJNfiH/drNMMnAjY1F2Y8YNkujeyamWBL0HljH8z7lH0uWePFbXje5JTg
+            sCyGARWq46Ted7kekgUdSwNIzreMlLrcdSiEcPw4cTPrMLMj4FbiJVcjn8O1mkBhJOvQTF0Em9Qn
+            g3AeJVx9QzfJTK5B8qZRF7eJDxe+lHsC8UU7HHT0p4cgrBiiBJi+kypFMZepmJi0OJ6fkEHCbAhI
+            IEjDrLGetw0Bq0otJHwueaKcqL2/J2krrsDWUniRyw6X6CK/YtFrAf8RJ9GK
+        </ds:X509CRL>
+        <ds:X509CRL>
+            MIIB5TCBzgIBATANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJDSDFAMD4GA1UEChM3U3dpdGNo
+            IC0gVGVsZWluZm9ybWF0aWtkaWVuc3RlIGZ1ZXIgTGVocmUgdW5kIEZvcnNjaHVuZzEaMBgGA1UE
+            AxMRU1dJVENIYWFpIFJvb3QgQ0EXDTA4MDUxNTA2MzA1NVoXDTA5MTExNDA2MzA1NVqgLzAtMB8G
+            A1UdIwQYMBaAFOma4gZY6w/XgQNdXJe5sbWTfTuEMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA
+            A4IBAQCjTKxJjysq8pl799mPu+m/90hKGZ+nu3YBR8yStYFVm/7WvDW62c2OalRlFipcA/cU4lpU
+            cbb1698/XHLfVX4UiZ6+90rQPRtM3VG0fB8Dz/perhCjvjGLB7PWVI/1KKg+b4VFLDqoU/WMbR3O
+            FF6tK+Gfvk3xFhSgaUIpJXVwgJWGYEXbfr6hHaIJ0VjKxvLGUcpRrfsVPNVZVNfYfaHvH2BsdWhq
+            vDMyK3mhySRlYQX0dvi7majHpwzUPQcyr1a5c+hl50Lo0TJ7pIgZn1kc0oj1bxZHt6dGUQz9mhxU
+            M9ZChStEJ32+ghr/sK/2DA3nkIcCZ/Ou4btRgsG1F8yG
+        </ds:X509CRL>
+    </ds:X509Data>
 </ds:KeyInfo>