projects / shibboleth / xmltooling.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Support keyName in shorthand syntax.
[shibboleth/xmltooling.git] / xmltooling / security / impl / FilesystemCredentialResolver.cpp
diff --git a/xmltooling/security/impl/FilesystemCredentialResolver.cpp b/xmltooling/security/impl/FilesystemCredentialResolver.cpp
index 7bf0d0e..acd79c9 100644 (file)
--- a/xmltooling/security/impl/FilesystemCredentialResolver.cpp
+++ b/xmltooling/security/impl/FilesystemCredentialResolver.cpp
@@ -27,7 +27,9 @@
 #include "security/CredentialResolver.h"
 #include "security/KeyInfoResolver.h"
 #include "security/OpenSSLCredential.h"
+#include "security/OpenSSLCryptoX509CRL.h"
 #include "util/NDC.h"
+#include "util/PathResolver.h"
 #include "util/XMLHelper.h"
 
 #include <sys/types.h>
@@ -68,8 +70,9 @@ namespace xmltooling {
     class XMLTOOL_DLLLOCAL FilesystemCredential : public OpenSSLCredential, public BasicX509Credential
     {
     public:
-        FilesystemCredential(FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts)
-                : BasicX509Credential(key, xseccerts), m_resolver(resolver) {
+        FilesystemCredential(
+            FilesystemCredentialResolver* resolver, XSECCryptoKey* key, const std::vector<XSECCryptoX509*>& xseccerts, XSECCryptoX509CRL* crl=NULL
+            ) : BasicX509Credential(key, xseccerts, crl), m_resolver(resolver), m_usage(UNSPECIFIED_CREDENTIAL) {
             if (!m_xseccerts.empty())
                 extractNames(m_xseccerts.front(), m_keyNames);
             initKeyInfo();
@@ -77,12 +80,29 @@ namespace xmltooling {
         virtual ~FilesystemCredential() {
         }
 
+        unsigned int getUsage() const {
+            return m_usage;
+        }
+
+        void setUsage(const XMLCh* usage) {
+            if (usage && *usage) {
+                auto_ptr_char u(usage);
+                if (!strcmp(u.get(), "signing"))
+                    m_usage = SIGNING_CREDENTIAL | TLS_CREDENTIAL;
+                else if (!strcmp(u.get(), "TLS"))
+                    m_usage = TLS_CREDENTIAL;
+                else if (!strcmp(u.get(), "encryption"))
+                    m_usage = ENCRYPTION_CREDENTIAL;
+            }
+        }
+
         void addKeyNames(const DOMElement* e);
 
         void attach(SSL_CTX* ctx) const;
     
     private:
         FilesystemCredentialResolver* m_resolver;
+        unsigned int m_usage;
     };
 
 #if defined (_MSC_VER)
@@ -119,6 +139,7 @@ namespace xmltooling {
 
     private:
         XSECCryptoKey* loadKey();
+        XSECCryptoX509CRL* loadCRL();
         
         enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };
     
@@ -126,8 +147,8 @@ namespace xmltooling {
         string formatToString(format_t format) const;
         format_t xmlFormatToFormat(const XMLCh* format_xml) const;
     
-        format_t m_keyformat;
-        string m_keypath,m_keypass;
+        format_t m_keyformat,m_crlformat;
+        string m_keypath,m_keypass,m_crlpath;
         vector<X509*> m_certs;
         FilesystemCredential* m_credential;
     };
@@ -141,12 +162,15 @@ namespace xmltooling {
     static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);
     static const XMLCh Certificate[] =      UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
     static const XMLCh _certificate[] =     UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
+    static const XMLCh CRL[] =              UNICODE_LITERAL_3(C,R,L);
     static const XMLCh format[] =           UNICODE_LITERAL_6(f,o,r,m,a,t);
     static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
     static const XMLCh _key[] =             UNICODE_LITERAL_3(k,e,y);
+    static const XMLCh keyName[] =          UNICODE_LITERAL_7(k,e,y,N,a,m,e);
     static const XMLCh Name[] =             UNICODE_LITERAL_4(N,a,m,e);
     static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);
     static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);
+    static const XMLCh _use[] =             UNICODE_LITERAL_3(u,s,e);
 };
 
 FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_credential(NULL)
@@ -169,6 +193,11 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
             path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,_key)));
             if (e->hasAttributeNS(NULL,password))
                 child->setAttributeNS(NULL,password,e->getAttributeNS(NULL,password));
+            if (e->hasAttributeNS(NULL,keyName)) {
+                path = e->getOwnerDocument()->createElementNS(NULL,Name);
+                child->appendChild(path);
+                path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,keyName)));
+            }
         }
         if (e->hasAttributeNS(NULL,_certificate)) {
             child = e->getOwnerDocument()->createElementNS(NULL,Certificate);
@@ -181,9 +210,11 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
     }
     
     const DOMElement* root=e;
+    const XMLCh* usage = root->getAttributeNS(NULL,_use);
 
     XSECCryptoKey* key=NULL;
     vector<XSECCryptoX509*> xseccerts;
+    XSECCryptoX509CRL* crl=NULL;
 
     format_t fformat;
     const XMLCh* format_xml=NULL;
@@ -192,7 +223,6 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
     // Move to Key
     const DOMElement* keynode=XMLHelper::getFirstChildElement(root,Key);
     if (keynode) {
-
         // Get raw format attrib value, but defer processing til later since may need to 
         // determine format dynamically, and we need the Path for that.
         format_xml=keynode->getAttributeNS(NULL,format);
@@ -207,18 +237,19 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
         if (e && e->hasChildNodes()) {
             const XMLCh* s=e->getFirstChild()->getNodeValue();
             auto_ptr_char kpath(s);
+            m_keypath = kpath.get();
+            XMLToolingConfig::getConfig().getPathResolver()->resolve(m_keypath, PathResolver::XMLTOOLING_CFG_FILE);
 #ifdef WIN32
             struct _stat stat_buf;
-            if (_stat(kpath.get(), &stat_buf) != 0)
+            if (_stat(m_keypath.c_str(), &stat_buf) != 0)
 #else
             struct stat stat_buf;
-            if (stat(kpath.get(), &stat_buf) != 0)
+            if (stat(m_keypath.c_str(), &stat_buf) != 0)
 #endif
             {
-                log.error("key file (%s) can't be opened", kpath.get());
-                throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,kpath.get()));
+                log.error("key file (%s) can't be opened", m_keypath.c_str());
+                throw XMLSecurityException("FilesystemCredentialResolver can't access key file ($1)",params(1,m_keypath.c_str()));
             }
-            m_keypath=kpath.get();
         }
         else {
             log.error("Path element missing inside Key element");
@@ -255,12 +286,74 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
         // Load the key.
         key = loadKey();
     }
+    
+    // Check for CRL.
+    const DOMElement* crlnode=XMLHelper::getFirstChildElement(root,CRL);
+    if (crlnode) {
+        // Get raw format attrib value, but defer processing til later since may need to 
+        // determine format dynamically, and we need the Path for that.
+        format_xml=crlnode->getAttributeNS(NULL,format);
+            
+        e=XMLHelper::getFirstChildElement(crlnode,Path);
+        if (e && e->hasChildNodes()) {
+            const XMLCh* s=e->getFirstChild()->getNodeValue();
+            auto_ptr_char kpath(s);
+            m_crlpath=kpath.get();
+            XMLToolingConfig::getConfig().getPathResolver()->resolve(m_crlpath, PathResolver::XMLTOOLING_CFG_FILE);
+#ifdef WIN32
+            struct _stat stat_buf;
+            if (_stat(m_crlpath.c_str(), &stat_buf) != 0)
+#else
+            struct stat stat_buf;
+            if (stat(m_crlpath.c_str(), &stat_buf) != 0)
+#endif
+            {
+                log.error("CRL file (%s) can't be opened", m_crlpath.c_str());
+                throw XMLSecurityException("FilesystemCredentialResolver can't access CRL file ($1)",params(1,m_crlpath.c_str()));
+            }
+        }
+        else {
+            log.error("Path element missing inside CRL element");
+            throw XMLSecurityException("FilesystemCredentialResolver can't access CRL file, no Path element specified.");
+        }
+
+        // Determine the CRL encoding format dynamically, if not explicitly specified
+        if (format_xml && *format_xml) {
+            fformat = xmlFormatToFormat(format_xml);
+            if (fformat != UNKNOWN) {
+                m_crlformat = fformat;
+            }
+            else {
+                auto_ptr_char unknown(format_xml);
+                log.error("configuration specifies unknown CRL encoding format (%s)", unknown.get());
+                throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown CRL encoding format ($1)",params(1,unknown.get()));
+            }
+        }
+        else {
+            in=BIO_new(BIO_s_file_internal());
+            if (in && BIO_read_filename(in,m_crlpath.c_str())>0) {
+                m_crlformat = getEncodingFormat(in);
+                log.debug("CRL encoding format for (%s) dynamically resolved as (%s)", m_crlpath.c_str(), formatToString(m_crlformat).c_str());
+            }
+            else {
+                log.error("CRL file (%s) can't be read to determine encoding format", m_crlpath.c_str());
+                throw XMLSecurityException("FilesystemCredentialResolver can't read CRL file ($1) to determine encoding format",params(1,m_crlpath.c_str()));
+            }
+            if (in)
+                BIO_free(in);
+            in = NULL;
+        }
         
+        // Load the key.
+        crl = loadCRL();
+    }
+
     // Check for Certificate
     e=XMLHelper::getFirstChildElement(root,Certificate);
     if (!e) {
-        m_credential = new FilesystemCredential(this,key,xseccerts);
+        m_credential = new FilesystemCredential(this,key,xseccerts,crl);
         m_credential->addKeyNames(keynode);
+        m_credential->setUsage(usage);
         return;
     }
     auto_ptr_char certpass(e->getAttributeNS(NULL,password));
@@ -269,10 +362,14 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
     if (!ep || !ep->hasChildNodes()) {
         log.error("Path element missing inside Certificate element or is empty");
         delete key;
+        delete crl;
         throw XMLSecurityException("FilesystemCredentialResolver can't access certificate file, missing or empty Path element.");
     }
     
-    auto_ptr_char certpath(ep->getFirstChild()->getNodeValue());
+    auto_ptr_char certpath2(ep->getFirstChild()->getNodeValue());
+    string certpath(certpath2.get());
+    XMLToolingConfig::getConfig().getPathResolver()->resolve(certpath, PathResolver::XMLTOOLING_CFG_FILE);
+
     format_xml=e->getAttributeNS(NULL,format);
     if (format_xml && *format_xml) {
         fformat = xmlFormatToFormat(format_xml);
@@ -280,6 +377,7 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
             auto_ptr_char unknown(format_xml);
             log.error("configuration specifies unknown certificate encoding format (%s)", unknown.get());
             delete key;
+            delete crl;
             throw XMLSecurityException("FilesystemCredentialResolver configuration contains unknown certificate encoding format ($1)",params(1,unknown.get()));
         }
     }
@@ -288,11 +386,11 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
         X509* x=NULL;
         PKCS12* p12=NULL;
         in=BIO_new(BIO_s_file_internal());
-        if (in && BIO_read_filename(in,certpath.get())>0) {
+        if (in && BIO_read_filename(in,certpath.c_str())>0) {
             if (!format_xml || !*format_xml) {
                 // Determine the cert encoding format dynamically, if not explicitly specified
                 fformat = getEncodingFormat(in);
-                log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
+                log.debug("certificate encoding format for (%s) dynamically resolved as (%s)", certpath.c_str(), formatToString(fformat).c_str());
             }
 
             switch(fformat) {
@@ -308,7 +406,7 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
                     else {
                         log_openssl();
                         BIO_free(in);
-                        throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.get()));
+                        throw XMLSecurityException("FilesystemCredentialResolver unable to load DER certificate from file ($1)",params(1,certpath.c_str()));
                     }
                     break;
 
@@ -324,7 +422,7 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
                     } else {
                         log_openssl();
                         BIO_free(in);
-                        throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.get()));
+                        throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 certificate from file ($1)",params(1,certpath.c_str()));
                     }
                     break;
             } // end switch
@@ -335,7 +433,7 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
                 BIO_free(in);
                 in=NULL;
             }
-            throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.get()));
+            throw XMLSecurityException("FilesystemCredentialResolver unable to load certificate(s) from file ($1)",params(1,certpath.c_str()));
         }
         if (in) {
             BIO_free(in);
@@ -353,20 +451,22 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
                 extra = XMLHelper::getNextSiblingElement(extra,CAPath);
                 continue;
             }
-            auto_ptr_char capath(extra->getFirstChild()->getNodeValue());
+            auto_ptr_char capath2(extra->getFirstChild()->getNodeValue());
+            string capath(capath2.get());
+            XMLToolingConfig::getConfig().getPathResolver()->resolve(capath, PathResolver::XMLTOOLING_CFG_FILE);
             x=NULL;
             p12=NULL;
             in=BIO_new(BIO_s_file_internal());
-            if (in && BIO_read_filename(in,capath.get())>0) {
+            if (in && BIO_read_filename(in,capath.c_str())>0) {
                 if (!format_xml || !*format_xml) {
                     // Determine the cert encoding format dynamically, if not explicitly specified
                     fformat = getEncodingFormat(in);
-                    log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", certpath.get(), formatToString(fformat).c_str());
+                    log.debug("CA certificate encoding format for (%s) dynamically resolved as (%s)", capath.c_str(), formatToString(fformat).c_str());
                 }
 
                 switch (fformat) {
                     case PEM:
-                        while (x=PEM_read_bio_X509(in,NULL,passwd_callback,const_cast<char*>(certpass.get())))
+                        while (x=PEM_read_bio_X509(in,NULL,NULL,NULL))
                             m_certs.push_back(x);
                         break;
 
@@ -377,14 +477,14 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
                         else {
                             log_openssl();
                             BIO_free(in);
-                            throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.get()));
+                            throw XMLSecurityException("FilesystemCredentialResolver unable to load DER CA certificate from file ($1)",params(1,capath.c_str()));
                         }
                         break;
 
                     case _PKCS12:
                         p12 = d2i_PKCS12_bio(in, NULL);
                         if (p12) {
-                            PKCS12_parse(p12, certpass.get(), NULL, &x, NULL);
+                            PKCS12_parse(p12, NULL, NULL, &x, NULL);
                             PKCS12_free(p12);
                         }
                         if (x) {
@@ -394,7 +494,7 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
                         else {
                             log_openssl();
                             BIO_free(in);
-                            throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.get()));
+                            throw XMLSecurityException("FilesystemCredentialResolver unable to load PKCS12 CA certificate from file ($1)",params(1,capath.c_str()));
                         }
                         break;
                 } //end switch
@@ -405,8 +505,8 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
                 if (in)
                     BIO_free(in);
                 log_openssl();
-                log.error("CA file (%s) can't be opened", capath.get());
-                throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.get()));
+                log.error("CA file (%s) can't be opened", capath.c_str());
+                throw XMLSecurityException("FilesystemCredentialResolver can't open CA file ($1)",params(1,capath.c_str()));
             }
             
             extra = XMLHelper::getNextSiblingElement(extra,CAPath);
@@ -414,6 +514,7 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
     }
     catch (XMLToolingException&) {
         delete key;
+        delete crl;
         for_each(m_certs.begin(), m_certs.end(), X509_free);
         throw;
     }
@@ -423,8 +524,9 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)
         xseccerts.push_back(new OpenSSLCryptoX509(*j));
     if (!key && !xseccerts.empty())
         key = xseccerts.front()->clonePublicKey();
-    m_credential = new FilesystemCredential(this, key, xseccerts);
+    m_credential = new FilesystemCredential(this, key, xseccerts, crl);
     m_credential->addKeyNames(keynode);
+    m_credential->setUsage(usage);
 }
 
 XSECCryptoKey* FilesystemCredentialResolver::loadKey()
@@ -482,6 +584,39 @@ XSECCryptoKey* FilesystemCredentialResolver::loadKey()
     throw XMLSecurityException("FilesystemCredentialResolver unable to load private key from file."); 
 }
 
+XSECCryptoX509CRL* FilesystemCredentialResolver::loadCRL()
+{
+#ifdef _DEBUG
+    NDC ndc("loadCRL");
+#endif
+
+    X509_CRL* crl=NULL;
+    BIO* in=BIO_new(BIO_s_file_internal());
+    if (in && BIO_read_filename(in,m_crlpath.c_str())>0) {
+        switch (m_crlformat) {
+            case PEM:
+                crl=PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
+                break;
+            
+            case DER:
+                crl=d2i_X509_CRL_bio(in, NULL);
+                break;
+        }
+    }
+    if (in)
+        BIO_free(in);
+    
+    // Now map it to an XSEC wrapper.
+    if (crl) {
+        XSECCryptoX509CRL* ret=new OpenSSLCryptoX509CRL(crl);
+        X509_CRL_free(crl);
+        return ret;
+    }
+
+    log_openssl();
+    throw XMLSecurityException("FilesystemCredentialResolver unable to load CRL from file."); 
+}
+
 // Used to determine the encoding format of credentials files
 // dynamically. Supports: PEM, DER, PKCS12.
 FilesystemCredentialResolver::format_t FilesystemCredentialResolver::getEncodingFormat(BIO* in) const
Unnamed repository; edit this file 'description' to name the repository.