X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2FX509TrustEngine.h;h=f386602c6a9ddfe81fc5e9b2f5be52ba2d8fe7ad;hb=HEAD;hp=6387baf6f2a9e1aec3092235f77eaf03db2dc354;hpb=085daff2d0c1d078f006f23808b4092130110eb9;p=shibboleth%2Fcpp-xmltooling.git
diff --git a/xmltooling/security/X509TrustEngine.h b/xmltooling/security/X509TrustEngine.h
index 6387baf..f386602 100644
--- a/xmltooling/security/X509TrustEngine.h
+++ b/xmltooling/security/X509TrustEngine.h
@@ -1,23 +1,27 @@ -/* - * Copyright 2001-2007 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. + * + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** * @file xmltooling/security/X509TrustEngine.h * - * Extended TrustEngine interface that adds validation of X.509 credentials. + * TrustEngine interface that adds validation of X.509 credentials. */ #if !defined(__xmltooling_x509trust_h__) && !defined(XMLTOOLING_NO_XMLSEC) 
@@ -25,53 +29,53 @@ #include +#include + +class XSECCryptoX509; + namespace xmltooling { + class XMLTOOL_API CredentialCriteria; + class XMLTOOL_API CredentialResolver; + /** - * Extended TrustEngine interface that adds validation of X.509 credentials. + * TrustEngine interface that adds validation of X.509 credentials. */ - class XMLTOOL_API X509TrustEngine : public TrustEngine { + class XMLTOOL_API X509TrustEngine : public virtual TrustEngine { protected: /** * Constructor. * - * If a DOM is supplied, the following XML content is supported: - * - * - * - * XML namespaces are ignored in the processing of this content. - * * @param e DOM to supply configuration for provider */ - X509TrustEngine(const DOMElement* e=NULL) : TrustEngine(e) {} + X509TrustEngine(const xercesc::DOMElement* e=nullptr); public: - virtual ~X509TrustEngine() {} - + virtual ~X509TrustEngine(); + /** * Determines whether an X.509 credential is valid with respect to the - * source of KeyInfo data supplied. It is the responsibility of the - * application to ensure that the KeyInfo information supplied is in fact - * associated with the peer who presented the credential. + * source of credentials supplied. + * + *

It is the responsibility of the application to ensure that the credentials + * supplied are in fact associated with the peer who presented the credential. * - * A custom KeyResolver can be supplied from outside the TrustEngine. - * Alternatively, one may be specified to the plugin constructor. - * A non-caching, inline resolver will be used as a fallback. + *

If criteria with a peer name are supplied, the "name" of the EE certificate + * may also be checked to ensure that it identifies the intended peer. + * The peer name itself or implementation-specific rules based on the content of the + * peer credentials may be applied. Implementations may omit this check if they + * deem it unnecessary. * * @param certEE end-entity certificate to validate * @param certChain the complete set of certificates presented for validation (includes certEE) - * @param keyInfoSource supplies KeyInfo objects to the TrustEngine - * @param checkName true iff certificate subject/name checking has NOT already occurred - * @param keyResolver optional externally supplied KeyResolver, or NULL + * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine + * @param criteria criteria for selecting peer credentials */ virtual bool validate( XSECCryptoX509* certEE, const std::vector& certChain, - const KeyInfoSource& keyInfoSource, - bool checkName=true, - const KeyResolver* keyResolver=NULL + const CredentialResolver& credResolver, + CredentialCriteria* criteria=nullptr ) const=0; };
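Review bot: The default for the last argument of `validate()` changes from name checking on (`checkName=true`) to no criteria at all (`criteria=nullptr`), and the new comment does not say what that default means for peer binding. As written, the name check applies only "if criteria with a peer name are supplied", and an implementation may still omit it, so a caller that passes no criteria appears to get chain validation against whatever `credResolver` returns with no check that the end-entity certificate names the intended peer. If that is the intent, state it on the parameter, for example `@param criteria criteria for selecting peer credentials; when null or lacking a peer name, no certificate name check is performed`, and add the missing `@return true iff the certificate is trusted under the supplied credentials`. The comment could also say whether the caller must keep `credResolver` locked for the whole call, and whether `criteria` (now a non-const pointer) may be modified by the implementation. The enclosing namespace continues outside this hunk.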