2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file xmltooling/security/TrustEngine.h
20 * Evaluates the trustworthiness and validity of signatures against
21 * implementation-specific requirements.
24 #if !defined(__xmltooling_trust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
25 #define __xmltooling_trust_h__
27 #include <xmltooling/base.h>
29 namespace xmlsignature {
30 class XMLTOOL_API KeyInfo;
31 class XMLTOOL_API Signature;
34 namespace xmltooling {
36 class XMLTOOL_API CredentialCriteria;
37 class XMLTOOL_API CredentialResolver;
38 class XMLTOOL_API KeyInfoResolver;
41 * Evaluates the trustworthiness and validity of XML or raw Signatures against
42 * implementation-specific requirements.
44 class XMLTOOL_API TrustEngine {
45 MAKE_NONCOPYABLE(TrustEngine);
50 * If a DOM is supplied, the following XML content is supported:
53 * <li><KeyInfoResolver> elements with a type attribute
56 * XML namespaces are ignored in the processing of this content.
58 * @param e DOM to supply configuration for provider
60 TrustEngine(const xercesc::DOMElement* e=NULL);
62 /** Custom KeyInfoResolver instance. */
63 KeyInfoResolver* m_keyInfoResolver;
66 virtual ~TrustEngine();
69 * Supplies a KeyInfoResolver instance.
70 * <p>This method must be externally synchronized with any code that uses the object.
71 * Any previously set object is destroyed.
73 * @param keyInfoResolver new KeyInfoResolver instance to use
75 void setKeyInfoResolver(KeyInfoResolver* keyInfoResolver);
78 * Determines whether an XML signature is correct and valid with respect to
79 * the source of credentials supplied.
81 * <p>It is the responsibility of the application to ensure that the credentials
82 * supplied are in fact associated with the peer who created the signature.
84 * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
85 * the signature may also be checked to ensure that it identifies the intended peer.
86 * The peer name itself or implementation-specific rules based on the content of the
87 * peer credentials may be applied. Implementations may omit this check if they
88 * deem it unnecessary.
90 * @param sig reference to a signature object to validate
91 * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
92 * @param criteria criteria for selecting peer credentials
93 * @return true iff the signature validates
95 virtual bool validate(
96 xmlsignature::Signature& sig,
97 const CredentialResolver& credResolver,
98 CredentialCriteria* criteria=NULL
102 * Determines whether a raw signature is correct and valid with respect to
103 * the source of credentials supplied.
105 * <p>It is the responsibility of the application to ensure that the Credentials
106 * supplied are in fact associated with the peer who created the signature.
108 * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
109 * the signature may also be checked to ensure that it identifies the intended peer.
110 * The peer name itself or implementation-specific rules based on the content of the
111 * peer credentials may be applied. Implementations may omit this check if they
112 * deem it unnecessary.
114 * <p>Note that the keyInfo parameter is not part of the implicitly trusted
115 * set of information supplied via the CredentialResolver, but rather advisory
116 * data that may have accompanied the signature itself.
118 * @param sigAlgorithm XML Signature identifier for the algorithm used
119 * @param sig null-terminated base64-encoded signature value
120 * @param keyInfo KeyInfo object accompanying the signature, if any
121 * @param in the input data over which the signature was created
122 * @param in_len size of input data in bytes
123 * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
124 * @param criteria criteria for selecting peer credentials
125 * @return true iff the signature validates
127 virtual bool validate(
128 const XMLCh* sigAlgorithm,
130 xmlsignature::KeyInfo* keyInfo,
133 const CredentialResolver& credResolver,
134 CredentialCriteria* criteria=NULL
139 * Registers TrustEngine classes into the runtime.
141 void XMLTOOL_API registerTrustEngines();
143 /** TrustEngine based on explicit knowledge of peer key information. */
144 #define EXPLICIT_KEY_TRUSTENGINE "ExplicitKey"
146 /** TrustEngine that tries multiple engines in sequence. */
147 #define CHAINING_TRUSTENGINE "Chaining"
151 #endif /* __xmltooling_trust_h__ */