xmltooling/security/impl/FilesystemCredentialResolver.cpp

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 /**
  18  * FilesystemCredentialResolver.cpp
  19  *
  20  * Supplies credentials from local files
  21  */
  22
  23 #include "internal.h"
  24 #include "logging.h"
  25 #include "security/BasicX509Credential.h"
  26 #include "security/CredentialCriteria.h"
  27 #include "security/CredentialResolver.h"
  28 #include "security/KeyInfoResolver.h"
  29 #include "security/OpenSSLCredential.h"
  30 #include "util/NDC.h"
  31 #include "util/XMLHelper.h"
  32
  33 #include <sys/types.h>
  34 #include <sys/stat.h>
  35 #include <openssl/pkcs12.h>
  36 #include <xercesc/util/XMLUniDefs.hpp>
  37 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
  38 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
  39 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
  40
  41 using namespace xmlsignature;
  42 using namespace xmltooling::logging;
  43 using namespace xmltooling;
  44 using namespace std;
  45
  46 // OpenSSL password callback...
  47 static int passwd_callback(char* buf, int len, int verify, void* passwd)
  48 {
  49     if(!verify)
  50     {
  51         if(passwd && len > strlen(reinterpret_cast<char*>(passwd)))
  52         {
  53             strcpy(buf,reinterpret_cast<char*>(passwd));
  54             return strlen(buf);
  55         }
  56     }
  57     return 0;
  58 }
  59
  60 namespace xmltooling {
  61
  62 #if defined (_MSC_VER)
  63     #pragma warning( push )
  64     #pragma warning( disable : 4250 )
  65 #endif
  66
  67     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver;
  68     class XMLTOOL_DLLLOCAL FilesystemCredential : public OpenSSLCredential, public BasicX509Credential
  69     {
  70     public:
  71         FilesystemCredential(FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts)
  72                 : BasicX509Credential(key, xseccerts), m_resolver(resolver) {
  73             if (!m_xseccerts.empty())
  74                 extractNames(m_xseccerts.front(), m_keyNames);
  75             initKeyInfo();
  76         }
  77         virtual ~FilesystemCredential() {
  78         }
  79
  80         void addKeyNames(const DOMElement* e);
  81
  82         void attach(SSL_CTX* ctx) const;
  83
  84     private:
  85         FilesystemCredentialResolver* m_resolver;
  86     };
  87
  88 #if defined (_MSC_VER)
  89     #pragma warning( pop )
  90 #endif
  91
  92     class XMLTOOL_DLLLOCAL FilesystemCredentialResolver : public CredentialResolver
  93     {
  94     public:
  95         FilesystemCredentialResolver(const DOMElement* e);
  96         virtual ~FilesystemCredentialResolver() {
  97             delete m_credential;
  98             for_each(m_certs.begin(),m_certs.end(),X509_free);
  99         }
 100
 101         Lockable* lock() { return this; }
 102         void unlock() {}
 103
 104         const Credential* resolve(const CredentialCriteria* criteria=NULL) const {
 105             return (criteria ? (criteria->matches(*m_credential) ? m_credential : NULL) : m_credential);
 106         }
 107
 108         virtual vector<const Credential*>::size_type resolve(
 109             vector<const Credential*>& results, const CredentialCriteria* criteria=NULL
 110             ) const {
 111             if (!criteria || criteria->matches(*m_credential)) {
 112                 results.push_back(m_credential);
 113                 return 1;
 114             }
 115             return 0;
 116         }
 117
 118         void attach(SSL_CTX* ctx) const;
 119
 120     private:
 121         XSECCryptoKey* loadKey();
 122
 123         enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
 124
 125         format_t getEncodingFormat(BIO* in) const;
 126         string formatToString(format_t format) const;
 127         format_t xmlFormatToFormat(const XMLCh* format_xml) const;
 128
 129         format_t m_keyformat;
 130         string m_keypath,m_keypass;
 131         vector<X509*> m_certs;
 132         FilesystemCredential* m_credential;
 133     };
 134
 135     CredentialResolver* XMLTOOL_DLLLOCAL FilesystemCredentialResolverFactory(const DOMElement* const & e)
 136     {
 137         return new FilesystemCredentialResolver(e);
 138     }
 139
 140     static const XMLCh _CredentialResolver[] =  UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
 141     static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);
 142     static const XMLCh Certificate[] =      UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
 143     static const XMLCh _certificate[] =     UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
 144     static const XMLCh format[] =           UNICODE_LITERAL_6(f,o,r,m,a,t);
 145     static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
 146     static const XMLCh _key[] =             UNICODE_LITERAL_3(k,e,y);
 147     static const XMLCh Name[] =             UNICODE_LITERAL_4(N,a,m,e);
 148     static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
 149     static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);
 150 };
 151
 152 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_credential(NULL)
 153 {
 154 #ifdef _DEBUG
 155     NDC ndc("FilesystemCredentialResolver");
 156 #endif
 157     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER);
 158
 159     if (e && (e->hasAttributeNS(NULL,_certificate) || e->hasAttributeNS(NULL,_key))) {
 160         // Dummy up a simple file resolver config using these attributes.
 161         DOMElement* dummy = e->getOwnerDocument()->createElementNS(NULL,_CredentialResolver);
 162         DOMElement* child;
 163         DOMElement* path;
 164         if (e->hasAttributeNS(NULL,_key)) {
 165             child = e->getOwnerDocument()->createElementNS(NULL,Key);
 166             dummy->appendChild(child);
 167             path = e->getOwnerDocument()->createElementNS(NULL,Path);
 168             child->appendChild(path);
 169             path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,_key)));
 170             if (e->hasAttributeNS(NULL,password))
 171                 child->setAttributeNS(NULL,password,e->getAttributeNS(NULL,password));
 172         }
 173         if (e->hasAttributeNS(NULL,_certificate)) {
 174             child = e->getOwnerDocument()->createElementNS(NULL,Certificate);
 175             dummy->appendChild(child);
 176             path = e->getOwnerDocument()->createElementNS(NULL,Path);
 177             child->appendChild(path);
 178             path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,_certificate)));
 179         }
 180         e = dummy;  // reset "root" to the dummy config element
 181     }
 182
 183     const DOMElement* root=e;
 184
 185     XSECCryptoKey* key=NULL;
 186     vector<XSECCryptoX509*> xseccerts;
 187
 188     format_t fformat;
 189     const XMLCh* format_xml=NULL;
 190     BIO* in = NULL;
 191
 192     // Move to Key
 193     const DOMElement* keynode=XMLHelper::getFirstChildElement(root,Key);
 194     if (keynode) {
 195
 196         // Get raw format attrib value, but defer processing til later since may need to
 197         // determine format dynamically, and we need the Path for that.
 198         format_xml=keynode->getAttributeNS(NULL,format);
 199
 200         const XMLCh* password_xml=keynode->getAttributeNS(NULL,password);
 201         if (password_xml) {
 202             auto_ptr_char kp(password_xml);
 203             m_keypass=kp.get();
 204         }
 205
 206         e=XMLHelper::getFirstChildElement(keynode,Path);
 207         if (e && e->hasChildNodes()) {
 208             const XMLCh* s=e->getFirstChild()->getNodeValue();
 209             auto_ptr_char kpath(s);
 210 #ifdef WIN32
 211             struct _stat stat_buf;
 212             if (_stat(kpath.get(), &stat_buf) != 0)
 213 #else
 214             struct stat stat_buf;
 215             if (stat(kpath.get(), &stat_buf) != 0)
 216 #endif
 217             {
 218                 log.error("key file (%s) can't be opened", kpath.get());
 219                 throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
 220             }
 221             m_keypath=kpath.get();
 222         }
 223         else {
 224             log.error("Path element missing inside Key element");
 225             throw XMLSecurityException("FilesystemCredentialResolver can't access key file, no Path element specified.");
 226         }
 227
 228         // Determine the key encoding format dynamically, if not explicitly specified
 229         if (format_xml && *format_xml) {
 230             fformat = xmlFormatToFormat(format_xml);
 231             if (fformat != UNKNOWN) {
 232                 m_keyformat = fformat;
 233             }
 234             else {
 235                 auto_ptr_char unknown(format_xml);
 236                 log.error("configuration specifies unknown key encoding format (%s)", unknown.get());
 237                 throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown key encoding format ($1)",params(1,unknown.get()));
 238             }
 239         }
 240         else {
 241             in=BIO_new(BIO_s_file_internal());
 242             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 243                 m_keyformat = getEncodingFormat(in);
 244                 log.debug("key encoding format for (%s) dynamically resolved as (%s)", m_keypath.c_str(), formatToString(m_keyformat).c_str());
 245             }
 246             else {
 247                 log.error("key file (%s) can't be read to determine encoding format", m_keypath.c_str());
 248                 throw XMLSecurityException("FilesystemCredentialResolver can't read key file ($1) to determine encoding format",params(1,m_keypath.c_str()));
 249             }
 250             if (in)
 251                 BIO_free(in);
 252             in = NULL;
 253         }
 254
 255         // Load the key.
 256         key = loadKey();
 257     }
 258
 259     // Check for Certificate
 260     e=XMLHelper::getFirstChildElement(root,Certificate);
 261     if (!e) {
 262         m_credential = new FilesystemCredential(this,key,xseccerts);
 263         m_credential->addKeyNames(keynode);
 264         return;
 265     }
 266     auto_ptr_char certpass(e->getAttributeNS(NULL,password));
 267
 268     const DOMElement* ep=XMLHelper::getFirstChildElement(e,Path);
 269     if (!ep || !ep->hasChildNodes()) {
 270         log.error("Path element missing inside Certificate element or is empty");
 271         delete key;
 272         throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
 273     }
 274
 275     auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
 276     format_xml=e->getAttributeNS(NULL,format);
 277     if (format_xml && *format_xml) {
 278         fformat = xmlFormatToFormat(format_xml);
 279         if (fformat == UNKNOWN) {
 280             auto_ptr_char unknown(format_xml);
 281             log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
 282             delete key;
 283             throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
 284         }
 285     }
 286
 287     try {
 288         X509* x=NULL;
 289         PKCS12* p12=NULL;
 290         in=BIO_new(BIO_s_file_internal());
 291         if (in && BIO_read_filename(in,certpath.get())>0) {
 292             if (!format_xml || !*format_xml) {
 293                 // Determine the cert encoding format dynamically, if not explicitly specified
 294                 fformat = getEncodingFormat(in);
 295                 log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 296             }
 297
 298             switch(fformat) {
 299                 case PEM:
 300                     while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 301                         m_certs.push_back(x);
 302                     break;
 303
 304                 case DER:
 305                     x=d2i_X509_bio(in,NULL);
 306                     if (x)
 307                         m_certs.push_back(x);
 308                     else {
 309                         log_openssl();
 310                         BIO_free(in);
 311                         throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
 312                     }
 313                     break;
 314
 315                 case _PKCS12:
 316                     p12=d2i_PKCS12_bio(in,NULL);
 317                     if (p12) {
 318                         PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 319                         PKCS12_free(p12);
 320                     }
 321                     if (x) {
 322                         m_certs.push_back(x);
 323                         x=NULL;
 324                     } else {
 325                         log_openssl();
 326                         BIO_free(in);
 327                         throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
 328                     }
 329                     break;
 330             } // end switch
 331
 332         } else {
 333             log_openssl();
 334             if (in) {
 335                 BIO_free(in);
 336                 in=NULL;
 337             }
 338             throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
 339         }
 340         if (in) {
 341             BIO_free(in);
 342             in=NULL;
 343         }
 344
 345         if (m_certs.empty())
 346             throw XMLSecurityException("FilesystemCredentialResolver unable to load any certificate(s)");
 347
 348         // Load any extra CA files.
 349         const DOMElement* extra=XMLHelper::getFirstChildElement(e,CAPath);
 350         while (extra) {
 351             if (!extra->hasChildNodes()) {
 352                 log.warn("skipping empty CAPath element");
 353                 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 354                 continue;
 355             }
 356             auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
 357             x=NULL;
 358             p12=NULL;
 359             in=BIO_new(BIO_s_file_internal());
 360             if (in && BIO_read_filename(in,capath.get())>0) {
 361                 if (!format_xml || !*format_xml) {
 362                     // Determine the cert encoding format dynamically, if not explicitly specified
 363                     fformat = getEncodingFormat(in);
 364                     log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
 365                 }
 366
 367                 switch (fformat) {
 368                     case PEM:
 369                         while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
 370                             m_certs.push_back(x);
 371                         break;
 372
 373                     case DER:
 374                         x=d2i_X509_bio(in,NULL);
 375                         if (x)
 376                             m_certs.push_back(x);
 377                         else {
 378                             log_openssl();
 379                             BIO_free(in);
 380                             throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
 381                         }
 382                         break;
 383
 384                     case _PKCS12:
 385                         p12 = d2i_PKCS12_bio(in, NULL);
 386                         if (p12) {
 387                             PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
 388                             PKCS12_free(p12);
 389                         }
 390                         if (x) {
 391                             m_certs.push_back(x);
 392                             x=NULL;
 393                         }
 394                         else {
 395                             log_openssl();
 396                             BIO_free(in);
 397                             throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
 398                         }
 399                         break;
 400                 } //end switch
 401
 402                 BIO_free(in);
 403             }
 404             else {
 405                 if (in)
 406                     BIO_free(in);
 407                 log_openssl();
 408                 log.error("CA file (%s) can't be opened", capath.get());
 409                 throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
 410             }
 411
 412             extra = XMLHelper::getNextSiblingElement(extra,CAPath);
 413         }
 414     }
 415     catch (XMLToolingException&) {
 416         delete key;
 417         for_each(m_certs.begin(), m_certs.end(), X509_free);
 418         throw;
 419     }
 420
 421     // Reflect certs over to XSEC form and wrap with credential object.
 422     for (vector<X509*>::iterator j=m_certs.begin(); j!=m_certs.end(); j++)
 423         xseccerts.push_back(new OpenSSLCryptoX509(*j));
 424     if (!key && !xseccerts.empty())
 425         key = xseccerts.front()->clonePublicKey();
 426     m_credential = new FilesystemCredential(this, key, xseccerts);
 427     m_credential->addKeyNames(keynode);
 428 }
 429
 430 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
 431 {
 432 #ifdef _DEBUG
 433     NDC ndc("loadKey");
 434 #endif
 435
 436     // Get a EVP_PKEY.
 437     EVP_PKEY* pkey=NULL;
 438     BIO* in=BIO_new(BIO_s_file_internal());
 439     if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 440         switch (m_keyformat) {
 441             case PEM:
 442                 pkey=PEM_read_bio_PrivateKey(in, NULL, passwd_callback, const_cast<char*>(m_keypass.c_str()));
 443                 break;
 444
 445             case DER:
 446                 pkey=d2i_PrivateKey_bio(in, NULL);
 447                 break;
 448
 449             default: {
 450                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 451                 if (p12) {
 452                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 453                     PKCS12_free(p12);
 454                 }
 455             }
 456         }
 457     }
 458     if (in)
 459         BIO_free(in);
 460
 461     // Now map it to an XSEC wrapper.
 462     if (pkey) {
 463         XSECCryptoKey* ret=NULL;
 464         switch (pkey->type) {
 465             case EVP_PKEY_RSA:
 466                 ret=new OpenSSLCryptoKeyRSA(pkey);
 467                 break;
 468
 469             case EVP_PKEY_DSA:
 470                 ret=new OpenSSLCryptoKeyDSA(pkey);
 471                 break;
 472
 473             default:
 474                 Category::getInstance(XMLTOOLING_LOGCAT".CredentialResolver."FILESYSTEM_CREDENTIAL_RESOLVER).error("unsupported private key type");
 475         }
 476         EVP_PKEY_free(pkey);
 477         if (ret)
 478             return ret;
 479     }
 480
 481     log_openssl();
 482     throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file.");
 483 }
 484
 485 // Used to determine the encoding format of credentials files
 486 // dynamically. Supports: PEM, DER, PKCS12.
 487 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
 488 {
 489     PKCS12* p12 = NULL;
 490     format_t format;
 491
 492     const int READSIZE = 1;
 493     char buf[READSIZE];
 494     char b1;
 495     int mark;
 496
 497     try {
 498         if ( (mark = BIO_tell(in)) < 0 )
 499             throw XMLSecurityException("getEncodingFormat: BIO_tell() can't get the file position");
 500         if ( BIO_read(in, buf, READSIZE) <= 0 )
 501             throw XMLSecurityException("getEncodingFormat: BIO_read() can't read from the stream");
 502         if ( BIO_seek(in, mark) < 0 )
 503             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 504     }
 505     catch (...) {
 506         log_openssl();
 507         throw;
 508     }
 509
 510     b1 = buf[0];
 511
 512     // This is a slight variation of the Java code by Chad La Joie.
 513     //
 514     // Check the first byte of the file.  If it's some kind of
 515     // DER-encoded structure (including PKCS12), it will begin with ASCII 048.
 516     // Otherwise, assume it's PEM.
 517     if (b1 !=  48) {
 518         format = PEM;
 519     } else {
 520         // Here we know it's DER-encoded, now try to parse it as a PKCS12
 521         // ASN.1 structure.  If it fails, must be another kind of DER-encoded
 522         // key/cert structure.  A little inefficient...but it works.
 523         if ( (p12=d2i_PKCS12_bio(in,NULL)) == NULL ) {
 524             format = DER;
 525         } else {
 526             format = _PKCS12;
 527         }
 528         if (p12)
 529             PKCS12_free(p12);
 530         if ( BIO_seek(in, mark) < 0 ) {
 531             log_openssl();
 532             throw XMLSecurityException("getEncodingFormat: BIO_seek() can't reset the file position");
 533         }
 534     }
 535
 536     return format;
 537 }
 538
 539 // Convert key/cert format_t types to a human-meaningful string for debug output
 540 string FilesystemCredentialResolver::formatToString(format_t format) const
 541 {
 542     switch(format) {
 543         case PEM:
 544             return "PEM";
 545         case DER:
 546             return "DER";
 547         case _PKCS12:
 548             return "PKCS12";
 549         default:
 550             return "UNKNOWN";
 551     }
 552 }
 553
 554 // Convert key/cert raw XML format attribute (XMLCh[]) to format_t type
 555 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::xmlFormatToFormat(const XMLCh* format_xml) const
 556 {
 557     static const XMLCh cPEM[] = UNICODE_LITERAL_3(P,E,M);
 558     static const XMLCh cDER[] = UNICODE_LITERAL_3(D,E,R);
 559     static const XMLCh cPKCS12[] = { chLatin_P, chLatin_K, chLatin_C, chLatin_S, chDigit_1, chDigit_2, chNull };
 560     format_t format;
 561
 562     if (!XMLString::compareString(format_xml,cPEM))
 563         format=PEM;
 564     else if (!XMLString::compareString(format_xml,cDER))
 565         format=DER;
 566     else if (!XMLString::compareString(format_xml,cPKCS12))
 567         format=_PKCS12;
 568     else
 569         format=UNKNOWN;
 570
 571     return format;
 572 }
 573
 574 void FilesystemCredentialResolver::attach(SSL_CTX* ctx) const
 575 {
 576 #ifdef _DEBUG
 577     NDC ndc("attach");
 578 #endif
 579
 580     if (m_keypath.empty())
 581         throw XMLSecurityException("No key available, unable to attach private key to SSL context.");
 582
 583     // Attach key.
 584     SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
 585     SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<char*>(m_keypass.c_str()));
 586
 587     int ret=0;
 588     switch (m_keyformat) {
 589         case PEM:
 590             ret=SSL_CTX_use_PrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 591             break;
 592
 593         case DER:
 594             ret=SSL_CTX_use_RSAPrivateKey_file(ctx, m_keypath.c_str(), m_keyformat);
 595             break;
 596
 597         default: {
 598             BIO* in=BIO_new(BIO_s_file_internal());
 599             if (in && BIO_read_filename(in,m_keypath.c_str())>0) {
 600                 EVP_PKEY* pkey=NULL;
 601                 PKCS12* p12 = d2i_PKCS12_bio(in, NULL);
 602                 if (p12) {
 603                     PKCS12_parse(p12, const_cast<char*>(m_keypass.c_str()), &pkey, NULL, NULL);
 604                     PKCS12_free(p12);
 605                     if (pkey) {
 606                         ret=SSL_CTX_use_PrivateKey(ctx, pkey);
 607                         EVP_PKEY_free(pkey);
 608                     }
 609                 }
 610             }
 611             if (in)
 612                 BIO_free(in);
 613         }
 614     }
 615
 616     if (ret!=1) {
 617         log_openssl();
 618         throw XMLSecurityException("Unable to attach private key to SSL context.");
 619     }
 620
 621     // Attach certs.
 622     for (vector<X509*>::const_iterator i=m_certs.begin(); i!=m_certs.end(); i++) {
 623         if (i==m_certs.begin()) {
 624             if (SSL_CTX_use_certificate(ctx, *i) != 1) {
 625                 log_openssl();
 626                 throw XMLSecurityException("Unable to attach client certificate to SSL context.");
 627             }
 628         }
 629         else {
 630             // When we add certs, they don't get ref counted, so we need to duplicate them.
 631             X509* dup = X509_dup(*i);
 632             if (SSL_CTX_add_extra_chain_cert(ctx, dup) != 1) {
 633                 X509_free(dup);
 634                 log_openssl();
 635                 throw XMLSecurityException("Unable to attach CA certificate to SSL context.");
 636             }
 637         }
 638     }
 639 }
 640
 641 void FilesystemCredential::addKeyNames(const DOMElement* e)
 642 {
 643     e = e ? XMLHelper::getFirstChildElement(e, Name) : NULL;
 644     while (e) {
 645         if (e->hasChildNodes()) {
 646             auto_ptr_char n(e->getFirstChild()->getNodeValue());
 647             if (n.get() && *n.get())
 648                 m_keyNames.insert(n.get());
 649         }
 650         e = XMLHelper::getNextSiblingElement(e, Name);
 651     }
 652 }
 653
 654 void FilesystemCredential::attach(SSL_CTX* ctx) const
 655 {
 656     return m_resolver->attach(ctx);
 657 }