/*
 * XML Security Library (http://www.aleksey.com/xmlsec).
 *
 * <dsig:KeyInfo> element processing
 * (http://www.w3.org/TR/xmldsig-core/#sec-KeyInfo).
 *
 * This is free software; see Copyright file in the source
 * distribution for precise wording.
 *
 * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved.
 */
#ifndef __XMLSEC_KEYINFO_H__
#define __XMLSEC_KEYINFO_H__

#include <time.h>

#include <libxml/tree.h>

#include <xmlsec/xmlsec.h>
#include <xmlsec/list.h>
#include <xmlsec/keysdata.h>
#include <xmlsec/keys.h>
#include <xmlsec/transforms.h>

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

/****************************************************************************
 *
 * High-level functions
 *
 ****************************************************************************/

/*
 * xmlSecKeyInfoNodeRead: reads the <dsig:KeyInfo /> element @keyInfoNode and
 * fills @key according to the flags, key requirements and keys manager held
 * in @keyInfoCtx. Returns an int status (xmlsec convention is 0 on success
 * and a negative value on error -- confirm in keyinfo.c).
 *
 * xmlSecKeyInfoNodeWrite: writes @key into the <dsig:KeyInfo /> element
 * @keyInfoNode under control of @keyInfoCtx; same return convention.
 *
 * NOTE(review): when @keyInfoNode comes from an untrusted document, the
 * XMLSEC_KEYINFO_FLAGS_* bits in @keyInfoCtx->flags (below) decide whether
 * unexpected or unverifiable content aborts the read or is silently skipped.
 */
XMLSEC_EXPORT int               xmlSecKeyInfoNodeRead           (xmlNodePtr keyInfoNode,
                                                                 xmlSecKeyPtr key,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
XMLSEC_EXPORT int               xmlSecKeyInfoNodeWrite          (xmlNodePtr keyInfoNode,
                                                                 xmlSecKeyPtr key,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);

/**
 * xmlSecKeyInfoMode:
 * @xmlSecKeyInfoModeRead:      read <dsig:KeyInfo /> element.
 * @xmlSecKeyInfoModeWrite:     write <dsig:KeyInfo /> element.
 *
 * The @xmlSecKeyInfoCtx operation mode (read or write).
 */
typedef enum {
    xmlSecKeyInfoModeRead = 0,
    xmlSecKeyInfoModeWrite
} xmlSecKeyInfoMode;

/*
 * Processing flags for xmlSecKeyInfoCtx::flags.
 *
 * Each STOP_ON_* flag turns a condition that is otherwise skipped into a
 * fatal error; each DONT_* / SKIP_* flag relaxes a check that is otherwise
 * enforced. When the <dsig:KeyInfo /> being read is attacker-controlled,
 * prefer the strict direction: unknown children, unresolvable certificate
 * references and failed decryptions are then rejected instead of ignored.
 */

/**
 * XMLSEC_KEYINFO_FLAGS_DONT_STOP_ON_KEY_FOUND:
 *
 * If flag is set then we will continue reading <dsig:KeyInfo />
 * element even when key is already found (by default reading stops
 * at the first key that satisfies the requirements).
 */
#define XMLSEC_KEYINFO_FLAGS_DONT_STOP_ON_KEY_FOUND             0x00000001

/**
 * XMLSEC_KEYINFO_FLAGS_STOP_ON_UNKNOWN_CHILD:
 *
 * If flag is set then we abort if an unknown <dsig:KeyInfo />
 * child is found.
 */
#define XMLSEC_KEYINFO_FLAGS_STOP_ON_UNKNOWN_CHILD              0x00000002

/**
 * XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN:
 *
 * If flag is set then we abort if an unknown key name
 * (content of <dsig:KeyName /> element) is found.
 */
#define XMLSEC_KEYINFO_FLAGS_KEYNAME_STOP_ON_UNKNOWN            0x00000004

/**
 * XMLSEC_KEYINFO_FLAGS_KEYVALUE_STOP_ON_UNKNOWN_CHILD:
 *
 * If flag is set then we abort if an unknown <dsig:KeyValue />
 * child is found.
 */
#define XMLSEC_KEYINFO_FLAGS_KEYVALUE_STOP_ON_UNKNOWN_CHILD     0x00000008

/**
 * XMLSEC_KEYINFO_FLAGS_RETRMETHOD_STOP_ON_UNKNOWN_HREF:
 *
 * If flag is set then we abort if an unknown href attribute
 * of <dsig:RetrievalMethod /> element is found.
 */
#define XMLSEC_KEYINFO_FLAGS_RETRMETHOD_STOP_ON_UNKNOWN_HREF    0x00000010

/**
 * XMLSEC_KEYINFO_FLAGS_RETRMETHOD_STOP_ON_MISMATCH_HREF:
 *
 * If flag is set then we abort if the href attribute of a
 * <dsig:RetrievalMethod /> element does not match the type of the
 * key data that was actually retrieved.
 */
#define XMLSEC_KEYINFO_FLAGS_RETRMETHOD_STOP_ON_MISMATCH_HREF   0x00000020

/**
 * XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CHILD:
 *
 * If flag is set then we abort if an unknown <dsig:X509Data />
 * child is found.
 */
#define XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CHILD     0x00000100

/**
 * XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS:
 *
 * If flag is set then we'll load certificates from <dsig:X509Data />
 * element without verification.
 *
 * NOTE(review): with verification off, the key used comes from whatever
 * certificate the document itself carries, with no check that it chains
 * to a trusted root. Use only for tests/debugging; never set it when
 * verifying signatures on untrusted documents.
 */
#define XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS         0x00000200

/**
 * XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT:
 *
 * If flag is set then we'll stop when we could not resolve a reference
 * to a certificate from <dsig:X509IssuerSerial />, <dsig:X509SKI /> or
 * <dsig:X509SubjectName /> elements.
 */
#define XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT      0x00000400

/**
 * XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_INVALID_CERT:
 *
 * If the flag is set then we'll stop when <dsig:X509Data /> element
 * processing does not return a verified certificate (otherwise the
 * element is skipped and the search for a key continues).
 */
#define XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_INVALID_CERT      0x00000800

/**
 * XMLSEC_KEYINFO_FLAGS_ENCKEY_DONT_STOP_ON_FAILED_DECRYPTION:
 *
 * If the flag is set then a failure to decrypt an <enc:EncryptedKey />
 * element does NOT abort <dsig:KeyInfo /> processing; the element is
 * skipped and reading continues. Without the flag the failure is fatal.
 *
 * NOTE(review): the previous comment here described the opposite
 * ("we'll stop when ... processing fails"), which contradicts the flag's
 * name (DONT_STOP); the wording above follows the name -- confirm against
 * the EncryptedKey reader in keyinfo.c.
 */
#define XMLSEC_KEYINFO_FLAGS_ENCKEY_DONT_STOP_ON_FAILED_DECRYPTION      0x00001000

/**
 * XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE:
 *
 * If the flag is set then we'll stop when we find an empty node.
 * Otherwise we just ignore it.
 */
#define XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE                 0x00002000

/**
 * XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS:
 *
 * If the flag is set then we'll skip strict checking of certs and CRLs.
 *
 * NOTE(review): this weakens certificate and revocation validation; keep it
 * clear when the <dsig:X509Data /> content originates from an untrusted
 * party.
 */
#define XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS        0x00004000

/**
 * xmlSecKeyInfoCtx:
 * @userData:                   the pointer to user data (xmlsec and xmlsec-crypto
 *                              never touch this).
 * @flags:                      the bit mask for flags that control processing
 *                              (XMLSEC_KEYINFO_FLAGS_*, see above).
 * @flags2:                     reserved for future.
 * @mode:                       do we read or write <dsig:KeyInfo /> element.
 * @keysMngr:                   the pointer to current keys manager.
 * @enabledKeyData:             the list of enabled @xmlSecKeyDataId (if list is
 *                              empty then all data ids are enabled).
 * @base64LineSize:             the max columns size for base64 encoding.
 * @retrievalMethodCtx:         the transforms context for <dsig:RetrievalMethod />
 *                              element processing.
 * @maxRetrievalMethodLevel:    the max recursion level when processing
 *                              <dsig:RetrievalMethod /> element; default level is 1
 *                              (see also @curRetrievalMethodLevel). This bounds
 *                              how far document-supplied references may be
 *                              followed; raising it lets a document drive
 *                              deeper nesting.
 * @encCtx:                     the encryption context for <enc:EncryptedKey /> element
 *                              processing.
 * @maxEncryptedKeyLevel:       the max recursion level when processing
 *                              <enc:EncryptedKey /> element; default level is 1
 *                              (see @curEncryptedKeyLevel). Same caveat as
 *                              @maxRetrievalMethodLevel.
 * @certsVerificationTime:      the time to use for X509 certificates verification
 *                              ("not valid before" and "not valid after" checks);
 *                              if @certsVerificationTime is equal to 0 (default)
 *                              then we verify certificates against the system's
 *                              clock "now". A fixed non-zero value pins the validity
 *                              check to that instant (an expired certificate may
 *                              still pass); set it only deliberately, e.g. for
 *                              reproducible tests.
 * @certsVerificationDepth:     the max certificate chain length (default is 9).
 * @pgpReserved:                reserved for PGP.
 * @curRetrievalMethodLevel:    the current <dsig:RetrievalMethod /> element
 *                              processing level (see @maxRetrievalMethodLevel).
 * @curEncryptedKeyLevel:       the current <enc:EncryptedKey /> element
 *                              processing level (see @maxEncryptedKeyLevel).
 * @keyReq:                     the current key requirements.
 * @reserved0:                  reserved for the future.
 * @reserved1:                  reserved for the future.
 *
 * The <dsig:KeyInfo /> reading or writing context.
 *
 * The members from "internal data" onwards are maintained by xmlsec during
 * processing and are not meant to be set by applications.
 *
 * NOTE: the @encCtx/@maxEncryptedKeyLevel and @certsVerificationTime/
 * @certsVerificationDepth members are present only when XMLSEC_NO_XMLENC
 * and XMLSEC_NO_X509 respectively are not defined, so the struct layout
 * depends on build configuration; applications must be compiled with the
 * same configuration as the library they link against.
 */
struct _xmlSecKeyInfoCtx {
    void*                               userData;
    unsigned int                        flags;
    unsigned int                        flags2;
    xmlSecKeysMngrPtr                   keysMngr;
    xmlSecKeyInfoMode                   mode;
    xmlSecPtrList                       enabledKeyData;
    int                                 base64LineSize;

    /* RetrievalMethod */
    xmlSecTransformCtx                  retrievalMethodCtx;
    int                                 maxRetrievalMethodLevel;

#ifndef XMLSEC_NO_XMLENC
    /* EncryptedKey */
    xmlSecEncCtxPtr                     encCtx;
    int                                 maxEncryptedKeyLevel;
#endif /* XMLSEC_NO_XMLENC */

#ifndef XMLSEC_NO_X509
    /* x509 certificates */
    time_t                              certsVerificationTime;
    int                                 certsVerificationDepth;
#endif /* XMLSEC_NO_X509 */

    /* PGP */
    void*                               pgpReserved;    /* TODO */

    /* internal data: maintained by xmlsec, not set by applications */
    int                                 curRetrievalMethodLevel;
    int                                 curEncryptedKeyLevel;
    xmlSecKeyReq                        keyReq;

    /* for the future */
    void*                               reserved0;
    void*                               reserved1;
};

/*
 * Context lifecycle.
 *
 * xmlSecKeyInfoCtxCreate allocates and initializes a context bound to
 * @keysMngr (may the manager be NULL? -- not stated here, check keyinfo.c);
 * xmlSecKeyInfoCtxDestroy finalizes and frees it. Initialize/Finalize are the
 * in-place equivalents for a caller-owned struct. xmlSecKeyInfoCtxReset
 * presumably clears the per-run state so the context can be reused;
 * xmlSecKeyInfoCtxCopyUserPref copies the user-settable preferences from
 * @src to @dst (presumably not the internal-data members -- confirm).
 * xmlSecKeyInfoCtxCreateEncCtx creates the encryption context used for
 * <enc:EncryptedKey /> processing. The Debug*Dump functions print the
 * context to @output for diagnostics.
 */
XMLSEC_EXPORT xmlSecKeyInfoCtxPtr xmlSecKeyInfoCtxCreate         (xmlSecKeysMngrPtr keysMngr);
XMLSEC_EXPORT void              xmlSecKeyInfoCtxDestroy         (xmlSecKeyInfoCtxPtr keyInfoCtx);
XMLSEC_EXPORT int               xmlSecKeyInfoCtxInitialize      (xmlSecKeyInfoCtxPtr keyInfoCtx,
                                                                 xmlSecKeysMngrPtr keysMngr);
XMLSEC_EXPORT void              xmlSecKeyInfoCtxFinalize        (xmlSecKeyInfoCtxPtr keyInfoCtx);
XMLSEC_EXPORT void              xmlSecKeyInfoCtxReset           (xmlSecKeyInfoCtxPtr keyInfoCtx);
XMLSEC_EXPORT int               xmlSecKeyInfoCtxCopyUserPref    (xmlSecKeyInfoCtxPtr dst,
                                                                 xmlSecKeyInfoCtxPtr src);
XMLSEC_EXPORT int               xmlSecKeyInfoCtxCreateEncCtx    (xmlSecKeyInfoCtxPtr keyInfoCtx);
XMLSEC_EXPORT void              xmlSecKeyInfoCtxDebugDump       (xmlSecKeyInfoCtxPtr keyInfoCtx,
                                                                 FILE* output);
XMLSEC_EXPORT void              xmlSecKeyInfoCtxDebugXmlDump    (xmlSecKeyInfoCtxPtr keyInfoCtx,
                                                                 FILE* output);

/**
 * xmlSecKeyDataNameId
 *
 * The <dsig:KeyName> processing class.
 */
#define xmlSecKeyDataNameId             xmlSecKeyDataNameGetKlass()
XMLSEC_EXPORT xmlSecKeyDataId   xmlSecKeyDataNameGetKlass       (void);

/**
 * xmlSecKeyDataValueId
 *
 * The <dsig:KeyValue> processing class.
 */
#define xmlSecKeyDataValueId            xmlSecKeyDataValueGetKlass()
XMLSEC_EXPORT xmlSecKeyDataId   xmlSecKeyDataValueGetKlass      (void);

/**
 * xmlSecKeyDataRetrievalMethodId
 *
 * The <dsig:RetrievalMethod> processing class.
 */
#define xmlSecKeyDataRetrievalMethodId  xmlSecKeyDataRetrievalMethodGetKlass()
XMLSEC_EXPORT xmlSecKeyDataId   xmlSecKeyDataRetrievalMethodGetKlass(void);

#ifndef XMLSEC_NO_XMLENC
/**
 * xmlSecKeyDataEncryptedKeyId
 *
 * The <enc:EncryptedKey> processing class.
 */
#define xmlSecKeyDataEncryptedKeyId     xmlSecKeyDataEncryptedKeyGetKlass()
XMLSEC_EXPORT xmlSecKeyDataId   xmlSecKeyDataEncryptedKeyGetKlass(void);
#endif /* XMLSEC_NO_XMLENC */

#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif /* __XMLSEC_KEYINFO_H__ */