1 /**
2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
6 *
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
10 * License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
19 */
20
21 /**
22 * XMLToolingConfig.cpp
23 *
24 * Library configuration.
25 */
26
27 #include "internal.h"
28 #include "exceptions.h"
29 #include "logging.h"
30 #include "XMLToolingConfig.h"
31 #include "encryption/Encryption.h"
32 #include "encryption/Encrypter.h"
33 #include "impl/UnknownElement.h"
34 #include "io/HTTPResponse.h"
35 #include "security/CredentialResolver.h"
36 #include "security/DataSealer.h"
37 #include "security/KeyInfoResolver.h"
38 #include "security/OpenSSLCryptoX509CRL.h"
39 #include "security/PathValidator.h"
40 #include "security/TrustEngine.h"
41 #include "signature/KeyInfo.h"
42 #include "signature/Signature.h"
43 #include "soap/SOAP.h"
44 #include "soap/SOAPTransport.h"
45 #include "util/NDC.h"
46 #include "util/PathResolver.h"
47 #include "util/ReplayCache.h"
48 #include "util/StorageService.h"
49 #include "util/TemplateEngine.h"
50 #include "util/Threads.h"
51 #include "util/URLEncoder.h"
52 #include "validation/ValidatorSuite.h"
53
54 #ifdef HAVE_DLFCN_H
55 # include <dlfcn.h>
56 #endif
57
58 #include <stdexcept>
59 #include <boost/ptr_container/ptr_vector.hpp>
60
61 #if defined(XMLTOOLING_LOG4SHIB)
62 # include <log4shib/PropertyConfigurator.hh>
63 # include <log4shib/OstreamAppender.hh>
64 #elif defined(XMLTOOLING_LOG4CPP)
65 # include <log4cpp/PropertyConfigurator.hh>
66 # include <log4cpp/OstreamAppender.hh>
67 #endif
68 #include <xercesc/util/PlatformUtils.hpp>
69 #include <xercesc/util/XMLUniDefs.hpp>
70 #ifndef XMLTOOLING_NO_XMLSEC
71 # include <curl/curl.h>
72 # include <openssl/err.h>
73 # include <openssl/evp.h>
74 # include <xsec/framework/XSECAlgorithmMapper.hpp>
75 # include <xsec/framework/XSECException.hpp>
76 # include <xsec/framework/XSECProvider.hpp>
77 # include <xsec/transformers/TXFMBase.hpp>
78 #endif
79
80 using namespace soap11;
81 using namespace xmltooling::logging;
82 using namespace xmltooling;
83 using namespace xercesc;
84 using namespace boost;
85 using namespace std;
86
87 DECL_XMLTOOLING_EXCEPTION_FACTORY(XMLParserException,xmltooling);
88 DECL_XMLTOOLING_EXCEPTION_FACTORY(XMLObjectException,xmltooling);
89 DECL_XMLTOOLING_EXCEPTION_FACTORY(MarshallingException,xmltooling);
90 DECL_XMLTOOLING_EXCEPTION_FACTORY(UnmarshallingException,xmltooling);
91 DECL_XMLTOOLING_EXCEPTION_FACTORY(UnknownElementException,xmltooling);
92 DECL_XMLTOOLING_EXCEPTION_FACTORY(UnknownAttributeException,xmltooling);
93 DECL_XMLTOOLING_EXCEPTION_FACTORY(UnknownExtensionException,xmltooling);
94 DECL_XMLTOOLING_EXCEPTION_FACTORY(ValidationException,xmltooling);
95 DECL_XMLTOOLING_EXCEPTION_FACTORY(IOException,xmltooling);
96
97 #ifndef XMLTOOLING_NO_XMLSEC
98 using namespace xmlencryption;
99 using namespace xmlsignature;
100 DECL_XMLTOOLING_EXCEPTION_FACTORY(XMLSecurityException,xmltooling);
101 DECL_XMLTOOLING_EXCEPTION_FACTORY(SignatureException,xmlsignature);
102 DECL_XMLTOOLING_EXCEPTION_FACTORY(EncryptionException,xmlencryption);
103 #endif
104
105 namespace {
106 static XMLToolingInternalConfig g_config;
107 #ifndef XMLTOOLING_NO_XMLSEC
108 // NOTE:
109 // "The old locking functions have been removed completely without compatibility macros"
110 // see:
111 // https://www.openssl.org/docs/manmaster/crypto/CRYPTO_THREAD_lock_free.html
112 //
113 // For now we just make the callback compile. More work TBD
114 #ifndef CRYPTO_LOCK
115 #define CRYPTO_LOCK 1
116 #endif
117 static ptr_vector<Mutex> g_openssl_locks;
118
openssl_locking_callback(int mode,int n,const char * file,int line)119 extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
120 {
121 if (mode & CRYPTO_LOCK)
122 g_openssl_locks[n].lock();
123 else
124 g_openssl_locks[n].unlock();
125 }
126
127 # ifndef WIN32
openssl_thread_id(void)128 extern "C" unsigned long openssl_thread_id(void)
129 {
130 return (unsigned long)(pthread_self());
131 }
132 # endif
133
134 class TXFMOutputLog : public TXFMBase {
135 TXFMOutputLog();
136 public:
TXFMOutputLog(DOMDocument * doc)137 TXFMOutputLog(DOMDocument* doc) : TXFMBase(doc), m_log(Category::getInstance(XMLTOOLING_LOGCAT ".Signature.Debugger")) {
138 input = nullptr;
139 }
~TXFMOutputLog()140 ~TXFMOutputLog() {
141 m_log.debug("\n----- END SIGNATURE DEBUG -----\n");
142 }
143
setInput(TXFMBase * newInput)144 void setInput(TXFMBase *newInput) {
145 input = newInput;
146 if (newInput->getOutputType() != TXFMBase::BYTE_STREAM)
147 throw XSECException(XSECException::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
148 keepComments = input->getCommentsStatus();
149 m_log.debug("\n----- BEGIN SIGNATURE DEBUG -----\n");
150 }
151
getInputType() const152 TXFMBase::ioType getInputType() const {
153 return TXFMBase::BYTE_STREAM;
154 }
getOutputType() const155 TXFMBase::ioType getOutputType() const {
156 return TXFMBase::BYTE_STREAM;
157 }
getNodeType() const158 TXFMBase::nodeType getNodeType() const {
159 return TXFMBase::DOM_NODE_NONE;
160 }
161
readBytes(XMLByte * const toFill,const unsigned int maxToFill)162 unsigned int readBytes(XMLByte * const toFill, const unsigned int maxToFill) {
163 unsigned int sz = input->readBytes(toFill, maxToFill);
164 m_log.debug(string(reinterpret_cast<char* const>(toFill), sz));
165 return sz;
166 }
167
168 private:
169 Category& m_log;
170 };
171
TXFMOutputLogFactory(DOMDocument * doc)172 TXFMBase* TXFMOutputLogFactory(DOMDocument* doc) {
173 if (Category::getInstance(XMLTOOLING_LOGCAT ".Signature.Debugger").isDebugEnabled())
174 return new TXFMOutputLog(doc);
175 return nullptr;
176 }
177
178 #endif
179
180 #ifdef WIN32
LogEvent(LPCSTR lpUNCServerName,WORD wType,DWORD dwEventID,PSID lpUserSid,LPCSTR message)181 BOOL LogEvent(
182 LPCSTR lpUNCServerName,
183 WORD wType,
184 DWORD dwEventID,
185 PSID lpUserSid,
186 LPCSTR message)
187 {
188 LPCSTR messages[] = {message, nullptr};
189
190 HANDLE hElog = RegisterEventSource(lpUNCServerName, "OpenSAML XMLTooling Library");
191 BOOL res = ReportEvent(hElog, wType, 0, dwEventID, lpUserSid, 1, 0, messages, nullptr);
192 return (DeregisterEventSource(hElog) && res);
193 }
194 #endif
195 }
196
getConfig()197 XMLToolingConfig& XMLToolingConfig::getConfig()
198 {
199 return g_config;
200 }
201
getInternalConfig()202 XMLToolingInternalConfig& XMLToolingInternalConfig::getInternalConfig()
203 {
204 return g_config;
205 }
206
XMLToolingConfig()207 XMLToolingConfig::XMLToolingConfig() : clock_skew_secs(180)
208 {
209 }
210
~XMLToolingConfig()211 XMLToolingConfig::~XMLToolingConfig()
212 {
213 }
214
215 #ifndef XMLTOOLING_LITE
getKeyInfoResolver() const216 const KeyInfoResolver* XMLToolingConfig::getKeyInfoResolver() const
217 {
218 return m_keyInfoResolver.get();
219 }
220
getReplayCache() const221 ReplayCache* XMLToolingConfig::getReplayCache() const
222 {
223 return m_replayCache.get();
224 }
225
getDataSealer() const226 const DataSealer* XMLToolingConfig::getDataSealer() const
227 {
228 return m_dataSealer.get();
229 }
230
setKeyInfoResolver(xmltooling::KeyInfoResolver * keyInfoResolver)231 void XMLToolingConfig::setKeyInfoResolver(xmltooling::KeyInfoResolver *keyInfoResolver)
232 {
233 m_keyInfoResolver.reset(keyInfoResolver);
234 }
235
setReplayCache(ReplayCache * replayCache)236 void XMLToolingConfig::setReplayCache(ReplayCache* replayCache)
237 {
238 m_replayCache.reset(replayCache);
239 }
240
setDataSealer(DataSealer * dataSealer)241 void XMLToolingConfig::setDataSealer(DataSealer* dataSealer)
242 {
243 m_dataSealer.reset(dataSealer);
244 }
245 #endif
246
getPathResolver() const247 PathResolver* XMLToolingConfig::getPathResolver() const
248 {
249 return m_pathResolver.get();
250 }
251
getTemplateEngine() const252 TemplateEngine* XMLToolingConfig::getTemplateEngine() const
253 {
254 return m_templateEngine.get();
255 }
256
getURLEncoder() const257 const URLEncoder* XMLToolingConfig::getURLEncoder() const
258 {
259 return m_urlEncoder.get();
260 }
261
setPathResolver(PathResolver * pathResolver)262 void XMLToolingConfig::setPathResolver(PathResolver* pathResolver)
263 {
264 m_pathResolver.reset(pathResolver);
265 }
266
setTemplateEngine(TemplateEngine * templateEngine)267 void XMLToolingConfig::setTemplateEngine(TemplateEngine* templateEngine)
268 {
269 m_templateEngine.reset(templateEngine);
270 }
271
setURLEncoder(URLEncoder * urlEncoder)272 void XMLToolingConfig::setURLEncoder(URLEncoder* urlEncoder)
273 {
274 m_urlEncoder.reset(urlEncoder);
275 }
276
XMLToolingInternalConfig()277 XMLToolingInternalConfig::XMLToolingInternalConfig() : m_initCount(0), m_lock(Mutex::create())
278 {
279 }
280
~XMLToolingInternalConfig()281 XMLToolingInternalConfig::~XMLToolingInternalConfig()
282 {
283 }
284
log_config(const char * config)285 bool XMLToolingInternalConfig::log_config(const char* config)
286 {
287 try {
288 if (!config || !*config)
289 config=getenv("XMLTOOLING_LOG_CONFIG");
290 if (!config || !*config)
291 config="WARN";
292
293 bool level=false;
294 Category& root = Category::getRoot();
295 if (!strcmp(config,"DEBUG")) {
296 root.setPriority(Priority::DEBUG);
297 level=true;
298 }
299 else if (!strcmp(config,"INFO")) {
300 root.setPriority(Priority::INFO);
301 level=true;
302 }
303 else if (!strcmp(config,"NOTICE")) {
304 root.setPriority(Priority::NOTICE);
305 level=true;
306 }
307 else if (!strcmp(config,"WARN")) {
308 root.setPriority(Priority::WARN);
309 level=true;
310 }
311 else if (!strcmp(config,"ERROR")) {
312 root.setPriority(Priority::ERROR);
313 level=true;
314 }
315 else if (!strcmp(config,"CRIT")) {
316 root.setPriority(Priority::CRIT);
317 level=true;
318 }
319 else if (!strcmp(config,"ALERT")) {
320 root.setPriority(Priority::ALERT);
321 level=true;
322 }
323 else if (!strcmp(config,"EMERG")) {
324 root.setPriority(Priority::EMERG);
325 level=true;
326 }
327 else if (!strcmp(config,"FATAL")) {
328 root.setPriority(Priority::FATAL);
329 level=true;
330 }
331 if (level) {
332 root.setAppender(new OstreamAppender("default",&cerr));
333 }
334 else {
335 string path(config);
336 PropertyConfigurator::configure(m_pathResolver.get() ? m_pathResolver->resolve(path, PathResolver::XMLTOOLING_CFG_FILE) : path);
337 }
338
339 #ifndef XMLTOOLING_NO_XMLSEC
340 Category::getInstance(XMLTOOLING_LOGCAT ".Signature.Debugger").setAdditivity(false);
341 #endif
342 }
343 catch (const ConfigureFailure& e) {
344 string msg = string("error in file permissions or logging configuration: ") + e.what();
345 Category::getInstance(XMLTOOLING_LOGCAT ".Logging").crit(msg);
346 #ifdef WIN32
347 LogEvent(nullptr, EVENTLOG_ERROR_TYPE, 2100, nullptr, msg.c_str());
348 #endif
349 return false;
350 }
351
352 return true;
353 }
354
init(bool deprecationSupport)355 bool XMLToolingInternalConfig::init(bool deprecationSupport)
356 {
357 #ifdef _DEBUG
358 xmltooling::NDC ndc("init");
359 #endif
360 Category& log=Category::getInstance(XMLTOOLING_LOGCAT ".Config");
361
362 Lock initLock(m_lock);
363
364 if (m_initCount == INT_MAX) {
365 log.crit("library initialized too many times");
366 return false;
367 }
368
369 if (m_initCount >= 1) {
370 ++m_initCount;
371 return true;
372 }
373
374 try {
375 log.debug("library initialization started");
376
377 #ifndef XMLTOOLING_NO_XMLSEC
378 if (curl_global_init(CURL_GLOBAL_ALL)) {
379 log.fatal("failed to initialize libcurl, OpenSSL, or Winsock");
380 return false;
381 }
382 curl_version_info_data* curlver = curl_version_info(CURLVERSION_NOW);
383 if (curlver) {
384 log.debug("libcurl %s initialization complete", curlver->version);
385 if (!(curlver->features & CURL_VERSION_SSL)) {
386 log.crit("libcurl lacks TLS/SSL support, this will greatly limit functionality");
387 } else if (curlver->ssl_version && !strstr(curlver->ssl_version, "OpenSSL")) {
388 log.crit("libcurl lacks OpenSSL-specific options, this will greatly limit functionality");
389 }
390 }
391 else {
392 log.debug("libcurl %s initialization complete", LIBCURL_VERSION);
393 }
394 #endif
395
396 XMLPlatformUtils::Initialize();
397 log.debug("Xerces %s initialization complete", XERCES_FULLVERSIONDOT);
398
399 #ifndef XMLTOOLING_NO_XMLSEC
400 XSECPlatformUtils::Initialise();
401 XSECPlatformUtils::SetReferenceLoggingSink(TXFMOutputLogFactory);
402 m_xsecProvider.reset(new XSECProvider());
403 log.debug("XML-Security %s initialization complete", XSEC_FULLVERSIONDOT);
404 #endif
405
406 m_parserPool.reset(new ParserPool());
407 m_validatingPool.reset(new ParserPool(true,true));
408
409 m_pathResolver.reset(new PathResolver());
410 m_urlEncoder.reset(new URLEncoder());
411
412 // default registrations
413 XMLObjectBuilder::registerDefaultBuilder(new UnknownElementBuilder());
414
415 registerSOAPClasses();
416
417 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(XMLParserException,xmltooling);
418 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(XMLObjectException,xmltooling);
419 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(MarshallingException,xmltooling);
420 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(UnmarshallingException,xmltooling);
421 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(UnknownElementException,xmltooling);
422 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(UnknownAttributeException,xmltooling);
423 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(ValidationException,xmltooling);
424 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(IOException,xmltooling);
425
426 #ifndef XMLTOOLING_NO_XMLSEC
427 XMLObjectBuilder::registerBuilder(QName(xmlconstants::XMLSIG_NS,Signature::LOCAL_NAME),new SignatureBuilder());
428 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(XMLSecurityException,xmltooling);
429 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(SignatureException,xmlsignature);
430 REGISTER_XMLTOOLING_EXCEPTION_FACTORY(EncryptionException,xmlencryption);
431 registerDataSealerKeyStrategies();
432 registerKeyInfoClasses();
433 registerEncryptionClasses();
434 registerCredentialResolvers();
435 registerKeyInfoResolvers();
436 registerPathValidators();
437 registerTrustEngines();
438 registerXMLAlgorithms();
439 m_keyInfoResolver.reset(KeyInfoResolverManager.newPlugin(INLINE_KEYINFO_RESOLVER,nullptr,deprecationSupport));
440 #endif
441
442 #ifndef XMLTOOLING_LITE
443 registerStorageServices();
444 #endif
445 registerSOAPTransports();
446 initSOAPTransports();
447
448 HTTPResponse::getAllowedSchemes().push_back("https");
449 HTTPResponse::getAllowedSchemes().push_back("http");
450
451 // Register xml:id as an ID attribute.
452 static const XMLCh xmlid[] = UNICODE_LITERAL_2(i,d);
453 AttributeExtensibleXMLObject::registerIDAttribute(QName(xmlconstants::XML_NS, xmlid));
454 }
455 catch (const xercesc::XMLException&) {
456 log.fatal("caught exception while initializing Xerces");
457 #ifndef XMLTOOLING_NO_XMLSEC
458 curl_global_cleanup();
459 #endif
460 return false;
461 }
462
463 #ifndef XMLTOOLING_NO_XMLSEC
464 // Set up OpenSSL locking.
465 for (int i=0; i<CRYPTO_num_locks(); i++)
466 g_openssl_locks.push_back(Mutex::create());
467 CRYPTO_set_locking_callback(openssl_locking_callback);
468 # ifndef WIN32
469 CRYPTO_set_id_callback(openssl_thread_id);
470 # endif
471 #endif
472
473 log.info("%s library initialization complete", PACKAGE_STRING);
474 ++m_initCount;
475 return true;
476 }
477
term()478 void XMLToolingInternalConfig::term()
479 {
480 #ifdef _DEBUG
481 xmltooling::NDC ndc("term");
482 #endif
483
484 Lock initLock(m_lock);
485 if (m_initCount == 0) {
486 Category::getInstance(XMLTOOLING_LOGCAT ".Config").crit("term without corresponding init");
487 return;
488 }
489 else if (--m_initCount > 0) {
490 return;
491 }
492
493 #ifndef XMLTOOLING_NO_XMLSEC
494 CRYPTO_set_locking_callback(nullptr);
495 g_openssl_locks.clear();
496 #endif
497
498 SchemaValidators.destroyValidators();
499 XMLObjectBuilder::destroyBuilders();
500 XMLToolingException::deregisterFactories();
501 AttributeExtensibleXMLObject::deregisterIDAttributes();
502
503 termSOAPTransports();
504 SOAPTransportManager.deregisterFactories();
505
506 #ifndef XMLTOOLING_LITE
507 StorageServiceManager.deregisterFactories();
508 #endif
509
510 #ifndef XMLTOOLING_NO_XMLSEC
511 TrustEngineManager.deregisterFactories();
512 CredentialResolverManager.deregisterFactories();
513 KeyInfoResolverManager.deregisterFactories();
514 DataSealerKeyStrategyManager.deregisterFactories();
515 m_algorithmMap.clear();
516
517 m_keyInfoResolver.reset();
518 m_replayCache.reset();
519 m_dataSealer.reset();
520 #endif
521
522 m_pathResolver.reset();
523 m_templateEngine.reset();
524 m_urlEncoder.reset();
525
526 for (vector<void*>::reverse_iterator i=m_libhandles.rbegin(); i!=m_libhandles.rend(); i++) {
527 #if defined(WIN32)
528 FARPROC fn=GetProcAddress(static_cast<HMODULE>(*i),"xmltooling_extension_term");
529 if (fn)
530 fn();
531 FreeLibrary(static_cast<HMODULE>(*i));
532 #elif defined(HAVE_DLFCN_H)
533 void (*fn)()=(void (*)())dlsym(*i,"xmltooling_extension_term");
534 if (fn)
535 fn();
536 dlclose(*i);
537 #else
538 # error "Don't know about dynamic loading on this platform!"
539 #endif
540 }
541 m_libhandles.clear();
542
543 m_parserPool.reset();
544 m_validatingPool.reset();
545
546 for_each(m_namedLocks.begin(), m_namedLocks.end(), cleanup_pair<string,Mutex>());
547 m_namedLocks.clear();
548
549 #ifndef XMLTOOLING_NO_XMLSEC
550 m_xsecProvider.reset();
551 XSECPlatformUtils::Terminate();
552 #endif
553
554 XMLPlatformUtils::Terminate();
555
556 #ifndef XMLTOOLING_NO_XMLSEC
557 curl_global_cleanup();
558 #endif
559 Category::getInstance(XMLTOOLING_LOGCAT ".Config").info("%s library shutdown complete", PACKAGE_STRING);
560 Category::shutdown();
561 }
562
lock()563 Lockable* XMLToolingInternalConfig::lock()
564 {
565 m_lock->lock();
566 return this;
567 }
568
unlock()569 void XMLToolingInternalConfig::unlock()
570 {
571 m_lock->unlock();
572 }
573
getNamedMutex(const char * name)574 Mutex& XMLToolingInternalConfig::getNamedMutex(const char* name)
575 {
576 Locker glock(this);
577 map<string,Mutex*>::const_iterator m = m_namedLocks.find(name);
578 if (m != m_namedLocks.end())
579 return *(m->second);
580 Mutex* newlock = Mutex::create();
581 m_namedLocks[name] = newlock;
582 return *newlock;
583 }
584
load_library(const char * path,void * context)585 bool XMLToolingInternalConfig::load_library(const char* path, void* context)
586 {
587 #ifdef _DEBUG
588 xmltooling::NDC ndc("LoadLibrary");
589 #endif
590 Category& log=Category::getInstance(XMLTOOLING_LOGCAT ".Config");
591 log.info("loading extension: %s", path);
592
593 Locker locker(this);
594
595 string resolved(path);
596 m_pathResolver->resolve(resolved, PathResolver::XMLTOOLING_LIB_FILE);
597
598 #if defined(WIN32)
599 HMODULE handle=nullptr;
600 for (string::iterator i = resolved.begin(); i != resolved.end(); ++i)
601 if (*i == '/')
602 *i = '\\';
603
604 UINT em=SetErrorMode(SEM_FAILCRITICALERRORS);
605 try {
606 handle=LoadLibraryEx(resolved.c_str(),nullptr,LOAD_WITH_ALTERED_SEARCH_PATH);
607 if (!handle)
608 handle=LoadLibraryEx(resolved.c_str(),nullptr,0);
609 if (!handle)
610 throw runtime_error(string("unable to load extension library: ") + resolved);
611 FARPROC fn=GetProcAddress(handle,"xmltooling_extension_init");
612 if (!fn)
613 throw runtime_error(string("unable to locate xmltooling_extension_init entry point: ") + resolved);
614 if (reinterpret_cast<int(*)(void*)>(fn)(context)!=0)
615 throw runtime_error(string("detected error in xmltooling_extension_init: ") + resolved);
616 SetErrorMode(em);
617 }
618 catch(std::exception&) {
619 if (handle)
620 FreeLibrary(handle);
621 SetErrorMode(em);
622 throw;
623 }
624
625 #elif defined(HAVE_DLFCN_H)
626 void* handle=dlopen(resolved.c_str(),RTLD_LAZY);
627 if (!handle)
628 throw runtime_error(string("unable to load extension library '") + resolved + "': " + dlerror());
629 int (*fn)(void*)=(int (*)(void*))(dlsym(handle,"xmltooling_extension_init"));
630 if (!fn) {
631 dlclose(handle);
632 throw runtime_error(
633 string("unable to locate xmltooling_extension_init entry point in '") + resolved + "': " +
634 (dlerror() ? dlerror() : "unknown error")
635 );
636 }
637 try {
638 if (fn(context)!=0)
639 throw runtime_error(string("detected error in xmltooling_extension_init in ") + resolved);
640 }
641 catch(std::exception&) {
642 if (handle)
643 dlclose(handle);
644 throw;
645 }
646 #else
647 # error "Don't know about dynamic loading on this platform!"
648 #endif
649 m_libhandles.push_back(handle);
650 log.info("loaded extension: %s", resolved.c_str());
651 return true;
652 }
653
654 #ifndef XMLTOOLING_NO_XMLSEC
655
log_openssl()656 void xmltooling::log_openssl()
657 {
658 const char* file;
659 const char* data;
660 int flags,line;
661
662 unsigned long code=ERR_get_error_line_data(&file,&line,&data,&flags);
663 while (code) {
664 Category& log=Category::getInstance("OpenSSL");
665 log.errorStream() << "error code: " << code << " in " << file << ", line " << line << logging::eol;
666 if (data && (flags & ERR_TXT_STRING))
667 log.errorStream() << "error data: " << data << logging::eol;
668 code=ERR_get_error_line_data(&file,&line,&data,&flags);
669 }
670 }
671
X509CRL() const672 XSECCryptoX509CRL* XMLToolingInternalConfig::X509CRL() const
673 {
674 return new OpenSSLCryptoX509CRL();
675 }
676
mapXMLAlgorithmToKeyAlgorithm(const XMLCh * xmlAlgorithm) const677 pair<const char*,unsigned int> XMLToolingInternalConfig::mapXMLAlgorithmToKeyAlgorithm(const XMLCh* xmlAlgorithm) const
678 {
679 for (algmap_t::const_iterator i = m_algorithmMap.begin(); i != m_algorithmMap.end(); ++i) {
680 algmap_t::value_type::second_type::const_iterator j = i->second.find(xmlAlgorithm);
681 if (j != i->second.end())
682 return pair<const char*,unsigned int>(j->second.first.c_str(), j->second.second);
683 }
684 return pair<const char*,unsigned int>(nullptr, 0);
685 }
686
registerXMLAlgorithm(const XMLCh * xmlAlgorithm,const char * keyAlgorithm,unsigned int size,XMLSecurityAlgorithmType type)687 void XMLToolingInternalConfig::registerXMLAlgorithm(
688 const XMLCh* xmlAlgorithm, const char* keyAlgorithm, unsigned int size, XMLSecurityAlgorithmType type
689 )
690 {
691 m_algorithmMap[type][xmlAlgorithm] = pair<string,unsigned int>((keyAlgorithm ? keyAlgorithm : ""), size);
692 // Authenticated encryption algorithms are also generic encryption algorithms.
693 if (type == ALGTYPE_AUTHNENCRYPT)
694 m_algorithmMap[ALGTYPE_ENCRYPT][xmlAlgorithm] = pair<string,unsigned int>((keyAlgorithm ? keyAlgorithm : ""), size);
695 }
696
isXMLAlgorithmSupported(const XMLCh * xmlAlgorithm,XMLSecurityAlgorithmType type)697 bool XMLToolingInternalConfig::isXMLAlgorithmSupported(const XMLCh* xmlAlgorithm, XMLSecurityAlgorithmType type)
698 {
699 try {
700 // First check for basic support from the xmlsec layer.
701 if (XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(xmlAlgorithm)) {
702 // Make sure the algorithm is registered.
703 algmap_t::const_iterator i = m_algorithmMap.find(type);
704 if (i != m_algorithmMap.end()) {
705 algmap_t::value_type::second_type::const_iterator j = i->second.find(xmlAlgorithm);
706 if (j != i->second.end())
707 return true;
708 }
709 }
710 }
711 catch (XSECException&) {
712 }
713 return false;
714 }
715
registerXMLAlgorithms()716 void XMLToolingInternalConfig::registerXMLAlgorithms()
717 {
718 // The deal with all the macros is to try and figure out with no false positives whether
719 // the OpenSSL version *and* the XML-Security version support the algorithms.
720
721 // With ECDSA, XML-Security exports a public macro for OpenSSL's support, and any
722 // versions of XML-Security that didn't provide the macro don't handle ECDSA anyway.
723 // However, the SHA-224 variant was left out of the initial XML-Security release.
724
725 // With AES and GCM, all supported XML-Security versions export a macro for OpenSSL's support.
726
727 // With SHA2, only the very latest XML-Security exports a macro, but all the versions
728 // will handle SHA2 *if* OpenSSL does. So we use our own macro to check OpenSSL's
729 // support, and then add checks to see if specific versions are compiled out.
730
731 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIMD5, nullptr, 0, ALGTYPE_DIGEST);
732 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA1, nullptr, 0, ALGTYPE_DIGEST);
733 #if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
734 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA224, nullptr, 0, ALGTYPE_DIGEST);
735 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA256, nullptr, 0, ALGTYPE_DIGEST);
736 #endif
737 #if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
738 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA384, nullptr, 0, ALGTYPE_DIGEST);
739 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURISHA512, nullptr, 0, ALGTYPE_DIGEST);
740 #endif
741
742 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIDSA_SHA1, "DSA", 0, ALGTYPE_SIGN);
743 #if defined(URI_ID_DSA_SHA256) && defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
744 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIDSA_SHA256, "DSA", 0, ALGTYPE_SIGN);
745 #endif
746
747 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_MD5, "RSA", 0, ALGTYPE_SIGN);
748 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA1, "RSA", 0, ALGTYPE_SIGN);
749 #if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
750 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA224, "RSA", 0, ALGTYPE_SIGN);
751 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA256, "RSA", 0, ALGTYPE_SIGN);
752 #endif
753 #if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
754 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA384, "RSA", 0, ALGTYPE_SIGN);
755 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_SHA512, "RSA", 0, ALGTYPE_SIGN);
756 #endif
757
758 #ifdef XSEC_OPENSSL_HAVE_EC
759 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA1, "EC", 0, ALGTYPE_SIGN);
760 # if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
761 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA256, "EC", 0, ALGTYPE_SIGN);
762 # ifdef URI_ID_ECDSA_SHA224
763 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA224, "EC", 0, ALGTYPE_SIGN);
764 # endif
765 # endif
766 # if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
767 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA384, "EC", 0, ALGTYPE_SIGN);
768 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIECDSA_SHA512, "EC", 0, ALGTYPE_SIGN);
769 # endif
770 #endif
771
772 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA1, "HMAC", 0, ALGTYPE_SIGN);
773 #if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA256)
774 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA224, "HMAC", 0, ALGTYPE_SIGN);
775 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA256, "HMAC", 0, ALGTYPE_SIGN);
776 #endif
777 #if defined(XSEC_OPENSSL_HAVE_SHA2) && !defined(OPENSSL_NO_SHA512)
778 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA384, "HMAC", 0, ALGTYPE_SIGN);
779 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIHMAC_SHA512, "HMAC", 0, ALGTYPE_SIGN);
780 #endif
781
782 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_1_5, "RSA", 0, ALGTYPE_KEYENCRYPT);
783 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_OAEP_MGFP1, "RSA", 0, ALGTYPE_KEYENCRYPT);
784 #ifdef URI_ID_RSA_OAEP
785 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIRSA_OAEP, "RSA", 0, ALGTYPE_KEYENCRYPT);
786 #endif
787
788 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURI3DES_CBC, "DESede", 192, ALGTYPE_ENCRYPT);
789 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_3DES, "DESede", 192, ALGTYPE_KEYENCRYPT);
790
791 #ifdef XSEC_OPENSSL_HAVE_AES
792 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES128_CBC, "AES", 128, ALGTYPE_ENCRYPT);
793 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES128, "AES", 128, ALGTYPE_KEYENCRYPT);
794
795 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES192_CBC, "AES", 192, ALGTYPE_ENCRYPT);
796 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES192, "AES", 192, ALGTYPE_KEYENCRYPT);
797
798 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES256_CBC, "AES", 256, ALGTYPE_ENCRYPT);
799 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES256, "AES", 256, ALGTYPE_KEYENCRYPT);
800
801 # ifdef URI_ID_KW_AES128_PAD
802 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES128_PAD, "AES", 128, ALGTYPE_KEYENCRYPT);
803 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES192_PAD, "AES", 192, ALGTYPE_KEYENCRYPT);
804 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIKW_AES256_PAD, "AES", 256, ALGTYPE_KEYENCRYPT);
805 # endif
806 #endif
807
808 #ifdef XSEC_OPENSSL_HAVE_GCM
809 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES128_GCM, "AES", 128, ALGTYPE_AUTHNENCRYPT);
810 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES192_GCM, "AES", 192, ALGTYPE_AUTHNENCRYPT);
811 registerXMLAlgorithm(DSIGConstants::s_unicodeStrURIAES256_GCM, "AES", 256, ALGTYPE_AUTHNENCRYPT);
812 #endif
813 }
814
815 #endif
816
817 #ifdef WIN32
818
DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID)819 extern "C" __declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID)
820 {
821 if (fdwReason == DLL_THREAD_DETACH || fdwReason == DLL_PROCESS_DETACH)
822 ThreadKey::onDetach();
823 return TRUE;
824 }
825
826 #endif
827