From b383e021ae585cf97bf24285f65ae1e451b893e8 Mon Sep 17 00:00:00 2001 From: cantor Date: Wed, 17 Oct 2007 04:12:00 +0000 Subject: [PATCH] Move credential usage enum to Credential class. Add credential usage property and enforce during lookup. git-svn-id: https://svn.middleware.georgetown.edu/cpp-xmltooling/trunk@400 de75baf8-a10c-0410-a50a-987c0e22f00f --- xmltooling/encryption/impl/Decrypter.cpp | 12 ++++++------ xmltooling/security/BasicX509Credential.h | 3 +++ xmltooling/security/Credential.h | 17 +++++++++++++++++ xmltooling/security/CredentialCriteria.h | 20 +++++--------------- xmltooling/security/impl/AbstractPKIXTrustEngine.cpp | 4 ++-- xmltooling/security/impl/CredentialCriteria.cpp | 7 +++++++ xmltooling/security/impl/ExplicitKeyTrustEngine.cpp | 14 +++++++------- xmltooling/soap/impl/CURLSOAPTransport.cpp | 4 ++-- xmltoolingtest/EncryptionTest.h | 2 +- xmltoolingtest/MarshallingTest.h | 4 ++++ xmltoolingtest/SignatureTest.h | 2 +- 11 files changed, 55 insertions(+), 34 deletions(-) diff --git a/xmltooling/encryption/impl/Decrypter.cpp b/xmltooling/encryption/impl/Decrypter.cpp index 47ed588..c68d1cd 100644 --- a/xmltooling/encryption/impl/Decrypter.cpp +++ b/xmltooling/encryption/impl/Decrypter.cpp @@ -92,7 +92,7 @@ DOMDocumentFragment* Decrypter::decryptData(const EncryptedData& encryptedData, CredentialCriteria::KEYINFO_EXTRACTION_KEYNAMES | CredentialCriteria::KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES; if (m_criteria) { - m_criteria->setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL); + m_criteria->setUsage(Credential::ENCRYPTION_CREDENTIAL); m_criteria->setKeyInfo(encryptedData.getKeyInfo(), types); const EncryptionMethod* meth = encryptedData.getEncryptionMethod(); if (meth) @@ -101,7 +101,7 @@ DOMDocumentFragment* Decrypter::decryptData(const EncryptedData& encryptedData, } else { CredentialCriteria criteria; - criteria.setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL); + criteria.setUsage(Credential::ENCRYPTION_CREDENTIAL); criteria.setKeyInfo(encryptedData.getKeyInfo(), types); const EncryptionMethod* meth = encryptedData.getEncryptionMethod(); if (meth) @@ -192,7 +192,7 @@ void Decrypter::decryptData(ostream& out, const EncryptedData& encryptedData, co CredentialCriteria::KEYINFO_EXTRACTION_KEYNAMES | CredentialCriteria::KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES; if (m_criteria) { - m_criteria->setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL); + m_criteria->setUsage(Credential::ENCRYPTION_CREDENTIAL); m_criteria->setKeyInfo(encryptedData.getKeyInfo(), types); const EncryptionMethod* meth = encryptedData.getEncryptionMethod(); if (meth) @@ -201,7 +201,7 @@ void Decrypter::decryptData(ostream& out, const EncryptedData& encryptedData, co } else { CredentialCriteria criteria; - criteria.setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL); + criteria.setUsage(Credential::ENCRYPTION_CREDENTIAL); criteria.setKeyInfo(encryptedData.getKeyInfo(), types); const EncryptionMethod* meth = encryptedData.getEncryptionMethod(); if (meth) @@ -276,7 +276,7 @@ XSECCryptoKey* Decrypter::decryptKey(const EncryptedKey& encryptedKey, const XML CredentialCriteria::KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES; vector creds; if (m_criteria) { - m_criteria->setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL); + m_criteria->setUsage(Credential::ENCRYPTION_CREDENTIAL); m_criteria->setKeyInfo(encryptedKey.getKeyInfo(), types); const EncryptionMethod* meth = encryptedKey.getEncryptionMethod(); if (meth) @@ -285,7 +285,7 @@ XSECCryptoKey* Decrypter::decryptKey(const EncryptedKey& encryptedKey, const XML } else { CredentialCriteria criteria; - criteria.setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL); + criteria.setUsage(Credential::ENCRYPTION_CREDENTIAL); criteria.setKeyInfo(encryptedKey.getKeyInfo(), types); const EncryptionMethod* meth = encryptedKey.getEncryptionMethod(); if (meth) diff --git a/xmltooling/security/BasicX509Credential.h b/xmltooling/security/BasicX509Credential.h index 6b4b486..f76465b 100644 --- a/xmltooling/security/BasicX509Credential.h +++ b/xmltooling/security/BasicX509Credential.h @@ -84,6 +84,9 @@ namespace xmltooling { public: virtual ~BasicX509Credential(); + UsageTypes getUsage() const { + return UNSPECIFIED_CREDENTIAL; + } const char* getAlgorithm() const; unsigned int getKeySize() const; diff --git a/xmltooling/security/Credential.h b/xmltooling/security/Credential.h index 8fa7bb4..36c8b1a 100644 --- a/xmltooling/security/Credential.h +++ b/xmltooling/security/Credential.h @@ -62,6 +62,23 @@ namespace xmltooling { }; /** + * Enumeration of use cases for credentials. + */ + enum UsageTypes { + UNSPECIFIED_CREDENTIAL, + SIGNING_CREDENTIAL, + TLS_CREDENTIAL, + ENCRYPTION_CREDENTIAL + }; + + /** + * Get the credential usage type. + * + * @return the usage + */ + virtual UsageTypes getUsage() const=0; + + /** * Returns an algorithm identifier for the Credential. * * @return the Credential algorithm, or NULL if indeterminate diff --git a/xmltooling/security/CredentialCriteria.h b/xmltooling/security/CredentialCriteria.h index d331c89..2936f1a 100644 --- a/xmltooling/security/CredentialCriteria.h +++ b/xmltooling/security/CredentialCriteria.h @@ -42,7 +42,7 @@ namespace xmltooling { { MAKE_NONCOPYABLE(CredentialCriteria); public: - CredentialCriteria() : m_keyUsage(UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(NULL), + CredentialCriteria() : m_keyUsage(Credential::UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(NULL), m_keyInfo(NULL), m_nativeKeyInfo(NULL), m_credential(NULL) { } virtual ~CredentialCriteria() { @@ -56,23 +56,13 @@ namespace xmltooling { * @return true iff the Credential is consistent with this criteria */ virtual bool matches(const Credential& credential) const; - - /** - * Enumeration of use cases for credentials. - */ - enum UsageType { - UNSPECIFIED_CREDENTIAL, - SIGNING_CREDENTIAL, - TLS_CREDENTIAL, - ENCRYPTION_CREDENTIAL - }; - + /** * Get the key usage criteria. * * @return the usage. */ - UsageType getUsage() const { + Credential::UsageTypes getUsage() const { return m_keyUsage; } @@ -81,7 +71,7 @@ namespace xmltooling { * * @param usage the usage to set */ - void setUsage(UsageType usage) { + void setUsage(Credential::UsageTypes usage) { m_keyUsage = usage; } @@ -301,7 +291,7 @@ namespace xmltooling { } private: - UsageType m_keyUsage; + Credential::UsageTypes m_keyUsage; unsigned int m_keySize; std::string m_peerName,m_keyAlgorithm; std::set m_keyNames; diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp index d3c9449..69e24f3 100644 --- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp +++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp @@ -262,8 +262,8 @@ bool AbstractPKIXTrustEngine::validate( if (criteria && criteria->getPeerName() && *(criteria->getPeerName())) { log.debug("checking that the certificate name is acceptable"); - if (criteria->getUsage()==CredentialCriteria::UNSPECIFIED_CREDENTIAL) - criteria->setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + if (criteria->getUsage()==Credential::UNSPECIFIED_CREDENTIAL) + criteria->setUsage(Credential::SIGNING_CREDENTIAL); if (!checkEntityNames(certEE,credResolver,*criteria)) { log.error("certificate name was not acceptable"); return false; diff --git a/xmltooling/security/impl/CredentialCriteria.cpp b/xmltooling/security/impl/CredentialCriteria.cpp index ae4f1ea..b70227d 100644 --- a/xmltooling/security/impl/CredentialCriteria.cpp +++ b/xmltooling/security/impl/CredentialCriteria.cpp @@ -36,6 +36,13 @@ using namespace std; bool CredentialCriteria::matches(const Credential& credential) const { + // Usage check, if specified and we have one. + if (getUsage() != Credential::UNSPECIFIED_CREDENTIAL) { + if (credential.getUsage() != Credential::UNSPECIFIED_CREDENTIAL) + if (getUsage() != credential.getUsage()) + return false; + } + // Algorithm check, if specified and we have one. const char* alg = getKeyAlgorithm(); if (alg && *alg) { diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp index bed55d5..346c35f 100644 --- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp +++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp @@ -94,13 +94,13 @@ bool ExplicitKeyTrustEngine::validate( vector credentials; if (criteria) { - criteria->setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + criteria->setUsage(Credential::SIGNING_CREDENTIAL); criteria->setSignature(sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); credResolver.resolve(credentials,criteria); } else { CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setSignature(sig, CredentialCriteria::KEYINFO_EXTRACTION_KEY); credResolver.resolve(credentials,&cc); } @@ -144,14 +144,14 @@ bool ExplicitKeyTrustEngine::validate( vector credentials; if (criteria) { - criteria->setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + criteria->setUsage(Credential::SIGNING_CREDENTIAL); criteria->setKeyInfo(keyInfo, CredentialCriteria::KEYINFO_EXTRACTION_KEY); criteria->setXMLAlgorithm(sigAlgorithm); credResolver.resolve(credentials,criteria); } else { CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); cc.setKeyInfo(keyInfo, CredentialCriteria::KEYINFO_EXTRACTION_KEY); cc.setXMLAlgorithm(sigAlgorithm); credResolver.resolve(credentials,&cc); @@ -223,13 +223,13 @@ bool ExplicitKeyTrustEngine::validate( vector credentials; if (criteria) { - if (criteria->getUsage()==CredentialCriteria::UNSPECIFIED_CREDENTIAL) - criteria->setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + if (criteria->getUsage()==Credential::UNSPECIFIED_CREDENTIAL) + criteria->setUsage(Credential::SIGNING_CREDENTIAL); credResolver.resolve(credentials,criteria); } else { CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); credResolver.resolve(credentials,&cc); } if (credentials.empty()) { diff --git a/xmltooling/soap/impl/CURLSOAPTransport.cpp b/xmltooling/soap/impl/CURLSOAPTransport.cpp index 190d6a1..6f8f11f 100644 --- a/xmltooling/soap/impl/CURLSOAPTransport.cpp +++ b/xmltooling/soap/impl/CURLSOAPTransport.cpp @@ -546,7 +546,7 @@ int xmltooling::verify_callback(X509_STORE_CTX* x509_ctx, void* arg) bool success=false; if (ctx->m_criteria) { - ctx->m_criteria->setUsage(CredentialCriteria::TLS_CREDENTIAL); + ctx->m_criteria->setUsage(Credential::TLS_CREDENTIAL); // Bypass name check (handled for us by curl). ctx->m_criteria->setPeerName(NULL); success = ctx->m_trustEngine->validate(x509_ctx->cert,x509_ctx->untrusted,*(ctx->m_peerResolver),ctx->m_criteria); @@ -554,7 +554,7 @@ int xmltooling::verify_callback(X509_STORE_CTX* x509_ctx, void* arg) else { // Bypass name check (handled for us by curl). CredentialCriteria cc; - cc.setUsage(CredentialCriteria::TLS_CREDENTIAL); + cc.setUsage(Credential::TLS_CREDENTIAL); success = ctx->m_trustEngine->validate(x509_ctx->cert,x509_ctx->untrusted,*(ctx->m_peerResolver),&cc); } diff --git a/xmltoolingtest/EncryptionTest.h b/xmltoolingtest/EncryptionTest.h index 3d6c79a..7cd05e6 100644 --- a/xmltoolingtest/EncryptionTest.h +++ b/xmltoolingtest/EncryptionTest.h @@ -56,7 +56,7 @@ public: try { CredentialCriteria cc; - cc.setUsage(CredentialCriteria::ENCRYPTION_CREDENTIAL); + cc.setUsage(Credential::ENCRYPTION_CREDENTIAL); Locker locker(m_resolver); const Credential* cred=m_resolver->resolve(&cc); TSM_ASSERT("Retrieved credential was null", cred!=NULL); diff --git a/xmltoolingtest/MarshallingTest.h b/xmltoolingtest/MarshallingTest.h index a686026..38ddafd 100644 --- a/xmltoolingtest/MarshallingTest.h +++ b/xmltoolingtest/MarshallingTest.h @@ -66,6 +66,10 @@ public: DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(fs); TS_ASSERT(doc!=NULL); + string buf; + XMLHelper::serialize(rootElement, buf); + cout << buf; + TS_ASSERT(rootElement->isEqualNode(doc->getDocumentElement())); doc->release(); } diff --git a/xmltoolingtest/SignatureTest.h b/xmltoolingtest/SignatureTest.h index 8e05cce..fc682e1 100644 --- a/xmltoolingtest/SignatureTest.h +++ b/xmltoolingtest/SignatureTest.h @@ -119,7 +119,7 @@ public: sig->setContentReference(new TestContext(&chNull)); CredentialCriteria cc; - cc.setUsage(CredentialCriteria::SIGNING_CREDENTIAL); + cc.setUsage(Credential::SIGNING_CREDENTIAL); Locker locker(m_resolver); const Credential* cred = m_resolver->resolve(&cc); TSM_ASSERT("Retrieved credential was null", cred!=NULL); -- 2.1.4