2 * Copyright 2001-2006 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
18 * @file xmltooling/security/TrustEngine.h
\r
20 * Evaluates the trustworthiness and validity of XML Signatures against
\r
21 * implementation-specific requirements.
\r
24 #if !defined(__xmltooling_trust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
\r
25 #define __xmltooling_trust_h__
\r
27 #include <xmltooling/signature/KeyResolver.h>
\r
28 #include <xmltooling/signature/Signature.h>
\r
30 namespace xmltooling {
\r
33 * Evaluates the trustworthiness and validity of XML Signatures against
\r
34 * implementation-specific requirements.
\r
36 class XMLTOOL_API TrustEngine {
\r
37 MAKE_NONCOPYABLE(TrustEngine);
\r
42 * If a DOM is supplied, the following XML content is supported:
\r
45 * <li><KeyResolver> elements with a type attribute
\r
48 * XML namespaces are ignored in the processing of this content.
\r
50 * @param e DOM to supply configuration for provider
\r
52 TrustEngine(const DOMElement* e=NULL);
\r
54 /** Default KeyResolver instance. */
\r
55 xmlsignature::KeyResolver* m_keyResolver;
\r
58 virtual ~TrustEngine();
\r
61 * Callback interface to supply KeyInfo objects to a TrustEngine.
\r
62 * Applications can adapt TrustEngines to their environment by supplying
\r
63 * implementations of this interface, or create specialized TrustEngine APIs
\r
64 * by combining a KeyInfoIterator with a delegated TrustEngine.
\r
66 class XMLTOOL_API KeyInfoIterator {
\r
67 MAKE_NONCOPYABLE(KeyInfoIterator);
\r
69 KeyInfoIterator() {}
\r
71 virtual ~KeyInfoIterator() {}
\r
74 * Indicates whether additional KeyInfo objects are available.
\r
76 * @return true iff another KeyInfo object can be fetched
\r
78 virtual bool hasNext() const=0;
\r
81 * Returns the next KeyInfo object available.
\r
83 * @return the next KeyInfo object, or NULL if none are left
\r
85 virtual const xmlsignature::KeyInfo* next()=0;
\r
89 * Determines whether a signature is correct and valid with respect to the
\r
90 * KeyInfo data supplied. It is the responsibility of the application to
\r
91 * ensure that the KeyInfo information supplied is in fact associated with
\r
92 * the peer who created the signature.
\r
94 * A custom KeyResolver can be supplied from outside the TrustEngine.
\r
95 * Alternatively, one may be specified to the plugin constructor.
\r
96 * A non-caching, inline resolver will be used as a fallback.
\r
98 * @param sig reference to a signature object to validate
\r
99 * @param keyInfoSource supplies KeyInfo objects to the TrustEngine
\r
100 * @param keyResolver optional externally supplied KeyResolver, or NULL
\r
102 virtual bool validate(
\r
103 xmlsignature::Signature& sig,
\r
104 KeyInfoIterator& keyInfoSource,
\r
105 const xmlsignature::KeyResolver* keyResolver=NULL
\r
110 * Registers TrustEngine classes into the runtime.
\r
112 void XMLTOOL_API registerTrustEngines();
\r
114 /** TrustEngine based on explicit knowledge of peer key information. */
\r
115 #define EXPLICIT_KEY_TRUSTENGINE "org.opensaml.xmlooling.security.ExplicitKeyTrustEngine"
\r
118 #endif /* __xmltooling_trust_h__ */
\r