//Load public key from a certificate file into key manager
xmlSecKeysMngrPtr load_key_from_certfile(xmlSecKeysMngrPtr* keys_manager, const char* certfile) {
xmlSecKeysMngrPtr keys_mngr;
if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager;
else {
keys_mngr = xmlSecKeysMngrCreate();
//initialize keys manager
if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) {
std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl;
xmlSecKeysMngrDestroy(keys_mngr); return NULL;
}
}
if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;}
std::string cert_str;
cert_str = get_cert_str(certfile);
xmlSecKeyPtr key = get_key_from_certstr(cert_str);
if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(keys_mngr, key) < 0) {
std::cerr<<"Failed to add key from "<<certfile<<" to keys manager"<<std::endl;
xmlSecKeyDestroy(key);
xmlSecKeysMngrDestroy(keys_mngr);
return NULL;
}
if(keys_manager != NULL) keys_manager = &keys_mngr;
return keys_mngr;
}
CAMLprim value xmlsecml_xmlSecKeysMngrCreate(value unit)
{
CAMLparam1(unit);
xmlSecKeysMngrPtr km;
km = xmlSecKeysMngrCreate();
assert(km!=NULL);
CAMLreturn(alloc_keymngr(km));
}
/**
* load_des_keys:
* @files: the list of filenames.
* @files_size: the number of filenames in #files.
*
* Creates simple keys manager and load DES keys from #files in it.
* The caller is responsible for destroing returned keys manager using
* @xmlSecKeysMngrDestroy.
*
* Returns the pointer to newly created keys manager or NULL if an error
* occurs.
*/
xmlSecKeysMngrPtr
load_des_keys(char** files, int files_size) {
xmlSecKeysMngrPtr mngr;
xmlSecKeyPtr key;
int i;
assert(files);
assert(files_size > 0);
/* create and initialize keys manager, we use a simple list based
* keys manager, implement your own xmlSecKeysStore klass if you need
* something more sophisticated
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
fprintf(stderr, "Error: failed to create keys manager.\n");
return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
fprintf(stderr, "Error: failed to initialize keys manager.\n");
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
for(i = 0; i < files_size; ++i) {
assert(files[i]);
/* load DES key */
key = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, files[i]);
if(key == NULL) {
fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", files[i]);
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) {
fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]);
xmlSecKeyDestroy(key);
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
/* add key to keys manager, from now on keys manager is responsible
* for destroying key
*/
if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]);
xmlSecKeyDestroy(key);
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
}
return(mngr);
}
static xmlSecKeysMngrPtr getKeyManager(VALUE rb_hash) {
xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
if (keyManager == NULL) return NULL;
if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
rb_raise(rb_eKeystoreError, "could not initialize key manager");
xmlSecKeysMngrDestroy(keyManager);
return NULL;
}
rb_hash_foreach(rb_hash, addRubyKeyToManager, (VALUE)keyManager);
return keyManager;
}
/**Funkcja weryfikuje poprawność podpisu xades. Weryfikacja obejmuje obliczenia matematyczne
* oraz weryfikację poszczególnych pól formualarza i certyfikatu.
* \retval -109 Certyfikat poza terminem ważności.
* */
long xades_verify(const char * buffer, const long buffer_len, GenBuf_t *timestamp)
{
xmlSecKeysMngrPtr mngr = NULL;
long ret = 0;
long status = 0;
if (buffer == NULL)
{
PRINT_DEBUG("Wrong argument 1!\n");
return ERR_arg+1;
}
if (timestamp == NULL)
{
PRINT_DEBUG("Wrong argument 3!\n");
return ERR_arg+3;
}
/* Init libxml and libxslt libraries */
xades_init();
/* create keys manager and load trusted certificates */
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
PRINT_DEBUG( "Error: failed to create keys manager.\n");
ret = -1;
}
if (mngr != NULL) {
status = xmlSecCryptoAppDefaultKeysMngrInit(mngr);
if(status < 0) {
PRINT_DEBUG( "Error: failed to initialize keys manager: %li\n",status);
ret = -2;
} else {
status = verify_memory(mngr,buffer, buffer_len);
if (status != 0) {
PRINT_ERROR("XAdES memory verification result: %li\n",status);
ret = -4;
}
status = verify_fields(buffer, buffer_len, timestamp);
if (status < 0)
{
PRINT_ERROR("XAdES tags verification result: %li\n", status);
ret = -100+status;
}
}
}
xmlSecKeysMngrDestroy(mngr);
xades_destroy();
return ret;
}
xmlSecKeysMngrPtr load_certificates_verify() {
xmlSecKeysMngrPtr key_manager;
/* create and initialize keys manager */
key_manager = xmlSecKeysMngrCreate();
if (key_manager == NULL) {
return(NULL);
}
if (xmlSecCryptoAppDefaultKeysMngrInit(key_manager) < 0) {
xmlSecKeysMngrDestroy(key_manager);
return(NULL);
}
return(key_manager);
}
// ---------------------------------------------------------------------------
// Second phase constructor
// ---------------------------------------------------------------------------
//
void CXmlSecKeyManager::ConstructL()
{
iKeyManager = xmlSecKeysMngrCreate();
if(!iKeyManager)
{
XmlEngOOMTestL();
XmlSecErrorFlagTestL();
User::Leave(KErrKeyManagerInit);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(iKeyManager) < 0)
{
xmlSecKeysMngrDestroy(iKeyManager);
iKeyManager = NULL;
XmlEngOOMTestL();
XmlSecErrorFlagTestL();
User::Leave(KErrKeyManagerInit);
}
}
static xmlSecKeysMngrPtr getKeyManager(VALUE rb_certs) {
int i, numCerts = RARRAY_LEN(rb_certs);
xmlSecKeysMngrPtr keyManager = xmlSecKeysMngrCreate();
VALUE rb_cert;
char *cert;
unsigned int certLength;
int numSuccessful = 0;
if (keyManager == NULL) return NULL;
if (xmlSecCryptoAppDefaultKeysMngrInit(keyManager) < 0) {
rb_raise(rb_eKeystoreError, "could not initialize key manager");
xmlSecKeysMngrDestroy(keyManager);
return NULL;
}
for (i = 0; i < numCerts; i++) {
rb_cert = RARRAY_PTR(rb_certs)[i];
Check_Type(rb_cert, T_STRING);
cert = RSTRING_PTR(rb_cert);
certLength = RSTRING_LEN(rb_cert);
if(xmlSecCryptoAppKeysMngrCertLoadMemory(keyManager,
(xmlSecByte *)cert,
certLength,
xmlSecKeyDataFormatPem,
xmlSecKeyDataTypeTrusted) < 0) {
rb_warn("failed to load certificate at index %d", i);
} else {
numSuccessful++;
}
}
// note, numCerts could be zero, meaning that we should use system SSL certs
if (numSuccessful == 0 && numCerts != 0) {
rb_raise(rb_eKeystoreError, "Could not load any of the specified certificates for signature verification");
xmlSecKeysMngrDestroy(keyManager);
return NULL;
}
return keyManager;
}
//Load trusted certificate from file
xmlSecKeysMngrPtr load_trusted_cert_file(xmlSecKeysMngrPtr* keys_manager, const char* cert_file) {
xmlSecKeysMngrPtr keys_mngr;
if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager;
else {
keys_mngr = xmlSecKeysMngrCreate();
//initialize keys manager
if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) {
std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl;
xmlSecKeysMngrDestroy(keys_mngr); return NULL;
}
}
if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;}
//load cert from file
if(cert_file && (strlen(cert_file) != 0))
if(xmlSecCryptoAppKeysMngrCertLoad(keys_mngr, cert_file, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
xmlSecKeysMngrDestroy(keys_mngr);
return NULL;
}
if(keys_manager != NULL) keys_manager = &keys_mngr;
return keys_mngr;
}
/**
* create_files_keys_mngr:
*
* Creates a files based keys manager: we assume that key name is
* the key file name,
*
* Returns pointer to newly created keys manager or NULL if an error occurs.
*/
xmlSecKeysMngrPtr
create_files_keys_mngr(void) {
xmlSecKeyStorePtr keysStore;
xmlSecKeysMngrPtr mngr;
/* create files based keys store */
keysStore = xmlSecKeyStoreCreate(files_keys_store_get_klass());
if(keysStore == NULL) {
fprintf(stderr, "Error: failed to create keys store.\n");
return(NULL);
}
/* create keys manager */
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
fprintf(stderr, "Error: failed to create keys manager.\n");
xmlSecKeyStoreDestroy(keysStore);
return(NULL);
}
/* add store to keys manager, from now on keys manager destroys the store if needed */
if(xmlSecKeysMngrAdoptKeysStore(mngr, keysStore) < 0) {
fprintf(stderr, "Error: failed to add keys store to keys manager.\n");
xmlSecKeyStoreDestroy(keysStore);
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
/* initialize crypto library specific data in keys manager */
if(xmlSecCryptoKeysMngrInit(mngr) < 0) {
fprintf(stderr, "Error: failed to initialize crypto data in keys manager.\n");
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
/* set the get key callback */
mngr->getKey = xmlSecKeysMngrGetKey;
return(mngr);
}
//Load trusted cetificates into key manager
xmlSecKeysMngrPtr load_trusted_certs(xmlSecKeysMngrPtr* keys_manager, const char* cafile, const char* capath) {
xmlSecKeysMngrPtr keys_mngr;
if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager;
else {
keys_mngr = xmlSecKeysMngrCreate();
//initialize keys manager
if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) {
std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl;
xmlSecKeysMngrDestroy(keys_mngr); return NULL;
}
}
if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;}
//load ca certs into keys manager, the two method used here could not work in some old xmlsec verion,
//because of some bug about X509_FILETYPE_DEFAULT and X509_FILETYPE_PEM
//load a ca path
if(capath && (strlen(capath) != 0))
if(xmlSecOpenSSLAppKeysMngrAddCertsPath(keys_mngr, capath) < 0) {
xmlSecKeysMngrDestroy(keys_mngr);
return NULL;
}
#if 0
//load a ca file TODO: can only be used in some new version of xmlsec
if(cafile && (strlen(cafile) != 0))
if(xmlSecOpenSSLAppKeysMngrAddCertsFile(keys_mngr, cafile) < 0) {
xmlSecKeysMngrDestroy(keys_mngr);
return NULL;
}
#endif
if(cafile && (strlen(cafile) != 0))
if(xmlSecCryptoAppKeysMngrCertLoad(keys_mngr, cafile, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
xmlSecKeysMngrDestroy(keys_mngr);
return NULL;
}
if(keys_manager != NULL) keys_manager = &keys_mngr;
return keys_mngr;
}
//Could be used for many trusted certificates in string
xmlSecKeysMngrPtr load_trusted_cert_str(xmlSecKeysMngrPtr* keys_manager, const std::string& cert_str) {
xmlSecKeysMngrPtr keys_mngr;
if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager;
else {
keys_mngr = xmlSecKeysMngrCreate();
//initialize keys manager
if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) {
std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl;
xmlSecKeysMngrDestroy(keys_mngr); return NULL;
}
}
if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;}
//load cert from memory
if(!cert_str.empty())
if(xmlSecCryptoAppKeysMngrCertLoadMemory(keys_mngr, (const xmlSecByte*)(cert_str.c_str()),
(xmlSecSize)(cert_str.size()), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
xmlSecKeysMngrDestroy(keys_mngr);
return NULL;
}
if(keys_manager != NULL) keys_manager = &keys_mngr;
return keys_mngr;
}
/**
* load_trusted_certs:
* @files: the list of filenames.
* @files_size: the number of filenames in #files.
*
* Creates simple keys manager and load trusted certificates from PEM #files.
* The caller is responsible for destroing returned keys manager using
* @xmlSecKeysMngrDestroy.
*
* Returns the pointer to newly created keys manager or NULL if an error
* occurs.
*/
xmlSecKeysMngrPtr
load_trusted_certs(char** files, int files_size) {
xmlSecKeysMngrPtr mngr;
int i;
assert(files);
assert(files_size > 0);
/* create and initialize keys manager, we use a simple list based
* keys manager, implement your own xmlSecKeysStore klass if you need
* something more sophisticated
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
fprintf(stderr, "Error: failed to create keys manager.\n");
return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
fprintf(stderr, "Error: failed to initialize keys manager.\n");
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
for(i = 0; i < files_size; ++i) {
assert(files[i]);
/* load trusted cert */
if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
}
return(mngr);
}
xmlSecKeysMngrPtr
load_trusted_certs(const char** files) {
const char **f;
xmlSecKeysMngrPtr mngr, mngr_test;
char valid_cert;
FILE *file;
char *pi, *pf, *data;
size_t size;
char **a, *all_files[10000];
struct stat stat_struct;
DIR *dir;
struct dirent *dir_file;
char name[10000];
assert(files);
/* Create keys manager */
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
fprintf(stderr, "XmlSecError: failed to create keys manager.\n");
return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
fprintf(stderr, "XmlSecError: failed to initialize keys manager.\n");
xmlSecKeysMngrDestroy(mngr);
return(NULL);
}
/* Create a list of files scanning directories */
for (f = files, a = all_files; *f; f++) {
if (stat(*f, &stat_struct))
perror(*f);
else if (S_ISDIR(stat_struct.st_mode)) {
dir = opendir(*f);
while ((dir_file = readdir(dir))) {
sprintf(name, "%s/%s", *f, dir_file->d_name);
if (stat(name, &stat_struct))
perror(name);
else if (!(S_ISDIR(stat_struct.st_mode)))
*(a++) = strdup(name);
}
closedir(dir);
}
else
*(a++) = strdup(*f);
}
*a = NULL;
/* Open each file, read data and add the certificates to keys manager, because
* when load from file directly, just add the first certificate, then we need
* read data and add each certificate in it. Other problem is when I have a invalid
* certificate, the manager brokes, then I test with a other manager.
*/
for (a = all_files; *a; a++) {
/* Open a file and read content data */
file = fopen(*a, "r");
if (file == NULL){
perror(*a);
free(*a);
continue;
}
fseek(file, 0, SEEK_END);
size = ftell(file);
fseek(file, 0, SEEK_SET);
data = (char*)malloc(size + 1);
fread(data, size, 1, file);
fclose(file);
data[size] = '\0';
/* Set pi to start of certificate and pf to end */
pf = pi = data;
pf = strstr(pi, "-----END CERTIFICATE-----");
if (!pf) pf = pi + size;
while (pf) {
/* Test manager for test the certificate */
mngr_test = xmlSecKeysMngrCreate();
valid_cert = 1;
if(mngr_test == NULL) {
fprintf(stderr, "XmlSecError: failed to create keys manager.\n");
valid_cert = 0;
}
else if(xmlSecCryptoAppDefaultKeysMngrInit(mngr_test) < 0) {
fprintf(stderr, "XmlSecError: failed to initialize keys manager.\n");
valid_cert = 0;
}
else if (xmlSecCryptoAppKeysMngrCertLoadMemory(mngr_test, (xmlSecByte*)pi, pf - pi + 25, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
fprintf(stderr,"XmlSecError: failed to load pem certificate from \"%s\" at %i.\n", *a, pi - data + 1);
valid_cert = 0;
}
xmlSecKeysMngrDestroy(mngr_test);
/* If certificate is valid, add this to keys manager for future use */
if (valid_cert && xmlSecCryptoAppKeysMngrCertLoadMemory(
mngr, (xmlSecByte*)pi, pf - pi + 25, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0)
fprintf(stderr,"XmlSecError: maybe duplicate pem certificate from \"%s\" at %i.\n",
*a, pi - data + 1);
pi = pf + 25;
pf = strstr(pi, "-----END CERTIFICATE-----");
}
/* Free allocated memory */
free(*a);
free(data);
}
return(mngr);
}
int
main(int argc, char **argv) {
xmlSecKeysMngrPtr mngr;
#ifndef XMLSEC_NO_XSLT
xsltSecurityPrefsPtr xsltSecPrefs = NULL;
#endif /* XMLSEC_NO_XSLT */
/* start response */
fprintf(stdout, "Content-type: text/plain\n");
fprintf(stdout, "\n");
/* Init libxml and libxslt libraries */
xmlInitParser();
LIBXML_TEST_VERSION
xmlLoadExtDtdDefaultValue = XML_DETECT_IDS | XML_COMPLETE_ATTRS;
xmlSubstituteEntitiesDefault(1);
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
/* make sure that we print out everything to stdout */
xmlGenericErrorContext = stdout;
/* Init libxslt */
#ifndef XMLSEC_NO_XSLT
/* disable everything */
xsltSecPrefs = xsltNewSecurityPrefs();
xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
xsltSetDefaultSecurityPrefs(xsltSecPrefs);
#endif /* XMLSEC_NO_XSLT */
/* Init xmlsec library */
if(xmlSecInit() < 0) {
fprintf(stdout, "Error: xmlsec initialization failed.\n");
return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
fprintf(stdout, "Error: loaded xmlsec library version is not compatible.\n");
return(-1);
}
/* Load default crypto engine if we are supporting dynamic
* loading for xmlsec-crypto libraries. Use the crypto library
* name ("openssl", "nss", etc.) to load corresponding
* xmlsec-crypto library.
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(NULL) < 0) {
fprintf(stdout, "Error: unable to load default xmlsec-crypto library. Make sure\n"
"that you have it installed and check shared libraries path\n"
"(LD_LIBRARY_PATH) envornment variable.\n");
return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER) < 0) {
fprintf(stdout, "Error: crypto initialization failed.\n");
return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
fprintf(stdout, "Error: xmlsec-crypto initialization failed.\n");
return(-1);
}
/* create keys manager */
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
fprintf(stdout, "Error: failed to create keys manager.\n");
return(-1);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
fprintf(stdout, "Error: failed to initialize keys manager.\n");
return(-1);
}
if(load_keys(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) {
xmlSecKeysMngrDestroy(mngr);
return(-1);
}
if(load_trusted_certs(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) {
xmlSecKeysMngrDestroy(mngr);
return(-1);
}
if(verify_request(mngr) < 0) {
xmlSecKeysMngrDestroy(mngr);
return(-1);
}
/* Destroy keys manager */
xmlSecKeysMngrDestroy(mngr);
/* Shutdown xmlsec-crypto library */
xmlSecCryptoShutdown();
/* Shutdown crypto library */
xmlSecCryptoAppShutdown();
/* Shutdown xmlsec library */
xmlSecShutdown();
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
return(0);
}
PyObject *xmlsec_KeysMngrCreate(PyObject *self, PyObject *args) {
return (wrap_xmlSecKeysMngrPtr(xmlSecKeysMngrCreate()));
}
xmlSecKeysMngrPtr load_certificates_sign(opendcp_t *opendcp) {
xmlSecKeysMngrPtr key_manager;
xmlSecKeyPtr key;
/* create and initialize keys manager */
key_manager = xmlSecKeysMngrCreate();
if (key_manager == NULL) {
fprintf(stderr, "Error: failed to create keys manager.\n");
return(NULL);
}
if (xmlSecCryptoAppDefaultKeysMngrInit(key_manager) < 0) {
fprintf(stderr, "Error: failed to initialize keys manager.\n");
xmlSecKeysMngrDestroy(key_manager);
return(NULL);
}
/* read key file */
if (opendcp->xml_signature.private_key) {
key = xmlSecCryptoAppKeyLoad(opendcp->xml_signature.private_key, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
} else {
key = xmlSecCryptoAppKeyLoadMemory(opendcp_private_key, strlen((char *)opendcp_private_key),xmlSecKeyDataFormatPem, NULL, NULL, NULL);
}
if (xmlSecCryptoAppDefaultKeysMngrAdoptKey(key_manager, key) < 0) {
fprintf(stderr, "Error: failed to initialize keys manager.\n");
xmlSecKeysMngrDestroy(key_manager);
return(NULL);
}
/* load root certificate */
if (opendcp->xml_signature.root) {
if (xmlSecCryptoAppKeysMngrCertLoad(key_manager, opendcp->xml_signature.root, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", opendcp->xml_signature.root);
xmlSecKeysMngrDestroy(key_manager);
return(NULL);
}
} else {
if (xmlSecCryptoAppKeysMngrCertLoadMemory(key_manager, opendcp_root_cert, strlen((char* )opendcp_root_cert), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
fprintf(stderr,"Error: failed to load pem certificate from memory\n");
xmlSecKeysMngrDestroy(key_manager);
return(NULL);
}
}
/* load ca (intermediate) certificate */
if (opendcp->xml_signature.ca) {
if (xmlSecCryptoAppKeysMngrCertLoad(key_manager, opendcp->xml_signature.ca, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", opendcp->xml_signature.ca);
xmlSecKeysMngrDestroy(key_manager);
return(NULL);
}
} else {
if (xmlSecCryptoAppKeysMngrCertLoadMemory(key_manager, opendcp_ca_cert, strlen((char *)opendcp_ca_cert), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
fprintf(stderr,"Error: failed to load pem certificate from memory\n");
xmlSecKeysMngrDestroy(key_manager);
return(NULL);
}
}
return(key_manager);
}
/**
* xmlSecNssAppliedKeysMngrCreate:
* @slot: array of pointers to NSS PKCS#11 slot information.
* @cSlots: number of slots in the array
* @handler: the pointer to NSS certificate database.
*
* Create and load NSS crypto slot and certificate database into keys manager
*
* Returns keys manager pointer on success or NULL otherwise.
*/
xmlSecKeysMngrPtr
xmlSecNssAppliedKeysMngrCreate(
PK11SlotInfo** slots,
int cSlots,
CERTCertDBHandle* handler
) {
xmlSecKeyDataStorePtr certStore = NULL ;
xmlSecKeysMngrPtr keyMngr = NULL ;
xmlSecKeyStorePtr keyStore = NULL ;
int islot = 0;
keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ;
if( keyStore == NULL ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
NULL ,
"xmlSecKeyStoreCreate" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
return NULL ;
}
for (islot = 0; islot < cSlots; islot++)
{
xmlSecNssKeySlotPtr keySlot ;
/* Create a key slot */
keySlot = xmlSecNssKeySlotCreate() ;
if( keySlot == NULL ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
"xmlSecNssKeySlotCreate" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeyStoreDestroy( keyStore ) ;
return NULL ;
}
/* Set slot */
if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
"xmlSecNssKeySlotSetSlot" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeyStoreDestroy( keyStore ) ;
xmlSecNssKeySlotDestroy( keySlot ) ;
return NULL ;
}
/* Adopt keySlot */
if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
"xmlSecNssKeysStoreAdoptKeySlot" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeyStoreDestroy( keyStore ) ;
xmlSecNssKeySlotDestroy( keySlot ) ;
return NULL ;
}
}
keyMngr = xmlSecKeysMngrCreate() ;
if( keyMngr == NULL ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
NULL ,
"xmlSecKeysMngrCreate" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeyStoreDestroy( keyStore ) ;
return NULL ;
}
/*-
* Add key store to manager, from now on keys manager destroys the store if
* needed
*/
if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
"xmlSecKeysMngrAdoptKeyStore" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeyStoreDestroy( keyStore ) ;
xmlSecKeysMngrDestroy( keyMngr ) ;
return NULL ;
}
/*-
* Initialize crypto library specific data in keys manager
*/
if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
NULL ,
"xmlSecKeysMngrCreate" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeysMngrDestroy( keyMngr ) ;
return NULL ;
}
/*-
* Set certificate databse to X509 key data store
*/
/**
* Because Tej's implementation of certDB use the default DB, so I ignore
* the certDB handler at present. I'll modify the cert store sources to
* accept particular certDB instead of default ones.
certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ;
if( certStore == NULL ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
"xmlSecKeysMngrGetDataStore" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeysMngrDestroy( keyMngr ) ;
return NULL ;
}
if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) {
xmlSecError( XMLSEC_ERRORS_HERE ,
xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
"xmlSecNssKeyDataStoreX509SetCertDb" ,
XMLSEC_ERRORS_R_XMLSEC_FAILED ,
XMLSEC_ERRORS_NO_MESSAGE ) ;
xmlSecKeysMngrDestroy( keyMngr ) ;
return NULL ;
}
*/
/*-
* Set the getKey callback
*/
keyMngr->getKey = xmlSecKeysMngrGetKey ;
return keyMngr ;
}
VALUE xmlsec_is_valid_by_x509_file(VALUE self, xmlDocPtr doc, VALUE x509_file ) {
xmlSecKeysMngrPtr mngr;
VALUE v;
xmlNodePtr node = NULL;
xmlSecDSigCtxPtr dsigCtx = NULL;
long i;
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
if(doc != NULL) xmlFreeDoc(doc);
rb_raise(rb_eRuntimeError, "Error: failed to create keys manager.\n");
return Qnil;
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
if(doc != NULL) xmlFreeDoc(doc);
if(mngr != NULL) xmlSecKeysMngrDestroy(mngr);
rb_raise(rb_eRuntimeError, "Error: failed to initialize keys manager.\n");
return Qnil;
}
if (TYPE(x509_file) == T_STRING){
/* load trusted cert */
if(xmlSecCryptoAppKeysMngrCertLoad(mngr, StringValuePtr(x509_file), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
if(doc != NULL) xmlFreeDoc(doc);
if(mngr != NULL) xmlSecKeysMngrDestroy(mngr);
rb_raise(rb_eRuntimeError, "Error: failed to load pem certificate from \"%s\"\n", StringValuePtr(x509_file));
return Qnil;
}
}
if (TYPE(x509_file) == T_ARRAY) {
for (i =0; i < RARRAY_LEN(x509_file); i++) {
v = rb_ary_entry(x509_file, i);
StringValue(v);
if(xmlSecCryptoAppKeysMngrCertLoad(mngr, RSTRING_PTR(v), xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
if(doc != NULL) xmlFreeDoc(doc);
if(mngr != NULL) xmlSecKeysMngrDestroy(mngr);
rb_raise(rb_eRuntimeError, "Error: failed to load pem certificate from \"%s\"\n", RSTRING_PTR(v));
return Qnil;
}
}
//rb_ary_entry
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
if(node == NULL) {
if(doc != NULL) xmlFreeDoc(doc);
rb_raise(rb_eRuntimeError, "Error: start node not found\n");
return Qnil;
}
/* create signature context*/
dsigCtx = xmlSecDSigCtxCreate(mngr);
if(dsigCtx == NULL) {
if(doc != NULL) xmlFreeDoc(doc);
if(mngr != NULL) xmlSecKeysMngrDestroy(mngr);
rb_raise(rb_eRuntimeError, "Error: failed to create signature context\n");
return Qnil;
}
/* limit the Reference URI attributes to empty or NULL */
dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
/* Verify signature */
if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
if(dsigCtx != NULL) xmlSecDSigCtxDestroy(dsigCtx);
if(doc != NULL) xmlFreeDoc(doc);
if(mngr != NULL) xmlSecKeysMngrDestroy(mngr);
rb_raise(rb_eRuntimeError, "Error: signature verify \"%s\"\n");
return Qnil;
}
/* verification result*/
if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
if(dsigCtx != NULL) xmlSecDSigCtxDestroy(dsigCtx);
if(doc != NULL) xmlFreeDoc(doc);
if(mngr != NULL) xmlSecKeysMngrDestroy(mngr);
return Qtrue;
} else {
if(dsigCtx != NULL) xmlSecDSigCtxDestroy(dsigCtx);
if(doc != NULL) xmlFreeDoc(doc);
if(mngr != NULL) xmlSecKeysMngrDestroy(mngr);
return Qfalse;
}
}
