projects / shibboleth / cpp-xmltooling.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Incorporating boostisms
[shibboleth/cpp-xmltooling.git] / xmltooling / security / AbstractPKIXTrustEngine.h
1 /**
2  * Licensed to the University Corporation for Advanced Internet
3  * Development, Inc. (UCAID) under one or more contributor license
4  * agreements. See the NOTICE file distributed with this work for
5  * additional information regarding copyright ownership.
6  *
7  * UCAID licenses this file to you under the Apache License,
8  * Version 2.0 (the "License"); you may not use this file except
9  * in compliance with the License. You may obtain a copy of the
10  * License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17  * either express or implied. See the License for the specific
18  * language governing permissions and limitations under the License.
19  */
20
21 /**
22  * @file xmltooling/security/AbstractPKIXTrustEngine.h
23  * 
24  * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
25  * to perform PKIX validation of signatures and credentials.
26  */
27
28 #if !defined(__xmltooling_pkixtrust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
29 #define __xmltooling_pkixtrust_h__
30
31 #include <xmltooling/security/OpenSSLTrustEngine.h>
32 #include <xmltooling/security/SignatureTrustEngine.h>
33
34 #include <set>
35 #include <string>
36 #include <boost/ptr_container/ptr_vector.hpp>
37
38 namespace xmltooling {
39
40     class XMLTOOL_API OpenSSLPathValidator;
41     class XMLTOOL_API XSECCryptoX509CRL;
42
43     /**
44      * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
45      * to perform PKIX validation of signatures and credentials.
46      */
47     class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
48     {
49     protected:
50         /**
51          * Constructor.
52          * 
53          * If a DOM is supplied, the following XML content is supported:
54          * 
55          * <ul>
56          *  <li>checkRevocation attribute (off, entityOnly, fullChain)
57          *  <li>policyMappingInhibit attribute (boolean)
58          *  <li>anyPolicyInhibit attribute (boolean)
59          *  <li>&t;PathValidator&gt; element (zero or more)
60          *  <li>&lt;TrustedName&gt; element (zero or more)
61          *  <li>&lt;PolicyOID&gt; element (zero or more)
62          * </ul>
63          * 
64          * @param e DOM to supply configuration for provider
65          */
66         AbstractPKIXTrustEngine(const xercesc::DOMElement* e=nullptr);
67
68         /** Plugins used to perform path validation. */
69         boost::ptr_vector<OpenSSLPathValidator> m_pathValidators;
70
71         /** Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain". */
72         std::string m_checkRevocation;
73
74         /** Deprecated option, equivalent to checkRevocation="fullChain". */
75         bool m_fullCRLChain;
76
77         /** Disable policy mapping when applying PKIX policy checking. */
78         bool m_policyMappingInhibit;
79
80         /** Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking. */
81         bool m_anyPolicyInhibit;
82
83         /** A list of acceptable policy OIDs (explicit policy checking). */
84         std::set<std::string> m_policyOIDs;
85
86         /** A list of trusted names (subject DNs / CN attributes / subjectAltName entries). */
87         std::set<std::string> m_trustedNames;
88
89         /**
90          * Checks that either the name of the peer with the given credentials or the names
91          * of the credentials match the subject or subject alternate names of the certificate.
92          * Alternatively explicit trusted names can be supplied statically via configuration.
93          * 
94          * @param certEE        the credential for the entity to validate
95          * @param credResolver  source of trusted credentials
96          * @param criteria      criteria for selecting credentials, including the peer name
97          * 
98          * @return true the name check succeeds, false if not
99          */
100         bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const;
101
102     public:
103         virtual ~AbstractPKIXTrustEngine();
104
105         bool validate(
106             xmlsignature::Signature& sig,
107             const CredentialResolver& credResolver,
108             CredentialCriteria* criteria=nullptr
109             ) const;
110
111         bool validate(
112             const XMLCh* sigAlgorithm,
113             const char* sig,
114             xmlsignature::KeyInfo* keyInfo,
115             const char* in,
116             unsigned int in_len,
117             const CredentialResolver& credResolver,
118             CredentialCriteria* criteria=nullptr
119             ) const;
120
121         bool validate(
122             XSECCryptoX509* certEE,
123             const std::vector<XSECCryptoX509*>& certChain,
124             const CredentialResolver& credResolver,
125             CredentialCriteria* criteria=nullptr
126             ) const;
127
128         bool validate(
129             X509* certEE,
130             STACK_OF(X509)* certChain,
131             const CredentialResolver& credResolver,
132             CredentialCriteria* criteria=nullptr
133             ) const;
134
135         /**
136          * Stateful interface that supplies PKIX validation data to the trust engine.
137          * Applications can adapt this TrustEngine to their environment by returning
138          * implementations of this interface from the getPKIXValidationInfoIterator
139          * method.
140          */
141         class XMLTOOL_API PKIXValidationInfoIterator {
142             MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
143         protected:
144             PKIXValidationInfoIterator();
145             
146         public:
147             virtual ~PKIXValidationInfoIterator();
148             
149             /**
150              * Advances to the next set of information, if any.
151              * 
152              * @return true iff another set of information is available
153              */
154             virtual bool next()=0;
155             
156             /**
157              * Returns the allowable trust chain verification depth for the
158              * validation data in the current position.
159              * 
160              * @return  allowable trust chain verification depth
161              */
162             virtual int getVerificationDepth() const=0;
163             
164             /**
165              * Returns the set of trust anchors for the validation data in the
166              * current position. Keeping the certificates beyond the lifetime
167              * of the iterator or after advancing to the next position requires
168              * copying them.
169              * 
170              * @return  set of trust anchors
171              */
172             virtual const std::vector<XSECCryptoX509*>& getTrustAnchors() const=0;
173
174             /**
175              * Returns the set of CRLs for the validation data in the
176              * current position. Keeping the CRLs beyond the lifetime
177              * of the iterator or after advancing to the next position requires
178              * copying them.
179              * 
180              * @return  set of CRLs
181              */
182             virtual const std::vector<XSECCryptoX509CRL*>& getCRLs() const=0;
183         };
184         
185         /**
186          * Provides access to the information necessary, for the given credential source, for
187          * PKIX validation of credentials. Each set of validation information returned
188          * will be tried, in turn, until one succeeds or no more remain.
189          * The caller must free the returned interface when finished with it.
190          * 
191          * @param pkixSource        the peer for which validation rules are required
192          * @param criteria          criteria for selecting validation rules
193          * @return interface for obtaining validation data
194          */
195         virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
196             const CredentialResolver& pkixSource, CredentialCriteria* criteria=nullptr
197             ) const=0;
198
199     private:
200         bool validateWithCRLs(
201             X509* certEE,
202             STACK_OF(X509)* certChain,
203             const CredentialResolver& credResolver,
204             CredentialCriteria* criteria=nullptr,
205             const std::vector<XSECCryptoX509CRL*>* inlineCRLs=nullptr
206             ) const;
207
208         friend class XMLTOOL_DLLLOCAL PKIXParams;
209     };
210 };
211
212 #endif /* __xmltooling_pkixtrust_h__ */
Unnamed repository; edit this file 'description' to name the repository.