From: Scott Cantor Date: Tue, 31 Aug 2010 17:02:12 +0000 (+0000) Subject: Add max key size check. X-Git-Tag: 1.4RC1~41 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-xmltooling.git;a=commitdiff_plain;h=4e4fa4bfa35180f9bcb18a431000cc54f4583117 Add max key size check. --- diff --git a/xmltooling/security/CredentialCriteria.h b/xmltooling/security/CredentialCriteria.h index c7b711d..f163985 100644 --- a/xmltooling/security/CredentialCriteria.h +++ b/xmltooling/security/CredentialCriteria.h @@ -102,12 +102,13 @@ namespace xmltooling { /** * Set the key algorithm criteria. * - * @param keyAlgorithm The key algorithm to set + * @param keyAlgorithm the key algorithm to set */ void setKeyAlgorithm(const char* keyAlgorithm); /** * Get the key size criteria. + *

If a a maximum size is also set, this is treated as a minimum. * * @return the key size, or 0 */ @@ -115,11 +116,26 @@ namespace xmltooling { /** * Set the key size criteria. + *

If a a maximum size is also set, this is treated as a minimum. * - * @param keySize Key size to set + * @param keySize key size to set */ void setKeySize(unsigned int keySize); - + + /** + * Get the maximum key size criteria. + * + * @return the maximum key size, or 0 + */ + unsigned int getMaxKeySize() const; + + /** + * Set the maximum key size criteria. + * + * @param keySize maximum key size to set + */ + void setMaxKeySize(unsigned int keySize); + /** * Set the key algorithm and size criteria based on an XML algorithm specifier. * @@ -207,7 +223,7 @@ namespace xmltooling { private: unsigned int m_keyUsage; - unsigned int m_keySize; + unsigned int m_keySize,m_maxKeySize; std::string m_peerName,m_keyAlgorithm; std::set m_keyNames; XSECCryptoKey* m_key; diff --git a/xmltooling/security/impl/CredentialCriteria.cpp b/xmltooling/security/impl/CredentialCriteria.cpp index 8003bc5..b52e4d3 100644 --- a/xmltooling/security/impl/CredentialCriteria.cpp +++ b/xmltooling/security/impl/CredentialCriteria.cpp @@ -42,7 +42,7 @@ using namespace xmltooling; using namespace std; CredentialCriteria::CredentialCriteria() - : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(nullptr), + : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_maxKeySize(0), m_key(nullptr), m_keyInfo(nullptr), m_nativeKeyInfo(nullptr), m_credential(nullptr) { } @@ -96,6 +96,16 @@ void CredentialCriteria::setKeySize(unsigned int keySize) m_keySize = keySize; } +unsigned int CredentialCriteria::getMaxKeySize() const +{ + return m_maxKeySize; +} + +void CredentialCriteria::setMaxKeySize(unsigned int keySize) +{ + m_maxKeySize = keySize; +} + void CredentialCriteria::setXMLAlgorithm(const XMLCh* algorithm) { if (algorithm) { @@ -218,10 +228,21 @@ bool CredentialCriteria::matches(const Credential& credential) const } // KeySize check, if specified and we have one. - if (credential.getKeySize()>0 && getKeySize()>0 && credential.getKeySize() != getKeySize()) { - if (log.isDebugEnabled()) - log.debug("key size didn't match (%u != %u)", getKeySize(), credential.getKeySize()); - return false; + if (credential.getKeySize() > 0) { + if (m_keySize > 0 && m_maxKeySize == 0) { + if (credential.getKeySize() != m_keySize) { + log.debug("key size (%u) didn't match (%u)", credential.getKeySize(), m_keySize); + return false; + } + } + else if (m_keySize > 0 && credential.getKeySize() < m_keySize) { + log.debug("key size (%u) smaller than minimum (%u)", credential.getKeySize(), m_keySize); + return false; + } + else if (m_maxKeySize > 0 && credential.getKeySize() > m_maxKeySize) { + log.debug("key size (%u) larger than maximum (%u)", credential.getKeySize(), m_maxKeySize); + return false; + } } // See if we can test key names.