[xmltooling] 06/15: CPPXT-114 Allow EC keys for the ExplicitKeyTrustEngine

Ferenc Wágner wferi at moszumanska.debian.org
Fri Sep 8 22:04:27 UTC 2017



commit 65cbff564464ead62e1f7b3053b5a0655883436a
Author: Rod Widdowson <rdw at steadingsoftware.com>
Date:   Mon Feb 13 16:14:55 2017 +0000

    CPPXT-114 Allow EC keys for the ExplicitKeyTrustEngine
    
    https://issues.shibboleth.net/jira/browse/CPPXT-114
    
    A reasonably complex change due to some refactoring to bring in some commonality
    between various places that used to look inside XSECCryptoKey.
    
    1) Introduce a new module impl/OpenSSLSecurityHelper which knows how to
    compare bare OpenSSL types (RSA*, EC_KEY*, DSA*) against a  XSECCryptoKey.
    
    2) Use this to refactor SecurityHelper::matches (which compares two XSECCryptoKey&)
    
    3) Also use this to refactor ExplicitKeyTrustEngine::validate (which compares a
    EVP_PKEY with a XSECCryptoKey).
    
    The last is a fairly dramatic refactor since we can flatten out a bit of code,
    bail early in a lot of cases, and exbed a
    
    X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE)) / EVP_PKEY_free
    
    pair to outside the loop.
    
    Note that this relies on the comparison being commutative, which I have convinced
    myself is true.
    
    Update the VC15 and VC10 build and the automake build to teach them about the
    new header and source files (the last two being 'blind changes').
    
    Finally, this checkin turns on the EC test which was previously suppressed.
---
 Projects/vc10/xmltooling/xmltooling.vcxproj        |   1 +
 .../vc10/xmltooling/xmltooling.vcxproj.filters     |   7 +-
 Projects/vc14/xmltooling/xmltooling.vcxproj        |   1 +
 .../vc14/xmltooling/xmltooling.vcxproj.filters     |  10 +-
 xmltooling/Makefile.am                             |   2 +
 xmltooling/security/OpenSSLSecurityHelper.h        |  65 ++++++++++++
 .../security/impl/ExplicitKeyTrustEngine.cpp       |  86 ++++++++--------
 xmltooling/security/impl/OpenSSLSecurityHelper.cpp | 113 +++++++++++++++++++++
 xmltooling/security/impl/SecurityHelper.cpp        |  52 ++--------
 xmltoolingtest/ExplicitKeyTrustEngineTest.h        |   3 +-
 10 files changed, 250 insertions(+), 90 deletions(-)

diff --git a/Projects/vc10/xmltooling/xmltooling.vcxproj b/Projects/vc10/xmltooling/xmltooling.vcxproj
index 3aa749f..73a1db1 100644
--- a/Projects/vc10/xmltooling/xmltooling.vcxproj
+++ b/Projects/vc10/xmltooling/xmltooling.vcxproj
@@ -194,6 +194,7 @@
     <ClCompile Include="..\..\..\XMLTooling\Lockable.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\Namespace.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\QName.cpp" />
+    <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSecurityHelper.cpp" />
     <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSupport.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\security\impl\PKIXPathValidator.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\unicode.cpp" />
diff --git a/Projects/vc10/xmltooling/xmltooling.vcxproj.filters b/Projects/vc10/xmltooling/xmltooling.vcxproj.filters
index a3e2882..2c89814 100644
--- a/Projects/vc10/xmltooling/xmltooling.vcxproj.filters
+++ b/Projects/vc10/xmltooling/xmltooling.vcxproj.filters
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
@@ -276,6 +276,9 @@
     <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSupport.cpp">
       <Filter>Source Files\security\impl</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSecurityHelper.cpp">
+      <Filter>Source Files\security\impl</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\..\..\XMLTooling\AbstractAttributeExtensibleXMLObject.h">
@@ -540,4 +543,4 @@
     <None Include="..\..\..\XMLTooling\config_pub.h.in" />
     <None Include="..\..\..\XMLTooling\Makefile.am" />
   </ItemGroup>
-</Project>
\ No newline at end of file
+</Project>
diff --git a/Projects/vc14/xmltooling/xmltooling.vcxproj b/Projects/vc14/xmltooling/xmltooling.vcxproj
index b195cf0..a6f88e7 100644
--- a/Projects/vc14/xmltooling/xmltooling.vcxproj
+++ b/Projects/vc14/xmltooling/xmltooling.vcxproj
@@ -209,6 +209,7 @@
     <ClCompile Include="..\..\..\XMLTooling\Lockable.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\Namespace.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\QName.cpp" />
+    <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSecurityHelper.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\security\impl\PKIXPathValidator.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\unicode.cpp" />
     <ClCompile Include="..\..\..\XMLTooling\util\CloneInputStream.cpp" />
diff --git a/Projects/vc14/xmltooling/xmltooling.vcxproj.filters b/Projects/vc14/xmltooling/xmltooling.vcxproj.filters
index 40ac451..53a6400 100644
--- a/Projects/vc14/xmltooling/xmltooling.vcxproj.filters
+++ b/Projects/vc14/xmltooling/xmltooling.vcxproj.filters
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
@@ -270,6 +270,12 @@
     <ClCompile Include="..\..\..\XMLTooling\util\CloneInputStream.cpp">
       <Filter>Source Files\util</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSupport.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\xmltooling\security\impl\OpenSSLSecurityHelper.cpp">
+      <Filter>Source Files\security\impl</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\..\..\XMLTooling\AbstractAttributeExtensibleXMLObject.h">
@@ -531,4 +537,4 @@
     <None Include="..\..\..\XMLTooling\config_pub.h.in" />
     <None Include="..\..\..\XMLTooling\Makefile.am" />
   </ItemGroup>
-</Project>
+</Project>
\ No newline at end of file
diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am
index 6737261..6c8f8f2 100644
--- a/xmltooling/Makefile.am
+++ b/xmltooling/Makefile.am
@@ -58,6 +58,7 @@ encinclude_HEADERS = \
 implinclude_HEADERS = \
 	impl/AnyElement.h \
 	security/impl/OpenSSLSupport.h \
+	security/OpenSSLSecurityHelper.h \
 	impl/UnknownElement.h
 
 ioinclude_HEADERS = \
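Review bot: `security/OpenSSLSecurityHelper.h` is appended to `implinclude_HEADERS`, whose other entries live under `impl/` or `security/impl/`, although the new header sits in `security/` and documents itself as `xmltooling/security/OpenSSLSecurityHelper.h`. If that variable installs into the impl include directory, as its name and neighbours suggest, the header will land at a path that does not match the `xmltooling/security/...` location consumers would include. The commit message calls the automake edit a blind change; there is presumably a security-headers variable alongside `encinclude_HEADERS`/`ioinclude_HEADERS` where it belongs, and that should be confirmed with an install run.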
@@ -149,6 +150,7 @@ xmlsec_sources = \
 	security/impl/KeyInfoResolver.cpp \
 	security/impl/OpenSSLCryptoX509CRL.cpp \
 	security/impl/OpenSSLSupport.cpp \
+	security/impl/OpenSSLSecurityHelper.cpp \
 	security/impl/PKIXPathValidator.cpp \
 	security/impl/SecurityHelper.cpp \
 	security/impl/StaticPKIXTrustEngine.cpp \
diff --git a/xmltooling/security/OpenSSLSecurityHelper.h b/xmltooling/security/OpenSSLSecurityHelper.h
new file mode 100644
index 0000000..0ed6d89
--- /dev/null
+++ b/xmltooling/security/OpenSSLSecurityHelper.h
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
+ */
+
+/**
+ * @file xmltooling/security/OpenSSLSecurityHelper.h
+ *
+ * A helper class for working with OpenSSL keys.
+ */
+
+#if !defined(__xmltooling_opensslsechelper_h__) && !defined(XMLTOOLING_NO_XMLSEC) && defined (XSEC_HAVE_OPENSSL)
+#define __xmltooling_opensslsechelper_h__
+
+#include <xmltooling/base.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+
+#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
+# include <xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.hpp>
+#endif
+
+
+namespace xmltooling {
+    /**
+     * A helper class for working with OpenSSL keys.
+     */
+    class XMLTOOL_API OpenSSLSecurityHelper
+    {
+    public:
+        /**
+         * Compares two keys for equality.
+         *
+         * @param key1 first key to compare
+         * @param key2 second key to compare
+         * @return  true iff the keys match
+         */
+        static bool matchesPublic(const RSA* rsa, const XSECCryptoKey& key);
+        static bool matchesPrivate(const RSA* rsa, const XSECCryptoKey& key);
+        static bool matchesPublic(const DSA* dsa1, const XSECCryptoKey& key);
+        static bool matchesPrivate(const DSA* dsa, const XSECCryptoKey& key);
+#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
+        static bool matchesPublic(const EC_KEY* ec, const XSECCryptoKey& key);
+        static bool matchesPrivate(const EC_KEY* ec, const XSECCryptoKey& key);
+#endif
+    };
+};
+
+#endif /* __xmltooling_sechelper_h__ */
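Review bot: The Doxygen block above matchesPublic documents parameters `key1` and `key2`, which none of the six overloads have, and it is attached only to the first declaration; rewrite it to describe the actual contract: each overload compares the public (matchesPublic) or private (matchesPrivate) half of the given OpenSSL key with the same half of `key`, returns false when `key` is not of a matching algorithm/type, and requires `key` to come from the OpenSSL XSEC provider because the implementation static_casts it without a check. The closing comment `#endif /* __xmltooling_sechelper_h__ */` names a different guard than the `__xmltooling_opensslsechelper_h__` defined at the top, and `<openssl/evp.h>` is included twice while `<openssl/dsa.h>`/`<openssl/ec.h>` are not, so the DSA and EC_KEY names used in the declarations depend on what evp.h pulls in transitively. The EC overloads exist only when XMLTOOLING_OPENSSL_HAVE_EC is set, yet on WIN32 that macro is defined by each includer (the include hunks of ExplicitKeyTrustEngine.cpp and OpenSSLSecurityHelper.cpp both repeat the `#ifdef WIN32` block before including this header), so the class's declared shape depends on what the includer did first; defining it once here, or in the configuration header, removes that fragility.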
diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index a4a5dd2..75a782e 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -41,6 +41,14 @@
 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
 
+#ifdef WIN32
+# if (OPENSSL_VERSION_NUMBER >= 0x00907000)
+#  define XMLTOOLING_OPENSSL_HAVE_EC 1
+# endif
+#endif
+
+#include "security/OpenSSLSecurityHelper.h"
+#include <openssl/ec.h>
 
 using namespace xmlsignature;
 using namespace xmltooling::logging;
@@ -251,51 +259,43 @@ bool ExplicitKeyTrustEngine::validate(
     // peer resolver to verify the EE certificate.
 
     log.debug("attempting to match credentials from peer with end-entity certificate");
-    for (vector<const Credential*>::const_iterator c=credentials.begin(); c!=credentials.end(); ++c) {
+    bool found = false;
+    EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
+    if (!evp)
+        return false;
+
+    for (vector<const Credential*>::const_iterator c=credentials.begin(); c != credentials.end(); ++c) {
         XSECCryptoKey* key = (*c)->getPublicKey();
-        if (key) {
-            if (key->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
-                log.error("only the OpenSSL XSEC provider is supported");
-                continue;
-            }
-            switch (key->getKeyType()) {
-                case XSECCryptoKey::KEY_RSA_PUBLIC:
-                {
-                    RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
-                    EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (rsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_RSA &&
-                            BN_cmp(RSA_get0_n(rsa),RSA_get0_n(EVP_PKEY_get0_RSA(evp))) == 0 && BN_cmp(RSA_get0_e(rsa), RSA_get0_e(EVP_PKEY_get0_RSA(evp))) == 0) {
-                        if (evp)
-                            EVP_PKEY_free(evp);
-                        log.debug("end-entity certificate matches peer RSA key information");
-                        return true;
-                    }
-                    if (evp)
-                        EVP_PKEY_free(evp);
-                    break;
-                }
-                
-                case XSECCryptoKey::KEY_DSA_PUBLIC:
-                {
-                    DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
-                    EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (dsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(EVP_PKEY_get0_DSA(evp))) == 0) {
-                        if (evp)
-                            EVP_PKEY_free(evp);
-                        log.debug("end-entity certificate matches peer DSA key information");
-                        return true;
-                    }
-                    if (evp)
-                        EVP_PKEY_free(evp);
-                    break;
-                }
+        if (!key)
+            continue;
+        if (key->getProviderName() != DSIGConstants::s_unicodeStrPROVOpenSSL) {
+            log.error("only the OpenSSL XSEC provider is supported");
+            continue;
+        }
 
-                default:
-                    log.warn("unknown peer key type, skipping...");
+        if (EVP_PKEY_id(evp) == EVP_PKEY_RSA) {
+            found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_RSA(evp), *key);
+            if (found) {
+                log.debug("end-entity certificate matches peer RSA key information");
+                break;
             }
-        }
+        } else if (EVP_PKEY_id(evp) == EVP_PKEY_DSA) {
+            found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_DSA(evp), *key);
+            if (found) {
+                log.debug("end-entity certificate matches peer RSA key information");
+                break;
+            }
+        } else if (EVP_PKEY_id(evp) == EVP_PKEY_EC) {
+            found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_EC_KEY(evp), *key);
+            if (found) {
+                log.debug("end-entity certificate matches peer RSA key information");
+                break;
+            }
+        } else
+            log.warn("unknown peer key type, skipping...");
     }
-
-    log.debug("no keys within this peer's key information matched the given end-entity certificate");
-    return false;
+    EVP_PKEY_free(evp);
+    if (!found)
+        log.debug("no keys within this peer's key information matched the given end-entity certificate");
+    return found;
 }
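Review bot: The DSA and EC branches both log `end-entity certificate matches peer RSA key information`, so a DSA or EC match is reported as RSA; they should read `... peer DSA key information` and `... peer EC key information`. The EC branch (EVP_PKEY_get0_EC_KEY and the EC_KEY* overload of matchesPublic) is compiled unconditionally, while the header declares that overload only under `XMLTOOLING_XMLSEC_ECC && XMLTOOLING_OPENSSL_HAVE_EC`, so a build without EC support would presumably fail to compile here and needs the same guard. EVP_PKEY_id(evp) is loop-invariant, so the "unknown peer key type" warning — which now describes the certificate's key rather than the peer's — fires once per credential; evaluating the type once before the loop lets the unsupported case warn once, free evp and return. validate() begins before this hunk, and evp is released only on the normal path, so anything thrown inside the loop would leak it — a small RAII holder for the EVP_PKEY would close that.
```cpp
    EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
    if (!evp)
        return false;
    // The EE certificate's key type does not change per credential: reject
    // unsupported types once, before the loop, instead of warning per credential.
    const int eeKeyType = EVP_PKEY_id(evp);
    if (eeKeyType != EVP_PKEY_RSA && eeKeyType != EVP_PKEY_DSA
#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
        && eeKeyType != EVP_PKEY_EC
#endif
        ) {
        log.warn("unsupported end-entity certificate key type, skipping...");
        EVP_PKEY_free(evp);
        return false;
    }

    for (vector<const Credential*>::const_iterator c=credentials.begin(); c != credentials.end(); ++c) {
        // … unchanged: null key and provider checks …
        if (eeKeyType == EVP_PKEY_RSA) {
            found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_RSA(evp), *key);
            if (found)
                log.debug("end-entity certificate matches peer RSA key information");
        } else if (eeKeyType == EVP_PKEY_DSA) {
            found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_DSA(evp), *key);
            if (found)
                log.debug("end-entity certificate matches peer DSA key information");
        }
#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
        else if (eeKeyType == EVP_PKEY_EC) {
            found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_EC_KEY(evp), *key);
            if (found)
                log.debug("end-entity certificate matches peer EC key information");
        }
#endif
        if (found)
            break;
    }
    // … unchanged: EVP_PKEY_free(evp), final debug message, return found …
```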
diff --git a/xmltooling/security/impl/OpenSSLSecurityHelper.cpp b/xmltooling/security/impl/OpenSSLSecurityHelper.cpp
new file mode 100644
index 0000000..7c241d0
--- /dev/null
+++ b/xmltooling/security/impl/OpenSSLSecurityHelper.cpp
@@ -0,0 +1,113 @@
+/**
+* Licensed to the University Corporation for Advanced Internet
+* Development, Inc. (UCAID) under one or more contributor license
+* agreements. See the NOTICE file distributed with this work for
+* additional information regarding copyright ownership.
+*
+* UCAID licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License. You may obtain a copy of the
+* License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+* either express or implied. See the License for the specific
+* language governing permissions and limitations under the License.
+*/
+
+/**
+* @file xmltooling/security/OpenSSLSecurityHelper.cpp
+*
+* A helper class for working with OpenSSL keys.
+*/
+#include "internal.h"
+#include "logging.h"
+#include "security/impl/OpenSSLSupport.h"
+
+#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
+#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
+#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
+
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+
+#ifdef WIN32
+# if (OPENSSL_VERSION_NUMBER >= 0x00907000)
+#  define XMLTOOLING_OPENSSL_HAVE_EC 1
+# endif
+#endif
+
+#include "security/OpenSSLSecurityHelper.h"
+
+#if !defined(XMLTOOLING_NO_XMLSEC) && defined (XSEC_HAVE_OPENSSL)
+
+using namespace xmltooling::logging;
+using namespace xmltooling;
+
+bool OpenSSLSecurityHelper::matchesPublic(const RSA* rsa, const XSECCryptoKey& key)
+{
+    // If one key is public or both, just compare the public key half.
+    if (key.getKeyType() != XSECCryptoKey::KEY_RSA_PUBLIC && key.getKeyType() != XSECCryptoKey::KEY_RSA_PAIR)
+        return false;
+
+    const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key).getOpenSSLRSA();
+    return (rsa1 && rsa && BN_cmp(RSA_get0_n(rsa1), RSA_get0_n(rsa)) == 0 && BN_cmp(RSA_get0_e(rsa1), RSA_get0_e(rsa)) == 0);
+}
+bool OpenSSLSecurityHelper::matchesPrivate(const RSA* rsa, const XSECCryptoKey& key)
+{
+    // For a private key, compare the private half.
+    if (key.getKeyType() != XSECCryptoKey::KEY_RSA_PRIVATE && key.getKeyType() != XSECCryptoKey::KEY_RSA_PAIR)
+        return false;
+
+    const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key).getOpenSSLRSA();
+    return (rsa && rsa2 && BN_cmp(RSA_get0_n(rsa), RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa), RSA_get0_d(rsa2)) == 0);
+}
+bool OpenSSLSecurityHelper::matchesPublic(const DSA* dsa, const XSECCryptoKey& key)
+{
+    // If one key is public or both, just compare the public key half.
+    if (key.getKeyType() != XSECCryptoKey::KEY_DSA_PUBLIC && key.getKeyType() != XSECCryptoKey::KEY_DSA_PAIR)
+        return false;
+
+    const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key).getOpenSSLDSA();
+    return (dsa && dsa2 && BN_cmp(DSA_get0_pubkey(dsa), DSA_get0_pubkey(dsa2)) == 0);
+}
+bool OpenSSLSecurityHelper::matchesPrivate(const DSA* dsa, const XSECCryptoKey& key)
+{
+    // For a private key, compare the private half.
+    if (key.getKeyType() != XSECCryptoKey::KEY_DSA_PRIVATE && key.getKeyType() != XSECCryptoKey::KEY_DSA_PAIR)
+        return false;
+
+    const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key).getOpenSSLDSA();
+    return (dsa && dsa2 && BN_cmp(DSA_get0_privkey(dsa), DSA_get0_privkey(dsa2)) == 0);
+}
+#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
+bool OpenSSLSecurityHelper::matchesPublic(const EC_KEY* ec, const XSECCryptoKey& key)
+{
+    // If one key is public or both, just compare the public key half.
+    if (key.getKeyType() != XSECCryptoKey::KEY_EC_PUBLIC && key.getKeyType() != XSECCryptoKey::KEY_EC_PAIR)
+        return false;
+
+    const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key).getOpenSSLEC();
+    if (!ec || !ec2)
+        return false;
+
+    if (EC_GROUP_cmp(EC_KEY_get0_group(ec), EC_KEY_get0_group(ec2), nullptr) != 0)
+        return false;
+
+    return (EC_POINT_cmp(EC_KEY_get0_group(ec), EC_KEY_get0_public_key(ec), EC_KEY_get0_public_key(ec2), nullptr) == 0);
+}
+bool OpenSSLSecurityHelper::matchesPrivate(const EC_KEY* ec, const XSECCryptoKey& key)
+{
+    // For a private key, compare the private half.
+    if (key.getKeyType() != XSECCryptoKey::KEY_EC_PRIVATE && key.getKeyType() != XSECCryptoKey::KEY_EC_PAIR)
+        return false;
+
+    const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key).getOpenSSLEC();
+    return (ec && ec2 && BN_cmp(EC_KEY_get0_private_key(ec), EC_KEY_get0_private_key(ec2)) == 0);
+}
+#endif
+#endif
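Review bot: The private-half comparisons (matchesPrivate for RSA, DSA and EC) pass the results of RSA_get0_d / DSA_get0_privkey / EC_KEY_get0_private_key straight to BN_cmp, and BN_cmp reports two NULL operands as equal, so a key typed PRIVATE/PAIR whose private component happens to be absent could be reported as matching another such key. Check the components before comparing, e.g. for RSA `const BIGNUM* d1 = RSA_get0_d(rsa); const BIGNUM* d2 = RSA_get0_d(rsa2);` followed by `return rsa && rsa2 && d1 && d2 && BN_cmp(RSA_get0_n(rsa), RSA_get0_n(rsa2)) == 0 && BN_cmp(d1, d2) == 0;`, and likewise for the DSA and EC overloads. Every overload static_casts `key` to its OpenSSL subclass without checking getProviderName(), so the cast is sound only when the caller has already done that check (the two callers in this commit do); a one-line precondition above each definition, `// Precondition: key comes from the OpenSSL XSEC provider (caller has checked getProviderName()).`, would make the contract visible at the point of risk. `logging.h` and the `using namespace xmltooling::logging` are unused in this file.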
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index e53ed8d..9dc7f18 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -54,6 +54,8 @@
 # include <xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.hpp>
 #endif
 
+#include "security/OpenSSLSecurityHelper.h"
+
 using namespace xmltooling::logging;
 using namespace xmltooling;
 using namespace std;
@@ -481,63 +483,29 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
         return false;
     }
 
-    // If one key is public or both, just compare the public key half.
     if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_RSA_PAIR) {
-        if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
-            return false;
-        const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
-        const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_e(rsa1),RSA_get0_e(rsa2)) == 0);
+        return OpenSSLSecurityHelper::matchesPublic(static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA(), key2);
     }
 
-    // For a private key, compare the private half.
     if (key1.getKeyType()==XSECCryptoKey::KEY_RSA_PRIVATE) {
-        if (key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_RSA_PAIR)
-            return false;
-        const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
-        const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa1),RSA_get0_d(rsa2)) == 0);
+        return OpenSSLSecurityHelper::matchesPrivate(static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA(), key2);
     }
 
-    // If one key is public or both, just compare the public key half.
     if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_DSA_PAIR) {
-        if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
-            return false;
-        const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
-        const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
-        return (dsa1 && dsa2 && BN_cmp(DSA_get0_pubkey(dsa1),DSA_get0_pubkey(dsa2)) == 0);
+        return OpenSSLSecurityHelper::matchesPublic(static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA(), key2);
     }
 
-    // For a private key, compare the private half.
     if (key1.getKeyType()==XSECCryptoKey::KEY_DSA_PRIVATE) {
-        if (key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_DSA_PAIR)
-            return false;
-        const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
-        const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
-        return (dsa1 && dsa2 && BN_cmp(DSA_get0_privkey(dsa1),DSA_get0_privkey(dsa2)) == 0);
+        return OpenSSLSecurityHelper::matchesPrivate(static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA(), key2);
     }
 
 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
-    // If one key is public or both, just compare the public key half.
     if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PUBLIC || key1.getKeyType()==XSECCryptoKey::KEY_EC_PAIR) {
-        if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PUBLIC && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
-            return false;
-        const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
-        const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
-        if (!ec1 || !ec2)
-            return false;
-        if (EC_GROUP_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_group(ec2), nullptr) != 0)
-            return false;
-        return (EC_POINT_cmp(EC_KEY_get0_group(ec1), EC_KEY_get0_public_key(ec1), EC_KEY_get0_public_key(ec2), nullptr) == 0);
-    }
-
-    // For a private key, compare the private half.
+        return OpenSSLSecurityHelper::matchesPublic(static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC(), key2);
+    }
+
     if (key1.getKeyType()==XSECCryptoKey::KEY_EC_PRIVATE) {
-        if (key2.getKeyType()!=XSECCryptoKey::KEY_EC_PRIVATE && key2.getKeyType()!=XSECCryptoKey::KEY_EC_PAIR)
-            return false;
-        const EC_KEY* ec1 = static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC();
-        const EC_KEY* ec2 = static_cast<const OpenSSLCryptoKeyEC&>(key2).getOpenSSLEC();
-        return (ec1 && ec2 && BN_cmp(EC_KEY_get0_private_key(ec1), EC_KEY_get0_private_key(ec2)) == 0);
+        return OpenSSLSecurityHelper::matchesPrivate(static_cast<const OpenSSLCryptoKeyEC&>(key1).getOpenSSLEC(), key2);
     }
 #endif
 
diff --git a/xmltoolingtest/ExplicitKeyTrustEngineTest.h b/xmltoolingtest/ExplicitKeyTrustEngineTest.h
index 8af3b72..f45e350 100644
--- a/xmltoolingtest/ExplicitKeyTrustEngineTest.h
+++ b/xmltoolingtest/ExplicitKeyTrustEngineTest.h
@@ -79,7 +79,8 @@ public:
         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
         pathname = data_path + "dsa-cert.pem";
         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
-        // no EC CPPXT-114
+        pathname = data_path + "ec-cert.pem";
+        SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
 
         for (vector<XSECCryptoX509*>::const_iterator cert=certs.begin(); cert!=certs.end(); ++cert) {
             // certs is ignore but must be present
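Review bot: The new ec-cert.pem load runs on every build, while EC matching in the engine and helper is compiled only under `XMLTOOLING_XMLSEC_ECC && XMLTOOLING_OPENSSL_HAVE_EC`; on a build without EC support the EC certificate would presumably be loaded and then never match, so the test would fail rather than be skipped. Wrap the two added lines in the same `#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)` guard, or gate the EC expectation on it. The enclosing test method starts before this hunk and continues after it.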
