-/*\r
- * Copyright 2001-2006 Internet2\r
- * \r
- * Licensed under the Apache License, Version 2.0 (the "License");\r
- * you may not use this file except in compliance with the License.\r
- * You may obtain a copy of the License at\r
- *\r
- * http://www.apache.org/licenses/LICENSE-2.0\r
- *\r
- * Unless required by applicable law or agreed to in writing, software\r
- * distributed under the License is distributed on an "AS IS" BASIS,\r
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * See the License for the specific language governing permissions and\r
- * limitations under the License.\r
- */\r
-\r
-/**\r
- * @file saml/security/AbstractPKIXTrustEngine.h\r
- * \r
- * A trust engine that uses X.509 trust anchors and CRLs associated with a role\r
- * to perform PKIX validation of signatures and certificates.\r
- */\r
-\r
-#ifndef __saml_pkixtrust_h__\r
-#define __saml_pkixtrust_h__\r
-\r
-#include <saml/security/X509TrustEngine.h>\r
-#include <xmltooling/security/XSECCryptoX509CRL.h>\r
-\r
-namespace opensaml {\r
-\r
- /**\r
- * A trust engine that uses X.509 trust anchors and CRLs associated with a role\r
- * to perform PKIX validation of signatures and certificates.\r
- */\r
- class SAML_API AbstractPKIXTrustEngine : public X509TrustEngine\r
- {\r
- protected:\r
- /**\r
- * Constructor.\r
- * \r
- * If a DOM is supplied, the following XML content is supported:\r
- * \r
- * <ul>\r
- * <li><KeyResolver> elements with a type attribute\r
- * </ul>\r
- * \r
- * XML namespaces are ignored in the processing of this content.\r
- * \r
- * @param e DOM to supply configuration for provider\r
- */\r
- AbstractPKIXTrustEngine(const DOMElement* e=NULL);\r
- \r
- /**\r
- * Checks that either the ID for the entity with the given role or the key names\r
- * for the given role match the subject or subject alternate names\r
- * of the entity's certificate.\r
- * \r
- * @param certEE the credential for the entity to validate\r
- * @param role the descriptor of the role the entity is supposed to be acting in\r
- * \r
- * @return true the name check succeeds, false if not\r
- */\r
- bool checkEntityNames(XSECCryptoX509* certEE, const saml2md::RoleDescriptor& role) const;\r
- \r
- /** An inline KeyResolver for extracting certificates out of a signature. */\r
- xmlsignature::KeyResolver* m_inlineResolver;\r
- \r
- public:\r
- virtual ~AbstractPKIXTrustEngine();\r
-\r
- virtual bool validate(\r
- xmlsignature::Signature& sig,\r
- const saml2md::RoleDescriptor& role,\r
- const xmlsignature::KeyResolver* keyResolver=NULL\r
- ) const;\r
-\r
- virtual bool validate(\r
- XSECCryptoX509* certEE,\r
- const std::vector<XSECCryptoX509*>& certChain,\r
- const saml2md::RoleDescriptor& role,\r
- bool checkName=true,\r
- const xmlsignature::KeyResolver* keyResolver=NULL\r
- ) const;\r
-\r
- /**\r
- * Stateful interface that supplies PKIX validation data to the trust engine.\r
- * Applications can adapt this TrustEngine to their environment by returning\r
- * implementations of this interface from the getPKIXValidationInfoIterator\r
- * method.\r
- */\r
- class SAML_API PKIXValidationInfoIterator {\r
- MAKE_NONCOPYABLE(PKIXValidationInfoIterator);\r
- protected:\r
- PKIXValidationInfoIterator() {}\r
- public:\r
- virtual ~PKIXValidationInfoIterator() {}\r
- \r
- /**\r
- * Advances to the next set of information, if any.\r
- * \r
- * @return true iff another set of information is available\r
- */\r
- virtual bool next()=0;\r
- \r
- /**\r
- * Returns the allowable trust chain verification depth for the\r
- * validation data in the current position.\r
- * \r
- * @return allowable trust chain verification depth\r
- */\r
- virtual int getVerificationDepth() const=0;\r
- \r
- /**\r
- * Returns the set of trust anchors for the validation data in the\r
- * current position. Keeping the certificates beyond the lifetime\r
- * of the iterator or after advancing to the next position requires\r
- * copying them.\r
- * \r
- * @return set of trust anchors\r
- */\r
- virtual const std::vector<XSECCryptoX509*>& getTrustAnchors() const=0;\r
-\r
- /**\r
- * Returns the set of CRLs for the validation data in the\r
- * current position. Keeping the CRLs beyond the lifetime\r
- * of the iterator or after advancing to the next position requires\r
- * copying them.\r
- * \r
- * @return set of CRLs\r
- */\r
- virtual const std::vector<xmltooling::XSECCryptoX509CRL*>& getCRLs() const=0;\r
- };\r
- \r
- /**\r
- * Provides access to the information necessary, for the given role, for\r
- * PKIX validation of credentials. Each set of validation information returned\r
- * will be tried, in turn, until one succeeds or no more remain.\r
- * The caller must free the returned interface when finished with it.\r
- * \r
- * @return interface for obtaining validation data \r
- */\r
- virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const saml2md::RoleDescriptor& role) const=0;\r
- };\r
-};\r
-\r
-#endif /* __saml_pkixtrust_h__ */\r
+/*
+ * Copyright 2001-2006 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file saml/security/AbstractPKIXTrustEngine.h
+ *
+ * A trust engine that uses X.509 trust anchors and CRLs associated with a role
+ * to perform PKIX validation of signatures and certificates.
+ */
+
+#ifndef __saml_pkixtrust_h__
+#define __saml_pkixtrust_h__
+
+#include <saml/security/X509TrustEngine.h>
+#include <xmltooling/security/XSECCryptoX509CRL.h>
+
+namespace opensaml {
+
+ /**
+ * A trust engine that uses X.509 trust anchors and CRLs associated with a role
+ * to perform PKIX validation of signatures and certificates.
+ */
+ class SAML_API AbstractPKIXTrustEngine : public X509TrustEngine
+ {
+ protected:
+ /**
+ * Constructor.
+ *
+ * If a DOM is supplied, the following XML content is supported:
+ *
+ * <ul>
+ * <li><KeyResolver> elements with a type attribute
+ * </ul>
+ *
+ * XML namespaces are ignored in the processing of this content.
+ *
+ * @param e DOM to supply configuration for provider
+ */
+ AbstractPKIXTrustEngine(const DOMElement* e=NULL);
+
+ /**
+ * Checks that either the ID for the entity with the given role or the key names
+ * for the given role match the subject or subject alternate names
+ * of the entity's certificate.
+ *
+ * @param certEE the credential for the entity to validate
+ * @param role the descriptor of the role the entity is supposed to be acting in
+ *
+ * @return true the name check succeeds, false if not
+ */
+ bool checkEntityNames(XSECCryptoX509* certEE, const saml2md::RoleDescriptor& role) const;
+
+ /** An inline KeyResolver for extracting certificates out of a signature. */
+ xmlsignature::KeyResolver* m_inlineResolver;
+
+ public:
+ virtual ~AbstractPKIXTrustEngine();
+
+ virtual bool validate(
+ xmlsignature::Signature& sig,
+ const saml2md::RoleDescriptor& role,
+ const xmlsignature::KeyResolver* keyResolver=NULL
+ ) const;
+
+ virtual bool validate(
+ const XMLCh* sigAlgorithm,
+ const char* sig,
+ xmlsignature::KeyInfo* keyInfo,
+ const char* in,
+ unsigned int in_len,
+ const saml2md::RoleDescriptor& role,
+ const xmlsignature::KeyResolver* keyResolver=NULL
+ ) const;
+
+ virtual bool validate(
+ XSECCryptoX509* certEE,
+ const std::vector<XSECCryptoX509*>& certChain,
+ const saml2md::RoleDescriptor& role,
+ bool checkName=true,
+ const xmlsignature::KeyResolver* keyResolver=NULL
+ ) const;
+
+ /**
+ * Stateful interface that supplies PKIX validation data to the trust engine.
+ * Applications can adapt this TrustEngine to their environment by returning
+ * implementations of this interface from the getPKIXValidationInfoIterator
+ * method.
+ */
+ class SAML_API PKIXValidationInfoIterator {
+ MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
+ protected:
+ PKIXValidationInfoIterator() {}
+ public:
+ virtual ~PKIXValidationInfoIterator() {}
+
+ /**
+ * Advances to the next set of information, if any.
+ *
+ * @return true iff another set of information is available
+ */
+ virtual bool next()=0;
+
+ /**
+ * Returns the allowable trust chain verification depth for the
+ * validation data in the current position.
+ *
+ * @return allowable trust chain verification depth
+ */
+ virtual int getVerificationDepth() const=0;
+
+ /**
+ * Returns the set of trust anchors for the validation data in the
+ * current position. Keeping the certificates beyond the lifetime
+ * of the iterator or after advancing to the next position requires
+ * copying them.
+ *
+ * @return set of trust anchors
+ */
+ virtual const std::vector<XSECCryptoX509*>& getTrustAnchors() const=0;
+
+ /**
+ * Returns the set of CRLs for the validation data in the
+ * current position. Keeping the CRLs beyond the lifetime
+ * of the iterator or after advancing to the next position requires
+ * copying them.
+ *
+ * @return set of CRLs
+ */
+ virtual const std::vector<xmltooling::XSECCryptoX509CRL*>& getCRLs() const=0;
+ };
+
+ /**
+ * Provides access to the information necessary, for the given role, for
+ * PKIX validation of credentials. Each set of validation information returned
+ * will be tried, in turn, until one succeeds or no more remain.
+ * The caller must free the returned interface when finished with it.
+ *
+ * @return interface for obtaining validation data
+ */
+ virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const saml2md::RoleDescriptor& role) const=0;
+ };
+};
+
+#endif /* __saml_pkixtrust_h__ */