2 * Copyright 2001-2010 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file xmltooling/security/SignatureTrustEngine.h
20 * TrustEngine interface that adds validation of digital signatures.
23 #if !defined(__xmltooling_sigtrust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
24 #define __xmltooling_sigtrust_h__
26 #include <xmltooling/security/TrustEngine.h>
28 namespace xmlsignature {
29 class XMLTOOL_API KeyInfo;
30 class XMLTOOL_API Signature;
33 namespace xmltooling {
35 class XMLTOOL_API CredentialCriteria;
36 class XMLTOOL_API CredentialResolver;
39 * TrustEngine interface that adds validation of digital signatures.
41 class XMLTOOL_API SignatureTrustEngine : public virtual TrustEngine {
46 * @param e DOM to supply configuration for provider
48 SignatureTrustEngine(const xercesc::DOMElement* e=nullptr);
51 virtual ~SignatureTrustEngine();
54 * Determines whether an XML signature is correct and valid with respect to
55 * the source of credentials supplied.
57 * <p>It is the responsibility of the application to ensure that the credentials
58 * supplied are in fact associated with the peer who created the signature.
60 * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
61 * the signature may also be checked to ensure that it identifies the intended peer.
62 * The peer name itself or implementation-specific rules based on the content of the
63 * peer credentials may be applied. Implementations may omit this check if they
64 * deem it unnecessary.
66 * @param sig reference to a signature object to validate
67 * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
68 * @param criteria criteria for selecting peer credentials
69 * @return true iff the signature validates
71 virtual bool validate(
72 xmlsignature::Signature& sig,
73 const CredentialResolver& credResolver,
74 CredentialCriteria* criteria=nullptr
78 * Determines whether a raw signature is correct and valid with respect to
79 * the source of credentials supplied.
81 * <p>It is the responsibility of the application to ensure that the Credentials
82 * supplied are in fact associated with the peer who created the signature.
84 * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
85 * the signature may also be checked to ensure that it identifies the intended peer.
86 * The peer name itself or implementation-specific rules based on the content of the
87 * peer credentials may be applied. Implementations may omit this check if they
88 * deem it unnecessary.
90 * <p>Note that the keyInfo parameter is not part of the implicitly trusted
91 * set of information supplied via the CredentialResolver, but rather advisory
92 * data that may have accompanied the signature itself.
94 * @param sigAlgorithm XML Signature identifier for the algorithm used
95 * @param sig null-terminated base64-encoded signature value
96 * @param keyInfo KeyInfo object accompanying the signature, if any
97 * @param in the input data over which the signature was created
98 * @param in_len size of input data in bytes
99 * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
100 * @param criteria criteria for selecting peer credentials
101 * @return true iff the signature validates
103 virtual bool validate(
104 const XMLCh* sigAlgorithm,
106 xmlsignature::KeyInfo* keyInfo,
109 const CredentialResolver& credResolver,
110 CredentialCriteria* criteria=nullptr
115 #endif /* __xmltooling_sigtrust_h__ */