projects / shibboleth / xmltooling.git / blob
? search:


0c0bbffc156ca14cfcc70de837f18d3cc79b0319
[shibboleth/xmltooling.git] / xmltooling / security / impl / FilesystemCredentialResolver.cpp
1 /*
2  *  Copyright 2001-2007 Internet2
3  * 
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 /**
18  * FilesystemCredentialResolver.cpp
19  * 
20  * Supplies credentials from local files
21  */
22
23 #include "internal.h"
24 #include "logging.h"
25 #include "security/BasicX509Credential.h"
26 #include "security/CredentialCriteria.h"
27 #include "security/CredentialResolver.h"
28 #include "security/KeyInfoResolver.h"
29 #include "security/OpenSSLCredential.h"
30 #include "security/OpenSSLCryptoX509CRL.h"
31 #include "util/NDC.h"
32 #include "util/PathResolver.h"
33 #include "util/XMLHelper.h"
34
35 #include <sys/types.h>
36 #include <sys/stat.h>
37 #include <openssl/pkcs12.h>
38 #include <xercesc/util/XMLUniDefs.hpp>
39 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
40 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
41 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
42
43 using namespace xmlsignature;
44 using namespace xmltooling::logging;
45 using namespace xmltooling;
46 using namespace std;
47
48 // OpenSSL password callback...
49 static int passwd_callback(char* buf, int len, int verify, void* passwd)
50 {
51     if(!verify)
52     {
53         if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
54         {
55             strcpy(buf,reinterpret_cast<char*>(passwd));
56             return strlen(buf);
57         }
58     }  
59     return 0;
60 }
61
62 namespace xmltooling {
63
64 #if defined (_MSC_VER)
65     #pragma warning( push )
66     #pragma warning( disable : 4250 )
67 #endif
68
69     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver;
70     class XMLTOOL_DLLLOCAL FilesystemCredential : public OpenSSLCredential, public BasicX509Credential
71     {
72     public:
73         FilesystemCredential(
74             FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts, XSECCryptoX509CRL* crl=NULL
75             ) : BasicX509Credential(key, xseccerts, crl), m_resolver(resolver), m_usage(UNSPECIFIED_CREDENTIAL) {
76             extract();
77             initKeyInfo();
78         }
79         virtual ~FilesystemCredential() {
80         }
81
82         unsigned int getUsage() const {
83             return m_usage;
84         }
85
86         void setUsage(const XMLCh* usage) {
87             if (usage && *usage) {
88                 auto_ptr_char u(usage);
89                 if (!strcmp(u.get(), "signing"))
90                     m_usage = SIGNING_CREDENTIAL | TLS_CREDENTIAL;
91                 else if (!strcmp(u.get(), "TLS"))
92                     m_usage = TLS_CREDENTIAL;
93                 else if (!strcmp(u.get(), "encryption"))
94                     m_usage = ENCRYPTION_CREDENTIAL;
95             }
96         }
97
98         void addKeyNames(const DOMElement* e);
99
100         void attach(SSL_CTX* ctx) const;
101     
102     private:
103         FilesystemCredentialResolver* m_resolver;
104         unsigned int m_usage;
105     };
106
107 #if defined (_MSC_VER)
108     #pragma warning( pop )
109 #endif
110
111     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver : public CredentialResolver
112     {
113     public:
114         FilesystemCredentialResolver(const DOMElement* e);
115         virtual ~FilesystemCredentialResolver() {
116             delete m_credential;
117             for_each(m_certs.begin(),m_certs.end(),X509_free);
118         }
119
120         Lockable* lock() { return this; }
121         void unlock() {}
122         
123         const Credential* resolve(const CredentialCriteria* criteria=NULL) const {
124             return (criteria ? (criteria->matches(*m_credential) ? m_credential : NULL) : m_credential);
125         }
126
127         virtual vector<const Credential*>::size_type resolve(
128             vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
129             ) const {
130             if (!criteria || criteria->matches(*m_credential)) {
131                 results.push_back(m_credential);
132                 return 1;
133             }
134             return 0;
135         }
136
137         void attach(SSL_CTX* ctx) const;
138
139     private:
140         XSECCryptoKey* loadKey();
141         XSECCryptoX509CRL* loadCRL();
142         
143         enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
144     
145         format_t getEncodingFormat(BIO* in) const;
146         string formatToString(format_t format) const;
147         format_t xmlFormatToFormat(const XMLCh* format_xml) const;
148     
149         format_t m_keyformat,m_crlformat;
150         string m_keypath,m_keypass,m_crlpath;
151         vector<X509*> m_certs;
152         FilesystemCredential* m_credential;
153     };
154
155     CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
156     {
157         return new FilesystemCredentialResolver(e);
158     }
159
160     static const XMLCh _CredentialResolver[] =  UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
161     static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);
162     static const XMLCh Certificate[] =      UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
163     static const XMLCh _certificate[] =     UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
164     static const XMLCh CRL[] =              UNICODE_LITERAL_3(C,R,L);
165     static const XMLCh format[] =           UNICODE_LITERAL_6(f,o,r,m,a,t);
166     static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
167     static const XMLCh _key[] =             UNICODE_LITERAL_3(k,e,y);
168     static const XMLCh keyName[] =          UNICODE_LITERAL_7(k,e,y,N,a,m,e);
169     static const XMLCh Name[] =             UNICODE_LITERAL_4(N,a,m,e);
170     static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
171     static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);
172     static const XMLCh _use[] =             UNICODE_LITERAL_3(u,s,e);
173 };
174
175 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_credential(NULL)
176 {
177 #ifdef _DEBUG
178     NDC ndc("FilesystemCredentialResolver");
179 #endif
180     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER);
181
182     if (e && (e->hasAttributeNS(NULL,_certificate) || e->hasAttributeNS(NULL,_key))) {
183         // Dummy up a simple file resolver config using these attributes.
184         DOMElement* dummy = e->getOwnerDocument()->createElementNS(NULL,_CredentialResolver);
185         DOMElement* child;
186         DOMElement* path;
187         if (e->hasAttributeNS(NULL,_key)) {
188             child = e->getOwnerDocument()->createElementNS(NULL,Key);
189             dummy->appendChild(child);
190             path = e->getOwnerDocument()->createElementNS(NULL,Path);
191             child->appendChild(path);
192             path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,_key)));
193             if (e->hasAttributeNS(NULL,password))
194                 child->setAttributeNS(NULL,password,e->getAttributeNS(NULL,password));
195             if (e->hasAttributeNS(NULL,keyName)) {
196                 path = e->getOwnerDocument()->createElementNS(NULL,Name);
197                 child->appendChild(path);
198                 path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,keyName)));
199             }
200         }
201         if (e->hasAttributeNS(NULL,_certificate)) {
202             child = e->getOwnerDocument()->createElementNS(NULL,Certificate);
203             dummy->appendChild(child);
204             path = e->getOwnerDocument()->createElementNS(NULL,Path);
205             child->appendChild(path);
206             path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,_certificate)));
207         }
208         e = dummy;  // reset "root" to the dummy config element
209     }
210     
211     const DOMElement* root=e;
212     const XMLCh* usage = root->getAttributeNS(NULL,_use);
213
214     XSECCryptoKey* key=NULL;
215     vector<XSECCryptoX509*> xseccerts;
216     XSECCryptoX509CRL* crl=NULL;
217
218     format_t fformat;
219     const XMLCh* format_xml=NULL;
220     BIO* in = NULL;
221     
222     // Move to Key
223     const DOMElement* keynode=XMLHelper::getFirstChildElement(root,Key);
224     if (keynode) {
225         // Get raw format attrib value, but defer processing til later since may need to 
226         // determine format dynamically, and we need the Path for that.
227         format_xml=keynode->getAttributeNS(NULL,format);
228             
229         const XMLCh* password_xml=keynode->getAttributeNS(NULL,password);
230         if (password_xml) {
231             auto_ptr_char kp(password_xml);
232             m_keypass=kp.get();
233         }
234         
235         e=XMLHelper::getFirstChildElement(keynode,Path);
236         if (e && e->hasChildNodes()) {
237             const XMLCh* s=e->getFirstChild()->getNodeValue();
238             auto_ptr_char kpath(s);
239             m_keypath = kpath.get();
240             XMLToolingConfig::getConfig().getPathResolver()->resolve(m_keypath, PathResolver::XMLTOOLING_CFG_FILE);
241 #ifdef WIN32
242             struct _stat stat_buf;
243             if (_stat(m_keypath.c_str(), &stat_buf) != 0)
244 #else
245             struct stat stat_buf;
246             if (stat(m_keypath.c_str(), &stat_buf) != 0)
247 #endif
248             {
249                 log.error("key file (%s) can't be opened", m_keypath.c_str());
250                 throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,m_keypath.c_str()));
251             }
252         }
253         else {
254             log.error("Path element missing inside Key element");
255             throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
256         }
257
258         // Determine the key encoding format dynamically, if not explicitly specified
259         if (format_xml && *format_xml) {
260             fformat = xmlFormatToFormat(format_xml);
261             if (fformat != UNKNOWN) {
262                 m_keyformat = fformat;
263             }
264             else {
265                 auto_ptr_char unknown(format_xml);
266                 log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
267                 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
268             }
269         }
270         else {
271             in=BIO_new(BIO_s_file_internal());
272             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
273                 m_keyformat = getEncodingFormat(in);
274                 log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
275             }
276             else {
277                 log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
278                 throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
279             }
280             if (in)
281                 BIO_free(in);
282             in = NULL;    
283         }
284         
285         // Load the key.
286         key = loadKey();
287     }
288     
289     // Check for CRL.
290     const DOMElement* crlnode=XMLHelper::getFirstChildElement(root,CRL);
291     if (crlnode) {
292         // Get raw format attrib value, but defer processing til later since may need to 
293         // determine format dynamically, and we need the Path for that.
294         format_xml=crlnode->getAttributeNS(NULL,format);
295             
296         e=XMLHelper::getFirstChildElement(crlnode,Path);
297         if (e && e->hasChildNodes()) {
298             const XMLCh* s=e->getFirstChild()->getNodeValue();
299             auto_ptr_char kpath(s);
300             m_crlpath=kpath.get();
301             XMLToolingConfig::getConfig().getPathResolver()->resolve(m_crlpath, PathResolver::XMLTOOLING_CFG_FILE);
302 #ifdef WIN32
303             struct _stat stat_buf;
304             if (_stat(m_crlpath.c_str(), &stat_buf) != 0)
305 #else
306             struct stat stat_buf;
307             if (stat(m_crlpath.c_str(), &stat_buf) != 0)
308 #endif
309             {
310                 log.error("CRL file (%s) can't be opened", m_crlpath.c_str());
311                 throw XMLSecurityException("FilesystemCredentialResolver can't access CRL file ($1)",params(1,m_crlpath.c_str()));
312             }
313         }
314         else {
315             log.error("Path element missing inside CRL element");
316             throw XMLSecurityException("FilesystemCredentialResolver can't access CRL file, no Path element specified.");
317         }
318
319         // Determine the CRL encoding format dynamically, if not explicitly specified
320         if (format_xml && *format_xml) {
321             fformat = xmlFormatToFormat(format_xml);
322             if (fformat != UNKNOWN) {
323                 m_crlformat = fformat;
324             }
325             else {
326                 auto_ptr_char unknown(format_xml);
327                 log.error("configuration specifies unknown CRL encoding format (%s)", unknown.get());
328                 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown CRL encoding format ($1)",params(1,unknown.get()));
329             }
330         }
331         else {
332             in=BIO_new(BIO_s_file_internal());
333             if (in && BIO_read_filename(in,m_crlpath.c_str())>0) {
334                 m_crlformat = getEncodingFormat(in);
335                 log.debug("CRL encoding format for (%s) dynamically resolved as (%s)", m_crlpath.c_str(), formatToString(m_crlformat).c_str());
336             }
337             else {
338                 log.error("CRL file (%s) can't be read to determine encoding format", m_crlpath.c_str());
339                 throw XMLSecurityException("FilesystemCredentialResolver can't read CRL file ($1) to determine encoding format",params(1,m_crlpath.c_str()));
340             }
341             if (in)
342                 BIO_free(in);
343             in = NULL;
344         }
345         
346         // Load the key.
347         crl = loadCRL();
348     }
349
350     // Check for Certificate
351     e=XMLHelper::getFirstChildElement(root,Certificate);
352     if (!e) {
353         m_credential = new FilesystemCredential(this,key,xseccerts,crl);
354         m_credential->addKeyNames(keynode);
355         m_credential->setUsage(usage);
356         return;
357     }
358     auto_ptr_char certpass(e->getAttributeNS(NULL,password));
359     
360     const DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
361     if (!ep || !ep->hasChildNodes()) {
362         log.error("Path element missing inside Certificate element or is empty");
363         delete key;
364         delete crl;
365         throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
366     }
367     
368     auto_ptr_char certpath2(ep->getFirstChild()->getNodeValue());
369     string certpath(certpath2.get());
370     XMLToolingConfig::getConfig().getPathResolver()->resolve(certpath, PathResolver::XMLTOOLING_CFG_FILE);
371
372     format_xml=e->getAttributeNS(NULL,format);
373     if (format_xml && *format_xml) {
374         fformat = xmlFormatToFormat(format_xml);
375         if (fformat == UNKNOWN) {
376             auto_ptr_char unknown(format_xml);
377             log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
378             delete key;
379             delete crl;
380             throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
381         }
382     }
383     
384     try {
385         X509* x=NULL;
386         PKCS12* p12=NULL;
387         in=BIO_new(BIO_s_file_internal());
388         if (in && BIO_read_filename(in,certpath.c_str())>0) {
389             if (!format_xml || !*format_xml) {
390                 // Determine the cert encoding format dynamically, if not explicitly specified
391                 fformat = getEncodingFormat(in);
392                 log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.c_str(), formatToString(fformat).c_str());
393             }
394
395             switch(fformat) {
396                 case PEM:
397                     while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
398                         m_certs.push_back(x);
399                     break;
400                                 
401                 case DER:
402                     x=d2i_X509_bio(in,NULL);
403                     if (x)
404                         m_certs.push_back(x);
405                     else {
406                         log_openssl();
407                         BIO_free(in);
408                         throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.c_str()));
409                     }
410                     break;
411
412                 case _PKCS12:
413                     p12=d2i_PKCS12_bio(in,NULL);
414                     if (p12) {
415                         PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
416                         PKCS12_free(p12);
417                     }
418                     if (x) {
419                         m_certs.push_back(x);
420                         x=NULL;
421                     } else {
422                         log_openssl();
423                         BIO_free(in);
424                         throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.c_str()));
425                     }
426                     break;
427             } // end switch
428
429         } else {
430             log_openssl();
431             if (in) {
432                 BIO_free(in);
433                 in=NULL;
434             }
435             throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.c_str()));
436         }
437         if (in) {
438             BIO_free(in);
439             in=NULL;
440         }
441
442         if (m_certs.empty())
443             throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
444
445         // Load any extra CA files.
446         const DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
447         while (extra) {
448             if (!extra->hasChildNodes()) {
449                 log.warn("skipping empty CAPath element");
450                 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
451                 continue;
452             }
453             auto_ptr_char capath2(extra->getFirstChild()->getNodeValue());
454             string capath(capath2.get());
455             XMLToolingConfig::getConfig().getPathResolver()->resolve(capath, PathResolver::XMLTOOLING_CFG_FILE);
456             x=NULL;
457             p12=NULL;
458             in=BIO_new(BIO_s_file_internal());
459             if (in && BIO_read_filename(in,capath.c_str())>0) {
460                 if (!format_xml || !*format_xml) {
461                     // Determine the cert encoding format dynamically, if not explicitly specified
462                     fformat = getEncodingFormat(in);
463                     log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", capath.c_str(), formatToString(fformat).c_str());
464                 }
465
466                 switch (fformat) {
467                     case PEM:
468                         while (x=PEM_read_bio_X509(in,NULL,NULL,NULL))
469                             m_certs.push_back(x);
470                         break;
471
472                     case DER:
473                         x=d2i_X509_bio(in,NULL);
474                         if (x)
475                             m_certs.push_back(x);
476                         else {
477                             log_openssl();
478                             BIO_free(in);
479                             throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.c_str()));
480                         }
481                         break;
482
483                     case _PKCS12:
484                         p12 = d2i_PKCS12_bio(in, NULL);
485                         if (p12) {
486                             PKCS12_parse(p12, NULL, NULL, &x, NULL);
487                             PKCS12_free(p12);
488                         }
489                         if (x) {
490                             m_certs.push_back(x);
491                             x=NULL;
492                         }
493                         else {
494                             log_openssl();
495                             BIO_free(in);
496                             throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.c_str()));
497                         }
498                         break;
499                 } //end switch
500
501                 BIO_free(in);
502             }
503             else {
504                 if (in)
505                     BIO_free(in);
506                 log_openssl();
507                 log.error("CA file (%s) can't be opened", capath.c_str());
508                 throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.c_str()));
509             }
510             
511             extra = XMLHelper::getNextSiblingElement(extra,CAPath);
512         }
513     }
514     catch (XMLToolingException&) {
515         delete key;
516         delete crl;
517         for_each(m_certs.begin(), m_certs.end(), X509_free);
518         throw;
519     }
520
521     // Reflect certs over to XSEC form and wrap with credential object.
522     for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
523         xseccerts.push_back(new OpenSSLCryptoX509(*j));
524     if (!key && !xseccerts.empty())
525         key = xseccerts.front()->clonePublicKey();
526     m_credential = new FilesystemCredential(this, key, xseccerts, crl);
527     m_credential->addKeyNames(keynode);
528     m_credential->setUsage(usage);
529 }
530
531 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
532 {
533 #ifdef _DEBUG
534     NDC ndc("loadKey");
535 #endif
536
537     // Get a EVP_PKEY.
538     EVP_PKEY* pkey=NULL;
539     BIO* in=BIO_new(BIO_s_file_internal());
540     if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
541         switch (m_keyformat) {
542             case PEM:
543                 pkey=PEM_read_bio_PrivateKey(in, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
544                 break;
545             
546             case DER:
547                 pkey=d2i_PrivateKey_bio(in, NULL);
548                 break;
549                 
550             default: {
551                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
552                 if (p12) {
553                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
554                     PKCS12_free(p12);
555                 }
556             }
557         }
558     }
559     if (in)
560         BIO_free(in);
561     
562     // Now map it to an XSEC wrapper.
563     if (pkey) {
564         XSECCryptoKey* ret=NULL;
565         switch (pkey->type) {
566             case EVP_PKEY_RSA:
567                 ret=new OpenSSLCryptoKeyRSA(pkey);
568                 break;
569                 
570             case EVP_PKEY_DSA:
571                 ret=new OpenSSLCryptoKeyDSA(pkey);
572                 break;
573             
574             default:
575                 Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER).error("unsupported private key type");
576         }
577         EVP_PKEY_free(pkey);
578         if (ret)
579             return ret;
580     }
581
582     log_openssl();
583     throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file."); 
584 }
585
586 XSECCryptoX509CRL* FilesystemCredentialResolver::loadCRL()
587 {
588 #ifdef _DEBUG
589     NDC ndc("loadCRL");
590 #endif
591
592     X509_CRL* crl=NULL;
593     BIO* in=BIO_new(BIO_s_file_internal());
594     if (in && BIO_read_filename(in,m_crlpath.c_str())>0) {
595         switch (m_crlformat) {
596             case PEM:
597                 crl=PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
598                 break;
599             
600             case DER:
601                 crl=d2i_X509_CRL_bio(in, NULL);
602                 break;
603         }
604     }
605     if (in)
606         BIO_free(in);
607     
608     // Now map it to an XSEC wrapper.
609     if (crl) {
610         XSECCryptoX509CRL* ret=new OpenSSLCryptoX509CRL(crl);
611         X509_CRL_free(crl);
612         return ret;
613     }
614
615     log_openssl();
616     throw XMLSecurityException("FilesystemCredentialResolver unable to load CRL from file."); 
617 }
618
619 // Used to determine the encoding format of credentials files
620 // dynamically. Supports: PEM, DER, PKCS12.
621 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
622 {
623     PKCS12* p12 = NULL;
624     format_t format;
625
626     const int READSIZE = 1;
627     char buf[READSIZE];
628     char b1;
629     int mark;
630
631     try {
632         if ( (mark = BIO_tell(in)) < 0 ) 
633             throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
634         if ( BIO_read(in, buf, READSIZE) <= 0 ) 
635             throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
636         if ( BIO_seek(in, mark) < 0 ) 
637             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
638     }
639     catch (...) {
640         log_openssl();
641         throw;
642     }
643
644     b1 = buf[0];
645
646     // This is a slight variation of the Java code by Chad La Joie.
647     //
648     // Check the first byte of the file.  If it's some kind of
649     // DER-encoded structure (including PKCS12), it will begin with ASCII 048.
650     // Otherwise, assume it's PEM.
651     if (b1 !=  48) {
652         format = PEM;
653     } else {
654         // Here we know it's DER-encoded, now try to parse it as a PKCS12
655         // ASN.1 structure.  If it fails, must be another kind of DER-encoded
656         // key/cert structure.  A little inefficient...but it works.
657         if ( (p12=d2i_PKCS12_bio(in,NULL)) == NULL ) {
658             format = DER;
659         } else {
660             format = _PKCS12;
661         }
662         if (p12)
663             PKCS12_free(p12);    
664         if ( BIO_seek(in, mark) < 0 ) {
665             log_openssl();
666             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
667         }
668     }
669
670     return format;
671 }
672
673 // Convert key/cert format_t types to a human-meaningful string for debug output
674 string FilesystemCredentialResolver::formatToString(format_t format) const
675 {
676     switch(format) {
677         case PEM:
678             return "PEM";
679         case DER:
680             return "DER";
681         case _PKCS12:
682             return "PKCS12";
683         default:
684             return "UNKNOWN";
685     }
686 }
687
688 // Convert key/cert raw XML format attribute (XMLCh[]) to format_t type
689 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
690 {
691     static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
692     static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
693     static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };
694     format_t format;
695
696     if (!XMLString::compareString(format_xml,cPEM))
697         format=PEM;
698     else if (!XMLString::compareString(format_xml,cDER))
699         format=DER;
700     else if (!XMLString::compareString(format_xml,cPKCS12))
701         format=_PKCS12;
702     else
703         format=UNKNOWN;
704
705     return format;
706 }
707
708 void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
709 {
710 #ifdef _DEBUG
711     NDC ndc("attach");
712 #endif
713
714     if (m_keypath.empty())
715         throw XMLSecurityException("No key available, unable to attach private key to SSL context.");
716
717     // Attach key.
718     SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
719     SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
720
721     int ret=0;
722     switch (m_keyformat) {
723         case PEM:
724             ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
725             break;
726             
727         case DER:
728             ret=SSL_CTX_use_RSAPrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
729             break;
730             
731         default: {
732             BIO* in=BIO_new(BIO_s_file_internal());
733             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
734                 EVP_PKEY* pkey=NULL;
735                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
736                 if (p12) {
737                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
738                     PKCS12_free(p12);
739                     if (pkey) {
740                         ret=SSL_CTX_use_PrivateKey(ctx, pkey);
741                         EVP_PKEY_free(pkey);
742                     }
743                 }
744             }
745             if (in)
746                 BIO_free(in);
747         }
748     }
749     
750     if (ret!=1) {
751         log_openssl();
752         throw XMLSecurityException("Unable to attach private key to SSL context.");
753     }
754
755     // Attach certs.
756     for (vector<X509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) {
757         if (i==m_certs.begin()) {
758             if (SSL_CTX_use_certificate(ctx, *i) != 1) {
759                 log_openssl();
760                 throw XMLSecurityException("Unable to attach client certificate to SSL context.");
761             }
762         }
763         else {
764             // When we add certs, they don't get ref counted, so we need to duplicate them.
765             X509* dup = X509_dup(*i);
766             if (SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
767                 X509_free(dup);
768                 log_openssl();
769                 throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
770             }
771         }
772     }
773 }
774
775 void FilesystemCredential::addKeyNames(const DOMElement* e)
776 {
777     e = e ? XMLHelper::getFirstChildElement(e, Name) : NULL;
778     while (e) {
779         if (e->hasChildNodes()) {
780             auto_ptr_char n(e->getFirstChild()->getNodeValue());
781             if (n.get() && *n.get())
782                 m_keyNames.insert(n.get());
783         }
784         e = XMLHelper::getNextSiblingElement(e, Name);
785     }
786 }
787
788 void FilesystemCredential::attach(SSL_CTX* ctx) const
789 {
790     return m_resolver->attach(ctx);
791 }
Unnamed repository; edit this file 'description' to name the repository.