/*
- * Copyright 2001-2006 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
/**
* @file xmltooling/security/AbstractPKIXTrustEngine.h
*
- * A trust engine that uses X.509 trust anchors and CRLs associated with a KeyInfoSource
- * to perform PKIX validation of signatures and certificates.
+ * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
+ * to perform PKIX validation of signatures and credentials.
*/
#if !defined(__xmltooling_pkixtrust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
#define __xmltooling_pkixtrust_h__
#include <xmltooling/security/OpenSSLTrustEngine.h>
-#include <xmltooling/security/XSECCryptoX509CRL.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
namespace xmltooling {
+ class XMLTOOL_API XSECCryptoX509CRL;
+
/**
- * A trust engine that uses X.509 trust anchors and CRLs associated with a KeyInfoSource
- * to perform PKIX validation of signatures and certificates.
+ * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
+ * to perform PKIX validation of signatures and credentials.
*/
- class XMLTOOL_API AbstractPKIXTrustEngine : public OpenSSLTrustEngine
+ class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
{
protected:
/**
* If a DOM is supplied, the following XML content is supported:
*
* <ul>
- * <li><KeyResolver> elements with a type attribute
+ * <li>fullCRLChain boolean attribute
+ * <li><KeyInfoResolver> elements with a type attribute
* </ul>
*
* XML namespaces are ignored in the processing of this content.
*
* @param e DOM to supply configuration for provider
*/
- AbstractPKIXTrustEngine(const DOMElement* e=NULL);
+ AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL);
+
+ /** Flag controls whether every issuer in the trust path must have a CRL loaded. */
+ bool m_fullCRLChain;
/**
- * Checks that either the ID for the entity with the given role or the key names
- * for the given role match the subject or subject alternate names
- * of the entity's certificate.
+ * Checks that either the name of the peer with the given credentials or the names
+ * of the credentials match the subject or subject alternate names of the certificate.
*
* @param certEE the credential for the entity to validate
- * @param keyInfoSource supplies KeyInfo objects to the TrustEngine
+ * @param credResolver source of credentials
+ * @param criteria criteria for selecting credentials, including the peer name
*
* @return true the name check succeeds, false if not
*/
- bool checkEntityNames(X509* certEE, const KeyInfoSource& keyInfoSource) const;
-
- /** An inline KeyResolver for extracting certificates out of a signature. */
- xmlsignature::KeyResolver* m_inlineResolver;
-
+ bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const;
+
public:
virtual ~AbstractPKIXTrustEngine();
- virtual bool validate(
+ bool validate(
xmlsignature::Signature& sig,
- const KeyInfoSource& keyInfoSource,
- const xmlsignature::KeyResolver* keyResolver=NULL
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL
) const;
- virtual bool validate(
+ bool validate(
const XMLCh* sigAlgorithm,
const char* sig,
xmlsignature::KeyInfo* keyInfo,
const char* in,
unsigned int in_len,
- const KeyInfoSource& keyInfoSource,
- const xmlsignature::KeyResolver* keyResolver=NULL
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL
) const;
- virtual bool validate(
+ bool validate(
XSECCryptoX509* certEE,
const std::vector<XSECCryptoX509*>& certChain,
- const KeyInfoSource& keyInfoSource,
- bool checkName=true,
- const xmlsignature::KeyResolver* keyResolver=NULL
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL
) const;
- virtual bool validate(
+ bool validate(
X509* certEE,
STACK_OF(X509)* certChain,
- const KeyInfoSource& keyInfoSource,
- bool checkName=true,
- const xmlsignature::KeyResolver* keyResolver=NULL
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL
) const;
/**
class XMLTOOL_API PKIXValidationInfoIterator {
MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
protected:
- PKIXValidationInfoIterator() {}
+ PKIXValidationInfoIterator();
+
public:
- virtual ~PKIXValidationInfoIterator() {}
+ virtual ~PKIXValidationInfoIterator();
/**
* Advances to the next set of information, if any.
};
/**
- * Provides access to the information necessary, for the given key source, for
+ * Provides access to the information necessary, for the given credential source, for
* PKIX validation of credentials. Each set of validation information returned
* will be tried, in turn, until one succeeds or no more remain.
* The caller must free the returned interface when finished with it.
*
- * @return interface for obtaining validation data
+ * @param pkixSource the peer for which validation rules are required
+ * @param criteria criteria for selecting validation rules
+ * @return interface for obtaining validation data
*/
- virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const KeyInfoSource& pkixSource) const=0;
+ virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
+ const CredentialResolver& pkixSource, CredentialCriteria* criteria=NULL
+ ) const=0;
+
+ private:
+ bool validateWithCRLs(
+ X509* certEE,
+ STACK_OF(X509)* certChain,
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL,
+ const std::vector<XSECCryptoX509CRL*>* inlineCRLs=NULL
+ ) const;
};
};