Author: milinda
Date: Wed Jun 11 03:42:46 2008
New Revision: 666614

URL: http://svn.apache.org/viewvc?rev=666614&view=rev
Log:
Adding multiple client handling support using PKCS12 Key Store and adding 
support for creating PKCS12 key store from character buffer.

Modified:
    webservices/rampart/trunk/c/include/openssl_pkcs12.h
    webservices/rampart/trunk/c/include/openssl_pkcs12_keystore.h
    webservices/rampart/trunk/c/include/oxs_key_mgr.h
    webservices/rampart/trunk/c/include/rampart_context.h
    webservices/rampart/trunk/c/src/omxmlsec/asym_ctx.c
    webservices/rampart/trunk/c/src/omxmlsec/key_mgr.c
    webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12.c
    webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12_keystore.c
    webservices/rampart/trunk/c/src/omxmlsec/sign_ctx.c
    webservices/rampart/trunk/c/src/util/rampart_context.c
    webservices/rampart/trunk/c/src/util/rampart_encryption.c
    webservices/rampart/trunk/c/src/util/rampart_engine.c
    webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c

Modified: webservices/rampart/trunk/c/include/openssl_pkcs12.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/openssl_pkcs12.h?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/openssl_pkcs12.h (original)
+++ webservices/rampart/trunk/c/include/openssl_pkcs12.h Wed Jun 11 03:42:46 
2008
@@ -49,7 +49,8 @@
     AXIS2_EXTERN axis2_status_t AXIS2_CALL
     openssl_pkcs12_load_from_buffer(const axutil_env_t *env,
                         axis2_char_t *buffer,
-                        PKCS12 **p12);
+                        PKCS12 **p12,
+                        int len);
 
     /*Parse*/
     AXIS2_EXTERN axis2_status_t AXIS2_CALL
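Review bot: The new `int len` parameter on `openssl_pkcs12_load_from_buffer` is undocumented, and the declaration still presents `buffer` as `axis2_char_t *`, which reads as a NUL-terminated string although a PKCS12 blob is binary DER and `len` is now the only thing that bounds it. Add a short comment above the prototype, e.g. `/* buffer holds raw PKCS12 (DER) bytes, not a C string; len is its size in bytes and must be > 0 */`, so callers do not fall back to strlen on the buffer. A `size_t` would be the natural type for a byte count; if the int stays, the comment should say negative values are rejected.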

Modified: webservices/rampart/trunk/c/include/openssl_pkcs12_keystore.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/openssl_pkcs12_keystore.h?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/openssl_pkcs12_keystore.h (original)
+++ webservices/rampart/trunk/c/include/openssl_pkcs12_keystore.h Wed Jun 11 
03:42:46 2008
@@ -50,12 +50,6 @@
         axis2_char_t *filename, 
         axis2_char_t *password);
     
-    AXIS2_EXTERN pkcs12_keystore_t * AXIS2_CALL 
-    pkcs12_keystore_create_from_buffer(
-            const axutil_env_t *env,
-            axis2_char_t *buffer,
-            axis2_char_t *password);
-    
     axutil_array_list_t * AXIS2_CALL pkcs12_keystore_populate_cert_array(
         const axutil_env_t *env,
         STACK_OF(X509) *other_certs);
@@ -88,10 +82,18 @@
         const axutil_env_t *env,
         axis2_char_t *ski);
 
-       AXIS2_EXTERN oxs_x509_cert_t * AXIS2_CALL 
+    AXIS2_EXTERN oxs_x509_cert_t * AXIS2_CALL 
     pkcs12_keystore_get_other_certificate(
        pkcs12_keystore_t *keystore,
        const axutil_env_t *env);
+     
+    AXIS2_EXTERN pkcs12_keystore_t * AXIS2_CALL
+    pkcs12_keystore_create_from_buffer(
+        const axutil_env_t *env,
+        axis2_char_t *buffer,
+        axis2_char_t *password,
+        int len);
+
     
         
 #ifdef __cplusplus
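Review bot: `pkcs12_keystore_create_from_buffer` is re-declared here with the extra `int len` but, unlike the other prototypes in this header, carries no description of its arguments or of who owns the returned keystore. Add a doc comment stating that `buffer` is raw PKCS12 data of `len` bytes (not a string), that `password` is the store's import password, and that the caller frees the returned `pkcs12_keystore_t`; something like `/* Create a keystore from len bytes of PKCS12 data in buffer; returns NULL on load failure. Caller owns the result. */`. Moving the prototype below `pkcs12_keystore_get_other_certificate` is harmless but the trailing whitespace on the new blank lines (L72, L79) should go.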

Modified: webservices/rampart/trunk/c/include/oxs_key_mgr.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/oxs_key_mgr.h?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/oxs_key_mgr.h (original)
+++ webservices/rampart/trunk/c/include/oxs_key_mgr.h Wed Jun 11 03:42:46 2008
@@ -318,11 +318,31 @@
             oxs_key_mgr_t *key_mgr,
             const axutil_env_t *env);
         
+        AXIS2_EXTERN oxs_x509_cert_t * AXIS2_CALL
+        oxs_key_mgr_get_receiver_certificate_from_ski(
+            oxs_key_mgr_t *key_mgr,
+            const axutil_env_t *env,
+            axis2_char_t *ski);
+        
+        AXIS2_EXTERN oxs_x509_cert_t * AXIS2_CALL
+        oxs_key_mgr_get_receiver_certificate_from_issuer_serial(
+            oxs_key_mgr_t *key_mgr,
+            const axutil_env_t *env,
+            axis2_char_t *issuer,
+            int serial);
+        
+        AXIS2_EXTERN int AXIS2_CALL
+        oxs_key_mgr_get_key_store_buff_len(
+            oxs_key_mgr_t *key_mgr,
+            const axutil_env_t *env);
+        
         AXIS2_EXTERN axis2_status_t AXIS2_CALL
         oxs_key_mgr_set_key_store_buff(
             oxs_key_mgr_t *key_mgr,
             const axutil_env_t *env,
-            void *key_store_buf);
+            void *key_store_buf,
+            int len);
+
        
     /** @} */
 #ifdef __cplusplus
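Review bot: `oxs_key_mgr_get_receiver_certificate_from_issuer_serial` takes the certificate serial as `int`, but X.509 serial numbers are arbitrary-length positive integers (up to 20 octets per RFC 5280), so most CA-issued certificates cannot be looked up through this interface; the same `int serial` appears in key_mgr.c and its caller in rampart_sec_header_processor.c. If changing the underlying pkcs12 lookup is out of scope for this commit, at least document the limitation, e.g. `/* serial: decimal serial number; only certificates whose serial fits in an int can be resolved */`, and prefer passing the serial as its decimal string so the keystore can compare it against ASN1_INTEGER without truncation. None of the three new prototypes has a doc comment, whereas the rest of this header (the `/** @} */` group) is Doxygen-documented; add `@param`/`@return` blocks and state that the returned certificate is owned by the key manager's store, if that is the case, so callers do not free it.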

Modified: webservices/rampart/trunk/c/include/rampart_context.h
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/include/rampart_context.h?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/include/rampart_context.h (original)
+++ webservices/rampart/trunk/c/include/rampart_context.h Wed Jun 11 03:42:46 
2008
@@ -1443,10 +1443,11 @@
      * AXIS2_SUCCESS on success and AXIS2_FAILURE on error          
      */
 
-       AXIS2_EXTERN axis2_status_t AXIS2_CALL
-       rampart_context_set_saml_tokens(rampart_context_t *rampart_context,
-                                        const axutil_env_t *env,
-                                        axutil_array_list_t *tokens);
+     AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_saml_tokens(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        axutil_array_list_t *tokens);
     /**
      *
      * @param rampart_context
@@ -1455,10 +1456,10 @@
      * AXIS2_SUCCESS on success and AXIS2_FAILURE on error          
      */
 
-       AXIS2_EXTERN issued_token_callback_func AXIS2_CALL
-       rampart_context_get_issued_token_aquire_function(
-                                                               
rampart_context_t *rampart_context, 
-                                                               const 
axutil_env_t *env);  
+    AXIS2_EXTERN issued_token_callback_func AXIS2_CALL
+    rampart_context_get_issued_token_aquire_function(
+        rampart_context_t *rampart_context, 
+       const axutil_env_t *env);  
     /**
      *
      * @param rampart_context
@@ -1468,11 +1469,11 @@
      * AXIS2_SUCCESS on success and AXIS2_FAILURE on error          
      */
 
-       AXIS2_EXTERN axis2_status_t AXIS2_CALL
-       rampart_context_set_issued_token_aquire_function(
-                                                               
rampart_context_t *rampart_context,
-                                                               const 
axutil_env_t *env,
-                                                               
issued_token_callback_func issued_token_aquire);
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_issued_token_aquire_function(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        issued_token_callback_func issued_token_aquire);
     /**
      *
      * @param rampart_context
@@ -1509,17 +1510,37 @@
     rampart_context_get_algorithmsuite(
         rampart_context_t *rampart_context,
         const axutil_env_t *env);
-
-       AXIS2_EXTERN oxs_key_mgr_t * AXIS2_CALL
+    
+    /**
+     * Get the key manager from rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param Pointer to environment struct
+     * @returns pointer Key manager struct
+     */
+    AXIS2_EXTERN oxs_key_mgr_t * AXIS2_CALL
     rampart_context_get_key_mgr(
        rampart_context_t *rampart_context,
        const axutil_env_t *env);
 
+    /**
+     * Set the key manager to rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param Pointer to environment struct
+     * @param key_mgr Pointer to key manager struct.
+     * @returns status of the operation. AXIS2_SUCCESS on success 
AXIS2_FAILURE otherwise.
+     */
     AXIS2_EXTERN axis2_status_t AXIS2_CALL
-    rampart_context_set_key_mgr(rampart_context_t *rampart_context, 
-                                                         const axutil_env_t 
*env, 
-                              oxs_key_mgr_t *key_mgr); 
+    rampart_context_set_key_mgr(
+        rampart_context_t *rampart_context, 
+       const axutil_env_t *env, 
+        oxs_key_mgr_t *key_mgr); 
     
+    /**
+     * Get the pkcs12 file name from rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param Pointer to environment struct
+     * @returns PKCS12 file name
+     */
     AXIS2_EXTERN axis2_char_t *AXIS2_CALL
     rampart_context_get_pkcs12_file_name(
        rampart_context_t *rampart_context,
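Review bot: The new Doxygen blocks at L194, L205 and L223 write `@param Pointer to environment struct` without the parameter name, so Doxygen will treat "Pointer" as the parameter and report `env` as undocumented; change each to `@param env Pointer to environment struct`. The `@returns` lines would also read better as `@return` to match the other comments in this header, and the wrapped text at L207-L208 should stay on one line so the generated docs do not show a hard break mid-sentence.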
@@ -1550,22 +1571,77 @@
     rampart_context_get_custom_tokens(rampart_context_t *rampart_context,
                                         const axutil_env_t *env);
 
-       AXIS2_EXTERN axis2_char_t *AXIS2_CALL
-       rampart_context_get_receiver_certificate_file(
-           rampart_context_t *rampart_context,
-           const axutil_env_t *env);
-
-
-       AXIS2_EXTERN void * AXIS2_CALL
-       rampart_context_get_key_store_buff(
-           rampart_context_t *rampart_context,
-           const axutil_env_t *env);
-
-       AXIS2_EXTERN axis2_status_t AXIS2_CALL
-       rampart_context_set_key_store_buff(
-           rampart_context_t *rampart_context,
-           const axutil_env_t *env,
-           void *key_store_buf);
+    /**
+     * Get the receiver certificate file name from rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param env Pointer to environment struct
+     * @returns Receiver certificate file name
+     */
+    AXIS2_EXTERN axis2_char_t *AXIS2_CALL
+    rampart_context_get_receiver_certificate_file(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+      
+    /**
+     * Get the found_cert_in_shp from rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param env Pointer to environment struct
+     * @returns axis2_bool_t
+     */
+    AXIS2_EXTERN axis2_bool_t AXIS2_CALL
+    rampart_context_get_found_cert_in_shp(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+    
+    /**
+     * Set the certificate found status to rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param env Pointer to environment struct
+     * @param found_cert_in_shp boolean value which specify the certificate 
found status
+     * @returns status of the operation
+     */
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_found_cert_in_shp(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        axis2_bool_t found_cert_in_shp);
+    
+    /**
+     * Get the certificate found in shp from rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param env Pointer to environment struct
+     * @returns oxs_x509_cert_t Client certificate found when processing sec 
header, otherwise NULL
+     */   
+    AXIS2_EXTERN oxs_x509_cert_t *AXIS2_CALL
+    rampart_context_get_receiver_cert_found_in_shp(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+    
+    /**
+     * Set the found_cert_in_shp to rampart context.
+     * @param rampart_context Pointer to rampart context struct.
+     * @param env Pointer to environment struct
+     * @param cert pointer to the certficate
+     * @returns status of the operation
+     */    
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_receiver_cert_found_in_shp(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        oxs_x509_cert_t *cert);
+
+    AXIS2_EXTERN void * AXIS2_CALL
+    rampart_context_get_key_store_buff(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env);
+
+    AXIS2_EXTERN axis2_status_t AXIS2_CALL
+    rampart_context_set_key_store_buff(
+        rampart_context_t *rampart_context,
+        const axutil_env_t *env,
+        void *key_store_buf,
+        int length);
+    
 #ifdef __cplusplus
 }
 #endif
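Review bot: The doc block for `rampart_context_set_receiver_cert_found_in_shp` does not say who owns `cert`, which matters because the matching code in rampart_context.c frees `receiver_cert` only when `found_cert_in_shp` is AXIS2_TRUE, and the certificate-free calls in asym_ctx.c and sign_ctx.c are being disabled in this same commit. State the contract explicitly, e.g. `@param cert pointer to the certificate; ownership passes to the rampart context, which frees it on rampart_context_free only if found_cert_in_shp is AXIS2_TRUE`. Also `rampart_context_set_key_store_buff` names its last parameter `length` here (L320) but `len` in rampart_context.c (L584); pick one, and as with the key manager, note that the buffer is raw PKCS12 bytes rather than a string.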

Modified: webservices/rampart/trunk/c/src/omxmlsec/asym_ctx.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/asym_ctx.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/asym_ctx.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/asym_ctx.c Wed Jun 11 03:42:46 2008
@@ -75,12 +75,18 @@
         AXIS2_FREE(env->allocator, asym_ctx->st_ref_pattern);
         asym_ctx->st_ref_pattern = NULL;
     }
-
-    if (asym_ctx->certificate)
+    
+    /**
+     * in current impleemtnation we set the certificate found in the signature 
processing 
+     * to rampart context. Because of that rampart context must free the cert. 
But have to 
+     * fix the free logic when we use certificate directly from file.
+     */
+    
+    /*if (asym_ctx->certificate)
     {
         oxs_x509_cert_free(asym_ctx->certificate, env);
         asym_ctx->certificate = NULL;
-    }
+    }*/
 
     if (asym_ctx->private_key)
     {
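Review bot: Commenting out the `oxs_x509_cert_free` block (L347-L352) leaves dead code in the file and moves the ownership rule into a TODO-style comment instead of into the contract of the setter that establishes it; the same pattern is applied in sign_ctx.c at L520-L525. Delete the commented-out block and document the rule on `oxs_asym_ctx_set_certificate` (and the sign_ctx equivalent), e.g. `/* The certificate is borrowed: the asym ctx does not free it; the caller (rampart context or key manager) keeps ownership. */`. The comment itself admits the file-based case is unresolved: if `rampart_context_get_receiver_certificate` returns a freshly allocated certificate (not visible here), that certificate now has no owner at all, so that path should be checked before this change ships. The spelling `impleemtnation` should be `implementation`.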

Modified: webservices/rampart/trunk/c/src/omxmlsec/key_mgr.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/key_mgr.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/key_mgr.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/key_mgr.c Wed Jun 11 03:42:46 2008
@@ -58,6 +58,8 @@
     pkcs12_keystore_t *key_store;
     
     void *pkcs12_buf;
+    
+    int pkcs12_buff_len;
        
     /* Buffer holding keys and certs */
     void *pem_buf;
@@ -105,7 +107,7 @@
         oxs_x509_cert_free(key_mgr->receiver_certificate, env);
         key_mgr->receiver_certificate = NULL;
     }
-       AXIS2_FREE(env->allocator, key_mgr);
+    AXIS2_FREE(env->allocator, key_mgr);
     return AXIS2_SUCCESS;
 }
 
@@ -910,16 +912,52 @@
     return key_mgr->pkcs12_buf;
 }
 
+AXIS2_EXTERN int AXIS2_CALL
+oxs_key_mgr_get_key_store_buff_len(
+            oxs_key_mgr_t *key_mgr,
+            const axutil_env_t *env)
+{
+        return key_mgr->pkcs12_buff_len;
+}
+
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
 oxs_key_mgr_set_key_store_buff(
     oxs_key_mgr_t *key_mgr,
     const axutil_env_t *env,
-    void *key_store_buf)
+    void *key_store_buf,
+    int len)
 {
     AXIS2_PARAM_CHECK(env->error, key_store_buf, AXIS2_FAILURE);
         
     key_mgr->pkcs12_buf = key_store_buf;
+    key_mgr->pkcs12_buff_len = len;
     
     return AXIS2_SUCCESS;
 }
 
+
+AXIS2_EXTERN oxs_x509_cert_t * AXIS2_CALL
+oxs_key_mgr_get_receiver_certificate_from_ski(
+    oxs_key_mgr_t *key_mgr,
+    const axutil_env_t *env,
+    axis2_char_t *ski)
+{
+    AXIS2_PARAM_CHECK(env->error, ski, NULL);
+    
+    return 
pkcs12_keystore_get_certificate_for_subject_key_id(key_mgr->key_store, env, 
ski);
+}
+
+AXIS2_EXTERN oxs_x509_cert_t * AXIS2_CALL
+oxs_key_mgr_get_receiver_certificate_from_issuer_serial(
+    oxs_key_mgr_t *key_mgr,
+    const axutil_env_t *env,
+    axis2_char_t *issuer,
+    int serial)
+{
+    AXIS2_PARAM_CHECK(env->error, issuer, NULL);
+    AXIS2_PARAM_CHECK(env->error, serial, NULL)
+    
+    return 
pkcs12_keystore_get_certificate_for_issuer_serial(key_mgr->key_store, env, 
issuer, serial);
+}
+
+
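Review bot: `AXIS2_PARAM_CHECK(env->error, serial, NULL)` at L431 applies a pointer-style null check to an `int`, so a certificate with serial number 0 is rejected as an invalid parameter, and the line is also missing its trailing semicolon (whether that compiles depends on the macro's expansion). The precondition both new lookups actually need is that a PKCS12 store was configured: the key manager holds either `key_store` or PEM buffers (L364-L371), and neither `oxs_key_mgr_get_receiver_certificate_from_ski` nor `..._from_issuer_serial` checks `key_mgr->key_store` before handing it to the pkcs12 functions. Replace the serial check with `if(!key_mgr || !key_mgr->key_store) { return NULL; }` in both functions, and give `oxs_key_mgr_get_key_store_buff_len` the same `key_mgr` guard instead of dereferencing unconditionally.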

Modified: webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12.c Wed Jun 11 
03:42:46 2008
@@ -52,19 +52,18 @@
 }
 
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
-openssl_pkcs12_load_from_buffer(const axutil_env_t *env,
-                    axis2_char_t *buffer,
-                    PKCS12 **p12)
+openssl_pkcs12_load_from_buffer(
+    const axutil_env_t *env,
+    axis2_char_t *buffer,
+    PKCS12 **p12,
+    int len)
 {
-    int len = 0;    
     BIO *in = NULL;
     BUF_MEM* bm = NULL;
     
     SSLeay_add_all_algorithms();
     ERR_load_crypto_strings();
     
-    len = axutil_strlen(buffer);
-    
     if (!(in = BIO_new(BIO_s_mem())))
     {
         oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_CREATION_FAILED, "Memory 
allocation error!");
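Review bot: The new `len` parameter replaces `axutil_strlen(buffer)` (a real fix, since PKCS12 data contains NUL bytes) but is never validated before it is used further down in the function, whose body continues outside this hunk; a zero or negative length would be passed straight through to the BIO write. Add a guard right after the declarations: `if(!buffer || len <= 0) { oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT, "Invalid PKCS12 buffer length"); return AXIS2_FAILURE; }`. The `axis2_char_t *buffer` type is now misleading for a byte buffer; a comment on the parameter saying it is raw DER of `len` bytes would prevent the next maintainer from reintroducing strlen.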

Modified: webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12_keystore.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12_keystore.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12_keystore.c 
(original)
+++ webservices/rampart/trunk/c/src/omxmlsec/openssl/pkcs12_keystore.c Wed Jun 
11 03:42:46 2008
@@ -80,7 +80,8 @@
 pkcs12_keystore_create_from_buffer(
         const axutil_env_t *env,
         axis2_char_t *buffer,
-        axis2_char_t *password) 
+        axis2_char_t *password,
+        int len) 
 {
     pkcs12_keystore_t *keystore = NULL;
     EVP_PKEY *pvt_key = NULL;
@@ -100,7 +101,7 @@
     keystore->cert = NULL;
     keystore->pvt_key = NULL;
 
-    if (!openssl_pkcs12_load_from_buffer(env, buffer, &keystore->keystore)) {
+    if (!openssl_pkcs12_load_from_buffer(env, buffer, &keystore->keystore, 
len)) {
         oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT,
                 "Error loading pkcs12 keystore from file");
         return NULL;
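Review bot: The failure message in this buffer-based loader still says `"Error loading pkcs12 keystore from file"`; change it to `"Error loading pkcs12 keystore from buffer"` so log readers can tell the two code paths apart. The `return NULL` also appears to leak `keystore`, which the field initialisations at L493-L494 show was allocated earlier in this function (the allocation is outside the hunk); add `AXIS2_FREE(env->allocator, keystore);` before returning. The function's body continues past the end of this hunk, so any other early returns there should get the same treatment.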

Modified: webservices/rampart/trunk/c/src/omxmlsec/sign_ctx.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/sign_ctx.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/sign_ctx.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/sign_ctx.c Wed Jun 11 03:42:46 2008
@@ -332,10 +332,17 @@
         sign_ctx->sign_parts = NULL;
     }
 
+    /**
+     * in current impleemtnation we set the certificate found in the signature 
processing 
+     * to rampart context. Because of that rampart context must free the cert. 
But have to 
+     * fix the free logic when we use certificate directly from file.
+     */
+    /*
     if(sign_ctx->certificate){
         oxs_x509_cert_free(sign_ctx->certificate, env);
         sign_ctx->certificate = NULL;
-    }
+    }*/
+    
     sign_ctx->operation = OXS_SIGN_OPERATION_NONE;
 
     AXIS2_FREE(env->allocator,  sign_ctx);

Modified: webservices/rampart/trunk/c/src/util/rampart_context.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_context.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_context.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_context.c Wed Jun 11 03:42:46 
2008
@@ -73,6 +73,11 @@
     /*This is used in callback functions.*/
     void *ctx;
     
+    /* Used to store and track whether we found the clients certificate while 
processing
+     * the security headers key info element. found_cert_in_shp is used to 
track the status.
+     */
+    axis2_bool_t found_cert_in_shp;
+    oxs_x509_cert_t *receiver_cert;   
 };
 
 /*void rampart_context_set_callback_fn(axutil_env_t *env,
@@ -194,6 +199,9 @@
     rampart_context->key_list = axutil_array_list_create(env, 2);
     rampart_context->key_mgr = oxs_key_mgr_create(env);
     
+    rampart_context->found_cert_in_shp = AXIS2_FALSE;
+    rampart_context->receiver_cert = NULL;
+    
     return rampart_context;
 }
 
@@ -323,6 +331,13 @@
             axutil_array_list_free(rampart_context->custom_tokens, env);
             rampart_context->custom_tokens = NULL;
         }
+        
+        /* Free receiver certificate we found when processing incoming 
security header */
+        if(rampart_context->receiver_cert && 
rampart_context->found_cert_in_shp)
+        {
+            oxs_x509_cert_free(rampart_context->receiver_cert, env);
+            rampart_context->receiver_cert = NULL;
+        }
 
         AXIS2_FREE(env->allocator,rampart_context);
         rampart_context = NULL;
@@ -2955,12 +2970,57 @@
 rampart_context_set_key_store_buff(
     rampart_context_t *rampart_context,
     const axutil_env_t *env,
-    void *key_store_buf)
+    void *key_store_buf,
+    int len)
 {
     AXIS2_PARAM_CHECK(env->error, key_store_buf, AXIS2_FAILURE);
          
-    oxs_key_mgr_set_key_store_buff(rampart_context->key_mgr, env, 
key_store_buf);
+    oxs_key_mgr_set_key_store_buff(rampart_context->key_mgr, env, 
key_store_buf, len);
     
     return AXIS2_SUCCESS;
 }
 
+AXIS2_EXTERN axis2_bool_t AXIS2_CALL
+rampart_context_get_found_cert_in_shp(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env)
+{
+    return rampart_context->found_cert_in_shp;
+}
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_context_set_found_cert_in_shp(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env,
+    axis2_bool_t found_cert_in_shp)
+{
+    rampart_context->found_cert_in_shp = found_cert_in_shp;
+    return AXIS2_SUCCESS;
+}
+
+/* This certificate is set to rampart context when we process the incoming 
security header
+ * with key info
+ */
+AXIS2_EXTERN oxs_x509_cert_t *AXIS2_CALL
+rampart_context_get_receiver_cert_found_in_shp(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env)
+{
+    return rampart_context->receiver_cert;
+}
+
+
+AXIS2_EXTERN axis2_status_t AXIS2_CALL
+rampart_context_set_receiver_cert_found_in_shp(
+    rampart_context_t *rampart_context,
+    const axutil_env_t *env,
+    oxs_x509_cert_t *cert)
+{
+    AXIS2_PARAM_CHECK(env->error, cert, AXIS2_FAILURE);
+    
+    rampart_context->receiver_cert = cert;
+    
+    return AXIS2_SUCCESS;
+}
+
+
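Review bot: `rampart_context_set_receiver_cert_found_in_shp` overwrites `receiver_cert` at L635 without releasing a certificate already stored there, and nothing in this commit resets `found_cert_in_shp` between messages; if a rampart context outlives a single request (which this hunk does not show either way), the earlier client's certificate leaks and a later request whose security header carries no certificate would still be encrypted to the previous client's key because the flag stays AXIS2_TRUE. Free the previous value in the setter, `if(rampart_context->found_cert_in_shp && rampart_context->receiver_cert) oxs_x509_cert_free(rampart_context->receiver_cert, env);` before `rampart_context->receiver_cert = cert;`, and clear both fields where per-message processing starts. The header declares the last parameter of `rampart_context_set_key_store_buff` as `length` while this file uses `len`; align the two.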

Modified: webservices/rampart/trunk/c/src/util/rampart_encryption.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_encryption.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_encryption.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_encryption.c Wed Jun 11 
03:42:46 2008
@@ -122,14 +122,21 @@
     /*Create asymmetric encryption context*/
     asym_ctx = oxs_asym_ctx_create(env);
     oxs_asym_ctx_set_algorithm(asym_ctx, env, enc_asym_algo);
-       certificate = oxs_key_mgr_get_receiver_certificate(key_mgr, env);
-       if (!certificate)
-       {
-               AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                        "[rampart][rampart_encryption] Receiver certificate 
cannot be loaded.");
-        return AXIS2_FAILURE;
-       }
-       oxs_asym_ctx_set_certificate(asym_ctx, env, certificate);
+    if(rampart_context_get_found_cert_in_shp(rampart_context, env))
+    {
+        certificate = 
rampart_context_get_receiver_cert_found_in_shp(rampart_context, env);
+    }
+    else
+    {
+        certificate = oxs_key_mgr_get_receiver_certificate(key_mgr, env);
+    }
+    if (!certificate)
+    {
+            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                    "[rampart][rampart_encryption] Receiver certificate cannot 
be loaded.");
+    return AXIS2_FAILURE;
+    }
+    oxs_asym_ctx_set_certificate(asym_ctx, env, certificate);
     oxs_asym_ctx_set_operation(asym_ctx, env,
                                OXS_ASYM_CTX_OPERATION_PUB_ENCRYPT);
     oxs_asym_ctx_set_st_ref_pattern(asym_ctx, env, eki);
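Review bot: The `return AXIS2_FAILURE` at L676 leaks the `asym_ctx` created at L651; add `oxs_asym_ctx_free(asym_ctx, env);` before the return, and fix the indentation of that block (the `AXIS2_LOG_ERROR` and `return` sit at different levels from the surrounding braces). The encryption target is now whatever certificate was stored from the incoming security header whenever `found_cert_in_shp` is set; the code that sets the flag is not in this hunk, so please confirm it is only set after the signature covering that certificate has been verified and the certificate checked against the trust store, otherwise a response could be encrypted to a certificate the requester merely embedded. A one-line comment above the `if` recording that precondition, e.g. `/* receiver_cert comes from a verified incoming signature; see shp */`, would make the dependency visible here.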

Modified: webservices/rampart/trunk/c/src/util/rampart_engine.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_engine.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_engine.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_engine.c Wed Jun 11 03:42:46 
2008
@@ -247,7 +247,8 @@
     }
     else if(pkcs12_password && (pkcs12_buf = 
(axis2_char_t*)rampart_context_get_key_store_buff(rampart_context, env)))
     {
-        key_store = pkcs12_keystore_create_from_buffer(env, pkcs12_buf, 
password);
+        key_store = pkcs12_keystore_create_from_buffer(env, pkcs12_buf, 
password,
+                    oxs_key_mgr_get_key_store_buff_len(key_mgr, env));
         if(!key_store)
         {
                 AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,

Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c
URL: 
http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c?rev=666614&r1=666613&r2=666614&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c 
(original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_processor.c Wed Jun 
11 03:42:46 2008
@@ -26,6 +26,7 @@
 #include <rampart_handler_util.h>
 #include <rampart_token_processor.h>
 #include <rampart_policy_validator.h>
+#include <oxs_constants.h>
 #include <oxs_ctx.h>
 #include <oxs_error.h>
 #include <oxs_utility.h>
@@ -76,6 +77,127 @@
     return AXIS2_SUCCESS;
 }
 
+/* Get the client certificaate from key manager by giving 
+ * subject key identifier
+ */
+static oxs_x509_cert_t * get_certificate_by_key_identifier(
+    const axutil_env_t *env,
+    rampart_context_t *rampart_ctx,
+    axiom_node_t *key_id_node)
+{
+    oxs_x509_cert_t *cert = NULL;
+    axis2_char_t *value_type = NULL;
+    axiom_element_t *key_id_element = NULL;
+    axis2_char_t *ski = NULL;
+    oxs_key_mgr_t *key_mgr = NULL;   
+        
+    if(rampart_context_get_receiver_certificate_file(rampart_ctx, env))
+    {
+        /* In the client side, it is prefered to use certificate files instead 
+         * of key store, because one client normally interact with only one
+         * service. To handle this scenario, if we found reciever certificate 
file 
+         * specified in rampart_context we directly call the 
get_reciever_certificate. 
+         */
+        return rampart_context_get_receiver_certificate(rampart_ctx, env);
+    }
+    
+    key_id_element = axiom_node_get_data_element(key_id_node, env);
+    value_type = axiom_element_get_attribute_value_by_name(key_id_element, 
env, "ValueType");
+    
+    key_mgr = rampart_context_get_key_mgr(rampart_ctx, env);
+    if(strcmp(value_type, OXS_X509_SUBJ_KI) == 0)
+    {
+        ski = axiom_element_get_text(key_id_element, env, key_id_node);        
+        cert = oxs_key_mgr_get_receiver_certificate_from_ski(key_mgr, env, 
ski);
+    }
+    else
+    {
+        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                            "[rampart][shp] Other KeyIdentifier ValueTypes are 
not supported.");
+        return NULL;
+    }    
+    
+    return cert;
+}
+
+/* Get the client certificaate from key manager by giving 
+ * issuer and serial number of the certificate
+ */
+static oxs_x509_cert_t * get_certificate_by_issuer_serial(
+    const axutil_env_t *env,
+    rampart_context_t *rampart_ctx,
+    axiom_node_t *x509_data_node)
+{
+    oxs_x509_cert_t *cert = NULL;
+    axiom_node_t *issuer_serial_node = NULL;
+    axiom_element_t *issuer_serial_ele = NULL;
+    axiom_child_element_iterator_t *child_itr = NULL;
+    axiom_node_t *child_node = NULL;
+    axiom_element_t *child_ele = NULL;
+    axis2_char_t *ele_name = NULL;
+    axis2_char_t *issuer_name_str = NULL;
+    axis2_char_t *serial_num_str = NULL;
+    int serial_num = -1;
+    oxs_key_mgr_t *key_mgr = NULL;
+    
+    if(rampart_context_get_receiver_certificate_file(rampart_ctx, env))
+    {
+        /* In the client side, it is prefered to use certificate files instead 
+         * of key store, because one client normally interact with only one
+         * service. To handle this scenario, if we found reciever certificate 
file 
+         * specified in rampart_context we directly call the 
get_reciever_certificate. 
+         */
+        return rampart_context_get_receiver_certificate(rampart_ctx, env);
+    }
+    
+    issuer_serial_node = axiom_node_get_first_child(x509_data_node, env);
+    issuer_serial_ele = axiom_node_get_data_element(issuer_serial_node, env);
+    
+    child_itr = axiom_element_get_child_elements(issuer_serial_ele, env, 
issuer_serial_node);
+    while(axiom_child_element_iterator_has_next(child_itr, env))
+    {
+        child_node = axiom_child_element_iterator_next(child_itr,env);
+        child_ele = axiom_node_get_data_element(child_node, env);
+        ele_name = axiom_element_get_localname(child_ele, env);
+        if(axutil_strcmp(ele_name, OXS_NODE_X509_ISSUER_NAME) == 0)
+        {
+            issuer_name_str = axiom_element_get_text(child_ele, env, 
child_node);
+            if(!issuer_name_str)
+            {
+                AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+                    "[rampart][shp]Issuer Name cannot be NULL.");
+                return NULL;
+            }
+            AXIS2_LOG_INFO(env->log, AXIS2_LOG_SI, 
+                    "[rampart][shp]X509 Certificate Issuer Name Found: %s", 
issuer_name_str);
+        }
+        else if(axutil_strcmp(ele_name, OXS_NODE_X509_SERIAL_NUMBER) == 0)
+        {
+            serial_num_str = axiom_element_get_text(child_ele, env, 
child_node);
+            if(!serial_num_str)
+            {
+                AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                        "[rampart][shp]Serial number cannot be null.");
+            }
+            AXIS2_LOG_INFO(env->log, AXIS2_LOG_SI, 
+                    "[rampart][shp]X509 Certificate Serial Number Found: %s", 
serial_num_str);
+        }
+        else
+        {
+            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, 
+                    "[rampart][shp]Error in incoming key info. These types not 
supported: %", ele_name);
+            return NULL;
+        }        
+    }
+    
+    serial_num = atoi(serial_num_str);
+    key_mgr = rampart_context_get_key_mgr(rampart_ctx, env);
+    
+    cert = oxs_key_mgr_get_receiver_certificate_from_issuer_serial(key_mgr, 
env, issuer_name_str, serial_num);    
+    
+    return cert;
+}
+
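Review bot: Both new helpers parse attacker-controlled header content without null checks: `value_type` from `axiom_element_get_attribute_value_by_name` (L751-L752) goes straight into `strcmp`, and `serial_num_str` reaches `atoi` (L850) even when the serial element was missing or empty, because the `Serial number cannot be null` branch (L832-L836) logs but does not return. The format string at L844-L845 ends in a lone `%`, an incomplete conversion specifier (undefined behaviour in a printf-style logger) that also never prints `ele_name`; it should be `%s`. In `get_certificate_by_key_identifier` guard with `if(!key_id_element || !value_type || strcmp(value_type, OXS_X509_SUBJ_KI) != 0)` before the lookup; in `get_certificate_by_issuer_serial` return on the missing-serial path, require both children after the loop, and parse with `strtol` plus a range check instead of `atoi` (needs `<errno.h>` and `<limits.h>` if the file does not already include them). Whether `child_itr` must be freed after the loop depends on axiom's iterator ownership, which this hunk does not show; the comment spelling `certificaate` should be `certificate`.
```c
static oxs_x509_cert_t * get_certificate_by_issuer_serial(
    const axutil_env_t *env,
    rampart_context_t *rampart_ctx,
    axiom_node_t *x509_data_node)
{
    /* … unchanged: existing local declarations … */
    long serial_long = 0;
    char *end = NULL;

    /* … unchanged: receiver-certificate-file shortcut, iterator setup, issuer-name branch … */
        else if(axutil_strcmp(ele_name, OXS_NODE_X509_SERIAL_NUMBER) == 0)
        {
            serial_num_str = axiom_element_get_text(child_ele, env, child_node);
            if(!serial_num_str)
            {
                AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
                        "[rampart][shp]Serial number cannot be null.");
                return NULL;
            }
            AXIS2_LOG_INFO(env->log, AXIS2_LOG_SI,
                    "[rampart][shp]X509 Certificate Serial Number Found: %s", serial_num_str);
        }
        else
        {
            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
                    "[rampart][shp]Error in incoming key info. These types not supported: %s", ele_name);
            return NULL;
        }
    }

    /* <ds:X509IssuerSerial> must carry both children; reject the reference otherwise */
    if(!issuer_name_str || !serial_num_str)
    {
        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
                "[rampart][shp]X509IssuerSerial needs both issuer name and serial number.");
        return NULL;
    }

    /* strtol instead of atoi: reject non-numeric, negative and out-of-range serials */
    errno = 0;
    serial_long = strtol(serial_num_str, &end, 10);
    if(end == serial_num_str || *end != '\0' || errno == ERANGE
       || serial_long < 0 || serial_long > INT_MAX)
    {
        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
                "[rampart][shp]Serial number is not a valid decimal integer.");
        return NULL;
    }
    serial_num = (int)serial_long;

    /* … unchanged: key manager lookup and return … */
```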
 static void
 rampart_shp_store_token_id(const axutil_env_t *env, 
                          axiom_node_t *key_info_node, 
@@ -284,7 +406,7 @@
                        key = rampart_saml_token_get_session_key(saml, env);
                        if (!key) 
                        {
-                               key = saml_assertion_get_session_key(env, 
assertion, 
+                               key = saml_assertion_get_session_key(env, 
assertion, 
                                pvt_key);
                                rampart_saml_token_set_session_key(saml, env, 
key);
                                oxs_key_set_name(key, env, "for-algo");
@@ -414,12 +536,12 @@
     return AXIS2_FALSE;
 }
 
-static oxs_x509_cert_t *get_receiver_x509_cert(
+/*static oxs_x509_cert_t *get_receiver_x509_cert(
     const axutil_env_t *env,
     rampart_context_t *rampart_context)
 {
     return rampart_context_get_receiver_certificate(rampart_context, env);
-}
+}*/
 
 static axis2_status_t
 rampart_shp_process_signature_confirmation(const axutil_env_t *env,
@@ -1198,6 +1320,16 @@
 
     if(str_node)
     {
+        /* A <wsse:SecurityTokenReference> element MAY reference an X.509 
token type
+         * by one of the following means:
+         *  - Reference to a Subject Key Identifier (<wsse:KeyIdentifier>)
+         *  - Reference to a Binary Security Token (<wsse:Reference> element 
that
+         *    references a local <wsse:BinarySecurityToken> element or a 
remote data
+         *    source that contains the token data itself)
+         *  - Reference to an Issuer and Serial Number (<ds:X509Data> element 
that 
+         *    contains a <ds:X509IssuerSerial> element that uniquely 
identifies an 
+         *    end entity certificate)
+         */
         str_child_node = axiom_node_get_first_element(str_node,env);
         if(str_child_node)
         {
@@ -1206,6 +1338,9 @@
             {
                 if(is_include_token)
                 {
+                    /* The <wsse:Reference> element is used to reference 
+                     * an X.509 security token value by means of a URI 
reference.
+                     */
                     if(axutil_strcmp(str_child_name, OXS_NODE_REFERENCE)!=0)
                     {
                         rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY,
@@ -1217,6 +1352,22 @@
                     }
                     cert = oxs_x509_cert_create(env);
                     status = rampart_token_process_direct_ref(env, 
str_child_node, sec_node, cert);
+                    if(status == AXIS2_FAILURE)
+                    {
+                        rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY,
+                                                      "Processing Direct 
Reference Failed .", RAMPART_FAULT_IN_SIGNATURE, msg_ctx);
+                        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                                        "[Rampart][shp]Processing Direct 
Reference Failed.");
+                        return AXIS2_FAILURE;
+                    }
+                    status = 
rampart_context_set_found_cert_in_shp(rampart_context, env, AXIS2_TRUE);
+                    if(status == AXIS2_FAILURE)
+                    {
+                        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                                        "[Rampart][shp]Setting Certificate 
into rmapart context failed.");
+                        return AXIS2_FAILURE;
+                    }
+                    status = 
rampart_context_set_receiver_cert_found_in_shp(rampart_context, env, cert);
                 }
                 else
                 {
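Review bot: The `cert` allocated by `oxs_x509_cert_create` on the line before the new check is leaked on both new `return AXIS2_FAILURE;` paths, since nothing releases it before returning; the same leak is in the embedded-token hunk (`@@ -1233,6 +1384,22 @@`). Every incoming message carrying a malformed reference would then cost one certificate object, so add `oxs_x509_cert_free(cert, env);` ahead of each failure return, and confirm who owns `cert` after `rampart_context_set_receiver_cert_found_in_shp` stores it in the context. The result of that last call is assigned to `status` but not checked inside the hunk; the enclosing function continues outside it, so confirm the caller inspects `status` before treating the reference as processed. Minor: the log text says `rmapart` and the fault string has a space before the full stop (`Failed .`).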
@@ -1233,6 +1384,22 @@
                         }
                         cert = oxs_x509_cert_create(env);
                         status = rampart_token_process_embedded(env, 
str_child_node, cert);
+                        if(status == AXIS2_FAILURE)
+                        {
+                            rampart_create_fault_envelope(env, 
RAMPART_FAULT_INVALID_SECURITY,
+                                                          "Processing Embedded 
Token Failed .", RAMPART_FAULT_IN_SIGNATURE, msg_ctx);
+                            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                                            "[Rampart][shp]Processing Embedded 
Token Failed.");
+                            return AXIS2_FAILURE;
+                        }
+                        status = 
rampart_context_set_found_cert_in_shp(rampart_context, env, AXIS2_TRUE);
+                        if(status == AXIS2_FAILURE)
+                        {
+                            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                                            "[Rampart][shp]Setting Certificate 
into rmapart context failed.");
+                            return AXIS2_FAILURE;
+                        }
+                        status = 
rampart_context_set_receiver_cert_found_in_shp(rampart_context, env, cert);
                     }
                     else if(0 == axutil_strcmp(str_child_name, 
OXS_NODE_KEY_IDENTIFIER))
                     {
@@ -1245,11 +1412,25 @@
                                             "[Rampart][shp]Key Reference Info 
mismatch (%s, %s)", str_child_name, OXS_NODE_KEY_IDENTIFIER);
                             return AXIS2_FAILURE;
                         }
-                        cert = get_receiver_x509_cert(env, rampart_context);
+                        cert = get_certificate_by_key_identifier(env, 
rampart_context, str_child_node);
+                        if(!cert)
+                        {
+                            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                                            "[Rampart][shp]Couldn't find a 
certificate which matched given key information.");
+                            return AXIS2_FAILURE;
+                        }
+                        
+                        rampart_context_set_found_cert_in_shp(rampart_context, 
env, AXIS2_TRUE);
+                        
rampart_context_set_receiver_cert_found_in_shp(rampart_context, env, cert);
                         status = AXIS2_SUCCESS;
                     }
                     else if(0 == axutil_strcmp(str_child_name, 
OXS_NODE_X509_DATA))
                     {
+                        /* The <ds:X509IssuerSerial> element is used to 
specify 
+                         * a reference to an X.509 security token by means of 
+                         * the certificate issuer name and serial number.
+                         */
+                        
                         if(!rampart_context_is_key_identifier_type_supported(
                                     rampart_context, token, 
RAMPART_STR_ISSUER_SERIAL, env))
                         {
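Review bot: The return values of `rampart_context_set_found_cert_in_shp` and `rampart_context_set_receiver_cert_found_in_shp` are discarded in the key-identifier branch, after which `status = AXIS2_SUCCESS;` reports success even if storing the certificate failed; the direct-reference and embedded-token branches earlier in this file check the same two calls and return `AXIS2_FAILURE`, so this branch and the issuer-serial branch in the next hunk (`@@ -1259,7 +1440,16 @@`) should do the same. The simplest form is to drop the unconditional assignment and let the last call set it, `status = rampart_context_set_receiver_cert_found_in_shp(rampart_context, env, cert);`, with the same logged failure check as the other branches applied to the preceding call. Unlike those branches, `cert` here comes back from a key-store lookup rather than `oxs_x509_cert_create`, so also confirm the context does not take ownership of a key-store-owned object; the enclosing function starts and ends outside the hunk.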
@@ -1259,7 +1440,16 @@
                                             "[Rampart][shp]Key Reference Info 
mismatch (%s, %s)", str_child_name, OXS_NODE_X509_DATA);
                             return AXIS2_FAILURE;
                         }
-                        cert = get_receiver_x509_cert(env,rampart_context);
+                        cert = get_certificate_by_issuer_serial(env, 
rampart_context, str_child_node);
+                        if(!cert)
+                        {
+                            AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                                            "[Rampart][shp]Couldn't find a 
certificate which matched given key information.");
+                            return AXIS2_FAILURE;
+                        }
+                        
+                        rampart_context_set_found_cert_in_shp(rampart_context, 
env, AXIS2_TRUE);
+                        
rampart_context_set_receiver_cert_found_in_shp(rampart_context, env, cert);
                         status = AXIS2_SUCCESS;
                     }
                     else
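Review bot: `get_certificate_by_issuer_serial`, defined earlier in this file, does not stop when the serial-number element is empty: its `if(!serial_num_str)` branch only logs, and the function goes on to call `atoi(serial_num_str)`, so a request whose `<ds:X509IssuerSerial>` lacks a serial number dereferences a null pointer in the callee before the `if(!cert)` check in this hunk can run, turning a malformed header into a crash. Add `return NULL;` inside that branch. Separately, parsing the serial with `atoi` into an `int` (then passed to `oxs_key_mgr_get_receiver_certificate_from_issuer_serial`) cannot represent X.509 serial numbers, which may be up to 20 octets, and `atoi` has undefined behaviour on overflow; matching on the decimal string, or on a big-number type, against the certificate's serial is the robust form. The function whose branch this hunk edits starts and ends outside the hunk.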
@@ -1573,11 +1763,11 @@
     axis2_char_t *sub_conf = NULL;
     server_side = axis2_msg_ctx_get_server_side(msg_ctx, env);
     
-       if (AXIS2_FAILURE == rampart_saml_token_validate(env, rampart_context, 
saml_node))
-       {
-               AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
-                   "[rampart][shp] SAML Signature Verification Failed");       
                        
-               return AXIS2_FAILURE;
+       if (AXIS2_FAILURE == rampart_saml_token_validate(env, rampart_context, 
saml_node))
+       {
+               AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+                   "[rampart][shp] SAML Signature Verification Failed");       
                        
+               return AXIS2_FAILURE;
        }
     sub_conf = rampart_saml_token_get_subject_confirmation(env, saml_node);
     if (sub_conf && axutil_strcmp(sub_conf, 
SAML_SUB_CONFIRMATION_SENDER_VOUCHES) == 0)

