X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2FTrustEngine.h;h=c39744131eedfe5ecebd1d1ce19fd1b1cf7da7e9;hb=81b488b2790e7bdeb2f43560b1d4a7d22c3dfdf5;hp=cf4c257e04c41121cedd30b9acc5372bf6115075;hpb=6505807a62569ce65803b448b07a6872c6af2512;p=shibboleth%2Fcpp-xmltooling.git
diff --git a/xmltooling/security/TrustEngine.h b/xmltooling/security/TrustEngine.h
index cf4c257..c397441 100644
--- a/xmltooling/security/TrustEngine.h
+++ b/xmltooling/security/TrustEngine.h
@@ -1,23 +1,27 @@ -/* - * Copyright 2001-2007 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. + * + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** * @file xmltooling/security/TrustEngine.h * - * Evaluates the trustworthiness and validity of signatures against + * Evaluates the trustworthiness and validity of security information against * implementation-specific requirements. */ 
@@ -25,20 +29,14 @@ #define __xmltooling_trust_h__ #include - -namespace xmlsignature { - class XMLTOOL_API KeyInfo; - class XMLTOOL_API Signature; -}; +#include namespace xmltooling { - class XMLTOOL_API CredentialCriteria; - class XMLTOOL_API CredentialResolver; class XMLTOOL_API KeyInfoResolver; /** - * Evaluates the trustworthiness and validity of XML or raw Signatures against + * Evaluates the trustworthiness and validity of security information against * implementation-specific requirements. */ class XMLTOOL_API TrustEngine { @@ -57,7 +55,7 @@ namespace xmltooling { * * @param e DOM to supply configuration for provider */ - TrustEngine(const DOMElement* e=NULL); + TrustEngine(const xercesc::DOMElement* e=nullptr); /** Custom KeyInfoResolver instance. */ KeyInfoResolver* m_keyInfoResolver; @@ -73,66 +71,6 @@ namespace xmltooling { * @param keyInfoResolver new KeyInfoResolver instance to use */ void setKeyInfoResolver(KeyInfoResolver* keyInfoResolver); - - /** - * Determines whether an XML signature is correct and valid with respect to - * the source of credentials supplied. - * - *
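Review bot: The rewritten class comment above `class XMLTOOL_API TrustEngine` still says the class evaluates trustworthiness, but later in this same commit both `validate()` overloads are removed from it, so as far as this diff shows the base class carries only the KeyInfoResolver plumbing. The comment should say where validation is now declared and that a bare `TrustEngine` cannot validate anything, for example `Base class for trust evaluation plugins; validation methods are declared by derived interfaces, and a caller that cannot obtain the interface it needs must treat the input as untrusted.` The removed documentation also carried two caveats (the application must ensure the supplied credentials belong to the peer, and an accompanying KeyInfo is advisory rather than trusted) that should be confirmed to survive on whichever interface now declares `validate()`; that interface is not visible here. The class body continues outside the hunk.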
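Review bot: The constructor `TrustEngine(const xercesc::DOMElement* e=nullptr);` is callable with one argument and is not marked `explicit`, so a `DOMElement*` can convert implicitly to a `TrustEngine` wherever the constructor is accessible. With the pure virtual `validate()` overloads removed in the following hunk, nothing visible in this diff keeps the class abstract, so I would write `explicit TrustEngine(const xercesc::DOMElement* e=nullptr);` unless the access specifier, which is outside the hunk, already rules this out. The context line `KeyInfoResolver* m_keyInfoResolver;` is a raw pointer and its visible comment does not say who frees it; stating the ownership contract there and on `setKeyInfoResolver` would make lifetime errors easier to spot in derived engines.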

It is the responsibility of the application to ensure that the credentials - * supplied are in fact associated with the peer who created the signature. - * - *

If criteria with a peer name are supplied, the "name" of the Credential that verifies - * the signature may also be checked to ensure that it identifies the intended peer. - * The peer name itself or implementation-specific rules based on the content of the - * peer credentials may be applied. Implementations may omit this check if they - * deem it unnecessary. - * - * @param sig reference to a signature object to validate - * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine - * @param criteria criteria for selecting peer credentials - * @return true iff the signature validates - */ - virtual bool validate( - xmlsignature::Signature& sig, - const CredentialResolver& credResolver, - CredentialCriteria* criteria=NULL - ) const=0; - - /** - * Determines whether a raw signature is correct and valid with respect to - * the source of credentials supplied. - * - *

It is the responsibility of the application to ensure that the Credentials - * supplied are in fact associated with the peer who created the signature. - * - *

If criteria with a peer name are supplied, the "name" of the Credential that verifies - * the signature may also be checked to ensure that it identifies the intended peer. - * The peer name itself or implementation-specific rules based on the content of the - * peer credentials may be applied. Implementations may omit this check if they - * deem it unnecessary. - * - *

Note that the keyInfo parameter is not part of the implicitly trusted - * set of information supplied via the CredentialResolver, but rather advisory - * data that may have accompanied the signature itself. - * - * @param sigAlgorithm XML Signature identifier for the algorithm used - * @param sig null-terminated base64-encoded signature value - * @param keyInfo KeyInfo object accompanying the signature, if any - * @param in the input data over which the signature was created - * @param in_len size of input data in bytes - * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine - * @param criteria criteria for selecting peer credentials - * @return true iff the signature validates - */ - virtual bool validate( - const XMLCh* sigAlgorithm, - const char* sig, - xmlsignature::KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const CredentialResolver& credResolver, - CredentialCriteria* criteria=NULL - ) const=0; }; /** @@ -142,7 +80,10 @@ namespace xmltooling { /** TrustEngine based on explicit knowledge of peer key information. */ #define EXPLICIT_KEY_TRUSTENGINE "ExplicitKey" - + + /** TrustEngine based on PKIX evaluation against a static set of trust anchors. */ + #define STATIC_PKIX_TRUSTENGINE "StaticPKIX" + /** TrustEngine that tries multiple engines in sequence. */ #define CHAINING_TRUSTENGINE "Chaining"
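Review bot: The comment added for `STATIC_PKIX_TRUSTENGINE` says the trust anchors are static but not what that implies for rotation or revocation, which is what a deployer choosing between this and `EXPLICIT_KEY_TRUSTENGINE` needs to know. The implementation is not visible in this hunk, so this is a request for documentation rather than a claim about behaviour. If the anchors (and any CRLs) are read once from configuration, the comment could read `/** TrustEngine based on PKIX evaluation against a static, configuration-supplied set of trust anchors; the set is not refreshed at runtime. */`. If the engine behaves differently, the comment should describe that instead.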