Reducing header overuse, non-inlining selected methods (CPPOST-35).

[shibboleth/cpp-xmltooling.git] / xmltooling / security / AbstractPKIXTrustEngine.h
diff --git a/xmltooling/security/AbstractPKIXTrustEngine.h b/xmltooling/security/AbstractPKIXTrustEngine.h

index a1f77e2..5d1a0d8 100644 (file)
--- a/xmltooling/security/AbstractPKIXTrustEngine.h
+++ b/xmltooling/security/AbstractPKIXTrustEngine.h
@@ -1,5 +1,5 @@
  /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
   * 
   * Licensed under the Apache License, Version 2.0 (the "License");
   * you may not use this file except in compliance with the License.
@@ -25,15 +25,17 @@
  #define __xmltooling_pkixtrust_h__
  
  #include <xmltooling/security/OpenSSLTrustEngine.h>
-#include <xmltooling/security/XSECCryptoX509CRL.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
  
  namespace xmltooling {
  
+    class XMLTOOL_API XSECCryptoX509CRL;
+
      /**
       * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
       * to perform PKIX validation of signatures and credentials.
       */
-    class XMLTOOL_API AbstractPKIXTrustEngine : public OpenSSLTrustEngine
+    class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
      {
      protected:
          /**
@@ -42,6 +44,7 @@ namespace xmltooling {
           * If a DOM is supplied, the following XML content is supported:
           * 
           * <ul>
+         *  <li>fullCRLChain boolean attribute
           *  <li>&lt;KeyInfoResolver&gt; elements with a type attribute
           * </ul>
           * 
@@ -49,7 +52,10 @@ namespace xmltooling {
           * 
           * @param e DOM to supply configuration for provider
           */
-        AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : OpenSSLTrustEngine(e) {}
+        AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL);
+
+        /** Flag controls whether every issuer in the trust path must have a CRL loaded. */
+        bool m_fullCRLChain;
          
          /**
           * Checks that either the name of the peer with the given credentials or the names
@@ -62,9 +68,9 @@ namespace xmltooling {
           * @return true the name check succeeds, false if not
           */
          bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const;
-        
+
      public:
-        virtual ~AbstractPKIXTrustEngine() {}
+        virtual ~AbstractPKIXTrustEngine();
  
          bool validate(
              xmlsignature::Signature& sig,
@@ -105,10 +111,10 @@ namespace xmltooling {
          class XMLTOOL_API PKIXValidationInfoIterator {
              MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
          protected:
-            PKIXValidationInfoIterator() {}
+            PKIXValidationInfoIterator();
              
          public:
-            virtual ~PKIXValidationInfoIterator() {}
+            virtual ~PKIXValidationInfoIterator();
              
              /**
               * Advances to the next set of information, if any.
@@ -159,6 +165,15 @@ namespace xmltooling {
          virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
              const CredentialResolver& pkixSource, CredentialCriteria* criteria=NULL
              ) const=0;
+
+    private:
+        bool validateWithCRLs(
+            X509* certEE,
+            STACK_OF(X509)* certChain,
+            const CredentialResolver& credResolver,
+            CredentialCriteria* criteria=NULL,
+            const std::vector<XSECCryptoX509CRL*>* inlineCRLs=NULL
+            ) const;
      };
  };