author | Anas Nashif <anas.nashif@intel.com> | 2013-09-20 04:45:41 -0400 |
---|---|---|
committer | Anas Nashif <anas.nashif@intel.com> | 2013-09-20 04:45:41 -0400 |
commit | 6b6383d52bc147134bb6b60b07e924b176c67e3a (patch) | |
tree | 9753a1ec40b1fbe2acfaa881af46e3c0f7da6401 /examples | |
parent | 07bb297329b9e9754d09dcb6d70417272a626619 (diff) | |
Imported Upstream version 1.2.19
Diffstat (limited to 'examples')
-rw-r--r-- | examples/Makefile | 2 | ||||
-rw-r--r-- | examples/decrypt1.c | 102 | ||||
-rw-r--r-- | examples/decrypt2.c | 164 | ||||
-rw-r--r-- | examples/decrypt3.c | 181 | ||||
-rw-r--r-- | examples/encrypt1.c | 93 | ||||
-rw-r--r-- | examples/encrypt2.c | 100 | ||||
-rw-r--r-- | examples/encrypt3.c | 137 | ||||
-rw-r--r-- | examples/mywin32make.bat | 2 | ||||
-rw-r--r-- | examples/sign1.c | 86 | ||||
-rw-r--r-- | examples/sign2.c | 104 | ||||
-rw-r--r-- | examples/sign3.c | 108 | ||||
-rw-r--r-- | examples/verify1.c | 88 | ||||
-rw-r--r-- | examples/verify2.c | 150 | ||||
-rw-r--r-- | examples/verify3.c | 113 | ||||
-rw-r--r-- | examples/verify4.c | 129 | ||||
-rw-r--r-- | examples/xkms-server.c | 447 | ||||
-rw-r--r-- | examples/xmldsigverify.c | 212 |
17 files changed, 1241 insertions, 977 deletions
diff --git a/examples/Makefile b/examples/Makefile index 5c87150f..a237b987 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -11,7 +11,7 @@ PROGRAMS = \ CC = gcc CFLAGS += -g $(shell xmlsec1-config --cflags) -DUNIX_SOCKETS -LDFLAGS += -g $(shell xmlsec1-config --libs) +LDLIBS += -g $(shell xmlsec1-config --libs) all: $(PROGRAMS) diff --git a/examples/decrypt1.c b/examples/decrypt1.c index bfc1dd03..39ad1039 100644 --- a/examples/decrypt1.c +++ b/examples/decrypt1.c @@ -4,11 +4,11 @@ * Decrypts encrypted XML file using a single DES key from a binary file * * Usage: - * ./decrypt1 <xml-enc> <des-key-file> + * ./decrypt1 <xml-enc> <des-key-file> * * Example: - * ./decrypt1 encrypt1-res.xml deskey.bin - * ./decrypt1 encrypt2-res.xml deskey.bin + * ./decrypt1 encrypt1-res.xml deskey.bin + * ./decrypt1 encrypt2-res.xml deskey.bin * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -25,6 +25,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -36,12 +37,16 @@ int decrypt_file(const char* enc_file, const char* key_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <enc-file> <key-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <enc-file> <key-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
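Review bot: In examples/Makefile the new `LDLIBS` line still carries `-g`, which is a debug option rather than a library. LDLIBS is expected to hold only what goes after the objects on the link line, so the option belongs with the linker flags. I would split it into `LDFLAGS += -g` and `LDLIBS += $(shell xmlsec1-config --libs)`.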
@@ -52,17 +57,30 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
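Review bot: The XSLT lockdown added here fails open, because the result of `xsltNewSecurityPrefs()` is never compared with NULL and the return values of the five `xsltSetSecurityPrefs()` calls are discarded. If the allocation or any setter fails, `xsltSetDefaultSecurityPrefs()` receives a NULL or partly configured object and main() carries on; as far as I can tell libxslt treats a NULL default as "no restrictions", which should be confirmed. Since these examples get copied into applications, the block should stop with an error instead, as sketched below. The same block is repeated in the decrypt2.c, decrypt3.c and encrypt1.c hunks. Separately, no hunk in decrypt1.c adds the `xsltFreeSecurityPrefs(xsltSecPrefs)` call that the shutdown code of those three files receives; main() starts and ends outside this hunk.

```c
    /* … unchanged: #ifndef XMLSEC_NO_XSLT guard … */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: unable to create XSLT security preferences.\n");
        return(-1);
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {
        fprintf(stderr, "Error: unable to set XSLT security preferences.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
    /* … unchanged: xmlSecInit() and library version check … */
```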
@@ -72,27 +90,27 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } if(decrypt_file(argv[1], argv[2]) < 0) { - return(-1); + return(-1); } /* Shutdown xmlsec-crypto library */ @@ -115,8 +133,8 @@ main(int argc, char **argv) { /** * decrypt_file: - * @enc_file: the encrypted XML file name. - * @key_file: the Triple DES key file. + * @enc_file: the encrypted XML file name. + * @key_file: the Triple DES key file. * * Decrypts the XML file #enc_file using DES key from #key_file and * prints results to stdout. 
@@ -136,55 +154,55 @@ decrypt_file(const char* enc_file, const char* key_file) { /* load template */ doc = xmlParseFile(enc_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file); + goto done; } /* create encryption context, we don't need keys manager in this example */ encCtx = xmlSecEncCtxCreate(NULL); if(encCtx == NULL) { fprintf(stderr,"Error: failed to create encryption context\n"); - goto done; + goto done; } /* load DES key */ encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file); if(encCtx->encKey == NULL) { fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file); - goto done; + goto done; } /* set key name to the file name, this is just an example! 
*/ if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - goto done; + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); + goto done; } /* decrypt the data */ if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) { fprintf(stderr,"Error: decryption failed\n"); - goto done; + goto done; } /* print decrypted data to stdout */ if(encCtx->resultReplaced != 0) { - fprintf(stdout, "Decrypted XML data:\n"); - xmlDocDump(stdout, doc); + fprintf(stdout, "Decrypted XML data:\n"); + xmlDocDump(stdout, doc); } else { - fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result)); - if(xmlSecBufferGetData(encCtx->result) != NULL) { - fwrite(xmlSecBufferGetData(encCtx->result), - 1, - xmlSecBufferGetSize(encCtx->result), - stdout); - } + fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result)); + if(xmlSecBufferGetData(encCtx->result) != NULL) { + fwrite(xmlSecBufferGetData(encCtx->result), + 1, + xmlSecBufferGetSize(encCtx->result), + stdout); + } } fprintf(stdout, "\n"); @@ -194,11 +212,11 @@ decrypt_file(const char* enc_file, const char* key_file) { done: /* cleanup */ if(encCtx != NULL) { - xmlSecEncCtxDestroy(encCtx); + xmlSecEncCtxDestroy(encCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/decrypt2.c b/examples/decrypt2.c index 051cbf97..49513e12 100644 --- a/examples/decrypt2.c +++ b/examples/decrypt2.c 
@@ -5,11 +5,11 @@ * DES key from a binary file * * Usage: - * ./decrypt2 <xml-enc> <des-key-file1> [<des-key-file2> [...]] + * ./decrypt2 <xml-enc> <des-key-file1> [<des-key-file2> [...]] * * Example: - * ./decrypt2 encrypt1-res.xml deskey.bin - * ./decrypt2 encrypt2-res.xml deskey.bin + * ./decrypt2 encrypt1-res.xml deskey.bin + * ./decrypt2 encrypt2-res.xml deskey.bin * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -26,6 +26,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -39,13 +40,16 @@ int decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file); int main(int argc, char **argv) { xmlSecKeysMngrPtr mngr; +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <enc-file> <key-file1> [<key-file2> [...]]\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <enc-file> <key-file1> [<key-file2> [...]]\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
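Review bot: The argument check in decrypt2.c's main() still reads `if(argc != 3)`, so any invocation with more than one key file is rejected. That contradicts the usage string printed right below it, which advertises `<key-file1> [<key-file2> [...]]`, and a later hunk passes `argc - 2` files to load_des_keys(). The check should be `if(argc < 3) {`. main() continues outside this hunk.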
@@ -56,17 +60,30 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -76,34 +93,34 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } /* create keys manager and load keys */ mngr = load_des_keys(&(argv[2]), argc - 2); if(mngr == NULL) { - return(-1); + return(-1); } if(decrypt_file(mngr, argv[1]) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } /* destroy keys manager */ @@ -120,6 +137,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -129,8 +147,8 @@ main(int argc, char **argv) { /** * load_des_keys: - * @files: the list of filenames. - * @files_size: the number of filenames in #files. + * @files: the list of filenames. + * @files_size: the number of filenames in #files. * * Creates simple keys manager and load DES keys from #files in it. * The caller is responsible for destroing returned keys manager using 
@@ -154,43 +172,43 @@ load_des_keys(char** files, int files_size) { */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stderr, "Error: failed to create keys manager.\n"); - return(NULL); + fprintf(stderr, "Error: failed to create keys manager.\n"); + return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { - fprintf(stderr, "Error: failed to initialize keys manager.\n"); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + fprintf(stderr, "Error: failed to initialize keys manager.\n"); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } for(i = 0; i < files_size; ++i) { - assert(files[i]); + assert(files[i]); - /* load DES key */ - key = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, files[i]); - if(key == NULL) { - fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", files[i]); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } + /* load DES key */ + key = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, files[i]); + if(key == NULL) { + fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", files[i]); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } - /* set key name to the file name, this is just an example! */ - if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]); - xmlSecKeyDestroy(key); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } - - /* add key to keys manager, from now on keys manager is responsible - * for destroying key - */ - if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) { - fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]); - xmlSecKeyDestroy(key); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } + /* set key name to the file name, this is just an example! 
*/ + if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) { + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]); + xmlSecKeyDestroy(key); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } + + /* add key to keys manager, from now on keys manager is responsible + * for destroying key + */ + if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) { + fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]); + xmlSecKeyDestroy(key); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } } return(mngr); @@ -198,8 +216,8 @@ load_des_keys(char** files, int files_size) { /** * decrypt_file: - * @mngr: the pointer to keys manager. - * @enc_file: the encrypted XML file name. + * @mngr: the pointer to keys manager. + * @enc_file: the encrypted XML file name. * * Decrypts the XML file #enc_file using DES key from #key_file and * prints results to stdout. 
@@ -219,42 +237,42 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) { /* load template */ doc = xmlParseFile(enc_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file); + goto done; } /* create encryption context */ encCtx = xmlSecEncCtxCreate(mngr); if(encCtx == NULL) { fprintf(stderr,"Error: failed to create encryption context\n"); - goto done; + goto done; } /* decrypt the data */ if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) { fprintf(stderr,"Error: decryption failed\n"); - goto done; + goto done; } /* print decrypted data to stdout */ if(encCtx->resultReplaced != 0) { - fprintf(stdout, "Decrypted XML data:\n"); - xmlDocDump(stdout, doc); + fprintf(stdout, "Decrypted XML data:\n"); + xmlDocDump(stdout, doc); } else { - fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result)); - if(xmlSecBufferGetData(encCtx->result) != NULL) { - fwrite(xmlSecBufferGetData(encCtx->result), - 1, - xmlSecBufferGetSize(encCtx->result), - stdout); - } + fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result)); + if(xmlSecBufferGetData(encCtx->result) != NULL) { + fwrite(xmlSecBufferGetData(encCtx->result), + 1, + xmlSecBufferGetSize(encCtx->result), + stdout); + } } fprintf(stdout, "\n"); 
@@ -264,11 +282,11 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) { done: /* cleanup */ if(encCtx != NULL) { - xmlSecEncCtxDestroy(encCtx); + xmlSecEncCtxDestroy(encCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/decrypt3.c b/examples/decrypt3.c index eb0d581a..253920fb 100644 --- a/examples/decrypt3.c +++ b/examples/decrypt3.c @@ -6,11 +6,11 @@ * key's file name in the current folder. * * Usage: - * ./decrypt3 <xml-enc> + * ./decrypt3 <xml-enc> * * Example: - * ./decrypt3 encrypt1-res.xml - * ./decrypt3 encrypt2-res.xml + * ./decrypt3 encrypt1-res.xml + * ./decrypt3 encrypt2-res.xml * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -28,6 +28,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -42,13 +43,16 @@ int decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file); int main(int argc, char **argv) { xmlSecKeysMngrPtr mngr; +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ assert(argv); if(argc != 2) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <enc-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <enc-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -59,17 +63,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -79,34 +95,34 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } /* create keys manager and load keys */ mngr = create_files_keys_mngr(); if(mngr == NULL) { - return(-1); + return(-1); } if(decrypt_file(mngr, argv[1]) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } /* destroy keys manager */ @@ -123,6 +139,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -132,8 +149,8 @@ main(int argc, char **argv) { /** * decrypt_file: - * @mngr: the pointer to keys manager. - * @enc_file: the encrypted XML file name. + * @mngr: the pointer to keys manager. + * @enc_file: the encrypted XML file name. * * Decrypts the XML file #enc_file using DES key from #key_file and * prints results to stdout. 
@@ -153,42 +170,42 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) { /* load template */ doc = xmlParseFile(enc_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file); + goto done; } /* create encryption context */ encCtx = xmlSecEncCtxCreate(mngr); if(encCtx == NULL) { fprintf(stderr,"Error: failed to create encryption context\n"); - goto done; + goto done; } /* decrypt the data */ if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) { fprintf(stderr,"Error: decryption failed\n"); - goto done; + goto done; } /* print decrypted data to stdout */ if(encCtx->resultReplaced != 0) { - fprintf(stdout, "Decrypted XML data:\n"); - xmlDocDump(stdout, doc); + fprintf(stdout, "Decrypted XML data:\n"); + xmlDocDump(stdout, doc); } else { - fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result)); - if(xmlSecBufferGetData(encCtx->result) != NULL) { - fwrite(xmlSecBufferGetData(encCtx->result), - 1, - xmlSecBufferGetSize(encCtx->result), - stdout); - } + fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result)); + if(xmlSecBufferGetData(encCtx->result) != NULL) { + fwrite(xmlSecBufferGetData(encCtx->result), + 1, + xmlSecBufferGetSize(encCtx->result), + stdout); + } } fprintf(stdout, "\n"); 
@@ -198,11 +215,11 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) { done: /* cleanup */ if(encCtx != NULL) { - xmlSecEncCtxDestroy(encCtx); + xmlSecEncCtxDestroy(encCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } @@ -223,31 +240,31 @@ create_files_keys_mngr(void) { /* create files based keys store */ keysStore = xmlSecKeyStoreCreate(files_keys_store_get_klass()); if(keysStore == NULL) { - fprintf(stderr, "Error: failed to create keys store.\n"); - return(NULL); + fprintf(stderr, "Error: failed to create keys store.\n"); + return(NULL); } /* create keys manager */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stderr, "Error: failed to create keys manager.\n"); - xmlSecKeyStoreDestroy(keysStore); - return(NULL); + fprintf(stderr, "Error: failed to create keys manager.\n"); + xmlSecKeyStoreDestroy(keysStore); + return(NULL); } /* add store to keys manager, from now on keys manager destroys the store if needed */ if(xmlSecKeysMngrAdoptKeysStore(mngr, keysStore) < 0) { - fprintf(stderr, "Error: failed to add keys store to keys manager.\n"); - xmlSecKeyStoreDestroy(keysStore); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + fprintf(stderr, "Error: failed to add keys store to keys manager.\n"); + xmlSecKeyStoreDestroy(keysStore); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } /* initialize crypto library specific data in keys manager */ if(xmlSecCryptoKeysMngrInit(mngr) < 0) { - fprintf(stderr, "Error: failed to initialize crypto data in keys manager.\n"); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + fprintf(stderr, "Error: failed to initialize crypto data in keys manager.\n"); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } /* set the get key callback */ 
@@ -263,20 +280,20 @@ create_files_keys_mngr(void) { * Attention: this probably not a good solution for high traffic systems. * ***************************************************************************/ -static xmlSecKeyPtr files_keys_store_find_key (xmlSecKeyStorePtr store, - const xmlChar* name, - xmlSecKeyInfoCtxPtr keyInfoCtx); +static xmlSecKeyPtr files_keys_store_find_key (xmlSecKeyStorePtr store, + const xmlChar* name, + xmlSecKeyInfoCtxPtr keyInfoCtx); static xmlSecKeyStoreKlass files_keys_store_klass = { sizeof(xmlSecKeyStoreKlass), sizeof(xmlSecKeyStore), - BAD_CAST "files-based-keys-store", /* const xmlChar* name; */ - NULL, /* xmlSecKeyStoreInitializeMethod initialize; */ - NULL, /* xmlSecKeyStoreFinalizeMethod finalize; */ - files_keys_store_find_key, /* xmlSecKeyStoreFindKeyMethod findKey; */ + BAD_CAST "files-based-keys-store", /* const xmlChar* name; */ + NULL, /* xmlSecKeyStoreInitializeMethod initialize; */ + NULL, /* xmlSecKeyStoreFinalizeMethod finalize; */ + files_keys_store_find_key, /* xmlSecKeyStoreFindKeyMethod findKey; */ /* reserved for the future */ - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ }; /** @@ -294,9 +311,9 @@ files_keys_store_get_klass(void) { /** * files_keys_store_find_key: - * @store: the pointer to simple keys store. - * @name: the desired key name. - * @keyInfoCtx: the pointer to <dsig:KeyInfo/> node processing context. + * @store: the pointer to simple keys store. + * @name: the desired key name. + * @keyInfoCtx: the pointer to <dsig:KeyInfo/> node processing context. * * Lookups key in the @store. The caller is responsible for destroying * returned key with #xmlSecKeyDestroy function. 
@@ -314,7 +331,7 @@ files_keys_store_find_key(xmlSecKeyStorePtr store, const xmlChar* name, xmlSecKe /* it's possible to do not have the key name or desired key type * but we could do nothing in this case */ if((name == NULL) || (keyInfoCtx->keyReq.keyId == xmlSecKeyDataIdUnknown)){ - return(NULL); + return(NULL); } /* we don't want to open files in a folder other than "current"; 
@@ -322,32 +339,32 @@ files_keys_store_find_key(xmlSecKeyStorePtr store, const xmlChar* name, xmlSecKe * '.', '-' or '_'. */ for(p = name; (*p) != '\0'; ++p) { - if(!isalnum((*p)) && ((*p) != '.') && ((*p) != '-') && ((*p) != '_')) { - return(NULL); - } + if(!isalnum((*p)) && ((*p) != '.') && ((*p) != '-') && ((*p) != '_')) { + return(NULL); + } } if((keyInfoCtx->keyReq.keyId == xmlSecKeyDataDsaId) || (keyInfoCtx->keyReq.keyId == xmlSecKeyDataRsaId)) { - /* load key from a pem file, if key is not found then it's an error (is it?) */ - key = xmlSecCryptoAppKeyLoad(name, xmlSecKeyDataFormatPem, NULL, NULL, NULL); - if(key == NULL) { - fprintf(stderr,"Error: failed to load public pem key from \"%s\"\n", name); - return(NULL); - } + /* load key from a pem file, if key is not found then it's an error (is it?) */ + key = xmlSecCryptoAppKeyLoad(name, xmlSecKeyDataFormatPem, NULL, NULL, NULL); + if(key == NULL) { + fprintf(stderr,"Error: failed to load public pem key from \"%s\"\n", name); + return(NULL); + } } else { - /* otherwise it's a binary key, if key is not found then it's an error (is it?) */ - key = xmlSecKeyReadBinaryFile(keyInfoCtx->keyReq.keyId, name); - if(key == NULL) { - fprintf(stderr,"Error: failed to load key from binary file \"%s\"\n", name); - return(NULL); - } + /* otherwise it's a binary key, if key is not found then it's an error (is it?) */ + key = xmlSecKeyReadBinaryFile(keyInfoCtx->keyReq.keyId, name); + if(key == NULL) { + fprintf(stderr,"Error: failed to load key from binary file \"%s\"\n", name); + return(NULL); + } } /* set key name */ if(xmlSecKeySetName(key, name) < 0) { fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", name); xmlSecKeyDestroy(key); - return(NULL); + return(NULL); } return(key); diff --git a/examples/encrypt1.c b/examples/encrypt1.c index bdd16b14..fb4d103f 100644 --- a/examples/encrypt1.c +++ b/examples/encrypt1.c 
@@ -4,13 +4,13 @@ * Encrypts binary data using a template file and a DES key from a binary file * * Usage: - * ./encrypt1 <xml-tmpl> <des-key-file> + * ./encrypt1 <xml-tmpl> <des-key-file> * * Example: - * ./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml + * ./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml * * The result could be decrypted with decrypt1 example: - * ./decrypt1 encrypt1-res.xml deskey.bin + * ./decrypt1 encrypt1-res.xml deskey.bin * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -27,6 +27,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -35,17 +36,20 @@ #include <xmlsec/crypto.h> int encrypt_file(const char* tmpl_file, const char* key_file, - const unsigned char* data, size_t dataSize); + const unsigned char* data, size_t dataSize); int main(int argc, char **argv) { static const char secret_data[] = "Big secret"; - +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -56,17 +60,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -76,27 +92,27 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } if(encrypt_file(argv[1], argv[2], secret_data, strlen(secret_data)) < 0) { - return(-1); + return(-1); } /* Shutdown xmlsec-crypto library */ @@ -110,6 +126,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -119,10 +136,10 @@ main(int argc, char **argv) { /** * encrypt_file: - * @tmpl_file: the encryption template file name. - * @key_file: the Triple DES key file. - * @data: the binary data to encrypt. - * @dataSize: the binary data size. + * @tmpl_file: the encryption template file name. + * @key_file: the Triple DES key file. + * @data: the binary data to encrypt. + * @dataSize: the binary data size. * * Encrypts binary #data using template from #tmpl_file and DES key from * #key_file. 
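Review bot: In the shutdown hunk, `xsltFreeSecurityPrefs(xsltSecPrefs)` releases the object that is still installed through `xsltSetDefaultSecurityPrefs()`, and nothing records that no XSLT work may follow it. libxslt appears to keep only the pointer it was given, so a transform context created after this line would use freed memory. A comment would make the ordering explicit, for example `/* prefs are still the libxslt default: no XSLT processing is allowed after this point */`. The earlier `return(-1)` paths in main() also leave without reaching this cleanup, which is harmless at process exit but matters to anyone copying the example into a long-running program. The same line is added in encrypt2.c, encrypt3.c, sign1.c and sign2.c, and main() starts and ends outside these hunks.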
@@ -131,7 +148,7 @@ main(int argc, char **argv) { */ int encrypt_file(const char* tmpl_file, const char* key_file, - const unsigned char* data, size_t dataSize) { + const unsigned char* data, size_t dataSize) { xmlDocPtr doc = NULL; xmlNodePtr node = NULL; xmlSecEncCtxPtr encCtx = NULL; @@ -144,41 +161,41 @@ encrypt_file(const char* tmpl_file, const char* key_file, /* load template */ doc = xmlParseFile(tmpl_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file); + goto done; } /* create encryption context, we don't need keys manager in this example */ encCtx = xmlSecEncCtxCreate(NULL); if(encCtx == NULL) { fprintf(stderr,"Error: failed to create encryption context\n"); - goto done; + goto done; } /* load DES key, assuming that there is not password */ encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file); if(encCtx->encKey == NULL) { fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file); - goto done; + goto done; } /* set key name to the file name, this is just an example! */ if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - goto done; + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); + goto done; } /* encrypt the data */ if(xmlSecEncCtxBinaryEncrypt(encCtx, node, data, dataSize) < 0) { fprintf(stderr,"Error: encryption failed\n"); - goto done; + goto done; } /* print encrypted data with document to stdout */ 
@@ -191,11 +208,11 @@ done: /* cleanup */ if(encCtx != NULL) { - xmlSecEncCtxDestroy(encCtx); + xmlSecEncCtxDestroy(encCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/encrypt2.c b/examples/encrypt2.c index 9bbd52ff..4f1ad588 100644 --- a/examples/encrypt2.c +++ b/examples/encrypt2.c @@ -5,13 +5,13 @@ * from a binary file * * Usage: - * ./encrypt2 <xml-doc> <des-key-file> + * ./encrypt2 <xml-doc> <des-key-file> * * Example: - * ./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml + * ./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml * * The result could be decrypted with decrypt1 example: - * ./decrypt1 encrypt2-res.xml deskey.bin + * ./decrypt1 encrypt2-res.xml deskey.bin * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -28,6 +28,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -40,12 +41,16 @@ int encrypt_file(const char* xml_file, const char* key_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -56,17 +61,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -76,27 +93,27 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } if(encrypt_file(argv[1], argv[2]) < 0) { - return(-1); + return(-1); } /* Shutdown xmlsec-crypto library */ @@ -110,6 +127,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -119,8 +137,8 @@ main(int argc, char **argv) { /** * encrypt_file: - * @xml_file: the encryption template file name. - * @key_file: the Triple DES key file. + * @xml_file: the encryption template file name. + * @key_file: the Triple DES key file. * * Encrypts #xml_file using a dynamicaly created template and DES key from * #key_file. 
@@ -141,61 +159,61 @@ encrypt_file(const char* xml_file, const char* key_file) { /* load template */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* create encryption template to encrypt XML file and replace * its content with encryption result */ encDataNode = xmlSecTmplEncDataCreate(doc, xmlSecTransformDes3CbcId, - NULL, xmlSecTypeEncElement, NULL, NULL); + NULL, xmlSecTypeEncElement, NULL, NULL); if(encDataNode == NULL) { - fprintf(stderr, "Error: failed to create encryption template\n"); - goto done; + fprintf(stderr, "Error: failed to create encryption template\n"); + goto done; } /* we want to put encrypted data in the <enc:CipherValue/> node */ if(xmlSecTmplEncDataEnsureCipherValue(encDataNode) == NULL) { - fprintf(stderr, "Error: failed to add CipherValue node\n"); - goto done; + fprintf(stderr, "Error: failed to add CipherValue node\n"); + goto done; } /* add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed document */ keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL); if(keyInfoNode == NULL) { - fprintf(stderr, "Error: failed to add key info\n"); - goto done; + fprintf(stderr, "Error: failed to add key info\n"); + goto done; } if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) { - fprintf(stderr, "Error: failed to add key name\n"); - goto done; + fprintf(stderr, "Error: failed to add key name\n"); + goto done; } /* create encryption context, we don't need keys manager in this example */ encCtx = xmlSecEncCtxCreate(NULL); if(encCtx == NULL) { fprintf(stderr,"Error: failed to create encryption context\n"); - goto done; + goto done; } /* load DES key, assuming that there is not password */ encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file); if(encCtx->encKey == NULL) { 
fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file); - goto done; + goto done; } /* set key name to the file name, this is just an example! */ if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - goto done; + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); + goto done; } /* encrypt the data */ if(xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, xmlDocGetRootElement(doc)) < 0) { fprintf(stderr,"Error: encryption failed\n"); - goto done; + goto done; } /* we template is inserted in the doc */ @@ -211,15 +229,15 @@ done: /* cleanup */ if(encCtx != NULL) { - xmlSecEncCtxDestroy(encCtx); + xmlSecEncCtxDestroy(encCtx); } if(encDataNode != NULL) { - xmlFreeNode(encDataNode); + xmlFreeNode(encDataNode); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/encrypt3.c b/examples/encrypt3.c index 788c964e..aa9465a2 100644 --- a/examples/encrypt3.c +++ b/examples/encrypt3.c @@ -5,13 +5,13 @@ * DES key (encrypted with an RSA key). * * Usage: - * ./encrypt3 <xml-doc> <rsa-pem-key-file> + * ./encrypt3 <xml-doc> <rsa-pem-key-file> * * Example: - * ./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml + * ./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml * * The result could be decrypted with decrypt3 example: - * ./decrypt3 encrypt3-res.xml + * ./decrypt3 encrypt3-res.xml * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -28,6 +28,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> 
@@ -42,13 +43,16 @@ int encrypt_file(xmlSecKeysMngrPtr mngr, const char* xml_file, const char* key_n int main(int argc, char **argv) { xmlSecKeysMngrPtr mngr; +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ @@ -59,17 +63,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -79,35 +95,35 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } /* create keys manager and load keys */ mngr = load_rsa_keys(argv[2]); if(mngr == NULL) { - return(-1); + return(-1); } /* we use key filename as key name here */ if(encrypt_file(mngr, argv[1], argv[2]) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } /* destroy keys manager */ @@ -124,6 +140,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -133,7 +150,7 @@ main(int argc, char **argv) { /** * load_rsa_keys: - * @key_file: the key filename. + * @key_file: the key filename. * * Creates simple keys manager and load RSA key from #key_file in it. * The caller is responsible for destroing returned keys manager using 
@@ -155,13 +172,13 @@ load_rsa_keys(char* key_file) { */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stderr, "Error: failed to create keys manager.\n"); - return(NULL); + fprintf(stderr, "Error: failed to create keys manager.\n"); + return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { - fprintf(stderr, "Error: failed to initialize keys manager.\n"); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + fprintf(stderr, "Error: failed to initialize keys manager.\n"); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } /* load private RSA key */ @@ -175,11 +192,11 @@ load_rsa_keys(char* key_file) { /* set key name to the file name, this is just an example! */ if(xmlSecKeySetName(key, BAD_CAST key_file) < 0) { fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - xmlSecKeyDestroy(key); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + xmlSecKeyDestroy(key); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } - + /* add key to keys manager, from now on keys manager is responsible * for destroying key */ @@ -195,9 +212,9 @@ load_rsa_keys(char* key_file) { /** * encrypt_file: - * @mngr: the pointer to keys manager. - * @xml_file: the encryption template file name. - * @key_name: the RSA key name. + * @mngr: the pointer to keys manager. + * @xml_file: the encryption template file name. + * @key_name: the RSA key name. * * Encrypts #xml_file using a dynamicaly created template, a session DES key * and an RSA key from keys manager. 
@@ -221,78 +238,78 @@ encrypt_file(xmlSecKeysMngrPtr mngr, const char* xml_file, const char* key_name) /* load template */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* create encryption template to encrypt XML file and replace * its content with encryption result */ encDataNode = xmlSecTmplEncDataCreate(doc, xmlSecTransformDes3CbcId, - NULL, xmlSecTypeEncElement, NULL, NULL); + NULL, xmlSecTypeEncElement, NULL, NULL); if(encDataNode == NULL) { - fprintf(stderr, "Error: failed to create encryption template\n"); - goto done; + fprintf(stderr, "Error: failed to create encryption template\n"); + goto done; } /* we want to put encrypted data in the <enc:CipherValue/> node */ if(xmlSecTmplEncDataEnsureCipherValue(encDataNode) == NULL) { - fprintf(stderr, "Error: failed to add CipherValue node\n"); - goto done; + fprintf(stderr, "Error: failed to add CipherValue node\n"); + goto done; } /* add <dsig:KeyInfo/> */ keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL); if(keyInfoNode == NULL) { - fprintf(stderr, "Error: failed to add key info\n"); - goto done; + fprintf(stderr, "Error: failed to add key info\n"); + goto done; } /* add <enc:EncryptedKey/> to store the encrypted session key */ encKeyNode = xmlSecTmplKeyInfoAddEncryptedKey(keyInfoNode, - xmlSecTransformRsaPkcs1Id, - NULL, NULL, NULL); + xmlSecTransformRsaPkcs1Id, + NULL, NULL, NULL); if(encKeyNode == NULL) { - fprintf(stderr, "Error: failed to add key info\n"); - goto done; + fprintf(stderr, "Error: failed to add key info\n"); + goto done; } /* we want to put encrypted key in the <enc:CipherValue/> node */ if(xmlSecTmplEncDataEnsureCipherValue(encKeyNode) == NULL) { - fprintf(stderr, "Error: failed to add CipherValue node\n"); - goto done; + fprintf(stderr, "Error: failed to add CipherValue 
node\n"); + goto done; } /* add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to <enc:EncryptedKey/> */ keyInfoNode2 = xmlSecTmplEncDataEnsureKeyInfo(encKeyNode, NULL); if(keyInfoNode2 == NULL) { - fprintf(stderr, "Error: failed to add key info\n"); - goto done; + fprintf(stderr, "Error: failed to add key info\n"); + goto done; } /* set key name so we can lookup key when needed */ if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode2, key_name) == NULL) { - fprintf(stderr, "Error: failed to add key name\n"); - goto done; + fprintf(stderr, "Error: failed to add key name\n"); + goto done; } /* create encryption context */ encCtx = xmlSecEncCtxCreate(mngr); if(encCtx == NULL) { fprintf(stderr,"Error: failed to create encryption context\n"); - goto done; + goto done; } /* generate a Triple DES key */ encCtx->encKey = xmlSecKeyGenerate(xmlSecKeyDataDesId, 192, xmlSecKeyDataTypeSession); if(encCtx->encKey == NULL) { fprintf(stderr,"Error: failed to generate session des key\n"); - goto done; + goto done; } /* encrypt the data */ if(xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, xmlDocGetRootElement(doc)) < 0) { fprintf(stderr,"Error: encryption failed\n"); - goto done; + goto done; } /* we template is inserted in the doc */ @@ -308,15 +325,15 @@ done: /* cleanup */ if(encCtx != NULL) { - xmlSecEncCtxDestroy(encCtx); + xmlSecEncCtxDestroy(encCtx); } if(encDataNode != NULL) { - xmlFreeNode(encDataNode); + xmlFreeNode(encDataNode); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/mywin32make.bat b/examples/mywin32make.bat index 84c5777e..a7d22803 100644 --- a/examples/mywin32make.bat +++ b/examples/mywin32make.bat @@ -8,7 +8,7 @@ REM REM Aleksey Sanin <aleksey@aleksey.com> REM -SET XMLSEC_PREFIX=d:\sdk +SET XMLSEC_PREFIX=C:\cygwin\home\local SET XMLSEC_INCLUDE=%XMLSEC_PREFIX%\include SET XMLSEC_LIB=%XMLSEC_PREFIX%\lib diff --git a/examples/sign1.c b/examples/sign1.c index f17bf96f..e545843f 100644 --- a/examples/sign1.c +++ b/examples/sign1.c 
@@ -4,13 +4,13 @@ * Signs a template file using a key from PEM file * * Usage: - * ./sign1 <xml-tmpl> <pem-key> + * ./sign1 <xml-tmpl> <pem-key> * * Example: - * ./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml + * ./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml * * The result signature could be validated using verify1 example: - * ./verify1 sign1-res.xml rsapub.pem + * ./verify1 sign1-res.xml rsapub.pem * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -27,6 +27,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -38,12 +39,16 @@ int sign_file(const char* tmpl_file, const char* key_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -54,17 +59,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -74,27 +91,27 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } if(sign_file(argv[1], argv[2]) < 0) { - return(-1); + return(-1); } /* Shutdown xmlsec-crypto library */ @@ -108,7 +125,8 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT - xsltCleanupGlobals(); + xsltFreeSecurityPrefs(xsltSecPrefs); + xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -117,8 +135,8 @@ main(int argc, char **argv) { /** * sign_file: - * @tmpl_file: the signature template file name. - * @key_file: the PEM private key file name. + * @tmpl_file: the signature template file name. + * @key_file: the PEM private key file name. * * Signs the #tmpl_file using private key from #key_file. * 
@@ -137,41 +155,41 @@ sign_file(const char* tmpl_file, const char* key_file) { /* load template */ doc = xmlParseFile(tmpl_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file); + goto done; } /* create signature context, we don't need keys manager in this example */ dsigCtx = xmlSecDSigCtxCreate(NULL); if(dsigCtx == NULL) { fprintf(stderr,"Error: failed to create signature context\n"); - goto done; + goto done; } /* load private key, assuming that there is not password */ dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL); if(dsigCtx->signKey == NULL) { fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file); - goto done; + goto done; } /* set key name to the file name, this is just an example! */ if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - goto done; + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); + goto done; } /* sign the template */ if(xmlSecDSigCtxSign(dsigCtx, node) < 0) { fprintf(stderr,"Error: signature failed\n"); - goto done; + goto done; } /* print signed document to stdout */ @@ -183,11 +201,11 @@ sign_file(const char* tmpl_file, const char* key_file) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } 
diff --git a/examples/sign2.c b/examples/sign2.c index 3bb858ce..146bbbaa 100644 --- a/examples/sign2.c +++ b/examples/sign2.c @@ -6,13 +6,13 @@ * the whole document except the <dsig:Signature/> node itself. * * Usage: - * sign2 <xml-doc> <pem-key> + * sign2 <xml-doc> <pem-key> * * Example: - * ./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml + * ./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml * * The result signature could be validated using verify1 example: - * ./verify1 sign2-res.xml rsapub.pem + * ./verify1 sign2-res.xml rsapub.pem * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -29,6 +29,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -41,12 +42,16 @@ int sign_file(const char* xml_file, const char* key_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -57,17 +62,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -77,27 +94,27 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } if(sign_file(argv[1], argv[2]) < 0) { - return(-1); + return(-1); } /* Shutdown xmlsec-crypto library */ @@ -111,6 +128,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -120,8 +138,8 @@ main(int argc, char **argv) { /** * sign_file: - * @xml_file: the XML file name. - * @key_file: the PEM private key file name. + * @xml_file: the XML file name. + * @key_file: the PEM private key file name. * * Signs the #xml_file using private key from #key_file and dynamicaly * created enveloped signature template. 
@@ -143,16 +161,16 @@ sign_file(const char* xml_file, const char* key_file) { /* load doc file */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* create signature template for RSA-SHA1 enveloped signature */ signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId, - xmlSecTransformRsaSha1Id, NULL); + xmlSecTransformRsaSha1Id, NULL); if(signNode == NULL) { - fprintf(stderr, "Error: failed to create signature template\n"); - goto done; + fprintf(stderr, "Error: failed to create signature template\n"); + goto done; } /* add <dsig:Signature/> node to the doc */ 
@@ -160,54 +178,54 @@ sign_file(const char* xml_file, const char* key_file) { /* add reference */ refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id, - NULL, NULL, NULL); + NULL, NULL, NULL); if(refNode == NULL) { - fprintf(stderr, "Error: failed to add reference to signature template\n"); - goto done; + fprintf(stderr, "Error: failed to add reference to signature template\n"); + goto done; } /* add enveloped transform */ if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) { - fprintf(stderr, "Error: failed to add enveloped transform to reference\n"); - goto done; + fprintf(stderr, "Error: failed to add enveloped transform to reference\n"); + goto done; } /* add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed document */ keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL); if(keyInfoNode == NULL) { - fprintf(stderr, "Error: failed to add key info\n"); - goto done; + fprintf(stderr, "Error: failed to add key info\n"); + goto done; } if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) { - fprintf(stderr, "Error: failed to add key name\n"); - goto done; + fprintf(stderr, "Error: failed to add key name\n"); + goto done; } /* create signature context, we don't need keys manager in this example */ dsigCtx = xmlSecDSigCtxCreate(NULL); if(dsigCtx == NULL) { fprintf(stderr,"Error: failed to create signature context\n"); - goto done; + goto done; } /* load private key, assuming that there is not password */ dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL); if(dsigCtx->signKey == NULL) { fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file); - goto done; + goto done; } /* set key name to the file name, this is just an example! 
*/ if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - goto done; + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); + goto done; } /* sign the template */ if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) { fprintf(stderr,"Error: signature failed\n"); - goto done; + goto done; } /* print signed document to stdout */ @@ -219,11 +237,11 @@ sign_file(const char* xml_file, const char* key_file) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/sign3.c b/examples/sign3.c index 8a367083..9d16cf72 100644 --- a/examples/sign3.c +++ b/examples/sign3.c @@ -10,13 +10,13 @@ * certificates management policies for another crypto library may break it. * * Usage: - * sign3 <xml-doc> <pem-key> + * sign3 <xml-doc> <pem-key> * * Example: - * ./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml + * ./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml * * The result signature could be validated using verify3 example: - * ./verify3 sign3-res.xml rootcert.pem + * ./verify3 sign3-res.xml rootcert.pem * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -33,6 +33,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> 
@@ -45,12 +46,16 @@ int sign_file(const char* xml_file, const char* key_file, const char* cert_file) int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + assert(argv); if(argc != 4) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <key-file> <cert-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <key-file> <cert-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ @@ -61,17 +66,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
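Review bot: The libxslt lock-down added in the second hunk on this line (sign3.c, "disable everything") fails open, because neither the result of `xsltNewSecurityPrefs()` nor those of the five `xsltSetSecurityPrefs()` calls are checked. If the allocation fails, the setters' error returns are dropped and `xsltSetDefaultSecurityPrefs(NULL)` appears to leave transforms with no file or network restrictions, while the program goes on to process the document. Both failures should be fatal before the defaults are installed, as sketched below. The same block is added in the verify1.c, verify2.c, verify3.c and verify4.c hunks on this page; main() starts and ends outside the hunk.

```c
    /* … unchanged: #ifndef XMLSEC_NO_XSLT guard … */
    /* disable everything */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: failed to create libxslt security preferences.\n");
        return(-1);
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {
        fprintf(stderr, "Error: failed to set libxslt security preferences.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
    /* … unchanged: #endif and xmlsec initialization … */
```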
@@ -81,27 +98,27 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } if(sign_file(argv[1], argv[2], argv[3]) < 0) { - return(-1); + return(-1); } /* Shutdown xmlsec-crypto library */ @@ -115,6 +132,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -124,9 +142,9 @@ main(int argc, char **argv) { /** * sign_file: - * @xml_file: the XML file name. - * @key_file: the PEM private key file name. - * @cert_file: the x509 certificate PEM file. + * @xml_file: the XML file name. + * @key_file: the PEM private key file name. + * @cert_file: the x509 certificate PEM file. * * Signs the @xml_file using private key from @key_file and dynamicaly * created enveloped signature template. The certificate from @cert_file 
@@ -150,16 +168,16 @@ sign_file(const char* xml_file, const char* key_file, const char* cert_file) { /* load doc file */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* create signature template for RSA-SHA1 enveloped signature */ signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId, - xmlSecTransformRsaSha1Id, NULL); + xmlSecTransformRsaSha1Id, NULL); if(signNode == NULL) { - fprintf(stderr, "Error: failed to create signature template\n"); - goto done; + fprintf(stderr, "Error: failed to create signature template\n"); + goto done; } /* add <dsig:Signature/> node to the doc */ 
@@ -167,60 +185,60 @@ sign_file(const char* xml_file, const char* key_file, const char* cert_file) { /* add reference */ refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id, - NULL, NULL, NULL); + NULL, NULL, NULL); if(refNode == NULL) { - fprintf(stderr, "Error: failed to add reference to signature template\n"); - goto done; + fprintf(stderr, "Error: failed to add reference to signature template\n"); + goto done; } /* add enveloped transform */ if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) { - fprintf(stderr, "Error: failed to add enveloped transform to reference\n"); - goto done; + fprintf(stderr, "Error: failed to add enveloped transform to reference\n"); + goto done; } /* add <dsig:KeyInfo/> and <dsig:X509Data/> */ keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL); if(keyInfoNode == NULL) { - fprintf(stderr, "Error: failed to add key info\n"); - goto done; + fprintf(stderr, "Error: failed to add key info\n"); + goto done; } if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) { - fprintf(stderr, "Error: failed to add X509Data node\n"); - goto done; + fprintf(stderr, "Error: failed to add X509Data node\n"); + goto done; } /* create signature context, we don't need keys manager in this example */ dsigCtx = xmlSecDSigCtxCreate(NULL); if(dsigCtx == NULL) { fprintf(stderr,"Error: failed to create signature context\n"); - goto done; + goto done; } /* load private key, assuming that there is not password */ dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL); if(dsigCtx->signKey == NULL) { fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file); - goto done; + goto done; } /* load certificate and add to the key */ if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) { fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file); - goto done; + goto done; } /* set key name to the file 
name, this is just an example! */ if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - goto done; + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); + goto done; } /* sign the template */ if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) { fprintf(stderr,"Error: signature failed\n"); - goto done; + goto done; } /* print signed document to stdout */ @@ -232,11 +250,11 @@ sign_file(const char* xml_file, const char* key_file, const char* cert_file) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/verify1.c b/examples/verify1.c index 9f2eff5b..04917e5a 100644 --- a/examples/verify1.c +++ b/examples/verify1.c @@ -4,11 +4,11 @@ * Verifies a file using a key from PEM file. * * Usage: - * verify1 <signed-file> <pem-key> + * verify1 <signed-file> <pem-key> * * Example: - * ./verify1 sign1-res.xml rsapub.pem - * ./verify1 sign2-res.xml rsapub.pem + * ./verify1 sign1-res.xml rsapub.pem + * ./verify1 sign2-res.xml rsapub.pem * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -25,6 +25,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> 
@@ -36,12 +37,16 @@ int verify_file(const char* xml_file, const char* key_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + assert(argv); if(argc != 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ @@ -52,17 +57,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -72,27 +89,27 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } if(verify_file(argv[1], argv[2]) < 0) { - return(-1); + return(-1); } /* Shutdown xmlsec-crypto library */ @@ -106,6 +123,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -115,8 +133,8 @@ main(int argc, char **argv) { /** * verify_file: - * @xml_file: the signed XML file name. - * @key_file: the PEM public key file name. + * @xml_file: the signed XML file name. + * @key_file: the PEM public key file name. * * Verifies XML signature in #xml_file using public key from #key_file. * 
@@ -135,48 +153,48 @@ verify_file(const char* xml_file, const char* key_file) { /* load file */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); + goto done; } /* create signature context, we don't need keys manager in this example */ dsigCtx = xmlSecDSigCtxCreate(NULL); if(dsigCtx == NULL) { fprintf(stderr,"Error: failed to create signature context\n"); - goto done; + goto done; } /* load public key */ dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL); if(dsigCtx->signKey == NULL) { fprintf(stderr,"Error: failed to load public pem key from \"%s\"\n", key_file); - goto done; + goto done; } /* set key name to the file name, this is just an example! */ if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); - goto done; + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file); + goto done; } /* Verify signature */ if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) { fprintf(stderr,"Error: signature verify\n"); - goto done; + goto done; } /* print verification result to stdout */ if(dsigCtx->status == xmlSecDSigStatusSucceeded) { - fprintf(stdout, "Signature is OK\n"); + fprintf(stdout, "Signature is OK\n"); } else { - fprintf(stdout, "Signature is INVALID\n"); + fprintf(stdout, "Signature is INVALID\n"); } /* success */ 
@@ -185,11 +203,11 @@ verify_file(const char* xml_file, const char* key_file) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/verify2.c b/examples/verify2.c index a56bb551..36fde2d3 100644 --- a/examples/verify2.c +++ b/examples/verify2.c @@ -4,11 +4,11 @@ * Verifies a file using keys manager * * Usage: - * verify2 <signed-file> <public-pem-key1> [<public-pem-key2> [...]] + * verify2 <signed-file> <public-pem-key1> [<public-pem-key2> [...]] * * Example: - * ./verify2 sign1-res.xml rsapub.pem - * ./verify2 sign2-res.xml rsapub.pem + * ./verify2 sign1-res.xml rsapub.pem + * ./verify2 sign2-res.xml rsapub.pem * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -25,6 +25,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -37,14 +38,18 @@ int verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + xmlSecKeysMngrPtr mngr; assert(argv); if(argc < 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <key-file1> [<key-file2> [...]]\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <key-file1> [<key-file2> [...]]\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -55,17 +60,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -75,35 +92,35 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } /* create keys manager and load keys */ mngr = load_keys(&(argv[2]), argc - 2); if(mngr == NULL) { - return(-1); + return(-1); } /* verify file */ if(verify_file(mngr, argv[1]) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } /* destroy keys manager */ @@ -120,6 +137,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -129,8 +147,8 @@ main(int argc, char **argv) { /** * load_keys: - * @files: the list of filenames. - * @files_size: the number of filenames in #files. + * @files: the list of filenames. + * @files_size: the number of filenames in #files. * * Creates simple keys manager and load PEM keys from #files in it. * The caller is responsible for destroing returned keys manager using 
@@ -154,43 +172,43 @@ load_keys(char** files, int files_size) { */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stderr, "Error: failed to create keys manager.\n"); - return(NULL); + fprintf(stderr, "Error: failed to create keys manager.\n"); + return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { - fprintf(stderr, "Error: failed to initialize keys manager.\n"); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + fprintf(stderr, "Error: failed to initialize keys manager.\n"); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } for(i = 0; i < files_size; ++i) { - assert(files[i]); + assert(files[i]); - /* load key */ - key = xmlSecCryptoAppKeyLoad(files[i], xmlSecKeyDataFormatPem, NULL, NULL, NULL); - if(key == NULL) { - fprintf(stderr,"Error: failed to load pem key from \"%s\"\n", files[i]); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } + /* load key */ + key = xmlSecCryptoAppKeyLoad(files[i], xmlSecKeyDataFormatPem, NULL, NULL, NULL); + if(key == NULL) { + fprintf(stderr,"Error: failed to load pem key from \"%s\"\n", files[i]); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } - /* set key name to the file name, this is just an example! */ - if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) { - fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]); - xmlSecKeyDestroy(key); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } - - /* add key to keys manager, from now on keys manager is responsible - * for destroying key - */ - if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) { - fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]); - xmlSecKeyDestroy(key); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } + /* set key name to the file name, this is just an example! 
*/ + if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) { + fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]); + xmlSecKeyDestroy(key); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } + + /* add key to keys manager, from now on keys manager is responsible + * for destroying key + */ + if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) { + fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]); + xmlSecKeyDestroy(key); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } } return(mngr); @@ -198,8 +216,8 @@ load_keys(char** files, int files_size) { /** * verify_file: - * @mngr: the pointer to keys manager. - * @xml_file: the signed XML file name. + * @mngr: the pointer to keys manager. + * @xml_file: the signed XML file name. * * Verifies XML signature in #xml_file. * 
@@ -218,35 +236,35 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) { /* load file */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); + goto done; } /* create signature context */ dsigCtx = xmlSecDSigCtxCreate(mngr); if(dsigCtx == NULL) { fprintf(stderr,"Error: failed to create signature context\n"); - goto done; + goto done; } /* Verify signature */ if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) { fprintf(stderr,"Error: signature verify\n"); - goto done; + goto done; } /* print verification result to stdout */ if(dsigCtx->status == xmlSecDSigStatusSucceeded) { - fprintf(stdout, "Signature is OK\n"); + fprintf(stdout, "Signature is OK\n"); } else { - fprintf(stdout, "Signature is INVALID\n"); + fprintf(stdout, "Signature is INVALID\n"); } /* success */ @@ -255,11 +273,11 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/verify3.c b/examples/verify3.c index b7746a0d..5f0666bb 100644 --- a/examples/verify3.c +++ b/examples/verify3.c 
@@ -7,10 +7,10 @@ * certificates management policies for another crypto library may break it. * * Usage: - * verify3 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]] + * verify3 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]] * * Example: - * ./verify3 sign3-res.xml rootcert.pem + * ./verify3 sign3-res.xml rootcert.pem * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -27,6 +27,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -39,14 +40,17 @@ int verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ xmlSecKeysMngrPtr mngr; assert(argv); if(argc < 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -57,17 +61,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -77,35 +93,35 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } /* create keys manager and load trusted certificates */ mngr = load_trusted_certs(&(argv[2]), argc - 2); if(mngr == NULL) { - return(-1); + return(-1); } /* verify file */ if(verify_file(mngr, argv[1]) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } /* destroy keys manager */ @@ -122,6 +138,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -131,8 +148,8 @@ main(int argc, char **argv) { /** * load_trusted_certs: - * @files: the list of filenames. - * @files_size: the number of filenames in #files. + * @files: the list of filenames. + * @files_size: the number of filenames in #files. * * Creates simple keys manager and load trusted certificates from PEM #files. * The caller is responsible for destroing returned keys manager using 
@@ -155,24 +172,24 @@ load_trusted_certs(char** files, int files_size) { */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stderr, "Error: failed to create keys manager.\n"); - return(NULL); + fprintf(stderr, "Error: failed to create keys manager.\n"); + return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { - fprintf(stderr, "Error: failed to initialize keys manager.\n"); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + fprintf(stderr, "Error: failed to initialize keys manager.\n"); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } for(i = 0; i < files_size; ++i) { - assert(files[i]); - - /* load trusted cert */ - if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { - fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } + assert(files[i]); + + /* load trusted cert */ + if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { + fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } } return(mngr); @@ -180,8 +197,8 @@ load_trusted_certs(char** files, int files_size) { /** * verify_file: - * @mngr: the pointer to keys manager. - * @xml_file: the signed XML file name. + * @mngr: the pointer to keys manager. + * @xml_file: the signed XML file name. * * Verifies XML signature in #xml_file. * 
@@ -200,35 +217,35 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) { /* load file */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); + goto done; } /* create signature context */ dsigCtx = xmlSecDSigCtxCreate(mngr); if(dsigCtx == NULL) { fprintf(stderr,"Error: failed to create signature context\n"); - goto done; + goto done; } /* Verify signature */ if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) { fprintf(stderr,"Error: signature verify\n"); - goto done; + goto done; } /* print verification result to stdout */ if(dsigCtx->status == xmlSecDSigStatusSucceeded) { - fprintf(stdout, "Signature is OK\n"); + fprintf(stdout, "Signature is OK\n"); } else { - fprintf(stdout, "Signature is INVALID\n"); + fprintf(stdout, "Signature is INVALID\n"); } /* success */ @@ -237,11 +254,11 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/verify4.c b/examples/verify4.c index 3d82af69..f55f58c5 100644 --- a/examples/verify4.c +++ b/examples/verify4.c 
@@ -10,15 +10,15 @@ * certificates management policies for another crypto library may break it. * * Usage: - * verify4 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]] + * verify4 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]] * * Example (sucecess): - * ./verify4 verify4-res.xml rootcert.pem + * ./verify4 verify4-res.xml rootcert.pem * * Example (failure): - * ./verify4 verify4-bad-res.xml rootcert.pem + * ./verify4 verify4-bad-res.xml rootcert.pem * In the same time, verify3 example successfuly verifies this signature: - * ./verify3 verify4-bad-res.xml rootcert.pem + * ./verify3 verify4-bad-res.xml rootcert.pem * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -35,6 +35,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -47,14 +48,17 @@ int verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file); int main(int argc, char **argv) { +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ xmlSecKeysMngrPtr mngr; assert(argv); if(argc < 3) { - fprintf(stderr, "Error: wrong number of arguments.\n"); - fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]); - return(1); + fprintf(stderr, "Error: wrong number of arguments.\n"); + fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]); + return(1); } /* Init libxml and libxslt libraries */ 
@@ -65,17 +69,29 @@ main(int argc, char **argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
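Review bot: The results of `xsltNewSecurityPrefs()` and of the five `xsltSetSecurityPrefs()` calls in the added "disable everything" block are never checked, so a failure there leaves the example running without the restrictions it means to install. `xsltNewSecurityPrefs()` returns NULL when allocation fails and `xsltSetSecurityPrefs()` returns a negative value on error; with a NULL pointer the final `xsltSetDefaultSecurityPrefs(xsltSecPrefs)` call would, as far as I can tell, register no preferences at all. I would make the block fail closed, as in the excerpt below, which follows the chained-check style `verify_file` already uses for its transform limits. The identical block added to `main` in examples/xkms-server.c (hunk `@@ -120,17 +124,29 @@`) has the same gap, and it matters more there because that program parses requests received from the network. main's body continues outside the hunk.

```c
#ifndef XMLSEC_NO_XSLT
    /* disable everything; refuse to run if the restrictions cannot be installed */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: failed to create xslt security preferences.\n");
        return(-1);
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {

        fprintf(stderr, "Error: failed to set xslt security preferences.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
#endif /* XMLSEC_NO_XSLT */
```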
@@ -85,35 +101,35 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } /* create keys manager and load trusted certificates */ mngr = load_trusted_certs(&(argv[2]), argc - 2); if(mngr == NULL) { - return(-1); + return(-1); } /* verify file */ if(verify_file(mngr, argv[1]) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } /* destroy keys manager */ @@ -130,6 +146,7 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -139,8 +156,8 @@ main(int argc, char **argv) { /** * load_trusted_certs: - * @files: the list of filenames. - * @files_size: the number of filenames in #files. + * @files: the list of filenames. + * @files_size: the number of filenames in #files. * * Creates simple keys manager and load trusted certificates from PEM #files. * The caller is responsible for destroing returned keys manager using 
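Review bot: The `xsltFreeSecurityPrefs(xsltSecPrefs);` line added to the libxslt shutdown block (hunk `@@ -130,6 +146,7 @@`) frees the structure that was registered with `xsltSetDefaultSecurityPrefs()`, so libxslt's default-preferences pointer refers to freed memory from that line on. Nothing visible uses it afterwards, but clearing the registration first with `xsltSetDefaultSecurityPrefs(NULL);` keeps the teardown safe if code is later added between the two calls. The `return(-1)` error paths earlier in `main`, visible in the preceding hunk on this line, also leave without reaching this free; that is harmless at process exit but deserves a comment such as `/* early error returns above skip this cleanup */`, since example code tends to be copied into long-running programs. The same line is added after `done:` in examples/xkms-server.c.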
@@ -163,24 +180,24 @@ load_trusted_certs(char** files, int files_size) { */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stderr, "Error: failed to create keys manager.\n"); - return(NULL); + fprintf(stderr, "Error: failed to create keys manager.\n"); + return(NULL); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { - fprintf(stderr, "Error: failed to initialize keys manager.\n"); - xmlSecKeysMngrDestroy(mngr); - return(NULL); + fprintf(stderr, "Error: failed to initialize keys manager.\n"); + xmlSecKeysMngrDestroy(mngr); + return(NULL); } for(i = 0; i < files_size; ++i) { - assert(files[i]); + assert(files[i]); - /* load trusted cert */ - if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { - fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]); - xmlSecKeysMngrDestroy(mngr); - return(NULL); - } + /* load trusted cert */ + if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { + fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]); + xmlSecKeysMngrDestroy(mngr); + return(NULL); + } } return(mngr); @@ -188,8 +205,8 @@ load_trusted_certs(char** files, int files_size) { /** * verify_file: - * @mngr: the pointer to keys manager. - * @xml_file: the signed XML file name. + * @mngr: the pointer to keys manager. + * @xml_file: the signed XML file name. * * Verifies XML signature in #xml_file. * 
@@ -208,35 +225,35 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) { /* load file */ doc = xmlParseFile(xml_file); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){ - fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file); + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs); if(node == NULL) { - fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); - goto done; + fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file); + goto done; } /* create signature context */ dsigCtx = xmlSecDSigCtxCreate(mngr); if(dsigCtx == NULL) { fprintf(stderr,"Error: failed to create signature context\n"); - goto done; + goto done; } /* limit the Reference URI attributes to empty or NULL */ dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty; - /* limit allowed transforms for siganture and reference processing */ + /* limit allowed transforms for signature and reference processing */ if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) || (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) || (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) || (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) { - fprintf(stderr,"Error: failed to limit allowed siganture transforms\n"); - goto done; + fprintf(stderr,"Error: failed to limit allowed signature transforms\n"); + goto done; } if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) || (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) || 
@@ -244,34 +261,34 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) { (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) { fprintf(stderr,"Error: failed to limit allowed reference transforms\n"); - goto done; + goto done; } /* in addition, limit possible key data to valid X509 certificates only */ if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) < 0) { fprintf(stderr,"Error: failed to limit allowed key data\n"); - goto done; + goto done; } /* Verify signature */ if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) { fprintf(stderr,"Error: signature verify\n"); - goto done; + goto done; } /* check that we have only one Reference */ if((dsigCtx->status == xmlSecDSigStatusSucceeded) && (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) { - + fprintf(stderr,"Error: only one reference is allowed\n"); - goto done; + goto done; } /* print verification result to stdout */ if(dsigCtx->status == xmlSecDSigStatusSucceeded) { - fprintf(stdout, "Signature is OK\n"); + fprintf(stdout, "Signature is OK\n"); } else { - fprintf(stdout, "Signature is INVALID\n"); + fprintf(stdout, "Signature is INVALID\n"); } /* success */ @@ -280,11 +297,11 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } return(res); } diff --git a/examples/xkms-server.c b/examples/xkms-server.c index 1021b182..188d5c73 100644 --- a/examples/xkms-server.c +++ b/examples/xkms-server.c 
@@ -4,10 +4,10 @@ * Starts XKMS server on specified port. * * Usage: - * ./xkms-server [--port <port>] [--format plain|soap-1.1|soap-1.2] <keys-file> + * ./xkms-server [--port <port>] [--format plain|soap-1.1|soap-1.2] <keys-file> * * Example: - * ./xkms-server --port 8080 --format soap-1.1 keys.xml + * ./xkms-server --port 8080 --format soap-1.1 keys.xml * * This is free software; see Copyright file in the source * distribution for preciese wording. @@ -23,8 +23,8 @@ #ifdef XMLSEC_NO_XKMS int main(int argc, char** argv) { - fprintf(stderr, "ERROR: XKMS is disabled.\n"); - return 1; + fprintf(stderr, "ERROR: XKMS is disabled.\n"); + return 1; } #else /* XMLSEC_NO_XKMS */ @@ -35,6 +35,7 @@ int main(int argc, char** argv) { #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -64,13 +65,13 @@ int main(int argc, char** argv) { #endif /* WIN32_SOCKETS */ #endif /* UNIX_SOCKETS */ -#define DEFAULT_PORT 1234 -#define PENDING_QUEUE_SIZE 100 +#define DEFAULT_PORT 1234 +#define PENDING_QUEUE_SIZE 100 -#define LOG_LEVEL_SILENT 0 -#define LOG_LEVEL_INFO 1 -#define LOG_LEVEL_DATA 2 -#define LOG_LEVEL_DEBUG 3 +#define LOG_LEVEL_SILENT 0 +#define LOG_LEVEL_INFO 1 +#define LOG_LEVEL_DATA 2 +#define LOG_LEVEL_DEBUG 3 #ifdef UNIX_SOCKETS static int sockfd = -1; @@ -91,7 +92,7 @@ static const xmlChar* my_strnstr(const xmlChar* str, xmlSecSize strLen, const xm static int handle_connection(int fd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFormat format); static int read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer); static int send_response(int fd, const char* in_ip, int resp_code, - const char* body, int body_size); + const char* body, int body_size); static char usage[] = "[--port <port>] [--format plain|soap-1.1|soap-1.2] <keys-file>"; static char http_header[] = 
@@ -105,6 +106,9 @@ static char http_503[] = int main(int argc, char** argv) { int argpos; unsigned short port = DEFAULT_PORT; +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ xmlSecKeysMngrPtr mngr = NULL; xmlSecXkmsServerCtxPtr xkmsCtx = NULL; xmlSecXkmsServerFormat format = xmlSecXkmsServerFormatPlain; @@ -120,17 +124,29 @@ int main(int argc, char** argv) { #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stderr, "Error %d: xmlsec initialization failed.\n", errno); - return(-1); + fprintf(stderr, "Error %d: xmlsec initialization failed.\n", errno); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stderr, "Error %d: loaded xmlsec library version is not compatible.\n", errno); - return(-1); + fprintf(stderr, "Error %d: loaded xmlsec library version is not compatible.\n", errno); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
@@ -140,115 +156,115 @@ int main(int argc, char** argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stderr, "Error %d: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n", errno); - return(-1); + fprintf(stderr, "Error %d: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n", errno); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(NULL) < 0) { - fprintf(stderr, "Error %d: crypto initialization failed.\n", errno); - return(-1); + fprintf(stderr, "Error %d: crypto initialization failed.\n", errno); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stderr, "Error %d: xmlsec-crypto initialization failed.\n", errno); - return(-1); + fprintf(stderr, "Error %d: xmlsec-crypto initialization failed.\n", errno); + return(-1); } /* Create and initialize keys manager */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stderr, "Error %d: failed to create keys manager.\n", errno); - goto done; + fprintf(stderr, "Error %d: failed to create keys manager.\n", errno); + goto done; } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { - fprintf(stderr, "Error %d: failed to initialize keys manager.\n", errno); - goto done; + fprintf(stderr, "Error %d: failed to initialize keys manager.\n", errno); + goto done; } /* Create XKMS server context */ xkmsCtx = xmlSecXkmsServerCtxCreate(mngr); if(xkmsCtx == NULL) { - fprintf(stderr, "Error %d: XKMS server context initialization failed\n", errno); - goto done; + fprintf(stderr, "Error %d: XKMS server context initialization failed\n", errno); + goto done; } /* Process input parameters */ for(argpos = 1; (argpos < argc) && (argv[argpos][0] == 
'-'); argpos++) { - if((strcmp(argv[argpos], "--port") == 0) || (strcmp(argv[argpos], "-p") == 0)) { - argpos++; - port = atoi(argv[argpos]); - if(port == 0) { - fprintf(stderr, "Error %d: invalid port number \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); - goto done; - } - } else if((strcmp(argv[argpos], "--format") == 0) || (strcmp(argv[argpos], "-f") == 0)) { - argpos++; - format = xmlSecXkmsServerFormatFromString(BAD_CAST argv[argpos]); - if(format == xmlSecXkmsServerFormatUnknown) { - fprintf(stderr, "Error %d: invalid format \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); - goto done; - } - } else if((strcmp(argv[argpos], "--log-level") == 0) || (strcmp(argv[argpos], "-l") == 0)) { - argpos++; - log_level = atoi(argv[argpos]); - } else { - fprintf(stderr, "Error %d: unknown parameter \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); - goto done; - } + if((strcmp(argv[argpos], "--port") == 0) || (strcmp(argv[argpos], "-p") == 0)) { + argpos++; + port = atoi(argv[argpos]); + if(port == 0) { + fprintf(stderr, "Error %d: invalid port number \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); + goto done; + } + } else if((strcmp(argv[argpos], "--format") == 0) || (strcmp(argv[argpos], "-f") == 0)) { + argpos++; + format = xmlSecXkmsServerFormatFromString(BAD_CAST argv[argpos]); + if(format == xmlSecXkmsServerFormatUnknown) { + fprintf(stderr, "Error %d: invalid format \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); + goto done; + } + } else if((strcmp(argv[argpos], "--log-level") == 0) || (strcmp(argv[argpos], "-l") == 0)) { + argpos++; + log_level = atoi(argv[argpos]); + } else { + fprintf(stderr, "Error %d: unknown parameter \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); + goto done; + } } if(argpos >= argc) { - fprintf(stderr, "Error %d: keys file is not specified.\nUsage: %s %s\n", errno, argv[0], usage); - goto done; + fprintf(stderr, "Error %d: keys file is not 
specified.\nUsage: %s %s\n", errno, argv[0], usage); + goto done; } /* Load keys */ for(; argpos < argc; argpos++) { if(xmlSecCryptoAppDefaultKeysMngrLoad(mngr, argv[argpos]) < 0) { - fprintf(stderr, "Error %d: failed to load xml keys file \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); - goto done; - } - if(log_level >= LOG_LEVEL_INFO) { - fprintf(stdout, "Log: loaded keys from \"%s\"\n", argv[argpos]); - } + fprintf(stderr, "Error %d: failed to load xml keys file \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage); + goto done; + } + if(log_level >= LOG_LEVEL_INFO) { + fprintf(stdout, "Log: loaded keys from \"%s\"\n", argv[argpos]); + } } /* Startup TCP server */ if(init_server(port) < 0) { - fprintf(stderr, "Error, errno: server initialization failed\n", errno); - goto done; + fprintf(stderr, "Error, errno: server initialization failed\n", errno); + goto done; } assert(sockfd != -1); /* main loop: accept connections and process requests */ while(finished == 0) { - fd_set fds; + fd_set fds; struct timeval timeout; - - /* Set up polling using select() */ - FD_ZERO(&fds); - FD_SET(sockfd, &fds); - memset(&timeout, 0, sizeof(timeout)); - timeout.tv_sec = 1; - ret = select(sockfd + 1, &fds, NULL, NULL, &timeout); - if((ret <= 0) || !FD_ISSET(sockfd, &fds)) { - /* error, timed out or not our socket: try again */ - continue; - } - - if(handle_connection(sockfd, xkmsCtx, format) < 0) { - fprintf(stderr, "Error %d: unable to accept incomming connection\n"); - goto done; - } + + /* Set up polling using select() */ + FD_ZERO(&fds); + FD_SET(sockfd, &fds); + memset(&timeout, 0, sizeof(timeout)); + timeout.tv_sec = 1; + ret = select(sockfd + 1, &fds, NULL, NULL, &timeout); + if((ret <= 0) || !FD_ISSET(sockfd, &fds)) { + /* error, timed out or not our socket: try again */ + continue; + } + + if(handle_connection(sockfd, xkmsCtx, format) < 0) { + fprintf(stderr, "Error %d: unable to accept incomming connection\n"); + goto done; + } } done: 
if(log_level >= LOG_LEVEL_INFO) { - fprintf(stdout, "Log: server is shutting down\n"); + fprintf(stdout, "Log: server is shutting down\n"); } /* Shutdown TCP server */ @@ -256,14 +272,14 @@ done: /* Destroy xkms server context */ if(xkmsCtx != NULL) { - xmlSecXkmsServerCtxDestroy(xkmsCtx); - xkmsCtx = NULL; + xmlSecXkmsServerCtxDestroy(xkmsCtx); + xkmsCtx = NULL; } /* Destroy keys manager */ if(mngr != NULL) { xmlSecKeysMngrDestroy(mngr); - mngr = NULL; + mngr = NULL; } /* Shutdown xmlsec-crypto library */ @@ -277,6 +293,7 @@ done: /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser(); @@ -287,7 +304,7 @@ done: /** * init_server: - * @port: the server'xmlSecBufferGetData(buffer) TCP port number. + * @port: the server'xmlSecBufferGetData(buffer) TCP port number. * * Starts up a TCP server listening on given @port. * @@ -303,8 +320,8 @@ init_server(unsigned short port) { #ifdef WIN32_SOCKETS if(WSAStartup(MAKEWORD(1,1), &data)) { - fprintf(stderr, "Error %d: WSAStartup() failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: WSAStartup() failed\n", errno); + return(-1); } #endif /* WIN32_SOCKETS */ 
@@ -318,44 +335,44 @@ init_server(unsigned short port) { if(sockfd == INVALID_SOCKET) { #endif /* WIN32_SOCKETS */ - fprintf(stderr, "Error %d: socket() failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: socket() failed\n", errno); + return(-1); } /* enable reuse of address */ flags = 1; if(setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&flags, sizeof(flags)) != 0) { - fprintf(stderr, "Error %d: setsockopt(SO_REUSEADDR) failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: setsockopt(SO_REUSEADDR) failed\n", errno); + return(-1); } #ifdef UNIX_SOCKETS /* set non-blocking */ flags = fcntl(sockfd, F_GETFL); if(flags < 0) { - fprintf(stderr, "Error %d: fcntl(F_GETFL) failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: fcntl(F_GETFL) failed\n", errno); + return(-1); } if(fcntl(sockfd, F_SETFL, flags | O_NONBLOCK) < 0) { - fprintf(stderr, "Error %d: fcntl(F_SETFL) failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: fcntl(F_SETFL) failed\n", errno); + return(-1); } #endif /* UNIX_SOCKETS */ /* preset socket structure for socket binding */ memset(&saddr, 0, sizeof(saddr)); - saddr.sin_family = AF_INET; - saddr.sin_port = htons(port); - saddr.sin_addr.s_addr = INADDR_ANY; + saddr.sin_family = AF_INET; + saddr.sin_port = htons(port); + saddr.sin_addr.s_addr = INADDR_ANY; if(bind(sockfd, (struct sockaddr *)&saddr, sizeof(struct sockaddr)) != 0) { - fprintf(stderr, "Error %d: bind() failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: bind() failed\n", errno); + return(-1); } /* prepare for listening */ if(listen(sockfd, PENDING_QUEUE_SIZE) != 0) { - fprintf(stderr, "Error %d: listen() failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: listen() failed\n", errno); + return(-1); } #ifdef UNIX_SOCKETS @@ -386,8 +403,8 @@ stop_server() { #ifdef WIN32_SOCKETS if(sockfd != -1) { - close(sockfd); - sockfd = -1; + close(sockfd); + sockfd = -1; } #endif /* WIN32_SOCKETS */ if(log_level >= LOG_LEVEL_INFO) { 
@@ -397,7 +414,7 @@ stop_server() { /** * int_signal_handler: - * @sig_num: the signal number. + * @sig_num: the signal number. * * Unix's Ctrl-C signal handler that stops the server. */ @@ -411,9 +428,9 @@ int_signal_handler(int sig_num) { /** * handle_connection: - * @sockfd: the server's socket. - * @xkmsCtx: the template XKMS server context. - * @format: the expected format of XKMS requests. + * @sockfd: the server's socket. + * @xkmsCtx: the template XKMS server context. + * @format: the expected format of XKMS requests. * * Establishs a connection, forks a child process (onUnix), reads the request, * processes it and writes back the response. @@ -457,8 +474,8 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo if(sockfd == INVALID_SOCKET) { #endif /* WIN32_SOCKETS */ - fprintf(stderr, "Error %d: accept() failed\n", errno); - return(-1); + fprintf(stderr, "Error %d: accept() failed\n", errno); + return(-1); } if(log_level >= LOG_LEVEL_INFO) { fprintf(stdout, "Log [%s]: got connection\n", inet_ntoa(saddr.sin_addr)); 
@@ -467,19 +484,19 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo /* Create a copy of XKMS server context */ xkmsCtx2 = xmlSecXkmsServerCtxCreate(NULL); if(xkmsCtx2 == NULL) { - fprintf(stderr, "Error %d [%s]: a copy of XKMS server context initialization failed\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: a copy of XKMS server context initialization failed\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } if(xmlSecXkmsServerCtxCopyUserPref(xkmsCtx2, xkmsCtx) < 0) { - fprintf(stderr, "Error %d [%s]: XKMS server context copy failed\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: XKMS server context copy failed\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } #ifdef UNIX_SOCKETS /* on Unix we use child process to process requests */ if(fork()) { - /* parent process */ - return(0); + /* parent process */ + return(0); } /* child process */ 
@@ -489,36 +506,36 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo buffer = xmlSecBufferCreate(0); if(buffer == NULL) { - fprintf(stderr, "Error %d [%s]: xmlSecBufferCreate() failed\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: xmlSecBufferCreate() failed\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } /* read input request */ ret = read_request(fd, inet_ntoa(saddr.sin_addr), buffer); if(ret < 0) { - fprintf(stderr, "Error %d [%s]: read_request() failed\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: read_request() failed\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } /* parse request */ inDoc = xmlParseMemory(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer) ); if((inDoc == NULL) || (xmlDocGetRootElement(inDoc) == NULL)) { - fprintf(stderr, "Error %d [%s]: failed to parse request\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: failed to parse request\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } xmlSecBufferEmpty(buffer); /* prepare result document */ outDoc = xmlNewDoc(BAD_CAST "1.0"); if(outDoc == NULL) { - fprintf(stderr, "Error %d [%s]: failed to create result doc\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: failed to create result doc\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } result = xmlSecXkmsServerCtxProcess(xkmsCtx2, xmlDocGetRootElement(inDoc), format, outDoc); if(result == NULL) { - fprintf(stderr, "Error %d [%s]: failed to process xkms server request\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: failed to process xkms server request\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } /* apppend returned result node to the output document */ 
@@ -527,8 +544,8 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo /* create LibXML2 output buffer */ output = xmlSecBufferCreateOutputBuffer(buffer); if(output == NULL) { - fprintf(stderr, "Error %d [%s]: xmlSecBufferCreateOutputBuffer() failed\n", errno, inet_ntoa(saddr.sin_addr)); - goto done; + fprintf(stderr, "Error %d [%s]: xmlSecBufferCreateOutputBuffer() failed\n", errno, inet_ntoa(saddr.sin_addr)); + goto done; } xmlNodeDumpOutput(output, result->doc, result, 0, 0, NULL); 
@@ -537,72 +554,72 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo done: /* send back response */ if((resp_ready == 1) && (xmlSecBufferGetData(buffer) != NULL)) { - ret = send_response(fd, inet_ntoa(saddr.sin_addr), 200, xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer)); - if(log_level >= LOG_LEVEL_INFO) { - fprintf(stdout, "Log [%s]: processed request\n", inet_ntoa(saddr.sin_addr)); - } + ret = send_response(fd, inet_ntoa(saddr.sin_addr), 200, xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer)); + if(log_level >= LOG_LEVEL_INFO) { + fprintf(stdout, "Log [%s]: processed request\n", inet_ntoa(saddr.sin_addr)); + } } else if(fd >= 0) { - ret = send_response(fd, inet_ntoa(saddr.sin_addr), 503, http_503, strlen(http_503)); + ret = send_response(fd, inet_ntoa(saddr.sin_addr), 503, http_503, strlen(http_503)); if(log_level >= LOG_LEVEL_INFO) { - fprintf(stdout, "Log [%s]: failed to process request\n", inet_ntoa(saddr.sin_addr)); - } + fprintf(stdout, "Log [%s]: failed to process request\n", inet_ntoa(saddr.sin_addr)); + } } else { - ret = -1; + ret = -1; } if(ret < 0) { - fprintf(stderr, "Error %d [%s]: send_response() failed\n", errno, inet_ntoa(saddr.sin_addr)); + fprintf(stderr, "Error %d [%s]: send_response() failed\n", errno, inet_ntoa(saddr.sin_addr)); } /* cleanup */ if(output != NULL) { - xmlOutputBufferClose(output); - output = NULL; + xmlOutputBufferClose(output); + output = NULL; } if(outDoc != NULL) { - xmlFreeDoc(outDoc); - outDoc = NULL; + xmlFreeDoc(outDoc); + outDoc = NULL; } if(inDoc != NULL) { - xmlFreeDoc(inDoc); - inDoc = NULL; + xmlFreeDoc(inDoc); + inDoc = NULL; } if(buffer != NULL) { - xmlSecBufferDestroy(buffer); - buffer = NULL; + xmlSecBufferDestroy(buffer); + buffer = NULL; } if(xkmsCtx2 != NULL) { - xmlSecXkmsServerCtxDestroy(xkmsCtx2); - xkmsCtx2 = NULL; + xmlSecXkmsServerCtxDestroy(xkmsCtx2); + xkmsCtx2 = NULL; } if(fd >= 0) { #ifdef UNIX_SOCKETS - shutdown(fd, SHUT_RDWR); - close(fd); + 
shutdown(fd, SHUT_RDWR); + close(fd); #endif /* UNIX_SCOKETS */ #ifdef WIN32_SOCKETS - close(fd); + close(fd); #endif /* WIN32_SCOKETS */ - fd = -1; + fd = -1; } if(in_child_process) { - exit(0); + exit(0); } return(0); } /** * read_request: - * @fd: the request's socket. - * @in_ip: the request's IP address (for logging). - * @buffer: the output buffer. + * @fd: the request's socket. + * @in_ip: the request's IP address (for logging). + * @buffer: the output buffer. * * Reads the request from socket @fd and stores it in the @buffer. * @@ -625,16 +642,16 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) { /* first read the http headers */ counter = 5; while(my_strnstr(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), BAD_CAST "\r\n\r\n", 4) == NULL) { - nread = recv(fd, buf, sizeof(buf), 0); - if(nread < 0) { - fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip); - return(-1); - } + nread = recv(fd, buf, sizeof(buf), 0); + if(nread < 0) { + fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip); + return(-1); + } - if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) { - fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread); - return(-1); - } + if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) { + fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread); + return(-1); + } if(nread < sizeof(buffer)) { counter--; 
@@ -646,13 +663,13 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) { if(xmlSecBufferGetData(buffer) == NULL) { fprintf(stderr, "Error %d [%s]: no bytes read\n", errno, in_ip); - return(-1); + return(-1); } if(log_level >= LOG_LEVEL_DEBUG) { - xmlSecBufferAppend(buffer, BAD_CAST "\0", 1); + xmlSecBufferAppend(buffer, BAD_CAST "\0", 1); fprintf(stdout, "Debug [%s]: request headers:\n%s\n", in_ip, xmlSecBufferGetData(buffer)); - xmlSecBufferRemoveTail(buffer, 1); + xmlSecBufferRemoveTail(buffer, 1); } /* Parse the request and extract the body. We expect the request to look 
@@ -660,37 +677,37 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) { * POST <path> HTTP/1.x\r\n * <header1>\r\n * <header2>\r\n - * ... + * ... * <headerN>\r\n - * \r\n - * <body> + * \r\n + * <body> */ /* analyze the first line */ p = my_strnstr(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), BAD_CAST "\r\n", 2); if(p == NULL) { - fprintf(stderr, "Error %d [%s]: there is no HTTP header\n", errno, in_ip); - return(-1); + fprintf(stderr, "Error %d [%s]: there is no HTTP header\n", errno, in_ip); + return(-1); } if(xmlStrncasecmp(xmlSecBufferGetData(buffer), BAD_CAST "POST ", 5) != 0) { - fprintf(stderr, "Error %d [%s]: not a POST request\n", errno, in_ip); - return(-1); + fprintf(stderr, "Error %d [%s]: not a POST request\n", errno, in_ip); + return(-1); } /* "POST " + " HTTP/1.x" == 14 */ s = xmlSecBufferGetData(buffer); if(p - s <= 14) { - fprintf(stderr, "Error %d [%s]: first line has bad length\n", errno, in_ip); - return(-1); + fprintf(stderr, "Error %d [%s]: first line has bad length\n", errno, in_ip); + return(-1); } if((xmlStrncasecmp(p - 9, BAD_CAST " HTTP/1.0", 9) != 0) && (xmlStrncasecmp(p - 9, BAD_CAST " HTTP/1.1", 9) != 0)) { - + fprintf(stderr, "Error %d [%s]: first line does not end with \" HTTP/1.x\"\n", errno, in_ip); - return(-1); + return(-1); } if(xmlSecBufferRemoveHead(buffer, p - xmlSecBufferGetData(buffer) + 2) < 0) { - fprintf(stderr, "Error %d [%s]: failed to skip first line\n", errno, in_ip); - return(-1); + fprintf(stderr, "Error %d [%s]: failed to skip first line\n", errno, in_ip); + return(-1); } /* now skip all the headers (i.e. everything until empty line) */ 
@@ -699,19 +716,19 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) { p = my_strnstr(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), BAD_CAST "\r\n", 2); if(p == NULL) { fprintf(stderr, "Error %d [%s]: there is no HTTP body\n", errno, in_ip); - return(-1); - } - - if(p == xmlSecBufferGetData(buffer)) { - found = 1; - } else if(xmlStrncasecmp(xmlSecBufferGetData(buffer), BAD_CAST "Content-length: ", 16) == 0) { - length = atoi(xmlSecBufferGetData(buffer) + 16); - } - - if(xmlSecBufferRemoveHead(buffer, p - xmlSecBufferGetData(buffer) + 2) < 0) { - fprintf(stderr, "Error %d [%s]: failed to skip header line\n", errno, in_ip); - return(-1); - } + return(-1); + } + + if(p == xmlSecBufferGetData(buffer)) { + found = 1; + } else if(xmlStrncasecmp(xmlSecBufferGetData(buffer), BAD_CAST "Content-length: ", 16) == 0) { + length = atoi(xmlSecBufferGetData(buffer) + 16); + } + + if(xmlSecBufferRemoveHead(buffer, p - xmlSecBufferGetData(buffer) + 2) < 0) { + fprintf(stderr, "Error %d [%s]: failed to skip header line\n", errno, in_ip); + return(-1); + } } /* remove the trailing \0 we added */ @@ -720,16 +737,16 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) { /* now read the body */ counter = 5; while(xmlSecBufferGetSize(buffer) < length) { - nread = recv(fd, buf, sizeof(buf), 0); - if(nread < 0) { - fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip); - return(-1); - } - - if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) { - fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread); - return(-1); - } + nread = recv(fd, buf, sizeof(buf), 0); + if(nread < 0) { + fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip); + return(-1); + } + + if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) { + fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread); + return(-1); + } if(nread < sizeof(buffer)) { counter--; if(counter <= 0) { 
@@ -738,23 +755,23 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) { } } if(log_level >= LOG_LEVEL_INFO) { - fprintf(stdout, "Log [%s]: body size is %d bytes\n", in_ip, xmlSecBufferGetSize(buffer)); + fprintf(stdout, "Log [%s]: body size is %d bytes\n", in_ip, xmlSecBufferGetSize(buffer)); } if(log_level >= LOG_LEVEL_DATA) { - xmlSecBufferAppend(buffer, BAD_CAST "\0", 1); + xmlSecBufferAppend(buffer, BAD_CAST "\0", 1); fprintf(stdout, "Log [%s]: request body:\n%s\n", in_ip, xmlSecBufferGetData(buffer)); - xmlSecBufferRemoveTail(buffer, 1); + xmlSecBufferRemoveTail(buffer, 1); } return(0); } /** * send_response: - * @fd: the request's socket. - * @in_ip: the request's IP address (for logging). - * @resp_code: the HTTP response code. - * @body: the response body. - * @body_len: the response body length. + * @fd: the request's socket. + * @in_ip: the request's IP address (for logging). + * @resp_code: the HTTP response code. + * @body: the response body. + * @body_len: the response body length. * * Writes HTTP response headers and @body to the @socket. * @@ -772,20 +789,20 @@ send_response(int fd, const char* in_ip, int resp_code, const char* body, int bo /* prepare and send http header */ sprintf(header, http_header, resp_code, body_size); if(send(fd, header, strlen(header), 0) == -1) { - fprintf(stderr, "Error %d [%s]: send(header) failed\n", errno, in_ip); - return(-1); + fprintf(stderr, "Error %d [%s]: send(header) failed\n", errno, in_ip); + return(-1); } if(log_level >= LOG_LEVEL_DATA) { - xmlChar* tmp = xmlStrndup(body, body_size); + xmlChar* tmp = xmlStrndup(body, body_size); fprintf(stdout, "Log [%s]: response is\n%s\n", in_ip, tmp); - xmlFree(tmp); + xmlFree(tmp); } /* send body */ if(send(fd, body, body_size, 0) == -1) { - fprintf(stderr, "Error %d [%s]: send(body) failed\n", errno, in_ip); - return(-1); + fprintf(stderr, "Error %d [%s]: send(body) failed\n", errno, in_ip); + return(-1); } return(0); 
diff --git a/examples/xmldsigverify.c b/examples/xmldsigverify.c index a4c9f532..f4c376ea 100644 --- a/examples/xmldsigverify.c +++ b/examples/xmldsigverify.c @@ -17,6 +17,7 @@ #ifndef XMLSEC_NO_XSLT #include <libxslt/xslt.h> +#include <libxslt/security.h> #endif /* XMLSEC_NO_XSLT */ #include <xmlsec/xmlsec.h> @@ -24,9 +25,9 @@ #include <xmlsec/xmldsig.h> #include <xmlsec/crypto.h> -/* #define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/etc/httpd/conf/ssl.crt" */ -#define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/var/www/cgi-bin/keys-certs.def" -#define XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER "/var/www/cgi-bin/keys-certs" +/* #define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/etc/httpd/conf/ssl.crt" */ +#define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/var/www/cgi-bin/keys-certs.def" +#define XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER "/var/www/cgi-bin/keys-certs" int load_keys(xmlSecKeysMngrPtr mngr, const char* path, int report_loaded_keys); @@ -37,7 +38,10 @@ int url_decode(char *buf, size_t size); int main(int argc, char **argv) { xmlSecKeysMngrPtr mngr; - +#ifndef XMLSEC_NO_XSLT + xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + /* start response */ fprintf(stdout, "Content-type: text/plain\n"); fprintf(stdout, "\n"); 
@@ -53,17 +57,29 @@ main(int argc, char **argv) { /* make sure that we print out everything to stdout */ xmlGenericErrorContext = stdout; - + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec library */ if(xmlSecInit() < 0) { - fprintf(stdout, "Error: xmlsec initialization failed.\n"); - return(-1); + fprintf(stdout, "Error: xmlsec initialization failed.\n"); + return(-1); } /* Check loaded library version */ if(xmlSecCheckVersion() != 1) { - fprintf(stdout, "Error: loaded xmlsec library version is not compatible.\n"); - return(-1); + fprintf(stdout, "Error: loaded xmlsec library version is not compatible.\n"); + return(-1); } /* Load default crypto engine if we are supporting dynamic 
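Review bot: The return value of `xsltNewSecurityPrefs()` is never checked in this hunk, and neither are the five `xsltSetSecurityPrefs()` calls. If the allocation fails, `xsltSetDefaultSecurityPrefs(xsltSecPrefs)` installs a NULL default, which as far as I can tell leaves libxslt running with no file or network restrictions. A hardening step in a CGI program should fail closed, e.g. `if(xsltSecPrefs == NULL) { fprintf(stdout, "Error: xslt security prefs initialization failed.\n"); return(-1); }` right after the allocation, and ideally check the setter results too. These preferences cover libxslt transforms only: the `xmlReadMemory` call in verify_request further down still parses the stdin request with `XML_PARSE_NOENT`, so entity handling at parse time is not covered by this change. The body of main starts and ends outside this hunk.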
@@ -73,49 +89,49 @@ main(int argc, char **argv) { */ #ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) { - fprintf(stdout, "Error: unable to load default xmlsec-crypto library. Make sure\n" - "that you have it installed and check shared libraries path\n" - "(LD_LIBRARY_PATH) envornment variable.\n"); - return(-1); + fprintf(stdout, "Error: unable to load default xmlsec-crypto library. Make sure\n" + "that you have it installed and check shared libraries path\n" + "(LD_LIBRARY_PATH) envornment variable.\n"); + return(-1); } #endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */ /* Init crypto library */ if(xmlSecCryptoAppInit(XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER) < 0) { - fprintf(stdout, "Error: crypto initialization failed.\n"); - return(-1); + fprintf(stdout, "Error: crypto initialization failed.\n"); + return(-1); } /* Init xmlsec-crypto library */ if(xmlSecCryptoInit() < 0) { - fprintf(stdout, "Error: xmlsec-crypto initialization failed.\n"); - return(-1); + fprintf(stdout, "Error: xmlsec-crypto initialization failed.\n"); + return(-1); } /* create keys manager */ mngr = xmlSecKeysMngrCreate(); if(mngr == NULL) { - fprintf(stdout, "Error: failed to create keys manager.\n"); - return(-1); + fprintf(stdout, "Error: failed to create keys manager.\n"); + return(-1); } if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) { - fprintf(stdout, "Error: failed to initialize keys manager.\n"); - return(-1); + fprintf(stdout, "Error: failed to initialize keys manager.\n"); + return(-1); } if(load_keys(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } if(load_trusted_certs(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } if(verify_request(mngr) < 0) { - xmlSecKeysMngrDestroy(mngr); - return(-1); + xmlSecKeysMngrDestroy(mngr); + return(-1); } /* Destroy 
keys manager */ @@ -132,8 +148,10 @@ main(int argc, char **argv) { /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ + xmlCleanupParser(); return(0); @@ -141,8 +159,8 @@ main(int argc, char **argv) { /** * load_trusted_certs: - * @mngr: the keys manager. - * @path: the path to a folder that contains trusted certificates. + * @mngr: the keys manager. + * @path: the path to a folder that contains trusted certificates. * * Loads trusted certificates from @path. * 
@@ -159,33 +177,33 @@ int load_trusted_certs(xmlSecKeysMngrPtr mngr, const char* path, int report_load dir = opendir(path); if(dir == NULL) { - fprintf(stdout, "Error: failed to open folder \"%s\".\n", path); - return(-1); + fprintf(stdout, "Error: failed to open folder \"%s\".\n", path); + return(-1); } while((entry = readdir(dir)) != NULL) { - assert(entry->d_name); - len = strlen(entry->d_name); - if((len > 4) && (strcmp(entry->d_name + len - 4, ".pem") == 0)) { - snprintf(filename, sizeof(filename), "%s/%s", path, entry->d_name); - if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { - fprintf(stdout,"Error: failed to load pem certificate from \"%s\"\n", filename); - closedir(dir); - return(-1); - } - if(report_loaded_certs) { - fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename); - } - } else if((len > 4) && (strcmp(entry->d_name + len - 4, ".der") == 0)) { - snprintf(filename, sizeof(filename), "%s/%s", path, entry->d_name); - if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatDer, xmlSecKeyDataTypeTrusted) < 0) { - fprintf(stdout,"Error: failed to load der certificate from \"%s\"\n", filename); - closedir(dir); - return(-1); - } - if(report_loaded_certs) { - fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename); - } - } + assert(entry->d_name); + len = strlen(entry->d_name); + if((len > 4) && (strcmp(entry->d_name + len - 4, ".pem") == 0)) { + snprintf(filename, sizeof(filename), "%s/%s", path, entry->d_name); + if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) { + fprintf(stdout,"Error: failed to load pem certificate from \"%s\"\n", filename); + closedir(dir); + return(-1); + } + if(report_loaded_certs) { + fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename); + } + } else if((len > 4) && (strcmp(entry->d_name + len - 4, ".der") == 0)) { + snprintf(filename, 
sizeof(filename), "%s/%s", path, entry->d_name); + if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatDer, xmlSecKeyDataTypeTrusted) < 0) { + fprintf(stdout,"Error: failed to load der certificate from \"%s\"\n", filename); + closedir(dir); + return(-1); + } + if(report_loaded_certs) { + fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename); + } + } } closedir(dir); return(0); @@ -198,8 +216,8 @@ int load_keys(xmlSecKeysMngrPtr mngr, const char* path, int report_loaded_keys) snprintf(filename, sizeof(filename), "%s/keys.xml", path); if(xmlSecCryptoAppDefaultKeysMngrLoad(mngr, filename) < 0) { - fprintf(stdout,"Error: failed to load keys from \"%s\"\n", filename); - return(-1); + fprintf(stdout,"Error: failed to load keys from \"%s\"\n", filename); + return(-1); } if(report_loaded_keys) { @@ -211,7 +229,7 @@ int load_keys(xmlSecKeysMngrPtr mngr, const char* path, int report_loaded_keys) /** * verify_request: - * @mng: the keys manager + * @mng: the keys manager * * Verifies XML signature in the request (stdin). * 
@@ -232,35 +250,35 @@ verify_request(xmlSecKeysMngrPtr mngr) { /* load request in the buffer */ buffer = xmlBufferCreate(); if(buffer == NULL) { - fprintf(stdout,"Error: failed to create buffer\n"); - goto done; + fprintf(stdout,"Error: failed to create buffer\n"); + goto done; } while(!feof(stdin)) { - ret = fread(buf, 1, sizeof(buf), stdin); - if(ret < 0) { - fprintf(stdout,"Error: read failed\n"); - goto done; - } - xmlBufferAdd(buffer, buf, ret); + ret = fread(buf, 1, sizeof(buf), stdin); + if(ret < 0) { + fprintf(stdout,"Error: read failed\n"); + goto done; + } + xmlBufferAdd(buffer, buf, ret); } /* is the document subbmitted from the form? */ if(strncmp((char*)xmlBufferContent(buffer), "_xmldoc=", 8) == 0) { - xmlBufferShrink(buffer, 8); - buffer->use = url_decode((char*)xmlBufferContent(buffer), xmlBufferLength(buffer)); + xmlBufferShrink(buffer, 8); + buffer->use = url_decode((char*)xmlBufferContent(buffer), xmlBufferLength(buffer)); } /** * Load doc */ doc = xmlReadMemory(xmlBufferContent(buffer), xmlBufferLength(buffer), - NULL, NULL, - XML_PARSE_NOENT | XML_PARSE_NOCDATA | - XML_PARSE_PEDANTIC | XML_PARSE_NOCDATA); + NULL, NULL, + XML_PARSE_NOENT | XML_PARSE_NOCDATA | + XML_PARSE_PEDANTIC | XML_PARSE_NOCDATA); if (doc == NULL) { - fprintf(stdout, "Error: unable to parse xml document (syntax error)\n"); - goto done; + fprintf(stdout, "Error: unable to parse xml document (syntax error)\n"); + goto done; } /* 
@@ -268,41 +286,41 @@ verify_request(xmlSecKeysMngrPtr mngr) { */ if(xmlDocGetRootElement(doc) == NULL) { fprintf(stdout,"Error: empty document\n"); - goto done; + goto done; } /* find start node */ node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs); if(node == NULL) { - fprintf(stdout, "Error: start <dsig:Signature/> node not found\n"); - goto done; + fprintf(stdout, "Error: start <dsig:Signature/> node not found\n"); + goto done; } /* create signature context */ dsigCtx = xmlSecDSigCtxCreate(mngr); if(dsigCtx == NULL) { fprintf(stdout,"Error: failed to create signature context\n"); - goto done; + goto done; } /* we would like to store and print out everything */ /* actually we would not because it opens a security hole dsigCtx->flags = XMLSEC_DSIG_FLAGS_STORE_SIGNEDINFO_REFERENCES | - XMLSEC_DSIG_FLAGS_STORE_MANIFEST_REFERENCES | - XMLSEC_DSIG_FLAGS_STORE_SIGNATURE; + XMLSEC_DSIG_FLAGS_STORE_MANIFEST_REFERENCES | + XMLSEC_DSIG_FLAGS_STORE_SIGNATURE; */ /* Verify signature */ if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) { fprintf(stdout,"Error: signature verification failed\n"); - goto done; + goto done; } /* print verification result to stdout */ if(dsigCtx->status == xmlSecDSigStatusSucceeded) { - fprintf(stdout, "RESULT: Signature is OK\n"); + fprintf(stdout, "RESULT: Signature is OK\n"); } else { - fprintf(stdout, "RESULT: Signature is INVALID\n"); + fprintf(stdout, "RESULT: Signature is INVALID\n"); } fprintf(stdout, "---------------------------------------------------\n"); xmlSecDSigCtxDebugDump(dsigCtx, stdout); 
@@ -313,30 +331,30 @@ verify_request(xmlSecKeysMngrPtr mngr) { done: /* cleanup */ if(dsigCtx != NULL) { - xmlSecDSigCtxDestroy(dsigCtx); + xmlSecDSigCtxDestroy(dsigCtx); } if(doc != NULL) { - xmlFreeDoc(doc); + xmlFreeDoc(doc); } if(buffer != NULL) { - xmlBufferFree(buffer); + xmlBufferFree(buffer); } return(res); } /* not the best way to do it */ #define toHex(c) ( ( ('0' <= (c)) && ((c) <= '9') ) ? (c) - '0' : \ - ( ( ('A' <= (c)) && ((c) <= 'F') ) ? (c) - 'A' + 10 : 0 ) ) + ( ( ('A' <= (c)) && ((c) <= 'F') ) ? (c) - 'A' + 10 : 0 ) ) /** * url_decode: - * @buf: the input buffer. - * @size: the input buffer size. + * @buf: the input buffer. + * @size: the input buffer size. * * Does url decoding in-place. - * + * * Returns length of the decoded result on success or * a negative value if an error occurs. */ @@ -347,15 +365,15 @@ int url_decode(char *buf, size_t size) { p1 = p2 = buf; while(p1 - buf < size) { - if(((*p1) == '%') && ((p1 - buf) <= (size - 3))) { - *(p2++) = (char)(toHex(p1[1]) * 16 + toHex(p1[2])); - p1 += 3; - } else if((*p1) == '+') { - *(p2++) = ' '; - p1++; - } else { - *(p2++) = *(p1++); - } + if(((*p1) == '%') && ((p1 - buf) <= (size - 3))) { + *(p2++) = (char)(toHex(p1[1]) * 16 + toHex(p1[2])); + p1 += 3; + } else if((*p1) == '+') { + *(p2++) = ' '; + p1++; + } else { + *(p2++) = *(p1++); + } } return(p2 - buf); } |