1 /** 2 * Licensed to the Apache Software Foundation (ASF) under one 3 * or more contributor license agreements. See the NOTICE file 4 * distributed with this work for additional information 5 * regarding copyright ownership. The ASF licenses this file 6 * to you under the Apache License, Version 2.0 (the 7 * "License"); you may not use this file except in compliance 8 * with the License. You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, 13 * software distributed under the License is distributed on an 14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 * KIND, either express or implied. See the License for the 16 * specific language governing permissions and limitations 17 * under the License. 18 */ 19 20 /* 21 * XSEC 22 * 23 * DSIGKeyInfoX509 := A "Super" key that defines a certificate with a sub-key that defines 24 * the signing key 25 * 26 * $Id: DSIGKeyInfoX509.hpp 1808174 2017-09-12 21:50:30Z scantor $ 27 * 28 */ 29 30 #ifndef DSIGKEYINFOX509_INCLUDE 31 #define DSIGKEYINFOX509_INCLUDE 32 33 #include <xsec/utils/XSECSafeBuffer.hpp> 34 #include <xsec/dsig/DSIGKeyInfo.hpp> 35 #include <xsec/enc/XSECCryptoX509.hpp> 36 37 #include <vector> 38 39 XSEC_USING_XERCES(DOMElement); 40 41 /** 42 * @ingroup pubsig 43 */ 44 45 /** 46 * @brief The class for \<X509Data\> nodes in a KeyInfo list. 47 * 48 * Class for holding information on a X509Data node as well as setting 49 * such a node in a signature. 50 * 51 */ 52 53 54 class XSEC_EXPORT DSIGKeyInfoX509 : public DSIGKeyInfo { 55 56 public: 57 58 59 struct X509Holder { 60 61 const XMLCh * mp_encodedX509; // Base64 encoding 62 XSECCryptoX509 * mp_cryptoX509; // The certificate 63 64 }; 65 66 #if defined(XSEC_NO_NAMESPACES) 67 typedef vector<X509Holder *> X509ListType; 68 typedef vector<const XMLCh *> X509CRLListType; 69 #else 70 typedef std::vector<X509Holder *> X509ListType; 71 typedef std::vector<const XMLCh *> X509CRLListType; 72 #endif 73 74 #if defined(XSEC_SIZE_T_IN_NAMESPACE_STD) 75 typedef std::size_t size_type; 76 #else 77 typedef size_t size_type; 78 #endif 79 80 /** @name Constructors and Destructors */ 81 //@{ 82 83 /** 84 * \brief Constructor used when XML structures exist. 85 * 86 * Constructor called by interface class when loading an 87 * X509Data element from DOM nodes. 88 * 89 * @param env Operating environment 90 * @param X509Data DOMNode at start of data 91 */ 92 93 DSIGKeyInfoX509(const XSECEnv * env, XERCES_CPP_NAMESPACE_QUALIFIER DOMNode *X509Data); 94 95 /** 96 * \brief Constructor called when building XML structures 97 * 98 * Constructor called by interface class when an XML 99 * structure is being built by a user calling the API 100 * 101 * @param env Operating environment 102 */ 103 104 DSIGKeyInfoX509(const XSECEnv * env); 105 106 /** 107 * \brief Destructor 108 */ 109 110 virtual ~DSIGKeyInfoX509(); 111 112 //@} 113 114 /** @name Load function and get methods */ 115 //@{ 116 117 /** 118 * \brief Function called to load an XML structure 119 * 120 * Function called by intercace class to load an X509Data structure 121 * from DOMNodes. 122 */ 123 124 virtual void load(); 125 126 /** 127 * \brief Get the name of the certificate 128 * 129 * Get the name stored in the X509SubjectName element (if it 130 * exists). 131 * 132 * @returns A pointer to a buffer containing the name 133 * (NULL if not set.) 134 */ 135 136 const XMLCh * getX509SubjectName(void) const; 137 138 /** 139 * \brief Get the name of the certificate (interface function) 140 * 141 * Get the name stored in the X509SubjectName element (if it 142 * exists). 143 * 144 * @returns A pointer to the buffer containing the name (or NULL if not set). 145 * The decoded string is returned. 146 * @see setX509SubjectName(void) 147 */ 148 149 const XMLCh * getKeyName(void) const; 150 151 /** 152 * \brief Get the X509Digest Algorithm 153 * 154 * Get the Algorithm for the X509Digest. 155 * 156 * @returns A pointer to the buffer containing the algorithm 157 * (0 if not set.) 158 */ 159 160 const XMLCh* getX509DigestAlgorithm(void) const; 161 162 /** 163 * \brief Get the X509Digest value 164 * 165 * Get the value for the X509Digest. 166 * 167 * @returns A pointer to the buffer containing the digest 168 * (0 if not set.) 169 */ 170 171 const XMLCh* getX509DigestValue(void) const; 172 173 /** 174 * \brief Get the IssuerSerialName 175 * 176 * Get the name of the Issuer (stored in the X509IssuerSerial element). 177 * 178 * @returns A pointer to the buffer containing the issuer name. 179 * (0 if not set.) 180 */ 181 182 const XMLCh * getX509IssuerName(void) const; 183 184 /** 185 * \brief Get the IsserSerialNumber 186 * 187 * Get the serial number of the certificate of the issuer of the 188 * signing certificate. 189 * 190 * @returns A pointer to the string containing the IssuerSerialNumber. 191 * (0 if not set.) This is the decoded string. 192 * @see setX509IssuerSerial 193 */ 194 195 const XMLCh * getX509IssuerSerialNumber(void) const; 196 197 /** 198 * \brief Get the first associated CRL 199 * 200 * Return the string containing the base64 encoded CRL that was held in 201 * the first X509CRL node 202 * 203 * @returns A pointer to the string containing the CRL 204 * (0 if not set) 205 */ 206 207 const XMLCh * getX509CRL(void) const; 208 209 /** 210 * \brief Find the number of CRLs held 211 * 212 * Find the number of CRLs held in the X509Data structures. 213 * 214 * @returns The number of CRLs 215 */ 216 217 int getX509CRLListSize(void) const; 218 219 /** 220 * \brief Get the DER encoded CRL pointed to in the list. 221 * 222 * Use the index to find the required CRL and return a pointer 223 * to the buffer containing the encoded CRL. 224 * 225 * @returns A pointer to the buffer containing the CRL or 0 if 226 * no CRL exists at that point in the list. 227 */ 228 229 const XMLCh * getX509CRLItem(int item) const; 230 231 /** 232 * \brief Get the SKI value (if set) 233 * 234 * The SKI (Subject Key Identifier) can be used to reference a 235 * required certificate. If this was set in the KeyInfo element, 236 * this function will return the value 237 * 238 * @returns the base64 encoded (plan - not DER) encoded SKI value 239 */ 240 241 const XMLCh * getX509SKI(void) const; 242 243 /** 244 * \brief Return the raw Retrieval method to find this certificate 245 * 246 * In some cases, the KeyInfo RetrievalMethod references a raw certificate 247 * In such cases, the library simply creates a KeyInfoX509 object and sets 248 * this string to allow others to find the certificate 249 */ 250 251 const XMLCh * getRawRetrievalURI(void) const; 252 253 /** 254 * \brief Find the number of certificates held 255 * 256 * Find the number of certificates held in the X509Data structures. 257 * 258 * @returns The number of certificates 259 */ 260 261 int getCertificateListSize(void) const; 262 263 /** 264 * \brief Get the DER encoded certificate pointed to in the list. 265 * 266 * Use the index to find the required certificate and return a pointer 267 * to the buffer containing the encoded certificate. 268 * 269 * @returns A pointer to the buffer containing the certificate or 0 if 270 * no certificate exists at that point in the list. 271 */ 272 273 const XMLCh * getCertificateItem(int item) const; 274 275 /** 276 * \brief Get the Crypto Interface X509 structure version of the certificate 277 * 278 * Use the index to find the required certificate and return a pointer 279 * to the XSECCryptoX509 cert 280 * 281 * @returns A pointer to the XSECCryptoX509 cert structure 282 */ 283 284 XSECCryptoX509 * getCertificateCryptoItem(int item); 285 286 /** 287 * \brief Get the Crypto Interface X509 structure version of the certificate 288 * 289 * Use the index to find the required certificate and return a pointer 290 * to the XSECCryptoX509 cert 291 * 292 * @returns A pointer to the XSECCryptoX509 cert structure 293 */ 294 295 const XSECCryptoX509 * getCertificateCryptoItem(int item) const; 296 297 /** 298 * \brief Interface function to find the type of this KeyInfo 299 */ 300 getKeyInfoType(void) const301 virtual keyInfoType getKeyInfoType(void) const {return DSIGKeyInfo::KEYINFO_X509;} 302 303 //@} 304 305 /** @name Create and Set functions */ 306 //@{ 307 308 /** 309 * \brief Create a new X509 data element. 310 * 311 * Create a blank (empty) X509Data element that can then be used 312 * by the application to add X509Data elements. 313 * 314 * @returns A pointer to the new X509Data element. 315 */ 316 317 XERCES_CPP_NAMESPACE_QUALIFIER DOMElement * 318 createBlankX509Data(void); 319 320 /** 321 * \brief Set the X509SubjectName element in the KeyInfo element. 322 * 323 * If a X509SubjectName element exists, replace the text with the 324 * provided text. Otherwise create the element and set the text. 325 * 326 * @note XMLDSIG requires Distinguished Names be encoded in a defined 327 * manner (escaping '<' characters etc.). This method will perform 328 * this encoding prior to creating the DOM nodes. 329 * 330 * @param name The name to set. 331 */ 332 333 void setX509SubjectName(const XMLCh * name); 334 335 /** 336 * \brief Set the IssuerSerial element 337 * 338 * If an X509IssuerSerial exists, replace the values with those provided, 339 * otherwise create a new element and set the values appropriately. 340 * 341 * @note XMLDSIG requires Distinguished Names be encoded in a defined 342 * manner (escaping '<' characters etc.). This method will perform 343 * this encoding prior to creating the DOM nodes. 344 * 345 * @param name The name of the issuer. 346 * @param serial The serial number of the issuer's certificate 347 */ 348 349 void setX509IssuerSerial(const XMLCh * name, const XMLCh * serial); 350 351 /** 352 * \brief Set the dsig11:X509Digest element 353 * 354 * If a dsig11:X509Digest exists, replace the values with those provided, 355 * otherwise create a new element and set the values appropriately. 356 * 357 * @param algorithm The algorithm type 358 * @param value The digest value 359 */ 360 361 void setX509Digest(const XMLCh * algorithm, const XMLCh * value); 362 363 /** 364 * \brief Add a CRL. 365 * 366 * Append an X509CRL element to the list of CRLs 367 * stored at the end of this KeyInfo element. 368 * 369 * @param crl A pointer to the base64 encoded CRL, 370 * exactly as it will appear in the XML structure. 371 */ 372 373 void setX509CRL(const XMLCh * crl); 374 375 /** 376 * \brief Add a CRL. 377 * 378 * Append an X509CRL element to the list of CRLs 379 * stored at the end of this KeyInfo element. 380 * 381 * @param crl A pointer to the base64 encoded CRL, 382 * exactly as it will appear in the XML structure. 383 */ 384 385 void appendX509CRL(const XMLCh * crl); 386 387 /** 388 * \brief Set the SKI element 389 * 390 * The SKI node provides a reference to the Subject Key Identifier of 391 * a certificate. 392 * 393 * This function takes a base64 encoded ski and sets it into the 394 * appropriate node 395 * 396 * @param ski The base64 plain (non-DER) encoded SKI value 397 */ 398 399 void setX509SKI(const XMLCh * ski); 400 401 /** 402 * \brief set the retrieval URI 403 * 404 * Generally to be used by internal library processes only. 405 * This sets the retrieval URI - but does _not_ manipulate the DOM 406 * in any way. 407 * 408 * @param uri The URI string to use 409 */ 410 411 void setRawRetrievalURI(const XMLCh * uri); 412 413 /** 414 * \brief Add a certificate. 415 * 416 * Append an X509Certificate element to the list of certificates 417 * stored at the end of this KeyInfo element. 418 * 419 * @param base64Certificate A pointer to the base64 encoded certificate, 420 * exactly as it will appear in the XML structure. 421 */ 422 423 void appendX509Certificate(const XMLCh * base64Certificate); 424 425 //@} 426 427 428 private: 429 430 DSIGKeyInfoX509(); 431 432 X509ListType m_X509List; // The X509 structures 433 X509CRLListType m_X509CRLList; // The X509CRL list 434 XMLCh * mp_X509IssuerName; // Parameters from KeyInfo (not cert) 435 const XMLCh * mp_X509SerialNumber; 436 XMLCh * mp_X509SubjectName; 437 const XMLCh * mp_X509SKI; 438 XMLCh * mp_rawRetrievalURI; 439 440 // Text nodes holding information 441 442 XERCES_CPP_NAMESPACE_QUALIFIER DOMNode * mp_X509SubjectNameTextNode; 443 XERCES_CPP_NAMESPACE_QUALIFIER DOMNode * mp_X509IssuerNameTextNode; 444 XERCES_CPP_NAMESPACE_QUALIFIER DOMNode * mp_X509SerialNumberTextNode; 445 XERCES_CPP_NAMESPACE_QUALIFIER DOMNode * mp_X509SKITextNode; 446 XERCES_CPP_NAMESPACE_QUALIFIER DOMNode * mp_X509DigestTextNode; 447 448 }; 449 450 451 452 #endif /* #define DSIGKEYX509_INCLUDE */ 453