2 Copyright (C) 2013-2014 Carl Hetherington <cth@carlh.net>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 /** @file src/signer.cc
21 * @brief Signer class.
25 #include "exceptions.h"
26 #include "certificate_chain.h"
28 #include <libcxml/cxml.h>
29 #include <libxml++/libxml++.h>
30 #include <xmlsec/xmldsig.h>
31 #include <xmlsec/dl.h>
32 #include <xmlsec/app.h>
33 #include <xmlsec/crypto.h>
34 #include <openssl/pem.h>
35 #include "compose.hpp"
39 using boost::shared_ptr;
42 Signer::Signer (boost::filesystem::path openssl)
44 create (make_certificate_chain (openssl));
47 Signer::Signer (boost::filesystem::path openssl,
49 string organisational_unit,
50 string root_common_name,
51 string intermediate_common_name,
52 string leaf_common_name
56 make_certificate_chain (
61 intermediate_common_name,
68 Signer::create (boost::filesystem::path directory)
70 _certificates.add (dcp::Certificate (dcp::file_to_string (directory / "ca.self-signed.pem")));
71 _certificates.add (dcp::Certificate (dcp::file_to_string (directory / "intermediate.signed.pem")));
72 _certificates.add (dcp::Certificate (dcp::file_to_string (directory / "leaf.signed.pem")));
74 _key = dcp::file_to_string (directory / "leaf.key");
76 boost::filesystem::remove_all (directory);
79 /** Add a <Signer> and <ds:Signature> nodes to an XML node.
80 * @param parent XML node to add to.
81 * @param standard INTEROP or SMPTE.
84 Signer::sign (xmlpp::Element* parent, Standard standard) const
88 xmlpp::Element* signer = parent->add_child("Signer");
89 xmlpp::Element* data = signer->add_child("X509Data", "dsig");
90 xmlpp::Element* serial_element = data->add_child("X509IssuerSerial", "dsig");
91 serial_element->add_child("X509IssuerName", "dsig")->add_child_text (_certificates.leaf().issuer());
92 serial_element->add_child("X509SerialNumber", "dsig")->add_child_text (_certificates.leaf().serial());
93 data->add_child("X509SubjectName", "dsig")->add_child_text (_certificates.leaf().subject());
97 xmlpp::Element* signature = parent->add_child("Signature", "dsig");
99 xmlpp::Element* signed_info = signature->add_child ("SignedInfo", "dsig");
100 signed_info->add_child("CanonicalizationMethod", "dsig")->set_attribute ("Algorithm", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315");
102 if (standard == INTEROP) {
103 signed_info->add_child("SignatureMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2000/09/xmldsig#rsa-sha1");
105 signed_info->add_child("SignatureMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
108 xmlpp::Element* reference = signed_info->add_child("Reference", "dsig");
109 reference->set_attribute ("URI", "");
111 xmlpp::Element* transforms = reference->add_child("Transforms", "dsig");
112 transforms->add_child("Transform", "dsig")->set_attribute (
113 "Algorithm", "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
116 reference->add_child("DigestMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2000/09/xmldsig#sha1");
117 /* This will be filled in by the signing later */
118 reference->add_child("DigestValue", "dsig");
120 signature->add_child("SignatureValue", "dsig");
121 signature->add_child("KeyInfo", "dsig");
122 add_signature_value (signature, "dsig");
126 /** Sign an XML node.
128 * @param parent Node to sign.
129 * @param ns Namespace to use for the signature XML nodes.
132 Signer::add_signature_value (xmlpp::Node* parent, string ns) const
134 cxml::Node cp (parent);
135 xmlpp::Node* key_info = cp.node_child("KeyInfo")->node ();
137 /* Add the certificate chain to the KeyInfo child node of parent */
138 CertificateChain::List c = _certificates.leaf_to_root ();
139 for (CertificateChain::List::iterator i = c.begin(); i != c.end(); ++i) {
140 xmlpp::Element* data = key_info->add_child("X509Data", ns);
143 xmlpp::Element* serial = data->add_child("X509IssuerSerial", ns);
144 serial->add_child("X509IssuerName", ns)->add_child_text (i->issuer ());
145 serial->add_child("X509SerialNumber", ns)->add_child_text (i->serial ());
148 data->add_child("X509Certificate", ns)->add_child_text (i->certificate());
151 xmlSecDSigCtxPtr signature_context = xmlSecDSigCtxCreate (0);
152 if (signature_context == 0) {
153 throw MiscError ("could not create signature context");
156 signature_context->signKey = xmlSecCryptoAppKeyLoadMemory (
157 reinterpret_cast<const unsigned char *> (_key.c_str()), _key.size(), xmlSecKeyDataFormatPem, 0, 0, 0
160 if (signature_context->signKey == 0) {
161 throw FileError ("could not load private key file", _key, 0);
164 /* XXX: set key name to the file name: is this right? */
165 if (xmlSecKeySetName (signature_context->signKey, reinterpret_cast<const xmlChar *> (_key.c_str())) < 0) {
166 throw MiscError ("could not set key name");
169 int const r = xmlSecDSigCtxSign (signature_context, parent->cobj ());
171 throw MiscError (String::compose ("could not sign (%1)", r));
174 xmlSecDSigCtxDestroy (signature_context);
178 Signer::valid () const
180 if (!_certificates.valid ()) {
184 BIO* bio = BIO_new_mem_buf (const_cast<char *> (_key.c_str ()), -1);
186 throw MiscError ("could not create memory BIO");
189 RSA* private_key = PEM_read_bio_RSAPrivateKey (bio, 0, 0, 0);
190 RSA* public_key = _certificates.leaf().public_key ();
191 bool const valid = !BN_cmp (private_key->n, public_key->n);
projects / libdcp.git / blob