From 83de10b45721b7882182aaa8a6df0c729db8fc01 Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Thu, 4 Feb 2010 18:57:26 +0000
Subject: [PATCH] Add code paths for new xmlsec APIs, and allow for undetermined signature algorithm.
---
 config_win32.h | 8 ++++++
 configure.ac | 14 +++++++++++
 xmltooling/security/impl/InlineKeyResolver.cpp | 30 +++++++++++++++++++----
 xmltooling/signature/Signature.h | 4 +--
 xmltooling/signature/impl/XMLSecSignatureImpl.cpp | 21 +++++++++++-----
 xmltoolingtest/InlineKeyResolverTest.h | 4 +--
 xmltoolingtest/KeyInfoTest.h | 4 +--
 xmltoolingtest/data/KeyInfo1.xml | 25 +++++++++++++++++++
 8 files changed, 93 insertions(+), 17 deletions(-)
diff --git a/config_win32.h b/config_win32.h
index f006cf4..924ccd5 100644
--- a/config_win32.h
+++ b/config_win32.h
@@ -117,6 +117,14 @@
 /* Define if you wish to disable Xalan-dependent features. */
 #define XSEC_NO_XALAN
+#ifndef XMLTOOLING_NO_XMLSEC
+# include
+# if (_XSEC_VERSION_FULL >= 10600)
+# define XMLTOOLING_XMLSEC_MULTIPLECRL 1
+# define XMLTOOLING_XMLSEC_SIGALGORITHM 1
+# endif
+#endif
+
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */
diff --git a/configure.ac b/configure.ac
index 92ea9ff..3c47dde 100644
--- a/configure.ac
+++ b/configure.ac
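Review bot: The `# if (_XSEC_VERSION_FULL >= 10600)` test silently evaluates to false if the header included on the line above fails to define `_XSEC_VERSION_FULL`, because an undefined identifier in `#if` is treated as 0; both feature macros would then stay off on a toolchain that supports the new APIs and the build would quietly take the legacy paths. Guarding the check makes that failure loud: `# ifndef _XSEC_VERSION_FULL` / `#  error "xmlsec version header did not define _XSEC_VERSION_FULL"` / `# endif`. This file also gates both features on a single version number (presumably encoding 1.6.0) while configure.ac probes each API separately; a one-line comment naming the release that introduced both would make the correspondence between the two mechanisms explicit.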
@@ -291,6 +291,20 @@ int i = 0;
 [AC_MSG_ERROR([unable to link with XML-Security])])
 AC_CHECK_TYPE([xsecsize_t],[AC_DEFINE([HAVE_XSECSIZE_T], [1], [Define to 1 if you have the 'xsecsize_t' type.])])
+ AC_MSG_CHECKING([whether XML-Security-C has multiple CRL support])
+ AC_TRY_COMPILE([#include ],
+ [DSIGKeyInfoList* klist; klist->getX509CRLListSize();],
+ [AC_MSG_RESULT([yes])]
+ [AC_DEFINE([XMLTOOLING_XMLSEC_MULTIPLECRL], [1], [Define to 1 if XML-Security-C handles multiple CRLs.])],
+ [AC_MSG_RESULT([no])])
+
+ AC_MSG_CHECKING([whether XML-Security-C exposes the signature algorithm URI])
+ AC_TRY_COMPILE([#include ],
+ [DSIGSignature* sig; sig->getAlgorithmURI();],
+ [AC_MSG_RESULT([yes])]
+ [AC_DEFINE([XMLTOOLING_XMLSEC_SIGALGORITHM], [1], [Define to 1 if XML-Security-C exposes the signature algorithm URI.])],
+ [AC_MSG_RESULT([no])])
+
 # restore master libs
 LIBS="$save_LIBS"
diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp
index 252539b..589245b 100644
--- a/xmltooling/security/impl/InlineKeyResolver.cpp
+++ b/xmltooling/security/impl/InlineKeyResolver.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2009 Internet2
+ * Copyright 2001-2010 Internet2
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
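Review bot: `AC_TRY_COMPILE` is an obsolete macro in current autoconf; the two new probes would be clearer and free of deprecation warnings as `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <xmlsec header>], [DSIGKeyInfoList* klist; klist->getX509CRLListSize();])], [...yes...], [...no...])` (the header name is not legible in this rendering, hence the placeholder). Both probes also depend on the current language still being C++ and on the xmlsec include path set up for the preceding link test, which holds by position between the `unable to link with XML-Security` check and the `# restore master libs` line; a short comment such as `# still inside the C++/xmlsec section established above` would keep a later reorder from silently turning both features off.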
@@ -394,14 +394,33 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) } if (types & X509Credential::RESOLVE_CRLS) { - DOMNode* x509Node; - DOMElement* crlElement; for (DSIGKeyInfoList::size_type i=0; iitem(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) { +#ifdef XMLTOOLING_XMLSEC_MULTIPLECRL + DSIGKeyInfoX509* x509 = static_cast(keyInfo->item(i)); + int count = x509->getX509CRLListSize(); + for (int j=0; jgetX509CRLItem(j)); + if (buf.get()) { + try { + auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); + crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); + m_crls.push_back(crlobj.release()); + } + catch(XSECException& e) { + auto_ptr_char temp(e.getMsg()); + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", temp.get()); + } + catch(XSECCryptoException& e) { + Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver."INLINE_KEYINFO_RESOLVER).error("caught XML-Security exception loading CRL: %s", e.getMsg()); + } + } + } +#else // The current xmlsec API is limited to one CRL per KeyInfo. // For now, I'm going to process the DOM directly. - x509Node = keyInfo->item(i)->getKeyInfoDOMNode(); - crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : NULL; + DOMNode* x509Node = keyInfo->item(i)->getKeyInfoDOMNode(); + DOMElement* crlElement = x509Node ? XMLHelper::getFirstChildElement(x509Node, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME) : NULL; while (crlElement) { if (crlElement->hasChildNodes()) { auto_ptr_char buf(crlElement->getFirstChild()->getNodeValue()); @@ -422,6 +441,7 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) } crlElement = XMLHelper::getNextSiblingElement(crlElement, xmlconstants::XMLSIG_NS, X509CRL::LOCAL_NAME); } +#endif } } } diff --git a/xmltooling/signature/Signature.h b/xmltooling/signature/Signature.h index 007f78b..cfadb9c 100644 
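Review bot: In the new `XMLTOOLING_XMLSEC_MULTIPLECRL` branch a CRL that `loadX509CRLBase64Bin` rejects is logged at error level and then skipped, so the credential ends up holding fewer CRLs than the KeyInfo carried and a caller cannot tell "no CRL supplied" from "CRL present but unparseable"; that is a reasonable best-effort, but it should be stated above the `try`, e.g. `// A CRL that fails to parse is dropped, so revocation checks downstream see only the CRLs that loaded; CRLs found here come with the KeyInfo itself and carry no more trust than the chain they accompany.` The `static_cast<DSIGKeyInfoX509*>` is sound only because of the `KEYINFO_X509` type check on the preceding line, and since the `#ifdef` now separates the two, a one-line comment tying them together would help. If the legacy DOM branch (mostly outside this hunk) repeats the same try/catch/log sequence, hoisting it into a small static helper that takes the base64 text and appends to `m_crls` would leave only CRL discovery (API list versus DOM walk) inside the conditional. The enclosing `InlineCredential::resolve` begins before this hunk and the matching `#endif` lands in the following one.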
--- a/xmltooling/signature/Signature.h
+++ b/xmltooling/signature/Signature.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2009 Internet2
+ * Copyright 2001-2010 Internet2
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -61,7 +61,7 @@ namespace xmlsignature {
 /**
 * Gets the signing algorithm for the signature.
 *
- * @return the signature algorithm
+ * @return the signature algorithm, or NULL if indeterminate
 */
 virtual const XMLCh* getSignatureAlgorithm() const=0;
diff --git a/xmltooling/signature/impl/XMLSecSignatureImpl.cpp b/xmltooling/signature/impl/XMLSecSignatureImpl.cpp
index 7bce903..dec07c1 100644
--- a/xmltooling/signature/impl/XMLSecSignatureImpl.cpp
+++ b/xmltooling/signature/impl/XMLSecSignatureImpl.cpp
@@ -91,12 +91,15 @@ namespace xmlsignature {
 }
 const XMLCh* getSignatureAlgorithm() const {
 if (!m_sm && m_signature) {
+#ifdef XMLTOOLING_XMLSEC_SIGALGORITHM
+ m_sm = XMLString::replicate(m_signature->getAlgorithmURI());
+#else
 safeBuffer sURI;
- if (signatureHashMethod2URI(sURI, m_signature->getSignatureMethod(), m_signature->getHashMethod()) == false)
- return NULL;
- m_sm = XMLString::replicate(sURI.sbStrToXMLCh());
+ if (signatureHashMethod2URI(sURI, m_signature->getSignatureMethod(), m_signature->getHashMethod()))
+ m_sm = XMLString::replicate(sURI.sbStrToXMLCh());
+#endif
 }
- return m_sm ? m_sm : DSIGConstants::s_unicodeStrURIRSA_SHA1;
+ return m_sm;
 }
 KeyInfo* getKeyInfo() const { return m_keyInfo; }
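Review bot: Dropping `return m_sm ? m_sm : DSIGConstants::s_unicodeStrURIRSA_SHA1;` means an unrecognized signature method no longer reports itself as RSA-SHA1, which is the right direction, but every algorithm-policy check that consumes `getSignatureAlgorithm()` must now treat NULL as "unknown, reject" rather than letting it fall through; that expectation belongs on the declaration in Signature.h next to the new `or NULL if indeterminate` wording, e.g. `Callers enforcing an algorithm whitelist must reject a NULL result.` In the `XMLTOOLING_XMLSEC_SIGALGORITHM` branch `XMLString::replicate` receives `m_signature->getAlgorithmURI()` unguarded; Xerces' replicate appears to return NULL for a NULL input, which is exactly the indeterminate case, but a comment `// replicate(NULL) yields NULL, i.e. "indeterminate"` would record that reliance. In the `#else` branch a method pair `signatureHashMethod2URI` cannot map leaves `m_sm` NULL, so the mapping is retried on every call; harmless, but worth noting since the member otherwise acts as a cache.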
@@ -276,7 +279,10 @@ DOMElement* XMLSecSignatureImpl::marshall(DOMDocument* document, const vectornewSignature(); temp->setDSIGNSPrefix(XMLSIG_PREFIX); - cachedDOM=temp->createBlankSignature(document, getCanonicalizationMethod(), getSignatureAlgorithm()); + const XMLCh* alg = getSignatureAlgorithm(); + if (!alg) + alg = DSIGConstants::s_unicodeStrURIRSA_SHA1; + cachedDOM=temp->createBlankSignature(document, getCanonicalizationMethod(), alg); m_signature = temp; } else { @@ -373,7 +379,10 @@ DOMElement* XMLSecSignatureImpl::marshall(DOMElement* parentElement, const vecto log.debug("creating empty Signature element"); DSIGSignature* temp=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newSignature(); temp->setDSIGNSPrefix(XMLSIG_PREFIX); - cachedDOM=temp->createBlankSignature(parentElement->getOwnerDocument(), getCanonicalizationMethod(), getSignatureAlgorithm()); + const XMLCh* alg = getSignatureAlgorithm(); + if (!alg) + alg = DSIGConstants::s_unicodeStrURIRSA_SHA1; + cachedDOM=temp->createBlankSignature(parentElement->getOwnerDocument(), getCanonicalizationMethod(), alg); m_signature = temp; } else { diff --git a/xmltoolingtest/InlineKeyResolverTest.h b/xmltoolingtest/InlineKeyResolverTest.h index cc13252..1ecaaaa 100644 --- a/xmltoolingtest/InlineKeyResolverTest.h +++ b/xmltoolingtest/InlineKeyResolverTest.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2009 Internet2 + * Copyright 2001-2010 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
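Review bot: The three-line RSA-SHA1 fallback is now written out identically in both `marshall` overloads (this hunk and the `@@ -373` hunk after it), so a future change to the default signature method — for instance to an RSA-SHA2 URI once the project wants one — has to be made in two places and is easy to get half-done. A small private accessor returning the resolved-or-default URI keeps the policy in one spot and leaves the default itself unchanged; it would need a matching declaration in the class. Both enclosing `marshall` bodies start and end outside their hunks.
```cpp
// Signature method to emit when none was recorded on the object; kept in
// one place so the default can be changed once.
const XMLCh* XMLSecSignatureImpl::effectiveSignatureAlgorithm() const {
    const XMLCh* alg = getSignatureAlgorithm();
    return alg ? alg : DSIGConstants::s_unicodeStrURIRSA_SHA1;
}
// … unchanged: both marshall overloads, except the createBlankSignature call …
cachedDOM=temp->createBlankSignature(document, getCanonicalizationMethod(), effectiveSignatureAlgorithm());
```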
@@ -58,6 +58,6 @@ public: TSM_ASSERT("Unable to resolve public key.", cred->getPublicKey()!=NULL); TSM_ASSERT_EQUALS("Unexpected key type.", cred->getPublicKey()->getKeyType(), XSECCryptoKey::KEY_RSA_PUBLIC); TSM_ASSERT_EQUALS("Wrong certificate count.", cred->getEntityCertificateChain().size(), 1); - TSM_ASSERT("Unable to resolve CRL.", cred->getCRL()!=NULL); + TSM_ASSERT_EQUALS("Wrong CRL count.", cred->getCRLs().size(), 3); } }; diff --git a/xmltoolingtest/KeyInfoTest.h b/xmltoolingtest/KeyInfoTest.h index 609d167..b38790f 100644 --- a/xmltoolingtest/KeyInfoTest.h +++ b/xmltoolingtest/KeyInfoTest.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2007 Internet2 + * Copyright 2001-2010 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -46,7 +46,7 @@ public: auto_ptr kiObject(dynamic_cast(b->buildFromDocument(doc))); TS_ASSERT(kiObject.get()!=NULL); TSM_ASSERT_EQUALS("Number of child elements was not expected value", - 3, kiObject->getOrderedChildren().size()); + 4, kiObject->getOrderedChildren().size()); TSM_ASSERT_EQUALS("Number of child elements was not expected value", 1, kiObject->getKeyValues().size()); TSM_ASSERT_EQUALS("Number of child elements was not expected value", diff --git a/xmltoolingtest/data/KeyInfo1.xml b/xmltoolingtest/data/KeyInfo1.xml index e31ab73..f43192f 100644 --- a/xmltoolingtest/data/KeyInfo1.xml +++ b/xmltoolingtest/data/KeyInfo1.xml 
@@ -20,4 +20,29 @@ /50cy2EUSe6YtzA8pGXzSP67YC/3U0D8U4A= + + + MIICKjCCARICAQEwDQYJKoZIhvcNAQEFBQAwdzELMAkGA1UEBhMCQ0gxQDA+BgNVBAoTN1N3aXRj + aCAtIFRlbGVpbmZvcm1hdGlrZGllbnN0ZSBmdWVyIExlaHJlIHVuZCBGb3JzY2h1bmcxJjAkBgNV + BAMTHVNXSVRDSGFhaSBNZXRhZGF0YSBTaWduaW5nIENBFw0wODA5MDIwNDAwMDdaFw0wODA5MjMw + NDAwMDdaMDYwNAIVSWITCHaaiMetadataSignerTest0Fw0wODA1MjcwODE3NTlaMAwwCgYDVR0V + BAMKAQSgLzAtMB8GA1UdIwQYMBaAFG6idTQyfos1XdiTIq2IvM82okZmMAoGA1UdFAQDAgFCMA0G + CSqGSIb3DQEBBQUAA4IBAQCJfSE0x/Gu6zjEfEviR+s568qgRwHLmgTigz3iY0GNfgNTOFttZM0+ + 3AjApSI2FGQHm4K+69MLJNfiH/drNMMnAjY1F2Y8YNkujeyamWBL0HljH8z7lH0uWePFbXje5JTg + sCyGARWq46Ted7kekgUdSwNIzreMlLrcdSiEcPw4cTPrMLMj4FbiJVcjn8O1mkBhJOvQTF0Em9Qn + g3AeJVx9QzfJTK5B8qZRF7eJDxe+lHsC8UU7HHT0p4cgrBiiBJi+kypFMZepmJi0OJ6fkEHCbAhI + IEjDrLGetw0Bq0otJHwueaKcqL2/J2krrsDWUniRyw6X6CK/YtFrAf8RJ9GK + + + MIIB5TCBzgIBATANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJDSDFAMD4GA1UEChM3U3dpdGNo + IC0gVGVsZWluZm9ybWF0aWtkaWVuc3RlIGZ1ZXIgTGVocmUgdW5kIEZvcnNjaHVuZzEaMBgGA1UE + AxMRU1dJVENIYWFpIFJvb3QgQ0EXDTA4MDUxNTA2MzA1NVoXDTA5MTExNDA2MzA1NVqgLzAtMB8G + A1UdIwQYMBaAFOma4gZY6w/XgQNdXJe5sbWTfTuEMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA + A4IBAQCjTKxJjysq8pl799mPu+m/90hKGZ+nu3YBR8yStYFVm/7WvDW62c2OalRlFipcA/cU4lpU + cbb1698/XHLfVX4UiZ6+90rQPRtM3VG0fB8Dz/perhCjvjGLB7PWVI/1KKg+b4VFLDqoU/WMbR3O + FF6tK+Gfvk3xFhSgaUIpJXVwgJWGYEXbfr6hHaIJ0VjKxvLGUcpRrfsVPNVZVNfYfaHvH2BsdWhq + vDMyK3mhySRlYQX0dvi7majHpwzUPQcyr1a5c+hl50Lo0TJ7pIgZn1kc0oj1bxZHt6dGUQz9mhxU + M9ZChStEJ32+ghr/sK/2DA3nkIcCZ/Ou4btRgsG1F8yG + + -- 2.1.4