3 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
4 <title>Using context objects.</title>
5 <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
6 <link rel="HOME" title="XML Security Library Reference Manual" href="index.html">
7 <link rel="UP" title="XML Security Library Tutorial" href="xmlsec-notes.html">
8 <link rel="PREVIOUS" title="Transforms and transforms chain." href="xmlsec-notes-transforms.html">
9 <link rel="NEXT" title="Adding support for new cryptographic library." href="xmlsec-notes-new-crypto.html">
10 <style type="text/css">.synopsis, .classsynopsis {
12 border: solid 1px #aaaaaa;
17 border: solid 1px #aaaaff;
26 border: solid 1px #ffaaaa;
33 .navigation a:visited {
40 <body><table witdh="100%" valign="top"><tr valign="top">
41 <td valign="top" align="left" width="210">
42 <img src="../images/logo.gif" alt="XML Security Library" border="0"><p></p>
44 <li><a href="../index.html">Home</a></li>
45 <li><a href="../download.html">Download</a></li>
46 <li><a href="../news.html">News</a></li>
47 <li><a href="../documentation.html">Documentation</a></li>
49 <li><a href="../faq.html">FAQ</a></li>
50 <li><a href="../api/xmlsec-notes.html">Tutorial</a></li>
51 <li><a href="../api/xmlsec-reference.html">API reference</a></li>
52 <li><a href="../api/xmlsec-examples.html">Examples</a></li>
54 <li><a href="../xmldsig.html">XML Digital Signature</a></li>
55 <ul><li><a href="http://www.aleksey.com/xmlsec/xmldsig-verifier.html">Online Verifier</a></li></ul>
56 <li><a href="../xmlenc.html">XML Encryption</a></li>
57 <li><a href="../c14n.html">XML Canonicalization</a></li>
58 <li><a href="../bugs.html">Reporting Bugs</a></li>
59 <li><a href="http://www.aleksey.com/pipermail/xmlsec">Mailing list</a></li>
60 <li><a href="../related.html">Related</a></li>
61 <li><a href="../authors.html">Authors</a></li>
66 <td><a href="http://xmlsoft.org/"><img src="../images/libxml2-logo.png" alt="LibXML2" border="0"></a></td>
70 <td><a href="http://xmlsoft.org/XSLT"><img src="../images/libxslt-logo.png" alt="LibXSLT" border="0"></a></td>
74 <td><a href="http://www.openssl.org/"><img src="../images/openssl-logo.png" alt="OpenSSL" border="0"></a></td>
76 <!--Links - start--><!--Links - end-->
79 <td valign="top"><table width="100%" valign="top"><tr><td valign="top" align="left" id="xmlsecContent">
80 <table width="100%" class="navigation" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
81 <td><a accesskey="p" href="xmlsec-notes-transforms.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
82 <td><a accesskey="u" href="xmlsec-notes.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
83 <td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
84 <th width="100%" align="center">XML Security Library Reference Manual</th>
85 <td><a accesskey="n" href="xmlsec-notes-new-crypto.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
89 <a name="XMLSEC-NOTES-CONTEXTS"></a>Using context objects.</h1>
90 <p>The great flexibility of XML Digital Signature and XML Encryption
91 specification is one of the most interesting and in the same time,
92 most dangerouse feature for an application developer.
93 For example, XPath and XSLT transform can make it very difficult
94 to find out what exactly was signed by just looking at the
95 transforms and the input data. Many protocols based on
96 XML Digital Signature and XML Encryption restrict allowed
97 key data types, allowed transforms or possible input data.
98 For example, signature in a simple SAML Response should have only
99 one <dsig:Reference/> element with an empty or NULL
100 URI attribute and only one enveloped transform.
101 XML Security Library uses "context" objects to let application
102 enable or disable particular features, return the result
103 data and the information collected during the processing.
104 Also all the context objects defined in XML Security library have
105 a special <code class="STRUCTFIELD">userData</code> member which could
106 be used by application to pass application specific data around.
107 XML Security Library never use this field.
108 The application creates a new
109 <a href="xmlsec-xmldsig.html#XMLSECDSIGCTX">xmlSecDSigCtx</a>
110 or <a href="xmlsec-xmlenc.html#XMLSECENCCTX">xmlSecEncCtx</a> object for each
111 operation, sets necessary options and consumes result returned
112 in the context after signature, verification, encryption or decryption.
115 <div class="EXAMPLE">
116 <a name="AEN489"></a><p><b>Example 1. SAML signature validation.</b></p>
117 <pre class="PROGRAMLISTING">/**
119 * @mngr: the pointer to keys manager.
120 * @xml_file: the signed XML file name.
122 * Verifies XML signature in #xml_file.
124 * Returns 0 on success or a negative value if an error occurs.
127 verify_file(xmlSecKeysMngrPtr mngr, const char* xml_file) {
128 xmlDocPtr doc = NULL;
129 xmlNodePtr node = NULL;
130 xmlSecDSigCtxPtr dsigCtx = NULL;
137 doc = xmlParseFile(xml_file);
138 if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)){
139 fprintf(stderr, "Error: unable to parse file \"%s\"\n", xml_file);
143 /* find start node */
144 node = xmlSecFindNode(xmlDocGetRootElement(doc), xmlSecNodeSignature, xmlSecDSigNs);
146 fprintf(stderr, "Error: start node not found in \"%s\"\n", xml_file);
150 /* create signature context */
151 dsigCtx = xmlSecDSigCtxCreate(mngr);
152 if(dsigCtx == NULL) {
153 fprintf(stderr,"Error: failed to create signature context\n");
157 /* limit the Reference URI attributes to empty or NULL */
158 dsigCtx->enabledReferenceUris = xmlSecTransformUriTypeEmpty;
160 /* limit allowed transforms for siganture and reference processing */
161 if((xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
162 (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
163 (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
164 (xmlSecDSigCtxEnableSignatureTransform(dsigCtx, xmlSecTransformRsaSha1Id) < 0)) {
166 fprintf(stderr,"Error: failed to limit allowed siganture transforms\n");
169 if((xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformInclC14NId) < 0) ||
170 (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformExclC14NId) < 0) ||
171 (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformSha1Id) < 0) ||
172 (xmlSecDSigCtxEnableReferenceTransform(dsigCtx, xmlSecTransformEnvelopedId) < 0)) {
174 fprintf(stderr,"Error: failed to limit allowed reference transforms\n");
178 /* in addition, limit possible key data to valid X509 certificates only */
179 if(xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), BAD_CAST xmlSecKeyDataX509Id) < 0) {
180 fprintf(stderr,"Error: failed to limit allowed key data\n");
184 /* Verify signature */
185 if(xmlSecDSigCtxVerify(dsigCtx, node) < 0) {
186 fprintf(stderr,"Error: signature verify\n");
190 /* check that we have only one Reference */
191 if((dsigCtx->status == xmlSecDSigStatusSucceeded) &&
192 (xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)) != 1)) {
194 fprintf(stderr,"Error: only one reference is allowed\n");
198 /* print verification result to stdout */
199 if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
200 fprintf(stdout, "Signature is OK\n");
202 fprintf(stdout, "Signature is INVALID\n");
210 if(dsigCtx != NULL) {
211 xmlSecDSigCtxDestroy(dsigCtx);
223 <table class="navigation" width="100%" summary="Navigation footer" cellpadding="2" cellspacing="2"><tr valign="middle">
224 <td align="left"><a accesskey="p" href="xmlsec-notes-transforms.html"><b><<< Transforms and transforms chain.</b></a></td>
225 <td align="right"><a accesskey="n" href="xmlsec-notes-new-crypto.html"><b>Adding support for new cryptographic library. >>></b></a></td>
227 </td></tr></table></td>