File: xmlsec-notes-contexts.html

package info (click to toggle)
xmlsec1 1.3.7-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 19,916 kB
  • sloc: ansic: 100,493; xml: 19,156; sh: 8,079; makefile: 1,186; javascript: 438; perl: 199
file content (165 lines) | stat: -rw-r--r-- 6,989 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Using context objects.: XML Security Library Reference Manual</title>
<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot">
<link rel="home" href="index.html" title="XML Security Library Reference Manual">
<link rel="up" href="xmlsec-notes.html" title="Part I. XML Security Library Tutorial">
<link rel="prev" href="xmlsec-notes-transforms.html" title="Transforms and transforms chain.">
<link rel="next" href="xmlsec-notes-new-crypto.html" title="Adding support for new cryptographic library.">
<meta name="generator" content="GTK-Doc V1.34.0 (XML mode)">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="5"><tr valign="middle">
<td width="100%" align="left" class="shortcuts"></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="16" height="16" border="0" alt="Home"></a></td>
<td><a accesskey="u" href="xmlsec-notes.html"><img src="up.png" width="16" height="16" border="0" alt="Up"></a></td>
<td><a accesskey="p" href="xmlsec-notes-transforms.html"><img src="left.png" width="16" height="16" border="0" alt="Prev"></a></td>
<td><a accesskey="n" href="xmlsec-notes-new-crypto.html"><img src="right.png" width="16" height="16" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="xmlsec-notes-contexts"></a>Using context objects.</h2></div></div></div>
<p>The great flexibility of XML Digital Signature and XML Encryption
    specification is one of the most interesting and in the same time,
    most dangerouse feature for an application developer.
    For example, XPath and XSLT transform can make it very difficult
    to find out what exactly was signed by just looking at the 
    transforms and the input data. Many protocols based on 
    XML Digital Signature and XML Encryption restrict allowed 
    key data types, allowed transforms or possible input data.
    For example, signature in a simple SAML Response should have only 
    one &lt;dsig:Reference/&gt; element with an empty or NULL 
    URI attribute and only one enveloped transform.
    XML Security Library uses "context" objects to let application
    enable or disable particular features, return the result
    data and the information collected during the processing.
    Also all the context objects defined in XML Security library have 
    a special <em class="structfield"><code>userData</code></em> member which could 
    be used by application to pass application specific data around.
    XML Security Library never use this field.
    The application creates a new 
    <a class="link" href="xmlsec-xmldsig.html#xmlSecDSigCtx" title="struct xmlSecDSigCtx">xmlSecDSigCtx</a>
    or <a class="link" href="xmlsec-xmlenc.html#xmlSecEncCtx" title="struct xmlSecEncCtx">xmlSecEncCtx</a> object for each 
    operation, sets necessary options and consumes result returned
    in the context after signature, verification, encryption or decryption.
    </p>
<p>
	</p>
<div class="example">
<a name="id-1.2.13.3.1"></a><p class="title"><b>Example 24. SAML signature validation.</b></p>
<div class="example-contents"><pre class="programlisting">
/** 
 * verify_file:
 * @mngr:		the pointer to keys manager.
 * @xml_file:		the signed XML file name.
 *
 * Verifies XML signature in #xml_file.
 *
 * Returns 0 on success or a negative value if an error occurs.
 */
int 
verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
    xmlDocPtr doc = NULL;
    xmlNodePtr node = NULL;
    xmlSecDSigCtxPtr dsigCtx = NULL;
    int res = -1;
    
    assert(mngr);
    assert(xml_file);

    /* load file */
    doc = xmlParseFile(xml_file);
    if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
	fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
	goto done;	
    }
    
    /* find start node */
    node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
    if(node == NULL) {
	fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
	goto done;	
    }

    /* create signature context */
    dsigCtx = xmlSecDSigCtxCreate(mngr);
    if(dsigCtx == NULL) {
        fprintf(stderr,"Error: failed to create signature context\n");
	goto done;
    }

    /* limit the Reference URI attributes to empty or NULL */
    dsigCtx-&gt;enabledReferenceUris = xmlSecTransformUriTypeEmpty;
    
    /* limit allowed transforms for signature and reference processing */
    if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NId) &lt; 0) ||
       (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NId) &lt; 0) ||
       (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) &lt; 0) ||
       (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) &lt; 0)) {

        fprintf(stderr,"Error: failed to limit allowed signature transforms\n");
	goto done;
    }
    if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) &lt; 0) ||
       (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) &lt; 0) ||
       (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) &lt; 0) ||
       (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) &lt; 0)) {

        fprintf(stderr,"Error: failed to limit allowed reference transforms\n");
	goto done;
    }

    /* in addition, limit possible key data to valid X509 certificates only */
    if(xmlSecPtrListAdd(&amp;(dsigCtx-&gt;keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) &lt; 0) {
        fprintf(stderr,"Error: failed to limit allowed key data\n");
	goto done;
    }
    
    /* Verify signature */
    if(xmlSecDSigCtxVerify(dsigCtx, node) &lt; 0) {
        fprintf(stderr,"Error: signature verify\n");
	goto done;
    }

    /* check that we have only one Reference */
    if((dsigCtx-&gt;status == xmlSecDSigStatusSucceeded) &amp;&amp; 
        (xmlSecPtrListGetSize(&amp;(dsigCtx-&gt;signedInfoReferences)) != 1)) {
	
        fprintf(stderr,"Error: only one reference is allowed\n");
	goto done;
    }
        
    /* print verification result to stdout */
    if(dsigCtx-&gt;status == xmlSecDSigStatusSucceeded) {
	fprintf(stdout, "Signature is OK\n");
    } else {
	fprintf(stdout, "Signature is INVALID\n");
    }    

    /* success */
    res = 0;

done:    
    /* cleanup */
    if(dsigCtx != NULL) {
	xmlSecDSigCtxDestroy(dsigCtx);
    }
    
    if(doc != NULL) {
	xmlFreeDoc(doc); 
    }
    return(res);
}

	    </pre></div>
</div>
<p><br class="example-break">
    </p>
</div>
<div class="footer">
<hr>Generated by GTK-Doc V1.34.0</div>
</body>
</html>