}
};
-void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
+bool ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
{
Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
log.debug("evaluating client certificate authentication policy");
if (!request) {
log.debug("ignoring message, no protocol request available");
- return;
+ return false;
}
else if (!policy.getIssuerMetadata()) {
log.debug("ignoring message, no issuer metadata supplied");
- return;
+ return false;
}
const X509TrustEngine* x509trust;
if (!(x509trust=dynamic_cast<const X509TrustEngine*>(policy.getTrustEngine()))) {
log.debug("ignoring message, no X509TrustEngine supplied");
- return;
+ return false;
}
const std::vector<XSECCryptoX509*>& chain = request->getClientCertificates();
if (chain.empty()) {
log.debug("ignoring message, no client certificates in request");
- return;
+ return false;
}
if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true,
policy.getMetadataProvider()->getKeyResolver())) {
log.error("unable to verify certificate chain with supplied trust engine");
- return;
+ return false;
}
log.debug("client certificate verified against message issuer");
+ return true;
}
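Review bot: The failed trust-engine check at the `x509trust->validate(...)` call now returns `false` exactly like the four "ignoring message" paths above it, so a caller sees a presented-but-untrusted client certificate as indistinguishable from no certificate at all, even though the code itself treats it as an error (`log.error`) rather than a non-applicable rule. If the policy framework distinguishes "rule did not apply" from "rule failed" by throwing on hard failures, the validation failure branch should raise that failure instead of returning `false`; if it does not, the return contract should at least be documented on the signature, e.g. `// Returns true only when the presented chain was verified against the issuer's metadata; false means the rule could not be applied.` Separately, `policy.getMetadataProvider()` is dereferenced on the next line without the null check the other inputs get — presumably it is guaranteed non-null whenever issuer metadata exists, but that is not visible here and is worth confirming. The `@@` header and any leading context of this hunk are outside the visible range.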