-/*
- * Copyright 2001-2007 Internet2
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+/**
+ * Licensed to the University Corporation for Advanced Internet
+ * Development, Inc. (UCAID) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for
+ * additional information regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the
+ * License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific
+ * language governing permissions and limitations under the License.
*/
/**
/**
* Constructor.
*
- * If a DOM is supplied, the following XML content is supported:
- *
- * <ul>
- * <li><KeyResolver> elements with a type attribute
- * </ul>
- *
- * XML namespaces are ignored in the processing of this content.
- *
* @param e DOM to supply configuration for provider
*/
- OpenSSLTrustEngine(const DOMElement* e=NULL) : X509TrustEngine(e) {}
+ OpenSSLTrustEngine(const xercesc::DOMElement* e=nullptr);
public:
- virtual ~OpenSSLTrustEngine() {}
-
+ virtual ~OpenSSLTrustEngine();
+
+ using X509TrustEngine::validate;
+
/**
* Determines whether an X.509 credential is valid with respect to the
- * source of KeyInfo data supplied. It is the responsibility of the
- * application to ensure that the KeyInfo information supplied is in fact
- * associated with the peer who presented the credential.
+ * source of credentials supplied.
+ *
+ * <p>It is the responsibility of the application to ensure that the credentials
+ * supplied are in fact associated with the peer who presented the credential.
*
- * A custom KeyResolver can be supplied from outside the TrustEngine.
- * Alternatively, one may be specified to the plugin constructor.
- * A non-caching, inline resolver will be used as a fallback.
+ * <p>If criteria with a peer name are supplied, the "name" of the EE certificate
+ * may also be checked to ensure that it identifies the intended peer.
+ * The peer name itself or implementation-specific rules based on the content of the
+ * peer credentials may be applied. Implementations may omit this check if they
+ * deem it unnecessary.
*
* @param certEE end-entity certificate to validate
- * @param certChain stack of certificates presented for validation (includes certEE)
- * @param keyInfoSource supplies KeyInfo objects to the TrustEngine
- * @param checkName true iff certificate subject/name checking has <b>NOT</b> already occurred
- * @param keyResolver optional externally supplied KeyResolver, or NULL
+ * @param certChain the complete set of certificates presented for validation (includes certEE)
+ * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
+ * @param criteria criteria for selecting peer credentials
*/
virtual bool validate(
- X509* certEE,
- STACK_OF(X509)* certChain,
- const KeyInfoSource& keyInfoSource,
- bool checkName=true,
- const xmlsignature::KeyResolver* keyResolver=NULL
+ X509* certEE, STACK_OF(X509)* certChain,
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=nullptr
) const=0;
};
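Review bot: The new `validate` declaration defaults `criteria` to `nullptr`, whereas the removed one defaulted `checkName` to `true`, so a caller passing only the first three arguments now appears to get no peer-name check, where it previously got one by default. The doc comment ties the name check to "criteria with a peer name" and lets implementations omit it, but never states what happens when `criteria` is null. I would extend the parameter line to `@param criteria criteria for selecting peer credentials; if nullptr or without a peer name, no name check is performed and the caller must bind certEE to the intended peer itself`. It should also say whether the call may modify the non-const `criteria`, and that the caller must hold the lock on `credResolver` for the duration of the call. The class declaration starts outside the visible lines, so this is based on the method declaration alone and the implementations should be checked.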