Diffstat (limited to 'examples')
-rw-r--r--examples/Makefile2
-rw-r--r--examples/decrypt1.c102
-rw-r--r--examples/decrypt2.c164
-rw-r--r--examples/decrypt3.c181
-rw-r--r--examples/encrypt1.c93
-rw-r--r--examples/encrypt2.c100
-rw-r--r--examples/encrypt3.c137
-rw-r--r--examples/mywin32make.bat2
-rw-r--r--examples/sign1.c86
-rw-r--r--examples/sign2.c104
-rw-r--r--examples/sign3.c108
-rw-r--r--examples/verify1.c88
-rw-r--r--examples/verify2.c150
-rw-r--r--examples/verify3.c113
-rw-r--r--examples/verify4.c129
-rw-r--r--examples/xkms-server.c447
-rw-r--r--examples/xmldsigverify.c212
17 files changed, 1241 insertions, 977 deletions
diff --git a/examples/Makefile b/examples/Makefile
index 5c87150f..a237b987 100644
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -11,7 +11,7 @@ PROGRAMS = \
CC = gcc
CFLAGS += -g $(shell xmlsec1-config --cflags) -DUNIX_SOCKETS
-LDFLAGS += -g $(shell xmlsec1-config --libs)
+LDLIBS += -g $(shell xmlsec1-config --libs)
all: $(PROGRAMS)
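Review bot: The `-g` option is carried into `LDLIBS` together with the library list, although it is a linker flag and not a library. Moving the `xmlsec1-config --libs` output to `LDLIBS` places the libraries after the objects on the link line, but the flag would read better left where it was: `LDFLAGS += -g` and `LDLIBS += $(shell xmlsec1-config --libs)`.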
diff --git a/examples/decrypt1.c b/examples/decrypt1.c
index bfc1dd03..39ad1039 100644
--- a/examples/decrypt1.c
+++ b/examples/decrypt1.c
@@ -4,11 +4,11 @@
* Decrypts encrypted XML file using a single DES key from a binary file
*
* Usage:
- * ./decrypt1 <xml-enc> <des-key-file>
+ * ./decrypt1 <xml-enc> <des-key-file>
*
* Example:
- * ./decrypt1 encrypt1-res.xml deskey.bin
- * ./decrypt1 encrypt2-res.xml deskey.bin
+ * ./decrypt1 encrypt1-res.xml deskey.bin
+ * ./decrypt1 encrypt2-res.xml deskey.bin
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -25,6 +25,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -36,12 +37,16 @@ int decrypt_file(const char* enc_file, const char* key_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <enc-file> <key-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <enc-file> <key-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -52,17 +57,30 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
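Review bot: The result of `xsltNewSecurityPrefs()` is used unchecked in the added `#ifndef XMLSEC_NO_XSLT` block, and the return values of the five `xsltSetSecurityPrefs()` calls are dropped. If the allocation fails, nothing is recorded and `xsltSetDefaultSecurityPrefs()` receives NULL, so the example would presumably continue with libxslt unrestricted; the hardening fails open without any message. The same block is added in the corresponding hunks of decrypt2.c, decrypt3.c and encrypt1.c. main() starts before this hunk and continues after it; the checked form below would replace only the added block.

```c
    /* disable everything; stop if the restrictive preferences cannot be installed */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: failed to create xslt security preferences.\n");
        return(-1);
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {
        fprintf(stderr, "Error: failed to set xslt security preferences.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
```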
@@ -72,27 +90,27 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
if(decrypt_file(argv[1], argv[2]) < 0) {
- return(-1);
+ return(-1);
}
/* Shutdown xmlsec-crypto library */
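Review bot: decrypt1.c never releases the `xsltSecPrefs` object it now allocates. decrypt2.c, decrypt3.c and encrypt1.c each gain `xsltFreeSecurityPrefs(xsltSecPrefs);` ahead of `xsltCleanupGlobals();` in their shutdown hunk, but no hunk of this file touches the shutdown block, which lies after the end of this one. The hunk offsets suggest the call was simply missed here. Adding the same line inside the existing `#ifndef XMLSEC_NO_XSLT` shutdown section would bring this example in line with the others. The early `return(-1);` paths in this hunk also leave the preferences allocated, which matters little for a program about to exit but is worth a comment in example code that people copy.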
@@ -115,8 +133,8 @@ main(int argc, char **argv) {
/**
* decrypt_file:
- * @enc_file: the encrypted XML file name.
- * @key_file: the Triple DES key file.
+ * @enc_file: the encrypted XML file name.
+ * @key_file: the Triple DES key file.
*
* Decrypts the XML file #enc_file using DES key from #key_file and
* prints results to stdout.
@@ -136,55 +154,55 @@ decrypt_file(const char* enc_file, const char* key_file) {
/* load template */
doc = xmlParseFile(enc_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file);
+ goto done;
}
/* create encryption context, we don't need keys manager in this example */
encCtx = xmlSecEncCtxCreate(NULL);
if(encCtx == NULL) {
fprintf(stderr,"Error: failed to create encryption context\n");
- goto done;
+ goto done;
}
/* load DES key */
encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file);
if(encCtx->encKey == NULL) {
fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file);
- goto done;
+ goto done;
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- goto done;
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
+ goto done;
}
/* decrypt the data */
if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) {
fprintf(stderr,"Error: decryption failed\n");
- goto done;
+ goto done;
}
/* print decrypted data to stdout */
if(encCtx->resultReplaced != 0) {
- fprintf(stdout, "Decrypted XML data:\n");
- xmlDocDump(stdout, doc);
+ fprintf(stdout, "Decrypted XML data:\n");
+ xmlDocDump(stdout, doc);
} else {
- fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result));
- if(xmlSecBufferGetData(encCtx->result) != NULL) {
- fwrite(xmlSecBufferGetData(encCtx->result),
- 1,
- xmlSecBufferGetSize(encCtx->result),
- stdout);
- }
+ fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result));
+ if(xmlSecBufferGetData(encCtx->result) != NULL) {
+ fwrite(xmlSecBufferGetData(encCtx->result),
+ 1,
+ xmlSecBufferGetSize(encCtx->result),
+ stdout);
+ }
}
fprintf(stdout, "\n");
@@ -194,11 +212,11 @@ decrypt_file(const char* enc_file, const char* key_file) {
done:
/* cleanup */
if(encCtx != NULL) {
- xmlSecEncCtxDestroy(encCtx);
+ xmlSecEncCtxDestroy(encCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/decrypt2.c b/examples/decrypt2.c
index 051cbf97..49513e12 100644
--- a/examples/decrypt2.c
+++ b/examples/decrypt2.c
@@ -5,11 +5,11 @@
* DES key from a binary file
*
* Usage:
- * ./decrypt2 <xml-enc> <des-key-file1> [<des-key-file2> [...]]
+ * ./decrypt2 <xml-enc> <des-key-file1> [<des-key-file2> [...]]
*
* Example:
- * ./decrypt2 encrypt1-res.xml deskey.bin
- * ./decrypt2 encrypt2-res.xml deskey.bin
+ * ./decrypt2 encrypt1-res.xml deskey.bin
+ * ./decrypt2 encrypt2-res.xml deskey.bin
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -26,6 +26,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -39,13 +40,16 @@ int decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file);
int
main(int argc, char **argv) {
xmlSecKeysMngrPtr mngr;
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <enc-file> <key-file1> [<key-file2> [...]]\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <enc-file> <key-file1> [<key-file2> [...]]\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
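Review bot: The argument check `if(argc != 3)` contradicts the usage string printed right below it, which advertises `<key-file1> [<key-file2> [...]]`. With the check as written, a second key file is rejected as a wrong argument count, even though main() later passes `argc - 2` files to `load_des_keys()`. Since the commit re-indents these lines anyway, the condition could become `if(argc < 3) {` so that the documented multi-key invocation works. main() continues outside this hunk.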
@@ -56,17 +60,30 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -76,34 +93,34 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
/* create keys manager and load keys */
mngr = load_des_keys(&(argv[2]), argc - 2);
if(mngr == NULL) {
- return(-1);
+ return(-1);
}
if(decrypt_file(mngr, argv[1]) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
/* destroy keys manager */
@@ -120,6 +137,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -129,8 +147,8 @@ main(int argc, char **argv) {
/**
* load_des_keys:
- * @files: the list of filenames.
- * @files_size: the number of filenames in #files.
+ * @files: the list of filenames.
+ * @files_size: the number of filenames in #files.
*
* Creates simple keys manager and load DES keys from #files in it.
* The caller is responsible for destroing returned keys manager using
@@ -154,43 +172,43 @@ load_des_keys(char** files, int files_size) {
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stderr, "Error: failed to create keys manager.\n");
- return(NULL);
+ fprintf(stderr, "Error: failed to create keys manager.\n");
+ return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
- fprintf(stderr, "Error: failed to initialize keys manager.\n");
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ fprintf(stderr, "Error: failed to initialize keys manager.\n");
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
for(i = 0; i < files_size; ++i) {
- assert(files[i]);
+ assert(files[i]);
- /* load DES key */
- key = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, files[i]);
- if(key == NULL) {
- fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", files[i]);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
+ /* load DES key */
+ key = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, files[i]);
+ if(key == NULL) {
+ fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", files[i]);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
- /* set key name to the file name, this is just an example! */
- if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]);
- xmlSecKeyDestroy(key);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
-
- /* add key to keys manager, from now on keys manager is responsible
- * for destroying key
- */
- if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
- fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]);
- xmlSecKeyDestroy(key);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
+ /* set key name to the file name, this is just an example! */
+ if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) {
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]);
+ xmlSecKeyDestroy(key);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
+
+ /* add key to keys manager, from now on keys manager is responsible
+ * for destroying key
+ */
+ if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
+ fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]);
+ xmlSecKeyDestroy(key);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
}
return(mngr);
@@ -198,8 +216,8 @@ load_des_keys(char** files, int files_size) {
/**
* decrypt_file:
- * @mngr: the pointer to keys manager.
- * @enc_file: the encrypted XML file name.
+ * @mngr: the pointer to keys manager.
+ * @enc_file: the encrypted XML file name.
*
* Decrypts the XML file #enc_file using DES key from #key_file and
* prints results to stdout.
@@ -219,42 +237,42 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) {
/* load template */
doc = xmlParseFile(enc_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file);
+ goto done;
}
/* create encryption context */
encCtx = xmlSecEncCtxCreate(mngr);
if(encCtx == NULL) {
fprintf(stderr,"Error: failed to create encryption context\n");
- goto done;
+ goto done;
}
/* decrypt the data */
if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) {
fprintf(stderr,"Error: decryption failed\n");
- goto done;
+ goto done;
}
/* print decrypted data to stdout */
if(encCtx->resultReplaced != 0) {
- fprintf(stdout, "Decrypted XML data:\n");
- xmlDocDump(stdout, doc);
+ fprintf(stdout, "Decrypted XML data:\n");
+ xmlDocDump(stdout, doc);
} else {
- fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result));
- if(xmlSecBufferGetData(encCtx->result) != NULL) {
- fwrite(xmlSecBufferGetData(encCtx->result),
- 1,
- xmlSecBufferGetSize(encCtx->result),
- stdout);
- }
+ fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result));
+ if(xmlSecBufferGetData(encCtx->result) != NULL) {
+ fwrite(xmlSecBufferGetData(encCtx->result),
+ 1,
+ xmlSecBufferGetSize(encCtx->result),
+ stdout);
+ }
}
fprintf(stdout, "\n");
@@ -264,11 +282,11 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) {
done:
/* cleanup */
if(encCtx != NULL) {
- xmlSecEncCtxDestroy(encCtx);
+ xmlSecEncCtxDestroy(encCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/decrypt3.c b/examples/decrypt3.c
index eb0d581a..253920fb 100644
--- a/examples/decrypt3.c
+++ b/examples/decrypt3.c
@@ -6,11 +6,11 @@
* key's file name in the current folder.
*
* Usage:
- * ./decrypt3 <xml-enc>
+ * ./decrypt3 <xml-enc>
*
* Example:
- * ./decrypt3 encrypt1-res.xml
- * ./decrypt3 encrypt2-res.xml
+ * ./decrypt3 encrypt1-res.xml
+ * ./decrypt3 encrypt2-res.xml
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -28,6 +28,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -42,13 +43,16 @@ int decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file);
int
main(int argc, char **argv) {
xmlSecKeysMngrPtr mngr;
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
assert(argv);
if(argc != 2) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <enc-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <enc-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -59,17 +63,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -79,34 +95,34 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
/* create keys manager and load keys */
mngr = create_files_keys_mngr();
if(mngr == NULL) {
- return(-1);
+ return(-1);
}
if(decrypt_file(mngr, argv[1]) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
/* destroy keys manager */
@@ -123,6 +139,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -132,8 +149,8 @@ main(int argc, char **argv) {
/**
* decrypt_file:
- * @mngr: the pointer to keys manager.
- * @enc_file: the encrypted XML file name.
+ * @mngr: the pointer to keys manager.
+ * @enc_file: the encrypted XML file name.
*
* Decrypts the XML file #enc_file using DES key from #key_file and
* prints results to stdout.
@@ -153,42 +170,42 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) {
/* load template */
doc = xmlParseFile(enc_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", enc_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", enc_file);
+ goto done;
}
/* create encryption context */
encCtx = xmlSecEncCtxCreate(mngr);
if(encCtx == NULL) {
fprintf(stderr,"Error: failed to create encryption context\n");
- goto done;
+ goto done;
}
/* decrypt the data */
if((xmlSecEncCtxDecrypt(encCtx, node) < 0) || (encCtx->result == NULL)) {
fprintf(stderr,"Error: decryption failed\n");
- goto done;
+ goto done;
}
/* print decrypted data to stdout */
if(encCtx->resultReplaced != 0) {
- fprintf(stdout, "Decrypted XML data:\n");
- xmlDocDump(stdout, doc);
+ fprintf(stdout, "Decrypted XML data:\n");
+ xmlDocDump(stdout, doc);
} else {
- fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result));
- if(xmlSecBufferGetData(encCtx->result) != NULL) {
- fwrite(xmlSecBufferGetData(encCtx->result),
- 1,
- xmlSecBufferGetSize(encCtx->result),
- stdout);
- }
+ fprintf(stdout, "Decrypted binary data (%d bytes):\n", xmlSecBufferGetSize(encCtx->result));
+ if(xmlSecBufferGetData(encCtx->result) != NULL) {
+ fwrite(xmlSecBufferGetData(encCtx->result),
+ 1,
+ xmlSecBufferGetSize(encCtx->result),
+ stdout);
+ }
}
fprintf(stdout, "\n");
@@ -198,11 +215,11 @@ decrypt_file(xmlSecKeysMngrPtr mngr, const char* enc_file) {
done:
/* cleanup */
if(encCtx != NULL) {
- xmlSecEncCtxDestroy(encCtx);
+ xmlSecEncCtxDestroy(encCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
@@ -223,31 +240,31 @@ create_files_keys_mngr(void) {
/* create files based keys store */
keysStore = xmlSecKeyStoreCreate(files_keys_store_get_klass());
if(keysStore == NULL) {
- fprintf(stderr, "Error: failed to create keys store.\n");
- return(NULL);
+ fprintf(stderr, "Error: failed to create keys store.\n");
+ return(NULL);
}
/* create keys manager */
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stderr, "Error: failed to create keys manager.\n");
- xmlSecKeyStoreDestroy(keysStore);
- return(NULL);
+ fprintf(stderr, "Error: failed to create keys manager.\n");
+ xmlSecKeyStoreDestroy(keysStore);
+ return(NULL);
}
/* add store to keys manager, from now on keys manager destroys the store if needed */
if(xmlSecKeysMngrAdoptKeysStore(mngr, keysStore) < 0) {
- fprintf(stderr, "Error: failed to add keys store to keys manager.\n");
- xmlSecKeyStoreDestroy(keysStore);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ fprintf(stderr, "Error: failed to add keys store to keys manager.\n");
+ xmlSecKeyStoreDestroy(keysStore);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
/* initialize crypto library specific data in keys manager */
if(xmlSecCryptoKeysMngrInit(mngr) < 0) {
- fprintf(stderr, "Error: failed to initialize crypto data in keys manager.\n");
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ fprintf(stderr, "Error: failed to initialize crypto data in keys manager.\n");
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
/* set the get key callback */
@@ -263,20 +280,20 @@ create_files_keys_mngr(void) {
* Attention: this probably not a good solution for high traffic systems.
*
***************************************************************************/
-static xmlSecKeyPtr files_keys_store_find_key (xmlSecKeyStorePtr store,
- const xmlChar* name,
- xmlSecKeyInfoCtxPtr keyInfoCtx);
+static xmlSecKeyPtr files_keys_store_find_key (xmlSecKeyStorePtr store,
+ const xmlChar* name,
+ xmlSecKeyInfoCtxPtr keyInfoCtx);
static xmlSecKeyStoreKlass files_keys_store_klass = {
sizeof(xmlSecKeyStoreKlass),
sizeof(xmlSecKeyStore),
- BAD_CAST "files-based-keys-store", /* const xmlChar* name; */
- NULL, /* xmlSecKeyStoreInitializeMethod initialize; */
- NULL, /* xmlSecKeyStoreFinalizeMethod finalize; */
- files_keys_store_find_key, /* xmlSecKeyStoreFindKeyMethod findKey; */
+ BAD_CAST "files-based-keys-store", /* const xmlChar* name; */
+ NULL, /* xmlSecKeyStoreInitializeMethod initialize; */
+ NULL, /* xmlSecKeyStoreFinalizeMethod finalize; */
+ files_keys_store_find_key, /* xmlSecKeyStoreFindKeyMethod findKey; */
/* reserved for the future */
- NULL, /* void* reserved0; */
- NULL, /* void* reserved1; */
+ NULL, /* void* reserved0; */
+ NULL, /* void* reserved1; */
};
/**
@@ -294,9 +311,9 @@ files_keys_store_get_klass(void) {
/**
* files_keys_store_find_key:
- * @store: the pointer to simple keys store.
- * @name: the desired key name.
- * @keyInfoCtx: the pointer to <dsig:KeyInfo/> node processing context.
+ * @store: the pointer to simple keys store.
+ * @name: the desired key name.
+ * @keyInfoCtx: the pointer to <dsig:KeyInfo/> node processing context.
*
* Lookups key in the @store. The caller is responsible for destroying
* returned key with #xmlSecKeyDestroy function.
@@ -314,7 +331,7 @@ files_keys_store_find_key(xmlSecKeyStorePtr store, const xmlChar* name, xmlSecKe
/* it's possible to do not have the key name or desired key type
* but we could do nothing in this case */
if((name == NULL) || (keyInfoCtx->keyReq.keyId == xmlSecKeyDataIdUnknown)){
- return(NULL);
+ return(NULL);
}
/* we don't want to open files in a folder other than "current";
@@ -322,32 +339,32 @@ files_keys_store_find_key(xmlSecKeyStorePtr store, const xmlChar* name, xmlSecKe
* '.', '-' or '_'.
*/
for(p = name; (*p) != '\0'; ++p) {
- if(!isalnum((*p)) && ((*p) != '.') && ((*p) != '-') && ((*p) != '_')) {
- return(NULL);
- }
+ if(!isalnum((*p)) && ((*p) != '.') && ((*p) != '-') && ((*p) != '_')) {
+ return(NULL);
+ }
}
if((keyInfoCtx->keyReq.keyId == xmlSecKeyDataDsaId) || (keyInfoCtx->keyReq.keyId == xmlSecKeyDataRsaId)) {
- /* load key from a pem file, if key is not found then it's an error (is it?) */
- key = xmlSecCryptoAppKeyLoad(name, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
- if(key == NULL) {
- fprintf(stderr,"Error: failed to load public pem key from \"%s\"\n", name);
- return(NULL);
- }
+ /* load key from a pem file, if key is not found then it's an error (is it?) */
+ key = xmlSecCryptoAppKeyLoad(name, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
+ if(key == NULL) {
+ fprintf(stderr,"Error: failed to load public pem key from \"%s\"\n", name);
+ return(NULL);
+ }
} else {
- /* otherwise it's a binary key, if key is not found then it's an error (is it?) */
- key = xmlSecKeyReadBinaryFile(keyInfoCtx->keyReq.keyId, name);
- if(key == NULL) {
- fprintf(stderr,"Error: failed to load key from binary file \"%s\"\n", name);
- return(NULL);
- }
+ /* otherwise it's a binary key, if key is not found then it's an error (is it?) */
+ key = xmlSecKeyReadBinaryFile(keyInfoCtx->keyReq.keyId, name);
+ if(key == NULL) {
+ fprintf(stderr,"Error: failed to load key from binary file \"%s\"\n", name);
+ return(NULL);
+ }
}
/* set key name */
if(xmlSecKeySetName(key, name) < 0) {
fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", name);
xmlSecKeyDestroy(key);
- return(NULL);
+ return(NULL);
}
return(key);
diff --git a/examples/encrypt1.c b/examples/encrypt1.c
index bdd16b14..fb4d103f 100644
--- a/examples/encrypt1.c
+++ b/examples/encrypt1.c
@@ -4,13 +4,13 @@
* Encrypts binary data using a template file and a DES key from a binary file
*
* Usage:
- * ./encrypt1 <xml-tmpl> <des-key-file>
+ * ./encrypt1 <xml-tmpl> <des-key-file>
*
* Example:
- * ./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml
+ * ./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml
*
* The result could be decrypted with decrypt1 example:
- * ./decrypt1 encrypt1-res.xml deskey.bin
+ * ./decrypt1 encrypt1-res.xml deskey.bin
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -27,6 +27,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -35,17 +36,20 @@
#include <xmlsec/crypto.h>
int encrypt_file(const char* tmpl_file, const char* key_file,
- const unsigned char* data, size_t dataSize);
+ const unsigned char* data, size_t dataSize);
int
main(int argc, char **argv) {
static const char secret_data[] = "Big secret";
-
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -56,17 +60,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -76,27 +92,27 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
if(encrypt_file(argv[1], argv[2], secret_data, strlen(secret_data)) < 0) {
- return(-1);
+ return(-1);
}
/* Shutdown xmlsec-crypto library */
@@ -110,6 +126,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
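Review bot: `xsltFreeSecurityPrefs(xsltSecPrefs)` releases the object while it is still registered as libxslt's process-wide default, so the library is left holding a pointer to freed memory. That is harmless here because nothing runs XSLT afterwards, but these are examples that get copied into longer-lived programs. I would unregister first with `xsltSetDefaultSecurityPrefs(NULL);` on the line before the free, and add a short comment that the prefs must outlive every transform. The same two-line shutdown sequence is added in encrypt2.c, encrypt3.c, sign1.c and sign2.c. The body of `main()` starts and ends outside this hunk.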
@@ -119,10 +136,10 @@ main(int argc, char **argv) {
/**
* encrypt_file:
- * @tmpl_file: the encryption template file name.
- * @key_file: the Triple DES key file.
- * @data: the binary data to encrypt.
- * @dataSize: the binary data size.
+ * @tmpl_file: the encryption template file name.
+ * @key_file: the Triple DES key file.
+ * @data: the binary data to encrypt.
+ * @dataSize: the binary data size.
*
* Encrypts binary #data using template from #tmpl_file and DES key from
* #key_file.
@@ -131,7 +148,7 @@ main(int argc, char **argv) {
*/
int
encrypt_file(const char* tmpl_file, const char* key_file,
- const unsigned char* data, size_t dataSize) {
+ const unsigned char* data, size_t dataSize) {
xmlDocPtr doc = NULL;
xmlNodePtr node = NULL;
xmlSecEncCtxPtr encCtx = NULL;
@@ -144,41 +161,41 @@ encrypt_file(const char* tmpl_file, const char* key_file,
/* load template */
doc = xmlParseFile(tmpl_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeEncryptedData, xmlSecEncNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file);
+ goto done;
}
/* create encryption context, we don't need keys manager in this example */
encCtx = xmlSecEncCtxCreate(NULL);
if(encCtx == NULL) {
fprintf(stderr,"Error: failed to create encryption context\n");
- goto done;
+ goto done;
}
/* load DES key, assuming that there is not password */
encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file);
if(encCtx->encKey == NULL) {
fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file);
- goto done;
+ goto done;
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- goto done;
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
+ goto done;
}
/* encrypt the data */
if(xmlSecEncCtxBinaryEncrypt(encCtx, node, data, dataSize) < 0) {
fprintf(stderr,"Error: encryption failed\n");
- goto done;
+ goto done;
}
/* print encrypted data with document to stdout */
@@ -191,11 +208,11 @@ done:
/* cleanup */
if(encCtx != NULL) {
- xmlSecEncCtxDestroy(encCtx);
+ xmlSecEncCtxDestroy(encCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/encrypt2.c b/examples/encrypt2.c
index 9bbd52ff..4f1ad588 100644
--- a/examples/encrypt2.c
+++ b/examples/encrypt2.c
@@ -5,13 +5,13 @@
* from a binary file
*
* Usage:
- * ./encrypt2 <xml-doc> <des-key-file>
+ * ./encrypt2 <xml-doc> <des-key-file>
*
* Example:
- * ./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml
+ * ./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml
*
* The result could be decrypted with decrypt1 example:
- * ./decrypt1 encrypt2-res.xml deskey.bin
+ * ./decrypt1 encrypt2-res.xml deskey.bin
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -28,6 +28,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -40,12 +41,16 @@ int encrypt_file(const char* xml_file, const char* key_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -56,17 +61,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -76,27 +93,27 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
if(encrypt_file(argv[1], argv[2]) < 0) {
- return(-1);
+ return(-1);
}
/* Shutdown xmlsec-crypto library */
@@ -110,6 +127,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -119,8 +137,8 @@ main(int argc, char **argv) {
/**
* encrypt_file:
- * @xml_file: the encryption template file name.
- * @key_file: the Triple DES key file.
+ * @xml_file: the encryption template file name.
+ * @key_file: the Triple DES key file.
*
* Encrypts #xml_file using a dynamicaly created template and DES key from
* #key_file.
@@ -141,61 +159,61 @@ encrypt_file(const char* xml_file, const char* key_file) {
/* load template */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* create encryption template to encrypt XML file and replace
* its content with encryption result */
encDataNode = xmlSecTmplEncDataCreate(doc, xmlSecTransformDes3CbcId,
- NULL, xmlSecTypeEncElement, NULL, NULL);
+ NULL, xmlSecTypeEncElement, NULL, NULL);
if(encDataNode == NULL) {
- fprintf(stderr, "Error: failed to create encryption template\n");
- goto done;
+ fprintf(stderr, "Error: failed to create encryption template\n");
+ goto done;
}
/* we want to put encrypted data in the <enc:CipherValue/> node */
if(xmlSecTmplEncDataEnsureCipherValue(encDataNode) == NULL) {
- fprintf(stderr, "Error: failed to add CipherValue node\n");
- goto done;
+ fprintf(stderr, "Error: failed to add CipherValue node\n");
+ goto done;
}
/* add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed document */
keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL);
if(keyInfoNode == NULL) {
- fprintf(stderr, "Error: failed to add key info\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key info\n");
+ goto done;
}
if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
- fprintf(stderr, "Error: failed to add key name\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key name\n");
+ goto done;
}
/* create encryption context, we don't need keys manager in this example */
encCtx = xmlSecEncCtxCreate(NULL);
if(encCtx == NULL) {
fprintf(stderr,"Error: failed to create encryption context\n");
- goto done;
+ goto done;
}
/* load DES key, assuming that there is not password */
encCtx->encKey = xmlSecKeyReadBinaryFile(xmlSecKeyDataDesId, key_file);
if(encCtx->encKey == NULL) {
fprintf(stderr,"Error: failed to load des key from binary file \"%s\"\n", key_file);
- goto done;
+ goto done;
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(encCtx->encKey, key_file) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- goto done;
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
+ goto done;
}
/* encrypt the data */
if(xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, xmlDocGetRootElement(doc)) < 0) {
fprintf(stderr,"Error: encryption failed\n");
- goto done;
+ goto done;
}
/* we template is inserted in the doc */
@@ -211,15 +229,15 @@ done:
/* cleanup */
if(encCtx != NULL) {
- xmlSecEncCtxDestroy(encCtx);
+ xmlSecEncCtxDestroy(encCtx);
}
if(encDataNode != NULL) {
- xmlFreeNode(encDataNode);
+ xmlFreeNode(encDataNode);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/encrypt3.c b/examples/encrypt3.c
index 788c964e..aa9465a2 100644
--- a/examples/encrypt3.c
+++ b/examples/encrypt3.c
@@ -5,13 +5,13 @@
* DES key (encrypted with an RSA key).
*
* Usage:
- * ./encrypt3 <xml-doc> <rsa-pem-key-file>
+ * ./encrypt3 <xml-doc> <rsa-pem-key-file>
*
* Example:
- * ./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml
+ * ./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml
*
* The result could be decrypted with decrypt3 example:
- * ./decrypt3 encrypt3-res.xml
+ * ./decrypt3 encrypt3-res.xml
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -28,6 +28,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -42,13 +43,16 @@ int encrypt_file(xmlSecKeysMngrPtr mngr, const char* xml_file, const char* key_n
int
main(int argc, char **argv) {
xmlSecKeysMngrPtr mngr;
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -59,17 +63,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -79,35 +95,35 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
/* create keys manager and load keys */
mngr = load_rsa_keys(argv[2]);
if(mngr == NULL) {
- return(-1);
+ return(-1);
}
/* we use key filename as key name here */
if(encrypt_file(mngr, argv[1], argv[2]) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
/* destroy keys manager */
@@ -124,6 +140,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -133,7 +150,7 @@ main(int argc, char **argv) {
/**
* load_rsa_keys:
- * @key_file: the key filename.
+ * @key_file: the key filename.
*
* Creates simple keys manager and load RSA key from #key_file in it.
* The caller is responsible for destroing returned keys manager using
@@ -155,13 +172,13 @@ load_rsa_keys(char* key_file) {
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stderr, "Error: failed to create keys manager.\n");
- return(NULL);
+ fprintf(stderr, "Error: failed to create keys manager.\n");
+ return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
- fprintf(stderr, "Error: failed to initialize keys manager.\n");
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ fprintf(stderr, "Error: failed to initialize keys manager.\n");
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
/* load private RSA key */
@@ -175,11 +192,11 @@ load_rsa_keys(char* key_file) {
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(key, BAD_CAST key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- xmlSecKeyDestroy(key);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ xmlSecKeyDestroy(key);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
-
+
/* add key to keys manager, from now on keys manager is responsible
* for destroying key
*/
@@ -195,9 +212,9 @@ load_rsa_keys(char* key_file) {
/**
* encrypt_file:
- * @mngr: the pointer to keys manager.
- * @xml_file: the encryption template file name.
- * @key_name: the RSA key name.
+ * @mngr: the pointer to keys manager.
+ * @xml_file: the encryption template file name.
+ * @key_name: the RSA key name.
*
* Encrypts #xml_file using a dynamicaly created template, a session DES key
* and an RSA key from keys manager.
@@ -221,78 +238,78 @@ encrypt_file(xmlSecKeysMngrPtr mngr, const char* xml_file, const char* key_name)
/* load template */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* create encryption template to encrypt XML file and replace
* its content with encryption result */
encDataNode = xmlSecTmplEncDataCreate(doc, xmlSecTransformDes3CbcId,
- NULL, xmlSecTypeEncElement, NULL, NULL);
+ NULL, xmlSecTypeEncElement, NULL, NULL);
if(encDataNode == NULL) {
- fprintf(stderr, "Error: failed to create encryption template\n");
- goto done;
+ fprintf(stderr, "Error: failed to create encryption template\n");
+ goto done;
}
/* we want to put encrypted data in the <enc:CipherValue/> node */
if(xmlSecTmplEncDataEnsureCipherValue(encDataNode) == NULL) {
- fprintf(stderr, "Error: failed to add CipherValue node\n");
- goto done;
+ fprintf(stderr, "Error: failed to add CipherValue node\n");
+ goto done;
}
/* add <dsig:KeyInfo/> */
keyInfoNode = xmlSecTmplEncDataEnsureKeyInfo(encDataNode, NULL);
if(keyInfoNode == NULL) {
- fprintf(stderr, "Error: failed to add key info\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key info\n");
+ goto done;
}
/* add <enc:EncryptedKey/> to store the encrypted session key */
encKeyNode = xmlSecTmplKeyInfoAddEncryptedKey(keyInfoNode,
- xmlSecTransformRsaPkcs1Id,
- NULL, NULL, NULL);
+ xmlSecTransformRsaPkcs1Id,
+ NULL, NULL, NULL);
if(encKeyNode == NULL) {
- fprintf(stderr, "Error: failed to add key info\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key info\n");
+ goto done;
}
/* we want to put encrypted key in the <enc:CipherValue/> node */
if(xmlSecTmplEncDataEnsureCipherValue(encKeyNode) == NULL) {
- fprintf(stderr, "Error: failed to add CipherValue node\n");
- goto done;
+ fprintf(stderr, "Error: failed to add CipherValue node\n");
+ goto done;
}
/* add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to <enc:EncryptedKey/> */
keyInfoNode2 = xmlSecTmplEncDataEnsureKeyInfo(encKeyNode, NULL);
if(keyInfoNode2 == NULL) {
- fprintf(stderr, "Error: failed to add key info\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key info\n");
+ goto done;
}
/* set key name so we can lookup key when needed */
if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode2, key_name) == NULL) {
- fprintf(stderr, "Error: failed to add key name\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key name\n");
+ goto done;
}
/* create encryption context */
encCtx = xmlSecEncCtxCreate(mngr);
if(encCtx == NULL) {
fprintf(stderr,"Error: failed to create encryption context\n");
- goto done;
+ goto done;
}
/* generate a Triple DES key */
encCtx->encKey = xmlSecKeyGenerate(xmlSecKeyDataDesId, 192, xmlSecKeyDataTypeSession);
if(encCtx->encKey == NULL) {
fprintf(stderr,"Error: failed to generate session des key\n");
- goto done;
+ goto done;
}
/* encrypt the data */
if(xmlSecEncCtxXmlEncrypt(encCtx, encDataNode, xmlDocGetRootElement(doc)) < 0) {
fprintf(stderr,"Error: encryption failed\n");
- goto done;
+ goto done;
}
/* we template is inserted in the doc */
@@ -308,15 +325,15 @@ done:
/* cleanup */
if(encCtx != NULL) {
- xmlSecEncCtxDestroy(encCtx);
+ xmlSecEncCtxDestroy(encCtx);
}
if(encDataNode != NULL) {
- xmlFreeNode(encDataNode);
+ xmlFreeNode(encDataNode);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/mywin32make.bat b/examples/mywin32make.bat
index 84c5777e..a7d22803 100644
--- a/examples/mywin32make.bat
+++ b/examples/mywin32make.bat
@@ -8,7 +8,7 @@ REM
REM Aleksey Sanin <aleksey@aleksey.com>
REM
-SET XMLSEC_PREFIX=d:\sdk
+SET XMLSEC_PREFIX=C:\cygwin\home\local
SET XMLSEC_INCLUDE=%XMLSEC_PREFIX%\include
SET XMLSEC_LIB=%XMLSEC_PREFIX%\lib
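Review bot: The new `XMLSEC_PREFIX` value is a path under one developer's Cygwin home directory, so the script only works unedited on that machine. The include and library directories derived from it on the next two lines also resolve to a per-user location rather than a system install prefix. I would let the caller supply the prefix and keep the literal only as a fallback, e.g. `IF "%XMLSEC_PREFIX%"=="" SET XMLSEC_PREFIX=C:\cygwin\home\local`. A `REM` line above it should say the variable must point at the xmlsec install prefix.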
diff --git a/examples/sign1.c b/examples/sign1.c
index f17bf96f..e545843f 100644
--- a/examples/sign1.c
+++ b/examples/sign1.c
@@ -4,13 +4,13 @@
* Signs a template file using a key from PEM file
*
* Usage:
- * ./sign1 <xml-tmpl> <pem-key>
+ * ./sign1 <xml-tmpl> <pem-key>
*
* Example:
- * ./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml
+ * ./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml
*
* The result signature could be validated using verify1 example:
- * ./verify1 sign1-res.xml rsapub.pem
+ * ./verify1 sign1-res.xml rsapub.pem
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -27,6 +27,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -38,12 +39,16 @@ int sign_file(const char* tmpl_file, const char* key_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <tmpl-file> <key-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -54,17 +59,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -74,27 +91,27 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
if(sign_file(argv[1], argv[2]) < 0) {
- return(-1);
+ return(-1);
}
/* Shutdown xmlsec-crypto library */
@@ -108,7 +125,8 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
- xsltCleanupGlobals();
+ xsltFreeSecurityPrefs(xsltSecPrefs);
+ xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -117,8 +135,8 @@ main(int argc, char **argv) {
/**
* sign_file:
- * @tmpl_file: the signature template file name.
- * @key_file: the PEM private key file name.
+ * @tmpl_file: the signature template file name.
+ * @key_file: the PEM private key file name.
*
* Signs the #tmpl_file using private key from #key_file.
*
@@ -137,41 +155,41 @@ sign_file(const char* tmpl_file, const char* key_file) {
/* load template */
doc = xmlParseFile(tmpl_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", tmpl_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", tmpl_file);
+ goto done;
}
/* create signature context, we don't need keys manager in this example */
dsigCtx = xmlSecDSigCtxCreate(NULL);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* load private key, assuming that there is not password */
dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file);
- goto done;
+ goto done;
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- goto done;
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
+ goto done;
}
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, node) < 0) {
fprintf(stderr,"Error: signature failed\n");
- goto done;
+ goto done;
}
/* print signed document to stdout */
@@ -183,11 +201,11 @@ sign_file(const char* tmpl_file, const char* key_file) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/sign2.c b/examples/sign2.c
index 3bb858ce..146bbbaa 100644
--- a/examples/sign2.c
+++ b/examples/sign2.c
@@ -6,13 +6,13 @@
* the whole document except the <dsig:Signature/> node itself.
*
* Usage:
- * sign2 <xml-doc> <pem-key>
+ * sign2 <xml-doc> <pem-key>
*
* Example:
- * ./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml
+ * ./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml
*
* The result signature could be validated using verify1 example:
- * ./verify1 sign2-res.xml rsapub.pem
+ * ./verify1 sign2-res.xml rsapub.pem
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -29,6 +29,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -41,12 +42,16 @@ int sign_file(const char* xml_file, const char* key_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -57,17 +62,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -77,27 +94,27 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
if(sign_file(argv[1], argv[2]) < 0) {
- return(-1);
+ return(-1);
}
/* Shutdown xmlsec-crypto library */
@@ -111,6 +128,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -120,8 +138,8 @@ main(int argc, char **argv) {
/**
* sign_file:
- * @xml_file: the XML file name.
- * @key_file: the PEM private key file name.
+ * @xml_file: the XML file name.
+ * @key_file: the PEM private key file name.
*
* Signs the #xml_file using private key from #key_file and dynamicaly
* created enveloped signature template.
@@ -143,16 +161,16 @@ sign_file(const char* xml_file, const char* key_file) {
/* load doc file */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* create signature template for RSA-SHA1 enveloped signature */
signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
- xmlSecTransformRsaSha1Id, NULL);
+ xmlSecTransformRsaSha1Id, NULL);
if(signNode == NULL) {
- fprintf(stderr, "Error: failed to create signature template\n");
- goto done;
+ fprintf(stderr, "Error: failed to create signature template\n");
+ goto done;
}
/* add <dsig:Signature/> node to the doc */
@@ -160,54 +178,54 @@ sign_file(const char* xml_file, const char* key_file) {
/* add reference */
refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
- NULL, NULL, NULL);
+ NULL, NULL, NULL);
if(refNode == NULL) {
- fprintf(stderr, "Error: failed to add reference to signature template\n");
- goto done;
+ fprintf(stderr, "Error: failed to add reference to signature template\n");
+ goto done;
}
/* add enveloped transform */
if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
- fprintf(stderr, "Error: failed to add enveloped transform to reference\n");
- goto done;
+ fprintf(stderr, "Error: failed to add enveloped transform to reference\n");
+ goto done;
}
/* add <dsig:KeyInfo/> and <dsig:KeyName/> nodes to put key name in the signed document */
keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
if(keyInfoNode == NULL) {
- fprintf(stderr, "Error: failed to add key info\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key info\n");
+ goto done;
}
if(xmlSecTmplKeyInfoAddKeyName(keyInfoNode, NULL) == NULL) {
- fprintf(stderr, "Error: failed to add key name\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key name\n");
+ goto done;
}
/* create signature context, we don't need keys manager in this example */
dsigCtx = xmlSecDSigCtxCreate(NULL);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* load private key, assuming that there is not password */
dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file);
- goto done;
+ goto done;
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- goto done;
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
+ goto done;
}
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
- goto done;
+ goto done;
}
/* print signed document to stdout */
@@ -219,11 +237,11 @@ sign_file(const char* xml_file, const char* key_file) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/sign3.c b/examples/sign3.c
index 8a367083..9d16cf72 100644
--- a/examples/sign3.c
+++ b/examples/sign3.c
@@ -10,13 +10,13 @@
* certificates management policies for another crypto library may break it.
*
* Usage:
- * sign3 <xml-doc> <pem-key>
+ * sign3 <xml-doc> <pem-key>
*
* Example:
- * ./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
+ * ./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
*
* The result signature could be validated using verify3 example:
- * ./verify3 sign3-res.xml rootcert.pem
+ * ./verify3 sign3-res.xml rootcert.pem
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -33,6 +33,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -45,12 +46,16 @@ int sign_file(const char* xml_file, const char* key_file, const char* cert_file)
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
assert(argv);
if(argc != 4) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <key-file> <cert-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <key-file> <cert-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -61,17 +66,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
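Review bot: The result of `xsltNewSecurityPrefs()` is never checked in the added "disable everything" block, and the five `xsltSetSecurityPrefs()` results are ignored, so the hardening fails open. If the allocation fails, the setters are handed NULL and `xsltSetDefaultSecurityPrefs(NULL)` leaves libxslt with no default preferences, which as far as I know means file and network access from XSLT transforms is not restricted at all. The example then carries on as if the restrictions were in place; it should stop instead, as the fence below does. The same block is repeated in verify1.c (`@@ -52,17 +57,29 @@`), verify2.c (`@@ -55,17 +60,29 @@`) and verify3.c (`@@ -57,17 +61,29 @@`), where it matters most because those programs process signed documents whose transforms they did not write. `main` starts and ends outside this hunk.

```c
    /* … unchanged: #ifndef XMLSEC_NO_XSLT, "disable everything" comment … */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: failed to create xslt security preferences.\n");
        return(-1);
    }
    /* refuse to run unless every restriction was actually applied */
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {
        fprintf(stderr, "Error: failed to set xslt security preferences.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
    /* … unchanged: #endif, xmlSecInit() and version check … */
```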
@@ -81,27 +98,27 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
if(sign_file(argv[1], argv[2], argv[3]) < 0) {
- return(-1);
+ return(-1);
}
/* Shutdown xmlsec-crypto library */
@@ -115,6 +132,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -124,9 +142,9 @@ main(int argc, char **argv) {
/**
* sign_file:
- * @xml_file: the XML file name.
- * @key_file: the PEM private key file name.
- * @cert_file: the x509 certificate PEM file.
+ * @xml_file: the XML file name.
+ * @key_file: the PEM private key file name.
+ * @cert_file: the x509 certificate PEM file.
*
* Signs the @xml_file using private key from @key_file and dynamicaly
* created enveloped signature template. The certificate from @cert_file
@@ -150,16 +168,16 @@ sign_file(const char* xml_file, const char* key_file, const char* cert_file) {
/* load doc file */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* create signature template for RSA-SHA1 enveloped signature */
signNode = xmlSecTmplSignatureCreate(doc, xmlSecTransformExclC14NId,
- xmlSecTransformRsaSha1Id, NULL);
+ xmlSecTransformRsaSha1Id, NULL);
if(signNode == NULL) {
- fprintf(stderr, "Error: failed to create signature template\n");
- goto done;
+ fprintf(stderr, "Error: failed to create signature template\n");
+ goto done;
}
/* add <dsig:Signature/> node to the doc */
@@ -167,60 +185,60 @@ sign_file(const char* xml_file, const char* key_file, const char* cert_file) {
/* add reference */
refNode = xmlSecTmplSignatureAddReference(signNode, xmlSecTransformSha1Id,
- NULL, NULL, NULL);
+ NULL, NULL, NULL);
if(refNode == NULL) {
- fprintf(stderr, "Error: failed to add reference to signature template\n");
- goto done;
+ fprintf(stderr, "Error: failed to add reference to signature template\n");
+ goto done;
}
/* add enveloped transform */
if(xmlSecTmplReferenceAddTransform(refNode, xmlSecTransformEnvelopedId) == NULL) {
- fprintf(stderr, "Error: failed to add enveloped transform to reference\n");
- goto done;
+ fprintf(stderr, "Error: failed to add enveloped transform to reference\n");
+ goto done;
}
/* add <dsig:KeyInfo/> and <dsig:X509Data/> */
keyInfoNode = xmlSecTmplSignatureEnsureKeyInfo(signNode, NULL);
if(keyInfoNode == NULL) {
- fprintf(stderr, "Error: failed to add key info\n");
- goto done;
+ fprintf(stderr, "Error: failed to add key info\n");
+ goto done;
}
if(xmlSecTmplKeyInfoAddX509Data(keyInfoNode) == NULL) {
- fprintf(stderr, "Error: failed to add X509Data node\n");
- goto done;
+ fprintf(stderr, "Error: failed to add X509Data node\n");
+ goto done;
}
/* create signature context, we don't need keys manager in this example */
dsigCtx = xmlSecDSigCtxCreate(NULL);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* load private key, assuming that there is not password */
dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private pem key from \"%s\"\n", key_file);
- goto done;
+ goto done;
}
/* load certificate and add to the key */
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
- goto done;
+ goto done;
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- goto done;
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
+ goto done;
}
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
- goto done;
+ goto done;
}
/* print signed document to stdout */
@@ -232,11 +250,11 @@ sign_file(const char* xml_file, const char* key_file, const char* cert_file) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/verify1.c b/examples/verify1.c
index 9f2eff5b..04917e5a 100644
--- a/examples/verify1.c
+++ b/examples/verify1.c
@@ -4,11 +4,11 @@
* Verifies a file using a key from PEM file.
*
* Usage:
- * verify1 <signed-file> <pem-key>
+ * verify1 <signed-file> <pem-key>
*
* Example:
- * ./verify1 sign1-res.xml rsapub.pem
- * ./verify1 sign2-res.xml rsapub.pem
+ * ./verify1 sign1-res.xml rsapub.pem
+ * ./verify1 sign2-res.xml rsapub.pem
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -25,6 +25,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -36,12 +37,16 @@ int verify_file(const char* xml_file, const char* key_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
assert(argv);
if(argc != 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <key-file>\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -52,17 +57,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -72,27 +89,27 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
if(verify_file(argv[1], argv[2]) < 0) {
- return(-1);
+ return(-1);
}
/* Shutdown xmlsec-crypto library */
@@ -106,6 +123,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -115,8 +133,8 @@ main(int argc, char **argv) {
/**
* verify_file:
- * @xml_file: the signed XML file name.
- * @key_file: the PEM public key file name.
+ * @xml_file: the signed XML file name.
+ * @key_file: the PEM public key file name.
*
* Verifies XML signature in #xml_file using public key from #key_file.
*
@@ -135,48 +153,48 @@ verify_file(const char* xml_file, const char* key_file) {
/* load file */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
+ goto done;
}
/* create signature context, we don't need keys manager in this example */
dsigCtx = xmlSecDSigCtxCreate(NULL);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* load public key */
dsigCtx->signKey = xmlSecCryptoAppKeyLoad(key_file, xmlSecKeyDataFormatPem, NULL, NULL, NULL);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load public pem key from \"%s\"\n", key_file);
- goto done;
+ goto done;
}
/* set key name to the file name, this is just an example! */
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
- goto done;
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
+ goto done;
}
/* Verify signature */
if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
fprintf(stderr,"Error: signature verify\n");
- goto done;
+ goto done;
}
/* print verification result to stdout */
if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
- fprintf(stdout, "Signature is OK\n");
+ fprintf(stdout, "Signature is OK\n");
} else {
- fprintf(stdout, "Signature is INVALID\n");
+ fprintf(stdout, "Signature is INVALID\n");
}
/* success */
@@ -185,11 +203,11 @@ verify_file(const char* xml_file, const char* key_file) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/verify2.c b/examples/verify2.c
index a56bb551..36fde2d3 100644
--- a/examples/verify2.c
+++ b/examples/verify2.c
@@ -4,11 +4,11 @@
* Verifies a file using keys manager
*
* Usage:
- * verify2 <signed-file> <public-pem-key1> [<public-pem-key2> [...]]
+ * verify2 <signed-file> <public-pem-key1> [<public-pem-key2> [...]]
*
* Example:
- * ./verify2 sign1-res.xml rsapub.pem
- * ./verify2 sign2-res.xml rsapub.pem
+ * ./verify2 sign1-res.xml rsapub.pem
+ * ./verify2 sign2-res.xml rsapub.pem
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -25,6 +25,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -37,14 +38,18 @@ int verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
xmlSecKeysMngrPtr mngr;
assert(argv);
if(argc < 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <key-file1> [<key-file2> [...]]\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <key-file1> [<key-file2> [...]]\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -55,17 +60,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -75,35 +92,35 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
/* create keys manager and load keys */
mngr = load_keys(&(argv[2]), argc - 2);
if(mngr == NULL) {
- return(-1);
+ return(-1);
}
/* verify file */
if(verify_file(mngr, argv[1]) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
/* destroy keys manager */
@@ -120,6 +137,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -129,8 +147,8 @@ main(int argc, char **argv) {
/**
* load_keys:
- * @files: the list of filenames.
- * @files_size: the number of filenames in #files.
+ * @files: the list of filenames.
+ * @files_size: the number of filenames in #files.
*
* Creates simple keys manager and load PEM keys from #files in it.
* The caller is responsible for destroing returned keys manager using
@@ -154,43 +172,43 @@ load_keys(char** files, int files_size) {
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stderr, "Error: failed to create keys manager.\n");
- return(NULL);
+ fprintf(stderr, "Error: failed to create keys manager.\n");
+ return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
- fprintf(stderr, "Error: failed to initialize keys manager.\n");
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ fprintf(stderr, "Error: failed to initialize keys manager.\n");
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
for(i = 0; i < files_size; ++i) {
- assert(files[i]);
+ assert(files[i]);
- /* load key */
- key = xmlSecCryptoAppKeyLoad(files[i], xmlSecKeyDataFormatPem, NULL, NULL, NULL);
- if(key == NULL) {
- fprintf(stderr,"Error: failed to load pem key from \"%s\"\n", files[i]);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
+ /* load key */
+ key = xmlSecCryptoAppKeyLoad(files[i], xmlSecKeyDataFormatPem, NULL, NULL, NULL);
+ if(key == NULL) {
+ fprintf(stderr,"Error: failed to load pem key from \"%s\"\n", files[i]);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
- /* set key name to the file name, this is just an example! */
- if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) {
- fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]);
- xmlSecKeyDestroy(key);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
-
- /* add key to keys manager, from now on keys manager is responsible
- * for destroying key
- */
- if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
- fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]);
- xmlSecKeyDestroy(key);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
+ /* set key name to the file name, this is just an example! */
+ if(xmlSecKeySetName(key, BAD_CAST files[i]) < 0) {
+ fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", files[i]);
+ xmlSecKeyDestroy(key);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
+
+ /* add key to keys manager, from now on keys manager is responsible
+ * for destroying key
+ */
+ if(xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key) < 0) {
+ fprintf(stderr,"Error: failed to add key from \"%s\" to keys manager\n", files[i]);
+ xmlSecKeyDestroy(key);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
}
return(mngr);
@@ -198,8 +216,8 @@ load_keys(char** files, int files_size) {
/**
* verify_file:
- * @mngr: the pointer to keys manager.
- * @xml_file: the signed XML file name.
+ * @mngr: the pointer to keys manager.
+ * @xml_file: the signed XML file name.
*
* Verifies XML signature in #xml_file.
*
@@ -218,35 +236,35 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
/* load file */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
+ goto done;
}
/* create signature context */
dsigCtx = xmlSecDSigCtxCreate(mngr);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* Verify signature */
if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
fprintf(stderr,"Error: signature verify\n");
- goto done;
+ goto done;
}
/* print verification result to stdout */
if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
- fprintf(stdout, "Signature is OK\n");
+ fprintf(stdout, "Signature is OK\n");
} else {
- fprintf(stdout, "Signature is INVALID\n");
+ fprintf(stdout, "Signature is INVALID\n");
}
/* success */
@@ -255,11 +273,11 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/verify3.c b/examples/verify3.c
index b7746a0d..5f0666bb 100644
--- a/examples/verify3.c
+++ b/examples/verify3.c
@@ -7,10 +7,10 @@
* certificates management policies for another crypto library may break it.
*
* Usage:
- * verify3 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]]
+ * verify3 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]]
*
* Example:
- * ./verify3 sign3-res.xml rootcert.pem
+ * ./verify3 sign3-res.xml rootcert.pem
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -27,6 +27,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -39,14 +40,17 @@ int verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
xmlSecKeysMngrPtr mngr;
assert(argv);
if(argc < 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -57,17 +61,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -77,35 +93,35 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
/* create keys manager and load trusted certificates */
mngr = load_trusted_certs(&(argv[2]), argc - 2);
if(mngr == NULL) {
- return(-1);
+ return(-1);
}
/* verify file */
if(verify_file(mngr, argv[1]) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
/* destroy keys manager */
@@ -122,6 +138,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -131,8 +148,8 @@ main(int argc, char **argv) {
/**
* load_trusted_certs:
- * @files: the list of filenames.
- * @files_size: the number of filenames in #files.
+ * @files: the list of filenames.
+ * @files_size: the number of filenames in #files.
*
* Creates simple keys manager and load trusted certificates from PEM #files.
* The caller is responsible for destroing returned keys manager using
@@ -155,24 +172,24 @@ load_trusted_certs(char** files, int files_size) {
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stderr, "Error: failed to create keys manager.\n");
- return(NULL);
+ fprintf(stderr, "Error: failed to create keys manager.\n");
+ return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
- fprintf(stderr, "Error: failed to initialize keys manager.\n");
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ fprintf(stderr, "Error: failed to initialize keys manager.\n");
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
for(i = 0; i < files_size; ++i) {
- assert(files[i]);
-
- /* load trusted cert */
- if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
- fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
+ assert(files[i]);
+
+ /* load trusted cert */
+ if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
+ fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
}
return(mngr);
@@ -180,8 +197,8 @@ load_trusted_certs(char** files, int files_size) {
/**
* verify_file:
- * @mngr: the pointer to keys manager.
- * @xml_file: the signed XML file name.
+ * @mngr: the pointer to keys manager.
+ * @xml_file: the signed XML file name.
*
* Verifies XML signature in #xml_file.
*
@@ -200,35 +217,35 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
/* load file */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
+ goto done;
}
/* create signature context */
dsigCtx = xmlSecDSigCtxCreate(mngr);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* Verify signature */
if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
fprintf(stderr,"Error: signature verify\n");
- goto done;
+ goto done;
}
/* print verification result to stdout */
if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
- fprintf(stdout, "Signature is OK\n");
+ fprintf(stdout, "Signature is OK\n");
} else {
- fprintf(stdout, "Signature is INVALID\n");
+ fprintf(stdout, "Signature is INVALID\n");
}
/* success */
@@ -237,11 +254,11 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/verify4.c b/examples/verify4.c
index 3d82af69..f55f58c5 100644
--- a/examples/verify4.c
+++ b/examples/verify4.c
@@ -10,15 +10,15 @@
* certificates management policies for another crypto library may break it.
*
* Usage:
- * verify4 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]]
+ * verify4 <signed-file> <trusted-cert-pem-file1> [<trusted-cert-pem-file2> [...]]
*
* Example (sucecess):
- * ./verify4 verify4-res.xml rootcert.pem
+ * ./verify4 verify4-res.xml rootcert.pem
*
* Example (failure):
- * ./verify4 verify4-bad-res.xml rootcert.pem
+ * ./verify4 verify4-bad-res.xml rootcert.pem
* In the same time, verify3 example successfuly verifies this signature:
- * ./verify3 verify4-bad-res.xml rootcert.pem
+ * ./verify3 verify4-bad-res.xml rootcert.pem
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -35,6 +35,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -47,14 +48,17 @@ int verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file);
int
main(int argc, char **argv) {
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
xmlSecKeysMngrPtr mngr;
assert(argv);
if(argc < 3) {
- fprintf(stderr, "Error: wrong number of arguments.\n");
- fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]);
- return(1);
+ fprintf(stderr, "Error: wrong number of arguments.\n");
+ fprintf(stderr, "Usage: %s <xml-file> <cert-file1> [<cert-file2> [...]]\n", argv[0]);
+ return(1);
}
/* Init libxml and libxslt libraries */
@@ -65,17 +69,29 @@ main(int argc, char **argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stderr, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
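Review bot: The new libxslt hardening block fails open, because the result of `xsltNewSecurityPrefs()` is never checked and the return values of the five `xsltSetSecurityPrefs()` calls are ignored. If the allocation fails, `xsltSetDefaultSecurityPrefs()` is handed NULL, which as far as I know leaves transforms running with no file or network restrictions at all. For a program that processes signatures from untrusted documents, failing to install the restrictions should abort start-up rather than continue silently. The same unchecked sequence is added in examples/xkms-server.c in the `@@ -120,17 +124,29 @@` hunk. main's body starts and ends outside this hunk.

```c
#ifndef XMLSEC_NO_XSLT
    /* disable everything; refuse to run if the restrictions cannot be installed */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: failed to create xslt security preferences.\n");
        return(-1);
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {
        fprintf(stderr, "Error: failed to set xslt security preferences.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
    /* … unchanged: xmlSecInit() and xmlSecCheckVersion() checks … */
```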
@@ -85,35 +101,35 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stderr, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stderr, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
/* create keys manager and load trusted certificates */
mngr = load_trusted_certs(&(argv[2]), argc - 2);
if(mngr == NULL) {
- return(-1);
+ return(-1);
}
/* verify file */
if(verify_file(mngr, argv[1]) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
/* destroy keys manager */
@@ -130,6 +146,7 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
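Review bot: `xsltFreeSecurityPrefs(xsltSecPrefs)` releases the object that is still registered as the process-wide default through `xsltSetDefaultSecurityPrefs()`, so libxslt is left holding a freed pointer. That is harmless here only because no transform runs after this point, but example code gets copied into longer-lived programs. I would state the constraint with a comment on the line above, `/* no XSLT processing after this point: the default security prefs are freed here */`, and clear the registration with `xsltSetDefaultSecurityPrefs(NULL);` just before the free. The same cleanup line is added in examples/xkms-server.c in the `@@ -277,6 +293,7 @@` hunk. main's body starts and ends outside this hunk.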
@@ -139,8 +156,8 @@ main(int argc, char **argv) {
/**
* load_trusted_certs:
- * @files: the list of filenames.
- * @files_size: the number of filenames in #files.
+ * @files: the list of filenames.
+ * @files_size: the number of filenames in #files.
*
* Creates simple keys manager and load trusted certificates from PEM #files.
* The caller is responsible for destroing returned keys manager using
@@ -163,24 +180,24 @@ load_trusted_certs(char** files, int files_size) {
*/
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stderr, "Error: failed to create keys manager.\n");
- return(NULL);
+ fprintf(stderr, "Error: failed to create keys manager.\n");
+ return(NULL);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
- fprintf(stderr, "Error: failed to initialize keys manager.\n");
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
+ fprintf(stderr, "Error: failed to initialize keys manager.\n");
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
}
for(i = 0; i < files_size; ++i) {
- assert(files[i]);
+ assert(files[i]);
- /* load trusted cert */
- if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
- fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);
- xmlSecKeysMngrDestroy(mngr);
- return(NULL);
- }
+ /* load trusted cert */
+ if(xmlSecCryptoAppKeysMngrCertLoad(mngr, files[i], xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
+ fprintf(stderr,"Error: failed to load pem certificate from \"%s\"\n", files[i]);
+ xmlSecKeysMngrDestroy(mngr);
+ return(NULL);
+ }
}
return(mngr);
@@ -188,8 +205,8 @@ load_trusted_certs(char** files, int files_size) {
/**
* verify_file:
- * @mngr: the pointer to keys manager.
- * @xml_file: the signed XML file name.
+ * @mngr: the pointer to keys manager.
+ * @xml_file: the signed XML file name.
*
* Verifies XML signature in #xml_file.
*
@@ -208,35 +225,35 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
/* load file */
doc = xmlParseFile(xml_file);
if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
- fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
if(node == NULL) {
- fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
- goto done;
+ fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
+ goto done;
}
/* create signature context */
dsigCtx = xmlSecDSigCtxCreate(mngr);
if(dsigCtx == NULL) {
fprintf(stderr,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* limit the Reference URI attributes to empty or NULL */
dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
- /* limit allowed transforms for siganture and reference processing */
+ /* limit allowed transforms for signature and reference processing */
if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
(xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
- fprintf(stderr,"Error: failed to limit allowed siganture transforms\n");
- goto done;
+ fprintf(stderr,"Error: failed to limit allowed signature transforms\n");
+ goto done;
}
if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
@@ -244,34 +261,34 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
(xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
fprintf(stderr,"Error: failed to limit allowed reference transforms\n");
- goto done;
+ goto done;
}
/* in addition, limit possible key data to valid X509 certificates only */
if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) < 0) {
fprintf(stderr,"Error: failed to limit allowed key data\n");
- goto done;
+ goto done;
}
/* Verify signature */
if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
fprintf(stderr,"Error: signature verify\n");
- goto done;
+ goto done;
}
/* check that we have only one Reference */
if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
(xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) {
-
+
fprintf(stderr,"Error: only one reference is allowed\n");
- goto done;
+ goto done;
}
/* print verification result to stdout */
if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
- fprintf(stdout, "Signature is OK\n");
+ fprintf(stdout, "Signature is OK\n");
} else {
- fprintf(stdout, "Signature is INVALID\n");
+ fprintf(stdout, "Signature is INVALID\n");
}
/* success */
@@ -280,11 +297,11 @@ verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
return(res);
}
diff --git a/examples/xkms-server.c b/examples/xkms-server.c
index 1021b182..188d5c73 100644
--- a/examples/xkms-server.c
+++ b/examples/xkms-server.c
@@ -4,10 +4,10 @@
* Starts XKMS server on specified port.
*
* Usage:
- * ./xkms-server [--port <port>] [--format plain|soap-1.1|soap-1.2] <keys-file>
+ * ./xkms-server [--port <port>] [--format plain|soap-1.1|soap-1.2] <keys-file>
*
* Example:
- * ./xkms-server --port 8080 --format soap-1.1 keys.xml
+ * ./xkms-server --port 8080 --format soap-1.1 keys.xml
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
@@ -23,8 +23,8 @@
#ifdef XMLSEC_NO_XKMS
int main(int argc, char** argv) {
- fprintf(stderr, "ERROR: XKMS is disabled.\n");
- return 1;
+ fprintf(stderr, "ERROR: XKMS is disabled.\n");
+ return 1;
}
#else /* XMLSEC_NO_XKMS */
@@ -35,6 +35,7 @@ int main(int argc, char** argv) {
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -64,13 +65,13 @@ int main(int argc, char** argv) {
#endif /* WIN32_SOCKETS */
#endif /* UNIX_SOCKETS */
-#define DEFAULT_PORT 1234
-#define PENDING_QUEUE_SIZE 100
+#define DEFAULT_PORT 1234
+#define PENDING_QUEUE_SIZE 100
-#define LOG_LEVEL_SILENT 0
-#define LOG_LEVEL_INFO 1
-#define LOG_LEVEL_DATA 2
-#define LOG_LEVEL_DEBUG 3
+#define LOG_LEVEL_SILENT 0
+#define LOG_LEVEL_INFO 1
+#define LOG_LEVEL_DATA 2
+#define LOG_LEVEL_DEBUG 3
#ifdef UNIX_SOCKETS
static int sockfd = -1;
@@ -91,7 +92,7 @@ static const xmlChar* my_strnstr(const xmlChar* str, xmlSecSize strLen, const xm
static int handle_connection(int fd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFormat format);
static int read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer);
static int send_response(int fd, const char* in_ip, int resp_code,
- const char* body, int body_size);
+ const char* body, int body_size);
static char usage[] = "[--port <port>] [--format plain|soap-1.1|soap-1.2] <keys-file>";
static char http_header[] =
@@ -105,6 +106,9 @@ static char http_503[] =
int main(int argc, char** argv) {
int argpos;
unsigned short port = DEFAULT_PORT;
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
xmlSecKeysMngrPtr mngr = NULL;
xmlSecXkmsServerCtxPtr xkmsCtx = NULL;
xmlSecXkmsServerFormat format = xmlSecXkmsServerFormatPlain;
@@ -120,17 +124,29 @@ int main(int argc, char** argv) {
#ifndef XMLSEC_NO_XSLT
xmlIndentTreeOutput = 1;
#endif /* XMLSEC_NO_XSLT */
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stderr, "Error %d: xmlsec initialization failed.\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: xmlsec initialization failed.\n", errno);
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stderr, "Error %d: loaded xmlsec library version is not compatible.\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: loaded xmlsec library version is not compatible.\n", errno);
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
@@ -140,115 +156,115 @@ int main(int argc, char** argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stderr, "Error %d: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n", errno);
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(NULL) < 0) {
- fprintf(stderr, "Error %d: crypto initialization failed.\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: crypto initialization failed.\n", errno);
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stderr, "Error %d: xmlsec-crypto initialization failed.\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: xmlsec-crypto initialization failed.\n", errno);
+ return(-1);
}
/* Create and initialize keys manager */
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stderr, "Error %d: failed to create keys manager.\n", errno);
- goto done;
+ fprintf(stderr, "Error %d: failed to create keys manager.\n", errno);
+ goto done;
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
- fprintf(stderr, "Error %d: failed to initialize keys manager.\n", errno);
- goto done;
+ fprintf(stderr, "Error %d: failed to initialize keys manager.\n", errno);
+ goto done;
}
/* Create XKMS server context */
xkmsCtx = xmlSecXkmsServerCtxCreate(mngr);
if(xkmsCtx == NULL) {
- fprintf(stderr, "Error %d: XKMS server context initialization failed\n", errno);
- goto done;
+ fprintf(stderr, "Error %d: XKMS server context initialization failed\n", errno);
+ goto done;
}
/* Process input parameters */
for(argpos = 1; (argpos < argc) && (argv[argpos][0] == '-'); argpos++) {
- if((strcmp(argv[argpos], "--port") == 0) || (strcmp(argv[argpos], "-p") == 0)) {
- argpos++;
- port = atoi(argv[argpos]);
- if(port == 0) {
- fprintf(stderr, "Error %d: invalid port number \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
- goto done;
- }
- } else if((strcmp(argv[argpos], "--format") == 0) || (strcmp(argv[argpos], "-f") == 0)) {
- argpos++;
- format = xmlSecXkmsServerFormatFromString(BAD_CAST argv[argpos]);
- if(format == xmlSecXkmsServerFormatUnknown) {
- fprintf(stderr, "Error %d: invalid format \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
- goto done;
- }
- } else if((strcmp(argv[argpos], "--log-level") == 0) || (strcmp(argv[argpos], "-l") == 0)) {
- argpos++;
- log_level = atoi(argv[argpos]);
- } else {
- fprintf(stderr, "Error %d: unknown parameter \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
- goto done;
- }
+ if((strcmp(argv[argpos], "--port") == 0) || (strcmp(argv[argpos], "-p") == 0)) {
+ argpos++;
+ port = atoi(argv[argpos]);
+ if(port == 0) {
+ fprintf(stderr, "Error %d: invalid port number \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
+ goto done;
+ }
+ } else if((strcmp(argv[argpos], "--format") == 0) || (strcmp(argv[argpos], "-f") == 0)) {
+ argpos++;
+ format = xmlSecXkmsServerFormatFromString(BAD_CAST argv[argpos]);
+ if(format == xmlSecXkmsServerFormatUnknown) {
+ fprintf(stderr, "Error %d: invalid format \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
+ goto done;
+ }
+ } else if((strcmp(argv[argpos], "--log-level") == 0) || (strcmp(argv[argpos], "-l") == 0)) {
+ argpos++;
+ log_level = atoi(argv[argpos]);
+ } else {
+ fprintf(stderr, "Error %d: unknown parameter \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
+ goto done;
+ }
}
if(argpos >= argc) {
- fprintf(stderr, "Error %d: keys file is not specified.\nUsage: %s %s\n", errno, argv[0], usage);
- goto done;
+ fprintf(stderr, "Error %d: keys file is not specified.\nUsage: %s %s\n", errno, argv[0], usage);
+ goto done;
}
/* Load keys */
for(; argpos < argc; argpos++) {
if(xmlSecCryptoAppDefaultKeysMngrLoad(mngr, argv[argpos]) < 0) {
- fprintf(stderr, "Error %d: failed to load xml keys file \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
- goto done;
- }
- if(log_level >= LOG_LEVEL_INFO) {
- fprintf(stdout, "Log: loaded keys from \"%s\"\n", argv[argpos]);
- }
+ fprintf(stderr, "Error %d: failed to load xml keys file \"%s\".\nUsage: %s %s\n", errno, argv[argpos], argv[0], usage);
+ goto done;
+ }
+ if(log_level >= LOG_LEVEL_INFO) {
+ fprintf(stdout, "Log: loaded keys from \"%s\"\n", argv[argpos]);
+ }
}
/* Startup TCP server */
if(init_server(port) < 0) {
- fprintf(stderr, "Error, errno: server initialization failed\n", errno);
- goto done;
+ fprintf(stderr, "Error, errno: server initialization failed\n", errno);
+ goto done;
}
assert(sockfd != -1);
/* main loop: accept connections and process requests */
while(finished == 0) {
- fd_set fds;
+ fd_set fds;
struct timeval timeout;
-
- /* Set up polling using select() */
- FD_ZERO(&fds);
- FD_SET(sockfd, &fds);
- memset(&timeout, 0, sizeof(timeout));
- timeout.tv_sec = 1;
- ret = select(sockfd + 1, &fds, NULL, NULL, &timeout);
- if((ret <= 0) || !FD_ISSET(sockfd, &fds)) {
- /* error, timed out or not our socket: try again */
- continue;
- }
-
- if(handle_connection(sockfd, xkmsCtx, format) < 0) {
- fprintf(stderr, "Error %d: unable to accept incomming connection\n");
- goto done;
- }
+
+ /* Set up polling using select() */
+ FD_ZERO(&fds);
+ FD_SET(sockfd, &fds);
+ memset(&timeout, 0, sizeof(timeout));
+ timeout.tv_sec = 1;
+ ret = select(sockfd + 1, &fds, NULL, NULL, &timeout);
+ if((ret <= 0) || !FD_ISSET(sockfd, &fds)) {
+ /* error, timed out or not our socket: try again */
+ continue;
+ }
+
+ if(handle_connection(sockfd, xkmsCtx, format) < 0) {
+ fprintf(stderr, "Error %d: unable to accept incomming connection\n");
+ goto done;
+ }
}
done:
if(log_level >= LOG_LEVEL_INFO) {
- fprintf(stdout, "Log: server is shutting down\n");
+ fprintf(stdout, "Log: server is shutting down\n");
}
/* Shutdown TCP server */
@@ -256,14 +272,14 @@ done:
/* Destroy xkms server context */
if(xkmsCtx != NULL) {
- xmlSecXkmsServerCtxDestroy(xkmsCtx);
- xkmsCtx = NULL;
+ xmlSecXkmsServerCtxDestroy(xkmsCtx);
+ xkmsCtx = NULL;
}
/* Destroy keys manager */
if(mngr != NULL) {
xmlSecKeysMngrDestroy(mngr);
- mngr = NULL;
+ mngr = NULL;
}
/* Shutdown xmlsec-crypto library */
@@ -277,6 +293,7 @@ done:
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
xmlCleanupParser();
@@ -287,7 +304,7 @@ done:
/**
* init_server:
- * @port: the server'xmlSecBufferGetData(buffer) TCP port number.
+ * @port: the server'xmlSecBufferGetData(buffer) TCP port number.
*
* Starts up a TCP server listening on given @port.
*
@@ -303,8 +320,8 @@ init_server(unsigned short port) {
#ifdef WIN32_SOCKETS
if(WSAStartup(MAKEWORD(1,1), &data)) {
- fprintf(stderr, "Error %d: WSAStartup() failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: WSAStartup() failed\n", errno);
+ return(-1);
}
#endif /* WIN32_SOCKETS */
@@ -318,44 +335,44 @@ init_server(unsigned short port) {
if(sockfd == INVALID_SOCKET) {
#endif /* WIN32_SOCKETS */
- fprintf(stderr, "Error %d: socket() failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: socket() failed\n", errno);
+ return(-1);
}
/* enable reuse of address */
flags = 1;
if(setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&flags, sizeof(flags)) != 0) {
- fprintf(stderr, "Error %d: setsockopt(SO_REUSEADDR) failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: setsockopt(SO_REUSEADDR) failed\n", errno);
+ return(-1);
}
#ifdef UNIX_SOCKETS
/* set non-blocking */
flags = fcntl(sockfd, F_GETFL);
if(flags < 0) {
- fprintf(stderr, "Error %d: fcntl(F_GETFL) failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: fcntl(F_GETFL) failed\n", errno);
+ return(-1);
}
if(fcntl(sockfd, F_SETFL, flags | O_NONBLOCK) < 0) {
- fprintf(stderr, "Error %d: fcntl(F_SETFL) failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: fcntl(F_SETFL) failed\n", errno);
+ return(-1);
}
#endif /* UNIX_SOCKETS */
/* preset socket structure for socket binding */
memset(&saddr, 0, sizeof(saddr));
- saddr.sin_family = AF_INET;
- saddr.sin_port = htons(port);
- saddr.sin_addr.s_addr = INADDR_ANY;
+ saddr.sin_family = AF_INET;
+ saddr.sin_port = htons(port);
+ saddr.sin_addr.s_addr = INADDR_ANY;
if(bind(sockfd, (struct sockaddr *)&saddr, sizeof(struct sockaddr)) != 0) {
- fprintf(stderr, "Error %d: bind() failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: bind() failed\n", errno);
+ return(-1);
}
/* prepare for listening */
if(listen(sockfd, PENDING_QUEUE_SIZE) != 0) {
- fprintf(stderr, "Error %d: listen() failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: listen() failed\n", errno);
+ return(-1);
}
#ifdef UNIX_SOCKETS
@@ -386,8 +403,8 @@ stop_server() {
#ifdef WIN32_SOCKETS
if(sockfd != -1) {
- close(sockfd);
- sockfd = -1;
+ close(sockfd);
+ sockfd = -1;
}
#endif /* WIN32_SOCKETS */
if(log_level >= LOG_LEVEL_INFO) {
@@ -397,7 +414,7 @@ stop_server() {
/**
* int_signal_handler:
- * @sig_num: the signal number.
+ * @sig_num: the signal number.
*
* Unix's Ctrl-C signal handler that stops the server.
*/
@@ -411,9 +428,9 @@ int_signal_handler(int sig_num) {
/**
* handle_connection:
- * @sockfd: the server's socket.
- * @xkmsCtx: the template XKMS server context.
- * @format: the expected format of XKMS requests.
+ * @sockfd: the server's socket.
+ * @xkmsCtx: the template XKMS server context.
+ * @format: the expected format of XKMS requests.
*
* Establishs a connection, forks a child process (onUnix), reads the request,
* processes it and writes back the response.
@@ -457,8 +474,8 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo
if(sockfd == INVALID_SOCKET) {
#endif /* WIN32_SOCKETS */
- fprintf(stderr, "Error %d: accept() failed\n", errno);
- return(-1);
+ fprintf(stderr, "Error %d: accept() failed\n", errno);
+ return(-1);
}
if(log_level >= LOG_LEVEL_INFO) {
fprintf(stdout, "Log [%s]: got connection\n", inet_ntoa(saddr.sin_addr));
@@ -467,19 +484,19 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo
/* Create a copy of XKMS server context */
xkmsCtx2 = xmlSecXkmsServerCtxCreate(NULL);
if(xkmsCtx2 == NULL) {
- fprintf(stderr, "Error %d [%s]: a copy of XKMS server context initialization failed\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: a copy of XKMS server context initialization failed\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
if(xmlSecXkmsServerCtxCopyUserPref(xkmsCtx2, xkmsCtx) < 0) {
- fprintf(stderr, "Error %d [%s]: XKMS server context copy failed\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: XKMS server context copy failed\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
#ifdef UNIX_SOCKETS
/* on Unix we use child process to process requests */
if(fork()) {
- /* parent process */
- return(0);
+ /* parent process */
+ return(0);
}
/* child process */
@@ -489,36 +506,36 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo
buffer = xmlSecBufferCreate(0);
if(buffer == NULL) {
- fprintf(stderr, "Error %d [%s]: xmlSecBufferCreate() failed\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: xmlSecBufferCreate() failed\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
/* read input request */
ret = read_request(fd, inet_ntoa(saddr.sin_addr), buffer);
if(ret < 0) {
- fprintf(stderr, "Error %d [%s]: read_request() failed\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: read_request() failed\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
/* parse request */
inDoc = xmlParseMemory(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer) );
if((inDoc == NULL) || (xmlDocGetRootElement(inDoc) == NULL)) {
- fprintf(stderr, "Error %d [%s]: failed to parse request\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: failed to parse request\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
xmlSecBufferEmpty(buffer);
/* prepare result document */
outDoc = xmlNewDoc(BAD_CAST "1.0");
if(outDoc == NULL) {
- fprintf(stderr, "Error %d [%s]: failed to create result doc\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: failed to create result doc\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
result = xmlSecXkmsServerCtxProcess(xkmsCtx2, xmlDocGetRootElement(inDoc), format, outDoc);
if(result == NULL) {
- fprintf(stderr, "Error %d [%s]: failed to process xkms server request\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: failed to process xkms server request\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
/* apppend returned result node to the output document */
@@ -527,8 +544,8 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo
/* create LibXML2 output buffer */
output = xmlSecBufferCreateOutputBuffer(buffer);
if(output == NULL) {
- fprintf(stderr, "Error %d [%s]: xmlSecBufferCreateOutputBuffer() failed\n", errno, inet_ntoa(saddr.sin_addr));
- goto done;
+ fprintf(stderr, "Error %d [%s]: xmlSecBufferCreateOutputBuffer() failed\n", errno, inet_ntoa(saddr.sin_addr));
+ goto done;
}
xmlNodeDumpOutput(output, result->doc, result, 0, 0, NULL);
@@ -537,72 +554,72 @@ handle_connection(int sockfd, xmlSecXkmsServerCtxPtr xkmsCtx, xmlSecXkmsServerFo
done:
/* send back response */
if((resp_ready == 1) && (xmlSecBufferGetData(buffer) != NULL)) {
- ret = send_response(fd, inet_ntoa(saddr.sin_addr), 200, xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer));
- if(log_level >= LOG_LEVEL_INFO) {
- fprintf(stdout, "Log [%s]: processed request\n", inet_ntoa(saddr.sin_addr));
- }
+ ret = send_response(fd, inet_ntoa(saddr.sin_addr), 200, xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer));
+ if(log_level >= LOG_LEVEL_INFO) {
+ fprintf(stdout, "Log [%s]: processed request\n", inet_ntoa(saddr.sin_addr));
+ }
} else if(fd >= 0) {
- ret = send_response(fd, inet_ntoa(saddr.sin_addr), 503, http_503, strlen(http_503));
+ ret = send_response(fd, inet_ntoa(saddr.sin_addr), 503, http_503, strlen(http_503));
if(log_level >= LOG_LEVEL_INFO) {
- fprintf(stdout, "Log [%s]: failed to process request\n", inet_ntoa(saddr.sin_addr));
- }
+ fprintf(stdout, "Log [%s]: failed to process request\n", inet_ntoa(saddr.sin_addr));
+ }
} else {
- ret = -1;
+ ret = -1;
}
if(ret < 0) {
- fprintf(stderr, "Error %d [%s]: send_response() failed\n", errno, inet_ntoa(saddr.sin_addr));
+ fprintf(stderr, "Error %d [%s]: send_response() failed\n", errno, inet_ntoa(saddr.sin_addr));
}
/* cleanup */
if(output != NULL) {
- xmlOutputBufferClose(output);
- output = NULL;
+ xmlOutputBufferClose(output);
+ output = NULL;
}
if(outDoc != NULL) {
- xmlFreeDoc(outDoc);
- outDoc = NULL;
+ xmlFreeDoc(outDoc);
+ outDoc = NULL;
}
if(inDoc != NULL) {
- xmlFreeDoc(inDoc);
- inDoc = NULL;
+ xmlFreeDoc(inDoc);
+ inDoc = NULL;
}
if(buffer != NULL) {
- xmlSecBufferDestroy(buffer);
- buffer = NULL;
+ xmlSecBufferDestroy(buffer);
+ buffer = NULL;
}
if(xkmsCtx2 != NULL) {
- xmlSecXkmsServerCtxDestroy(xkmsCtx2);
- xkmsCtx2 = NULL;
+ xmlSecXkmsServerCtxDestroy(xkmsCtx2);
+ xkmsCtx2 = NULL;
}
if(fd >= 0) {
#ifdef UNIX_SOCKETS
- shutdown(fd, SHUT_RDWR);
- close(fd);
+ shutdown(fd, SHUT_RDWR);
+ close(fd);
#endif /* UNIX_SCOKETS */
#ifdef WIN32_SOCKETS
- close(fd);
+ close(fd);
#endif /* WIN32_SCOKETS */
- fd = -1;
+ fd = -1;
}
if(in_child_process) {
- exit(0);
+ exit(0);
}
return(0);
}
/**
* read_request:
- * @fd: the request's socket.
- * @in_ip: the request's IP address (for logging).
- * @buffer: the output buffer.
+ * @fd: the request's socket.
+ * @in_ip: the request's IP address (for logging).
+ * @buffer: the output buffer.
*
* Reads the request from socket @fd and stores it in the @buffer.
*
@@ -625,16 +642,16 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) {
/* first read the http headers */
counter = 5;
while(my_strnstr(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), BAD_CAST "\r\n\r\n", 4) == NULL) {
- nread = recv(fd, buf, sizeof(buf), 0);
- if(nread < 0) {
- fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip);
- return(-1);
- }
+ nread = recv(fd, buf, sizeof(buf), 0);
+ if(nread < 0) {
+ fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip);
+ return(-1);
+ }
- if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) {
- fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread);
- return(-1);
- }
+ if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) {
+ fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread);
+ return(-1);
+ }
if(nread < sizeof(buffer)) {
counter--;
@@ -646,13 +663,13 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) {
if(xmlSecBufferGetData(buffer) == NULL) {
fprintf(stderr, "Error %d [%s]: no bytes read\n", errno, in_ip);
- return(-1);
+ return(-1);
}
if(log_level >= LOG_LEVEL_DEBUG) {
- xmlSecBufferAppend(buffer, BAD_CAST "\0", 1);
+ xmlSecBufferAppend(buffer, BAD_CAST "\0", 1);
fprintf(stdout, "Debug [%s]: request headers:\n%s\n", in_ip, xmlSecBufferGetData(buffer));
- xmlSecBufferRemoveTail(buffer, 1);
+ xmlSecBufferRemoveTail(buffer, 1);
}
/* Parse the request and extract the body. We expect the request to look
@@ -660,37 +677,37 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) {
* POST <path> HTTP/1.x\r\n
* <header1>\r\n
* <header2>\r\n
- * ...
+ * ...
* <headerN>\r\n
- * \r\n
- * <body>
+ * \r\n
+ * <body>
*/
/* analyze the first line */
p = my_strnstr(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), BAD_CAST "\r\n", 2);
if(p == NULL) {
- fprintf(stderr, "Error %d [%s]: there is no HTTP header\n", errno, in_ip);
- return(-1);
+ fprintf(stderr, "Error %d [%s]: there is no HTTP header\n", errno, in_ip);
+ return(-1);
}
if(xmlStrncasecmp(xmlSecBufferGetData(buffer), BAD_CAST "POST ", 5) != 0) {
- fprintf(stderr, "Error %d [%s]: not a POST request\n", errno, in_ip);
- return(-1);
+ fprintf(stderr, "Error %d [%s]: not a POST request\n", errno, in_ip);
+ return(-1);
}
/* "POST " + " HTTP/1.x" == 14 */
s = xmlSecBufferGetData(buffer);
if(p - s <= 14) {
- fprintf(stderr, "Error %d [%s]: first line has bad length\n", errno, in_ip);
- return(-1);
+ fprintf(stderr, "Error %d [%s]: first line has bad length\n", errno, in_ip);
+ return(-1);
}
if((xmlStrncasecmp(p - 9, BAD_CAST " HTTP/1.0", 9) != 0) &&
(xmlStrncasecmp(p - 9, BAD_CAST " HTTP/1.1", 9) != 0)) {
-
+
fprintf(stderr, "Error %d [%s]: first line does not end with \" HTTP/1.x\"\n", errno, in_ip);
- return(-1);
+ return(-1);
}
if(xmlSecBufferRemoveHead(buffer, p - xmlSecBufferGetData(buffer) + 2) < 0) {
- fprintf(stderr, "Error %d [%s]: failed to skip first line\n", errno, in_ip);
- return(-1);
+ fprintf(stderr, "Error %d [%s]: failed to skip first line\n", errno, in_ip);
+ return(-1);
}
/* now skip all the headers (i.e. everything until empty line) */
@@ -699,19 +716,19 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) {
p = my_strnstr(xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), BAD_CAST "\r\n", 2);
if(p == NULL) {
fprintf(stderr, "Error %d [%s]: there is no HTTP body\n", errno, in_ip);
- return(-1);
- }
-
- if(p == xmlSecBufferGetData(buffer)) {
- found = 1;
- } else if(xmlStrncasecmp(xmlSecBufferGetData(buffer), BAD_CAST "Content-length: ", 16) == 0) {
- length = atoi(xmlSecBufferGetData(buffer) + 16);
- }
-
- if(xmlSecBufferRemoveHead(buffer, p - xmlSecBufferGetData(buffer) + 2) < 0) {
- fprintf(stderr, "Error %d [%s]: failed to skip header line\n", errno, in_ip);
- return(-1);
- }
+ return(-1);
+ }
+
+ if(p == xmlSecBufferGetData(buffer)) {
+ found = 1;
+ } else if(xmlStrncasecmp(xmlSecBufferGetData(buffer), BAD_CAST "Content-length: ", 16) == 0) {
+ length = atoi(xmlSecBufferGetData(buffer) + 16);
+ }
+
+ if(xmlSecBufferRemoveHead(buffer, p - xmlSecBufferGetData(buffer) + 2) < 0) {
+ fprintf(stderr, "Error %d [%s]: failed to skip header line\n", errno, in_ip);
+ return(-1);
+ }
}
/* remove the trailing \0 we added */
@@ -720,16 +737,16 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) {
/* now read the body */
counter = 5;
while(xmlSecBufferGetSize(buffer) < length) {
- nread = recv(fd, buf, sizeof(buf), 0);
- if(nread < 0) {
- fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip);
- return(-1);
- }
-
- if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) {
- fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread);
- return(-1);
- }
+ nread = recv(fd, buf, sizeof(buf), 0);
+ if(nread < 0) {
+ fprintf(stderr, "Error %d [%s]: read() failed\n", errno, in_ip);
+ return(-1);
+ }
+
+ if((nread > 0) && (xmlSecBufferAppend(buffer, buf, nread) < 0)) {
+ fprintf(stderr, "Error %d [%s]: xmlSecBufferAppend(%d) failed\n", errno, in_ip, nread);
+ return(-1);
+ }
if(nread < sizeof(buffer)) {
counter--;
if(counter <= 0) {
@@ -738,23 +755,23 @@ read_request(int fd, const char* in_ip, xmlSecBufferPtr buffer) {
}
}
if(log_level >= LOG_LEVEL_INFO) {
- fprintf(stdout, "Log [%s]: body size is %d bytes\n", in_ip, xmlSecBufferGetSize(buffer));
+ fprintf(stdout, "Log [%s]: body size is %d bytes\n", in_ip, xmlSecBufferGetSize(buffer));
}
if(log_level >= LOG_LEVEL_DATA) {
- xmlSecBufferAppend(buffer, BAD_CAST "\0", 1);
+ xmlSecBufferAppend(buffer, BAD_CAST "\0", 1);
fprintf(stdout, "Log [%s]: request body:\n%s\n", in_ip, xmlSecBufferGetData(buffer));
- xmlSecBufferRemoveTail(buffer, 1);
+ xmlSecBufferRemoveTail(buffer, 1);
}
return(0);
}
/**
* send_response:
- * @fd: the request's socket.
- * @in_ip: the request's IP address (for logging).
- * @resp_code: the HTTP response code.
- * @body: the response body.
- * @body_len: the response body length.
+ * @fd: the request's socket.
+ * @in_ip: the request's IP address (for logging).
+ * @resp_code: the HTTP response code.
+ * @body: the response body.
+ * @body_len: the response body length.
*
* Writes HTTP response headers and @body to the @socket.
*
@@ -772,20 +789,20 @@ send_response(int fd, const char* in_ip, int resp_code, const char* body, int bo
/* prepare and send http header */
sprintf(header, http_header, resp_code, body_size);
if(send(fd, header, strlen(header), 0) == -1) {
- fprintf(stderr, "Error %d [%s]: send(header) failed\n", errno, in_ip);
- return(-1);
+ fprintf(stderr, "Error %d [%s]: send(header) failed\n", errno, in_ip);
+ return(-1);
}
if(log_level >= LOG_LEVEL_DATA) {
- xmlChar* tmp = xmlStrndup(body, body_size);
+ xmlChar* tmp = xmlStrndup(body, body_size);
fprintf(stdout, "Log [%s]: response is\n%s\n", in_ip, tmp);
- xmlFree(tmp);
+ xmlFree(tmp);
}
/* send body */
if(send(fd, body, body_size, 0) == -1) {
- fprintf(stderr, "Error %d [%s]: send(body) failed\n", errno, in_ip);
- return(-1);
+ fprintf(stderr, "Error %d [%s]: send(body) failed\n", errno, in_ip);
+ return(-1);
}
return(0);
diff --git a/examples/xmldsigverify.c b/examples/xmldsigverify.c
index a4c9f532..f4c376ea 100644
--- a/examples/xmldsigverify.c
+++ b/examples/xmldsigverify.c
@@ -17,6 +17,7 @@
#ifndef XMLSEC_NO_XSLT
#include <libxslt/xslt.h>
+#include <libxslt/security.h>
#endif /* XMLSEC_NO_XSLT */
#include <xmlsec/xmlsec.h>
@@ -24,9 +25,9 @@
#include <xmlsec/xmldsig.h>
#include <xmlsec/crypto.h>
-/* #define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/etc/httpd/conf/ssl.crt" */
-#define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/var/www/cgi-bin/keys-certs.def"
-#define XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER "/var/www/cgi-bin/keys-certs"
+/* #define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/etc/httpd/conf/ssl.crt" */
+#define XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER "/var/www/cgi-bin/keys-certs.def"
+#define XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER "/var/www/cgi-bin/keys-certs"
int load_keys(xmlSecKeysMngrPtr mngr, const char* path, int report_loaded_keys);
@@ -37,7 +38,10 @@ int url_decode(char *buf, size_t size);
int
main(int argc, char **argv) {
xmlSecKeysMngrPtr mngr;
-
+#ifndef XMLSEC_NO_XSLT
+ xsltSecurityPrefsPtr xsltSecPrefs = NULL;
+#endif /* XMLSEC_NO_XSLT */
+
/* start response */
fprintf(stdout, "Content-type: text/plain\n");
fprintf(stdout, "\n");
@@ -53,17 +57,29 @@ main(int argc, char **argv) {
/* make sure that we print out everything to stdout */
xmlGenericErrorContext = stdout;
-
+
+ /* Init libxslt */
+#ifndef XMLSEC_NO_XSLT
+ /* disable everything */
+ xsltSecPrefs = xsltNewSecurityPrefs();
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid);
+ xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid);
+ xsltSetDefaultSecurityPrefs(xsltSecPrefs);
+#endif /* XMLSEC_NO_XSLT */
+
/* Init xmlsec library */
if(xmlSecInit() < 0) {
- fprintf(stdout, "Error: xmlsec initialization failed.\n");
- return(-1);
+ fprintf(stdout, "Error: xmlsec initialization failed.\n");
+ return(-1);
}
/* Check loaded library version */
if(xmlSecCheckVersion() != 1) {
- fprintf(stdout, "Error: loaded xmlsec library version is not compatible.\n");
- return(-1);
+ fprintf(stdout, "Error: loaded xmlsec library version is not compatible.\n");
+ return(-1);
}
/* Load default crypto engine if we are supporting dynamic
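Review bot: The added block ignores the results of `xsltNewSecurityPrefs()` and of the five `xsltSetSecurityPrefs()` calls, so if the allocation fails `xsltSetDefaultSecurityPrefs(NULL)` still runs and, as far as I can tell from libxslt, no restrictions are installed at all. A CGI that verifies signatures taken from request input should fail closed here: `if(xsltSecPrefs == NULL) { fprintf(stdout, "Error: unable to create xslt security prefs.\n"); return(-1); }`, with a negative return from any `xsltSetSecurityPrefs` call handled the same way. The hardening also stops at XSLT: `xmlReadMemory` in verify_request (context lines of a later hunk in this file) still passes `XML_PARSE_NOENT`, which keeps entity substitution enabled for the submitted document and deserves the same scrutiny.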
@@ -73,49 +89,49 @@ main(int argc, char **argv) {
*/
#ifdef XMLSEC_CRYPTO_DYNAMIC_LOADING
if(xmlSecCryptoDLLoadLibrary(BAD_CAST XMLSEC_CRYPTO) < 0) {
- fprintf(stdout, "Error: unable to load default xmlsec-crypto library. Make sure\n"
- "that you have it installed and check shared libraries path\n"
- "(LD_LIBRARY_PATH) envornment variable.\n");
- return(-1);
+ fprintf(stdout, "Error: unable to load default xmlsec-crypto library. Make sure\n"
+ "that you have it installed and check shared libraries path\n"
+ "(LD_LIBRARY_PATH) envornment variable.\n");
+ return(-1);
}
#endif /* XMLSEC_CRYPTO_DYNAMIC_LOADING */
/* Init crypto library */
if(xmlSecCryptoAppInit(XMLDSIGVERIFY_DEFAULT_TRUSTED_CERTS_FOLDER) < 0) {
- fprintf(stdout, "Error: crypto initialization failed.\n");
- return(-1);
+ fprintf(stdout, "Error: crypto initialization failed.\n");
+ return(-1);
}
/* Init xmlsec-crypto library */
if(xmlSecCryptoInit() < 0) {
- fprintf(stdout, "Error: xmlsec-crypto initialization failed.\n");
- return(-1);
+ fprintf(stdout, "Error: xmlsec-crypto initialization failed.\n");
+ return(-1);
}
/* create keys manager */
mngr = xmlSecKeysMngrCreate();
if(mngr == NULL) {
- fprintf(stdout, "Error: failed to create keys manager.\n");
- return(-1);
+ fprintf(stdout, "Error: failed to create keys manager.\n");
+ return(-1);
}
if(xmlSecCryptoAppDefaultKeysMngrInit(mngr) < 0) {
- fprintf(stdout, "Error: failed to initialize keys manager.\n");
- return(-1);
+ fprintf(stdout, "Error: failed to initialize keys manager.\n");
+ return(-1);
}
if(load_keys(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
if(load_trusted_certs(mngr, XMLDSIGVERIFY_KEY_AND_CERTS_FOLDER, 0) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
if(verify_request(mngr) < 0) {
- xmlSecKeysMngrDestroy(mngr);
- return(-1);
+ xmlSecKeysMngrDestroy(mngr);
+ return(-1);
}
/* Destroy keys manager */
@@ -132,8 +148,10 @@ main(int argc, char **argv) {
/* Shutdown libxslt/libxml */
#ifndef XMLSEC_NO_XSLT
+ xsltFreeSecurityPrefs(xsltSecPrefs);
xsltCleanupGlobals();
#endif /* XMLSEC_NO_XSLT */
+
xmlCleanupParser();
return(0);
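Review bot: `xsltFreeSecurityPrefs(xsltSecPrefs)` frees an object that libxslt still holds as its default preferences, because nothing resets the pointer installed earlier by `xsltSetDefaultSecurityPrefs`. That is harmless only as long as no transform runs after this point, so the ordering deserves a comment above the call, e.g. `/* keep after the last xmlsec/libxslt use: the default prefs pointer dangles from here on */`. The early `return(-1)` paths visible in the other hunks of main skip this cleanup entirely; main's body starts and ends outside this hunk.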
@@ -141,8 +159,8 @@ main(int argc, char **argv) {
/**
* load_trusted_certs:
- * @mngr: the keys manager.
- * @path: the path to a folder that contains trusted certificates.
+ * @mngr: the keys manager.
+ * @path: the path to a folder that contains trusted certificates.
*
* Loads trusted certificates from @path.
*
@@ -159,33 +177,33 @@ int load_trusted_certs(xmlSecKeysMngrPtr mngr, const char* path, int report_load
dir = opendir(path);
if(dir == NULL) {
- fprintf(stdout, "Error: failed to open folder \"%s\".\n", path);
- return(-1);
+ fprintf(stdout, "Error: failed to open folder \"%s\".\n", path);
+ return(-1);
}
while((entry = readdir(dir)) != NULL) {
- assert(entry->d_name);
- len = strlen(entry->d_name);
- if((len > 4) && (strcmp(entry->d_name + len - 4, ".pem") == 0)) {
- snprintf(filename, sizeof(filename), "%s/%s", path, entry->d_name);
- if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
- fprintf(stdout,"Error: failed to load pem certificate from \"%s\"\n", filename);
- closedir(dir);
- return(-1);
- }
- if(report_loaded_certs) {
- fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename);
- }
- } else if((len > 4) && (strcmp(entry->d_name + len - 4, ".der") == 0)) {
- snprintf(filename, sizeof(filename), "%s/%s", path, entry->d_name);
- if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatDer, xmlSecKeyDataTypeTrusted) < 0) {
- fprintf(stdout,"Error: failed to load der certificate from \"%s\"\n", filename);
- closedir(dir);
- return(-1);
- }
- if(report_loaded_certs) {
- fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename);
- }
- }
+ assert(entry->d_name);
+ len = strlen(entry->d_name);
+ if((len > 4) && (strcmp(entry->d_name + len - 4, ".pem") == 0)) {
+ snprintf(filename, sizeof(filename), "%s/%s", path, entry->d_name);
+ if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
+ fprintf(stdout,"Error: failed to load pem certificate from \"%s\"\n", filename);
+ closedir(dir);
+ return(-1);
+ }
+ if(report_loaded_certs) {
+ fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename);
+ }
+ } else if((len > 4) && (strcmp(entry->d_name + len - 4, ".der") == 0)) {
+ snprintf(filename, sizeof(filename), "%s/%s", path, entry->d_name);
+ if(xmlSecCryptoAppKeysMngrCertLoad(mngr, filename, xmlSecKeyDataFormatDer, xmlSecKeyDataTypeTrusted) < 0) {
+ fprintf(stdout,"Error: failed to load der certificate from \"%s\"\n", filename);
+ closedir(dir);
+ return(-1);
+ }
+ if(report_loaded_certs) {
+ fprintf(stdout, "Loaded trusted certificate from \"%s\"...\n", filename);
+ }
+ }
}
closedir(dir);
return(0);
@@ -198,8 +216,8 @@ int load_keys(xmlSecKeysMngrPtr mngr, const char* path, int report_loaded_keys)
snprintf(filename, sizeof(filename), "%s/keys.xml", path);
if(xmlSecCryptoAppDefaultKeysMngrLoad(mngr, filename) < 0) {
- fprintf(stdout,"Error: failed to load keys from \"%s\"\n", filename);
- return(-1);
+ fprintf(stdout,"Error: failed to load keys from \"%s\"\n", filename);
+ return(-1);
}
if(report_loaded_keys) {
@@ -211,7 +229,7 @@ int load_keys(xmlSecKeysMngrPtr mngr, const char* path, int report_loaded_keys)
/**
* verify_request:
- * @mng: the keys manager
+ * @mng: the keys manager
*
* Verifies XML signature in the request (stdin).
*
@@ -232,35 +250,35 @@ verify_request(xmlSecKeysMngrPtr mngr) {
/* load request in the buffer */
buffer = xmlBufferCreate();
if(buffer == NULL) {
- fprintf(stdout,"Error: failed to create buffer\n");
- goto done;
+ fprintf(stdout,"Error: failed to create buffer\n");
+ goto done;
}
while(!feof(stdin)) {
- ret = fread(buf, 1, sizeof(buf), stdin);
- if(ret < 0) {
- fprintf(stdout,"Error: read failed\n");
- goto done;
- }
- xmlBufferAdd(buffer, buf, ret);
+ ret = fread(buf, 1, sizeof(buf), stdin);
+ if(ret < 0) {
+ fprintf(stdout,"Error: read failed\n");
+ goto done;
+ }
+ xmlBufferAdd(buffer, buf, ret);
}
/* is the document subbmitted from the form? */
if(strncmp((char*)xmlBufferContent(buffer), "_xmldoc=", 8) == 0) {
- xmlBufferShrink(buffer, 8);
- buffer->use = url_decode((char*)xmlBufferContent(buffer), xmlBufferLength(buffer));
+ xmlBufferShrink(buffer, 8);
+ buffer->use = url_decode((char*)xmlBufferContent(buffer), xmlBufferLength(buffer));
}
/**
* Load doc
*/
doc = xmlReadMemory(xmlBufferContent(buffer), xmlBufferLength(buffer),
- NULL, NULL,
- XML_PARSE_NOENT | XML_PARSE_NOCDATA |
- XML_PARSE_PEDANTIC | XML_PARSE_NOCDATA);
+ NULL, NULL,
+ XML_PARSE_NOENT | XML_PARSE_NOCDATA |
+ XML_PARSE_PEDANTIC | XML_PARSE_NOCDATA);
if (doc == NULL) {
- fprintf(stdout, "Error: unable to parse xml document (syntax error)\n");
- goto done;
+ fprintf(stdout, "Error: unable to parse xml document (syntax error)\n");
+ goto done;
}
/*
@@ -268,41 +286,41 @@ verify_request(xmlSecKeysMngrPtr mngr) {
*/
if(xmlDocGetRootElement(doc) == NULL) {
fprintf(stdout,"Error: empty document\n");
- goto done;
+ goto done;
}
/* find start node */
node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
if(node == NULL) {
- fprintf(stdout, "Error: start <dsig:Signature/> node not found\n");
- goto done;
+ fprintf(stdout, "Error: start <dsig:Signature/> node not found\n");
+ goto done;
}
/* create signature context */
dsigCtx = xmlSecDSigCtxCreate(mngr);
if(dsigCtx == NULL) {
fprintf(stdout,"Error: failed to create signature context\n");
- goto done;
+ goto done;
}
/* we would like to store and print out everything */
/* actually we would not because it opens a security hole
dsigCtx->flags = XMLSEC_DSIG_FLAGS_STORE_SIGNEDINFO_REFERENCES |
- XMLSEC_DSIG_FLAGS_STORE_MANIFEST_REFERENCES |
- XMLSEC_DSIG_FLAGS_STORE_SIGNATURE;
+ XMLSEC_DSIG_FLAGS_STORE_MANIFEST_REFERENCES |
+ XMLSEC_DSIG_FLAGS_STORE_SIGNATURE;
*/
/* Verify signature */
if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
fprintf(stdout,"Error: signature verification failed\n");
- goto done;
+ goto done;
}
/* print verification result to stdout */
if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
- fprintf(stdout, "RESULT: Signature is OK\n");
+ fprintf(stdout, "RESULT: Signature is OK\n");
} else {
- fprintf(stdout, "RESULT: Signature is INVALID\n");
+ fprintf(stdout, "RESULT: Signature is INVALID\n");
}
fprintf(stdout, "---------------------------------------------------\n");
xmlSecDSigCtxDebugDump(dsigCtx, stdout);
@@ -313,30 +331,30 @@ verify_request(xmlSecKeysMngrPtr mngr) {
done:
/* cleanup */
if(dsigCtx != NULL) {
- xmlSecDSigCtxDestroy(dsigCtx);
+ xmlSecDSigCtxDestroy(dsigCtx);
}
if(doc != NULL) {
- xmlFreeDoc(doc);
+ xmlFreeDoc(doc);
}
if(buffer != NULL) {
- xmlBufferFree(buffer);
+ xmlBufferFree(buffer);
}
return(res);
}
/* not the best way to do it */
#define toHex(c) ( ( ('0' <= (c)) && ((c) <= '9') ) ? (c) - '0' : \
- ( ( ('A' <= (c)) && ((c) <= 'F') ) ? (c) - 'A' + 10 : 0 ) )
+ ( ( ('A' <= (c)) && ((c) <= 'F') ) ? (c) - 'A' + 10 : 0 ) )
/**
* url_decode:
- * @buf: the input buffer.
- * @size: the input buffer size.
+ * @buf: the input buffer.
+ * @size: the input buffer size.
*
* Does url decoding in-place.
- *
+ *
* Returns length of the decoded result on success or
* a negative value if an error occurs.
*/
@@ -347,15 +365,15 @@ int url_decode(char *buf, size_t size) {
p1 = p2 = buf;
while(p1 - buf < size) {
- if(((*p1) == '%') && ((p1 - buf) <= (size - 3))) {
- *(p2++) = (char)(toHex(p1[1]) * 16 + toHex(p1[2]));
- p1 += 3;
- } else if((*p1) == '+') {
- *(p2++) = ' ';
- p1++;
- } else {
- *(p2++) = *(p1++);
- }
+ if(((*p1) == '%') && ((p1 - buf) <= (size - 3))) {
+ *(p2++) = (char)(toHex(p1[1]) * 16 + toHex(p1[2]));
+ p1 += 3;
+ } else if((*p1) == '+') {
+ *(p2++) = ' ';
+ p1++;
+ } else {
+ *(p2++) = *(p1++);
+ }
}
return(p2 - buf);
}