PKIX TrustEngine.

[shibboleth/cpp-opensaml.git] / saml / security / AbstractPKIXTrustEngine.h

/*\r
 *  Copyright 2001-2006 Internet2\r
 * \r
 * Licensed under the Apache License, Version 2.0 (the "License");\r
 * you may not use this file except in compliance with the License.\r
 * You may obtain a copy of the License at\r
 *\r
 *     http://www.apache.org/licenses/LICENSE-2.0\r
 *\r
 * Unless required by applicable law or agreed to in writing, software\r
 * distributed under the License is distributed on an "AS IS" BASIS,\r
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 * See the License for the specific language governing permissions and\r
 * limitations under the License.\r
 */\r
\r
/**\r
 * @file saml/security/AbstractPKIXTrustEngine.h\r
 * \r
 * A trust engine that uses X.509 trust anchors and CRLs associated with a role\r
 * to perform PKIX validation of signatures and certificates.\r
 */\r
\r
#ifndef __saml_pkixtrust_h__\r
#define __saml_pkixtrust_h__\r
\r
#include <saml/security/X509TrustEngine.h>\r
#include <xmltooling/security/XSECCryptoX509CRL.h>\r
\r
namespace opensaml {\r
\r
    /**\r
     * A trust engine that uses X.509 trust anchors and CRLs associated with a role\r
     * to perform PKIX validation of signatures and certificates.\r
     */\r
    class SAML_API AbstractPKIXTrustEngine : public X509TrustEngine\r
    {\r
    protected:\r
        /**\r
         * Constructor.\r
         * \r
         * If a DOM is supplied, the following XML content is supported:\r
         * \r
         * <ul>\r
         *  <li>&lt;KeyResolver&gt; elements with a type attribute\r
         * </ul>\r
         * \r
         * XML namespaces are ignored in the processing of this content.\r
         * \r
         * @param e DOM to supply configuration for provider\r
         */\r
        AbstractPKIXTrustEngine(const DOMElement* e=NULL);\r
        \r
        /**\r
         * Checks that either the ID for the entity with the given role or the key names\r
         * for the given role match the subject or subject alternate names\r
         * of the entity's certificate.\r
         * \r
         * @param certEE    the credential for the entity to validate\r
         * @param role      the descriptor of the role the entity is supposed to be acting in\r
         * \r
         * @return true the name check succeeds, false if not\r
         */\r
        bool checkEntityNames(XSECCryptoX509* certEE, const saml2md::RoleDescriptor& role) const;\r
        \r
        /** An inline KeyResolver for extracting certificates out of a signature. */\r
        xmlsignature::KeyResolver* m_inlineResolver;\r
        \r
    public:\r
        virtual ~AbstractPKIXTrustEngine();\r
\r
        virtual bool validate(\r
            xmlsignature::Signature& sig,\r
            const saml2md::RoleDescriptor& role,\r
            const xmlsignature::KeyResolver* keyResolver=NULL\r
            );\r
\r
        virtual bool validate(\r
            XSECCryptoX509* certEE,\r
            const std::vector<XSECCryptoX509*>& certChain,\r
            const saml2md::RoleDescriptor& role,\r
            bool checkName=true,\r
            const xmlsignature::KeyResolver* keyResolver=NULL\r
            );\r
\r
        /**\r
         * Stateful interface that supplies PKIX validation data to the trust engine.\r
         * Applications can adapt this TrustEngine to their environment by returning\r
         * implementations of this interface from the getPKIXValidationInfoIterator\r
         * method.\r
         */\r
        class SAML_API PKIXValidationInfoIterator {\r
            MAKE_NONCOPYABLE(PKIXValidationInfoIterator);\r
        protected:\r
            PKIXValidationInfoIterator() {}\r
        public:\r
            virtual ~PKIXValidationInfoIterator() {}\r
            \r
            /**\r
             * Advances to the next set of information, if any.\r
             * \r
             * @return true iff another set of information is available\r
             */\r
            virtual bool next()=0;\r
            \r
            /**\r
             * Returns the allowable trust chain verification depth for the\r
             * validation data in the current position.\r
             * \r
             * @return  allowable trust chain verification depth\r
             */\r
            virtual int getVerificationDepth() const=0;\r
            \r
            /**\r
             * Returns the set of trust anchors for the validation data in the\r
             * current position. Keeping the certificates beyond the lifetime\r
             * of the iterator or after advancing to the next position requires\r
             * copying them.\r
             * \r
             * @return  set of trust anchors\r
             */\r
            virtual const std::vector<XSECCryptoX509*>& getTrustAnchors() const=0;\r
\r
            /**\r
             * Returns the set of CRLs for the validation data in the\r
             * current position. Keeping the CRLs beyond the lifetime\r
             * of the iterator or after advancing to the next position requires\r
             * copying them.\r
             * \r
             * @return  set of CRLs\r
             */\r
            virtual const std::vector<xmltooling::XSECCryptoX509CRL*>& getCRLs() const=0;\r
        };\r
        \r
        /**\r
         * Provides access to the information necessary, for the given role, for\r
         * PKIX validation of credentials. Each set of validation information returned\r
         * will be tried, in turn, until one succeeds or no more remain.\r
         * The caller must free the returned interface when finished with it.\r
         * \r
         * @return interface for obtaining validation data  \r
         */\r
        virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const saml2md::RoleDescriptor& role) const=0;\r
    };\r
};\r
\r
#endif /* __saml_pkixtrust_h__ */\r