From: Scott Cantor Date: Thu, 19 Apr 2007 22:01:27 +0000 (+0000) Subject: Multi-line svn commit, see body. X-Git-Tag: 1.0-alpha1~67 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-xmltooling.git;a=commitdiff_plain;h=10f9e25bb2f29ec48303b02352166754157100e5 Multi-line svn commit, see body. Simplify turning creds into KeyInfo for shared objects. Add a function to derive key transport from data encryption algorithm. --- diff --git a/xmltooling/encryption/Encrypter.h b/xmltooling/encryption/Encrypter.h index 3495904..c0f5463 100644 --- a/xmltooling/encryption/Encrypter.h +++ b/xmltooling/encryption/Encrypter.h @@ -51,7 +51,10 @@ namespace xmlencryption { * Summing up, if KeyEncryptionParams are used, a raw key must be available or the * key can be generated when the encryption algorithm itself is a standard one. If * no KeyEncryptionParams are supplied, then the key must be supplied either in raw - * or object form. + * or object form. + * + * Finally, when encrypting data, the key transport algorithm can be left blank to + * derive it from the data encryption algorithm. */ class XMLTOOL_API Encrypter { @@ -104,12 +107,12 @@ namespace xmlencryption { * Constructor. * * @param credential a Credential supplying the key encryption key - * @param algorithm the XML Encryption key wrapping or transport algorithm constant + * @param algorithm XML Encryption key wrapping or transport algorithm constant * @param recipient optional name of recipient of encrypted key */ KeyEncryptionParams( const xmltooling::Credential& credential, - const XMLCh* algorithm, + const XMLCh* algorithm=NULL, const XMLCh* recipient=NULL ) : m_credential(credential), m_algorithm(algorithm), m_recipient(recipient) { } @@ -195,6 +198,19 @@ namespace xmlencryption { const unsigned char* keyBuffer, unsigned int keyBufferSize, KeyEncryptionParams& kencParams, bool compact=false ); + /** + * Maps a data encryption algorithm to an appropriate key transport algorithm to use. + * + * @param algorithm data encryption algorithm + * @return a key transport algorithm + */ + static const XMLCh* getKeyTransportAlgorithm(const XMLCh* algorithm) { + if (xercesc::XMLString::equals(algorithm,DSIGConstants::s_unicodeStrURI3DES_CBC)) + return DSIGConstants::s_unicodeStrURIRSA_1_5; + else + return DSIGConstants::s_unicodeStrURIRSA_OAEP_MGFP1; + } + private: void checkParams(EncryptionParams& encParams, KeyEncryptionParams* kencParams); EncryptedData* decorateAndUnmarshall(EncryptionParams& encParams, KeyEncryptionParams* kencParams); diff --git a/xmltooling/encryption/impl/Encrypter.cpp b/xmltooling/encryption/impl/Encrypter.cpp index 45e9e07..b3dfb93 100644 --- a/xmltooling/encryption/impl/Encrypter.cpp +++ b/xmltooling/encryption/impl/Encrypter.cpp @@ -186,15 +186,17 @@ EncryptedData* Encrypter::decorateAndUnmarshall(EncryptionParams& encParams, Key xmlEncData->releaseThisAndChildrenDOM(); // KeyInfo? - const KeyInfo* kinfo = encParams.m_credential ? encParams.m_credential->getKeyInfo(encParams.m_compact) : NULL; + KeyInfo* kinfo = encParams.m_credential ? encParams.m_credential->getKeyInfo(encParams.m_compact) : NULL; if (kinfo) - xmlEncData->setKeyInfo(kinfo->cloneKeyInfo()); + xmlEncData->setKeyInfo(kinfo); // Are we doing a key encryption? if (kencParams) { XSECCryptoKey* kek = kencParams->m_credential.getPublicKey(); if (!kek) throw EncryptionException("Credential in KeyEncryptionParams structure did not supply a public key."); + if (!kencParams->m_algorithm) + kencParams->m_algorithm = getKeyTransportAlgorithm(encParams.m_algorithm); m_cipher->setKEK(kek->clone()); // ownership of this belongs to us, for some reason... @@ -215,7 +217,7 @@ EncryptedData* Encrypter::decorateAndUnmarshall(EncryptionParams& encParams, Key // KeyInfo? kinfo = kencParams->m_credential.getKeyInfo(encParams.m_compact); if (kinfo) - xmlEncKey->setKeyInfo(kinfo->cloneKeyInfo()); + xmlEncKey->setKeyInfo(kinfo); // Add the EncryptedKey inline. if (!xmlEncData->getKeyInfo()) @@ -262,9 +264,9 @@ EncryptedKey* Encrypter::encryptKey(const unsigned char* keyBuffer, unsigned int xmlEncKey->setRecipient(kencParams.m_recipient); // KeyInfo? - const KeyInfo* kinfo = kencParams.m_credential.getKeyInfo(compact); + KeyInfo* kinfo = kencParams.m_credential.getKeyInfo(compact); if (kinfo) - xmlEncKey->setKeyInfo(kinfo->cloneKeyInfo()); + xmlEncKey->setKeyInfo(kinfo); xmlObjectKey.release(); return xmlEncKey; diff --git a/xmltooling/security/BasicX509Credential.h b/xmltooling/security/BasicX509Credential.h index 6435655..b6accbe 100644 --- a/xmltooling/security/BasicX509Credential.h +++ b/xmltooling/security/BasicX509Credential.h @@ -24,13 +24,10 @@ #define __xmltooling_basicx509cred_h__ #include +#include #include -namespace xmlsignature { - class XMLTOOL_API KeyInfo; -}; - namespace xmltooling { /** @@ -166,8 +163,10 @@ namespace xmltooling { return m_keyNames; } - const xmlsignature::KeyInfo* getKeyInfo(bool compact=false) const { - return compact ? m_compactKeyInfo : (m_keyInfo ? m_keyInfo : m_compactKeyInfo); + xmlsignature::KeyInfo* getKeyInfo(bool compact=false) const { + if (compact || !m_keyInfo) + return m_compactKeyInfo ? m_compactKeyInfo->cloneKeyInfo() : NULL; + return m_keyInfo->cloneKeyInfo(); } const std::vector& getEntityCertificateChain() const { diff --git a/xmltooling/security/Credential.h b/xmltooling/security/Credential.h index 3b3362c..85c6505 100644 --- a/xmltooling/security/Credential.h +++ b/xmltooling/security/Credential.h @@ -101,9 +101,9 @@ namespace xmltooling { * communicating with other entities. * * @param compact true iff the communication medium is such that only compact forms should be included - * @return reference to a KeyInfo object + * @return a KeyInfo object, which must be freed by the caller */ - virtual const xmlsignature::KeyInfo* getKeyInfo(bool compact=false) const=0; + virtual xmlsignature::KeyInfo* getKeyInfo(bool compact=false) const=0; /** * Get the credential context information, which provides additional information diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp index 122aff3..c198b93 100644 --- a/xmltooling/security/impl/InlineKeyResolver.cpp +++ b/xmltooling/security/impl/InlineKeyResolver.cpp @@ -65,8 +65,21 @@ namespace xmltooling { return NULL; } - const KeyInfo* getKeyInfo(bool compact=false) const { - return m_credctx->getKeyInfo(); + KeyInfo* getKeyInfo(bool compact=false) const { + KeyInfo* ret = m_credctx->getKeyInfo() ? m_credctx->getKeyInfo()->cloneKeyInfo() : NULL; + if (ret && compact) { + ret->getKeyValues().clear(); + ret->getSPKIDatas().clear(); + ret->getPGPDatas().clear(); + ret->getUnknownXMLObjects().clear(); + const vector x509Datas=const_cast(ret)->getX509Datas(); + for (vector::const_iterator x=x509Datas.begin(); x!=x509Datas.end(); ++x) { + (*x)->getX509Certificates().clear(); + (*x)->getX509CRLs().clear(); + (*x)->getUnknownXMLObjects().clear(); + } + } + return ret; } const CredentialContext* getCredentialContext() const { diff --git a/xmltooling/signature/impl/XMLSecSignatureImpl.cpp b/xmltooling/signature/impl/XMLSecSignatureImpl.cpp index 388ceb0..e3aaaac 100644 --- a/xmltooling/signature/impl/XMLSecSignatureImpl.cpp +++ b/xmltooling/signature/impl/XMLSecSignatureImpl.cpp @@ -306,9 +306,7 @@ DOMElement* XMLSecSignatureImpl::marshall(DOMDocument* document, const vectorgetKeyInfo(); - if (fromcred) - m_keyInfo = fromcred->cloneKeyInfo(); + m_keyInfo = credential->getKeyInfo(); } if (m_keyInfo && (!m_signature->getKeyInfoList() || m_signature->getKeyInfoList()->isEmpty())) { m_keyInfo->marshall(cachedDOM); @@ -391,9 +389,7 @@ DOMElement* XMLSecSignatureImpl::marshall(DOMElement* parentElement, const vecto if (credential) { delete m_keyInfo; m_keyInfo = NULL; - const KeyInfo* fromcred = credential->getKeyInfo(); - if (fromcred) - m_keyInfo = fromcred->cloneKeyInfo(); + m_keyInfo = credential->getKeyInfo(); } if (m_keyInfo && (!m_signature->getKeyInfoList() || m_signature->getKeyInfoList()->isEmpty())) { m_keyInfo->marshall(cachedDOM); diff --git a/xmltoolingtest/EncryptionTest.h b/xmltoolingtest/EncryptionTest.h index f3de66a..3d6c79a 100644 --- a/xmltoolingtest/EncryptionTest.h +++ b/xmltoolingtest/EncryptionTest.h @@ -40,9 +40,11 @@ public: m_resolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin( FILESYSTEM_CREDENTIAL_RESOLVER,doc->getDocumentElement() ); + XMLObjectBuilder::registerDefaultBuilder(new UnknownElementBuilder()); } void tearDown() { + XMLObjectBuilder::deregisterDefaultBuilder(); delete m_resolver; } @@ -61,7 +63,7 @@ public: Encrypter encrypter; Encrypter::EncryptionParams ep; - Encrypter::KeyEncryptionParams kep(*cred,DSIGConstants::s_unicodeStrURIRSA_1_5); + Encrypter::KeyEncryptionParams kep(*cred); auto_ptr encData(encrypter.encryptElement(doc->getDocumentElement(),ep,&kep)); string buf;