From: cantor Date: Tue, 23 Sep 2008 14:40:22 +0000 (+0000) Subject: https://bugs.internet2.edu/jira/browse/CPPOST-17 X-Git-Tag: 1.4.1~306 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fxmltooling.git;a=commitdiff_plain;h=19790c7f457fcbc9b43ea78e6e41e181ddfcc8ed https://bugs.internet2.edu/jira/browse/CPPOST-17 https://bugs.internet2.edu/jira/browse/CPPXT-22 https://bugs.internet2.edu/jira/browse/CPPXT-23 git-svn-id: https://svn.middleware.georgetown.edu/cpp-xmltooling/branches/REL_1@525 de75baf8-a10c-0410-a50a-987c0e22f00f --- diff --git a/xmltooling/security/AbstractPKIXTrustEngine.h b/xmltooling/security/AbstractPKIXTrustEngine.h index 9c60888..617bb47 100644 --- a/xmltooling/security/AbstractPKIXTrustEngine.h +++ b/xmltooling/security/AbstractPKIXTrustEngine.h @@ -43,6 +43,7 @@ namespace xmltooling { * If a DOM is supplied, the following XML content is supported: * * * @@ -50,7 +51,9 @@ namespace xmltooling { * * @param e DOM to supply configuration for provider */ - AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : TrustEngine(e) {} + AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL); + + bool m_fullCRLChain; /** * Checks that either the name of the peer with the given credentials or the names @@ -63,7 +66,7 @@ namespace xmltooling { * @return true the name check succeeds, false if not */ bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const; - + public: virtual ~AbstractPKIXTrustEngine() {} @@ -160,6 +163,15 @@ namespace xmltooling { virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator( const CredentialResolver& pkixSource, CredentialCriteria* criteria=NULL ) const=0; + + private: + bool validateWithCRLs( + X509* certEE, + STACK_OF(X509)* certChain, + const CredentialResolver& credResolver, + CredentialCriteria* criteria=NULL, + const std::vector* inlineCRLs=NULL + ) const; }; }; diff --git a/xmltooling/security/BasicX509Credential.h b/xmltooling/security/BasicX509Credential.h index 9241fd0..ac58933 100644 --- a/xmltooling/security/BasicX509Credential.h +++ b/xmltooling/security/BasicX509Credential.h @@ -41,7 +41,7 @@ namespace xmltooling { * * @param ownCerts true iff any certificates subsequently stored should be freed by destructor */ - BasicX509Credential(bool ownCerts) : m_key(NULL), m_ownCerts(ownCerts), m_crl(NULL), m_keyInfo(NULL), m_compactKeyInfo(NULL) { + BasicX509Credential(bool ownCerts) : m_key(NULL), m_ownCerts(ownCerts), m_keyInfo(NULL), m_compactKeyInfo(NULL) { } /** @@ -52,7 +52,20 @@ namespace xmltooling { * @param crl optional CRL */ BasicX509Credential(XSECCryptoKey* key, const std::vector& certs, XSECCryptoX509CRL* crl=NULL) - : m_key(key), m_xseccerts(certs), m_ownCerts(true), m_crl(crl), m_keyInfo(NULL), m_compactKeyInfo(NULL) { + : m_key(key), m_xseccerts(certs), m_ownCerts(true), m_keyInfo(NULL), m_compactKeyInfo(NULL) { + if (crl) + m_crls.push_back(crl); + } + + /** + * Constructor. + * + * @param key key pair or secret key + * @param certs array of X.509 certificates, the first entry being the entity certificate + * @param crls array of X.509 CRLs + */ + BasicX509Credential(XSECCryptoKey* key, const std::vector& certs, const std::vector& crls) + : m_key(key), m_xseccerts(certs), m_ownCerts(true), m_crls(crls), m_keyInfo(NULL), m_compactKeyInfo(NULL) { } /** The private/secret key/keypair. */ @@ -76,8 +89,8 @@ namespace xmltooling { /** Indicates whether to destroy certificates. */ bool m_ownCerts; - /** The X.509 CRL. */ - XSECCryptoX509CRL* m_crl; + /** The X.509 CRLs. */ + std::vector m_crls; /** The KeyInfo object representing the information. */ xmlsignature::KeyInfo* m_keyInfo; @@ -134,7 +147,11 @@ namespace xmltooling { } XSECCryptoX509CRL* getCRL() const { - return m_crl; + return m_crls.empty() ? NULL : m_crls.front(); + } + + const std::vector& getCRLs() const { + return m_crls; } const char* getSubjectName() const { diff --git a/xmltooling/security/X509Credential.h b/xmltooling/security/X509Credential.h index 59dcd07..edd83f4 100644 --- a/xmltooling/security/X509Credential.h +++ b/xmltooling/security/X509Credential.h @@ -67,6 +67,8 @@ namespace xmltooling { virtual const std::vector& getEntityCertificateChain() const=0; /** + * @deprecated + * * Gets a CRL associated with the credential. * * @return CRL associated with the credential @@ -74,6 +76,14 @@ namespace xmltooling { virtual XSECCryptoX509CRL* getCRL() const=0; /** + * Gets an immutable collection of all CRLs associated with the credential. + * + * @return CRLs associated with the credential + */ + virtual const std::vector& getCRLs() const=0; + + + /** * Gets the subject name of the first certificate in the chain. * * @return the Subject DN diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp index fdd249c..2d5dcb0 100644 --- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp +++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp @@ -35,6 +35,7 @@ #include #include #include +#include #include using namespace xmlsignature; @@ -52,13 +53,17 @@ namespace { } static bool XMLTOOL_DLLLOCAL validate( - X509* EE, STACK_OF(X509)* untrusted, AbstractPKIXTrustEngine::PKIXValidationInfoIterator* pkixInfo + X509* EE, + STACK_OF(X509)* untrusted, + AbstractPKIXTrustEngine::PKIXValidationInfoIterator* pkixInfo, + bool fullCRLChain, + const vector* inlineCRLs=NULL ) { Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine"); // First we build a stack of CA certs. These objects are all referenced in place. - log.debug("building CA list from PKIX Validation information"); + log.debug("supplying PKIX Validation information"); // We need this for CRL support. X509_STORE* store=X509_STORE_new(); @@ -66,32 +71,53 @@ namespace { log_openssl(); return false; } - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); - #endif STACK_OF(X509)* CAstack = sk_X509_new_null(); // This contains the state of the validate operation. + int count=0; X509_STORE_CTX ctx; const vector& CAcerts = pkixInfo->getTrustAnchors(); for (vector::const_iterator i=CAcerts.begin(); i!=CAcerts.end(); ++i) { if ((*i)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) { sk_X509_push(CAstack,static_cast(*i)->getOpenSSLX509()); + ++count; } } + log.debug("supplied (%d) CA certificate(s)", count); + +#if (OPENSSL_VERSION_NUMBER >= 0x00907000L) + count=0; + if (inlineCRLs) { + for (vector::const_iterator j=inlineCRLs->begin(); j!=inlineCRLs->end(); ++j) { + if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) { + // owned by store + X509_STORE_add_crl(store, X509_CRL_dup(static_cast(*j)->getOpenSSLX509CRL())); + ++count; + } + } + } const vector& crls = pkixInfo->getCRLs(); for (vector::const_iterator j=crls.begin(); j!=crls.end(); ++j) { if ((*j)->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL) { // owned by store X509_STORE_add_crl(store, X509_CRL_dup(static_cast(*j)->getOpenSSLX509CRL())); + ++count; } } - + log.debug("supplied (%d) CRL(s)", count); + if (count > 0) + X509_STORE_set_flags(store, fullCRLChain ? (X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL) : (X509_V_FLAG_CRL_CHECK)); +#else + if ((inlineCRLs && !inlineCRLs->empty()) || !pkixInfo->getCRLs().empty()) { + log.warn("OpenSSL versions < 0.9.7 do not support CRL checking"); + } +#endif + // AFAICT, EE and untrusted are passed in but not owned by the ctx. - #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) +#if (OPENSSL_VERSION_NUMBER >= 0x00907000L) if (X509_STORE_CTX_init(&ctx,store,EE,untrusted)!=1) { log_openssl(); log.error("unable to initialize X509_STORE_CTX"); @@ -99,9 +125,9 @@ namespace { X509_STORE_free(store); return false; } - #else +#else X509_STORE_CTX_init(&ctx,store,EE,untrusted); - #endif +#endif // Seems to be most efficient to just pass in the CA stack. X509_STORE_CTX_trusted_stack(&ctx,CAstack); @@ -136,6 +162,13 @@ namespace { } }; +AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const DOMElement* e) : TrustEngine(e), m_fullCRLChain(false) +{ + static XMLCh fullCRLChain[] = UNICODE_LITERAL_12(f,u,l,l,C,R,L,C,h,a,i,n); + const XMLCh* flag = e ? e->getAttributeNS(NULL, fullCRLChain) : NULL; + m_fullCRLChain = (flag && (*flag == chLatin_t || *flag == chDigit_1)); +} + bool AbstractPKIXTrustEngine::checkEntityNames( X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria ) const @@ -243,15 +276,16 @@ bool AbstractPKIXTrustEngine::checkEntityNames( return false; } -bool AbstractPKIXTrustEngine::validate( +bool AbstractPKIXTrustEngine::validateWithCRLs( X509* certEE, STACK_OF(X509)* certChain, const CredentialResolver& credResolver, - CredentialCriteria* criteria + CredentialCriteria* criteria, + const std::vector* inlineCRLs ) const { #ifdef _DEBUG - NDC ndc("validate"); + NDC ndc("validateWithCRLs"); #endif Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX"); @@ -274,7 +308,7 @@ bool AbstractPKIXTrustEngine::validate( auto_ptr pkix(getPKIXValidationInfoIterator(credResolver, criteria)); while (pkix->next()) { - if (::validate(certEE,certChain,pkix.get())) { + if (::validate(certEE,certChain,pkix.get(),m_fullCRLChain,inlineCRLs)) { return true; } } @@ -284,6 +318,16 @@ bool AbstractPKIXTrustEngine::validate( } bool AbstractPKIXTrustEngine::validate( + X509* certEE, + STACK_OF(X509)* certChain, + const CredentialResolver& credResolver, + CredentialCriteria* criteria + ) const +{ + return validateWithCRLs(certEE,certChain,credResolver,criteria); +} + +bool AbstractPKIXTrustEngine::validate( XSECCryptoX509* certEE, const vector& certChain, const CredentialResolver& credResolver, @@ -332,7 +376,7 @@ bool AbstractPKIXTrustEngine::validate( // Pull the certificate chain out of the signature. X509Credential* x509cred; - auto_ptr cred(inlineResolver->resolve(&sig,X509Credential::RESOLVE_CERTS)); + auto_ptr cred(inlineResolver->resolve(&sig,X509Credential::RESOLVE_CERTS|X509Credential::RESOLVE_CRLS)); if (!cred.get() || !(x509cred=dynamic_cast(cred.get()))) { log.error("unable to perform PKIX validation, signature does not contain any certificates"); return false; @@ -362,11 +406,22 @@ bool AbstractPKIXTrustEngine::validate( } } - if (certEE) - return validate(certEE,certs,credResolver,criteria); - - log.debug("failed to verify signature with embedded certificates"); - return false; + if (!certEE) { + log.debug("failed to verify signature with embedded certificates"); + return false; + } + else if (certEE->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) { + log.error("only the OpenSSL XSEC provider is supported"); + return false; + } + + STACK_OF(X509)* untrusted=sk_X509_new_null(); + for (vector::const_iterator i=certs.begin(); i!=certs.end(); ++i) + sk_X509_push(untrusted,static_cast(*i)->getOpenSSLX509()); + const vector& crls = x509cred->getCRLs(); + bool ret = validateWithCRLs(static_cast(certEE)->getOpenSSLX509(), untrusted, credResolver, criteria, &crls); + sk_X509_free(untrusted); + return ret; } bool AbstractPKIXTrustEngine::validate( diff --git a/xmltooling/security/impl/BasicX509Credential.cpp b/xmltooling/security/impl/BasicX509Credential.cpp index 50da3ed..570b682 100644 --- a/xmltooling/security/impl/BasicX509Credential.cpp +++ b/xmltooling/security/impl/BasicX509Credential.cpp @@ -37,7 +37,7 @@ BasicX509Credential::~BasicX509Credential() delete m_key; if (m_ownCerts) for_each(m_xseccerts.begin(), m_xseccerts.end(), xmltooling::cleanup()); - delete m_crl; + for_each(m_crls.begin(), m_crls.end(), xmltooling::cleanup()); delete m_keyInfo; delete m_compactKeyInfo; } diff --git a/xmltooling/security/impl/FilesystemCredentialResolver.cpp b/xmltooling/security/impl/FilesystemCredentialResolver.cpp index b36eef0..34b7bee 100644 --- a/xmltooling/security/impl/FilesystemCredentialResolver.cpp +++ b/xmltooling/security/impl/FilesystemCredentialResolver.cpp @@ -356,7 +356,7 @@ FilesystemCredentialResolver::FilesystemCredentialResolver(const DOMElement* e) in = NULL; } - // Load the key. + // Load the CRL. crl = loadCRL(); } diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp index 6b71a9a..eb5d937 100644 --- a/xmltooling/security/impl/InlineKeyResolver.cpp +++ b/xmltooling/security/impl/InlineKeyResolver.cpp @@ -108,7 +108,7 @@ namespace xmltooling { private: bool resolveCerts(const KeyInfo* keyInfo); bool resolveKey(const KeyInfo* keyInfo); - bool resolveCRL(const KeyInfo* keyInfo); + bool resolveCRLs(const KeyInfo* keyInfo); KeyInfoCredentialContext* m_credctx; }; @@ -182,7 +182,7 @@ void InlineCredential::resolve(const KeyInfo* keyInfo, int types) } if (types & X509Credential::RESOLVE_CRLS) - resolveCRL(keyInfo); + resolveCRLs(keyInfo); const XMLCh* n; char* kn; @@ -319,7 +319,7 @@ bool InlineCredential::resolveCerts(const KeyInfo* keyInfo) return !m_xseccerts.empty(); } -bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) +bool InlineCredential::resolveCRLs(const KeyInfo* keyInfo) { Category& log = Category::getInstance(XMLTOOLING_LOGCAT".KeyInfoResolver."INLINE_KEYINFO_RESOLVER); @@ -337,8 +337,7 @@ bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) log.debug("resolving ds:X509CRL"); auto_ptr crl(XMLToolingConfig::getConfig().X509CRL()); crl->loadX509CRLBase64Bin(x.get(), strlen(x.get())); - m_crl = crl.release(); - return true; + m_crls.push_back(crl.release()); } } catch(XSECException& e) { @@ -351,7 +350,8 @@ bool InlineCredential::resolveCRL(const KeyInfo* keyInfo) } } - return false; + log.debug("resolved %d CRL(s)", m_crls.size()); + return !m_crls.empty(); } void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) @@ -399,8 +399,7 @@ void InlineCredential::resolve(DSIGKeyInfoList* keyInfo, int types) try { auto_ptr crlobj(XMLToolingConfig::getConfig().X509CRL()); crlobj->loadX509CRLBase64Bin(buf.get(), strlen(buf.get())); - m_crl = crlobj.release(); - break; + m_crls.push_back(crlobj.release()); } catch(XSECException& e) { auto_ptr_char temp(e.getMsg()); diff --git a/xmltooling/security/impl/StaticPKIXTrustEngine.cpp b/xmltooling/security/impl/StaticPKIXTrustEngine.cpp index 8df6c68..43699e3 100644 --- a/xmltooling/security/impl/StaticPKIXTrustEngine.cpp +++ b/xmltooling/security/impl/StaticPKIXTrustEngine.cpp @@ -38,13 +38,13 @@ using namespace std; namespace xmltooling { - static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r); - static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); - static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e); - static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e); - static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h); + static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r); + static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); + static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e); + static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e); + static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h); static const XMLCh verifyDepth[] = UNICODE_LITERAL_11(v,e,r,i,f,y,D,e,p,t,h); - + class XMLTOOL_DLLLOCAL StaticPKIXTrustEngine : public AbstractPKIXTrustEngine { public: @@ -120,21 +120,21 @@ StaticPKIXTrustEngine::StaticPKIXTrustEngine(const DOMElement* e) : AbstractPKIX else m_depth = 1; - if (e && e->hasAttributeNS(NULL,certificate)) { - // Simple File resolver config rooted here. - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,e); - } - else { - e = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; - auto_ptr_char t(e ? e->getAttributeNS(NULL,type) : NULL); - if (t.get()) { - m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),e); - } - else - throw XMLSecurityException("Missing element, or no type attribute found"); - } - - m_credResolver->lock(); + if (e && e->hasAttributeNS(NULL,certificate)) { + // Simple File resolver config rooted here. + m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,e); + } + else { + e = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; + auto_ptr_char t(e ? e->getAttributeNS(NULL,type) : NULL); + if (t.get()) { + m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),e); + } + else + throw XMLSecurityException("Missing element, or no type attribute found"); + } + + m_credResolver->lock(); // Merge together all X509Credentials we can resolve. try { @@ -144,8 +144,7 @@ StaticPKIXTrustEngine::StaticPKIXTrustEngine(const DOMElement* e) : AbstractPKIX const X509Credential* xcred = dynamic_cast(*i); if (xcred) { m_certs.insert(m_certs.end(), xcred->getEntityCertificateChain().begin(), xcred->getEntityCertificateChain().end()); - if (xcred->getCRL()) - m_crls.push_back(xcred->getCRL()); + m_crls.insert(m_crls.end(), xcred->getCRLs().begin(), xcred->getCRLs().end()); } } }