X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsecurity%2Fimpl%2FChainingTrustEngine.cpp;h=461f022afc3bddf597343febb8ee7c915d09a965;hb=81b488b2790e7bdeb2f43560b1d4a7d22c3dfdf5;hp=361d95cc4896f957e225732c0c43b7bd343b1958;hpb=f37cfd9ac949d9e61b39b3a39251c9f151e24ff0;p=shibboleth%2Fcpp-xmltooling.git
diff --git a/xmltooling/security/impl/ChainingTrustEngine.cpp b/xmltooling/security/impl/ChainingTrustEngine.cpp
index 361d95c..461f022 100644
--- a/xmltooling/security/impl/ChainingTrustEngine.cpp
+++ b/xmltooling/security/impl/ChainingTrustEngine.cpp
@@ -1,35 +1,46 @@ -/* - * Copyright 2001-2005 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. + * + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** * ChainingTrustEngine.cpp * - * TrustEngine that uses multiple engines in sequence. + * OpenSSLTrustEngine that uses multiple engines in sequence. 
*/ #include "internal.h" #include "exceptions.h" +#include "logging.h" #include "security/ChainingTrustEngine.h" +#include "security/CredentialCriteria.h" +#include "util/XMLHelper.h" +#include #include using namespace xmlsignature; +using namespace xmltooling::logging; using namespace xmltooling; using namespace std; +using xercesc::DOMElement; + namespace xmltooling { TrustEngine* XMLTOOL_DLLLOCAL ChainingTrustEngineFactory(const DOMElement* const & e) { 
@@ -37,49 +48,87 @@ namespace xmltooling { } }; -static const XMLCh GenericTrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e); +static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e); static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); -ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : X509TrustEngine(e) { - try { - e = e ? xmltooling::XMLHelper::getFirstChildElement(e, GenericTrustEngine) : NULL; - while (e) { - xmltooling::auto_ptr_char temp(e->getAttributeNS(NULL,type)); - if (temp.get()) { - auto_ptr engine( - XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(temp.get(), e) - ); - X509TrustEngine* x509 = dynamic_cast(engine.get()); - if (x509) { - m_engines.push_back(x509); - engine.release(); - } - else { - throw xmltooling::UnknownExtensionException("Embedded trust engine does not support required interface."); - } +ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : TrustEngine(e) { + Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."CHAINING_TRUSTENGINE); + e = e ? 
XMLHelper::getFirstChildElement(e, _TrustEngine) : nullptr; + while (e) { + try { + string t = XMLHelper::getAttrString(e, nullptr, type); + if (!t.empty()) { + log.info("building TrustEngine of type %s", t.c_str()); + addTrustEngine(XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(t.c_str(), e)); } - e = xmltooling::XMLHelper::getNextSiblingElement(e, GenericTrustEngine); } - } - catch (xmltooling::XMLToolingException&) { - for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup()); - throw; + catch (exception& ex) { + log.error("error building TrustEngine: %s", ex.what()); + } + e = XMLHelper::getNextSiblingElement(e, _TrustEngine); } } ChainingTrustEngine::~ChainingTrustEngine() { - for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup()); + for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup()); } -bool ChainingTrustEngine::validate( - Signature& sig, - const KeyInfoSource& keyInfoSource, - const KeyResolver* keyResolver - ) const +void ChainingTrustEngine::addTrustEngine(TrustEngine* newEngine) +{ + m_engines.push_back(newEngine); + SignatureTrustEngine* sig = dynamic_cast(newEngine); + if (sig) + m_sigEngines.push_back(sig); + X509TrustEngine* x509 = dynamic_cast(newEngine); + if (x509) + m_x509Engines.push_back(x509); + OpenSSLTrustEngine* ossl = dynamic_cast(newEngine); + if (ossl) + m_osslEngines.push_back(ossl); +} + +TrustEngine* ChainingTrustEngine::removeTrustEngine(TrustEngine* oldEngine) +{ + vector::iterator i = find(m_engines.begin(), m_engines.end(), oldEngine); + if (i != m_engines.end()) { + m_engines.erase(i); + + SignatureTrustEngine* sig = dynamic_cast(oldEngine); + if (sig) { + vector::iterator s = find(m_sigEngines.begin(), m_sigEngines.end(), sig); + if (s != m_sigEngines.end()) + m_sigEngines.erase(s); + } + + X509TrustEngine* x509 = dynamic_cast(oldEngine); + if (x509) { + vector::iterator x = find(m_x509Engines.begin(), m_x509Engines.end(), x509); + if (x != m_x509Engines.end()) + 
m_x509Engines.erase(x);
+        }
+
+        OpenSSLTrustEngine* ossl = dynamic_cast(oldEngine);
+        if (ossl) {
+            vector::iterator o = find(m_osslEngines.begin(), m_osslEngines.end(), ossl);
+            if (o != m_osslEngines.end())
+                m_osslEngines.erase(o);
+        }
+
+        return oldEngine;
+    }
+    return nullptr;
+}
+
+bool ChainingTrustEngine::validate(Signature& sig, const CredentialResolver& credResolver, CredentialCriteria* criteria) const
 {
-    for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
-        if (static_cast(*i)->validate(sig,keyInfoSource,keyResolver))
+    unsigned int usage = criteria ? criteria->getUsage() : 0;
+    for (vector::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
+        if ((*i)->validate(sig,credResolver,criteria))
             return true;
+        if (criteria) {
+            criteria->reset();
+            criteria->setUsage(usage);
+        }
     }
     return false;
 }
@@ -90,13 +139,18 @@ bool ChainingTrustEngine::validate(
     KeyInfo* keyInfo,
     const char* in,
     unsigned int in_len,
-    const KeyInfoSource& keyInfoSource,
-    const KeyResolver* keyResolver
+    const CredentialResolver& credResolver,
+    CredentialCriteria* criteria
     ) const
 {
-    for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
-        if (static_cast(*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, keyInfoSource, keyResolver))
+    unsigned int usage = criteria ? criteria->getUsage() : 0;
+    for (vector::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
+        if ((*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, credResolver, criteria))
             return true;
+        if (criteria) {
+            criteria->reset();
+            criteria->setUsage(usage);
+        }
     }
     return false;
 }
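Review bot: The rewritten constructor swallows any exception raised while building an embedded engine (`catch (exception& ex)` around the `addTrustEngine` call) and carries on, whereas the removed code rethrew, so a misspelled plugin type or a rejected engine configuration now yields a chain with fewer engines than configured — possibly none — and the only trace is a log line. Because the chain accepts a credential as soon as any one engine does, a dropped engine removes trust paths rather than adding them, so this fails closed; but an empty chain silently rejects every signature and certificate, which will be diagnosed as a trust failure rather than a configuration error. The error message also cannot name the offending engine because `t` is declared inside the try; I would hoist `string t;` above the try and log `log.error("error building TrustEngine of type %s: %s", t.c_str(), ex.what());`, and warn after the loop when `m_engines.empty()`. Whether continuing or failing fast is the right policy for deployers is a decision the commit should state in a comment on the constructor.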
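Review bot: After an engine rejects, the new `criteria->reset();` followed by `criteria->setUsage(usage);` restores only the usage before the next engine runs, so any other field the caller set on the criteria (peer name, key name, algorithm) survives only if `reset()` leaves it alone, which this hunk does not show. If `reset()` clears those fields, the second and later engines evaluate a weaker criteria than the first — notably a peer-name binding the caller relied on — so this should be confirmed against CredentialCriteria::reset() and, if needed, the whole criteria snapshotted and restored rather than just the usage. Either way the intended contract deserves a comment on the loop, e.g. `// Engines may leave resolver state in criteria; clear it between attempts but keep the caller's usage.` This validate overload's parameter list begins outside the hunk.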
@@ -104,14 +158,37 @@ bool ChainingTrustEngine::validate(
 bool ChainingTrustEngine::validate(
     XSECCryptoX509* certEE,
     const vector& certChain,
-    const KeyInfoSource& keyInfoSource,
-    bool checkName,
-    const KeyResolver* keyResolver
+    const CredentialResolver& credResolver,
+    CredentialCriteria* criteria
     ) const
 {
-    for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
-        if ((*i)->validate(certEE,certChain,keyInfoSource,checkName,keyResolver))
+    unsigned int usage = criteria ? criteria->getUsage() : 0;
+    for (vector::const_iterator i=m_x509Engines.begin(); i!=m_x509Engines.end(); ++i) {
+        if ((*i)->validate(certEE,certChain,credResolver,criteria))
             return true;
+        if (criteria) {
+            criteria->reset();
+            criteria->setUsage(usage);
+        }
+    }
+    return false;
+}
+
+bool ChainingTrustEngine::validate(
+    X509* certEE,
+    STACK_OF(X509)* certChain,
+    const CredentialResolver& credResolver,
+    CredentialCriteria* criteria
+    ) const
+{
+    unsigned int usage = criteria ? criteria->getUsage() : 0;
+    for (vector::const_iterator i=m_osslEngines.begin(); i!=m_osslEngines.end(); ++i) {
+        if ((*i)->validate(certEE,certChain,credResolver,criteria))
+            return true;
+        if (criteria) {
+            criteria->reset();
+            criteria->setUsage(usage);
+        }
     }
     return false;
 }
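Review bot: Neither X.509 overload documents the chain's semantics — the first engine to accept wins, a rejection by one engine is not final, and criteria is reset between attempts — and the removed `bool checkName` parameter leaves no visible statement of where peer-name checking now lives, which a reader of this trust-decision code will want. The reset-and-restore loop body is also copied verbatim into both new functions (and the signature overloads above), so a private helper taking the engine vector and the call would keep the four copies in step when the criteria handling changes. At minimum I would add above each loop a comment like `// First engine to validate wins; between attempts drop any state the previous engine left in criteria, keeping the caller's usage.` and, on the `STACK_OF(X509)*` overload, note that it walks only engines that implement OpenSSLTrustEngine.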