X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2Fimpl%2FAbstractPKIXTrustEngine.cpp;h=b98ce39d60f5c9ca119cc2ee5b83d813165ecfa7;hb=64dcaec957e9befd960779498d7fe35bbb62141a;hp=a891f7d70f24d828ae2574a29231fa5dbe02f41e;hpb=6505807a62569ce65803b448b07a6872c6af2512;p=shibboleth%2Fcpp-xmltooling.git diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp index a891f7d..b98ce39 100644 --- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp +++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp @@ -22,10 +22,10 @@ */ #include "internal.h" +#include "logging.h" #include "security/AbstractPKIXTrustEngine.h" #include "signature/KeyInfo.h" -#include #include #include #include @@ -38,8 +38,8 @@ #include using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; -using namespace log4cpp; using namespace std; @@ -140,15 +140,17 @@ bool AbstractPKIXTrustEngine::checkEntityNames( X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria ) const { - Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine"); + Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX"); + // We resolve to a set of trusted credentials. vector creds; credResolver.resolve(creds,&criteria); // Build a list of acceptable names. - vector keynames(1,criteria.getPeerName()); + set trustednames; + trustednames.insert(criteria.getPeerName()); for (vector::const_iterator cred = creds.begin(); cred!=creds.end(); ++cred) - (*cred)->getKeyNames(keynames); + trustednames.insert((*cred)->getKeyNames().begin(), (*cred)->getKeyNames().end()); char buf[256]; X509_NAME* subject=X509_get_subject_name(certEE); @@ -177,7 +179,7 @@ bool AbstractPKIXTrustEngine::checkEntityNames( } // Check each keyname. - for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { + for (set::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) { #ifdef HAVE_STRCASECMP if (!strcasecmp(n->c_str(),subjectstr.c_str()) || !strcasecmp(n->c_str(),subjectstr2.c_str())) { #else @@ -201,8 +203,7 @@ bool AbstractPKIXTrustEngine::checkEntityNames( if (check->type==GEN_DNS || check->type==GEN_URI) { const char* altptr = (char*)ASN1_STRING_data(check->d.ia5); const int altlen = ASN1_STRING_length(check->d.ia5); - - for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { + for (set::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) { #ifdef HAVE_STRCASECMP if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen)) #else @@ -222,7 +223,7 @@ bool AbstractPKIXTrustEngine::checkEntityNames( log.debug("unable to match subjectAltName, trying TLS CN match"); memset(buf,0,sizeof(buf)); if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0) { - for (vector::const_iterator n=keynames.begin(); n!=keynames.end(); n++) { + for (set::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) { #ifdef HAVE_STRCASECMP if (!strcasecmp(buf,n->c_str())) { #else @@ -252,7 +253,7 @@ bool AbstractPKIXTrustEngine::validate( #ifdef _DEBUG NDC ndc("validate"); #endif - Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine"); + Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX"); if (!certEE) { log.error("X.509 credential was NULL, unable to perform validation"); @@ -271,7 +272,7 @@ bool AbstractPKIXTrustEngine::validate( log.debug("performing certificate path validation..."); - auto_ptr pkix(getPKIXValidationInfoIterator(credResolver, criteria, m_keyInfoResolver)); + auto_ptr pkix(getPKIXValidationInfoIterator(credResolver, criteria)); while (pkix->next()) { if (::validate(certEE,certChain,pkix.get())) { return true; @@ -293,11 +294,11 @@ bool AbstractPKIXTrustEngine::validate( NDC ndc("validate"); #endif if (!certEE) { - Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("X.509 credential was NULL, unable to perform validation"); + Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").error("X.509 credential was NULL, unable to perform validation"); return false; } else if (certEE->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) { - Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("only the OpenSSL XSEC provider is supported"); + Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").error("only the OpenSSL XSEC provider is supported"); return false; } @@ -319,7 +320,7 @@ bool AbstractPKIXTrustEngine::validate( #ifdef _DEBUG NDC ndc("validate"); #endif - Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine"); + Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX"); const KeyInfoResolver* inlineResolver = m_keyInfoResolver; if (!inlineResolver) @@ -381,7 +382,7 @@ bool AbstractPKIXTrustEngine::validate( #ifdef _DEBUG NDC ndc("validate"); #endif - Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine"); + Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX"); if (!keyInfo) { log.error("unable to perform PKIX validation, KeyInfo not present");