#define __xmltooling_decrypter_h__
#include <xmltooling/encryption/Encryption.h>
-#include <xmltooling/security/KeyResolver.h>
-#include <xsec/enc/XSECCryptoKey.hpp>
#include <xsec/xenc/XENCCipher.hpp>
+namespace xmltooling {
+ class XMLTOOL_API CredentialResolver;
+ class XMLTOOL_API KeyResolver;
+};
+
namespace xmlencryption {
/**
public:
/**
* Constructor.
- * Resolvers will be deleted when Decrypter is.
*
- * @param KEKresolver resolves key decryption key
- * @param resolver resolves data decryption key
+ * @param KEKresolver locked credential resolver to supply key decryption key
+ * @param resolver directly or indirectly resolves the data decryption key
*/
- Decrypter(xmltooling::KeyResolver* KEKresolver=NULL, xmltooling::KeyResolver* resolver=NULL)
- : m_cipher(NULL), m_resolver(resolver), m_KEKresolver(KEKresolver) {
+ Decrypter(const xmltooling::CredentialResolver* KEKresolver=NULL, const xmltooling::KeyResolver* resolver=NULL)
+ : m_cipher(NULL), m_KEKresolver(KEKresolver), m_resolver(resolver) {
}
~Decrypter();
*
* @param resolver the KeyResolver to attach
*/
- void setKeyResolver(xmltooling::KeyResolver* resolver) {
- delete m_resolver;
+ void setKeyResolver(const xmltooling::KeyResolver* resolver) {
m_resolver=resolver;
}
/**
- * Replace the current key encryption KeyResolver interface, if any, with a new one.
+ * Replace the current key encryption CredentialResolver interface, if any, with a new one.
*
- * @param resolver the KeyResolver to attach
+ * @param resolver the locked CredentialResolver to attach
*/
- void setKEKResolver(xmltooling::KeyResolver* resolver) {
- delete m_KEKresolver;
+ void setKEKResolver(const xmltooling::CredentialResolver* resolver) {
m_KEKresolver=resolver;
}
* approach should be to unmarshall the DOM and then release it, or the
* DOM can also be imported into a separately owned document.
*
- * @param encryptedData the encrypted data to decrypt
+ * @param encryptedData the data to decrypt
* @return the decrypted DOM fragment
*/
- DOMDocumentFragment* decryptData(EncryptedData* encryptedData);
+ DOMDocumentFragment* decryptData(EncryptedData& encryptedData);
/**
* Decrypts the supplied information and returns the resulting key.
* @param algorithm the algorithm associated with the decrypted key
* @return the decrypted key
*/
- XSECCryptoKey* decryptKey(EncryptedKey* encryptedKey, const XMLCh* algorithm);
+ XSECCryptoKey* decryptKey(EncryptedKey& encryptedKey, const XMLCh* algorithm);
private:
XENCCipher* m_cipher;
- xmltooling::KeyResolver* m_resolver;
- xmltooling::KeyResolver* m_KEKresolver;
+ const xmltooling::CredentialResolver* m_KEKresolver;
+ const xmltooling::KeyResolver* m_resolver;
};
DECL_XMLTOOLING_EXCEPTION(DecryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLToolingException,Exceptions in decryption processing);
virtual ~EncryptedKeyResolver() {}
/**
- * Returns an encrypted key based on the supplied KeyInfo information.
+ * Returns an encrypted key based on the supplied object's KeyInfo information.
*
* @param encryptedData an encrypted object
* @return the resolved EncryptedKey object
*/
- virtual EncryptedKey* resolveKey(EncryptedData* encryptedData)=0;
+ virtual EncryptedKey* resolveKey(EncryptedData& encryptedData) const=0;
};
};
#include "internal.h"
#include "encryption/Decrypter.h"
#include "encryption/EncryptedKeyResolver.h"
+#include "security/CredentialResolver.h"
#include <log4cpp/Category.hh>
#include <xsec/enc/XSECCryptoException.hpp>
{
if (m_cipher)
XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->releaseCipher(m_cipher);
- delete m_resolver;
- delete m_KEKresolver;
}
-DOMDocumentFragment* Decrypter::decryptData(EncryptedData* encryptedData)
+DOMDocumentFragment* Decrypter::decryptData(EncryptedData& encryptedData)
{
- if (encryptedData->getDOM()==NULL)
+ if (encryptedData.getDOM()==NULL)
throw DecryptionException("The object must be marshalled before decryption.");
// We can reuse the cipher object if the document hasn't changed.
- if (m_cipher && m_cipher->getDocument()!=encryptedData->getDOM()->getOwnerDocument()) {
+ if (m_cipher && m_cipher->getDocument()!=encryptedData.getDOM()->getOwnerDocument()) {
XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->releaseCipher(m_cipher);
m_cipher=NULL;
}
if (!m_cipher)
- m_cipher=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newCipher(encryptedData->getDOM()->getOwnerDocument());
+ m_cipher=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newCipher(encryptedData.getDOM()->getOwnerDocument());
try {
// Resolve decryption key.
XSECCryptoKey* key=NULL;
if (m_resolver)
- key=m_resolver->resolveKey(encryptedData->getKeyInfo());
+ key=m_resolver->resolveKey(encryptedData.getKeyInfo());
if (!key && m_KEKresolver) {
// See if there's an encrypted key available. We'll need the algorithm...
const XMLCh* algorithm=
- encryptedData->getEncryptionMethod() ? encryptedData->getEncryptionMethod()->getAlgorithm() : NULL;
+ encryptedData.getEncryptionMethod() ? encryptedData.getEncryptionMethod()->getAlgorithm() : NULL;
if (!algorithm)
throw DecryptionException("No EncryptionMethod/@Algorithm set, key decryption cannot proceed.");
- if (encryptedData->getKeyInfo()) {
- const vector<XMLObject*>& others=const_cast<const KeyInfo*>(encryptedData->getKeyInfo())->getUnknownXMLObjects();
+ if (encryptedData.getKeyInfo()) {
+ const vector<XMLObject*>& others=const_cast<const KeyInfo*>(encryptedData.getKeyInfo())->getUnknownXMLObjects();
for (vector<XMLObject*>::const_iterator i=others.begin(); i!=others.end(); i++) {
EncryptedKey* encKey=dynamic_cast<EncryptedKey*>(*i);
if (encKey) {
try {
- key=decryptKey(encKey, algorithm);
+ key=decryptKey(*encKey, algorithm);
}
catch (DecryptionException& e) {
log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Decrypter").warn(e.what());
if (!key) {
// Check for a non-trivial resolver.
- EncryptedKeyResolver* ekr=dynamic_cast<EncryptedKeyResolver*>(m_resolver);
+ const EncryptedKeyResolver* ekr=dynamic_cast<const EncryptedKeyResolver*>(m_resolver);
if (ekr) {
EncryptedKey* encKey=ekr->resolveKey(encryptedData);
if (encKey) {
try {
- key=decryptKey(encKey, algorithm);
+ key=decryptKey(*encKey, algorithm);
}
catch (DecryptionException& e) {
log4cpp::Category::getInstance(XMLTOOLING_LOGCAT".Decrypter").warn(e.what());
throw DecryptionException("Unable to resolve a decryption key.");
m_cipher->setKey(key);
- DOMNode* ret=m_cipher->decryptElementDetached(encryptedData->getDOM());
+ DOMNode* ret=m_cipher->decryptElementDetached(encryptedData.getDOM());
if (ret->getNodeType()!=DOMNode::DOCUMENT_FRAGMENT_NODE) {
ret->release();
throw DecryptionException("Decryption operation did not result in DocumentFragment.");
}
}
-XSECCryptoKey* Decrypter::decryptKey(EncryptedKey* encryptedKey, const XMLCh* algorithm)
+XSECCryptoKey* Decrypter::decryptKey(EncryptedKey& encryptedKey, const XMLCh* algorithm)
{
- if (encryptedKey->getDOM()==NULL)
+ if (encryptedKey.getDOM()==NULL)
throw DecryptionException("The object must be marshalled before decryption.");
// We can reuse the cipher object if the document hasn't changed.
- if (m_cipher && m_cipher->getDocument()!=encryptedKey->getDOM()->getOwnerDocument()) {
+ if (m_cipher && m_cipher->getDocument()!=encryptedKey.getDOM()->getOwnerDocument()) {
XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->releaseCipher(m_cipher);
m_cipher=NULL;
}
if (!m_cipher)
- m_cipher=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newCipher(encryptedKey->getDOM()->getOwnerDocument());
+ m_cipher=XMLToolingInternalConfig::getInternalConfig().m_xsecProvider->newCipher(encryptedKey.getDOM()->getOwnerDocument());
try {
// Resolve key decryption key.
XSECCryptoKey* key=NULL;
if (m_KEKresolver)
- key=m_KEKresolver->resolveKey(encryptedKey->getKeyInfo());
+ key=m_KEKresolver->getKey(encryptedKey.getKeyInfo());
if (!key)
throw DecryptionException("Unable to resolve a key decryption key.");
m_cipher->setKEK(key);
XMLByte buffer[1024];
- int keySize = m_cipher->decryptKey(encryptedKey->getDOM(), buffer, 1024);
+ int keySize = m_cipher->decryptKey(encryptedKey.getDOM(), buffer, 1024);
if (keySize > 0) {
// Try to map the key.
XSECAlgorithmHandler* handler = XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(algorithm);
#include <xsec/enc/XSECCryptoKey.hpp>
#include <xsec/enc/XSECCryptoX509.hpp>
+namespace xmlsignature {
+ class XMLTOOL_API KeyInfo;
+};
+
namespace xmltooling {
/**
virtual ~CredentialResolver() {}
/**
- * Returns a secret or private key to use for signing operations.
+ * Returns a secret or private key to use for signing or decryption operations.
* The caller is responsible for deleting the key when finished with it.
*
+ * @param keyInfo optional material identifying a decryption key
* @return a secret or private key
*/
- virtual XSECCryptoKey* getKey() const=0;
+ virtual XSECCryptoKey* getKey(const xmlsignature::KeyInfo* keyInfo=NULL) const=0;
/**
* Returns a set of certificates to publish during signing operations.
XSECCryptoKey* loadKey();
- XSECCryptoKey* getKey() const { return m_key ? m_key->clone() : NULL; }
+ XSECCryptoKey* getKey(const KeyInfo* keyInfo=NULL) const { return m_key ? m_key->clone() : NULL; }
const vector<XSECCryptoX509*>& getCertificates() const { return m_xseccerts; }
void attach(SSL_CTX* ctx) const;
dynamic_cast<EncryptedData*>(XMLObjectBuilder::buildOneFromElement(doc2->getDocumentElement(),true))
);
- Decrypter decrypter(new KeyResolver(m_resolver->getKey()));
- DOMDocumentFragment* frag = decrypter.decryptData(encData2.get());
+ Decrypter decrypter(m_resolver);
+ DOMDocumentFragment* frag = decrypter.decryptData(*encData2.get());
XMLHelper::serialize(static_cast<DOMElement*>(frag->getFirstChild()), buf);
//TS_TRACE(buf.c_str());
TS_ASSERT(doc->getDocumentElement()->isEqualNode(frag->getFirstChild()));