/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
/**
* @file xmltooling/security/CredentialCriteria.h
*
- * Class for specifying criteria by which a CredentialResolver should resolve credentials.
+ * Class for specifying criteria by which a CredentialResolver should resolve credentials.
*/
#if !defined(__xmltooling_credcrit_h__) && !defined(XMLTOOLING_NO_XMLSEC)
#define __xmltooling_credcrit_h__
-#include <xmltooling/XMLToolingConfig.h>
-#include <xmltooling/security/KeyInfoResolver.h>
-#include <xmltooling/security/X509Credential.h>
-#include <xmltooling/signature/KeyInfo.h>
-#include <xmltooling/signature/Signature.h>
+#include <xmltooling/base.h>
#include <set>
-#include <xsec/dsig/DSIGKeyInfoList.hpp>
-#include <xsec/dsig/DSIGKeyInfoName.hpp>
+
+class DSIGKeyInfoList;
+
+namespace xmlsignature {
+ class XMLTOOL_API KeyInfo;
+ class XMLTOOL_API Signature;
+};
namespace xmltooling {
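Review bot: With the removed includes gone, the only standard header this file still visibly pulls in is `<set>` (L21), yet the member declarations further down use `std::string` (L184), so the header now depends on `xmltooling/base.h` or a downstream include providing `<string>` transitively; add `#include <string>` next to `<set>` so the header stands on its own. The `};` that closes the `xmlsignature` namespace on L30 carries a stray semicolon that pedantic compilers warn about; `}` is enough. If `Credential`, used by the new `matches()` declaration later in the class, is not forward-declared in the lines omitted after `namespace xmltooling {`, it also needs a forward declaration now that `X509Credential.h` is no longer included.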
{
MAKE_NONCOPYABLE(CredentialCriteria);
public:
- CredentialCriteria() : m_keyUsage(UNSPECIFIED_CREDENTIAL), m_keySize(0), m_key(NULL),
- m_keyInfo(NULL), m_nativeKeyInfo(NULL), m_credential(NULL) {
- }
- virtual ~CredentialCriteria() {
- delete m_credential;
- }
+ /** Default constructor. */
+ CredentialCriteria();
- enum UsageType {
- UNSPECIFIED_CREDENTIAL,
- SIGNING_CREDENTIAL,
- TLS_CREDENTIAL,
- ENCRYPTION_CREDENTIAL
- };
-
+ virtual ~CredentialCriteria();
+
+ /**
+ * Determines whether the supplied Credential matches this CredentialCriteria.
+ *
+ * @param credential the Credential to evaluate
+ * @return true iff the Credential is consistent with this criteria
+ */
+ virtual bool matches(const Credential& credential) const;
+
/**
- * Get the key usage criteria.
+ * Get key usage criteria.
*
- * @return the usage.
+ * @return the usage mask
*/
- UsageType getUsage() const {
+ unsigned int getUsage() const {
return m_keyUsage;
}
/**
- * Set the key usage criteria.
+ * Set key usage criteria.
*
- * @param usage the usage to set
+ * @param usage the usage mask to set
*/
- void setUsage(UsageType usage) {
+ void setUsage(unsigned int usage) {
m_keyUsage = usage;
}
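Review bot: `setUsage(unsigned int usage)` now takes a bare bitmask, but the header no longer shows which constants compose it or what 0 means; the old `UsageType` enum removed at L43-L48 had ordinal values 0..3 that are not bit-disjoint, so any caller still feeding those old numbers would have ENCRYPTION_CREDENTIAL (3) read as SIGNING|TLS under a mask interpretation. Document the contract on both accessors, e.g. `@param usage bitmask of Credential usage flags; 0 leaves usage unconstrained`, naming the enum the flags come from. The default constructor and destructor have moved out of line, so the header should also state that the criteria owns any credential it resolves internally (the removed destructor did `delete m_credential`) if the .cpp definition keeps that behaviour. The class body continues beyond this hunk.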
*
* @param algorithm XML algorithm specifier
*/
- void setXMLAlgorithm(const XMLCh* algorithm) {
- if (algorithm) {
- std::pair<const char*,unsigned int> mapped =
- XMLToolingConfig::getConfig().mapXMLAlgorithmToKeyAlgorithm(algorithm);
- setKeyAlgorithm(mapped.first);
- setKeySize(mapped.second);
- }
- else {
- setKeyAlgorithm(NULL);
- setKeySize(0);
- }
- }
+ void setXMLAlgorithm(const XMLCh* algorithm);
/**
* Gets key name criteria.
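Review bot: The `setXMLAlgorithm` declaration at L97 loses the behaviour its removed inline body made visible: a null `algorithm` cleared both the key-algorithm and key-size criteria rather than leaving them untouched. If the out-of-line definition keeps that semantics, record it in the doc comment, e.g. `@param algorithm XML algorithm specifier, or NULL to clear the key algorithm and key size criteria`, since callers relying on the reset can no longer see it from the header. The doc comment for this method starts before the hunk.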
m_key = key;
}
+ /**
+ * Bitmask constants controlling the kinds of criteria set automatically
+ * based on a KeyInfo object.
+ */
enum keyinfo_extraction_t {
KEYINFO_EXTRACTION_KEY = 1,
- KEYINFO_EXTRACTION_KEYNAMES = 2,
- KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES = 4
+ KEYINFO_EXTRACTION_KEYNAMES = 2
};
/**
* @param keyInfo the KeyInfo criteria
* @param extraction bitmask of criteria to auto-extract from KeyInfo
*/
- virtual void setKeyInfo(const xmlsignature::KeyInfo* keyInfo, int extraction=0) {
- delete m_credential;
- m_credential = NULL;
- m_keyInfo = keyInfo;
- if (!keyInfo || !extraction)
- return;
-
- int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
- types |= (extraction & KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
- m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
-
- if (extraction & KEYINFO_EXTRACTION_KEY)
- setPublicKey(m_credential->getPublicKey());
- if (extraction & KEYINFO_EXTRACTION_KEYNAMES)
- m_keyNames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
- if (extraction & KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES) {
- const X509Credential* xcred = dynamic_cast<const X509Credential*>(m_credential);
- if (xcred && !xcred->getEntityCertificateChain().empty())
- X509Credential::extractNames(xcred->getEntityCertificateChain().front(), m_keyNames);
- }
- }
+ virtual void setKeyInfo(const xmlsignature::KeyInfo* keyInfo, int extraction=0);
/**
* Gets the native KeyInfo criteria.
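Review bot: `KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES` is dropped from `keyinfo_extraction_t` (L109) but `setKeyInfo` still takes `extraction` as a plain `int` (L137), so a caller passing the old literal value 4 keeps compiling and presumably now extracts nothing, silently. Consider noting in the `@param extraction` doc that only `KEYINFO_EXTRACTION_KEY` and `KEYINFO_EXTRACTION_KEYNAMES` are honoured and that certificate-derived names are no longer extracted by this class. The removed inline body also stored the pointer (`m_keyInfo = keyInfo`) and dereferenced the resolver's result without a null check before `getPublicKey()`; if the new .cpp definition carries both over, document that `keyInfo` must outlive this object and verify that a resolver returning NULL is handled.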
* @param keyInfo the KeyInfo criteria
* @param extraction bitmask of criteria to auto-extract from KeyInfo
*/
- virtual void setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction=0) {
- delete m_credential;
- m_credential = NULL;
- m_nativeKeyInfo = keyInfo;
- if (!keyInfo || !extraction)
- return;
-
- int types = (extraction & KEYINFO_EXTRACTION_KEY) ? Credential::RESOLVE_KEYS : 0;
- types |= (extraction & KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES) ? X509Credential::RESOLVE_CERTS : 0;
- m_credential = XMLToolingConfig::getConfig().getKeyInfoResolver()->resolve(keyInfo,types);
-
- if (extraction & KEYINFO_EXTRACTION_KEY)
- setPublicKey(m_credential->getPublicKey());
- if (extraction & KEYINFO_EXTRACTION_KEYNAMES)
- m_keyNames.insert(m_credential->getKeyNames().begin(), m_credential->getKeyNames().end());
- if (extraction & KEYINFO_EXTRACTION_IMPLICIT_KEYNAMES) {
- const X509Credential* xcred = dynamic_cast<const X509Credential*>(m_credential);
- if (xcred && !xcred->getEntityCertificateChain().empty())
- X509Credential::extractNames(xcred->getEntityCertificateChain().front(), m_keyNames);
- }
- }
+ virtual void setNativeKeyInfo(DSIGKeyInfoList* keyInfo, int extraction=0);
/**
* Sets the KeyInfo criteria from an XML Signature.
* @param sig the Signature containing KeyInfo criteria
* @param extraction bitmask of criteria to auto-extract from KeyInfo
*/
- void setSignature(const xmlsignature::Signature& sig, int extraction=0) {
- setXMLAlgorithm(sig.getSignatureAlgorithm());
- xmlsignature::KeyInfo* k = sig.getKeyInfo();
- if (k)
- return setKeyInfo(k,extraction);
- DSIGSignature* dsig = sig.getXMLSignature();
- if (dsig)
- setNativeKeyInfo(dsig->getKeyInfoList(),extraction);
- }
+ void setSignature(const xmlsignature::Signature& sig, int extraction=0);
private:
- UsageType m_keyUsage;
+ unsigned int m_keyUsage;
unsigned int m_keySize;
std::string m_peerName,m_keyAlgorithm;
std::set<std::string> m_keyNames;
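Review bot: The doc comment for `setSignature` (L166-L168) does not say that the criteria come from the signature's own KeyInfo, which in a verification flow is supplied by the signer; anything pulled out with `KEYINFO_EXTRACTION_KEY` or `KEYINFO_EXTRACTION_KEYNAMES` is therefore untrusted input that must only narrow the search among credentials the resolver already trusts, never serve as the verification key itself. Add that caveat to the `@param sig` line, and also record that the signature algorithm is mapped into the key-algorithm and key-size criteria (the removed inline body called `setXMLAlgorithm(sig.getSignatureAlgorithm())`), if the .cpp definition keeps that. With `m_keyUsage` now an `unsigned int` (L182), a short member comment naming the flag enum it is a mask of would help readers of the private section. The class body continues beyond the last line shown.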