From: Scott Cantor Date: Mon, 21 Aug 2006 20:41:21 +0000 (+0000) Subject: X509CRL wrappers (gap in XML-Sec at the moment) X-Git-Tag: 1.0-alpha1~193 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-xmltooling.git;a=commitdiff_plain;h=9bec6bea2cb7234f52d96c91f6225d5aac18192a X509CRL wrappers (gap in XML-Sec at the moment) --- diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am index e8e7d37..bbc738b 100644 --- a/xmltooling/Makefile.am +++ b/xmltooling/Makefile.am @@ -58,7 +58,8 @@ ioinclude_HEADERS = \ secinclude_HEADERS = \ security/TrustEngine.h \ - security/X509TrustEngine.h + security/X509TrustEngine.h \ + security/XSECCryptoX509CRL.h siginclude_HEADERS = \ signature/CachingKeyResolver.h \ @@ -84,7 +85,8 @@ valinclude_HEADERS = \ validation/ValidatorSuite.h noinst_HEADERS = \ - internal.h + internal.h \ + security/impl/OpenSSLCryptoX509CRL.h if BUILD_XMLSEC xmlsec_sources = \ @@ -92,6 +94,8 @@ xmlsec_sources = \ encryption/impl/Encrypter.cpp \ security/impl/TrustEngine.cpp \ security/impl/ExplicitKeyTrustEngine.cpp \ + security/impl/XSECCryptoX509CRL.cpp \ + security/impl/OpenSSLCryptoX509CRL.cpp \ signature/impl/CredentialResolver.cpp \ signature/impl/FilesystemCredentialResolver.cpp \ signature/impl/InlineKeyResolver.cpp \ diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp index e80b136..63bd034 100644 --- a/xmltooling/XMLToolingConfig.cpp +++ b/xmltooling/XMLToolingConfig.cpp @@ -26,6 +26,7 @@ #include "encryption/Encryption.h" #include "impl/UnknownElement.h" #include "security/TrustEngine.h" +#include "security/impl/OpenSSLCryptoX509CRL.h" #include "signature/CredentialResolver.h" #include "util/NDC.h" #include "util/XMLConstants.h" @@ -344,4 +345,9 @@ void xmltooling::log_openssl() code=ERR_get_error_line_data(&file,&line,&data,&flags); } } + +XSECCryptoX509CRL* XMLToolingInternalConfig::X509CRL() const +{ + return new OpenSSLCryptoX509CRL(); +} #endif diff --git a/xmltooling/XMLToolingConfig.h b/xmltooling/XMLToolingConfig.h index 9995cdb..4b5ff2c 100644 --- a/xmltooling/XMLToolingConfig.h +++ b/xmltooling/XMLToolingConfig.h @@ -42,6 +42,7 @@ namespace xmlsignature { namespace xmltooling { class XMLTOOL_API TrustEngine; + class XMLTOOL_API XSECCryptoX509CRL; /** * Singleton object that manages library startup/shutdown.configuration. @@ -127,19 +128,24 @@ namespace xmltooling { #ifndef XMLTOOLING_NO_XMLSEC /** + * Returns an X.509 CRL implementation object. + */ + virtual XSECCryptoX509CRL* X509CRL() const=0; + + /** * Manages factories for KeyResolver plugins. */ - xmltooling::PluginManager KeyResolverManager; + PluginManager KeyResolverManager; /** * Manages factories for CredentialResolver plugins. */ - xmltooling::PluginManager CredentialResolverManager; + PluginManager CredentialResolverManager; /** * Manages factories for TrustEngine plugins. */ - xmltooling::PluginManager TrustEngineManager; + PluginManager TrustEngineManager; #endif protected: diff --git a/xmltooling/internal.h b/xmltooling/internal.h index 1ddd193..f4c51bf 100644 --- a/xmltooling/internal.h +++ b/xmltooling/internal.h @@ -83,6 +83,8 @@ namespace xmltooling { } #ifndef XMLTOOLING_NO_XMLSEC + XSECCryptoX509CRL* X509CRL() const; + XSECProvider* m_xsecProvider; #endif diff --git a/xmltooling/security/XSECCryptoX509CRL.h b/xmltooling/security/XSECCryptoX509CRL.h new file mode 100644 index 0000000..3a06261 --- /dev/null +++ b/xmltooling/security/XSECCryptoX509CRL.h @@ -0,0 +1,79 @@ +/* + * Copyright 2006 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * @file xmltooling/security/XSECCryptoX509CRL.h + * + * Wrapper for X.509 CRL objects, similar to existing XSEC wrappers. + */ + +#if !defined(__xmltooling_x509crl_h__) && !defined(XMLTOOLING_NO_XMLSEC) +#define __xmltooling_x509crl_h__ + +#include +#include + +namespace xmltooling { + /** + * Interface class for X.509 CRLs + * The library uses classes derived from this to process X.509 CRLs. + */ + class XMLTOOL_API XSECCryptoX509CRL { + MAKE_NONCOPYABLE(XSECCryptoX509CRL); + protected: + XSECCryptoX509CRL() {} + public: + virtual ~XSECCryptoX509CRL() {} + + /** + * Returns a string that identifies the crypto owner of this library. + * + * @return the crypto provider name + */ + virtual const XMLCh* getProviderName() const=0; + + /** + * Load a CRL into the object. + * Takes a base64 DER-encoded CRL and loads it. + * + * @param buf buffer containing the Base64 encoded CRL + * @param len number of bytes of data in the CRL buffer + */ + + virtual void loadX509CRLBase64Bin(const char* buf, unsigned int len)=0; + + /** + * Load a PEM encoded CRL into the object. + * + * Takes a PEM encoded CRL and loads it. + * + * @param buf buffer containing the PEM encoded CRL + * @param len number of bytes of data in the CRL buffer (0 if the string is null terminated) + */ + void loadX509CRLPEM(const char* buf, unsigned int len=0); + + /** + * Get a Base64 DER encoded copy of the CRL + * + * @return A safeBuffer containing the DER encoded certificate + */ + virtual safeBuffer& getDEREncodingSB(void)=0; + }; +}; + +#endif /* __xmltooling_x509crl_h__ */ + + diff --git a/xmltooling/security/impl/OpenSSLCryptoX509CRL.cpp b/xmltooling/security/impl/OpenSSLCryptoX509CRL.cpp new file mode 100644 index 0000000..167bbd4 --- /dev/null +++ b/xmltooling/security/impl/OpenSSLCryptoX509CRL.cpp @@ -0,0 +1,112 @@ +/* + * Copyright 2006 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * OpenSSLCryptoX509CRL.cpp + * + * OpenSSL-based class for handling X.509 CRLs + */ + +#include "internal.h" +#include "security/impl/OpenSSLCryptoX509CRL.h" + +#include +#include +#include + +#include + +XSEC_USING_XERCES(ArrayJanitor); +XSEC_USING_XERCES(Janitor); + +using namespace xmltooling; + +OpenSSLCryptoX509CRL::~OpenSSLCryptoX509CRL() +{ + if (mp_X509CRL) + X509_CRL_free(mp_X509CRL); +} + +OpenSSLCryptoX509CRL::OpenSSLCryptoX509CRL(X509_CRL* x) { + + // Build this from an existing X509_CRL structure + + mp_X509CRL = X509_CRL_dup(x); + + // Now need to create the DER encoding + + BIO* b64 = BIO_new(BIO_f_base64()); + BIO* bmem = BIO_new(BIO_s_mem()); + + BIO_set_mem_eof_return(bmem, 0); + b64 = BIO_push(b64, bmem); + + // Translate X509 to Base64 + + i2d_X509_CRL_bio(b64, x); + + BIO_flush(b64); + + char buf[1024]; + unsigned int l; + + m_DERX509CRL.sbStrcpyIn(""); + + while ((l = BIO_read(bmem, buf, 1023)) > 0) { + buf[l] = '\0'; + m_DERX509CRL.sbStrcatIn(buf); + } + + BIO_free_all(b64); +} + +void OpenSSLCryptoX509CRL::loadX509CRLBase64Bin(const char* buf, unsigned int len) { + + // Free anything currently held. + + if (mp_X509CRL) + X509_CRL_free(mp_X509CRL); + + int bufLen = len; + unsigned char* outBuf; + XSECnew(outBuf, unsigned char[len + 1]); + ArrayJanitor j_outBuf(outBuf); + + XSCryptCryptoBase64 *b64; + XSECnew(b64, XSCryptCryptoBase64); + Janitor j_b64(b64); + + b64->decodeInit(); + bufLen = b64->decode((unsigned char *) buf, len, outBuf, len); + bufLen += b64->decodeFinish(&outBuf[bufLen], len-bufLen); + + if (bufLen > 0) { +#if defined(XSEC_OPENSSL_D2IX509_CONST_BUFFER) + mp_X509CRL= d2i_X509_CRL(NULL, (const unsigned char **) (&outBuf), bufLen); +#else + mp_X509CRL= d2i_X509_CRL(NULL, &outBuf, bufLen); +#endif + } + + // Check to see if we have a CRL.... + if (mp_X509CRL == NULL) { + throw XSECCryptoException(XSECCryptoException::X509Error, + "OpenSSL:X509CRL - Error translating Base64 DER encoding into OpenSSL X509 CRL structure"); + } + + m_DERX509CRL.sbStrcpyIn(buf); + +} diff --git a/xmltooling/security/impl/OpenSSLCryptoX509CRL.h b/xmltooling/security/impl/OpenSSLCryptoX509CRL.h new file mode 100644 index 0000000..0216998 --- /dev/null +++ b/xmltooling/security/impl/OpenSSLCryptoX509CRL.h @@ -0,0 +1,59 @@ +/* + * Copyright 2006 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * OpenSSLCryptoX509CRL.h + * + * OpenSSL-based class for handling X.509 CRLs + */ + +#if !defined(__xmltooling_opensslx509crl_h__) && !defined(XMLTOOLING_NO_XMLSEC) +#define __xmltooling_opensslx509crl_h__ + +#include "security/XSECCryptoX509CRL.h" + +#include +#include +#include + +namespace xmltooling { + class XMLTOOL_DLLLOCAL OpenSSLCryptoX509CRL : public XSECCryptoX509CRL { + public: + OpenSSLCryptoX509CRL() : m_DERX509CRL(""), mp_X509CRL(NULL) {} + virtual ~OpenSSLCryptoX509CRL(); + + virtual const XMLCh* getProviderName() const { + return DSIGConstants::s_unicodeStrPROVOpenSSL; + } + virtual void loadX509CRLBase64Bin(const char* buf, unsigned int len); + + virtual safeBuffer& getDEREncodingSB(void) { + return m_DERX509CRL; + } + + OpenSSLCryptoX509CRL(X509_CRL* x); + X509_CRL* getOpenSSLX509CRL(void) { + return mp_X509CRL; + } + + private: + X509_CRL* mp_X509CRL; + safeBuffer m_DERX509CRL; + }; +}; + +#endif /* __xmltooling_opensslx509crl_h__ */ + diff --git a/xmltooling/security/impl/XSECCryptoX509CRL.cpp b/xmltooling/security/impl/XSECCryptoX509CRL.cpp new file mode 100644 index 0000000..0c8eea8 --- /dev/null +++ b/xmltooling/security/impl/XSECCryptoX509CRL.cpp @@ -0,0 +1,86 @@ +/* + * Copyright 2006 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * XSECCryptoX509CRL.cpp + * + * Wrapper for X.509 CRL objects, similar to existing XSEC wrappers. + */ + +#include "internal.h" +#include "security/XSECCryptoX509CRL.h" + +#include +#include + +using namespace xmltooling; + +void XSECCryptoX509CRL::loadX509CRLPEM(const char* buf, unsigned int len) +{ + const char * b; + char * b1 = NULL; + if (len == 0) + b = buf; + else { + XSECnew(b1, char[len+1]); + memcpy(b1, buf, len); + b1[len] = '\0'; + b = b1; + } + + const char *p = strstr(buf, "-----BEGIN X509 CRL-----"); + + if (p == NULL) { + + if (b1 != NULL) + delete[] b1; + + throw XSECCryptoException(XSECCryptoException::X509Error, + "X509CRL::loadX509CRLPEM - Cannot find start of PEM CRL"); + + } + + p += strlen("-----BEGIN X509 CRL-----"); + + while (*p == '\n' || *p == '\r' || *p == '-') + p++; + + safeBuffer output; + int i = 0; + while (*p != '\0' && *p != '-') { + output[i++] = *p; + ++p; + } + + if (strstr(p, "-----END X509 CRL-----") != p) { + + if (b1 != NULL) + delete[] b1; + + throw XSECCryptoException(XSECCryptoException::X509Error, + "X509CRL::loadX509PEMCRL - Cannot find end of PEM certificate"); + + } + + if (b1 != NULL) + delete[] b1; + + output[i] = '\0'; + + this->loadX509CRLBase64Bin(output.rawCharBuffer(), i); + +} + diff --git a/xmltooling/xmltooling.vcproj b/xmltooling/xmltooling.vcproj index f897226..3b14d58 100644 --- a/xmltooling/xmltooling.vcproj +++ b/xmltooling/xmltooling.vcproj @@ -360,9 +360,21 @@ > + + + + + + @@ -598,6 +610,10 @@ RelativePath=".\security\X509TrustEngine.h" > + +