//Load public key from a certificate file into key manager xmlSecKeysMngrPtr load_key_from_certfile(xmlSecKeysMngrPtr* keys_manager, const char* certfile) { xmlSecKeysMngrPtr keys_mngr; if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager; else { keys_mngr = xmlSecKeysMngrCreate(); //initialize keys manager if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) { std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl; xmlSecKeysMngrDestroy(keys_mngr); return NULL; } } if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;} std::string cert_str; cert_str = get_cert_str(certfile); xmlSecKeyPtr key = get_key_from_certstr(cert_str); if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(keys_mngr, key) < 0) { std::cerr<<"Failed to add key from "<<certfile<<" to keys manager"<<std::endl; xmlSecKeyDestroy(key); xmlSecKeysMngrDestroy(keys_mngr); return NULL; } if(keys_manager != NULL) keys_manager = &keys_mngr; return keys_mngr; }
CAMLprim value xmlsecml_xmlSecKeysMngrCreate(value unit) { CAMLparam1(unit); xmlSecKeysMngrPtr km; km = xmlSecKeysMngrCreate(); assert(km!=NULL); CAMLreturn(alloc_keymngr(km)); }
/** * load_des_keys: * @files: the list of filenames. * @files_size: the number of filenames in #files. * * Creates simple keys manager and load DES keys from #files in it. * The caller is responsible for destroing returned keys manager using * @xmlSecKeysMngrDestroy. * * Returns the pointer to newly created keys manager or NULL if an error * occurs. */ xmlSecKeysMngrPtr load_des_keys(char** files, int files_size) { xmlSecKeysMngrPtr mngr; xmlSecKeyPtr key; int i; assert(files); assert(files_size > 0); /* create and initialize keys manager, we use a simple list based * keys manager, implement your own xmlSecKeysStore klass if you need * something more sophisticated */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { fprintf(stderr, "Error: failed to create keys manager.\n"); return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { fprintf(stderr, "Error: failed to initialize keys manager.\n"); xmlSecKeysMngrDestroy(mngr); return(NULL); } for(i = 0; i < files_size; ++i) { assert(files[i]); /* load DES key */ key = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, files[i]); if(key == NULL) { fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", files[i]); xmlSecKeysMngrDestroy(mngr); return(NULL); } /* set key name to the file name, this is just an example! */ if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) { fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]); xmlSecKeyDestroy(key); xmlSecKeysMngrDestroy(mngr); return(NULL); } /* add key to keys manager, from now on keys manager is responsible * for destroying key */ if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) { fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]); xmlSecKeyDestroy(key); xmlSecKeysMngrDestroy(mngr); return(NULL); } } return(mngr); }
static xmlSecKeysMngrPtr getKeyManager(VALUE rb_hash) { xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate(); if (keyManager == NULL) return NULL; if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) { rb_raise(rb_eKeystoreError, "could not initialize key manager"); xmlSecKeysMngrDestroy(keyManager); return NULL; } rb_hash_foreach(rb_hash, addRubyKeyToManager, (VALUE)keyManager); return keyManager; }
/**Funkcja weryfikuje poprawność podpisu xades. Weryfikacja obejmuje obliczenia matematyczne * oraz weryfikację poszczególnych pól formualarza i certyfikatu. * \retval -109 Certyfikat poza terminem ważności. * */ long xades_verify(const char * buffer, const long buffer_len, GenBuf_t *timestamp) { xmlSecKeysMngrPtr mngr = NULL; long ret = 0; long status = 0; if (buffer == NULL) { PRINT_DEBUG("Wrong argument 1!\n"); return ERR_arg+1; } if (timestamp == NULL) { PRINT_DEBUG("Wrong argument 3!\n"); return ERR_arg+3; } /* Init libxml and libxslt libraries */ xades_init(); /* create keys manager and load trusted certificates */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { PRINT_DEBUG( "Error: failed to create keys manager.\n"); ret = -1; } if (mngr != NULL) { status = xmlSecCryptoAppDefaultKeysMngrInit(mngr); if(status < 0) { PRINT_DEBUG( "Error: failed to initialize keys manager: %li\n",status); ret = -2; } else { status = verify_memory(mngr,buffer, buffer_len); if (status != 0) { PRINT_ERROR("XAdES memory verification result: %li\n",status); ret = -4; } status = verify_fields(buffer, buffer_len, timestamp); if (status < 0) { PRINT_ERROR("XAdES tags verification result: %li\n", status); ret = -100+status; } } } xmlSecKeysMngrDestroy(mngr); xades_destroy(); return ret; }
xmlSecKeysMngrPtr load_certificates_verify() { xmlSecKeysMngrPtr key_manager; /* create and initialize keys manager */ key_manager = xmlSecKeysMngrCreate(); if (key_manager == NULL) { return(NULL); } if (xmlSecCryptoAppDefaultKeysMngrInit(key_manager) < 0) { xmlSecKeysMngrDestroy(key_manager); return(NULL); } return(key_manager); }
// --------------------------------------------------------------------------- // Second phase constructor // --------------------------------------------------------------------------- // void CXmlSecKeyManager::ConstructL() { iKeyManager = xmlSecKeysMngrCreate(); if(!iKeyManager) { XmlEngOOMTestL(); XmlSecErrorFlagTestL(); User::Leave(KErrKeyManagerInit); } if(xmlSecCryptoAppDefaultKeysMngrInit(iKeyManager) < 0) { xmlSecKeysMngrDestroy(iKeyManager); iKeyManager = NULL; XmlEngOOMTestL(); XmlSecErrorFlagTestL(); User::Leave(KErrKeyManagerInit); } }
static xmlSecKeysMngrPtr getKeyManager(VALUE rb_certs) { int i, numCerts = RARRAY_LEN(rb_certs); xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate(); VALUE rb_cert; char *cert; unsigned int certLength; int numSuccessful = 0; if (keyManager == NULL) return NULL; if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) { rb_raise(rb_eKeystoreError, "could not initialize key manager"); xmlSecKeysMngrDestroy(keyManager); return NULL; } for (i = 0; i < numCerts; i++) { rb_cert = RARRAY_PTR(rb_certs)[i]; Check_Type(rb_cert, T_STRING); cert = RSTRING_PTR(rb_cert); certLength = RSTRING_LEN(rb_cert); if(xmlSecCryptoAppKeysMngrCertLoadMemory(keyManager, (xmlSecByte *)cert, certLength, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { rb_warn("failed to load certificate at index %d", i); } else { numSuccessful++; } } // note, numCerts could be zero, meaning that we should use system SSL certs if (numSuccessful == 0 && numCerts != 0) { rb_raise(rb_eKeystoreError, "Could not load any of the specified certificates for signature verification"); xmlSecKeysMngrDestroy(keyManager); return NULL; } return keyManager; }
//Load trusted certificate from file xmlSecKeysMngrPtr load_trusted_cert_file(xmlSecKeysMngrPtr* keys_manager, const char* cert_file) { xmlSecKeysMngrPtr keys_mngr; if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager; else { keys_mngr = xmlSecKeysMngrCreate(); //initialize keys manager if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) { std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl; xmlSecKeysMngrDestroy(keys_mngr); return NULL; } } if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;} //load cert from file if(cert_file && (strlen(cert_file) != 0)) if(xmlSecCryptoAppKeysMngrCertLoad(keys_mngr, cert_file, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { xmlSecKeysMngrDestroy(keys_mngr); return NULL; } if(keys_manager != NULL) keys_manager = &keys_mngr; return keys_mngr; }
/** * create_files_keys_mngr: * * Creates a files based keys manager: we assume that key name is * the key file name, * * Returns pointer to newly created keys manager or NULL if an error occurs. */ xmlSecKeysMngrPtr create_files_keys_mngr(void) { xmlSecKeyStorePtr keysStore; xmlSecKeysMngrPtr mngr; /* create files based keys store */ keysStore = xmlSecKeyStoreCreate(files_keys_store_get_klass()); if(keysStore == NULL) { fprintf(stderr, "Error: failed to create keys store.\n"); return(NULL); } /* create keys manager */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { fprintf(stderr, "Error: failed to create keys manager.\n"); xmlSecKeyStoreDestroy(keysStore); return(NULL); } /* add store to keys manager, from now on keys manager destroys the store if needed */ if(xmlSecKeysMngrAdoptKeysStore(mngr, keysStore) < 0) { fprintf(stderr, "Error: failed to add keys store to keys manager.\n"); xmlSecKeyStoreDestroy(keysStore); xmlSecKeysMngrDestroy(mngr); return(NULL); } /* initialize crypto library specific data in keys manager */ if(xmlSecCryptoKeysMngrInit(mngr) < 0) { fprintf(stderr, "Error: failed to initialize crypto data in keys manager.\n"); xmlSecKeysMngrDestroy(mngr); return(NULL); } /* set the get key callback */ mngr->getKey = xmlSecKeysMngrGetKey; return(mngr); }
//Load trusted cetificates into key manager xmlSecKeysMngrPtr load_trusted_certs(xmlSecKeysMngrPtr* keys_manager, const char* cafile, const char* capath) { xmlSecKeysMngrPtr keys_mngr; if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager; else { keys_mngr = xmlSecKeysMngrCreate(); //initialize keys manager if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) { std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl; xmlSecKeysMngrDestroy(keys_mngr); return NULL; } } if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;} //load ca certs into keys manager, the two method used here could not work in some old xmlsec verion, //because of some bug about X509_FILETYPE_DEFAULT and X509_FILETYPE_PEM //load a ca path if(capath && (strlen(capath) != 0)) if(xmlSecOpenSSLAppKeysMngrAddCertsPath(keys_mngr, capath) < 0) { xmlSecKeysMngrDestroy(keys_mngr); return NULL; } #if 0 //load a ca file TODO: can only be used in some new version of xmlsec if(cafile && (strlen(cafile) != 0)) if(xmlSecOpenSSLAppKeysMngrAddCertsFile(keys_mngr, cafile) < 0) { xmlSecKeysMngrDestroy(keys_mngr); return NULL; } #endif if(cafile && (strlen(cafile) != 0)) if(xmlSecCryptoAppKeysMngrCertLoad(keys_mngr, cafile, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { xmlSecKeysMngrDestroy(keys_mngr); return NULL; } if(keys_manager != NULL) keys_manager = &keys_mngr; return keys_mngr; }
//Could be used for many trusted certificates in string xmlSecKeysMngrPtr load_trusted_cert_str(xmlSecKeysMngrPtr* keys_manager, const std::string& cert_str) { xmlSecKeysMngrPtr keys_mngr; if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager; else { keys_mngr = xmlSecKeysMngrCreate(); //initialize keys manager if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) { std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl; xmlSecKeysMngrDestroy(keys_mngr); return NULL; } } if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;} //load cert from memory if(!cert_str.empty()) if(xmlSecCryptoAppKeysMngrCertLoadMemory(keys_mngr, (const xmlSecByte*)(cert_str.c_str()), (xmlSecSize)(cert_str.size()), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { xmlSecKeysMngrDestroy(keys_mngr); return NULL; } if(keys_manager != NULL) keys_manager = &keys_mngr; return keys_mngr; }
/** * load_trusted_certs: * @files: the list of filenames. * @files_size: the number of filenames in #files. * * Creates simple keys manager and load trusted certificates from PEM #files. * The caller is responsible for destroing returned keys manager using * @xmlSecKeysMngrDestroy. * * Returns the pointer to newly created keys manager or NULL if an error * occurs. */ xmlSecKeysMngrPtr load_trusted_certs(char** files, int files_size) { xmlSecKeysMngrPtr mngr; int i; assert(files); assert(files_size > 0); /* create and initialize keys manager, we use a simple list based * keys manager, implement your own xmlSecKeysStore klass if you need * something more sophisticated */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { fprintf(stderr, "Error: failed to create keys manager.\n"); return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { fprintf(stderr, "Error: failed to initialize keys manager.\n"); xmlSecKeysMngrDestroy(mngr); return(NULL); } for(i = 0; i < files_size; ++i) { assert(files[i]); /* load trusted cert */ if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]); xmlSecKeysMngrDestroy(mngr); return(NULL); } } return(mngr); }
xmlSecKeysMngrPtr load_trusted_certs(const char** files) { const char **f; xmlSecKeysMngrPtr mngr, mngr_test; char valid_cert; FILE *file; char *pi, *pf, *data; size_t size; char **a, *all_files[10000]; struct stat stat_struct; DIR *dir; struct dirent *dir_file; char name[10000]; assert(files); /* Create keys manager */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { fprintf(stderr, "XmlSecError: failed to create keys manager.\n"); return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { fprintf(stderr, "XmlSecError: failed to initialize keys manager.\n"); xmlSecKeysMngrDestroy(mngr); return(NULL); } /* Create a list of files scanning directories */ for (f = files, a = all_files; *f; f++) { if (stat(*f, &stat_struct)) perror(*f); else if (S_ISDIR(stat_struct.st_mode)) { dir = opendir(*f); while ((dir_file = readdir(dir))) { sprintf(name, "%s/%s", *f, dir_file->d_name); if (stat(name, &stat_struct)) perror(name); else if (!(S_ISDIR(stat_struct.st_mode))) *(a++) = strdup(name); } closedir(dir); } else *(a++) = strdup(*f); } *a = NULL; /* Open each file, read data and add the certificates to keys manager, because * when load from file directly, just add the first certificate, then we need * read data and add each certificate in it. Other problem is when I have a invalid * certificate, the manager brokes, then I test with a other manager. */ for (a = all_files; *a; a++) { /* Open a file and read content data */ file = fopen(*a, "r"); if (file == NULL){ perror(*a); free(*a); continue; } fseek(file, 0, SEEK_END); size = ftell(file); fseek(file, 0, SEEK_SET); data = (char*)malloc(size + 1); fread(data, size, 1, file); fclose(file); data[size] = '\0'; /* Set pi to start of certificate and pf to end */ pf = pi = data; pf = strstr(pi, "-----END CERTIFICATE-----"); if (!pf) pf = pi + size; while (pf) { /* Test manager for test the certificate */ mngr_test = xmlSecKeysMngrCreate(); valid_cert = 1; if(mngr_test == NULL) { fprintf(stderr, "XmlSecError: failed to create keys manager.\n"); valid_cert = 0; } else if(xmlSecCryptoAppDefaultKeysMngrInit(mngr_test) < 0) { fprintf(stderr, "XmlSecError: failed to initialize keys manager.\n"); valid_cert = 0; } else if (xmlSecCryptoAppKeysMngrCertLoadMemory(mngr_test, (xmlSecByte*)pi, pf - pi + 25, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { fprintf(stderr,"XmlSecError: failed to load pem certificate from \"%s\" at %i.\n", *a, pi - data + 1); valid_cert = 0; } xmlSecKeysMngrDestroy(mngr_test); /* If certificate is valid, add this to keys manager for future use */ if (valid_cert && xmlSecCryptoAppKeysMngrCertLoadMemory( mngr, (xmlSecByte*)pi, pf - pi + 25, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) fprintf(stderr,"XmlSecError: maybe duplicate pem certificate from \"%s\" at %i.\n", *a, pi - data + 1); pi = pf + 25; pf = strstr(pi, "-----END CERTIFICATE-----"); } /* Free allocated memory */ free(*a); free(data); } return(mngr); }
int main(int argc, char **argv) { xmlSecKeysMngrPtr mngr; #ifndef XMLSEC_NO_XSLT xsltSecurityPrefsPtr xsltSecPrefs = NULL; #endif /* XMLSEC_NO_XSLT */ /* start response */ fprintf(stdout, "Content-type: text/plain\n"); fprintf(stdout, "\n"); /* Init libxml and libxslt libraries */ xmlInitParser(); LIBXML_TEST_VERSION xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS; xmlSubstituteEntitiesDefault(1); #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ /* make sure that we print out everything to stdout */ xmlGenericErrorContext = stdout; /* Init libxslt */ #ifndef XMLSEC_NO_XSLT /* disable everything */ xsltSecPrefs = xsltNewSecurityPrefs(); xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); xsltSetDefaultSecurityPrefs(xsltSecPrefs); #endif /* XMLSEC_NO_XSLT */ /* Init xmlsec library */ if(xmlSecInit() < 0) { fprintf(stdout, "Error: xmlsec initialization failed.\n"); return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { fprintf(stdout, "Error: loaded xmlsec library version is not compatible.\n"); return(-1); } /* Load default crypto engine if we are supporting dynamic * loading for xmlsec-crypto libraries. Use the crypto library * name ("openssl", "nss", etc.) to load corresponding * xmlsec-crypto library. */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(NULL) < 0) { fprintf(stdout, "Error: unable to load default xmlsec-crypto library. Make sure\n" "that you have it installed and check shared libraries path\n" "(LD_LIBRARY_PATH) envornment variable.\n"); return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER) < 0) { fprintf(stdout, "Error: crypto initialization failed.\n"); return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { fprintf(stdout, "Error: xmlsec-crypto initialization failed.\n"); return(-1); } /* create keys manager */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { fprintf(stdout, "Error: failed to create keys manager.\n"); return(-1); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { fprintf(stdout, "Error: failed to initialize keys manager.\n"); return(-1); } if(load_keys(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) { xmlSecKeysMngrDestroy(mngr); return(-1); } if(load_trusted_certs(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) { xmlSecKeysMngrDestroy(mngr); return(-1); } if(verify_request(mngr) < 0) { xmlSecKeysMngrDestroy(mngr); return(-1); } /* Destroy keys manager */ xmlSecKeysMngrDestroy(mngr); /* Shutdown xmlsec-crypto library */ xmlSecCryptoShutdown(); /* Shutdown crypto library */ xmlSecCryptoAppShutdown(); /* Shutdown xmlsec library */ xmlSecShutdown(); /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); return(0); }
PyObject *xmlsec_KeysMngrCreate(PyObject *self, PyObject *args) { return (wrap_xmlSecKeysMngrPtr(xmlSecKeysMngrCreate())); }
xmlSecKeysMngrPtr load_certificates_sign(opendcp_t *opendcp) { xmlSecKeysMngrPtr key_manager; xmlSecKeyPtr key; /* create and initialize keys manager */ key_manager = xmlSecKeysMngrCreate(); if (key_manager == NULL) { fprintf(stderr, "Error: failed to create keys manager.\n"); return(NULL); } if (xmlSecCryptoAppDefaultKeysMngrInit(key_manager) < 0) { fprintf(stderr, "Error: failed to initialize keys manager.\n"); xmlSecKeysMngrDestroy(key_manager); return(NULL); } /* read key file */ if (opendcp->xml_signature.private_key) { key = xmlSecCryptoAppKeyLoad(opendcp->xml_signature.private_key, xmlSecKeyDataFormatPem, NULL, NULL, NULL); } else { key = xmlSecCryptoAppKeyLoadMemory(opendcp_private_key, strlen((char *)opendcp_private_key),xmlSecKeyDataFormatPem, NULL, NULL, NULL); } if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(key_manager, key) < 0) { fprintf(stderr, "Error: failed to initialize keys manager.\n"); xmlSecKeysMngrDestroy(key_manager); return(NULL); } /* load root certificate */ if (opendcp->xml_signature.root) { if (xmlSecCryptoAppKeysMngrCertLoad(key_manager, opendcp->xml_signature.root, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", opendcp->xml_signature.root); xmlSecKeysMngrDestroy(key_manager); return(NULL); } } else { if (xmlSecCryptoAppKeysMngrCertLoadMemory(key_manager, opendcp_root_cert, strlen((char* )opendcp_root_cert), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { fprintf(stderr,"Error: failed to load pem certificate from memory\n"); xmlSecKeysMngrDestroy(key_manager); return(NULL); } } /* load ca (intermediate) certificate */ if (opendcp->xml_signature.ca) { if (xmlSecCryptoAppKeysMngrCertLoad(key_manager, opendcp->xml_signature.ca, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", opendcp->xml_signature.ca); xmlSecKeysMngrDestroy(key_manager); return(NULL); } } else { if (xmlSecCryptoAppKeysMngrCertLoadMemory(key_manager, opendcp_ca_cert, strlen((char *)opendcp_ca_cert), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { fprintf(stderr,"Error: failed to load pem certificate from memory\n"); xmlSecKeysMngrDestroy(key_manager); return(NULL); } } return(key_manager); }
/** * xmlSecNssAppliedKeysMngrCreate: * @slot: array of pointers to NSS PKCS#11 slot information. * @cSlots: number of slots in the array * @handler: the pointer to NSS certificate database. * * Create and load NSS crypto slot and certificate database into keys manager * * Returns keys manager pointer on success or NULL otherwise. */ xmlSecKeysMngrPtr xmlSecNssAppliedKeysMngrCreate( PK11SlotInfo** slots, int cSlots, CERTCertDBHandle* handler ) { xmlSecKeyDataStorePtr certStore = NULL ; xmlSecKeysMngrPtr keyMngr = NULL ; xmlSecKeyStorePtr keyStore = NULL ; int islot = 0; keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ; if( keyStore == NULL ) { xmlSecError( XMLSEC_ERRORS_HERE , NULL , "xmlSecKeyStoreCreate" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; return NULL ; } for (islot = 0; islot < cSlots; islot++) { xmlSecNssKeySlotPtr keySlot ; /* Create a key slot */ keySlot = xmlSecNssKeySlotCreate() ; if( keySlot == NULL ) { xmlSecError( XMLSEC_ERRORS_HERE , xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , "xmlSecNssKeySlotCreate" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeyStoreDestroy( keyStore ) ; return NULL ; } /* Set slot */ if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) { xmlSecError( XMLSEC_ERRORS_HERE , xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , "xmlSecNssKeySlotSetSlot" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeyStoreDestroy( keyStore ) ; xmlSecNssKeySlotDestroy( keySlot ) ; return NULL ; } /* Adopt keySlot */ if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) { xmlSecError( XMLSEC_ERRORS_HERE , xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , "xmlSecNssKeysStoreAdoptKeySlot" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeyStoreDestroy( keyStore ) ; xmlSecNssKeySlotDestroy( keySlot ) ; return NULL ; } } keyMngr = xmlSecKeysMngrCreate() ; if( keyMngr == NULL ) { xmlSecError( XMLSEC_ERRORS_HERE , NULL , "xmlSecKeysMngrCreate" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeyStoreDestroy( keyStore ) ; return NULL ; } /*- * Add key store to manager, from now on keys manager destroys the store if * needed */ if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) { xmlSecError( XMLSEC_ERRORS_HERE , xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , "xmlSecKeysMngrAdoptKeyStore" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeyStoreDestroy( keyStore ) ; xmlSecKeysMngrDestroy( keyMngr ) ; return NULL ; } /*- * Initialize crypto library specific data in keys manager */ if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) { xmlSecError( XMLSEC_ERRORS_HERE , NULL , "xmlSecKeysMngrCreate" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeysMngrDestroy( keyMngr ) ; return NULL ; } /*- * Set certificate databse to X509 key data store */ /** * Because Tej's implementation of certDB use the default DB, so I ignore * the certDB handler at present. I'll modify the cert store sources to * accept particular certDB instead of default ones. certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ; if( certStore == NULL ) { xmlSecError( XMLSEC_ERRORS_HERE , xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , "xmlSecKeysMngrGetDataStore" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeysMngrDestroy( keyMngr ) ; return NULL ; } if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) { xmlSecError( XMLSEC_ERRORS_HERE , xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , "xmlSecNssKeyDataStoreX509SetCertDb" , XMLSEC_ERRORS_R_XMLSEC_FAILED , XMLSEC_ERRORS_NO_MESSAGE ) ; xmlSecKeysMngrDestroy( keyMngr ) ; return NULL ; } */ /*- * Set the getKey callback */ keyMngr->getKey = xmlSecKeysMngrGetKey ; return keyMngr ; }
VALUE xmlsec_is_valid_by_x509_file(VALUE self, xmlDocPtr doc, VALUE x509_file ) { xmlSecKeysMngrPtr mngr; VALUE v; xmlNodePtr node = NULL; xmlSecDSigCtxPtr dsigCtx = NULL; long i; mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { if(doc != NULL) xmlFreeDoc(doc); rb_raise(rb_eRuntimeError, "Error: failed to create keys manager.\n"); return Qnil; } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { if(doc != NULL) xmlFreeDoc(doc); if(mngr != NULL) xmlSecKeysMngrDestroy(mngr); rb_raise(rb_eRuntimeError, "Error: failed to initialize keys manager.\n"); return Qnil; } if (TYPE(x509_file) == T_STRING){ /* load trusted cert */ if(xmlSecCryptoAppKeysMngrCertLoad(mngr, StringValuePtr(x509_file), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { if(doc != NULL) xmlFreeDoc(doc); if(mngr != NULL) xmlSecKeysMngrDestroy(mngr); rb_raise(rb_eRuntimeError, "Error: failed to load pem certificate from \"%s\"\n", StringValuePtr(x509_file)); return Qnil; } } if (TYPE(x509_file) == T_ARRAY) { for (i =0; i < RARRAY_LEN(x509_file); i++) { v = rb_ary_entry(x509_file, i); StringValue(v); if(xmlSecCryptoAppKeysMngrCertLoad(mngr, RSTRING_PTR(v), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { if(doc != NULL) xmlFreeDoc(doc); if(mngr != NULL) xmlSecKeysMngrDestroy(mngr); rb_raise(rb_eRuntimeError, "Error: failed to load pem certificate from \"%s\"\n", RSTRING_PTR(v)); return Qnil; } } //rb_ary_entry } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs); if(node == NULL) { if(doc != NULL) xmlFreeDoc(doc); rb_raise(rb_eRuntimeError, "Error: start node not found\n"); return Qnil; } /* create signature context*/ dsigCtx = xmlSecDSigCtxCreate(mngr); if(dsigCtx == NULL) { if(doc != NULL) xmlFreeDoc(doc); if(mngr != NULL) xmlSecKeysMngrDestroy(mngr); rb_raise(rb_eRuntimeError, "Error: failed to create signature context\n"); return Qnil; } /* limit the Reference URI attributes to empty or NULL */ dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty; /* Verify signature */ if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) { if(dsigCtx != NULL) xmlSecDSigCtxDestroy(dsigCtx); if(doc != NULL) xmlFreeDoc(doc); if(mngr != NULL) xmlSecKeysMngrDestroy(mngr); rb_raise(rb_eRuntimeError, "Error: signature verify \"%s\"\n"); return Qnil; } /* verification result*/ if(dsigCtx->status == xmlSecDSigStatusSucceeded) { if(dsigCtx != NULL) xmlSecDSigCtxDestroy(dsigCtx); if(doc != NULL) xmlFreeDoc(doc); if(mngr != NULL) xmlSecKeysMngrDestroy(mngr); return Qtrue; } else { if(dsigCtx != NULL) xmlSecDSigCtxDestroy(dsigCtx); if(doc != NULL) xmlFreeDoc(doc); if(mngr != NULL) xmlSecKeysMngrDestroy(mngr); return Qfalse; } }