2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file xmltooling/security/TrustEngine.h
20 * Evaluates the trustworthiness and validity of XML Signatures against
21 * implementation-specific requirements.
24 #if !defined(__xmltooling_trust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
25 #define __xmltooling_trust_h__
27 #include <xmltooling/security/KeyInfoSource.h>
28 #include <xmltooling/signature/KeyResolver.h>
29 #include <xmltooling/signature/Signature.h>
31 namespace xmltooling {
34 * Evaluates the trustworthiness and validity of XML or raw Signatures against
35 * implementation-specific requirements.
37 class XMLTOOL_API TrustEngine {
38 MAKE_NONCOPYABLE(TrustEngine);
43 * If a DOM is supplied, the following XML content is supported:
46 * <li><KeyResolver> elements with a type attribute
49 * XML namespaces are ignored in the processing of this content.
51 * @param e DOM to supply configuration for provider
53 TrustEngine(const DOMElement* e=NULL);
55 /** Default KeyResolver instance. */
56 xmlsignature::KeyResolver* m_keyResolver;
59 virtual ~TrustEngine();
62 * Determines whether an XML signature is correct and valid with respect to
63 * the source of KeyInfo data supplied. It is the responsibility of the
64 * application to ensure that the KeyInfo information supplied is in fact
65 * associated with the peer who created the signature.
67 * <p>A custom KeyResolver can be supplied from outside the TrustEngine.
68 * Alternatively, one may be specified to the plugin constructor.
69 * A non-caching, inline resolver will be used as a fallback.
71 * @param sig reference to a signature object to validate
72 * @param keyInfoSource supplies KeyInfo objects to the TrustEngine
73 * @param keyResolver optional externally supplied KeyResolver, or NULL
74 * @return true iff the signature validates
76 virtual bool validate(
77 xmlsignature::Signature& sig,
78 const KeyInfoSource& keyInfoSource,
79 const xmlsignature::KeyResolver* keyResolver=NULL
83 * Determines whether a raw signature is correct and valid with respect to
84 * the source of KeyInfo data supplied. It is the responsibility of the
85 * application to ensure that the KeyInfo information supplied is in fact
86 * associated with the peer who created the signature.
88 * <p>A custom KeyResolver can be supplied from outside the TrustEngine.
89 * Alternatively, one may be specified to the plugin constructor.
90 * A non-caching, inline resolver will be used as a fallback.
92 * <p>Note that the keyInfo parameter is not part of the implicitly trusted
93 * set of key information supplied via the KeyInfoSource, but rather advisory
94 * data that may have accompanied the signature itself.
96 * @param sigAlgorithm XML Signature identifier for the algorithm used
97 * @param sig null-terminated base64-encoded signature value
98 * @param keyInfo KeyInfo object accompanying the signature, if any
99 * @param in the input data over which the signature was created
100 * @param in_len size of input data in bytes
101 * @param keyInfoSource supplies KeyInfo objects to the TrustEngine
102 * @param keyResolver optional externally supplied KeyResolver, or NULL
103 * @return true iff the signature validates
105 virtual bool validate(
106 const XMLCh* sigAlgorithm,
108 xmlsignature::KeyInfo* keyInfo,
111 const KeyInfoSource& keyInfoSource,
112 const xmlsignature::KeyResolver* keyResolver=NULL
117 * Registers TrustEngine classes into the runtime.
119 void XMLTOOL_API registerTrustEngines();
121 /** TrustEngine based on explicit knowledge of peer key information. */
122 #define EXPLICIT_KEY_TRUSTENGINE "org.opensaml.xmltooling.security.ExplicitKeyTrustEngine"
124 /** TrustEngine that tries multiple engines in sequence. */
125 #define CHAINING_TRUSTENGINE "org.opensaml.xmltooling.security.ChainingTrustEngine"
129 #endif /* __xmltooling_trust_h__ */