signature/VerifyingContext.h
utilinclude_HEADERS = \
+ util/CredentialResolver.h \
util/DateTime.h \
util/NDC.h \
util/ParserPool.h \
* Abstract interface to objects that can be manipulated in and out of XML form. \r
*/\r
\r
-#if !defined(__xmltooling_xmlobj_h__)\r
+#ifndef __xmltooling_xmlobj_h__\r
#define __xmltooling_xmlobj_h__\r
\r
#include <set>\r
* @param sig a signature object\r
* @param ctx the signing context to associate with the signature \r
*/\r
- MarshallingContext(xmlsignature::Signature* sig, const xmlsignature::SigningContext* ctx) {\r
+ MarshallingContext(xmlsignature::Signature* sig, xmlsignature::SigningContext* ctx) {\r
m_signingContexts.push_back(std::make_pair(sig,ctx));\r
}\r
\r
/** Array of signing contexts, keyed off of the associated Signature */\r
- std::vector< std::pair<xmlsignature::Signature*,const xmlsignature::SigningContext*> > m_signingContexts;\r
+ std::vector< std::pair<xmlsignature::Signature*,xmlsignature::SigningContext*> > m_signingContexts;\r
#endif\r
};\r
\r
}\r
\r
#ifndef XMLTOOLING_NO_XMLSEC\r
- class _signit : public unary_function<const pair<Signature*,const SigningContext*>&, void> {\r
+ class _signit : public unary_function<const pair<Signature*,SigningContext*>&, void> {\r
public:\r
- void operator()(const pair<Signature*,const SigningContext*>& p) const {\r
+ void operator()(const pair<Signature*,SigningContext*>& p) const {\r
p.first->sign(*(p.second));\r
}\r
};\r
* @param ctx the signing context that determines the signature's content\r
* @throws SignatureException thrown if the signing operation fails\r
*/\r
- virtual void sign(const SigningContext& ctx)=0;\r
+ virtual void sign(SigningContext& ctx)=0;\r
\r
/**\r
* Verifies an XML signature based on the supplied context.\r
#define __xmltooling_signctx_h__\r
\r
#include <xmltooling/signature/KeyInfo.h>\r
+#include <xmltooling/util/CredentialResolver.h>\r
\r
#include <vector>\r
#include <xsec/dsig/DSIGSignature.hpp>\r
\r
/**\r
* Given a "blank" native signature, asks the context to define the\r
- * appropriate signature transforms, references, etc.\r
- * This method MAY attach ds:KeyInfo information, or a set of X.509\r
- * certificates can be returned from the SigningContext::getX509Certificates()\r
- * method instead.\r
+ * appropriate signature transforms, references, etc. The context\r
+ * should return true iff the necessary ds:KeyInfo information was\r
+ * also attached.\r
* \r
* @param sig native signature interface\r
+ * @return indicator whether ds:KeyInfo was created by context\r
*/\r
- virtual void createSignature(DSIGSignature* sig) const=0;\r
+ virtual bool createSignature(DSIGSignature* sig)=0;\r
\r
/**\r
- * Gets a reference to a collection of certificates to append to\r
- * the ds:KeyInfo element in a ds:X509Data chain.\r
- * The certificate corresponding to the signing key SHOULD be\r
- * first, followed by any additional intermediates to append. \r
+ * Gets a reference to a credential resolver.\r
+ * The resolver's certificates will be included in the signature only\r
+ * if the context returns false when creating the signature and returns\r
+ * NULL from the getKeyInfo() method.\r
* \r
- * @return an immutable collection of certificates to embed\r
+ * \r
+ * @return a resolver to the credentials to sign with\r
*/\r
- virtual const std::vector<XSECCryptoX509*>* getX509Certificates() const=0;\r
+ virtual xmltooling::CredentialResolver& getCredentialResolver()=0;\r
\r
/**\r
* Gets a KeyInfo structure to embed.\r
* Ownership of the object MUST be transferred to the caller.\r
- * This method will only be called if no certificates are returned from\r
- * the getX509Certificates() method.\r
* \r
* @return pointer to a KeyInfo structure, will be freed by caller\r
*/\r
- virtual KeyInfo* getKeyInfo() const=0;\r
+ virtual KeyInfo* getKeyInfo()=0;\r
\r
- /**\r
- * Gets the signing key to use.\r
- * Must be compatible with the intended signature algorithm. Ownership of the key\r
- * MUST be transferred to the caller.\r
- * \r
- * @return pointer to a signing key, will be freed by caller\r
- */\r
- virtual XSECCryptoKey* getSigningKey() const=0;\r
- \r
protected:\r
SigningContext() {}\r
};\r
void setCanonicalizationMethod(const XMLCh* c14n) { m_c14n = prepareForAssignment(m_c14n,c14n); }\r
void setSignatureAlgorithm(const XMLCh* sm) { m_sm = prepareForAssignment(m_sm,sm); }\r
\r
- void sign(const SigningContext& ctx);\r
+ void sign(SigningContext& ctx);\r
void verify(const VerifyingContext& ctx) const;\r
\r
private:\r
}\r
};\r
\r
-void XMLSecSignatureImpl::sign(const SigningContext& ctx)\r
+void XMLSecSignatureImpl::sign(SigningContext& ctx)\r
{\r
Category& log=Category::getInstance(XMLTOOLING_LOGCAT".Signature");\r
log.debug("applying signature");\r
\r
try {\r
log.debug("creating signature content");\r
- ctx.createSignature(m_signature);\r
- const std::vector<XSECCryptoX509*>* certs=ctx.getX509Certificates();\r
- if (certs && !certs->empty()) {\r
- DSIGKeyInfoX509* x509Data=m_signature->appendX509Data();\r
- for_each(certs->begin(),certs->end(),bind1st(_addcert(),x509Data));\r
- }\r
- else {\r
+ CredentialResolver& cr=ctx.getCredentialResolver();\r
+ if (!ctx.createSignature(m_signature)) {\r
auto_ptr<KeyInfo> keyInfo(ctx.getKeyInfo());\r
if (keyInfo.get()) {\r
DOMElement* domElement=keyInfo->marshall(m_signature->getParentDocument());\r
getDOM()->appendChild(domElement);\r
}\r
+ else {\r
+ Locker locker1(cr);\r
+ const std::vector<XSECCryptoX509*>* certs=cr.getX509Certificates();\r
+ if (certs && !certs->empty()) {\r
+ DSIGKeyInfoX509* x509Data=m_signature->appendX509Data();\r
+ for_each(certs->begin(),certs->end(),bind1st(_addcert(),x509Data));\r
+ }\r
+ }\r
}\r
\r
log.debug("computing signature");\r
- m_signature->setSigningKey(ctx.getSigningKey());\r
+ Locker locker2(cr);\r
+ XSECCryptoKey* key=cr.getPrivateKey();\r
+ if (!key)\r
+ throw SignatureException(string("Unable to obtain signing key from CredentialResolver (") + cr.getId() + ")");\r
+ m_signature->setSigningKey(key->clone());\r
m_signature->sign();\r
}\r
catch(XSECException& e) {\r
--- /dev/null
+/*\r
+ * Copyright 2001-2006 Internet2\r
+ * \r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ * http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ */\r
+\r
+/**\r
+ * @file CredentialResolver.h\r
+ * \r
+ * Provides access to keys and certificates.\r
+ */\r
+\r
+#if !defined(__xmltooling_credres_h__) && !defined(XMLTOOLING_NO_XMLSEC)\r
+#define __xmltooling_credres_h__\r
+\r
+#include <xmltooling/Lockable.h>\r
+\r
+#include <vector>\r
+#include <xsec/enc/XSECCryptoKey.hpp>\r
+#include <xsec/enc/XSECCryptoX509.hpp>\r
+\r
+namespace xmltooling {\r
+\r
+ /**\r
+ * An abstract interface to credential formats like files, keystores, hardware tokens, etc.\r
+ * All non-const methods require that the interface be locked.\r
+ */\r
+ class XMLTOOL_API CredentialResolver : public virtual Lockable\r
+ {\r
+ MAKE_NONCOPYABLE(CredentialResolver);\r
+ public:\r
+ virtual ~CredentialResolver() {}\r
+\r
+ /**\r
+ * Returns an identifier for the credential.\r
+ * \r
+ * @return the identifier\r
+ */\r
+ virtual const char* getId() const=0;\r
+\r
+ /**\r
+ * Gets the public key associated with the credential.\r
+ * The caller <strong>MUST NOT</strong> modify the object.\r
+ * \r
+ * @return the public key, or NULL\r
+ */\r
+ virtual XSECCryptoKey* getPublicKey()=0;\r
+\r
+ /**\r
+ * Gets the private key associated with the credential.\r
+ * The caller <strong>MUST NOT</strong> modify the object.\r
+ * \r
+ * @return the private key, or NULL\r
+ */\r
+ virtual XSECCryptoKey* getPrivateKey()=0;\r
+\r
+ /**\r
+ * Gets the certificate chain associated with the credential.\r
+ * The caller <strong>MUST NOT</strong> modify the objects.\r
+ * The EE certificate <strong>MUST</strong> be first.\r
+ * \r
+ * @return a chain of certificates, or NULL\r
+ */\r
+ virtual const std::vector<XSECCryptoX509*>* getX509Certificates()=0;\r
+ \r
+ protected:\r
+ CredentialResolver() {}\r
+ };\r
+\r
+};\r
+\r
+#endif /* __xmltooling_credres_h__ */\r
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>\r
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>\r
\r
-class TestContext : public SigningContext, public VerifyingContext\r
+class TestContext : public SigningContext, public VerifyingContext, CredentialResolver\r
{\r
XSECCryptoKey* m_key;\r
vector<XSECCryptoX509*> m_certs;\r
XMLString::release(&m_uri);\r
}\r
\r
- void createSignature(DSIGSignature* sig) const {\r
+ bool createSignature(DSIGSignature* sig) {\r
DSIGReference* ref=sig->createReference(m_uri);\r
ref->appendEnvelopedSignatureTransform();\r
ref->appendCanonicalizationTransform(CANON_C14NE_NOC);\r
+ return false;\r
}\r
\r
void verifySignature(DSIGSignature* sig) const {\r
sig->verify();\r
}\r
\r
- const std::vector<XSECCryptoX509*>* getX509Certificates() const { return &m_certs; }\r
- KeyInfo* getKeyInfo() const { return NULL; }\r
- XSECCryptoKey* getSigningKey() const { return m_key->clone(); }\r
+ KeyInfo* getKeyInfo() { return NULL; }\r
+ CredentialResolver& getCredentialResolver() { return *this; }\r
+ const char* getId() const { return "test"; }\r
+ const std::vector<XSECCryptoX509*>* getX509Certificates() { return &m_certs; }\r
+ XSECCryptoKey* getPublicKey() { return m_key; }\r
+ XSECCryptoKey* getPrivateKey() { return m_key; }\r
+ Lockable& lock() { return *this; }\r
+ void unlock() {}\r
};\r
\r
class SignatureTest : public CxxTest::TestSuite {\r