-/*
- * Copyright 2001-2007 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
*/
/**
#define __xmltooling_pkixtrust_h__
#include <xmltooling/security/OpenSSLTrustEngine.h>
-#include <xmltooling/security/XSECCryptoX509CRL.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
+
+#include <set>
+#include <string>
+#include <boost/ptr_container/ptr_vector.hpp>
namespace xmltooling {
+ class XMLTOOL_API OpenSSLPathValidator;
+ class XMLTOOL_API XSECCryptoX509CRL;
+
/**
* A trust engine that uses X.509 trust anchors and CRLs associated with a peer
* to perform PKIX validation of signatures and credentials.
*/
- class XMLTOOL_API AbstractPKIXTrustEngine : public OpenSSLTrustEngine
+ class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
{
protected:
/**
* If a DOM is supplied, the following XML content is supported:
*
* <ul>
- * <li><KeyInfoResolver> elements with a type attribute
+ * <li>checkRevocation attribute (off, entityOnly, fullChain)
+ * <li>policyMappingInhibit attribute (boolean)
+ * <li>anyPolicyInhibit attribute (boolean)
+ * <li>&t;PathValidator> element (zero or more)
+ * <li><TrustedName> element (zero or more)
+ * <li><PolicyOID> element (zero or more)
* </ul>
*
- * XML namespaces are ignored in the processing of this content.
- *
* @param e DOM to supply configuration for provider
*/
- AbstractPKIXTrustEngine(const DOMElement* e=NULL) : OpenSSLTrustEngine(e) {}
-
+ AbstractPKIXTrustEngine(const xercesc::DOMElement* e=nullptr);
+
+ /** Plugins used to perform path validation. */
+ boost::ptr_vector<OpenSSLPathValidator> m_pathValidators;
+
+ /** Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain". */
+ std::string m_checkRevocation;
+
+ /** Deprecated option, equivalent to checkRevocation="fullChain". */
+ bool m_fullCRLChain;
+
+ /** Disable policy mapping when applying PKIX policy checking. */
+ bool m_policyMappingInhibit;
+
+ /** Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking. */
+ bool m_anyPolicyInhibit;
+
+ /** A list of acceptable policy OIDs (explicit policy checking). */
+ std::set<std::string> m_policyOIDs;
+
+ /** A list of trusted names (subject DNs / CN attributes / subjectAltName entries). */
+ std::set<std::string> m_trustedNames;
+
/**
* Checks that either the name of the peer with the given credentials or the names
* of the credentials match the subject or subject alternate names of the certificate.
+ * Alternatively explicit trusted names can be supplied statically via configuration.
*
* @param certEE the credential for the entity to validate
- * @param credResolver source of credentials
+ * @param credResolver source of trusted credentials
* @param criteria criteria for selecting credentials, including the peer name
*
* @return true the name check succeeds, false if not
*/
bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const;
-
+
public:
- virtual ~AbstractPKIXTrustEngine() {}
+ virtual ~AbstractPKIXTrustEngine();
- virtual bool validate(
+ bool validate(
xmlsignature::Signature& sig,
const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
+ CredentialCriteria* criteria=nullptr
) const;
- virtual bool validate(
+ bool validate(
const XMLCh* sigAlgorithm,
const char* sig,
xmlsignature::KeyInfo* keyInfo,
const char* in,
unsigned int in_len,
const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
+ CredentialCriteria* criteria=nullptr
) const;
- virtual bool validate(
+ bool validate(
XSECCryptoX509* certEE,
const std::vector<XSECCryptoX509*>& certChain,
const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
+ CredentialCriteria* criteria=nullptr
) const;
- virtual bool validate(
+ bool validate(
X509* certEE,
STACK_OF(X509)* certChain,
const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
+ CredentialCriteria* criteria=nullptr
) const;
/**
class XMLTOOL_API PKIXValidationInfoIterator {
MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
protected:
- PKIXValidationInfoIterator() {}
+ PKIXValidationInfoIterator();
public:
- virtual ~PKIXValidationInfoIterator() {}
+ virtual ~PKIXValidationInfoIterator();
/**
* Advances to the next set of information, if any.
*
* @param pkixSource the peer for which validation rules are required
* @param criteria criteria for selecting validation rules
- * @param keyInfoResolver custom KeyInfoResolver to use for KeyInfo extraction
* @return interface for obtaining validation data
*/
virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
- const CredentialResolver& pkixSource,
- CredentialCriteria* criteria=NULL,
- const KeyInfoResolver* keyInfoResolver=NULL
+ const CredentialResolver& pkixSource, CredentialCriteria* criteria=nullptr
) const=0;
+
+ private:
+ bool validateWithCRLs(
+ X509* certEE,
+ STACK_OF(X509)* certChain,
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=nullptr,
+ const std::vector<XSECCryptoX509CRL*>* inlineCRLs=nullptr
+ ) const;
+
+ friend class XMLTOOL_DLLLOCAL PKIXParams;
};
};