Multi-line svn commit, see body.

[shibboleth/cpp-opensaml.git] / saml / binding / impl / ClientCertAuthRule.cpp

diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp
index c1c3f7d..f736092 100644 (file)
--- a/saml/binding/impl/ClientCertAuthRule.cpp
+++ b/saml/binding/impl/ClientCertAuthRule.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2006 Internet2
+ *  Copyright 2001-2007 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,37 +22,50 @@
 
 #include "internal.h"
 #include "exceptions.h"
-#include "binding/ClientCertAuthRule.h"
+#include "binding/SecurityPolicyRule.h"
 #include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
 #include "saml2/metadata/MetadataProvider.h"
 
+#include <xmltooling/logging.h>
 #include <xmltooling/security/X509TrustEngine.h>
 #include <xmltooling/util/ReplayCache.h>
-#include <log4cpp/Category.hh>
 
 using namespace opensaml::saml2md;
 using namespace opensaml;
+using namespace xmltooling::logging;
 using namespace xmltooling;
-using namespace log4cpp;
 using namespace std;
 
 namespace opensaml {
+    class SAML_DLLLOCAL ClientCertAuthRule : public SecurityPolicyRule
+    {
+    public:
+        ClientCertAuthRule(const DOMElement* e) {}
+        virtual ~ClientCertAuthRule() {}
+        
+        const char* getType() const {
+            return CLIENTCERTAUTH_POLICY_RULE;
+        }
+        void evaluate(const XMLObject& message, const GenericRequest* request, const XMLCh* protocol, SecurityPolicy& policy) const;
+    };
+
     SecurityPolicyRule* SAML_DLLLOCAL ClientCertAuthRuleFactory(const DOMElement* const & e)
     {
         return new ClientCertAuthRule(e);
     }
 };
 
-void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
+void ClientCertAuthRule::evaluate(
+    const XMLObject& message, const GenericRequest* request, const XMLCh* protocol, SecurityPolicy& policy
+    ) const
 {
     Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
-    log.debug("evaluating client certificate authentication policy");
     
-    if (!request) {
-        log.debug("ignoring message, no protocol request available");
+    if (!request)
         return;
-    }
-    else if (!policy.getIssuerMetadata()) {
+    
+    if (!policy.getIssuerMetadata()) {
         log.debug("ignoring message, no issuer metadata supplied");
         return;
     }
@@ -64,13 +77,16 @@ void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest
     }
     
     const std::vector<XSECCryptoX509*>& chain = request->getClientCertificates();
-    if (chain.empty()) {
-        log.debug("ignoring message, no client certificates in request");
+    if (chain.empty())
         return;
-    }
     
-    if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true,
-            policy.getMetadataProvider()->getKeyResolver())) {
+    // Set up criteria object, including peer name to enforce cert name checking.
+    MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
+    auto_ptr_char pn(policy.getIssuer()->getName());
+    cc.setPeerName(pn.get());
+    cc.setUsage(CredentialCriteria::TLS_CREDENTIAL);
+
+    if (!x509trust->validate(chain.front(), chain, *(policy.getMetadataProvider()), &cc)) {
         log.error("unable to verify certificate chain with supplied trust engine");
         return;
     }