XSECAlgorithmMapper::~XSECAlgorithmMapper() {
MapperEntryVectorType::iterator it = m_mapping.begin();
while (it != m_mapping.end()) {
XSEC_RELEASE_XMLCH(((*it)->mp_uri));
delete (*it)->mp_handler;
delete (*it);
it++;
}
m_mapping.clear();
XMLCh* ptr;
for (WhitelistVectorType::const_iterator i = m_whitelist.begin(); i != m_whitelist.end(); ++i) {
ptr = *i;
XSEC_RELEASE_XMLCH(ptr);
}
m_whitelist.clear();
for (WhitelistVectorType::const_iterator i = m_blacklist.begin(); i != m_blacklist.end(); ++i) {
ptr = *i;
XSEC_RELEASE_XMLCH(ptr);
}
m_blacklist.clear();
}
XSECEnv::~XSECEnv() {
if (mp_formatter != NULL) {
delete mp_formatter;
}
if (mp_prefixNS != NULL) {
XSEC_RELEASE_XMLCH(mp_prefixNS);
}
if (mp_11PrefixNS != NULL) {
XSEC_RELEASE_XMLCH(mp_11PrefixNS);
}
if (mp_ecPrefixNS != NULL) {
XSEC_RELEASE_XMLCH(mp_ecPrefixNS);
}
if (mp_xpfPrefixNS != NULL) {
XSEC_RELEASE_XMLCH(mp_xpfPrefixNS);
}
if (mp_xencPrefixNS != NULL) {
XSEC_RELEASE_XMLCH(mp_xencPrefixNS);
}
if (mp_xenc11PrefixNS != NULL) {
XSEC_RELEASE_XMLCH(mp_xenc11PrefixNS);
}
if (mp_xkmsPrefixNS != NULL) {
XSEC_RELEASE_XMLCH(mp_xkmsPrefixNS);
}
if (mp_URIResolver != NULL) {
delete mp_URIResolver;
}
// Clean up Id attribute names
IdNameVectorType::iterator it;
for (it = m_idAttributeNameList.begin(); it != m_idAttributeNameList.end(); it++) {
IdAttributeType * i = *it;
if (i->mp_namespace != NULL)
XSEC_RELEASE_XMLCH((i->mp_namespace));
if (i->mp_name)
XSEC_RELEASE_XMLCH((i->mp_name));
delete *it;
}
m_idAttributeNameList.empty();
}
// ---------------------------------------------------------------------------
// ostream << DOMString
//
// Stream out a DOM string. Doing this requires that we first transcode
// to char * form in the default code page for the system
// ---------------------------------------------------------------------------
ostream& operator<< (ostream& target, const DOMString& s)
{
char *p = s.transcode();
target << p;
XSEC_RELEASE_XMLCH(p);
return target;
}
DOMElement * DSIGKeyInfoName::createBlankKeyName(const XMLCh * name, bool isDName) {
// Create the DOM Structure
safeBuffer str;
DOMDocument *doc = mp_env->getParentDocument();
const XMLCh * prefix = mp_env->getDSIGNSPrefix();
makeQName(str, prefix, "KeyName");
DOMElement *ret = doc->createElementNS(DSIGConstants::s_unicodeStrURIDSIG, str.rawXMLChBuffer());
mp_keyInfoDOMNode = ret;
// Check whether to encode prior to adding
if (isDName == true) {
// Treat as a distinguished name
mp_decodedDName = XMLString::replicate(name);
XMLCh * encodedName = encodeDName(name);
mp_keyNameTextNode = doc->createTextNode(encodedName);
XSEC_RELEASE_XMLCH(encodedName);
}
else
mp_keyNameTextNode = doc->createTextNode(name);
ret->appendChild(mp_keyNameTextNode);
mp_name = mp_keyNameTextNode->getNodeValue();
return ret;
}
void XSECURIResolverGenericUnix::setBaseURI(const XMLCh * uri) {
if (mp_baseURI != NULL)
XSEC_RELEASE_XMLCH(mp_baseURI);
mp_baseURI = XMLString::replicate(uri);
}
void XSECEnv::setXKMSNSPrefix(const XMLCh * prefix) {
if (mp_xkmsPrefixNS != NULL)
XSEC_RELEASE_XMLCH(mp_xkmsPrefixNS);
mp_xkmsPrefixNS = XMLString::replicate(prefix);
}
void safeBuffer::sbXMLChCat8(const char * str) {
checkBufferType(BUFFER_UNICODE);
XMLCh * toAdd = transcodeFromUTF8((const unsigned char *) str);
sbXMLChCat(toAdd);
XSEC_RELEASE_XMLCH(toAdd);
}
const XMLCh * safeBuffer::sbStrToXMLCh(void) const {
checkBufferType(BUFFER_CHAR);
if (mp_XMLCh != NULL)
XSEC_RELEASE_XMLCH(mp_XMLCh);
mp_XMLCh = XMLString::transcode((char *) buffer);
return mp_XMLCh;
}
safeBuffer::~safeBuffer() {
if (buffer != NULL) {
if (m_isSensitive == true)
cleanseBuffer();
delete[] buffer;
}
if (mp_XMLCh != NULL)
XSEC_RELEASE_XMLCH(mp_XMLCh);
}
void DSIGKeyInfoName::setKeyName(const XMLCh * name, bool isDName) {
if (mp_keyNameTextNode == 0) {
// Attempt to load an empty element
throw XSECException(XSECException::LoadEmptySignature,
MAKE_UNICODE_STRING("KeyInfoName::set() called prior to load() or createBlank()"));
}
if (mp_decodedDName != NULL) {
XSEC_RELEASE_XMLCH(mp_decodedDName);
mp_decodedDName = NULL;
}
if (isDName == true) {
// This name should be treated as a Distinguished Name - so do the
// required encoding
mp_decodedDName = XMLString::replicate(name);
XMLCh * encodedName = encodeDName(name);
mp_keyNameTextNode->setNodeValue(encodedName);
XSEC_RELEASE_XMLCH(encodedName);
}
else {
mp_keyNameTextNode->setNodeValue(name);
}
mp_name = mp_keyNameTextNode->getNodeValue();
}
bool XSECEnv::deregisterIdAttributeName(const XMLCh * name) {
IdNameVectorType::iterator it;
for (it = m_idAttributeNameList.begin(); it != m_idAttributeNameList.end(); it++) {
if (!((*it)->m_useNamespace) && strEquals((*it)->mp_name, name)) {
// Remove this item
XSEC_RELEASE_XMLCH(((*it)->mp_name));
delete *it;
m_idAttributeNameList.erase(it);
return true;
}
}
return false;
}
void safeBuffer::sbXMLChCat(const char * str) {
checkBufferType(BUFFER_UNICODE);
xsecsize_t len = XMLString::stringLen((XMLCh *) buffer) * size_XMLCh;
XMLCh * t = XMLString::transcode(str);
assert (t != NULL);
len += XMLString::stringLen(t);
len += (xsecsize_t) (2 * size_XMLCh);
checkAndExpand(len);
XMLString::catString((XMLCh *) buffer, t);
XSEC_RELEASE_XMLCH(t);
}
void safeBuffer::sbTranscodeIn(const char * inStr) {
// Transcode the string to the local code page and store in the buffer
XMLCh * t;
t = XMLString::transcode(inStr);
assert (t != 0);
// Copy into local buffer
xsecsize_t len = XMLString::stringLen(t) + 1;
len *= (xsecsize_t) size_XMLCh;
checkAndExpand(len);
XMLString::copyString((XMLCh *) buffer, t);
m_bufferType = BUFFER_UNICODE;
XSEC_RELEASE_XMLCH(t);
}
void safeBuffer::sbTranscodeIn(const XMLCh * inStr) {
// Transcode the string to the local code page and store in the buffer
char * t;
t = XMLString::transcode(inStr);
assert (t != 0);
// Now copy into our local buffer - a bit inefficient but better in the long run
// as a buffer that is the exact size is likely to be deleted anyway during a
// concat operation
xsecsize_t len = (xsecsize_t) strlen(t) + 1;
checkAndExpand(len);
strcpy((char *) buffer, t);
m_bufferType = BUFFER_CHAR;
XSEC_RELEASE_XMLCH(t);
}
XSECCryptoKey * InteropResolver::openCertURI(const XMLCh * uri) {
// Open a certificate from a file URI relative to the signature file
BIO * bioCert;
if ((bioCert = BIO_new(BIO_s_file())) == NULL) {
return NULL;
}
safeBuffer fname;
char * u = XMLString::transcode(uri);
fname.sbTranscodeIn(mp_baseURI);
fname.sbStrcatIn("/");
fname.sbStrcatIn(u);
XSEC_RELEASE_XMLCH(u);
#if defined(_WIN32)
reverseSlash(fname);
#endif
if (BIO_read_filename(bioCert, fname.rawCharBuffer()) <= 0) {
return NULL;
}
X509 * x509 = d2i_X509_bio(bioCert, NULL);
BIO_free(bioCert);
OpenSSLCryptoX509 oX509(x509);
X509_free(x509);
return oX509.clonePublicKey();
}
XSECCryptoKey * InteropResolver::resolveKey(DSIGKeyInfoList * lst) {
// First check if this has an X509 cert + an X509 CRL
const XMLCh * b64cert = NULL;
const XMLCh * b64crl = NULL;
int lstSize = (int) lst->getSize();
for (int i = 0; i < lstSize; ++i) {
DSIGKeyInfo * ki;
ki = lst->item(i);
const XMLCh * rawuri;
if (ki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
DSIGKeyInfoX509 * kix509 = static_cast<DSIGKeyInfoX509 *>(ki);
if ((rawuri = kix509->getRawRetrievalURI()) != NULL) {
// We have a raw certificate by de-reference
// Assume it is just a file dereference and open the cert
return openCertURI(rawuri);
}
if (kix509->getCertificateListSize() == 1) {
b64cert = kix509->getCertificateItem(0);
}
if (b64crl == NULL) {
b64crl = kix509->getX509CRL();
}
}
else if (ki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_NAME) {
DSIGKeyInfoName * kn = static_cast<DSIGKeyInfoName *>(ki);
if (kn->getKeyName() != NULL) {
static XMLCh certStr[] = {
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_c,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_e,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_r,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_t,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_s,
XERCES_CPP_NAMESPACE_QUALIFIER chForwardSlash,
XERCES_CPP_NAMESPACE_QUALIFIER chNull
};
static XMLCh extStr[] = {
XERCES_CPP_NAMESPACE_QUALIFIER chPeriod,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_c,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_r,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_t,
XERCES_CPP_NAMESPACE_QUALIFIER chNull
};
safeBuffer fname;
fname = certStr;
fname.sbXMLChCat(kn->getKeyName());
fname.sbXMLChCat(extStr);
fname.sbStrlwr();
return openCertURI(fname.rawXMLChBuffer());
}
}
}
if (b64cert != NULL && b64crl != NULL) {
// We have a certificate and a crl, lets get the cert and check in the crl
OpenSSLCryptoBase64 b64;
char * transb64cert = XMLString::transcode(b64cert);
unsigned char * x509buf = new unsigned char[strlen(transb64cert)];
ArrayJanitor<unsigned char> j_x509buf(x509buf);
int x509bufLen;
X509 *x;
b64.decodeInit();
x509bufLen = b64.decode((unsigned char *) transb64cert, (unsigned int) strlen(transb64cert), x509buf, (unsigned int) strlen(transb64cert));
x509bufLen += b64.decodeFinish(&x509buf[x509bufLen], (unsigned int) strlen(transb64cert) - x509bufLen);
XSEC_RELEASE_XMLCH(transb64cert);
if (x509bufLen > 0) {
#if defined(XSEC_OPENSSL_D2IX509_CONST_BUFFER)
x = d2i_X509(NULL, (const unsigned char **) (&x509buf), x509bufLen
);
#else
x = d2i_X509(NULL, &x509buf, x509bufLen);
#endif
}
else
return NULL; // Something has gone wrong
if (x == NULL)
return NULL;
// Now the CRL
char * transb64crl = XMLString::transcode(b64crl);
unsigned char * crlbuf = new unsigned char[strlen(transb64crl)];
ArrayJanitor<unsigned char> j_crlbuf(crlbuf);
int crlbufLen;
X509_CRL * c;
b64.decodeInit();
crlbufLen = b64.decode((unsigned char*) transb64crl, (unsigned int) strlen(transb64crl), crlbuf, (unsigned int) strlen(transb64crl));
crlbufLen += b64.decodeFinish(&crlbuf[crlbufLen], (unsigned int) strlen(transb64crl) - crlbufLen);
XSEC_RELEASE_XMLCH(transb64crl);
if (crlbufLen > 0) {
#if defined(XSEC_OPENSSL_D2IX509_CONST_BUFFER)
c = d2i_X509_CRL(NULL, (const unsigned char **) (&crlbuf), crlbufLen);
#else
c = d2i_X509_CRL(NULL, &crlbuf, crlbufLen);
#endif
}
else
return NULL; // Something has gone wrong
if (c == NULL)
return NULL;
// Now check if the cert is in the CRL (code lifted from OpenSSL x509_vfy.c
int idx;
X509_REVOKED rtmp;
/* Look for serial number of certificate in CRL */
rtmp.serialNumber = X509_get_serialNumber(x);
idx = sk_X509_REVOKED_find(c->crl->revoked, &rtmp);
/* Not found: OK */
if(idx != -1) {
std::cerr << "Warning - certificate revoked in attached CRL" << std::endl;
}
OpenSSLCryptoX509 ox(x);
X509_free(x);
X509_CRL_free(c);
return ox.clonePublicKey();
}
// Do a run through each match in the directory
while (m_searchFinished == false) {
X509 * x = nextFile2Cert();
if (x != NULL) {
if (checkMatch(lst, x)) {
OpenSSLCryptoX509 ox(x);
X509_free(x);
return ox.clonePublicKey();
}
}
X509_free(x);
}
return false;
}
DSIGKeyInfoName::~DSIGKeyInfoName() {
if (mp_decodedDName != NULL)
XSEC_RELEASE_XMLCH(mp_decodedDName);
};
BinInputStream * XSECURIResolverGenericUnix::resolveURI(const XMLCh * uri) {
XSEC_USING_XERCES(BinInputStream);
XSEC_USING_XERCES(XMLUri);
XSEC_USING_XERCES(XMLUni);
XSEC_USING_XERCES(Janitor);
XSEC_USING_XERCES(BinFileInputStream);
XMLUri * xmluri;
if (uri == NULL) {
throw XSECException(XSECException::ErrorOpeningURI,
"XSECURIResolverGenericUnix - anonymous references not supported in default URI Resolvers");
}
// Create the appropriate XMLUri objects
if (mp_baseURI != NULL) {
XMLUri * turi;
#if XERCES_VERSION_MAJOR == 2 && XERCES_VERSION_MINOR < 3
// XMLUri relative paths are broken, so we need to strip out ".."
XSECAutoPtrXMLCh b(mp_baseURI);
XSECAutoPtrXMLCh r(uri);
int index = 0;
while (XMLString::startsWith(&(r.get()[index]), DOTDOT_SLASH)) {
// Strip the last segment of the base
int lastIndex = XMLString::lastIndexOf(b.get(), XERCES_CPP_NAMESPACE_QUALIFIER chForwardSlash);
if (lastIndex > 0)
const_cast<XMLCh*>(b.get())[lastIndex] = 0;
index += 3;
}
XSECnew(turi, XMLUri(b.get()));
Janitor<XMLUri> j_turi(turi);
XSECnew(xmluri, XMLUri(turi, &(r.get()[index])));
#else
XSECnew(turi, XMLUri(mp_baseURI));
Janitor<XMLUri> j_turi(turi);
XSECnew(xmluri, XMLUri(turi, uri));
#endif
}
else {
XSECnew(xmluri, XMLUri(uri));
}
Janitor<XMLUri> j_xmluri(xmluri);
// Determine what kind of URI this is and how to handle it.
if (!XMLString::compareIString(xmluri->getScheme(), gFileScheme)) {
// This is a file. We only really understand if this is localhost
// XMLUri has already cleaned of escape characters (%xx)
if (xmluri->getHost() == NULL || xmluri->getHost()[0] == chNull ||
!XMLString::compareIString(xmluri->getHost(), XMLUni::fgLocalHostString)) {
// Clean hex escapes
XMLCh * realPath = cleanURIEscapes(xmluri->getPath());
// Localhost
BinFileInputStream* retStrm = new BinFileInputStream(realPath);
XSEC_RELEASE_XMLCH(realPath);
if (!retStrm->getIsOpen())
{
delete retStrm;
return 0;
}
return retStrm;
}
else {
throw XSECException(XSECException::ErrorOpeningURI,
"XSECURIResolverGenericUnix - unable to open non-localhost file");
}
}
// Is the scheme a HTTP?
if (!XMLString::compareIString(xmluri->getScheme(), gHttpScheme)) {
// Pass straight to our local XSECBinHTTPUriInputStream
XSECBinHTTPURIInputStream *ret;
XSECnew(ret, XSECBinHTTPURIInputStream(*xmluri));
return ret;
}
throw XSECException(XSECException::ErrorOpeningURI,
"XSECURIResolverGenericUnix - unknown URI scheme");
}
XSECURIResolverGenericUnix::~XSECURIResolverGenericUnix() {
if (mp_baseURI != NULL)
XSEC_RELEASE_XMLCH(mp_baseURI);
}
bool InteropResolver::checkMatch(DSIGKeyInfoList * lst, X509 * x) {
// Check if the parameters in x match the required certificate
int sz = (int) lst->getSize();
DSIGKeyInfo* k;
for (int i = 0; i < sz; ++i) {
k = lst->item(i);
if (k->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
DSIGKeyInfoX509 * kx = static_cast<DSIGKeyInfoX509 *>(k);
const XMLCh * serial = kx->getX509IssuerSerialNumber();
if (serial != NULL) {
char * cserial = XMLString::transcode(serial);
char * xserial;
BIGNUM * bnserial = ASN1_INTEGER_to_BN(x->cert_info->serialNumber, NULL);
xserial = BN_bn2dec(bnserial);
BN_free(bnserial);
if (strcmp(xserial, cserial) == 0) {
OPENSSL_free(xserial);
XSEC_RELEASE_XMLCH(cserial);
return true;
}
//delete[] xserial;
XSEC_RELEASE_XMLCH(cserial);
OPENSSL_free(xserial);
}
/*
* Either it's not a serial number, or we didn't pass, so lets
* look at the next option.
*/
const XMLCh * ski = kx->getX509SKI();
if (ski != NULL) {
char * cski = XMLString::transcode(ski);
int clen = (int) strlen(cski);
unsigned char * xski = new unsigned char[clen];
ArrayJanitor <unsigned char> j_xski(xski);
// Decode
OpenSSLCryptoBase64 b64;
b64.decodeInit();
int xlen = b64.decode((unsigned char *) cski, clen, xski, clen);
xlen += b64.decodeFinish(&xski[xlen], clen - xlen);
XSEC_RELEASE_XMLCH(cski);
if (xlen != 0) {
// Have a buffer with a number in it
STACK_OF(X509_EXTENSION) *exts;
exts = x->cert_info->extensions;
if (exts != NULL) {
// Find the Subject Key Identifier OID
X509_EXTENSION * ext;
ASN1_OBJECT * objski = OBJ_nid2obj(NID_subject_key_identifier);
int extn = X509v3_get_ext_by_OBJ(exts, objski, -1);
if (extn != -1) {
// Dummy up an OCTET_STRING from the xski
unsigned char * octxski = new unsigned char[xlen + 2];
ArrayJanitor<unsigned char> j_octxski(octxski);
octxski[0] = 4;
octxski[1] = xlen;
memcpy(&octxski[2], xski, xlen);
ext = sk_X509_EXTENSION_value(exts,extn);
ASN1_OCTET_STRING *skid = ext->value;
ASN1_OCTET_STRING * xskid = M_ASN1_OCTET_STRING_new();
ASN1_STRING_set(xskid, octxski, xlen+2);
if (ASN1_OCTET_STRING_cmp(xskid, skid) == 0) {
ASN1_OCTET_STRING_free(xskid);
return true;
}
}
}
}
}
/* Not a subject key identifier */
const XMLCh *sn = kx->getX509SubjectName();
if (sn != NULL) {
char * csn = XMLString::transcode(sn);
X509_NAME * x509name = X509_get_subject_name(x);
X509_NAME * snname = X509_NAME_create_from_txt(csn);
XSEC_RELEASE_XMLCH(csn);
if (snname != NULL) {
if (!X509_NAME_cmp(x509name, snname)) {
X509_NAME_free(snname);
return true;
}
X509_NAME_free(snname);
}
}
}
}
return false;
}
X509 * InteropResolver::nextFile2Cert(void) {
if (m_searchFinished)
return NULL;
int res;
if (!m_searchStarted) {
char * base = XMLString::transcode(mp_baseURI);
safeBuffer path = base;
XSEC_RELEASE_XMLCH(base);
path.sbStrcatIn("/certs/*.crt");
#if defined(_WIN32)
// Reverse the "backslash" characters
reverseSlash(path);
m_handle = (long) _findfirst(path.rawCharBuffer(), &m_finder);
res = m_handle;
#else
if (glob(path.rawCharBuffer(), 0, NULL, &m_globbuf) != 0)
res = -1;
else
res = 0;
#endif
m_searchStarted = true;
}
else {
#if defined(_WIN32)
res = _findnext(m_handle, &m_finder);
#else
if (m_fcount == (int) m_globbuf.gl_pathc)
res = -1;
else
res = 0;
#endif
}
if (res == -1) {
m_searchFinished = true;
return NULL;
}
/*
* Create the OpenSSL BIOs necessary to read in the X509 cert
*/
BIO * bioCert;
if ((bioCert = BIO_new(BIO_s_file())) == NULL) {
std::cerr << "Error opening certificate file\n\n";
exit (1);
}
// Create the filename
safeBuffer fname;
#if defined(_WIN32)
fname.sbTranscodeIn(mp_baseURI);
fname.sbStrcatIn("/certs/");
fname.sbStrcatIn(m_finder.name);
reverseSlash(fname);
#else
fname.sbStrcpyIn(m_globbuf.gl_pathv[m_fcount++]);
#endif
if (BIO_read_filename(bioCert, fname.rawCharBuffer()) <= 0) {
std::cerr << "Error opening certificate file\n" << fname.rawCharBuffer() << std::endl;
return NULL;
}
X509 * x509 = d2i_X509_bio(bioCert, NULL);
BIO_free(bioCert);
return x509;
}
InteropResolver::~InteropResolver() {
if (mp_baseURI != NULL)
XSEC_RELEASE_XMLCH(mp_baseURI);
}
