Merged trust engines back into a unified version, made metadata roles a "KeyInfoSource".

[shibboleth/cpp-opensaml.git] / saml / binding / impl / XMLSigningRule.cpp

diff --git a/saml/binding/impl/XMLSigningRule.cpp b/saml/binding/impl/XMLSigningRule.cpp
index d667cfd..6cc736d 100644 (file)
--- a/saml/binding/impl/XMLSigningRule.cpp
+++ b/saml/binding/impl/XMLSigningRule.cpp
@@ -28,7 +28,7 @@
 #include "saml2/core/Protocols.h"
 #include "saml2/metadata/Metadata.h"
 #include "saml2/metadata/MetadataProvider.h"
-#include "security/TrustEngine.h"
+#include "signature/SignatureProfileValidator.h"
 
 #include <xmltooling/util/NDC.h>
 #include <xmltooling/util/ReplayCache.h>
@@ -52,7 +52,7 @@ pair<saml2::Issuer*,const RoleDescriptor*> XMLSigningRule::evaluate(
     const XMLObject& message,
     const MetadataProvider* metadataProvider,
     const QName* role,
-    const opensaml::TrustEngine* trustEngine
+    const TrustEngine* trustEngine
     ) const
 {
     Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.XMLSigning");
@@ -72,6 +72,17 @@ pair<saml2::Issuer*,const RoleDescriptor*> XMLSigningRule::evaluate(
             return ret;
         }
         
+        log.debug("validating signature profile");
+        try {
+            SignatureProfileValidator sigval;
+            sigval.validate(signable->getSignature());
+        }
+        catch (ValidationException& ve) {
+            log.error("signature profile failed to validate: %s", ve.what());
+            return ret;
+        }
+        
+        
         log.debug("extracting issuer from message");
         pair<saml2::Issuer*,const XMLCh*> issuerInfo = getIssuerAndProtocol(message);