X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2FAbstractPKIXTrustEngine.h;h=43bc661a512545c495620c251a79eb443cc1d541;hb=a0d768778a8f5f539b909baf5b115e70ea765f0f;hp=a1f77e2cc607e2d4a306c73d364e49762fa24be9;hpb=fbb50076025b3885017ebae06b5e67af42303e96;p=shibboleth%2Fcpp-xmltooling.git

diff --git a/xmltooling/security/AbstractPKIXTrustEngine.h b/xmltooling/security/AbstractPKIXTrustEngine.h
index a1f77e2..43bc661 100644
--- a/xmltooling/security/AbstractPKIXTrustEngine.h
+++ b/xmltooling/security/AbstractPKIXTrustEngine.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2010 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,15 +25,17 @@
 #define __xmltooling_pkixtrust_h__
 
 #include <xmltooling/security/OpenSSLTrustEngine.h>
-#include <xmltooling/security/XSECCryptoX509CRL.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
 
 namespace xmltooling {
 
+    class XMLTOOL_API XSECCryptoX509CRL;
+
     /**
      * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
      * to perform PKIX validation of signatures and credentials.
      */
-    class XMLTOOL_API AbstractPKIXTrustEngine : public OpenSSLTrustEngine
+    class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
     {
     protected:
         /**
@@ -42,6 +44,7 @@ namespace xmltooling {
          * If a DOM is supplied, the following XML content is supported:
          * 
          * <ul>
+         *  <li>fullCRLChain boolean attribute
          *  <li>&lt;KeyInfoResolver&gt; elements with a type attribute
          * </ul>
          * 
@@ -49,7 +52,10 @@ namespace xmltooling {
          * 
          * @param e DOM to supply configuration for provider
          */
-        AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : OpenSSLTrustEngine(e) {}
+        AbstractPKIXTrustEngine(const xercesc::DOMElement* e=nullptr);
+
+        /** Flag controls whether every issuer in the trust path must have a CRL loaded. */
+        bool m_fullCRLChain;
         
         /**
          * Checks that either the name of the peer with the given credentials or the names
@@ -62,14 +68,14 @@ namespace xmltooling {
          * @return true the name check succeeds, false if not
          */
         bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const;
-        
+
     public:
-        virtual ~AbstractPKIXTrustEngine() {}
+        virtual ~AbstractPKIXTrustEngine();
 
         bool validate(
             xmlsignature::Signature& sig,
             const CredentialResolver& credResolver,
-            CredentialCriteria* criteria=NULL
+            CredentialCriteria* criteria=nullptr
             ) const;
 
         bool validate(
@@ -79,21 +85,21 @@ namespace xmltooling {
             const char* in,
             unsigned int in_len,
             const CredentialResolver& credResolver,
-            CredentialCriteria* criteria=NULL
+            CredentialCriteria* criteria=nullptr
             ) const;
 
         bool validate(
             XSECCryptoX509* certEE,
             const std::vector<XSECCryptoX509*>& certChain,
             const CredentialResolver& credResolver,
-            CredentialCriteria* criteria=NULL
+            CredentialCriteria* criteria=nullptr
             ) const;
 
         bool validate(
             X509* certEE,
             STACK_OF(X509)* certChain,
             const CredentialResolver& credResolver,
-            CredentialCriteria* criteria=NULL
+            CredentialCriteria* criteria=nullptr
             ) const;
 
         /**
@@ -105,10 +111,10 @@ namespace xmltooling {
         class XMLTOOL_API PKIXValidationInfoIterator {
             MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
         protected:
-            PKIXValidationInfoIterator() {}
+            PKIXValidationInfoIterator();
             
         public:
-            virtual ~PKIXValidationInfoIterator() {}
+            virtual ~PKIXValidationInfoIterator();
             
             /**
              * Advances to the next set of information, if any.
@@ -157,8 +163,17 @@ namespace xmltooling {
          * @return interface for obtaining validation data
          */
         virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
-            const CredentialResolver& pkixSource, CredentialCriteria* criteria=NULL
+            const CredentialResolver& pkixSource, CredentialCriteria* criteria=nullptr
             ) const=0;
+
+    private:
+        bool validateWithCRLs(
+            X509* certEE,
+            STACK_OF(X509)* certChain,
+            const CredentialResolver& credResolver,
+            CredentialCriteria* criteria=nullptr,
+            const std::vector<XSECCryptoX509CRL*>* inlineCRLs=nullptr
+            ) const;
     };
 };