Extend KeyResolver to include certificate resolution, add inline resolver.

git-svn-id: https://svn.middleware.georgetown.edu/cpp-xmltooling/trunk@144 de75baf8-a10c-0410-a50a-987c0e22f00f

diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am
index cdcd8b6..bd5c2d4 100644 (file)
--- a/xmltooling/Makefile.am
+++ b/xmltooling/Makefile.am
@@ -85,6 +85,8 @@ xmlsec_sources = \
        encryption/impl/Encrypter.cpp \
        signature/impl/CredentialResolver.cpp \
        signature/impl/FilesystemCredentialResolver.cpp \
+       signature/impl/InlineKeyResolver.cpp \
+       signature/impl/KeyResolver.cpp \
        signature/impl/SignatureValidator.cpp \
        signature/impl/XMLSecSignatureImpl.cpp
 else

diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp
index a5a4e3b..ae102b9 100644 (file)
--- a/xmltooling/XMLToolingConfig.cpp
+++ b/xmltooling/XMLToolingConfig.cpp
@@ -26,7 +26,7 @@
 #include "encryption/Encryption.h"
 #include "impl/UnknownElement.h"
 #include "signature/CredentialResolver.h"
-#include "signature/KeyInfo.h"
+#include "signature/KeyResolver.h"
 #include "signature/Signature.h"
 #include "util/NDC.h"
 #include "util/XMLConstants.h"
@@ -177,6 +177,7 @@ bool XMLToolingInternalConfig::init()
 #ifndef XMLTOOLING_NO_XMLSEC
         XMLObjectBuilder::registerBuilder(QName(XMLConstants::XMLSIG_NS,Signature::LOCAL_NAME),new SignatureBuilder());
         REGISTER_EXCEPTION_FACTORY(SignatureException,xmlsignature);
+        registerKeyResolvers();
         registerCredentialResolvers();
 #endif
     }

diff --git a/xmltooling/signature/KeyResolver.h b/xmltooling/signature/KeyResolver.h
index 2c88250..8a4774b 100644 (file)
--- a/xmltooling/signature/KeyResolver.h
+++ b/xmltooling/signature/KeyResolver.h
@@ -17,7 +17,8 @@
 /**\r
  * @file KeyResolver.h\r
  * \r
- * Resolves keys based on KeyInfo information or other external factors. \r
+ * Resolves public keys and certificates based on KeyInfo information or\r
+ * external factors. \r
  */\r
 \r
 #if !defined(__xmltooling_keyres_h__) && !defined(XMLTOOLING_NO_XMLSEC)\r
@@ -27,11 +28,17 @@
 \r
 #include <xsec/dsig/DSIGKeyInfoList.hpp>\r
 #include <xsec/enc/XSECCryptoKey.hpp>\r
+#include <xsec/enc/XSECCryptoX509.hpp>\r
+\r
+#include <vector>\r
 \r
 namespace xmlsignature {\r
 \r
     /**\r
-     * An API for resolving keys.\r
+     * An API for resolving keys. The default/simple implementation\r
+     * allows a hard-wired key to be supplied. This is mostly\r
+     * useful for testing, or to adapt another mechanism for supplying\r
+     * keys to this interface.\r
      */\r
     class XMLTOOL_API KeyResolver {\r
         MAKE_NONCOPYABLE(KeyResolver);\r
@@ -55,7 +62,7 @@ namespace xmlsignature {
          * @param keyInfo   the key information\r
          * @return  the resolved key\r
          */\r
-        virtual XSECCryptoKey* resolveKey(KeyInfo* keyInfo) {\r
+        virtual XSECCryptoKey* resolveKey(const KeyInfo* keyInfo) const {\r
             return m_key ? m_key->clone() : NULL;\r
         }\r
 \r
@@ -66,14 +73,48 @@ namespace xmlsignature {
          * @param keyInfo   the key information\r
          * @return  the resolved key\r
          */\r
-        virtual XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo=NULL) {\r
+        virtual XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo) const {\r
             return m_key ? m_key->clone() : NULL;\r
         }\r
+\r
+        /**\r
+         * Returns a set of certificates based on the supplied KeyInfo information.\r
+         * The certificates must be cloned if kept beyond the lifetime of the KeyInfo source.\r
+         * \r
+         * @param keyInfo   the key information\r
+         * @param certs     reference to vector to store certificates\r
+         * @return  number of certificates returned\r
+         */\r
+        virtual std::vector<XSECCryptoX509*>::size_type resolveCertificates(\r
+            const KeyInfo* keyInfo, std::vector<XSECCryptoX509*>& certs\r
+            ) const;\r
         \r
+        /**\r
+         * Returns a set of certificates based on the supplied KeyInfo information.\r
+         * The certificates must be cloned if kept beyond the lifetime of the KeyInfo source.\r
+         * \r
+         * @param keyInfo   the key information\r
+         * @param certs     reference to vector to store certificates\r
+         * @return  number of certificates returned\r
+         */\r
+        virtual std::vector<XSECCryptoX509*>::size_type resolveCertificates(\r
+            DSIGKeyInfoList* keyInfo, std::vector<XSECCryptoX509*>& certs \r
+            ) const;\r
+\r
     protected:\r
         XSECCryptoKey* m_key;\r
     };\r
 \r
+    /**\r
+     * Registers KeyResolver classes into the runtime.\r
+     */\r
+    void XMLTOOL_API registerKeyResolvers();\r
+\r
+    /** KeyResolver based on hard-wired key */\r
+    #define FILESYSTEM_KEY_RESOLVER  "org.opensaml.xmlooling.FilesystemKeyResolver"\r
+\r
+    /** KeyResolver based on extracting information directly out of a KeyInfo */\r
+    #define INLINE_KEY_RESOLVER  "org.opensaml.xmlooling.InlineKeyResolver"\r
 };\r
 \r
 #endif /* __xmltooling_keyres_h__ */\r

diff --git a/xmltooling/signature/impl/FilesystemCredentialResolver.cpp b/xmltooling/signature/impl/FilesystemCredentialResolver.cpp
index 86e70b1..c4362d5 100644 (file)
--- a/xmltooling/signature/impl/FilesystemCredentialResolver.cpp
+++ b/xmltooling/signature/impl/FilesystemCredentialResolver.cpp
@@ -21,13 +21,11 @@
  */\r
 \r
 #include "internal.h"\r
+#include "signature/KeyResolver.h"\r
 #include "signature/OpenSSLCredentialResolver.h"\r
 #include "util/NDC.h"\r
 #include "util/XMLHelper.h"\r
 \r
-using namespace xmlsignature;\r
-using namespace xmltooling;\r
-\r
 #include <sys/types.h>\r
 #include <sys/stat.h>\r
 #include <algorithm>\r
@@ -58,20 +56,31 @@ static int passwd_callback(char* buf, int len, int verify, void* passwd)
 }\r
 \r
 namespace xmlsignature {\r
-    class FilesystemCredentialResolver : public CredentialResolver\r
+    class FilesystemCredentialResolver : public OpenSSLCredentialResolver, public KeyResolver\r
     {\r
     public:\r
         FilesystemCredentialResolver(const DOMElement* e);\r
-        ~FilesystemCredentialResolver();\r
+        virtual ~FilesystemCredentialResolver();\r
 \r
         Lockable* lock() { return this; }\r
         void unlock() {}\r
         \r
         XSECCryptoKey* loadKey();\r
         \r
-        void attach(SSL_CTX* ctx) const;\r
-        XSECCryptoKey* getKey() const { return m_key->clone(); }\r
+        XSECCryptoKey* getKey() const { return m_key ? m_key->clone() : NULL; }\r
         const vector<XSECCryptoX509*>& getCertificates() const { return m_xseccerts; }\r
+        void attach(SSL_CTX* ctx) const;\r
+        \r
+        XSECCryptoKey* resolveKey(const KeyInfo* keyInfo) const { return m_key ? m_key->clone() : NULL; }\r
+        XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo) const { return m_key ? m_key->clone() : NULL; }\r
+        vector<XSECCryptoX509*>::size_type resolveCertificates(const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs) const {\r
+            certs.assign(m_xseccerts.begin(), m_xseccerts.end());\r
+            return certs.size();\r
+        }\r
+        vector<XSECCryptoX509*>::size_type resolveCertificates(DSIGKeyInfoList* keyInfo, vector<XSECCryptoX509*>& certs) const {\r
+            certs.assign(m_xseccerts.begin(), m_xseccerts.end());\r
+            return certs.size();\r
+        }\r
         \r
     private:\r
         enum format_t { PEM=SSL_FILETYPE_PEM, DER=SSL_FILETYPE_ASN1, _PKCS12, UNKNOWN };\r
@@ -91,6 +100,11 @@ namespace xmlsignature {
     {\r
         return new FilesystemCredentialResolver(e);\r
     }\r
+\r
+    KeyResolver* XMLTOOL_DLLLOCAL FilesystemKeyResolverFactory(const DOMElement* const & e)\r
+    {\r
+        return new FilesystemCredentialResolver(e);\r
+    }\r
 };\r
 \r
 static const XMLCh CAPath[] =           UNICODE_LITERAL_6(C,A,P,a,t,h);\r
@@ -100,7 +114,7 @@ static const XMLCh Key[] =              UNICODE_LITERAL_3(K,e,y);
 static const XMLCh password[] =         UNICODE_LITERAL_8(p,a,s,s,w,o,r,d);\r
 static const XMLCh Path[] =             UNICODE_LITERAL_4(P,a,t,h);\r
 \r
-FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e)\r
+FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) : m_key(NULL)\r
 {\r
 #ifdef _DEBUG\r
     NDC ndc("FilesystemCredentialResolver");\r
@@ -399,6 +413,7 @@ XSECCryptoKey* FilesystemCredentialResolver::loadKey()
 \r
 FilesystemCredentialResolver::~FilesystemCredentialResolver()\r
 {\r
+    delete m_key;\r
     for_each(m_certs.begin(),m_certs.end(),X509_free);\r
     for_each(m_xseccerts.begin(),m_xseccerts.end(),xmltooling::cleanup<XSECCryptoX509>());\r
 }\r

diff --git a/xmltooling/signature/impl/InlineKeyResolver.cpp b/xmltooling/signature/impl/InlineKeyResolver.cpp
new file mode 100644 (file)
index 0000000..c34db20
--- /dev/null
+++ b/xmltooling/signature/impl/InlineKeyResolver.cpp
@@ -0,0 +1,330 @@
+/*\r
+ *  Copyright 2001-2005 Internet2\r
+ * \r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ *     http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ */\r
+\r
+/**\r
+ * InlineKeyResolver.cpp\r
+ * \r
+ * Resolves key information directly from recognized KeyInfo structures.\r
+ */\r
+\r
+#include "internal.h"\r
+#include "signature/KeyResolver.h"\r
+#include "util/NDC.h"\r
+#include "util/Threads.h"\r
+\r
+#include <algorithm>\r
+#include <log4cpp/Category.hh>\r
+#include <xercesc/util/XMLUniDefs.hpp>\r
+#include <xsec/dsig/DSIGKeyInfoX509.hpp>\r
+#include <xsec/enc/XSECKeyInfoResolverDefault.hpp>\r
+#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>\r
+#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>\r
+#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>\r
+#include <xsec/enc/XSECCryptoException.hpp>\r
+#include <xsec/framework/XSECException.hpp>\r
+\r
+using namespace xmlsignature;\r
+using namespace xmltooling;\r
+using namespace log4cpp;\r
+using namespace std;\r
+\r
+namespace xmlsignature {\r
+    class XMLTOOL_DLLLOCAL InlineKeyResolver : public KeyResolver\r
+    {\r
+    public:\r
+        InlineKeyResolver(const DOMElement* e);\r
+        virtual ~InlineKeyResolver();\r
+\r
+        XSECCryptoKey* resolveKey(const KeyInfo* keyInfo) const;\r
+        XSECCryptoKey* resolveKey(DSIGKeyInfoList* keyInfo) const;\r
+        vector<XSECCryptoX509*>::size_type resolveCertificates(const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs) const;\r
+        vector<XSECCryptoX509*>::size_type resolveCertificates(DSIGKeyInfoList* keyInfo, vector<XSECCryptoX509*>& certs) const;\r
+        \r
+    private:\r
+        struct XMLTOOL_DLLLOCAL CacheEntry {\r
+            CacheEntry() : m_key(NULL) {}\r
+            ~CacheEntry() {\r
+                delete m_key;\r
+                for_each(m_certs.begin(),m_certs.end(),xmltooling::cleanup<XSECCryptoX509>());\r
+            }\r
+            XSECCryptoKey* m_key;\r
+            vector<XSECCryptoX509*> m_certs;\r
+        };\r
+\r
+        void _resolve(const KeyInfo* keyInfo, CacheEntry& entry) const;\r
+        XSECCryptoKey* _resolveKey(const KeyInfo* keyInfo) const;\r
+        vector<XSECCryptoX509*>::size_type _resolveCertificates(const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs) const;\r
+\r
+        RWLock* m_lock;\r
+        mutable map<const KeyInfo*,CacheEntry> m_cache;\r
+    };\r
+\r
+    KeyResolver* XMLTOOL_DLLLOCAL InlineKeyResolverFactory(const DOMElement* const & e)\r
+    {\r
+        return new InlineKeyResolver(e);\r
+    }\r
+};\r
+\r
+static const XMLCh cache[] = UNICODE_LITERAL_5(c,a,c,h,e);\r
+\r
+InlineKeyResolver::InlineKeyResolver(const DOMElement* e) : m_lock(NULL)\r
+{\r
+    const XMLCh* flag = e ? e->getAttributeNS(NULL,cache) : NULL;\r
+    if (flag && XMLString::equals(flag,XMLConstants::XML_TRUE) || XMLString::equals(flag,XMLConstants::XML_ONE))\r
+        m_lock=RWLock::create();\r
+}\r
+\r
+InlineKeyResolver::~InlineKeyResolver()\r
+{\r
+    m_cache.clear();\r
+    delete m_lock;\r
+}\r
+\r
+void InlineKeyResolver::_resolve(const KeyInfo* keyInfo, CacheEntry& entry) const\r
+{\r
+    if (_resolveCertificates(keyInfo, entry.m_certs)>0)\r
+        entry.m_key = entry.m_certs.front()->clonePublicKey();\r
+    else\r
+        entry.m_key = _resolveKey(keyInfo);\r
+}\r
+\r
+XSECCryptoKey* InlineKeyResolver::_resolveKey(const KeyInfo* keyInfo) const\r
+{\r
+#ifdef _DEBUG\r
+    NDC ndc("_resolveKey");\r
+#endif\r
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver");\r
+\r
+    // Check for ds:X509Data\r
+    const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();\r
+    for (vector<X509Data*>::const_iterator j=x509Datas.begin(); j!=x509Datas.end(); ++j) {\r
+        try {\r
+            const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();\r
+            if (!x509Certs.empty()) {\r
+                auto_ptr_char x(x509Certs.front()->getValue());\r
+                if (!x.get()) {\r
+                    log.warn("skipping empty ds:X509Certificate");\r
+                }\r
+                else {\r
+                    log.debug("resolving ds:X509Certificate");\r
+                    auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());\r
+                    x509->loadX509Base64Bin(x.get(), strlen(x.get()));\r
+                    return x509->clonePublicKey();\r
+                }\r
+            }\r
+        }\r
+        catch(XSECException& e) {\r
+            auto_ptr_char temp(e.getMsg());\r
+            log.error("caught XML-Security exception loading certificate: %s", temp.get());\r
+        }\r
+        catch(XSECCryptoException& e) {\r
+            log.error("caught XML-Security exception loading certificate: %s", e.getMsg());\r
+        }\r
+    }\r
+\r
+    // Check for ds:KeyValue\r
+    const vector<KeyValue*>& keyValues = keyInfo->getKeyValues();\r
+    for (vector<KeyValue*>::const_iterator i=keyValues.begin(); i!=keyValues.end(); ++i) {\r
+        try {\r
+            KeyInfoSchemaValidators.validate(*i);    // see if it's a "valid" key\r
+            RSAKeyValue* rsakv = (*i)->getRSAKeyValue();\r
+            if (rsakv) {\r
+                log.debug("resolving ds:RSAKeyValue");\r
+                auto_ptr_char mod(rsakv->getModulus()->getValue());\r
+                auto_ptr_char exp(rsakv->getExponent()->getValue());\r
+                auto_ptr<XSECCryptoKeyRSA> rsa(XSECPlatformUtils::g_cryptoProvider->keyRSA());\r
+                rsa->loadPublicModulusBase64BigNums(mod.get(), strlen(mod.get()));\r
+                rsa->loadPublicExponentBase64BigNums(exp.get(), strlen(exp.get()));\r
+                return rsa.release();\r
+            }\r
+            DSAKeyValue* dsakv = (*i)->getDSAKeyValue();\r
+            if (dsakv) {\r
+                log.debug("resolving ds:DSAKeyValue");\r
+                auto_ptr<XSECCryptoKeyDSA> dsa(XSECPlatformUtils::g_cryptoProvider->keyDSA());\r
+                auto_ptr_char y(dsakv->getY()->getValue());\r
+                dsa->loadYBase64BigNums(y.get(), strlen(y.get()));\r
+                if (dsakv->getP()) {\r
+                    auto_ptr_char p(dsakv->getP()->getValue());\r
+                    dsa->loadPBase64BigNums(p.get(), strlen(p.get()));\r
+                }\r
+                if (dsakv->getQ()) {\r
+                    auto_ptr_char q(dsakv->getQ()->getValue());\r
+                    dsa->loadQBase64BigNums(q.get(), strlen(q.get()));\r
+                }\r
+                if (dsakv->getG()) {\r
+                    auto_ptr_char g(dsakv->getG()->getValue());\r
+                    dsa->loadGBase64BigNums(g.get(), strlen(g.get()));\r
+                }\r
+                return dsa.release();\r
+            }\r
+        }\r
+        catch (ValidationException& ex) {\r
+            log.warn("skipping invalid ds:KeyValue (%s)", ex.what());\r
+        }\r
+        catch(XSECException& e) {\r
+            auto_ptr_char temp(e.getMsg());\r
+            log.error("caught XML-Security exception loading key: %s", temp.get());\r
+        }\r
+        catch(XSECCryptoException& e) {\r
+            log.error("caught XML-Security exception loading key: %s", e.getMsg());\r
+        }\r
+    }\r
+\r
+    log.warn("unable to resolve key");\r
+    return NULL;\r
+}\r
+\r
+vector<XSECCryptoX509*>::size_type InlineKeyResolver::_resolveCertificates(\r
+    const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs\r
+    ) const\r
+{\r
+#ifdef _DEBUG\r
+    NDC ndc("_resolveCertificates");\r
+#endif\r
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver");\r
+\r
+    // Check for ds:X509Data\r
+    const vector<X509Data*>& x509Datas=keyInfo->getX509Datas();\r
+    for (vector<X509Data*>::const_iterator j=x509Datas.begin(); certs.empty() && j!=x509Datas.end(); ++j) {\r
+        const vector<X509Certificate*> x509Certs=const_cast<const X509Data*>(*j)->getX509Certificates();\r
+        for (vector<X509Certificate*>::const_iterator k=x509Certs.begin(); k!=x509Certs.end(); ++k) {\r
+            try {\r
+                auto_ptr_char x((*k)->getValue());\r
+                if (!x.get()) {\r
+                    log.warn("skipping empty ds:X509Certificate");\r
+                }\r
+                else {\r
+                    log.debug("resolving ds:X509Certificate");\r
+                    auto_ptr<XSECCryptoX509> x509(XSECPlatformUtils::g_cryptoProvider->X509());\r
+                    x509->loadX509Base64Bin(x.get(), strlen(x.get()));\r
+                    certs.push_back(x509.release());\r
+                }\r
+            }\r
+            catch(XSECException& e) {\r
+                auto_ptr_char temp(e.getMsg());\r
+                log.error("caught XML-Security exception loading certificate: %s", temp.get());\r
+            }\r
+            catch(XSECCryptoException& e) {\r
+                log.error("caught XML-Security exception loading certificate: %s", e.getMsg());\r
+            }\r
+        }\r
+    }\r
+    if (log.isDebugEnabled()) {\r
+        log.debug("resolved %d certificate%s", certs.size(), certs.size()==1 ? "" : "s");\r
+    }\r
+    return certs.size();\r
+}\r
+\r
+XSECCryptoKey* InlineKeyResolver::resolveKey(const KeyInfo* keyInfo) const\r
+{\r
+    // Caching?\r
+    if (m_lock) {\r
+        // Get read lock.\r
+        m_lock->rdlock();\r
+        map<const KeyInfo*,CacheEntry>::iterator i=m_cache.find(keyInfo);\r
+        if (i != m_cache.end()) {\r
+            // Found in cache, so just return the results.\r
+            SharedLock locker(m_lock,false);\r
+            return i->second.m_key ? i->second.m_key->clone() : NULL;\r
+        }\r
+        else {\r
+            // Elevate lock.\r
+            m_lock->unlock();\r
+            m_lock->wrlock();\r
+            SharedLock locker(m_lock,false);\r
+            // Recheck cache.\r
+            i=m_cache.find(keyInfo);\r
+            if (i == m_cache.end()) {\r
+                i = m_cache.insert(make_pair(keyInfo,CacheEntry())).first;\r
+                _resolve(i->first, i->second);\r
+            }\r
+            return i->second.m_key ? i->second.m_key->clone() : NULL;\r
+        }\r
+    }\r
+    return _resolveKey(keyInfo);\r
+}\r
+\r
+vector<XSECCryptoX509*>::size_type InlineKeyResolver::resolveCertificates(\r
+    const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs\r
+    ) const\r
+{\r
+    // Caching?\r
+    if (m_lock) {\r
+        // Get read lock.\r
+        m_lock->rdlock();\r
+        map<const KeyInfo*,CacheEntry>::iterator i=m_cache.find(keyInfo);\r
+        if (i != m_cache.end()) {\r
+            // Found in cache, so just return the results.\r
+            SharedLock locker(m_lock,false);\r
+            certs.assign(i->second.m_certs.begin(), i->second.m_certs.end());\r
+            return certs.size();\r
+        }\r
+        else {\r
+            // Elevate lock.\r
+            m_lock->unlock();\r
+            m_lock->wrlock();\r
+            SharedLock locker(m_lock,false);\r
+            // Recheck cache.\r
+            i=m_cache.find(keyInfo);\r
+            if (i == m_cache.end()) {\r
+                i = m_cache.insert(make_pair(keyInfo,CacheEntry())).first;\r
+                _resolve(i->first, i->second);\r
+            }\r
+            certs.assign(i->second.m_certs.begin(), i->second.m_certs.end());\r
+            return certs.size();\r
+        }\r
+    }\r
+    return _resolveCertificates(keyInfo, certs);\r
+}\r
+\r
+XSECCryptoKey* InlineKeyResolver::resolveKey(DSIGKeyInfoList* keyInfo) const\r
+{\r
+#ifdef _DEBUG\r
+    NDC ndc("_resolveKey");\r
+#endif\r
+\r
+    // Default resolver handles RSA/DSAKeyValue and X509Certificate elements.\r
+    try {\r
+        XSECKeyInfoResolverDefault def;\r
+        return def.resolveKey(keyInfo);\r
+    }\r
+    catch(XSECException& e) {\r
+        auto_ptr_char temp(e.getMsg());\r
+        Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading certificate: %s", temp.get());\r
+    }\r
+    catch(XSECCryptoException& e) {\r
+        Category::getInstance(XMLTOOLING_LOGCAT".KeyResolver").error("caught XML-Security exception loading certificate: %s", e.getMsg());\r
+    }\r
+    return NULL;\r
+}\r
+\r
+vector<XSECCryptoX509*>::size_type InlineKeyResolver::resolveCertificates(\r
+    DSIGKeyInfoList* keyInfo, vector<XSECCryptoX509*>& certs\r
+    ) const\r
+{\r
+    certs.clear();\r
+       DSIGKeyInfoList::size_type sz = keyInfo->getSize();\r
+    for (DSIGKeyInfoList::size_type i=0; certs.empty() && i<sz; ++i) {\r
+        if (keyInfo->item(i)->getKeyInfoType()==DSIGKeyInfo::KEYINFO_X509) {\r
+            DSIGKeyInfoX509* x509 = static_cast<DSIGKeyInfoX509*>(keyInfo->item(i));\r
+            int count = x509->getCertificateListSize();\r
+            for (int j=0; j<count; ++j) {\r
+                certs.push_back(x509->getCertificateCryptoItem(j));\r
+            }\r
+        }\r
+    }\r
+    return certs.size();\r
+}\r

diff --git a/xmltooling/signature/impl/KeyResolver.cpp b/xmltooling/signature/impl/KeyResolver.cpp
new file mode 100644 (file)
index 0000000..65925e0
--- /dev/null
+++ b/xmltooling/signature/impl/KeyResolver.cpp
@@ -0,0 +1,54 @@
+/*
+ *  Copyright 2001-2006 Internet2
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * KeyResolver.cpp
+ * 
+ * Registration of factories for built-in resolvers
+ */
+
+#include "internal.h"
+#include "signature/KeyResolver.h"
+
+using namespace xmlsignature;
+using namespace xmltooling;
+using namespace std;
+
+namespace xmlsignature {
+    XMLTOOL_DLLLOCAL PluginManager<KeyResolver,const DOMElement*>::Factory FilesystemKeyResolverFactory;
+    XMLTOOL_DLLLOCAL PluginManager<KeyResolver,const DOMElement*>::Factory InlineKeyResolverFactory;
+};
+
+void XMLTOOL_API xmlsignature::registerKeyResolvers()
+{
+    XMLToolingConfig& conf=XMLToolingConfig::getConfig();
+    conf.KeyResolverManager.registerFactory(FILESYSTEM_KEY_RESOLVER, FilesystemKeyResolverFactory);
+    conf.KeyResolverManager.registerFactory(INLINE_KEY_RESOLVER, InlineKeyResolverFactory);
+}
+
+vector<XSECCryptoX509*>::size_type KeyResolver::resolveCertificates(
+    const KeyInfo* keyInfo, vector<XSECCryptoX509*>& certs
+    ) const
+{
+    return 0;
+}
+
+vector<XSECCryptoX509*>::size_type KeyResolver::resolveCertificates(
+    DSIGKeyInfoList* keyInfo, vector<XSECCryptoX509*>& certs
+    ) const
+{
+    return 0;
+}

diff --git a/xmltooling/xmltooling.vcproj b/xmltooling/xmltooling.vcproj
index 51492df..9f6a1ff 100644 (file)
--- a/xmltooling/xmltooling.vcproj
+++ b/xmltooling/xmltooling.vcproj
@@ -300,6 +300,10 @@
                                                >\r
                                        </File>\r
                                        <File\r
+                                               RelativePath=".\signature\impl\InlineKeyResolver.cpp"\r
+                                               >\r
+                                       </File>\r
+                                       <File\r
                                                RelativePath=".\signature\impl\KeyInfoImpl.cpp"\r
                                                >\r
                                        </File>\r
@@ -308,6 +312,10 @@
                                                >\r
                                        </File>\r
                                        <File\r
+                                               RelativePath=".\signature\impl\KeyResolver.cpp"\r
+                                               >\r
+                                       </File>\r
+                                       <File\r
                                                RelativePath=".\signature\impl\SignatureValidator.cpp"\r
                                                >\r
                                        </File>\r

diff --git a/xmltoolingtest/InlineKeyResolverTest.h b/xmltoolingtest/InlineKeyResolverTest.h
new file mode 100644 (file)
index 0000000..1c9e39e
--- /dev/null
+++ b/xmltoolingtest/InlineKeyResolverTest.h
@@ -0,0 +1,59 @@
+/*\r
+ *  Copyright 2001-2005 Internet2\r
+ * \r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ *     http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ */\r
+\r
+#include "XMLObjectBaseTestCase.h"\r
+\r
+#include <fstream>\r
+#include <xmltooling/signature/KeyResolver.h>\r
+\r
+using namespace xmlsignature;\r
+\r
+class InlineKeyResolverTest : public CxxTest::TestSuite {\r
+    KeyResolver* m_resolver;\r
+public:\r
+    InlineKeyResolverTest() : m_resolver(NULL) {}\r
+\r
+    void setUp() {\r
+        string config = data_path + "InlineKeyResolver.xml";\r
+        ifstream in(config.c_str());\r
+        DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);\r
+        XercesJanitor<DOMDocument> janitor(doc);\r
+        m_resolver=XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(INLINE_KEY_RESOLVER,doc->getDocumentElement());\r
+    }\r
+\r
+    void tearDown() {\r
+        delete m_resolver;\r
+        m_resolver=NULL;\r
+    }\r
+\r
+    void testResolver() {\r
+        string path=data_path + "KeyInfo1.xml";\r
+        ifstream fs(path.c_str());\r
+        DOMDocument* doc=XMLToolingConfig::getConfig().getValidatingParser().parse(fs);\r
+        TS_ASSERT(doc!=NULL);\r
+        const XMLObjectBuilder* b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());\r
+        TS_ASSERT(b!=NULL);\r
+        auto_ptr<KeyInfo> kiObject(dynamic_cast<KeyInfo*>(b->buildFromDocument(doc)));\r
+        TS_ASSERT(kiObject.get()!=NULL);\r
+\r
+        auto_ptr<XSECCryptoKey> key(m_resolver->resolveKey(kiObject.get()));\r
+        TSM_ASSERT("Unable to resolve public key.", key.get()!=NULL);\r
+        TSM_ASSERT_EQUALS("Unexpected key type.", key->getKeyType(), XSECCryptoKey::KEY_RSA_PUBLIC);\r
+\r
+        vector<XSECCryptoX509*> certs;\r
+        TSM_ASSERT_EQUALS("Wrong certificate count.", m_resolver->resolveCertificates(kiObject.get(), certs), 1);\r
+    }\r
+};\r

diff --git a/xmltoolingtest/Makefile.am b/xmltoolingtest/Makefile.am
index 4525b08..9430f41 100644 (file)
--- a/xmltoolingtest/Makefile.am
+++ b/xmltoolingtest/Makefile.am
@@ -11,6 +11,7 @@ if BUILD_XMLSEC
 xmlsec_sources = \
     EncryptionTest.h \
     FilesystemCredentialResolverTest.h \
+    InlineKeyResolverTest.h \
     SignatureTest.h
 else
 xmlsec_sources =

diff --git a/xmltoolingtest/data/InlineKeyResolver.xml b/xmltoolingtest/data/InlineKeyResolver.xml
new file mode 100644 (file)
index 0000000..a7dbb84
--- /dev/null
+++ b/xmltoolingtest/data/InlineKeyResolver.xml
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<InlineKeyResolver cache="true"/>

diff --git a/xmltoolingtest/xmltoolingtest.vcproj b/xmltoolingtest/xmltoolingtest.vcproj
index 3bf88f1..8d365db 100644 (file)
--- a/xmltoolingtest/xmltoolingtest.vcproj
+++ b/xmltoolingtest/xmltoolingtest.vcproj
@@ -196,6 +196,10 @@
                                >\r
                        </File>\r
                        <File\r
+                               RelativePath=".\InlineKeyResolverTest.cpp"\r
+                               >\r
+                       </File>\r
+                       <File\r
                                RelativePath=".\KeyInfoTest.cpp"\r
                                >\r
                        </File>\r
@@ -310,6 +314,28 @@
                                </FileConfiguration>\r
                        </File>\r
                        <File\r
+                               RelativePath=".\InlineKeyResolverTest.h"\r
+                               >\r
+                               <FileConfiguration\r
+                                       Name="Debug|Win32"\r
+                                       >\r
+                                       <Tool\r
+                                               Name="VCCustomBuildTool"\r
+                                               CommandLine="\perl\bin\perl.exe -w \cxxtest\cxxtestgen.pl --part --have-eh --have-std --abort-on-fail -o &quot;$(InputName)&quot;.cpp &quot;$(InputPath)&quot;"\r
+                                               Outputs="&quot;$(InputName)&quot;.cpp"\r
+                                       />\r
+                               </FileConfiguration>\r
+                               <FileConfiguration\r
+                                       Name="Release|Win32"\r
+                                       >\r
+                                       <Tool\r
+                                               Name="VCCustomBuildTool"\r
+                                               CommandLine="\perl\bin\perl.exe -w \cxxtest\cxxtestgen.pl --part --have-eh --have-std --abort-on-fail -o &quot;$(InputName)&quot;.cpp &quot;$(InputPath)&quot;"\r
+                                               Outputs="&quot;$(InputName)&quot;.cpp"\r
+                                       />\r
+                               </FileConfiguration>\r
+                       </File>\r
+                       <File\r
                                RelativePath=".\KeyInfoTest.h"\r
                                >\r
                                <FileConfiguration\r