From: Scott Cantor Date: Mon, 12 Jun 2006 01:00:46 +0000 (+0000) Subject: Exception hierarchy altered, add EncryptedKey resolution. X-Git-Tag: 1.0-alpha1~229 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-xmltooling.git;a=commitdiff_plain;h=fb67842a358b830f18eb0ba008b8d294cf273d3c Exception hierarchy altered, add EncryptedKey resolution. --- diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am index 64543ae..0e8cdfe 100644 --- a/xmltooling/Makefile.am +++ b/xmltooling/Makefile.am @@ -17,103 +17,104 @@ utilincludedir = $(includedir)/xmltooling/util valincludedir = $(includedir)/xmltooling/validation libxmltoolinginclude_HEADERS = \ - AbstractAttributeExtensibleXMLObject.h \ - AbstractChildlessElement.h \ - AbstractComplexElement.h \ - AbstractDOMCachingXMLObject.h \ - AbstractElementProxy.h \ - AbstractSimpleElement.h \ - AbstractXMLObject.h \ - AttributeExtensibleXMLObject.h \ - base.h \ - config_pub.h \ - ElementProxy.h \ - exceptions.h \ - Lockable.h \ - Namespace.h \ - PluginManager.h \ - QName.h \ - SimpleElement.h \ - unicode.h \ - version.h \ - XMLObject.h \ - XMLObjectBuilder.h \ - XMLToolingConfig.h + AbstractAttributeExtensibleXMLObject.h \ + AbstractChildlessElement.h \ + AbstractComplexElement.h \ + AbstractDOMCachingXMLObject.h \ + AbstractElementProxy.h \ + AbstractSimpleElement.h \ + AbstractXMLObject.h \ + AttributeExtensibleXMLObject.h \ + base.h \ + config_pub.h \ + ElementProxy.h \ + exceptions.h \ + Lockable.h \ + Namespace.h \ + PluginManager.h \ + QName.h \ + SimpleElement.h \ + unicode.h \ + version.h \ + XMLObject.h \ + XMLObjectBuilder.h \ + XMLToolingConfig.h encinclude_HEADERS = \ encryption/Decrypter.h \ + encryption/EncryptedKeyResolver.h \ encryption/Encrypter.h \ - encryption/Encryption.h + encryption/Encryption.h implinclude_HEADERS = \ - impl/AnyElement.h \ - impl/UnknownElement.h + impl/AnyElement.h \ + impl/UnknownElement.h ioinclude_HEADERS = \ - io/AbstractXMLObjectMarshaller.h \ - io/AbstractXMLObjectUnmarshaller.h + io/AbstractXMLObjectMarshaller.h \ + io/AbstractXMLObjectUnmarshaller.h siginclude_HEADERS = \ - signature/ContentReference.h \ - signature/KeyInfo.h \ - signature/KeyResolver.h \ - signature/Signature.h \ - signature/SignatureValidator.h + signature/ContentReference.h \ + signature/KeyInfo.h \ + signature/KeyResolver.h \ + signature/Signature.h \ + signature/SignatureValidator.h utilinclude_HEADERS = \ - util/DateTime.h \ - util/NDC.h \ - util/ParserPool.h \ - util/XMLConstants.h \ - util/XMLHelper.h \ - util/XMLObjectChildrenList.h + util/DateTime.h \ + util/NDC.h \ + util/ParserPool.h \ + util/XMLConstants.h \ + util/XMLHelper.h \ + util/XMLObjectChildrenList.h valinclude_HEADERS = \ - validation/AbstractValidatingXMLObject.h \ - validation/ValidatingXMLObject.h \ - validation/Validator.h + validation/AbstractValidatingXMLObject.h \ + validation/ValidatingXMLObject.h \ + validation/Validator.h noinst_HEADERS = \ - internal.h + internal.h if BUILD_XMLSEC xmlsec_sources = \ - encryption/impl/Decrypter.cpp \ - encryption/impl/Encrypter.cpp \ + encryption/impl/Decrypter.cpp \ + encryption/impl/Encrypter.cpp \ signature/impl/SignatureValidator.cpp \ - signature/impl/XMLSecSignatureImpl.cpp + signature/impl/XMLSecSignatureImpl.cpp else xmlsec_sources = endif libxmltooling_la_SOURCES = \ - AbstractAttributeExtensibleXMLObject.cpp \ - AbstractChildlessElement.cpp \ - AbstractComplexElement.cpp \ - AbstractDOMCachingXMLObject.cpp \ - AbstractXMLObject.cpp \ - exceptions.cpp \ - Namespace.cpp \ - QName.cpp \ - unicode.cpp \ - XMLObjectBuilder.cpp \ - XMLToolingConfig.cpp \ - encryption/impl/EncryptionImpl.cpp \ - encryption/impl/EncryptionSchemaValidators.cpp \ - impl/AnyElement.cpp \ - impl/UnknownElement.cpp \ - io/AbstractXMLObjectMarshaller.cpp \ - io/AbstractXMLObjectUnmarshaller.cpp \ - signature/impl/KeyInfoImpl.cpp \ - signature/impl/KeyInfoSchemaValidators.cpp \ - util/DateTime.cpp \ - util/NDC.cpp \ - util/ParserPool.cpp \ - util/XMLConstants.cpp \ - util/XMLHelper.cpp \ - validation/AbstractValidatingXMLObject.cpp \ - validation/Validator.cpp \ - ${xmlsec_sources} + AbstractAttributeExtensibleXMLObject.cpp \ + AbstractChildlessElement.cpp \ + AbstractComplexElement.cpp \ + AbstractDOMCachingXMLObject.cpp \ + AbstractXMLObject.cpp \ + exceptions.cpp \ + Namespace.cpp \ + QName.cpp \ + unicode.cpp \ + XMLObjectBuilder.cpp \ + XMLToolingConfig.cpp \ + encryption/impl/EncryptionImpl.cpp \ + encryption/impl/EncryptionSchemaValidators.cpp \ + impl/AnyElement.cpp \ + impl/UnknownElement.cpp \ + io/AbstractXMLObjectMarshaller.cpp \ + io/AbstractXMLObjectUnmarshaller.cpp \ + signature/impl/KeyInfoImpl.cpp \ + signature/impl/KeyInfoSchemaValidators.cpp \ + util/DateTime.cpp \ + util/NDC.cpp \ + util/ParserPool.cpp \ + util/XMLConstants.cpp \ + util/XMLHelper.cpp \ + validation/AbstractValidatingXMLObject.cpp \ + validation/Validator.cpp \ + ${xmlsec_sources} # this is different from the project version # http://sources.redhat.com/autobook/autobook/autobook_91.html diff --git a/xmltooling/encryption/Decrypter.h b/xmltooling/encryption/Decrypter.h index 19a245b..2ab2b3a 100644 --- a/xmltooling/encryption/Decrypter.h +++ b/xmltooling/encryption/Decrypter.h @@ -41,8 +41,8 @@ namespace xmlencryption { * Constructor. * Resolvers will be deleted when Decrypter is. * - * @param KEKresolver resolves key decryption key based on KeyInfo information - * @param resolver resolves data decryption key based on KeyInfo information + * @param KEKresolver resolves key decryption key + * @param resolver resolves data decryption key */ Decrypter(xmlsignature::KeyResolver* KEKresolver=NULL, xmlsignature::KeyResolver* resolver=NULL) : m_cipher(NULL), m_resolver(resolver), m_KEKresolver(KEKresolver) { @@ -51,7 +51,7 @@ namespace xmlencryption { ~Decrypter(); /** - * Replace the current KeyResolver interface, if any, with a new one. + * Replace the current data encryption KeyResolver interface, if any, with a new one. * * @param resolver the KeyResolver to attach */ diff --git a/xmltooling/encryption/EncryptedKeyResolver.h b/xmltooling/encryption/EncryptedKeyResolver.h new file mode 100644 index 0000000..01dcf85 --- /dev/null +++ b/xmltooling/encryption/EncryptedKeyResolver.h @@ -0,0 +1,49 @@ +/* + * Copyright 2001-2006 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * @file EncryptedKeyResolver.h + * + * Resolves encrypted keys based on EncryptedData information or other external factors. + */ + +#if !defined(__xmltooling_enckeyres_h__) && !defined(XMLTOOLING_NO_XMLSEC) +#define __xmltooling_enckeyres_h__ + +#include +#include + +namespace xmlencryption { + + /** + * An API for resolving encrypted decryption keys. + */ + class XMLTOOL_API EncryptedKeyResolver : public xmlsignature::KeyResolver { + public: + virtual ~EncryptedKeyResolver() {} + + /** + * Returns an encrypted key based on the supplied KeyInfo information. + * + * @param encryptedData an encrypted object + * @return the resolved EncryptedKey object + */ + virtual EncryptedKey* resolveKey(EncryptedData* encryptedData)=0; + }; + +}; + +#endif /* __xmltooling_enckeyres_h__ */ diff --git a/xmltooling/encryption/Encrypter.h b/xmltooling/encryption/Encrypter.h index 63d2be7..4d56561 100644 --- a/xmltooling/encryption/Encrypter.h +++ b/xmltooling/encryption/Encrypter.h @@ -192,7 +192,7 @@ namespace xmlencryption { unsigned char m_keyBuffer[32]; }; - DECL_XMLTOOLING_EXCEPTION(EncryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLToolingException,Exceptions in encryption processing); + DECL_XMLTOOLING_EXCEPTION(EncryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLSecurityException,Exceptions in encryption processing); }; diff --git a/xmltooling/encryption/impl/Decrypter.cpp b/xmltooling/encryption/impl/Decrypter.cpp index 0788761..0a1fe09 100644 --- a/xmltooling/encryption/impl/Decrypter.cpp +++ b/xmltooling/encryption/impl/Decrypter.cpp @@ -22,6 +22,7 @@ #include "internal.h" #include "encryption/Decrypter.h" +#include "encryption/EncryptedKeyResolver.h" #include #include @@ -63,8 +64,9 @@ DOMDocumentFragment* Decrypter::decryptData(EncryptedData* encryptedData) XSECCryptoKey* key=NULL; if (m_resolver) key=m_resolver->resolveKey(encryptedData->getKeyInfo()); - if (!key) { - // See if there's an encrypted key present. We'll need the algorithm... + + if (!key && m_KEKresolver) { + // See if there's an encrypted key available. We'll need the algorithm... const XMLCh* algorithm= encryptedData->getEncryptionMethod() ? encryptedData->getEncryptionMethod()->getAlgorithm() : NULL; if (!algorithm) @@ -85,9 +87,25 @@ DOMDocumentFragment* Decrypter::decryptData(EncryptedData* encryptedData) } } - if (!key) - throw DecryptionException("Unable to resolve a decryption key."); + if (!key) { + // Check for a non-trivial resolver. + EncryptedKeyResolver* ekr=dynamic_cast(m_resolver); + if (ekr) { + EncryptedKey* encKey=ekr->resolveKey(encryptedData); + if (encKey) { + try { + key=decryptKey(encKey, algorithm); + } + catch (DecryptionException& e) { + log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Decrypter").warn(e.what()); + } + } + } + } } + + if (!key) + throw DecryptionException("Unable to resolve a decryption key."); m_cipher->setKey(key); DOMNode* ret=m_cipher->decryptElementDetached(encryptedData->getDOM()); diff --git a/xmltooling/exceptions.h b/xmltooling/exceptions.h index 2291a9c..1c07a34 100644 --- a/xmltooling/exceptions.h +++ b/xmltooling/exceptions.h @@ -350,6 +350,7 @@ namespace xmltooling { DECL_XMLTOOLING_EXCEPTION(UnknownAttributeException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmltooling,XMLToolingException,Exceptions due to processing of unknown attributes); DECL_XMLTOOLING_EXCEPTION(UnknownExtensionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmltooling,XMLToolingException,Exceptions from use of an unrecognized extension/plugin); DECL_XMLTOOLING_EXCEPTION(ValidationException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmltooling,XMLToolingException,Exceptions during object validation); + DECL_XMLTOOLING_EXCEPTION(XMLSecurityException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmltooling,XMLToolingException,Exceptions related to the XML security layer); }; diff --git a/xmltooling/signature/KeyResolver.h b/xmltooling/signature/KeyResolver.h index cf318be..7d060c6 100644 --- a/xmltooling/signature/KeyResolver.h +++ b/xmltooling/signature/KeyResolver.h @@ -31,16 +31,15 @@ namespace xmlsignature { /** - * An API for resolving decryption keys. - * Can be used during both data and key decryption. + * An API for resolving keys. */ class XMLTOOL_API KeyResolver { public: /** - * Constructor based on a single externally supplied decryption key. + * Constructor based on a single externally supplied key. * The key will be destroyed when the resolver is. * - * @param key external decryption key + * @param key external key */ KeyResolver(XSECCryptoKey* key=NULL) : m_key(key) {} diff --git a/xmltooling/signature/Signature.h b/xmltooling/signature/Signature.h index 135dd98..02c4267 100644 --- a/xmltooling/signature/Signature.h +++ b/xmltooling/signature/Signature.h @@ -165,7 +165,7 @@ namespace xmlsignature { } }; - DECL_XMLTOOLING_EXCEPTION(SignatureException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlsignature,xmltooling::XMLToolingException,Exceptions in signature processing); + DECL_XMLTOOLING_EXCEPTION(SignatureException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlsignature,xmltooling::XMLSecurityException,Exceptions in signature processing); }; diff --git a/xmltooling/xmltooling.vcproj b/xmltooling/xmltooling.vcproj index 54a48c3..4bed022 100644 --- a/xmltooling/xmltooling.vcproj +++ b/xmltooling/xmltooling.vcproj @@ -531,6 +531,10 @@ > + +