axiom_node_t * AXIS2_CALL create_key_info(const axutil_env_t *env, rampart_saml_token_t *saml) { axiom_node_t *key_info = NULL; oxs_key_t *session_key = NULL; axis2_status_t status = AXIS2_FAILURE; oxs_asym_ctx_t * asym_ctx = NULL; axis2_char_t *key_info_str = NULL; oxs_x509_cert_t *cert = NULL; /* Set the receiver certificate file. This public key will be used to encrypt the session key.*/ axis2_char_t *certificate_file = axutil_stracat(env, axis2c_home, RECEIVER_CERTIFICATE_FILE); session_key = oxs_key_create(env); status = oxs_key_for_algo(session_key, env, NULL); key_info = oxs_token_build_key_info_element(env, NULL); /* Create the asym_ctx_t and populate it.*/ asym_ctx = oxs_asym_ctx_create(env); oxs_asym_ctx_set_algorithm(asym_ctx, env, OXS_HREF_RSA_PKCS1); oxs_asym_ctx_set_operation(asym_ctx, env, OXS_ASYM_CTX_OPERATION_PUB_ENCRYPT); cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, certificate_file); if (!cert) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Certificate cannot be loaded"); return NULL; } oxs_asym_ctx_set_certificate(asym_ctx, env, cert); status = oxs_xml_enc_encrypt_key(env, asym_ctx, key_info, session_key, NULL); rampart_saml_token_set_session_key(saml, env, session_key); key_info_str = axiom_node_to_string(key_info, env); return key_info; }
/** * extract certificate/key using key identifier */ static axis2_status_t rampart_token_process_key_identifier( const axutil_env_t *env, axiom_node_t *key_identifier_node, axiom_node_t *scope_node, axiom_node_t *str_node, rampart_context_t *rampart_context, axis2_bool_t is_signature, oxs_x509_cert_t **cert, oxs_key_t **key, axis2_char_t **token_type) { axis2_char_t *value_type = NULL; value_type = oxs_axiom_get_attribute_value_of_node_by_name(env, key_identifier_node, OXS_ATTR_VALUE_TYPE, NULL); if(axutil_strcmp(value_type, OXS_X509_SUBJ_KI) == 0)/* X509 Token */ { /* In the client side, it is preferred to use certificate files instead of key store, * because one client normally interact with only one service. To handle this scenario, * if we found receiver certificate file specified in rampart_context we directly call the * get_reciever_certificate. */ *cert = rampart_context_get_receiver_certificate(rampart_context, env); if(!*cert) { axis2_char_t *ski = NULL; oxs_key_mgr_t *key_mgr = NULL; key_mgr = rampart_context_get_key_mgr(rampart_context, env); ski = oxs_axiom_get_node_content(env, key_identifier_node); *cert = oxs_key_mgr_get_receiver_certificate_from_ski(key_mgr, env, ski); if(!*cert) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Cannot retrieve certificate using key identifier"); return AXIS2_FAILURE; } } } else if(axutil_strcmp(value_type, OXS_X509_ENCRYPTED_KEY_SHA1) == 0) /* EncryptedKey */ { axis2_char_t *hash_value = NULL; hash_value = oxs_axiom_get_node_content(env, key_identifier_node); if(!hash_value) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Failed to get value of EncryptedKeySHA1"); return AXIS2_FAILURE; } *key = rampart_context_get_key_using_hash(rampart_context, env, hash_value); if(!*key) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Cannot get key corresponding to EncryptedKeySHA1"); return AXIS2_FAILURE; } } else if(axutil_strcmp(value_type, OXS_ST_KEY_ID_VALUE_TYPE) == 0) /* SAML token reference */ { axiom_node_t *assertion = NULL; rampart_saml_token_t *saml = NULL; rampart_st_type_t tok_type; oxs_key_mgr_t *key_mgr = NULL; openssl_pkey_t *pvt_key = NULL; key_mgr = rampart_context_get_key_mgr(rampart_context, env); pvt_key = oxs_key_mgr_get_prv_key(key_mgr, env); if(!pvt_key) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Cannot load private key"); return AXIS2_FAILURE; } assertion = oxs_saml_token_get_from_key_identifer_reference(env, key_identifier_node, NULL); if(!assertion) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Cannot get key SAML Assertion"); return AXIS2_FAILURE; } if(is_signature) { tok_type = RAMPART_ST_TYPE_SIGNATURE_TOKEN; } else { tok_type = RAMPART_ST_TYPE_ENCRYPTION_TOKEN; } saml = rampart_saml_add_token(rampart_context, env, assertion, str_node, tok_type); *key = rampart_saml_token_get_session_key(saml, env); if(!*key) { *key = saml_assertion_get_session_key(env, assertion, pvt_key); rampart_saml_token_set_session_key(saml, env, *key); oxs_key_set_name(*key, env, "for-algo"); } if(!*key) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Cannot get key corresponding to SAML Token"); return AXIS2_FAILURE; } } else { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Failed to identify Key Identifier %s", value_type); return AXIS2_FAILURE; } return AXIS2_SUCCESS; }