/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#define __xmltooling_pkixtrust_h__
#include <xmltooling/security/OpenSSLTrustEngine.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
#include <xmltooling/security/XSECCryptoX509CRL.h>
namespace xmltooling {
* A trust engine that uses X.509 trust anchors and CRLs associated with a peer
* to perform PKIX validation of signatures and credentials.
*/
- class XMLTOOL_API AbstractPKIXTrustEngine : public OpenSSLTrustEngine
+ class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
{
protected:
/**
* If a DOM is supplied, the following XML content is supported:
*
* <ul>
+ * <li>fullCRLChain boolean attribute
* <li><KeyInfoResolver> elements with a type attribute
* </ul>
*
*
* @param e DOM to supply configuration for provider
*/
- AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : OpenSSLTrustEngine(e) {}
+ AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL);
+
+ /** Flag controls whether every issuer in the trust path must have a CRL loaded. */
+ bool m_fullCRLChain;
/**
* Checks that either the name of the peer with the given credentials or the names
* @return true the name check succeeds, false if not
*/
bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const;
-
+
public:
virtual ~AbstractPKIXTrustEngine() {}
virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
const CredentialResolver& pkixSource, CredentialCriteria* criteria=NULL
) const=0;
+
+ private:
+ bool validateWithCRLs(
+ X509* certEE,
+ STACK_OF(X509)* certChain,
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL,
+ const std::vector<XSECCryptoX509CRL*>* inlineCRLs=NULL
+ ) const;
};
};
projects / shibboleth / cpp-xmltooling.git / blobdiff