xmlsig 0.0.1

data/ext/xmlsig/Verifier.h

@@ -0,0 +1,313 @@
+/*
+ * (C) Copyright 2006 VeriSign, Inc.
+ * Developed by Sxip Identity
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef _VERIFIER_H
+#define _VERIFIER_H
+#include <vector>
+#include "Key.h"
+#include "XmlDoc.h"
+#include "XPath.h"
+#include "KeyStore.h"
+#include "X509Certificate.h"
+#include "XmlElement.h"
+#include "Exceptions.h"
+#include "NodeSet.h"
+using namespace std;
+
+
+/**
+ * Verifier verifies XML signatures according to the W3C XML-Signature specification (http://www.w3.org/2000/09/xmldsig#).
+ *
+ * A DOM document may contain several signatures. This class can
+ * verify all signatures in a document, one at a time, with either the
+ * verification key supplied in the document, or with a user-supplied
+ * key.
+ * 
+ * Usage:
+ * 
+ * -# Construct the Verifier. You must provide the Verifier with 
+ *    -# the XML document that contains the signature 
+ *    -# (optional) the location of the signature within the XML
+ *       document. To provide the location of the signature within an
+ *       XML document, you must use an XPath expression. For more on
+ *       constructing XPaths, see http://www.w3.org/TR/xpath. If no
+ *       location is specified, Verifier will attempt to verify the
+ *       first Signature element it finds in the document.
+ * -# Supply the verification key. This key may be taken from the
+ *    document (if available) by default, or a specific key may be
+ *    supplied by the user.
+ * -# Verify the signature. Note that the Verifier will locate and
+ *    verify the signature specified in Step 1.
+ * 
+ * Note: An XML document may contain several signatures, but this API
+ * only supports verification of one signature per Verifier. If you
+ * need to verify multiple signatures, create a new Verifier for each
+ * signature.
+ * 
+ * Example use (C++):
+ *
+ * @code
+ *       XPath signatureLocation("//ds:Signature");
+ *       signatureLocation.addNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+ *       Verifier verifier(doc, signatureLocation);       
+ *       bool isVerified = verifier.verify();
+ * @endcode
+ *
+ * In the above example, we try to verify the signature by
+ * \e signatureLocation using the key found within the signature at
+ * \e signatureLocation. If \e signatureLocation does not contain a single
+ * signature, an exception is thrown. To set the key used to verify
+ * the signature:
+ *
+ * @code
+ *       XPath signatureLocation("//ds:Signature");
+ *       signatureLocation.addNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+ *       Verifier verifier(doc, signatureLocation);       
+ *       Key verifyingKey = some_public_key;
+ *       bool isVerified = verifier.verify(verifyingKey);
+ * @endcode
+ * 
+ * If exceptions are enabled, error codes will not be returned.
+ */
+class Verifier
+{
+public:
+    /**
+     * Creates a Verifier that points to the first Signature in the document.
+     * @param doc An XML document
+     * @throws MemoryError
+     */
+    Verifier (XmlDocClassPtr doc);
+    /**
+     * Creates a Verifier that points to a single Signature within the document.
+     * @param doc An XML document
+     * @param xpath  An XPath expression that points to a single signature
+     * @throws MemoryError
+     */
+    Verifier (XmlDocClassPtr doc, XPathPtr xpath);
+    /**
+     * Destroy the Verifier object.
+     */
+    ~Verifier ();
+
+    /**
+     * Use trusted certificates from a KeyStore to verify the signature.
+     * @param keyStore A key store
+     * @return 0 on success, -1 on error
+     * @throws ValueError If the keyStore is invalid
+     */
+    int setKeyStore (KeyStorePtr keyStore);
+    /**
+     * Verifies the signature using the public key embedded in the document.
+     * @return 1 if signature valid, 0 if not valid, -1 on error
+     * @throws DocError The document to verify is invalid in some way
+     * @throws KeyError No verifying key is available
+     * @throws XMLError A signature couldn't be found in the document
+     */
+    int verify ();
+    /**
+     * Verifies the signature at the previously given signature
+     * location using the supplied key. Note that all keying
+     * information in the signature being verified is ignored, and the
+     * supplied key will be used.
+     * @param key A public key
+     * @return 1 if signature valid, 0 if not valid, -1 on error
+     * @throws DocError The document to verify is invalid in some way
+     * @throws KeyError The verifying key is invalid
+     * @throws XMLError A signature couldn't be found in the document
+     */
+    int verify (KeyPtr key);
+    /**
+     * Returns the verification key in the document. The verifying key
+     * will be retrieved from the Signature element pointed to by the
+     * XPath supplied in the constructor.  If no XPath was specified, 
+     * uses the first Signature element found in the document.
+     * @return Pointer to the key, or null if none is found, or for cases 
+	 *     where both a key and a certificate are part of the signature's
+	 *     keying information, null is returned, if the key is not equal
+	 *     to the certificate's key.
+     * @throws DocError The document to verify is invalid in some way
+     * @throws XMLError A signature couldn't be found in the document
+     * @throws LibError An error occurred in one of the base libraries
+     */
+    KeyPtr getVerifyingKey ();
+    /**
+     * Returns whether the element at the given XPath is contained by
+     * one of the Signature references, i.e., whether it is signed.
+     * @param xpath  An XPath expression pointing to the signature
+     * @return 1 if element is referenced, 0 if not, -1 on error
+     */
+    int isReferenced (XPathPtr xpath);
+    /**
+     * Returns all elements referenced by the Signature.
+     * @return a (possibly empty) list of elements
+     */ 
+    vector<XmlElementPtr> getReferencedElements ();
+
+    /**
+     * Returns the certificate in the document. If there are multiple
+     * certificates available, only the first (in document order) will
+     * be returned.
+     * @return Pointer to the certificate found at the XPath
+     *     expression; null if no certificate can be found, or if both
+     *     a key and a certificate is part of the signature's keying
+     *     information, and the key is not equal to the certificate's
+     *     key.
+     * @throws DocError The document to verify is invalid in some way
+     * @throws XMLError A signature couldn't be found in the document
+     * @throws LibError An error occurred in one of the base libraries
+     * @throws XPathError if xpath results in no usable certificate 
+     *     (as defined by http://www.w3.org/2000/09/xmldsig:KeyInfo/X509Data)
+     */
+    X509CertificatePtr getCertificate ();
+    /**
+     * Retrieve the certificate chain from the signature element.
+     * @return the certificate chain found at the xpath expression;
+     *     null if no certificate chain can be found, or if both a key
+     *     and at least one certificate is part of the signature's
+     *     keying information, and the key is not equal to the leaf
+     *     certificate's key.  If there is a single certificate found,
+     *     a vector of size 1 will be returned.
+     * @throws XPathError if xpath results in no usable certificate 
+     *     (as defined by http://www.w3.org/2000/09/xmldsig:KeyInfo/X509Data)
+     */
+    vector<X509CertificatePtr> getCertificateChain ();
+    /**
+     * Set whether or not to check certificate chain on verify.
+     * (default is to do so.)  
+     * @param skip 1 to NOT check certificate chain on verify, 0 to do so
+     */
+    void skipCertCheck (int skip = 1) { skipCertCheckFlag = (skip != 0); }
+    
+    /// @cond NO_INTERFACE
+
+protected:
+    /**
+     * The XML document to verify.
+     */
+    XmlDocClassPtr mXmlDoc;
+    /**
+     * The (possibly null) XPath expression pointing to a signature.
+     */
+    XPathPtr xPath;
+    /**
+     * The KeyStore.
+     */
+    KeyStorePtr mKeyStore;
+    /**
+     * Default keystore created internally.
+     */
+    KeyStorePtr mDefaultKeyStore;
+    /**
+     * Don't check certificate chain on verification.
+     */
+    bool skipCertCheckFlag;
+
+    /**
+     * Get internal representation of keystore.
+     */
+    xmlSecKeysMngrPtr getKeysMngr ();
+    /**
+     * Set node to the first one returned by the xpath expression.
+     */
+    int findSignatureXPath (xmlDocPtr doc, xmlNodePtr* node);
+    /**
+     * Find the signature node.
+     */
+    int findStartNode (xmlDocPtr doc, xmlNodePtr* node);
+    /**
+     * Verify a signature specified by the node.
+     */
+    int verifyNode (xmlDocPtr doc, xmlNodePtr node, KeyPtr key);
+    /**
+     * Verify a signature specified by the node (internal method called by verify(*)
+     */
+    int doVerify (KeyPtr verifyingKey);
+    /**
+     * Initialiser.
+     */
+    void verifierInit ();
+    /**
+     * Check if element referred to by XPath expression is contained
+     * in the nodeset.
+     */
+    int isContained (xmlSecNodeSetPtr nodeSet, XPathPtr xPathElem);
+    /**
+     * Get a nodeset for the initial transform context.
+     */
+    xmlSecNodeSetPtr nodeSetFromTransformCtx (xmlSecTransformCtxPtr ctx,
+            xmlDocPtr doc);
+    /**
+     * Get certificates from X509Data element.
+     * @param node Signature data node under which X509Data node exists
+     * @return list of X509 certificates
+     */
+    vector<X509CertificatePtr> getX509Data (xmlNodePtr node);
+    /**
+     * Get the X509 certificate from the X509Certificate node.
+     * @param node X509Certificate element
+     * @return certificate pointer, null on error
+     */
+    X509CertificatePtr getX509CertificateNode (xmlNodePtr node);
+    /**
+     * Callback type for Verifier::refNodes().
+     * @param nset node set for referenced nodes
+     * @param verifier verifier object we're operating on
+     * @param data user data pointer
+     * @return nonzero to abort (negative is an error)
+     */
+    typedef int (*refNodesCallback) (xmlSecNodeSetPtr nset, Verifier* verifier, void* data);
+    /**
+     * Callback for Verifier::isReferenced(), passed to Verifier::refNodes().
+     * @param nset node set for referenced nodes
+     * @param verifier verifier object we're operating on
+     * @param data pointer to XPathPtr object
+     * @return nonzero if XPath expression is contained (negative is an error)
+     */
+    static int isReferencedCallback (xmlSecNodeSetPtr nset, Verifier* verifier, void* data);
+    /**
+     * Callback for xmlSecNodeSetWalk, running through elements and adding copies
+     * of them to the vector in the user data pointer.
+     * @param cur the current node
+     * @param data pointer to vector<XmlElementPtr>
+     * @return 0, keep running through referenced nodesets or -1 on error
+     */
+    static int getElementsCallback (xmlSecNodeSetPtr, xmlNodePtr cur, xmlNodePtr, void *data);
+    /**
+     * Callback for Verifier::getReferencedElements(), passed to Verifier::refNodes().
+     * @param nset node set for referenced nodes
+     * @param verifier verifier object we're operating on
+     * @param data pointer to vector<XmlElementPtr>
+     * @return 0, keep running through referenced nodesets or -1 on error
+     * @throw LibError if the node set walk call fails
+     */
+    static int getReferencedElementsCallback (xmlSecNodeSetPtr nset, Verifier* verifier, void* data);
+    /**
+     * Get the set of nodes referenced by the signature, executing the callback
+     * for each node set.
+     * @param callbackFn function to call for each reference node set
+     * @data data pointer to pass to callback
+     * @return set of nodes, null on error
+     * @throws DocError if no document
+     * @throws XMLError if the signature can't be found
+     * @throws LibError on various xmlsec errors
+     */
+    int refNodes (refNodesCallback callbackFn, void* data);
+
+/// @endcond
+};
+
+#endif

data/ext/xmlsig/X509Certificate.cpp

@@ -0,0 +1,362 @@
+/*
+ * (C) Copyright 2006 VeriSign, Inc.
+ * Developed by Sxip Identity
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "X509Certificate.h"
+#include <libxml/tree.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <xmlsec/openssl/x509.h>
+#include <xmlsec/openssl/app.h>
+#include <xmlsec/openssl/evp.h>
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/errors.h>
+#include <iostream>
+#include "BioWrap.h"
+
+X509Certificate::X509Certificate ()
+    : ptr(0)
+{}
+
+
+X509Certificate::X509Certificate (X509* x509ptr)
+    : ptr(0)
+{
+    if (x509ptr)
+    {
+        ptr = X509_dup(x509ptr);
+        if (ptr == NULL)
+        {
+            THROW_NORET(MemoryError, "Unable to copy certificate data");
+        }
+    }
+}
+
+
+X509Certificate::X509Certificate (const X509Certificate& cert)
+    : ptr(0)
+{
+    operator=(cert);
+}
+
+
+const X509Certificate& X509Certificate::operator= (const X509Certificate& cert)
+{
+    if (&cert != this)
+    {
+        ptr = cert.getDup();
+    }
+    return *this;
+}
+
+
+X509Certificate::~X509Certificate ()
+{
+    if (ptr)
+    {
+        X509_free(ptr);
+    }
+}
+
+
+X509* X509Certificate::getDup () const
+{
+    X509* dupCert = X509_dup(ptr);
+    if (dupCert == NULL)
+    {
+        THROW(MemoryError, "Unable to copy certificate data", 0);
+    }
+    return dupCert;
+}
+
+
+KeyPtr X509Certificate::getKey () const
+{
+    KeyPtr keyPtr;
+    if (!ptr)
+    {
+        return 0;
+    }
+    xmlSecKeyDataPtr keyDataPtr = xmlSecOpenSSLX509CertGetKey(ptr);
+    if (!keyDataPtr)
+    {
+        return 0;
+    }
+    keyPtr = KeyPtr(new Key);
+    keyPtr->create();
+    if (xmlSecKeySetValue(*keyPtr, keyDataPtr) < 0)
+    {
+        THROW(LibError, "Couldn't set key value", 0);
+    }
+
+    xmlSecKeyDataPtr certData = xmlSecKeyEnsureData(*keyPtr,
+                                xmlSecOpenSSLKeyDataX509Id);
+    if (certData == NULL)
+    {
+        THROW(LibError, "Couldn't create cert data", 0);
+    }
+    if (xmlSecOpenSSLKeyDataX509AdoptCert(certData, getDup()) < 0)
+    {
+        THROW(LibError, "Unable to adopt cert data", 0);
+    }
+    return keyPtr;
+}
+
+int X509Certificate::loadFromFile (string fileName, string format)
+{
+    Key key;
+    if (ptr)
+    {
+        X509_free(ptr);
+    }
+    int ret = key.loadFromFile(fileName, format, "");
+    if (ret < 0)
+    {
+        THROW(IOError, "Unable to load X509 certificate key", ret);
+    }
+    X509CertificatePtr cert = key.getCertificate();
+    if (cert)
+    {
+        operator=(*cert);
+    }
+    else
+    {
+        return -1;
+    }
+    return 0;
+}
+
+string X509Certificate::getSubjectDN()
+{
+    string name;
+    if (!ptr) {
+        THROW(LibError, "Certificate not loaded", name);
+    }
+    const xmlChar* buf = nameToString(X509_get_subject_name(ptr));
+    if (buf) {
+        name = string((const char*)buf);
+    }
+    return name;
+}
+
+string X509Certificate::getIssuerDN()
+{
+    string name;
+    if (!ptr) {
+        THROW(LibError, "Certificate not loaded", name);
+    }
+    const xmlChar* buf = nameToString(X509_get_issuer_name(ptr));
+    if (buf) {
+        name = string((const char*)buf);
+    }
+    return name;
+}
+
+int X509Certificate::getVersion()
+{
+    if (!ptr) {
+        THROW(LibError, "Certificate not loaded", -1);
+    }
+    return X509_get_version(ptr)+1;
+}
+
+int X509Certificate::isValid()
+{
+    if (!ptr) {
+        THROW(LibError, "Certificate not loaded", -1);
+    }
+    int i = X509_cmp_time(X509_get_notBefore(ptr), NULL);
+    if (i == 0) {
+        THROW(LibError, "Invalid data in certificate notBefore field", 0);
+    }
+    if (i > 0) {
+        return 0;
+    }
+    i = X509_cmp_time(X509_get_notAfter(ptr), NULL);
+    if (i == 0) {
+        THROW(LibError, "Invalid data in certificate notAfter field", 0);
+    }
+    if (i < 0) {
+        return 0;
+    }
+    return 1;
+}
+
+// yanked from xmlsec/src/openssl/x509.c
+xmlChar*
+X509Certificate::nameToString(X509_NAME* nm) {
+    xmlChar *res = NULL;
+    BIO *mem = NULL;
+    long size;
+
+    xmlSecAssert2(nm != NULL, NULL);
+
+    mem = BIO_new(BIO_s_mem());
+    if(mem == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+        	    NULL,
+        	    "BIO_new",
+        	    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+        	    "BIO_s_mem");
+        return(NULL);
+    }
+
+    if (X509_NAME_print_ex(mem, nm, 0, XN_FLAG_RFC2253) <=0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+        	    NULL,
+        	    "X509_NAME_print_ex",
+        	    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+        	    XMLSEC_ERRORS_NO_MESSAGE);
+        BIO_free_all(mem);
+        return(NULL);
+    }
+
+    BIO_flush(mem); /* should call flush ? */
+
+    size = BIO_pending(mem);
+    res = (xmlChar*) xmlMalloc(size + 1);
+    if(res == NULL) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "xmlMalloc",
+		    XMLSEC_ERRORS_R_MALLOC_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	BIO_free_all(mem);
+	return(NULL);
+    }
+
+    size = BIO_read(mem, res, size);
+    res[size] = '\0';
+
+    BIO_free_all(mem);
+    return(res);
+}
+
+
+int X509Certificate::verify (KeyPtr key)
+{
+    if (!key || !key->isValid())
+    {
+        THROW(KeyError, "Invalid key", -1);
+    }
+    xmlSecKeyPtr secKey = key->getKey();
+    if (!secKey || !secKey->value)
+    {
+        THROW(KeyError, "Invalid key", -1);
+    }
+    EVP_PKEY* evp_pkey = xmlSecOpenSSLEvpKeyDataGetEvp(secKey->value);
+    if (!evp_pkey)
+    {
+        THROW(KeyError, "Key is not a public key", -1);
+    }
+    int ret = X509_verify(ptr, evp_pkey);
+    if (ret < 0)
+    {
+        THROW(LibError, "X509 verify failed", -1);
+    }
+    return ret;
+}
+
+#ifdef WIN32
+#define strncasecmp _strnicmp
+#endif
+
+int X509Certificate::getBasicConstraints () {
+    if (!ptr) {
+        THROW(LibError, "Certificate not loaded", -1);
+    }
+    X509_EXTENSION *ext = NULL;
+    int pathlen = -1;
+    X509V3_EXT_METHOD *method = NULL;
+    STACK_OF(CONF_VALUE) *vals = NULL;
+    void *ext_str = NULL;
+
+    int index = X509_get_ext_by_NID(ptr, NID_basic_constraints, -1);
+    if((index >= 0)  && (ext = X509_get_ext(ptr, index))) {
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+        const unsigned char **ext_value_data;
+        ext_value_data = (const_cast<const unsigned char **> (&ext->value->data));
+#else
+        unsigned char **ext_value_data = &ext->value->data;
+#endif
+        if (!ext_value_data) {
+            goto end;
+        }
+        method = X509V3_EXT_get(ext);
+        if (!method || !method->i2v) {
+            goto end;
+        }
+        ext_str = ASN1_item_d2i(NULL, ext_value_data, ext->value->length, ASN1_ITEM_ptr(method->it));
+        if (!ext_str) {
+            goto end;
+        }
+        vals = method->i2v(method, ext_str, NULL);
+        if (!vals) {
+            goto end;
+        }
+        int isCA = 0;
+        for(int i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+            CONF_VALUE *val = sk_CONF_VALUE_value(vals, i);
+            if (!val) {
+                goto end;
+            }
+            if ((strncasecmp(val->name,"CA", 2)==0) && (strncasecmp(val->value, "TRUE", 4)==0))
+                isCA=1;
+            if ((strncasecmp(val->name,"pathlen", 2)==0))
+                 pathlen=atoi(val->value);
+        }
+        if (isCA) {
+            if (pathlen == -1) {
+                pathlen = 0x7fffffff;
+            }
+        }
+    }
+    end:
+        if (ext_str) ASN1_item_free((ASN1_VALUE*)ext_str, ASN1_ITEM_ptr(method->it));
+        if (vals) sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+        return pathlen;
+}
+
+
+int X509Certificate::isEqualTo (X509Certificate& other)
+{
+    BioWrap bioSelf, bioOther;
+
+    i2d_X509_bio(bioSelf, ptr);
+    BIO_flush(bioSelf);
+
+    i2d_X509_bio(bioOther, other.ptr);
+    BIO_flush(bioOther);
+
+    xmlSecByte *memSelf=0, *memOther=0;
+    long sizeSelf=0, sizeOther=0;
+    sizeSelf = BIO_get_mem_data(bioSelf, &memSelf);
+    sizeOther = BIO_get_mem_data(bioOther, &memOther);
+
+    if (sizeSelf != sizeOther)
+    {
+        return 0;
+    }
+
+    while (sizeSelf)
+    {
+        if (*memSelf++ != *memOther++)
+        {
+            return 0;
+        }
+        sizeSelf--;
+    }
+    return 1;
+}