Posted to java-dev@axis.apache.org by ka...@apache.org on 2007/03/05 07:25:05 UTC

svn commit: r514564 - in /webservices/axis2/trunk/c/rampart: include/openssl_sign.h include/oxs_signature.h src/omxmlsec/signature.c src/omxmlsec/xml_signature.c test/omxmlsec/test.c test/openssl/sign/test.c

Author: kaushalye
Date: Sun Mar  4 22:25:04 2007
New Revision: 514564

URL: http://svn.apache.org/viewvc?view=rev&rev=514564
Log:
XML-Signature in OMXMLSecurity

Modified:
    webservices/axis2/trunk/c/rampart/include/openssl_sign.h
    webservices/axis2/trunk/c/rampart/include/oxs_signature.h
    webservices/axis2/trunk/c/rampart/src/omxmlsec/signature.c
    webservices/axis2/trunk/c/rampart/src/omxmlsec/xml_signature.c
    webservices/axis2/trunk/c/rampart/test/omxmlsec/test.c
    webservices/axis2/trunk/c/rampart/test/openssl/sign/test.c

Modified: webservices/axis2/trunk/c/rampart/include/openssl_sign.h
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/c/rampart/include/openssl_sign.h?view=diff&rev=514564&r1=514563&r2=514564
==============================================================================
--- webservices/axis2/trunk/c/rampart/include/openssl_sign.h (original)
+++ webservices/axis2/trunk/c/rampart/include/openssl_sign.h Sun Mar  4 22:25:04 2007
@@ -35,13 +35,20 @@
  * @ingroup
  * @{
  */
-
+/**
+ * Signs a content a @input_buf using the private key @prvkey
+ * The result would be placed in the @output_buf
+ */
 AXIS2_EXTERN int AXIS2_CALL
 openssl_sig_sign(const axis2_env_t *env,
         openssl_pkey_t *prvkey,
         oxs_buffer_t *input_buf,
         oxs_buffer_t *output_buf);
-
+/**
+ * Verifies a signature placed in @sig_buf with 
+ * the content placed in the @input_buf 
+ * using the public key @pubkey
+ */
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
 openssl_sig_verify(const axis2_env_t *env,
         openssl_pkey_t *pubkey,
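Review bot: The new header comments do not say what the two functions return, and the signatures differ in a way that needs explaining: `openssl_sig_sign` returns `int` while `openssl_sig_verify` returns `axis2_status_t`, so a reader cannot tell from the comment whether the int is a length, a status or a boolean. Add a `@return` line to each comment stating what a zero or negative result means (confirm against the implementation before writing it), and say whether `output_buf` must be created by the caller. The sentence `Signs a content a @input_buf` reads as a typo for `Signs the content in @input_buf`. The `openssl_sig_verify` declaration continues past the hunk.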

Modified: webservices/axis2/trunk/c/rampart/include/oxs_signature.h
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/c/rampart/include/oxs_signature.h?view=diff&rev=514564&r1=514563&r2=514564
==============================================================================
--- webservices/axis2/trunk/c/rampart/include/oxs_signature.h (original)
+++ webservices/axis2/trunk/c/rampart/include/oxs_signature.h Sun Mar  4 22:25:04 2007
@@ -44,7 +44,10 @@
     oxs_buffer_t *output);
 
 /**
- * Sign
+ * Signs a content placed in @input buf using the information
+ * available in the signature context @sign_ctx.
+ * The result will be placed in the buffer @output.
+ * Note that the result is base64 encoded.
  */
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
 oxs_sig_sign(const axis2_env_t *env,
@@ -53,7 +56,9 @@
     oxs_buffer_t *output);
 
 /**
- * Verify
+ * Verifies a @signature with @content using the information
+ * available in the signature content @sign_ctx.
+ * Note that the signature should be the base64 encoded value of a digital signature.
  */
 AXIS2_EXTERN axis2_status_t AXIS2_CALL
 oxs_sig_verify(const axis2_env_t *env,
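Review bot: The verify comment says "signature content @sign_ctx" where the sign comment just above says "signature context"; it should read ` * available in the signature context @sign_ctx.`. Neither comment states the return contract even though both declarations are `axis2_status_t`; a line such as ` * @return AXIS2_SUCCESS if the signature verifies, AXIS2_FAILURE otherwise` (and the equivalent for `oxs_sig_sign`) lets callers rely on the header instead of reading signature.c. Both declarations continue outside the hunk.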

Modified: webservices/axis2/trunk/c/rampart/src/omxmlsec/signature.c
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/c/rampart/src/omxmlsec/signature.c?view=diff&rev=514564&r1=514563&r2=514564
==============================================================================
--- webservices/axis2/trunk/c/rampart/src/omxmlsec/signature.c (original)
+++ webservices/axis2/trunk/c/rampart/src/omxmlsec/signature.c Sun Mar  4 22:25:04 2007
@@ -117,10 +117,11 @@
     decoded_len = axis2_base64_decode_binary(decoded_data, signature );
     if (decoded_len < 0)
     {
-            oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED,
+        oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED,
                     "axis2_base64_decode_binary failed");
-            return AXIS2_FAILURE;
+        return AXIS2_FAILURE;
     }
+    
     /*Create the signature buffer*/
     sig_buf = oxs_buffer_create(env);
     ret = OXS_BUFFER_POPULATE(sig_buf, env, decoded_data, decoded_len);     
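Review bot: `sig_buf = oxs_buffer_create(env);` on the line after the re-indented block is handed to `OXS_BUFFER_POPULATE` without a NULL check, while the base64 failure just above is handled; on allocation failure the macro dereferences NULL. Insert `if(!sig_buf){ oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED, "oxs_buffer_create failed"); return AXIS2_FAILURE; }` between the two lines. If `decoded_data` is heap-allocated earlier in this function (not visible here), the early `return AXIS2_FAILURE` paths also leak it — worth confirming. The enclosing function starts and ends outside the hunk.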

Modified: webservices/axis2/trunk/c/rampart/src/omxmlsec/xml_signature.c
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/c/rampart/src/omxmlsec/xml_signature.c?view=diff&rev=514564&r1=514563&r2=514564
==============================================================================
--- webservices/axis2/trunk/c/rampart/src/omxmlsec/xml_signature.c (original)
+++ webservices/axis2/trunk/c/rampart/src/omxmlsec/xml_signature.c Sun Mar  4 22:25:04 2007
@@ -62,7 +62,7 @@
     /*Build the KeyInfo node*/
     key_info_node = oxs_token_build_key_info_element(env, parent);
 
-    /*TODO: Right now we support only X509Data. But should support other patterns as well*/
+    /*Right now we support only X509Data. But should support other patterns as well*/
     cert = oxs_sign_ctx_get_certificate(sign_ctx, env);
     if(!cert){
         oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED,"Cannot get the certificate to build <ds:KeyInfo> element" );        
@@ -91,8 +91,8 @@
     axis2_char_t *serialized_node = NULL; 
     axis2_char_t *digest = NULL; 
     int i = 0;
-
-    printf("oxs_xml_sig_transform_n_digest\n");
+    
+    printf("oxs_xml_sig_transform_n_digest\n %s", axiom_node_to_string(node, env));
     if((transforms) && (0 < AXIS2_ARRAY_LIST_SIZE(transforms, env))){
         oxs_tr_dtype_t output_dtype = OXS_TRANSFORM_TYPE_UNKNOWN;/*This will always be the current dtype*/
         void *tr_output = NULL;
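Review bot: The added `printf("oxs_xml_sig_transform_n_digest\n %s", axiom_node_to_string(node, env));` writes the complete node being digested to stdout from library code on every call, which is debugging output rather than logging; the rest of this file reports through `AXIS2_LOG_INFO(env->log, ...)`, and a trace of this size belongs at debug level, e.g. `AXIS2_LOG_DEBUG(env->log, "[oxs][xml_sig] transform_n_digest node= %s", ...)`. The string returned by `axiom_node_to_string` is never released here; if that call allocates, this is a per-call leak on the signing and verification paths. The enclosing function starts outside the hunk.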
@@ -114,7 +114,6 @@
             tr_func = oxs_transform_get_transform_function(tr, env);
             input_dtype = oxs_transform_get_input_data_type(tr, env);
 
-            printf("Transform required = %s", tr_id);
             /*Prepare the input*/
             /*If the required input type is CHAR and what we have is a NODE*/
             if((input_dtype == OXS_TRANSFORM_TYPE_CHAR) && (output_dtype == OXS_TRANSFORM_TYPE_NODE)){
@@ -122,7 +121,8 @@
                 tr_input = axiom_node_to_string((axiom_node_t*)tr_output, env);
             /*If the required input type is NODE and what we have is a CHAR*/
             }else if((input_dtype == OXS_TRANSFORM_TYPE_NODE) && (output_dtype == OXS_TRANSFORM_TYPE_CHAR)){
-                /*TODO De-serialize*/
+                /*De-serialize*/
+                tr_input =  oxs_axiom_deserialize_node(env, (axis2_char_t *)tr_output);
             }else{
                 /*Let it go as it is. */
                 tr_input = tr_output;
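Review bot: The new `tr_input =  oxs_axiom_deserialize_node(env, (axis2_char_t *)tr_output);` has no failure check, so a NULL result is presumably passed on to the transform function as its input; the existing check further down only examines `tr_output` after the transform has run. Add `if(!tr_input){ oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED, "Cannot de-serialize the input for transform %s", tr_id); return NULL; }` directly after the assignment, matching the failure style used elsewhere in this function. The loop and the enclosing function continue outside the hunk.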
@@ -136,7 +136,7 @@
             /*If the output data type is unknown OR the output is NULL its an error*/
             if((output_dtype == OXS_TRANSFORM_TYPE_UNKNOWN) || (!tr_output)){
                 oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,"Transform failed for %s", tr_id);
-                /*return AXIS2_FAILURE*/
+                return NULL;
             }
         }/*eof for loop*/
         /*We have applied all our transforms now*/
@@ -147,14 +147,18 @@
             serialized_node = (axis2_char_t*)tr_output;
         }else{
            /*Error*/
+            oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,"Unsupported transform data type  %d", output_dtype);
         }
     }else{
         /*No transforms defined. Thus we simply direct the node, to make the digest*/
         serialized_node = AXIOM_NODE_TO_STRING(node, env);
     }
-    /*TODO Check digest type. We support SHA-1 only*/
-    digest = openssl_sha1(env, serialized_node, axis2_strlen(serialized_node));
-
+    if(0 == axis2_strcmp( OXS_HREF_SHA1 , digest_mtd)){
+        digest = openssl_sha1(env, serialized_node, axis2_strlen(serialized_node));
+    }else{
+        oxs_error(env, ERROR_LOCATION, OXS_ERROR_TRANSFORM_FAILED,"Unsupported digest method  %s", digest_mtd);
+        return NULL;
+    }
     return digest;
 }
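Review bot: The "Unsupported transform data type" error added in the `else` branch only logs and falls through, so `serialized_node` stays NULL and the new SHA-1 branch calls `axis2_strlen(serialized_node)` on it; add `return NULL;` after that `oxs_error(...)`, as the other failure paths in this hunk do. The digest-method check also passes `digest_mtd` to `axis2_strcmp` unguarded; the test in this commit has to set the digest method explicitly, so a sign part without one appears to reach this compare as NULL, and `if(digest_mtd && 0 == axis2_strcmp( OXS_HREF_SHA1 , digest_mtd)){` is the safer form. Reporting an unsupported digest method as `OXS_ERROR_TRANSFORM_FAILED` is also misleading if a more specific code exists.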
 
@@ -236,6 +240,8 @@
     c14n_algo = oxs_sign_ctx_get_c14n_mtd(sign_ctx, env);
     doc = axiom_node_get_document(signed_info_node, env);
     oxs_c14n_apply(env, doc, AXIS2_FALSE, &c14nized, AXIS2_TRUE, NULL, signed_info_node); 
+   
+    AXIS2_LOG_INFO(env->log, "[oxs][xml_sig] C14N (sig)= %s ", c14nized );
     
     /*Then serialize <SignedInfo>*/
     serialized_signed_info = c14nized; /*AXIOM_NODE_TO_STRING(signed_info_node, env);*/
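Review bot: The new `AXIS2_LOG_INFO` dumps the whole canonicalized `<ds:SignedInfo>` at INFO level on every signing, and the same is done twice more in `oxs_xml_sig_verify` (the "C14N (verif1)" and "C14N (verif2)" lines later in this commit); these are debugging traces and should be `AXIS2_LOG_DEBUG`, and the `axiom_node_to_string` result in the verify hunk is used only for the log and never freed. More important, the return value of `oxs_c14n_apply` on the line above is ignored and `c14nized` is used unchecked as `serialized_signed_info`; assuming this function returns `axis2_status_t`, `if(!c14nized){ oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED, "C14N of <ds:SignedInfo> failed"); return AXIS2_FAILURE; }` before the log would fail closed instead of signing an empty string. The enclosing function starts and ends outside the hunk.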
@@ -317,6 +323,7 @@
     axiom_node_t *scope_node)
 {
     axis2_char_t *ref_id = NULL;
+    axis2_char_t *ref_id2 = NULL;
     axis2_char_t *child_node_name = NULL;
     axiom_node_t *reffed_node = NULL;
     axiom_node_t *child_node = NULL;
@@ -325,14 +332,16 @@
     oxs_sign_part_set_id(sign_part, env, ref_id);
 
     /*Remove the # from the id*/ 
-    ref_id =  axis2_string_substring_starting_at(ref_id, 1);
+    AXIS2_LOG_INFO(env->log, "[oxs][xml_sig] XXX1 node= %s ", axiom_node_to_string(scope_node, env) );
+    ref_id2 =  axis2_string_substring_starting_at(axis2_strdup(ref_id, env), 1);
+    AXIS2_LOG_INFO(env->log, "[oxs][xml_sig] XXX2 node= %s ", axiom_node_to_string(scope_node, env) );
 
-    /*Find the node refered by this ref_id and set to the sign part*/
-    reffed_node = oxs_axiom_get_node_by_id(env, scope_node, "wsu:Id", ref_id );
+    /*Find the node refered by this ref_id2 and set to the sign part*/
+    reffed_node = oxs_axiom_get_node_by_id(env, scope_node, "wsu:Id", ref_id2 );
     if(reffed_node){
        oxs_sign_part_set_node(sign_part, env, reffed_node); 
     }else{
-        oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED,"Cannot find node with Id=%s ", ref_id );        
+        oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED,"Cannot find node with Id=%s ", ref_id2 );        
         return AXIS2_FAILURE; /*No such node. Its an error*/
     }
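Review bot: The two `AXIS2_LOG_INFO ... XXX1`/`XXX2` lines serialize the entire `scope_node` at INFO level before and after a string operation; this looks like left-over debugging and should be removed (or at least lowered to `AXIS2_LOG_DEBUG`), especially as neither `axiom_node_to_string` result is freed. The `axis2_strdup(ref_id, env)` copy is presumably there because `axis2_string_substring_starting_at` modifies its argument in place, but the copy is never released on either the success or the failure path, and nothing checks that `ref_id` actually begins with `#` before its first character is dropped. A guard such as `if(!ref_id || '#' != ref_id[0]){ oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED, "Unsupported reference URI %s", ref_id); return AXIS2_FAILURE; }` rejects a malformed reference rather than looking up a mangled id. The enclosing function continues outside the hunk.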
 
@@ -481,7 +490,7 @@
             axis2_array_list_add(sign_part_list, env, sign_part);
             
         }else{
-            printf("oxs_sig : We do not process cur node name %s", localname);
+            /*We do not process*/
         }
         cur_node = AXIOM_NODE_GET_NEXT_SIBLING(cur_node, env);
     }
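Review bot: Replacing the printf with the bare `/*We do not process*/` leaves an empty `else` branch and loses the only trace of an unexpected child element under the node being walked, which is useful when a signature fails to verify because of an unrecognised element. `AXIS2_LOG_DEBUG(env->log, "[oxs][xml_sig] Skipping node %s", localname);` keeps that visibility without stdout noise; `localname` is still in scope per the removed line. The enclosing loop and function lie outside the hunk.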
@@ -502,8 +511,6 @@
         return AXIS2_FAILURE;
     }
 
-    /*We need to process the KeyInfo node. Do we???*/
-    /*TODO*/
     return AXIS2_SUCCESS;
 }
 
@@ -564,6 +571,7 @@
     return status;
 }
 
+
 AXIS2_EXTERN axis2_status_t AXIS2_CALL 
 oxs_xml_sig_verify(const axis2_env_t *env,
     oxs_sign_ctx_t *sign_ctx,
@@ -587,13 +595,19 @@
         oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIG_VERIFICATION_FAILED,"<ds:Signature> node processing failed " );        
         return AXIS2_FAILURE;
     }
+    /*TODO Process KeyInfo if available*/
+
+    /*-----------------------------------------------------------------------------------------*/
     /*At this point we have a ready to process signature context. So start verification process*/ 
+    /*-----------------------------------------------------------------------------------------*/
 
     /*Verify the integrity of the signed parts by comparing the digest values of each and every reference.*/
     status = oxs_xml_sig_verify_digests(env, sign_ctx);
 
     if(AXIS2_FAILURE == status){
         return AXIS2_FAILURE;
+    }else{
+        AXIS2_LOG_INFO(env->log, "[oxs][xml_sig] Digests verification SUCCESS " );
     }
 
     /*At this point we have compared the digest. Next step is to compare the Signature value */ 
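Review bot: With `<ds:KeyInfo>` left unprocessed (the new TODO), the key that `oxs_sig_verify` ends up using appears to be whatever the caller placed in `sign_ctx`, not anything the document says about itself; that is a defensible design, but it should be stated in the header comment of `oxs_xml_sig_verify` so callers do not assume the certificate carried in the message was checked, e.g. `The caller must populate sign_ctx with a trusted key/certificate beforehand; <ds:KeyInfo> in the document is not consulted.`. Separately, the new success branch tests `if(AXIS2_FAILURE == status)` whereas the test code in this commit uses `if(AXIS2_SUCCESS != status)`; the latter fails closed on any non-success value and is the safer form on a verification path. `oxs_xml_sig_verify` starts above and ends below the hunk.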
@@ -605,7 +619,11 @@
                                 OXS_NODE_SIGNEDINFO, OXS_DSIG_NS, OXS_DS );
     c14n_mtd = oxs_sign_ctx_get_c14n_mtd(sign_ctx, env); 
     doc = axiom_node_get_document(signed_info_node, env);
+    
+    AXIS2_LOG_INFO(env->log, "[oxs][xml_sig] C14N (verif1)= %s ", axiom_node_to_string(signed_info_node, env) );
     oxs_c14n_apply(env, doc, AXIS2_FALSE, &content, AXIS2_TRUE, NULL, signed_info_node);
+
+    AXIS2_LOG_INFO(env->log, "[oxs][xml_sig] C14N (verif2)= %s ", content );
 
     /*In the final step we Verify*/ 
     status = oxs_sig_verify(env, sign_ctx, content , signature_val);

Modified: webservices/axis2/trunk/c/rampart/test/omxmlsec/test.c
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/c/rampart/test/omxmlsec/test.c?view=diff&rev=514564&r1=514563&r2=514564
==============================================================================
--- webservices/axis2/trunk/c/rampart/test/omxmlsec/test.c (original)
+++ webservices/axis2/trunk/c/rampart/test/omxmlsec/test.c Sun Mar  4 22:25:04 2007
@@ -101,10 +101,11 @@
 
     /*We need to sign this node add an ID to it*/
     node = axiom_node_get_first_element(tmpl, env);
-    id = "Sig-ID-EFG";  /*oxs_util_generate_id(env,(axis2_char_t*)OXS_SIG_ID);*/
+    id = /*"Sig-ID-EFG";*/  oxs_util_generate_id(env,(axis2_char_t*)OXS_SIG_ID);
     oxs_axiom_add_attribute(env, node, OXS_WSU, OXS_WSSE_XMLNS,  OXS_ATTR_ID, id);
     status = oxs_sign_part_set_node(sign_part, env,node);
 
+    status = oxs_sign_part_set_digest_mtd(sign_part, env, OXS_HREF_SHA1);
 
     sign_parts = axis2_array_list_create(env, 1);
     axis2_array_list_add(sign_parts, env, sign_part);
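Review bot: `status = oxs_sign_part_set_node(sign_part, env,node);` is immediately overwritten by the new `status = oxs_sign_part_set_digest_mtd(...)` without being examined, so a failure to attach the node is silently lost and the test goes on to sign nothing. Check each call before moving on, e.g. `if(AXIS2_SUCCESS != status){ printf("oxs_sign_part_set_node failed\n"); return status; }` after the first assignment (adjust the return to this function's type, which is declared outside the hunk). The enclosing function continues past the hunk.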
@@ -135,16 +136,16 @@
 }
 
 axis2_status_t verify(axis2_env_t *env,
-    axis2_char_t *filename,
+        axis2_char_t *filename,
         openssl_pkey_t *prvkey ,
-        oxs_x509_cert_t *cert
-    )
+        oxs_x509_cert_t *cert)
 {
     oxs_sign_ctx_t *sign_ctx = NULL;
     axiom_node_t *tmpl = NULL;
     axis2_status_t status = AXIS2_FAILURE;
 
     tmpl = load_sample_xml(env , tmpl, filename);
+    printf("File : \n%s\n", axiom_node_to_string(tmpl, env));
     sign_ctx = oxs_sign_ctx_create(env);
     if(sign_ctx){
         axiom_node_t *sig_node = NULL;
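Review bot: The added `printf("File : \n%s\n", axiom_node_to_string(tmpl, env));` runs before anything checks that `load_sample_xml` succeeded, so a missing or unparsable file becomes a NULL `tmpl` passed to `axiom_node_to_string`. Insert `if(!tmpl){ printf("Cannot load %s\n", filename); return AXIS2_FAILURE; }` before the printf; that matches the function's `axis2_status_t` return and the initial value of `status`. The function continues past the hunk.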
@@ -162,9 +163,9 @@
         /*Verify*/
         status = oxs_xml_sig_verify(env, sign_ctx, sig_node, tmpl);
         if(AXIS2_SUCCESS != status){
-            printf("Signature Failed :-(\n");
+            printf("\nSignature Failed :-(\n");
         }else{
-            printf("Signature Verified :-)\n");
+            printf("\nSignature Verified :-)\n");
         }
     }
 
@@ -188,7 +189,7 @@
         certfile = argv[3];
         operation = argv[4];
     }else{
-        printf("Usage ./test inputfile prvkey certificate operation\n");
+        printf("Usage ./test inputfile prvkey certificate operation[S/V]\n");
         return -1;
     }
     

Modified: webservices/axis2/trunk/c/rampart/test/openssl/sign/test.c
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/c/rampart/test/openssl/sign/test.c?view=diff&rev=514564&r1=514563&r2=514564
==============================================================================
--- webservices/axis2/trunk/c/rampart/test/openssl/sign/test.c (original)
+++ webservices/axis2/trunk/c/rampart/test/openssl/sign/test.c Sun Mar  4 22:25:04 2007
@@ -45,15 +45,17 @@
     env = axis2_env_create_all("./openssl.log", AXIS2_LOG_LEVEL_TRACE);
     
     /*Load private key*/
-    prvkey = oxs_key_mgr_load_private_key_from_file(env, "rsakey.pem", "");
+    prvkey = oxs_key_mgr_load_private_key_from_file(env, "key.pem", "");
     if(!prvkey){
             printf("Cannot load private key");
+            return 0;
     }
 
     /*Load certificate*/
-    cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, "rsacert.pem");
+    cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, "cert.pem");
     if(!cert){
          printf("Cannot load certificate");
+         return 0;
     }
 
     inbuf = oxs_buffer_create(env);
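Review bot: The new `return 0;` on the "Cannot load private key" and "Cannot load certificate" paths reports success to the shell even though the test could not run, so a misconfigured key or certificate path passes in any script that checks the exit status. If this is `main` (its start is above the hunk), return a non-zero value such as `return -1;`, as the other test in this commit does for its usage error. Both messages also lack a trailing newline.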


