2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * @file xmltooling/security/SignatureTrustEngine.h
24 * TrustEngine interface that adds validation of digital signatures.
27 #if !defined(__xmltooling_sigtrust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
28 #define __xmltooling_sigtrust_h__
30 #include <xmltooling/security/TrustEngine.h>
32 namespace xmlsignature {
33 class XMLTOOL_API KeyInfo;
34 class XMLTOOL_API Signature;
37 namespace xmltooling {
39 class XMLTOOL_API CredentialCriteria;
40 class XMLTOOL_API CredentialResolver;
43 * TrustEngine interface that adds validation of digital signatures.
45 class XMLTOOL_API SignatureTrustEngine : public virtual TrustEngine {
50 * @param e DOM to supply configuration for provider
52 SignatureTrustEngine(const xercesc::DOMElement* e=nullptr);
55 virtual ~SignatureTrustEngine();
58 * Determines whether an XML signature is correct and valid with respect to
59 * the source of credentials supplied.
61 * <p>It is the responsibility of the application to ensure that the credentials
62 * supplied are in fact associated with the peer who created the signature.
64 * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
65 * the signature may also be checked to ensure that it identifies the intended peer.
66 * The peer name itself or implementation-specific rules based on the content of the
67 * peer credentials may be applied. Implementations may omit this check if they
68 * deem it unnecessary.
70 * @param sig reference to a signature object to validate
71 * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
72 * @param criteria criteria for selecting peer credentials
73 * @return true iff the signature validates
75 virtual bool validate(
76 xmlsignature::Signature& sig,
77 const CredentialResolver& credResolver,
78 CredentialCriteria* criteria=nullptr
82 * Determines whether a raw signature is correct and valid with respect to
83 * the source of credentials supplied.
85 * <p>It is the responsibility of the application to ensure that the Credentials
86 * supplied are in fact associated with the peer who created the signature.
88 * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
89 * the signature may also be checked to ensure that it identifies the intended peer.
90 * The peer name itself or implementation-specific rules based on the content of the
91 * peer credentials may be applied. Implementations may omit this check if they
92 * deem it unnecessary.
94 * <p>Note that the keyInfo parameter is not part of the implicitly trusted
95 * set of information supplied via the CredentialResolver, but rather advisory
96 * data that may have accompanied the signature itself.
98 * @param sigAlgorithm XML Signature identifier for the algorithm used
99 * @param sig null-terminated base64-encoded signature value
100 * @param keyInfo KeyInfo object accompanying the signature, if any
101 * @param in the input data over which the signature was created
102 * @param in_len size of input data in bytes
103 * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
104 * @param criteria criteria for selecting peer credentials
105 * @return true iff the signature validates
107 virtual bool validate(
108 const XMLCh* sigAlgorithm,
110 xmlsignature::KeyInfo* keyInfo,
113 const CredentialResolver& credResolver,
114 CredentialCriteria* criteria=nullptr
119 #endif /* __xmltooling_sigtrust_h__ */