Posted to rampart-dev@ws.apache.org by ka...@apache.org on 2007/10/18 08:04:10 UTC
svn commit: r585880 - in /webservices/rampart/trunk/c/src:
omxmlsec/openssl/hmac.c omxmlsec/signature.c
util/rampart_sec_header_builder.c util/rampart_signature.c
Author: kaushalye
Date: Wed Oct 17 23:04:09 2007
New Revision: 585880
URL: http://svn.apache.org/viewvc?rev=585880&view=rev
Log:
1. A bug fix in the Data Signature impl in OMXMLSecurity
2. Supporting symmetric binding in the signature level
3. More error checks in the Hmac-Sha1 algo in the openssl wrapper
Modified:
webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c
webservices/rampart/trunk/c/src/omxmlsec/signature.c
webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
webservices/rampart/trunk/c/src/util/rampart_signature.c
Modified: webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c?rev=585880&r1=585879&r2=585880&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/openssl/hmac.c Wed Oct 17 23:04:09 2007
@@ -32,13 +32,32 @@
oxs_buffer_t *output)
{
HMAC_CTX ctx;
- unsigned char hmac[MD5_DIGEST_LENGTH];
+ unsigned char hmac[EVP_MAX_MD_SIZE + 1];
unsigned int hashed_len;
+ if(!secret){
+ oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED,"[oxs][openssl] No key to sign ");
+ return AXIS2_FAILURE;
+ }
+
+ if(!input){
+ oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED,"[oxs][openssl] Nothing to sign ");
+ return AXIS2_FAILURE;
+ }
+
+ if(!output){
+ oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED,"[oxs][openssl] The buffer to place signature is NULL ");
+ return AXIS2_FAILURE;
+ }
+
HMAC_CTX_init(&ctx);
HMAC_Init_ex(&ctx, oxs_key_get_data(secret, env), oxs_key_get_size(secret, env), EVP_sha1(), NULL);
HMAC_Update(&ctx, oxs_buffer_get_data(input, env), oxs_buffer_get_size(input, env));
HMAC_Final(&ctx, hmac, &hashed_len);
+
+ /*Fill the output buffer*/
+ oxs_buffer_populate(output, env, hmac, hashed_len);
+
HMAC_cleanup(&ctx);
HMAC_CTX_cleanup(&ctx);
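Review bot: The return value of the new `oxs_buffer_populate(output, env, hmac, hashed_len);` call is discarded, so if copying the digest into the output buffer fails the caller gets an empty or stale buffer while the function (its return statement lies outside the hunk) presumably still reports success; capture it as `status = oxs_buffer_populate(output, env, hmac, hashed_len);`, run the cleanup, then `if(AXIS2_FAILURE == status){ oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED, "[oxs][openssl] Failed to populate the signature buffer "); return AXIS2_FAILURE; }`. The three added guards only check the object pointers; if `oxs_key_get_data` can return NULL or `oxs_key_get_size` can return 0 for an unpopulated key, HMAC_Init_ex would still be fed an empty key, so a check on the key material itself would close that gap. HMAC_Init_ex, HMAC_Update and HMAC_Final are void in the OpenSSL generation this wrapper targets, so their results cannot be checked here.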
Modified: webservices/rampart/trunk/c/src/omxmlsec/signature.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/omxmlsec/signature.c?rev=585880&r1=585879&r2=585880&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/omxmlsec/signature.c (original)
+++ webservices/rampart/trunk/c/src/omxmlsec/signature.c Wed Oct 17 23:04:09 2007
@@ -50,6 +50,7 @@
status = openssl_hmac_sha1(env, secret, input, signed_result_buf);
if(AXIS2_FAILURE == status){
oxs_error(env, ERROR_LOCATION, OXS_ERROR_SIGN_FAILED,"Signature failed. using HMAC-SHA1 ");
+ return AXIS2_FAILURE;
}
/*Base64 encode*/
@@ -131,7 +132,7 @@
{
oxs_sig_sign_rsa_sha1(env, sign_ctx, input, output);
}
- else if ((axutil_strcmp(sign_algo, OXS_HREF_DSA_SHA1)) == 0)
+ else if ((axutil_strcmp(sign_algo, OXS_HREF_HMAC_SHA1)) == 0)
{
oxs_sig_sign_hmac_sha1(env, sign_ctx, input, output);
}
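Review bot: The status returned by `oxs_sig_sign_hmac_sha1(env, sign_ctx, input, output);` (and by the rsa branch above it) is dropped in this dispatch, so the `return AXIS2_FAILURE;` added in the first hunk of this file stops here and never reaches the caller of the dispatcher. If the enclosing function carries a status variable, the branch should read `status = oxs_sig_sign_hmac_sha1(env, sign_ctx, input, output);` and the rsa branch likewise; the enclosing function starts and ends outside the hunk, so whether it returns that status afterwards cannot be confirmed from the page.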
Modified: webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c?rev=585880&r1=585879&r2=585880&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_sec_header_builder.c Wed Oct 17 23:04:09 2007
@@ -100,7 +100,13 @@
is_encrypt_before_sign = AXIS2_FALSE;
/*TODO First do signature specific stuff using Symmetric key*/
-
+ status = rampart_sig_sign_message(env, msg_ctx, rampart_context, soap_envelope, sec_node);
+ if(status != AXIS2_SUCCESS)
+ {
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[rampart][shb] Signing failed. ERROR");
+ return AXIS2_FAILURE;
+ }
/*Then Handle Encryption stuff*/
status = rampart_enc_dk_encrypt_message(env, msg_ctx, rampart_context, soap_envelope, sec_node);
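Review bot: The comment kept directly above the new block, `/*TODO First do signature specific stuff using Symmetric key*/`, now describes work the block performs, so it reads as an open item; rewrite it as `/*Sign the message first using the symmetric key; encryption follows*/`. The log text `"[rampart][shb] Signing failed. ERROR"` could also name the binding, e.g. `"[rampart][shb] Signing with the symmetric binding failed"`, since the same wording for the asymmetric path would make the two failures indistinguishable in a log.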
Modified: webservices/rampart/trunk/c/src/util/rampart_signature.c
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/c/src/util/rampart_signature.c?rev=585880&r1=585879&r2=585880&view=diff
==============================================================================
--- webservices/rampart/trunk/c/src/util/rampart_signature.c (original)
+++ webservices/rampart/trunk/c/src/util/rampart_signature.c Wed Oct 17 23:04:09 2007
@@ -284,6 +284,7 @@
/*axutil_array_list_t *tr_list = NULL;*/
axis2_bool_t server_side = AXIS2_FALSE;
rp_property_type_t token_type;
+ rp_property_type_t binding_type;
rp_property_t *token = NULL;
axiom_node_t *sig_node = NULL;
axis2_char_t *eki = NULL;
@@ -376,14 +377,6 @@
return AXIS2_FAILURE;
}
- if(rampart_context_check_is_derived_keys(env,token))
- {
- AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
- "[rampart][rampart_signature] We still do not support derived keys");
- axutil_array_list_free(nodes_to_sign, env);
- nodes_to_sign = NULL;
- return AXIS2_FAILURE;
- }
/*If the requirement is to include the token we should build the binary security
* token element here.*/
@@ -484,9 +477,20 @@
nodes_to_sign = NULL;
sign_ctx = oxs_sign_ctx_create(env);
+ /*Get the binding type. Either symmetric or asymmetric for signature*/
+ binding_type = rampart_context_get_binding_type(rampart_context,env);
- /* Pack for asymmetric signature*/
- status = rampart_sig_pack_for_asym(env, rampart_context, sign_ctx);
+ if(RP_PROPERTY_ASYMMETRIC_BINDING == binding_type){
+ /* Pack for asymmetric signature*/
+ status = rampart_sig_pack_for_asym(env, rampart_context, sign_ctx);
+ }else if(RP_PROPERTY_SYMMETRIC_BINDING == binding_type){
+ /* Pack for symmetric signature*/
+ status = rampart_sig_pack_for_sym(env, rampart_context, sign_ctx);
+ }else{
+ /*We do not support*/
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,"[rampart][rampart_signature] Signature support only symmetric and asymmetric bindings.");
+ return AXIS2_FAILURE;
+ }
/* Set which parts to be signed*/
oxs_sign_ctx_set_sign_parts(sign_ctx, env, sign_parts);
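Review bot: The new unsupported-binding branch returns `AXIS2_FAILURE` right after `sign_ctx = oxs_sign_ctx_create(env);`, so the freshly created context is leaked on that path; add `oxs_sign_ctx_free(sign_ctx, env); sign_ctx = NULL;` before the `return AXIS2_FAILURE;` on that branch. Separately, the earlier hunk of this file removes the check that rejected derived-key tokens, and nothing on this page shows `rampart_sig_pack_for_sym` handling them; if it does not, a policy that requires derived keys is now signed with the base key instead of being refused, which should be confirmed or the check restored in the symmetric branch. The enclosing function ends outside the hunk.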