2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
24 * Shibboleth-specific PKIX-validation TrustEngine.
30 #include "XMLToolingConfig.h"
31 #include "security/AbstractPKIXTrustEngine.h"
32 #include "security/CredentialResolver.h"
33 #include "security/X509Credential.h"
34 #include "util/XMLHelper.h"
36 #include <xercesc/util/XMLUniDefs.hpp>
38 using namespace xmlsignature;
39 using namespace xmltooling;
40 using namespace xercesc;
43 namespace xmltooling {
// XML names (as XMLCh literals) used when reading this engine's configuration element.
// Element name of the child holding the resolver configuration (see the constructor's
// getFirstChildElement lookup).
45 static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
// "type" attribute of <CredentialResolver>: the plugin id handed to CredentialResolverManager.
46 static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
// "certificate" attribute: its presence on the engine element selects the inline
// filesystem-resolver configuration.
47 static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
// NOTE(review): Certificate and Path are not referenced in the visible part of this file.
48 static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
49 static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h);
// "verifyDepth" attribute: maximum PKIX chain depth; defaults to 1 when absent (see constructor).
50 static const XMLCh verifyDepth[] = UNICODE_LITERAL_11(v,e,r,i,f,y,D,e,p,t,h);
// PKIX trust engine whose validation material (trust anchors and CRLs) comes from a
// CredentialResolver fixed at configuration time. The pkixSource passed to
// getPKIXValidationInfoIterator() is not consulted (see its definition below); only
// the statically configured resolver contributes anchors.
52 class XMLTOOL_DLLLOCAL StaticPKIXTrustEngine : public AbstractPKIXTrustEngine
// Builds the engine from its configuration element; e may be null, in which case the
// constructor falls through to the "missing <CredentialResolver>" error path.
55 StaticPKIXTrustEngine(const DOMElement* e=nullptr);
57 virtual ~StaticPKIXTrustEngine() {}
// Returns a new iterator over the configured anchors/CRLs; caller owns the result.
// Both parameters are ignored by this implementation.
59 AbstractPKIXTrustEngine::PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
60 const CredentialResolver& pkixSource, CredentialCriteria* criteria=nullptr
// Engine-specific KeyInfoResolver if one was configured, otherwise the library-wide
// default from XMLToolingConfig.
63 const KeyInfoResolver* getKeyInfoResolver() const {
64 return m_keyInfoResolver ? m_keyInfoResolver : XMLToolingConfig::getConfig().getKeyInfoResolver();
// Owning handle for the configured resolver.
// NOTE(review): std::auto_ptr is deprecated since C++11 and removed in C++17; the file
// already uses nullptr, so std::unique_ptr would be the drop-in replacement here.
69 auto_ptr<CredentialResolver> m_credResolver;
// The iterator locks and resolves through m_credResolver directly and reads m_depth
// (declared outside the visible lines of this listing).
70 friend class XMLTOOL_DLLLOCAL StaticPKIXIterator;
// Plugin factory entry point: constructs a StaticPKIXTrustEngine from its configuration
// element. The caller (the plugin manager) takes ownership of the returned engine.
73 TrustEngine* XMLTOOL_DLLLOCAL StaticPKIXTrustEngineFactory(const DOMElement* const & e)
75 return new StaticPKIXTrustEngine(e);
// Single-pass iterator exposing the engine's statically resolved certificates and CRLs
// as one PKIX validation-info set. Holds the engine's resolver lock for its whole
// lifetime (locked in the constructor, released in the destructor), so callers should
// delete it as soon as validation is done.
78 class XMLTOOL_DLLLOCAL StaticPKIXIterator : public AbstractPKIXTrustEngine::PKIXValidationInfoIterator
81 StaticPKIXIterator(const StaticPKIXTrustEngine& engine) : m_engine(engine), m_done(false) {
82 // Merge together all X509Credentials we can resolve.
// Lock is taken before the protected section; the destructor is the matching unlock.
83 m_engine.m_credResolver->lock();
85 vector<const Credential*> creds;
86 m_engine.m_credResolver->resolve(creds);
87 for (vector<const Credential*>::const_iterator i = creds.begin(); i != creds.end(); ++i) {
// Only X.509 credentials contribute; other credential types are skipped.
// NOTE(review): the null check between this cast and the dereference below is not
// visible in this listing — confirm xcred is guarded before use.
88 const X509Credential* xcred = dynamic_cast<const X509Credential*>(*i);
90 m_certs.insert(m_certs.end(), xcred->getEntityCertificateChain().begin(), xcred->getEntityCertificateChain().end());
91 m_crls.insert(m_crls.end(), xcred->getCRLs().begin(), xcred->getCRLs().end());
// Resolution failures are logged only; no rethrow is visible, so the iterator then
// exposes whatever was collected before the failure. Missing anchors fail closed, but
// a partially loaded CRL set means revocation data may be incomplete for this pass.
95 catch (exception& ex) {
96 logging::Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.StaticPKIX").error(ex.what());
// Releases the resolver lock acquired in the constructor.
100 virtual ~StaticPKIXIterator() {
101 m_engine.m_credResolver->unlock();
// Chain-depth limit taken from the engine's verifyDepth configuration.
111 int getVerificationDepth() const {
112 return m_engine.m_depth;
// Certificates merged from all resolved X509Credentials (presumably returns m_certs;
// the body is outside the visible lines).
115 const vector<XSECCryptoX509*>& getTrustAnchors() const {
// CRLs merged from all resolved X509Credentials (presumably returns m_crls).
119 const vector<XSECCryptoX509CRL*>& getCRLs() const {
// Engine whose resolver and depth setting this iterator reads; must outlive the iterator.
124 const StaticPKIXTrustEngine& m_engine;
// Non-owning pointers into the resolver's credentials; valid while the resolver lock is held.
125 vector<XSECCryptoX509*> m_certs;
126 vector<XSECCryptoX509CRL*> m_crls;
// Configures the engine from its DOM element.
// verifyDepth defaults to 1 when the attribute is absent (getAttrInt's second argument);
// a null e also yields that default.
// Throws XMLSecurityException if no resolver can be configured.
131 StaticPKIXTrustEngine::StaticPKIXTrustEngine(const DOMElement* e)
132 : AbstractPKIXTrustEngine(e), m_depth(XMLHelper::getAttrInt(e, 1, verifyDepth))
// Form 1: a "certificate" attribute on the engine element itself selects the
// filesystem resolver, configured from this same element.
134 if (e && e->hasAttributeNS(nullptr, certificate)) {
135 // Simple File resolver config rooted here.
136 m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e));
// Form 2: a <CredentialResolver type="..."> child; the type attribute names the plugin.
// NOTE(review): the guard between reading t and calling newPlugin is not visible here —
// presumably it requires a non-null child and a non-empty type before reaching the reset.
139 e = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : nullptr;
140 string t = XMLHelper::getAttrString(e, nullptr, type);
142 m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), e));
// Neither form matched: refuse to construct an engine with no trust material.
144 throw XMLSecurityException("Missing <CredentialResolver> element, or no type attribute found");
// Returns a freshly allocated StaticPKIXIterator bound to this engine; the caller owns it
// and must delete it to release the resolver lock the iterator acquires on construction.
// pkixSource and criteria are intentionally unused: the validation material comes only
// from the statically configured resolver.
148 AbstractPKIXTrustEngine::PKIXValidationInfoIterator* StaticPKIXTrustEngine::getPKIXValidationInfoIterator(
149 const CredentialResolver& pkixSource, CredentialCriteria* criteria
152 return new StaticPKIXIterator(*this);