/*
* Lasso - A free implementation of the Liberty Alliance specifications.
*
* Copyright (C) 2004-2011 Entr'ouvert
* http://lasso.entrouvert.org
*
* Authors: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "key.h"
#include "keyprivate.h"
#include "xml/private.h"
#include "xmlsec/xmltree.h"
/*****************************************************************************/
/* private methods */
/*****************************************************************************/
struct _LassoKeyPrivate {
enum _LassoKeyType type;
union {
LassoSignatureContext signature;
} context;
};
#define LASSO_KEY_GET_PRIVATE(o) \
(G_TYPE_INSTANCE_GET_PRIVATE ((o), LASSO_TYPE_KEY, LassoKeyPrivate))
static struct XmlSnippet schema_snippets[] = {
{NULL, 0, 0, NULL, NULL, NULL}
};
static LassoNodeClass *parent_class = NULL;
/*****************************************************************************/
/* instance and class init functions */
/*****************************************************************************/
static void
instance_init(LassoKey *key)
{
key->private_data = LASSO_KEY_GET_PRIVATE(key);
}
static void
dispose(GObject *g_object)
{
LassoKey *key = (LassoKey*)g_object;
if (key->private_data) {
switch (key->private_data->type) {
case LASSO_KEY_TYPE_FOR_SIGNATURE:
lasso_assign_new_signature_context(
key->private_data->context.signature,
LASSO_SIGNATURE_CONTEXT_NONE);
break;
}
}
G_OBJECT_CLASS(parent_class)->dispose(G_OBJECT(key));
}
static void
class_init(LassoKeyClass *klass)
{
LassoNodeClass *nclass = LASSO_NODE_CLASS(klass);
parent_class = g_type_class_peek_parent(klass);
nclass->node_data = g_new0(LassoNodeClassData, 1);
lasso_node_class_set_nodename(nclass, "Key");
lasso_node_class_set_ns(nclass, LASSO_LASSO_HREF, LASSO_LASSO_PREFIX);
lasso_node_class_add_snippets(nclass, schema_snippets);
g_type_class_add_private(klass, sizeof(LassoKeyPrivate));
G_OBJECT_CLASS(klass)->dispose = dispose;
}
GType
lasso_key_get_type()
{
static GType this_type = 0;
if (!this_type) {
static const GTypeInfo this_info = {
sizeof (LassoKeyClass),
NULL,
NULL,
(GClassInitFunc) class_init,
NULL,
NULL,
sizeof(LassoKey),
0,
(GInstanceInitFunc) instance_init,
NULL
};
this_type = g_type_register_static(LASSO_TYPE_NODE,
"LassoKey", &this_info, 0);
}
return this_type;
}
static LassoKey*
lasso_key_new()
{
return g_object_new(LASSO_TYPE_KEY, NULL);
}
static LassoKey*
lasso_key_new_for_signature_from_context(LassoSignatureContext context) {
LassoKey *key = lasso_key_new();
key->private_data->type = LASSO_KEY_TYPE_FOR_SIGNATURE;
lasso_assign_new_signature_context(
key->private_data->context.signature, context);
if (! lasso_validate_signature_context(key->private_data->context.signature)) {
lasso_release_gobject(key);
}
return key;
}
/**
* lasso_key_new_for_signature_from_file:
* @filename_or_buffer: a file path of a string containing the key PEM or Base64 encoded
* @password: an eventual password to decoded the private key contained in @buffer
* @signature_method: the signature method to associate to this key
* @certificate: a certificate as a file path or PEM encoded in a NULL-terminated string, to
* associate with the key, it will be used to fill the KeyInfo node in an eventual signature.
*
* Create a new #LassoKey object, you can use it to sign XML message or to specify the key of a
* provider.
*
* Return value:(transfer full): a newly allocated #LassoKey object
*/
LassoKey*
lasso_key_new_for_signature_from_file(char *filename_or_buffer,
char *password,
LassoSignatureMethod signature_method,
char *certificate) {
return lasso_key_new_for_signature_from_context(
lasso_make_signature_context_from_path_or_string(filename_or_buffer,
password,
signature_method,
certificate));
}
/**
* lasso_key_new_for_signature_from_memory:
* @buffer: a byte buffer of size @size
* @size: the size of @buffer
* @password: an eventual password to decoded the private key contained in @buffer
* @signature_method: the signature method to associate to this key
* @certificate: a certificate as a file path or PEM encoded in a NULL-terminated string, to
* associate with the key, it will be used to fill the KeyInfo node in an eventual signature.
*
* Create a new #LassoKey object, you can use it to sign XML message or to specify the key of a
* provider.
*
* Return value:(transfer full): a newly allocated #LassoKey object
*/
LassoKey*
lasso_key_new_for_signature_from_memory(const void *buffer,
size_t size,
char *password,
LassoSignatureMethod signature_method,
char *certificate)
{
return lasso_key_new_for_signature_from_context(
lasso_make_signature_context_from_buffer(buffer,
size,
password,
signature_method,
certificate));
}
/**
* lasso_key_new_for_signature_from_base64_string:
* @base64_string: a NULL-terminated string containing a base64 encode representation of the key
* @password: an eventual password to decoded the private key contained in @buffer
* @signature_method: the signature method to associate to this key
* @certificate: a certificate as a file path or PEM encoded in a NULL-terminated string, to
* associate with the key, it will be used to fill the KeyInfo node in an eventual signature.
*
* Create a new #LassoKey object, you can use it to sign XML message or to specify the key of a
* provider.
*
* Return value:(transfer full): a newly allocated #LassoKey object
*/
LassoKey*
lasso_key_new_for_signature_from_base64_string(char *base64_string,
char *password,
LassoSignatureMethod signature_method,
char *certificate)
{
LassoKey *key = NULL;
char *buffer = NULL;
int length = 0;
if (lasso_base64_decode(base64_string, &buffer, &length)) {
key = lasso_key_new_for_signature_from_context(
lasso_make_signature_context_from_buffer(buffer,
length,
password,
signature_method,
certificate));
lasso_release_string(buffer);
}
return key;
}
static xmlNode *
find_xmlnode_with_saml2_id(xmlNode *xmlnode, const char *id)
{
xmlNode *found = NULL;
xmlNode *t;
if (! xmlnode)
return NULL;
if (xmlHasProp(xmlnode, BAD_CAST "ID")) {
xmlChar *value;
value = xmlGetProp(xmlnode, BAD_CAST "ID");
if (lasso_strisequal((char*)value, id)) {
found = xmlnode;
}
xmlFree(value);
}
if (found) {
return found;
}
t = xmlSecGetNextElementNode(xmlnode->children);
while (t) {
found = find_xmlnode_with_saml2_id(t, id);
if (found) {
return found;
}
t = xmlSecGetNextElementNode(t->next);
}
return NULL;
}
/**
* lasso_key_saml2_xml_verify:
* @key: a #LassoKey object
* @id: the value of the ID attribute of signed node
* @document: the document containing the signed node
*
* Verify the first signature node child of the node with the given id. It follows from the profile
* of XMLDsig used by the SAML 2.0 specification.
*
* Return value: 0 if the signature validate, an error code otherwise.
*/
lasso_error_t
lasso_key_saml2_xml_verify(LassoKey *key, char *id, xmlNode *document)
{
xmlNode *signed_node;
LassoSignatureContext signature_context;
signed_node = find_xmlnode_with_saml2_id(document, id);
if (! signed_node) {
return LASSO_DS_ERROR_INVALID_REFERENCE_FOR_SAML;
}
signature_context = lasso_key_get_signature_context(key);
return lasso_verify_signature(signed_node, signed_node->doc, "ID", NULL,
signature_context.signature_key, NO_OPTION, NULL);
}
/**
* lasso_key_saml2_xml_sign:
* @key: a #LassoKey object
* @id: the value of the ID attribute of signed node
* @document: the document containing the signed node
*
* Sign the first signature node child of the node with the given id. It no signature node is found
* a new one is added at the end of the children list of the signed node.
*
* The passed document node is modified in-place.
*
* Return value: The modified xmlNode object, or NULL if the signature failed.
*/
xmlNode*
lasso_key_saml2_xml_sign(LassoKey *key, const char *id, xmlNode *document)
{
xmlNode *signed_node;
LassoSignatureContext signature_context;
signed_node = find_xmlnode_with_saml2_id(document, id);
if (! signed_node) {
return NULL;
}
signature_context = lasso_key_get_signature_context(key);
lasso_xmlnode_add_saml2_signature_template(signed_node, signature_context, id);
if (lasso_sign_node(signed_node, signature_context,
"ID", id) == 0) {
return document;
} else {
return NULL;
}
}
/**
* lasso_key_query_verify:
* key: a #LassoKey object
* query: a raw HTTP query string
*
* Check if this query string contains a proper SAML2 signature for this key.
*
* Return value: 0 if a valid signature was found, an error code otherwise.
*/
lasso_error_t
lasso_key_query_verify(LassoKey *key, const char *query)
{
LassoSignatureContext signature_context;
lasso_bad_param(KEY, key);
signature_context = lasso_key_get_signature_context(key);
if (! lasso_validate_signature_context(signature_context))
return LASSO_ERROR_UNDEFINED;
return lasso_saml2_query_verify_signature(query, signature_context.signature_key);
}
/**
* lasso_key_query_verify:
* key: a #LassoKey object
* query: a raw HTTP query string
*
* Sign the given query string using the given key.
*
* Return value: the signed query string.
*/
char*
lasso_key_query_sign(LassoKey *key, const char *query)
{
LassoSignatureContext signature_context;
if (! LASSO_IS_KEY(key))
return NULL;
signature_context = lasso_key_get_signature_context(key);
if (! lasso_validate_signature_context(signature_context))
return NULL;
return lasso_query_sign((char*)query, signature_context);
}
/**
* lasso_key_get_signature_context:
* @key: a #LassoKey object
*
* Private method to extract the signature context embedded in a LassoKey object.
*
* Return value: a #LassoSignatureContext structure value.
*/
LassoSignatureContext
lasso_key_get_signature_context(LassoKey *key) {
if (key->private_data && key->private_data->type == LASSO_KEY_TYPE_FOR_SIGNATURE) {
return key->private_data->context.signature;
}
return LASSO_SIGNATURE_CONTEXT_NONE;
}
/**
* lasso_key_get_key_type:
* @key: a #LassoKey object
*
* Return the type of key, i.e. which operation it supports.
*/
LassoKeyType
lasso_key_get_key_type(LassoKey *key) {
lasso_return_val_if_fail(LASSO_IS_KEY(key),
LASSO_KEY_TYPE_FOR_SIGNATURE);
return key->private_data->type;
}