+
+void ReloadableXMLFile::preserveCacheTag()
+{
+ if (!m_cacheTag.empty() && !m_backing.empty()) {
+ try {
+ string tagname = m_backing + ".tag";
+ ofstream backer(tagname.c_str());
+ backer << m_cacheTag;
+ }
+ catch (exception&) {
+ }
+ }
+}
+
+#ifndef XMLTOOLING_LITE
+
+void ReloadableXMLFile::validateSignature(Signature& sigObj) const
+{
+ DSIGSignature* sig=sigObj.getXMLSignature();
+ if (!sig)
+ throw XMLSecurityException("Signature does not exist yet.");
+
+ // Make sure the whole document was signed.
+ bool valid=false;
+ DSIGReferenceList* refs=sig->getReferenceList();
+ if (refs && refs->getSize()==1) {
+ DSIGReference* ref=refs->item(0);
+ if (ref) {
+ const XMLCh* URI=ref->getURI();
+ if (URI==nullptr || *URI==0) {
+ DSIGTransformList* tlist=ref->getTransforms();
+ if (tlist->getSize() <= 2) {
+ for (unsigned int i=0; tlist && i<tlist->getSize(); i++) {
+ if (tlist->item(i)->getTransformType()==TRANSFORM_ENVELOPED_SIGNATURE)
+ valid=true;
+ else if (tlist->item(i)->getTransformType()!=TRANSFORM_EXC_C14N &&
+ tlist->item(i)->getTransformType()!=TRANSFORM_C14N
+#ifdef XMLTOOLING_XMLSEC_C14N11
+ && tlist->item(i)->getTransformType()!=TRANSFORM_C14N11
+#endif
+ ) {
+ valid=false;
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (!valid)
+ throw XMLSecurityException("Invalid signature profile for signed configuration resource.");
+
+ // Set up criteria.
+ CredentialCriteria cc;
+ cc.setUsage(Credential::SIGNING_CREDENTIAL);
+ cc.setSignature(sigObj, CredentialCriteria::KEYINFO_EXTRACTION_KEY);
+ if (!m_signerName.empty())
+ cc.setPeerName(m_signerName.c_str());
+
+ if (m_credResolver) {
+ Locker locker(m_credResolver);
+ vector<const Credential*> creds;
+ if (m_credResolver->resolve(creds, &cc)) {
+ SignatureValidator sigValidator;
+ for (vector<const Credential*>::const_iterator i = creds.begin(); i != creds.end(); ++i) {
+ try {
+ sigValidator.setCredential(*i);
+ sigValidator.validate(&sigObj);
+ return; // success!
+ }
+ catch (exception&) {
+ }
+ }
+ throw XMLSecurityException("Unable to verify signature with supplied key(s).");
+ }
+ else {
+ throw XMLSecurityException("CredentialResolver did not supply any candidate keys.");
+ }
+ }
+ else if (m_trust) {
+ DummyCredentialResolver dummy;
+ if (m_trust->validate(sigObj, dummy, &cc))
+ return;
+ throw XMLSecurityException("TrustEngine unable to verify signature.");
+ }
+
+ throw XMLSecurityException("Unable to verify signature.");
+}
+
+#endif