XSECAlgorithmMapper::~XSECAlgorithmMapper() { MapperEntryVectorType::iterator it = m_mapping.begin(); while (it != m_mapping.end()) { XSEC_RELEASE_XMLCH(((*it)->mp_uri)); delete (*it)->mp_handler; delete (*it); it++; } m_mapping.clear(); XMLCh* ptr; for (WhitelistVectorType::const_iterator i = m_whitelist.begin(); i != m_whitelist.end(); ++i) { ptr = *i; XSEC_RELEASE_XMLCH(ptr); } m_whitelist.clear(); for (WhitelistVectorType::const_iterator i = m_blacklist.begin(); i != m_blacklist.end(); ++i) { ptr = *i; XSEC_RELEASE_XMLCH(ptr); } m_blacklist.clear(); }
XSECEnv::~XSECEnv() { if (mp_formatter != NULL) { delete mp_formatter; } if (mp_prefixNS != NULL) { XSEC_RELEASE_XMLCH(mp_prefixNS); } if (mp_11PrefixNS != NULL) { XSEC_RELEASE_XMLCH(mp_11PrefixNS); } if (mp_ecPrefixNS != NULL) { XSEC_RELEASE_XMLCH(mp_ecPrefixNS); } if (mp_xpfPrefixNS != NULL) { XSEC_RELEASE_XMLCH(mp_xpfPrefixNS); } if (mp_xencPrefixNS != NULL) { XSEC_RELEASE_XMLCH(mp_xencPrefixNS); } if (mp_xenc11PrefixNS != NULL) { XSEC_RELEASE_XMLCH(mp_xenc11PrefixNS); } if (mp_xkmsPrefixNS != NULL) { XSEC_RELEASE_XMLCH(mp_xkmsPrefixNS); } if (mp_URIResolver != NULL) { delete mp_URIResolver; } // Clean up Id attribute names IdNameVectorType::iterator it; for (it = m_idAttributeNameList.begin(); it != m_idAttributeNameList.end(); it++) { IdAttributeType * i = *it; if (i->mp_namespace != NULL) XSEC_RELEASE_XMLCH((i->mp_namespace)); if (i->mp_name) XSEC_RELEASE_XMLCH((i->mp_name)); delete *it; } m_idAttributeNameList.empty(); }
// --------------------------------------------------------------------------- // ostream << DOMString // // Stream out a DOM string. Doing this requires that we first transcode // to char * form in the default code page for the system // --------------------------------------------------------------------------- ostream& operator<< (ostream& target, const DOMString& s) { char *p = s.transcode(); target << p; XSEC_RELEASE_XMLCH(p); return target; }
DOMElement * DSIGKeyInfoName::createBlankKeyName(const XMLCh * name, bool isDName) { // Create the DOM Structure safeBuffer str; DOMDocument *doc = mp_env->getParentDocument(); const XMLCh * prefix = mp_env->getDSIGNSPrefix(); makeQName(str, prefix, "KeyName"); DOMElement *ret = doc->createElementNS(DSIGConstants::s_unicodeStrURIDSIG, str.rawXMLChBuffer()); mp_keyInfoDOMNode = ret; // Check whether to encode prior to adding if (isDName == true) { // Treat as a distinguished name mp_decodedDName = XMLString::replicate(name); XMLCh * encodedName = encodeDName(name); mp_keyNameTextNode = doc->createTextNode(encodedName); XSEC_RELEASE_XMLCH(encodedName); } else mp_keyNameTextNode = doc->createTextNode(name); ret->appendChild(mp_keyNameTextNode); mp_name = mp_keyNameTextNode->getNodeValue(); return ret; }
void XSECURIResolverGenericUnix::setBaseURI(const XMLCh * uri) { if (mp_baseURI != NULL) XSEC_RELEASE_XMLCH(mp_baseURI); mp_baseURI = XMLString::replicate(uri); }
void XSECEnv::setXKMSNSPrefix(const XMLCh * prefix) { if (mp_xkmsPrefixNS != NULL) XSEC_RELEASE_XMLCH(mp_xkmsPrefixNS); mp_xkmsPrefixNS = XMLString::replicate(prefix); }
void safeBuffer::sbXMLChCat8(const char * str) { checkBufferType(BUFFER_UNICODE); XMLCh * toAdd = transcodeFromUTF8((const unsigned char *) str); sbXMLChCat(toAdd); XSEC_RELEASE_XMLCH(toAdd); }
const XMLCh * safeBuffer::sbStrToXMLCh(void) const { checkBufferType(BUFFER_CHAR); if (mp_XMLCh != NULL) XSEC_RELEASE_XMLCH(mp_XMLCh); mp_XMLCh = XMLString::transcode((char *) buffer); return mp_XMLCh; }
safeBuffer::~safeBuffer() { if (buffer != NULL) { if (m_isSensitive == true) cleanseBuffer(); delete[] buffer; } if (mp_XMLCh != NULL) XSEC_RELEASE_XMLCH(mp_XMLCh); }
void DSIGKeyInfoName::setKeyName(const XMLCh * name, bool isDName) { if (mp_keyNameTextNode == 0) { // Attempt to load an empty element throw XSECException(XSECException::LoadEmptySignature, MAKE_UNICODE_STRING("KeyInfoName::set() called prior to load() or createBlank()")); } if (mp_decodedDName != NULL) { XSEC_RELEASE_XMLCH(mp_decodedDName); mp_decodedDName = NULL; } if (isDName == true) { // This name should be treated as a Distinguished Name - so do the // required encoding mp_decodedDName = XMLString::replicate(name); XMLCh * encodedName = encodeDName(name); mp_keyNameTextNode->setNodeValue(encodedName); XSEC_RELEASE_XMLCH(encodedName); } else { mp_keyNameTextNode->setNodeValue(name); } mp_name = mp_keyNameTextNode->getNodeValue(); }
bool XSECEnv::deregisterIdAttributeName(const XMLCh * name) { IdNameVectorType::iterator it; for (it = m_idAttributeNameList.begin(); it != m_idAttributeNameList.end(); it++) { if (!((*it)->m_useNamespace) && strEquals((*it)->mp_name, name)) { // Remove this item XSEC_RELEASE_XMLCH(((*it)->mp_name)); delete *it; m_idAttributeNameList.erase(it); return true; } } return false; }
void safeBuffer::sbXMLChCat(const char * str) { checkBufferType(BUFFER_UNICODE); xsecsize_t len = XMLString::stringLen((XMLCh *) buffer) * size_XMLCh; XMLCh * t = XMLString::transcode(str); assert (t != NULL); len += XMLString::stringLen(t); len += (xsecsize_t) (2 * size_XMLCh); checkAndExpand(len); XMLString::catString((XMLCh *) buffer, t); XSEC_RELEASE_XMLCH(t); }
void safeBuffer::sbTranscodeIn(const char * inStr) { // Transcode the string to the local code page and store in the buffer XMLCh * t; t = XMLString::transcode(inStr); assert (t != 0); // Copy into local buffer xsecsize_t len = XMLString::stringLen(t) + 1; len *= (xsecsize_t) size_XMLCh; checkAndExpand(len); XMLString::copyString((XMLCh *) buffer, t); m_bufferType = BUFFER_UNICODE; XSEC_RELEASE_XMLCH(t); }
void safeBuffer::sbTranscodeIn(const XMLCh * inStr) { // Transcode the string to the local code page and store in the buffer char * t; t = XMLString::transcode(inStr); assert (t != 0); // Now copy into our local buffer - a bit inefficient but better in the long run // as a buffer that is the exact size is likely to be deleted anyway during a // concat operation xsecsize_t len = (xsecsize_t) strlen(t) + 1; checkAndExpand(len); strcpy((char *) buffer, t); m_bufferType = BUFFER_CHAR; XSEC_RELEASE_XMLCH(t); }
XSECCryptoKey * InteropResolver::openCertURI(const XMLCh * uri) { // Open a certificate from a file URI relative to the signature file BIO * bioCert; if ((bioCert = BIO_new(BIO_s_file())) == NULL) { return NULL; } safeBuffer fname; char * u = XMLString::transcode(uri); fname.sbTranscodeIn(mp_baseURI); fname.sbStrcatIn("/"); fname.sbStrcatIn(u); XSEC_RELEASE_XMLCH(u); #if defined(_WIN32) reverseSlash(fname); #endif if (BIO_read_filename(bioCert, fname.rawCharBuffer()) <= 0) { return NULL; } X509 * x509 = d2i_X509_bio(bioCert, NULL); BIO_free(bioCert); OpenSSLCryptoX509 oX509(x509); X509_free(x509); return oX509.clonePublicKey(); }
XSECCryptoKey * InteropResolver::resolveKey(DSIGKeyInfoList * lst) { // First check if this has an X509 cert + an X509 CRL const XMLCh * b64cert = NULL; const XMLCh * b64crl = NULL; int lstSize = (int) lst->getSize(); for (int i = 0; i < lstSize; ++i) { DSIGKeyInfo * ki; ki = lst->item(i); const XMLCh * rawuri; if (ki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) { DSIGKeyInfoX509 * kix509 = static_cast<DSIGKeyInfoX509 *>(ki); if ((rawuri = kix509->getRawRetrievalURI()) != NULL) { // We have a raw certificate by de-reference // Assume it is just a file dereference and open the cert return openCertURI(rawuri); } if (kix509->getCertificateListSize() == 1) { b64cert = kix509->getCertificateItem(0); } if (b64crl == NULL) { b64crl = kix509->getX509CRL(); } } else if (ki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_NAME) { DSIGKeyInfoName * kn = static_cast<DSIGKeyInfoName *>(ki); if (kn->getKeyName() != NULL) { static XMLCh certStr[] = { XERCES_CPP_NAMESPACE_QUALIFIER chLatin_c, XERCES_CPP_NAMESPACE_QUALIFIER chLatin_e, XERCES_CPP_NAMESPACE_QUALIFIER chLatin_r, XERCES_CPP_NAMESPACE_QUALIFIER chLatin_t, XERCES_CPP_NAMESPACE_QUALIFIER chLatin_s, XERCES_CPP_NAMESPACE_QUALIFIER chForwardSlash, XERCES_CPP_NAMESPACE_QUALIFIER chNull }; static XMLCh extStr[] = { XERCES_CPP_NAMESPACE_QUALIFIER chPeriod, XERCES_CPP_NAMESPACE_QUALIFIER chLatin_c, XERCES_CPP_NAMESPACE_QUALIFIER chLatin_r, XERCES_CPP_NAMESPACE_QUALIFIER chLatin_t, XERCES_CPP_NAMESPACE_QUALIFIER chNull }; safeBuffer fname; fname = certStr; fname.sbXMLChCat(kn->getKeyName()); fname.sbXMLChCat(extStr); fname.sbStrlwr(); return openCertURI(fname.rawXMLChBuffer()); } } } if (b64cert != NULL && b64crl != NULL) { // We have a certificate and a crl, lets get the cert and check in the crl OpenSSLCryptoBase64 b64; char * transb64cert = XMLString::transcode(b64cert); unsigned char * x509buf = new unsigned char[strlen(transb64cert)]; ArrayJanitor<unsigned char> j_x509buf(x509buf); int x509bufLen; X509 *x; b64.decodeInit(); x509bufLen = b64.decode((unsigned char *) transb64cert, (unsigned int) strlen(transb64cert), x509buf, (unsigned int) strlen(transb64cert)); x509bufLen += b64.decodeFinish(&x509buf[x509bufLen], (unsigned int) strlen(transb64cert) - x509bufLen); XSEC_RELEASE_XMLCH(transb64cert); if (x509bufLen > 0) { #if defined(XSEC_OPENSSL_D2IX509_CONST_BUFFER) x = d2i_X509(NULL, (const unsigned char **) (&x509buf), x509bufLen ); #else x = d2i_X509(NULL, &x509buf, x509bufLen); #endif } else return NULL; // Something has gone wrong if (x == NULL) return NULL; // Now the CRL char * transb64crl = XMLString::transcode(b64crl); unsigned char * crlbuf = new unsigned char[strlen(transb64crl)]; ArrayJanitor<unsigned char> j_crlbuf(crlbuf); int crlbufLen; X509_CRL * c; b64.decodeInit(); crlbufLen = b64.decode((unsigned char*) transb64crl, (unsigned int) strlen(transb64crl), crlbuf, (unsigned int) strlen(transb64crl)); crlbufLen += b64.decodeFinish(&crlbuf[crlbufLen], (unsigned int) strlen(transb64crl) - crlbufLen); XSEC_RELEASE_XMLCH(transb64crl); if (crlbufLen > 0) { #if defined(XSEC_OPENSSL_D2IX509_CONST_BUFFER) c = d2i_X509_CRL(NULL, (const unsigned char **) (&crlbuf), crlbufLen); #else c = d2i_X509_CRL(NULL, &crlbuf, crlbufLen); #endif } else return NULL; // Something has gone wrong if (c == NULL) return NULL; // Now check if the cert is in the CRL (code lifted from OpenSSL x509_vfy.c int idx; X509_REVOKED rtmp; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(c->crl->revoked, &rtmp); /* Not found: OK */ if(idx != -1) { std::cerr << "Warning - certificate revoked in attached CRL" << std::endl; } OpenSSLCryptoX509 ox(x); X509_free(x); X509_CRL_free(c); return ox.clonePublicKey(); } // Do a run through each match in the directory while (m_searchFinished == false) { X509 * x = nextFile2Cert(); if (x != NULL) { if (checkMatch(lst, x)) { OpenSSLCryptoX509 ox(x); X509_free(x); return ox.clonePublicKey(); } } X509_free(x); } return false; }
DSIGKeyInfoName::~DSIGKeyInfoName() { if (mp_decodedDName != NULL) XSEC_RELEASE_XMLCH(mp_decodedDName); };
BinInputStream * XSECURIResolverGenericUnix::resolveURI(const XMLCh * uri) { XSEC_USING_XERCES(BinInputStream); XSEC_USING_XERCES(XMLUri); XSEC_USING_XERCES(XMLUni); XSEC_USING_XERCES(Janitor); XSEC_USING_XERCES(BinFileInputStream); XMLUri * xmluri; if (uri == NULL) { throw XSECException(XSECException::ErrorOpeningURI, "XSECURIResolverGenericUnix - anonymous references not supported in default URI Resolvers"); } // Create the appropriate XMLUri objects if (mp_baseURI != NULL) { XMLUri * turi; #if XERCES_VERSION_MAJOR == 2 && XERCES_VERSION_MINOR < 3 // XMLUri relative paths are broken, so we need to strip out ".." XSECAutoPtrXMLCh b(mp_baseURI); XSECAutoPtrXMLCh r(uri); int index = 0; while (XMLString::startsWith(&(r.get()[index]), DOTDOT_SLASH)) { // Strip the last segment of the base int lastIndex = XMLString::lastIndexOf(b.get(), XERCES_CPP_NAMESPACE_QUALIFIER chForwardSlash); if (lastIndex > 0) const_cast<XMLCh*>(b.get())[lastIndex] = 0; index += 3; } XSECnew(turi, XMLUri(b.get())); Janitor<XMLUri> j_turi(turi); XSECnew(xmluri, XMLUri(turi, &(r.get()[index]))); #else XSECnew(turi, XMLUri(mp_baseURI)); Janitor<XMLUri> j_turi(turi); XSECnew(xmluri, XMLUri(turi, uri)); #endif } else { XSECnew(xmluri, XMLUri(uri)); } Janitor<XMLUri> j_xmluri(xmluri); // Determine what kind of URI this is and how to handle it. if (!XMLString::compareIString(xmluri->getScheme(), gFileScheme)) { // This is a file. We only really understand if this is localhost // XMLUri has already cleaned of escape characters (%xx) if (xmluri->getHost() == NULL || xmluri->getHost()[0] == chNull || !XMLString::compareIString(xmluri->getHost(), XMLUni::fgLocalHostString)) { // Clean hex escapes XMLCh * realPath = cleanURIEscapes(xmluri->getPath()); // Localhost BinFileInputStream* retStrm = new BinFileInputStream(realPath); XSEC_RELEASE_XMLCH(realPath); if (!retStrm->getIsOpen()) { delete retStrm; return 0; } return retStrm; } else { throw XSECException(XSECException::ErrorOpeningURI, "XSECURIResolverGenericUnix - unable to open non-localhost file"); } } // Is the scheme a HTTP? if (!XMLString::compareIString(xmluri->getScheme(), gHttpScheme)) { // Pass straight to our local XSECBinHTTPUriInputStream XSECBinHTTPURIInputStream *ret; XSECnew(ret, XSECBinHTTPURIInputStream(*xmluri)); return ret; } throw XSECException(XSECException::ErrorOpeningURI, "XSECURIResolverGenericUnix - unknown URI scheme"); }
XSECURIResolverGenericUnix::~XSECURIResolverGenericUnix() { if (mp_baseURI != NULL) XSEC_RELEASE_XMLCH(mp_baseURI); }
bool InteropResolver::checkMatch(DSIGKeyInfoList * lst, X509 * x) { // Check if the parameters in x match the required certificate int sz = (int) lst->getSize(); DSIGKeyInfo* k; for (int i = 0; i < sz; ++i) { k = lst->item(i); if (k->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) { DSIGKeyInfoX509 * kx = static_cast<DSIGKeyInfoX509 *>(k); const XMLCh * serial = kx->getX509IssuerSerialNumber(); if (serial != NULL) { char * cserial = XMLString::transcode(serial); char * xserial; BIGNUM * bnserial = ASN1_INTEGER_to_BN(x->cert_info->serialNumber, NULL); xserial = BN_bn2dec(bnserial); BN_free(bnserial); if (strcmp(xserial, cserial) == 0) { OPENSSL_free(xserial); XSEC_RELEASE_XMLCH(cserial); return true; } //delete[] xserial; XSEC_RELEASE_XMLCH(cserial); OPENSSL_free(xserial); } /* * Either it's not a serial number, or we didn't pass, so lets * look at the next option. */ const XMLCh * ski = kx->getX509SKI(); if (ski != NULL) { char * cski = XMLString::transcode(ski); int clen = (int) strlen(cski); unsigned char * xski = new unsigned char[clen]; ArrayJanitor <unsigned char> j_xski(xski); // Decode OpenSSLCryptoBase64 b64; b64.decodeInit(); int xlen = b64.decode((unsigned char *) cski, clen, xski, clen); xlen += b64.decodeFinish(&xski[xlen], clen - xlen); XSEC_RELEASE_XMLCH(cski); if (xlen != 0) { // Have a buffer with a number in it STACK_OF(X509_EXTENSION) *exts; exts = x->cert_info->extensions; if (exts != NULL) { // Find the Subject Key Identifier OID X509_EXTENSION * ext; ASN1_OBJECT * objski = OBJ_nid2obj(NID_subject_key_identifier); int extn = X509v3_get_ext_by_OBJ(exts, objski, -1); if (extn != -1) { // Dummy up an OCTET_STRING from the xski unsigned char * octxski = new unsigned char[xlen + 2]; ArrayJanitor<unsigned char> j_octxski(octxski); octxski[0] = 4; octxski[1] = xlen; memcpy(&octxski[2], xski, xlen); ext = sk_X509_EXTENSION_value(exts,extn); ASN1_OCTET_STRING *skid = ext->value; ASN1_OCTET_STRING * xskid = M_ASN1_OCTET_STRING_new(); ASN1_STRING_set(xskid, octxski, xlen+2); if (ASN1_OCTET_STRING_cmp(xskid, skid) == 0) { ASN1_OCTET_STRING_free(xskid); return true; } } } } } /* Not a subject key identifier */ const XMLCh *sn = kx->getX509SubjectName(); if (sn != NULL) { char * csn = XMLString::transcode(sn); X509_NAME * x509name = X509_get_subject_name(x); X509_NAME * snname = X509_NAME_create_from_txt(csn); XSEC_RELEASE_XMLCH(csn); if (snname != NULL) { if (!X509_NAME_cmp(x509name, snname)) { X509_NAME_free(snname); return true; } X509_NAME_free(snname); } } } } return false; }
X509 * InteropResolver::nextFile2Cert(void) { if (m_searchFinished) return NULL; int res; if (!m_searchStarted) { char * base = XMLString::transcode(mp_baseURI); safeBuffer path = base; XSEC_RELEASE_XMLCH(base); path.sbStrcatIn("/certs/*.crt"); #if defined(_WIN32) // Reverse the "backslash" characters reverseSlash(path); m_handle = (long) _findfirst(path.rawCharBuffer(), &m_finder); res = m_handle; #else if (glob(path.rawCharBuffer(), 0, NULL, &m_globbuf) != 0) res = -1; else res = 0; #endif m_searchStarted = true; } else { #if defined(_WIN32) res = _findnext(m_handle, &m_finder); #else if (m_fcount == (int) m_globbuf.gl_pathc) res = -1; else res = 0; #endif } if (res == -1) { m_searchFinished = true; return NULL; } /* * Create the OpenSSL BIOs necessary to read in the X509 cert */ BIO * bioCert; if ((bioCert = BIO_new(BIO_s_file())) == NULL) { std::cerr << "Error opening certificate file\n\n"; exit (1); } // Create the filename safeBuffer fname; #if defined(_WIN32) fname.sbTranscodeIn(mp_baseURI); fname.sbStrcatIn("/certs/"); fname.sbStrcatIn(m_finder.name); reverseSlash(fname); #else fname.sbStrcpyIn(m_globbuf.gl_pathv[m_fcount++]); #endif if (BIO_read_filename(bioCert, fname.rawCharBuffer()) <= 0) { std::cerr << "Error opening certificate file\n" << fname.rawCharBuffer() << std::endl; return NULL; } X509 * x509 = d2i_X509_bio(bioCert, NULL); BIO_free(bioCert); return x509; }
InteropResolver::~InteropResolver() { if (mp_baseURI != NULL) XSEC_RELEASE_XMLCH(mp_baseURI); }