You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by bl...@apache.org on 2005/07/05 13:52:43 UTC
cvs commit: xml-security/c/src/dsig DSIGReference.cpp DSIGReference.hpp DSIGSignature.cpp DSIGSignature.hpp DSIGSignedInfo.cpp DSIGSignedInfo.hpp
blautenb 2005/07/05 04:52:43
Modified: c/src/dsig DSIGReference.cpp DSIGReference.hpp
DSIGSignature.cpp DSIGSignature.hpp
DSIGSignedInfo.cpp DSIGSignedInfo.hpp
Log:
Add methods to create signatures using URIs rather than enums + deprecate enum based methods
Revision Changes Path
1.28 +52 -78 xml-security/c/src/dsig/DSIGReference.cpp
Index: DSIGReference.cpp
===================================================================
RCS file: /home/cvs/xml-security/c/src/dsig/DSIGReference.cpp,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- DSIGReference.cpp 14 May 2005 04:33:46 -0000 1.27
+++ DSIGReference.cpp 5 Jul 2005 11:52:43 -0000 1.28
@@ -50,6 +50,8 @@
#include <xsec/framework/XSECError.hpp>
#include <xsec/framework/XSECEnv.hpp>
+#include <xsec/framework/XSECAlgorithmHandler.hpp>
+#include <xsec/framework/XSECAlgorithmMapper.hpp>
#include <xsec/utils/XSECPlatformUtils.hpp>
#include <xsec/utils/XSECDOMUtils.hpp>
#include <xsec/utils/XSECBinTXFMInputStream.hpp>
@@ -261,6 +263,16 @@
}
+DSIGTransformC14n * DSIGReference::appendCanonicalizationTransform(
+ const XMLCh * canonicalizationAlgorithmURI) {
+
+ canonicalizationMethod cm;
+ XSECmapURIToCanonicalizationMethod(canonicalizationAlgorithmURI, cm);
+
+ return appendCanonicalizationTransform(cm);
+
+}
+
DSIGTransformXPath * DSIGReference::appendXPathTransform(const char * expr) {
DOMElement *txfmElt;
@@ -298,15 +310,33 @@
DOMElement *DSIGReference::createBlankReference(const XMLCh * URI, hashMethod hm, char * type) {
+ // Deprecated - use the algorithm URI based method instead
+
+ safeBuffer hURI;
+
+ if (hashMethod2URI(hURI, hm) == false) {
+ throw XSECException(XSECException::UnknownSignatureAlgorithm,
+ "DSIGReference::createBlankReference - Hash method unknown");
+ }
+
+ return createBlankReference(URI, hURI.sbStrToXMLCh(), MAKE_UNICODE_STRING(type));
+
+}
+
+DOMElement *DSIGReference::createBlankReference(const XMLCh * URI,
+ const XMLCh * hashAlgorithmURI,
+ const XMLCh * type) {
+
// Reset this Reference just in case
- me_hashMethod = hm;
m_isManifest = false;
mp_preHash = NULL;
mp_manifestList = NULL;
mp_transformsNode = NULL;
mp_transformList = NULL;
+ XSECmapURIToHashMethod(hashAlgorithmURI, me_hashMethod);
+
safeBuffer str;
DOMDocument *doc = mp_env->getParentDocument();
const XMLCh * prefix = mp_env->getDSIGNSPrefix();
@@ -318,8 +348,7 @@
// Set type
if (type != NULL)
- ret->setAttributeNS(NULL, MAKE_UNICODE_STRING("Type"),
- MAKE_UNICODE_STRING(type));
+ ret->setAttributeNS(NULL, MAKE_UNICODE_STRING("Type"), type);
// Set URI
if (URI != NULL) {
@@ -338,14 +367,13 @@
ret->appendChild(digestMethod);
mp_env->doPrettyPrint(ret);
- if (!hashMethod2URI(str, hm)) {
-
- throw XSECException(XSECException::SignatureCreationError,
- "Attempt to use undefined Digest Method in SignedInfo Creation");
+ digestMethod->setAttributeNS(NULL, DSIGConstants::s_unicodeStrAlgorithm,
+ hashAlgorithmURI);
- }
+ // Retrieve the attribute value for later use
+ mp_algorithmURI =
+ digestMethod->getAttributeNS(NULL, DSIGConstants::s_unicodeStrAlgorithm);
- digestMethod->setAttributeNS(NULL, DSIGConstants::s_unicodeStrAlgorithm, str.sbStrToXMLCh());
// DigestValue
@@ -627,58 +655,10 @@
}
- // Determine hashing algorithm
-
- if (strEquals(atts->item(i)->getNodeValue(), DSIGConstants::s_unicodeStrURISHA1)) {
-
- me_hashMethod = HASH_SHA1;
-
- }
-
- else if (strEquals(atts->item(i)->getNodeValue(), DSIGConstants::s_unicodeStrURISHA224)) {
-
- me_hashMethod = HASH_SHA224;
-
- }
-
- else if (strEquals(atts->item(i)->getNodeValue(), DSIGConstants::s_unicodeStrURISHA256)) {
-
- me_hashMethod = HASH_SHA256;
-
- }
-
- else if (strEquals(atts->item(i)->getNodeValue(), DSIGConstants::s_unicodeStrURISHA384)) {
-
- me_hashMethod = HASH_SHA384;
-
- }
-
- else if (strEquals(atts->item(i)->getNodeValue(), DSIGConstants::s_unicodeStrURISHA512)) {
-
- me_hashMethod = HASH_SHA512;
-
- }
-
- else if (strEquals(atts->item(i)->getNodeValue(), DSIGConstants::s_unicodeStrURIMD5)) {
-
- me_hashMethod = HASH_MD5;
-
- }
-
- else {
-
- safeBuffer tmp, error;
-
- error << (*mp_formatter << atts->item(0)->getNodeValue());
-
- tmp.sbStrcpyIn("Unknown DigestMethod Algorithm : '");
- tmp.sbStrcatIn(error);
- tmp.sbStrcatIn("'.");
-
- throw XSECException(XSECException::UnknownTransform, tmp.rawCharBuffer());
-
- }
+ mp_algorithmURI = atts->item(i)->getNodeValue();
+ // Determine hashing algorithm
+ XSECmapURIToHashMethod(mp_algorithmURI, me_hashMethod);
// Find the hash value node
@@ -1265,34 +1245,28 @@
#endif
- // Determine what the digest method actually is
+ // Get the mapping for the hash transform
- switch (me_hashMethod) {
+ XSECAlgorithmHandler * handler =
+ XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(mp_algorithmURI);
- case HASH_SHA1 :
- case HASH_SHA224 :
- case HASH_SHA256 :
- case HASH_SHA384 :
- case HASH_SHA512 :
+ if (handler == NULL) {
- XSECnew(currentTxfm, TXFMSHA1(d, me_hashMethod));
- break;
-
- case HASH_MD5 :
- XSECnew(currentTxfm, TXFMMD5(d));
- break;
+ throw XSECException(XSECException::SigVfyError,
+ "Hash method unknown in DSIGReference::calculateHash()");
+
+ }
- default :
+ if (!handler->appendHashTxfm(chain, mp_algorithmURI)) {
- throw XSECException(XSECException::UnknownTransform,
- "Unknown Hash type in <Reference> node");
+ throw XSECException(XSECException::SigVfyError,
+ "Unexpected error in handler whilst appending Hash transform");
}
// Now we have the hashing transform, run it.
- chain->appendTxfm(currentTxfm);
size = chain->getLastTxfm()->readBytes(toFill, maxToFill);
// Clean out document if necessary
1.18 +39 -1 xml-security/c/src/dsig/DSIGReference.hpp
Index: DSIGReference.hpp
===================================================================
RCS file: /home/cvs/xml-security/c/src/dsig/DSIGReference.hpp,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- DSIGReference.hpp 4 Jun 2005 11:30:25 -0000 1.17
+++ DSIGReference.hpp 5 Jul 2005 11:52:43 -0000 1.18
@@ -148,12 +148,37 @@
* @param hm The type of Digest to be used (generally SHA-1)
* @param type A type string (as defined by XML Signature).
* @returns The root Reference element of the newly created DOM structure.
+ * @deprecated Use the URI based creation method instead
*/
XERCES_CPP_NAMESPACE_QUALIFIER DOMElement *
createBlankReference(const XMLCh * URI, hashMethod hm, char * type);
/**
+ * \brief Create a Reference structure in the document.
+ *
+ * <p>This function will create a Reference structure in the owner
+ * document. In some cases, a call to this function will be sufficient
+ * to put the required Reference in place. In other cases, calls will
+ * also need to be made to the various append*Transform methods.</p>
+ *
+ * @note The XSEC Library currently makes very little use of <em>type</em>
+ * attributes in \<Reference\> Elements. However this may of use to calling
+ * applications.
+ *
+ * @param URI The URI (data source) for this reference. Set to NULL for
+ * an anonymous reference.
+ * @param hashAlgorithmURI The type of Digest to be used (generally SHA-1)
+ * @param type A type string (as defined by XML Signature).
+ * @returns The root Reference element of the newly created DOM structure.
+ */
+
+ XERCES_CPP_NAMESPACE_QUALIFIER DOMElement *
+ createBlankReference(const XMLCh * URI,
+ const XMLCh * hashAlgorithmURI,
+ const XMLCh * type);
+
+ /**
* \brief Append an Enveloped Signature Transform to the Reference.
*
* Appends a simple enveloped-signature transform to the list of transforms
@@ -213,8 +238,20 @@
/**
* \brief Append a Canonicalization Transform to the Reference.
*
+ * @param canonicalizationAlgorithmURI The type of canonicalisation to be added.
+ * @returns The newly create canonicalisation transform
+ */
+
+ DSIGTransformC14n * appendCanonicalizationTransform(
+ const XMLCh * canonicalizationAlgorithmURI
+ );
+
+ /**
+ * \brief Append a Canonicalization Transform to the Reference.
+ *
* @param cm The type of canonicalisation to be added.
* @returns The newly create canonicalisation transform
+ * @deprecated Use the AlgorithmURI based method instead
*/
DSIGTransformC14n * appendCanonicalizationTransform(canonicalizationMethod cm);
@@ -494,6 +531,7 @@
* mp_hashValueNode; // Node where the Hash value is stored
const XSECEnv * mp_env;
DSIGTransformList * mp_transformList; // List of transforms
+ const XMLCh * mp_algorithmURI; // Hash algorithm for this reference
bool m_loaded;
1.41 +145 -235 xml-security/c/src/dsig/DSIGSignature.cpp
Index: DSIGSignature.cpp
===================================================================
RCS file: /home/cvs/xml-security/c/src/dsig/DSIGSignature.cpp,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- DSIGSignature.cpp 15 May 2005 09:09:58 -0000 1.40
+++ DSIGSignature.cpp 5 Jul 2005 11:52:43 -0000 1.41
@@ -39,6 +39,8 @@
#include <xsec/transformers/TXFMC14n.hpp>
#include <xsec/transformers/TXFMChain.hpp>
#include <xsec/framework/XSECError.hpp>
+#include <xsec/framework/XSECAlgorithmHandler.hpp>
+#include <xsec/framework/XSECAlgorithmMapper.hpp>
#include <xsec/enc/XSECCryptoKeyDSA.hpp>
#include <xsec/enc/XSECCryptoKeyRSA.hpp>
#include <xsec/utils/XSECDOMUtils.hpp>
@@ -51,6 +53,7 @@
#include <xsec/dsig/DSIGKeyInfoPGPData.hpp>
#include <xsec/dsig/DSIGKeyInfoSPKIData.hpp>
#include <xsec/dsig/DSIGKeyInfoMgmtData.hpp>
+#include <xsec/dsig/DSIGAlgorithmHandlerDefault.hpp>
#include <xsec/framework/XSECEnv.hpp>
// Xerces includes
@@ -61,10 +64,46 @@
XERCES_CPP_NAMESPACE_USE
// --------------------------------------------------------------------------------
+// Init
+// --------------------------------------------------------------------------------
+
+
+void DSIGSignature::Initialise(void) {
+
+ DSIGAlgorithmHandlerDefault def;
+
+ // Register default signature algorithm handlers
+
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIRSA_SHA1, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIRSA_SHA224, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIRSA_SHA256, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIRSA_SHA384, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIRSA_SHA512, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIDSA_SHA1, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIHMAC_SHA1, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIHMAC_SHA224, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIHMAC_SHA256, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIHMAC_SHA384, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIHMAC_SHA512, def);
+
+ // Register default hashing algorithm handlers
+
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURISHA1, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURISHA224, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURISHA256, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURISHA384, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURISHA512, def);
+ XSECPlatformUtils::registerAlgorithmHandler(DSIGConstants::s_unicodeStrURIMD5, def);
+
+}
+
+// --------------------------------------------------------------------------------
// Some useful utility functions
// --------------------------------------------------------------------------------
+#if 0
+
bool compareBase64StringToRaw(safeBuffer &b64SB,
unsigned char * raw,
unsigned int rawLen,
@@ -202,6 +241,9 @@
b64SB.sbStrcpyIn((char *) b64Str);
}
+
+#endif /* 0 */
+
// --------------------------------------------------------------------------------
// Get the Canonicalised BYTE_STREAM of the SignedInfo
// --------------------------------------------------------------------------------
@@ -509,12 +551,44 @@
}
+// --------------------------------------------------------------------------------
+// Creating Blank Signature
+// --------------------------------------------------------------------------------
DOMElement *DSIGSignature::createBlankSignature(DOMDocument *doc,
canonicalizationMethod cm,
signatureMethod sm,
hashMethod hm) {
+ // This is now deprecated. Because this is so, we go the long way - translate
+ // to URI and then call the "standard" method, which will translate back to
+ // internal enums if possible
+
+ const XMLCh * cURI;
+ safeBuffer sURI;
+
+ if ((cURI = canonicalizationMethod2UNICODEURI(cm)) == NULL) {
+ throw XSECException(XSECException::UnknownCanonicalization,
+ "DSIGSignature::createBlankSignature - Canonicalisation method unknown");
+ }
+
+ if (signatureHashMethod2URI(sURI, sm, hm) == false) {
+ throw XSECException(XSECException::UnknownSignatureAlgorithm,
+ "DSIGSignature::createBlankSignature - Signature/Hash method unknown");
+ }
+
+ return createBlankSignature(doc, cURI, sURI.sbStrToXMLCh());
+
+}
+
+
+DOMElement *DSIGSignature::createBlankSignature(
+ DOMDocument *doc,
+ const XMLCh * canonicalizationAlgorithmURI,
+ const XMLCh * signatureAlgorithmURI) {
+
+ // "New" method to create a blank signature, based on URIs.
+
mp_doc = doc;
mp_env->setParentDocument(doc);
@@ -545,7 +619,8 @@
// Create the skeleton SignedInfo
XSECnew(mp_signedInfo, DSIGSignedInfo(mp_doc, mp_formatter, mp_env));
- mp_sigNode->appendChild(mp_signedInfo->createBlankSignedInfo(cm, sm, hm));
+ mp_sigNode->appendChild(mp_signedInfo->createBlankSignedInfo(
+ canonicalizationAlgorithmURI, signatureAlgorithmURI));
mp_env->doPrettyPrint(mp_sigNode);
// Create a dummy signature value (dummy until signed)
@@ -565,6 +640,8 @@
return sigNode;
}
+
+
// --------------------------------------------------------------------------------
// Creating References
// --------------------------------------------------------------------------------
@@ -577,6 +654,15 @@
}
+DSIGReference * DSIGSignature::createReference(
+ const XMLCh * URI,
+ const XMLCh * hashAlgorithmURI,
+ const XMLCh * type) {
+
+ return mp_signedInfo->createReference(URI, hashAlgorithmURI, type);
+
+}
+
// --------------------------------------------------------------------------------
// Manipulation of KeyInfo elements
// --------------------------------------------------------------------------------
@@ -802,10 +888,7 @@
*/
}
-unsigned int DSIGSignature::calculateSignedInfoHash(unsigned char * hashBuf,
- unsigned int hashBufLen) {
-
- // Calculate the hash and store in the hashBuf
+TXFMChain * DSIGSignature::getSignedInfoInput(void) {
TXFMBase * txfm;
TXFMChain * chain;
@@ -861,93 +944,41 @@
"Canonicalisation method unknown in DSIGSignature::calculateSignedInfoHash()");
}
+
+ j_chain.release();
+ return chain;
- // Setup Hash
-
- switch (mp_signedInfo->getHashMethod()) {
-
- case HASH_SHA1 :
-
- if (mp_signedInfo->getSignatureMethod() == SIGNATURE_HMAC){
- if (mp_signingKey->getKeyType() != XSECCryptoKey::KEY_HMAC) {
- throw XSECException(XSECException::SigVfyError,
- "DSIGSignature::calculateSignedInfoHash - non HMAC key passed in to HMAC signature");
- }
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA1, mp_signingKey));
- }
- else {
- XSECnew(txfm, TXFMSHA1(mp_doc));
- }
-
- break;
-
- case HASH_SHA224 :
-
- if (mp_signedInfo->getSignatureMethod() == SIGNATURE_HMAC){
- if (mp_signingKey->getKeyType() != XSECCryptoKey::KEY_HMAC) {
- throw XSECException(XSECException::SigVfyError,
- "DSIGSignature::calculateSignedInfoHash - non HMAC key passed in to HMAC signature");
- }
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA224, mp_signingKey));
- }
- else {
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA224));
- }
-
- break;
-
- case HASH_SHA256 :
-
- if (mp_signedInfo->getSignatureMethod() == SIGNATURE_HMAC){
- if (mp_signingKey->getKeyType() != XSECCryptoKey::KEY_HMAC) {
- throw XSECException(XSECException::SigVfyError,
- "DSIGSignature::calculateSignedInfoHash - non HMAC key passed in to HMAC signature");
- }
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA256, mp_signingKey));
- }
- else {
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA256));
- }
+}
- break;
+unsigned int DSIGSignature::calculateSignedInfoHash(unsigned char * hashBuf,
+ unsigned int hashBufLen) {
- case HASH_SHA384 :
+ // Get the SignedInfo input bytes
+ TXFMChain * chain = getSignedInfoInput();
+ Janitor<TXFMChain> j_chain(chain);
- if (mp_signedInfo->getSignatureMethod() == SIGNATURE_HMAC){
- if (mp_signingKey->getKeyType() != XSECCryptoKey::KEY_HMAC) {
- throw XSECException(XSECException::SigVfyError,
- "DSIGSignature::calculateSignedInfoHash - non HMAC key passed in to HMAC signature");
- }
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA384, mp_signingKey));
- }
- else {
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA384));
- }
+ // Setup Hash
+ // First find the appropriate handler for the URI
+ XSECAlgorithmHandler * handler =
+ XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(
+ mp_signedInfo->getAlgorithmURI());
- break;
+ if (handler == NULL) {
- case HASH_SHA512 :
- if (mp_signedInfo->getSignatureMethod() == SIGNATURE_HMAC){
- if (mp_signingKey->getKeyType() != XSECCryptoKey::KEY_HMAC) {
- throw XSECException(XSECException::SigVfyError,
- "DSIGSignature::calculateSignedInfoHash - non HMAC key passed in to HMAC signature");
- }
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA512, mp_signingKey));
- }
- else {
- XSECnew(txfm, TXFMSHA1(mp_doc, HASH_SHA512));
- }
+ throw XSECException(XSECException::SigVfyError,
+ "Hash method unknown in DSIGSignature::calculateSignedInfoHash()");
- break;
+ }
- default :
+ if (!handler->appendSignatureHashTxfm(chain, mp_signedInfo->getAlgorithmURI(), mp_signingKey)) {
throw XSECException(XSECException::SigVfyError,
- "Hash method unknown in DSIGSignature::calculateSignedInfoHash()");
+ "Unexpected error in handler whilst appending Signature Hash transform");
}
+
#if 0
TXFMOutputFile * of = new TXFMOutputFile(mp_doc);
@@ -956,8 +987,6 @@
hashVal=of;
#endif
- chain->appendTxfm(txfm);
-
// Write hash to the buffer
int hashLen;
@@ -1018,78 +1047,34 @@
}
+ // Get the SignedInfo input bytes
+ TXFMChain * chain = getSignedInfoInput();
+ Janitor<TXFMChain> j_chain(chain);
hashLen = calculateSignedInfoHash(hash, 4096);
// Now set up to verify
- bool sigVfyRet = false;
+ // First find the appropriate handler for the URI
+ XSECAlgorithmHandler * handler =
+ XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(
+ mp_signedInfo->getAlgorithmURI());
- switch (mp_signingKey->getKeyType()) {
-
- case (XSECCryptoKey::KEY_DSA_PUBLIC) :
- case (XSECCryptoKey::KEY_DSA_PAIR) :
-
- if (mp_signedInfo == NULL || mp_signedInfo->getSignatureMethod() != SIGNATURE_DSA) {
-
- throw XSECException(XSECException::SigVfyError,
- "Key type does not match <SignedInfo> signature type");
-
- }
-
- sigVfyRet = ((XSECCryptoKeyDSA *) mp_signingKey)->verifyBase64Signature(
- hash,
- hashLen,
- (char *) m_signatureValueSB.rawBuffer(),
- m_signatureValueSB.sbStrlen());
-
- if (!sigVfyRet)
- m_errStr.sbXMLChCat("DSA Validation of <SignedInfo> failed");
-
- break;
-
- case (XSECCryptoKey::KEY_RSA_PUBLIC) :
- case (XSECCryptoKey::KEY_RSA_PAIR) :
-
- if (mp_signedInfo == NULL || mp_signedInfo->getSignatureMethod() != SIGNATURE_RSA) {
-
- throw XSECException(XSECException::SigVfyError,
- "Key type does not match <SignedInfo> signature type");
-
- }
-
- sigVfyRet = ((XSECCryptoKeyRSA *) mp_signingKey)->verifySHA1PKCS1Base64Signature(
- hash,
- hashLen,
- m_signatureValueSB.rawCharBuffer(),
- m_signatureValueSB.sbStrlen());
-
- if (sigVfyRet == false) {
-
- m_errStr.sbXMLChCat("RSA Validation of <SignedInfo> failed");
-
- }
-
- break;
-
- case (XSECCryptoKey::KEY_HMAC) :
-
- // Already done - just compare calculated value with read value
- sigVfyRet = compareBase64StringToRaw(m_signatureValueSB,
- hash,
- hashLen,
- mp_signedInfo->getHMACOutputLength());
- if (!sigVfyRet)
- m_errStr.sbXMLChCat("HMAC Validation of <SignedInfo> failed");
-
- break;
-
- default :
+ if (handler == NULL) {
throw XSECException(XSECException::SigVfyError,
- "Key found, but don't know how to check the signature using it");
+ "Hash method unknown in DSIGSignature::verifySignatureOnlyInternal()");
}
+ bool sigVfyRet = handler->verifyBase64Signature(chain,
+ mp_signedInfo->getAlgorithmURI(),
+ m_signatureValueSB.rawCharBuffer(),
+ mp_signedInfo->getHMACOutputLength(),
+ mp_signingKey);
+
+ if (!sigVfyRet)
+ m_errStr.sbXMLChCat("Validation of <SignedInfo> failed");
+
return sigVfyRet;
}
@@ -1162,106 +1147,31 @@
// Set up the reference list hashes - including any manifests
mp_signedInfo->hash();
- // Calculate the hash to be signed
-
- unsigned char hash[4096];
- int hashLen;
-
- hashLen = calculateSignedInfoHash(hash, 4096);
-
- // Now check the calculated hash
-
- char b64Buf[1024];
- unsigned int b64Len;
- safeBuffer b64SB;
-
- switch (mp_signingKey->getKeyType()) {
-
- case (XSECCryptoKey::KEY_DSA_PRIVATE) :
- case (XSECCryptoKey::KEY_DSA_PAIR) :
-
- if (mp_signedInfo == NULL || mp_signedInfo->getSignatureMethod() != SIGNATURE_DSA) {
-
- throw XSECException(XSECException::SigningError,
- "Key type does not match <SignedInfo> signature type");
-
- }
-
- b64Len = ((XSECCryptoKeyDSA *) mp_signingKey)->signBase64Signature(
- hash,
- hashLen,
- (char *) b64Buf,
- 1024);
-
- if (b64Len <= 0) {
-
- throw XSECException(XSECException::SigningError,
- "Unknown error occured during a DSA Signing operation");
-
- }
-
- if (b64Buf[b64Len-1] == '\n')
- b64Buf[b64Len-1] = '\0';
- else
- b64Buf[b64Len] = '\0';
-
- break;
-
- case (XSECCryptoKey::KEY_RSA_PRIVATE) :
- case (XSECCryptoKey::KEY_RSA_PAIR) :
-
- if (mp_signedInfo == NULL || mp_signedInfo->getSignatureMethod() != SIGNATURE_RSA) {
-
- throw XSECException(XSECException::SigningError,
- "Key type does not match <SignedInfo> signature type");
-
- }
-
- b64Len = ((XSECCryptoKeyRSA *) mp_signingKey)->signSHA1PKCS1Base64Signature(
- hash,
- hashLen,
- (char *) b64Buf,
- 1024);
-
- if (b64Len <= 0) {
-
- throw XSECException(XSECException::SigningError,
- "Unknown error occured during a RSA Signing operation");
-
- }
-
- // Clean up some "funnies" and make sure the string is NULL terminated
+ // Get the SignedInfo input bytes
+ TXFMChain * chain = getSignedInfoInput();
+ Janitor<TXFMChain> j_chain(chain);
- if (b64Buf[b64Len-1] == '\n')
- b64Buf[b64Len-1] = '\0';
- else
- b64Buf[b64Len] = '\0';
+ // Calculate the hash to be signed
- break;
+ safeBuffer b64Buf;
- case (XSECCryptoKey::KEY_HMAC) :
+ XSECAlgorithmHandler * handler =
+ XSECPlatformUtils::g_algorithmMapper->mapURIToHandler(
+ mp_signedInfo->getAlgorithmURI());
- if (mp_signedInfo == NULL || mp_signedInfo->getSignatureMethod() != SIGNATURE_HMAC) {
+ if (handler == NULL) {
- throw XSECException(XSECException::SigningError,
- "Key type does not match <SignedInfo> signature type");
- }
+ throw XSECException(XSECException::SigVfyError,
+ "Hash method unknown in DSIGSignature::sign()");
- // Signature already created, so just translate to base 64 and enter string
-
- convertRawToBase64String(b64SB,
- hash,
- hashLen,
- mp_signedInfo->getHMACOutputLength());
-
- strncpy(b64Buf, (char *) b64SB.rawBuffer(), 1024);
- break;
+ }
- default :
+ if (!handler->signToSafeBuffer(chain, mp_signedInfo->getAlgorithmURI(),
+ mp_signingKey, mp_signedInfo->getHMACOutputLength(), b64Buf)) {
throw XSECException(XSECException::SigVfyError,
- "Key found, but don't know how to sign the document using it");
+ "Unexpected error in handler whilst appending Signature Hash transform");
}
@@ -1275,11 +1185,11 @@
if (tmpElt == NULL) {
// Need to create the underlying TEXT_NODE
DOMDocument * doc = mp_signatureValueNode->getOwnerDocument();
- tmpElt = doc->createTextNode(MAKE_UNICODE_STRING(b64Buf));
+ tmpElt = doc->createTextNode(b64Buf.sbStrToXMLCh());
mp_signatureValueNode->appendChild(tmpElt);
}
else {
- tmpElt->setNodeValue(MAKE_UNICODE_STRING(b64Buf));
+ tmpElt->setNodeValue(b64Buf.sbStrToXMLCh());
}
// And copy to the local buffer
1.27 +63 -1 xml-security/c/src/dsig/DSIGSignature.hpp
Index: DSIGSignature.hpp
===================================================================
RCS file: /home/cvs/xml-security/c/src/dsig/DSIGSignature.hpp,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- DSIGSignature.hpp 4 Jun 2005 11:30:25 -0000 1.26
+++ DSIGSignature.hpp 5 Jul 2005 11:52:43 -0000 1.27
@@ -294,11 +294,41 @@
* Different hash methods can be used for reference elements.
*
* @param doc The document the Signature DOM structure will be inserted into.
+ * @param canonicalizationAlgorithmURI The canonicalisation method to use.
+ * @param signatureAlgorithmURI The Signature algorithm (defined by URI) to use
+ * @returns The newly created \<Signature\> element that the caller should insert in
+ * the document.
+ */
+
+ XERCES_CPP_NAMESPACE_QUALIFIER DOMElement *createBlankSignature(
+ XERCES_CPP_NAMESPACE_QUALIFIER DOMDocument *doc,
+ const XMLCh * canonicalizationAlgorithmURI,
+ const XMLCh * signatureAlgorithmURI
+ );
+
+ /**
+ * \brief Create a \<Signature\> DOM structure.
+ *
+ * <p>The DOM structure created is still divorced from the document. The callee
+ * needs to take the returned \<Signature\> Element node and insert it at the
+ * appropriate place in their document.</p>
+ *
+ * <p>The signature is a skeleton only. There are no references or KeyInfo
+ * elements inserted. However the DSIGSignature structures are set up with the
+ * new information, so once an element has been created and a signing key has been
+ * set, a call to #sign will sign appropriately.
+ *
+ * @note The digest method (hash method) set here is for the signing function only.
+ * Different hash methods can be used for reference elements.
+ *
+ * @param doc The document the Signature DOM structure will be inserted into.
* @param cm The canonicalisation method to use.
* @param sm The signature algorithm to be used.
* @param hm The Digest function to be used for the actual signatures.
* @returns The newly created \<Signature\> element that the caller should insert in
* the document.
+ * @deprecated Use the URI based creation method instead, as this supports
+ * signature algorithms that are not known to the library directly.
*/
XERCES_CPP_NAMESPACE_QUALIFIER DOMElement *createBlankSignature(
@@ -324,6 +354,7 @@
* @param hm The hashing (digest) method to be used for this reference
* @param type A "type" string (as defined in XML Signature).
* @returns The newly created DSIGReference element.
+ * @deprecated Use the URI based creation method instead
*
*/
@@ -334,6 +365,31 @@
char * type = NULL
);
+ /**
+ * \brief Add a new reference to the end of the list of \<Reference\> nodes.
+ *
+ * <p>Creates a new DSIGReference, adds it to the list of references handled
+ * by the owning DSIGSignature and also creates the skeleton DOM structure into
+ * the document.</p>
+ *
+ * @note The XSEC Library currently makes very little use of <em>type</em>
+ * attributes in \<Reference\> Elements. However this may of use to calling
+ * applications.
+ *
+ * @see DSIGReference
+ * @param URI The Data that this Reference node refers to.
+ * @param hm The hashing (digest) method to be used for this reference
+ * @param type A "type" string (as defined in XML Signature).
+ * @returns The newly created DSIGReference element.
+ * @deprecated Use the URI based creation method instead
+ *
+ */
+
+ DSIGReference * createReference(
+ const XMLCh * URI,
+ const XMLCh * hashAlgorithmURI,
+ const XMLCh * type = NULL
+ );
//@}
/** @name General and Information functions. */
@@ -826,6 +882,10 @@
// Internal functions
void createKeyInfoElement(void);
bool verifySignatureOnlyInternal(void);
+ TXFMChain * getSignedInfoInput(void);
+
+ // Initialisation
+ static void Initialise(void);
XSECSafeBufferFormatter * mp_formatter;
bool m_loaded; // Have we already loaded?
@@ -858,6 +918,8 @@
// Not implemented constructors
DSIGSignature();
+
+ friend class XSECPlatformUtils;
/*\@}*/
};
1.13 +57 -22 xml-security/c/src/dsig/DSIGSignedInfo.cpp
Index: DSIGSignedInfo.cpp
===================================================================
RCS file: /home/cvs/xml-security/c/src/dsig/DSIGSignedInfo.cpp,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- DSIGSignedInfo.cpp 20 Feb 2005 10:35:51 -0000 1.12
+++ DSIGSignedInfo.cpp 5 Jul 2005 11:52:43 -0000 1.13
@@ -143,11 +143,26 @@
hashMethod hm,
char * type) {
+ safeBuffer hURI;
+
+ if (hashMethod2URI(hURI, hm) == false) {
+ throw XSECException(XSECException::UnknownSignatureAlgorithm,
+ "DSIGSignedInfo::createReference - Hash method unknown");
+ }
+
+ return createReference(URI, hURI.sbStrToXMLCh(), MAKE_UNICODE_STRING(type));;
+}
+
+DSIGReference * DSIGSignedInfo::createReference(
+ const XMLCh * URI,
+ const XMLCh * hashAlgorithmURI,
+ const XMLCh * type) {
+
DSIGReference * ref;
XSECnew(ref, DSIGReference(mp_env));
Janitor<DSIGReference> j_ref(ref);
- DOMNode *refNode = ref->createBlankReference(URI, hm, type);
+ DOMNode *refNode = ref->createBlankReference(URI, hashAlgorithmURI, type);
// Add the node to the end of the childeren
mp_signedInfoNode->appendChild(refNode);
@@ -160,14 +175,42 @@
return ref;
}
+
// --------------------------------------------------------------------------------
// Create an empty SignedInfo
// --------------------------------------------------------------------------------
+// deprecated
+
DOMElement *DSIGSignedInfo::createBlankSignedInfo(canonicalizationMethod cm,
signatureMethod sm,
hashMethod hm) {
+ // This is now deprecated. Because this is so, we go the long way - translate
+ // to URI and then call the "standard" method, which will translate back to
+ // internal enums if possible
+
+ const XMLCh * cURI;
+ safeBuffer sURI;
+
+ if ((cURI = canonicalizationMethod2UNICODEURI(cm)) == NULL) {
+ throw XSECException(XSECException::UnknownCanonicalization,
+ "DSIGSignature::createBlankSignature - Canonicalisation method unknown");
+ }
+
+ if (signatureHashMethod2URI(sURI, sm, hm) == false) {
+ throw XSECException(XSECException::UnknownSignatureAlgorithm,
+ "DSIGSignature::createBlankSignature - Signature/Hash method unknown");
+ }
+
+ return createBlankSignedInfo(cURI, sURI.sbStrToXMLCh());
+
+}
+
+DOMElement * DSIGSignedInfo::createBlankSignedInfo(
+ const XMLCh * canonicalizationAlgorithmURI,
+ const XMLCh * signatureAlgorithmURI) {
+
safeBuffer str;
const XMLCh * prefixNS = mp_env->getDSIGNSPrefix();
@@ -179,9 +222,8 @@
mp_signedInfoNode = ret;
// Now create the algorithm parts
- m_canonicalizationMethod = cm;
- m_signatureMethod = sm;
- m_hashMethod = hm;
+ XSECmapURIToCanonicalizationMethod(canonicalizationAlgorithmURI, m_canonicalizationMethod);
+ XSECmapURIToSignatureMethods(signatureAlgorithmURI, m_signatureMethod, m_hashMethod);
// Canonicalisation
@@ -192,14 +234,8 @@
mp_signedInfoNode->appendChild(canMeth);
mp_env->doPrettyPrint(mp_signedInfoNode);
- if (!canonicalizationMethod2URI(str, cm)) {
-
- throw XSECException(XSECException::SignatureCreationError,
- "Attempt to use undefined Canonicalisation Algorithm in SignedInfo Creation");
-
- }
-
- canMeth->setAttribute(DSIGConstants::s_unicodeStrAlgorithm, str.sbStrToXMLCh());
+ canMeth->setAttribute(DSIGConstants::s_unicodeStrAlgorithm,
+ canonicalizationAlgorithmURI);
// Now the SignatureMethod
@@ -209,14 +245,11 @@
mp_signedInfoNode->appendChild(sigMeth);
mp_env->doPrettyPrint(mp_signedInfoNode);
- if (!signatureHashMethod2URI(str, sm, hm)) {
-
- throw XSECException(XSECException::SignatureCreationError,
- "Attempt to use undefined Signature/Algorithm combination in SignedInfo Creation");
-
- }
+ sigMeth->setAttributeNS(NULL, DSIGConstants::s_unicodeStrAlgorithm,
+ signatureAlgorithmURI);
- sigMeth->setAttribute(DSIGConstants::s_unicodeStrAlgorithm, str.sbStrToXMLCh());
+ // Store the algorithm URI internally
+ mp_algorithmURI = sigMeth->getAttributeNS(NULL, DSIGConstants::s_unicodeStrAlgorithm);
// Create an empty reference list
@@ -226,6 +259,7 @@
}
+
// --------------------------------------------------------------------------------
// Load the SignedInfo
// --------------------------------------------------------------------------------
@@ -332,9 +366,10 @@
"Expected Algorithm attribute in <SignatureMethod>");
}
+
+ mp_algorithmURI = algorithm->getNodeValue();
-
- tmpSB << (*mp_formatter << algorithm->getNodeValue());
+ tmpSB << (*mp_formatter << mp_algorithmURI);
if (tmpSB.sbStrcmp(URI_ID_DSA_SHA1) == 0) {
1.15 +49 -1 xml-security/c/src/dsig/DSIGSignedInfo.hpp
Index: DSIGSignedInfo.hpp
===================================================================
RCS file: /home/cvs/xml-security/c/src/dsig/DSIGSignedInfo.hpp,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- DSIGSignedInfo.hpp 4 Jun 2005 11:30:25 -0000 1.14
+++ DSIGSignedInfo.hpp 5 Jul 2005 11:52:43 -0000 1.15
@@ -155,9 +155,29 @@
* Builds the DOM structures and sets the control
* structures of the SignedInfo
*
+ * @param canonicalizationAlgorithmURI The canonicalisation method to set the SignedInfo as
+ * @param signatureAlgorithmURI Signature Method to use
+ * @param hm Hash method to use (for the SignedInfo, not the references)
+ */
+
+ XERCES_CPP_NAMESPACE_QUALIFIER DOMElement *
+ createBlankSignedInfo(
+ const XMLCh * canonicalizationAlgorithmURI,
+ const XMLCh * signatureAlgorithmURI
+ );
+
+ /**
+ * \brief Create an empty SignedInfo
+ *
+ * Creates the DOM structure for a SignedInfo
+ *
+ * Builds the DOM structures and sets the control
+ * structures of the SignedInfo
+ *
* @param cm The canonicalisation method to set the SignedInfo as
* @param sm Signature Method to use
* @param hm Hash method to use (for the SignedInfo, not the references)
+ * @deprecated Use URI based creation method instead
*/
XERCES_CPP_NAMESPACE_QUALIFIER DOMElement *
@@ -174,11 +194,29 @@
* @param URI What the reference references
* @param hm Digest method to use for the reference
* @param type Reference type
+ * @deprecated Use the algorithmURI based call instead
*/
DSIGReference * createReference(const XMLCh * URI,
hashMethod hm, char * type);
+
+ /**
+ * \brief Create a reference to add to the SignedInfo
+ *
+ * Called by DSIGSignature to create and enter a new reference element
+ *
+ * @param URI What the reference references
+ * @param hashAlgorithmURI Digest method to use for the reference
+ * @param type Reference type
+ */
+
+ DSIGReference * createReference(
+ const XMLCh * URI,
+ const XMLCh * hashAlgorithmURI,
+ const XMLCh * type
+ );
+
//@}
/** @name Getter functions */
@@ -193,6 +231,15 @@
XERCES_CPP_NAMESPACE_QUALIFIER DOMNode *getDOMNode(void);
/**
+ * \brief Get the Algorithm URI
+ *
+ * @returns the URI associated with the Algorithm used to generate
+ * the signature
+ */
+
+ const XMLCh * getAlgorithmURI() {return mp_algorithmURI;}
+
+ /**
* \brief Get the canonicalisation method
*
* @returns Canonicalisation method
@@ -250,6 +297,7 @@
hashMethod m_hashMethod;
DSIGReferenceList * mp_referenceList;
int m_HMACOutputLength;
+ const XMLCh * mp_algorithmURI;
const XSECEnv * mp_env;
// Not implemented constructors