/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2010 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
/**
* @file xmltooling/security/TrustEngine.h
*
- * Evaluates the trustworthiness and validity of signatures against
+ * Evaluates the trustworthiness and validity of security information against
* implementation-specific requirements.
*/
#define __xmltooling_trust_h__
#include <xmltooling/base.h>
-
-namespace xmlsignature {
- class XMLTOOL_API KeyInfo;
- class XMLTOOL_API Signature;
-};
+#include <xercesc/dom/DOM.hpp>
namespace xmltooling {
- class XMLTOOL_API CredentialCriteria;
- class XMLTOOL_API CredentialResolver;
class XMLTOOL_API KeyInfoResolver;
/**
- * Evaluates the trustworthiness and validity of XML or raw Signatures against
+ * Evaluates the trustworthiness and validity of security information against
* implementation-specific requirements.
*/
class XMLTOOL_API TrustEngine {
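Review bot: The reworded class comment still says TrustEngine evaluates trustworthiness, but with both `validate()` overloads removed further down, the base class as visible here exposes only `setKeyInfoResolver()` and no evaluation method. The comment should say that this base carries shared configuration only and that the actual checks live in derived interfaces (presumably introduced elsewhere in this commit; they are not visible here). Callers holding a `TrustEngine*` will now need a downcast to reach any validation method, so the comment should also state the fail-closed expectation, e.g. `* Callers must downcast to the specific engine interface they require and reject the input if the cast fails.` The class body continues outside this hunk.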
*
* @param e DOM to supply configuration for provider
*/
- TrustEngine(const xercesc::DOMElement* e=NULL);
+ TrustEngine(const xercesc::DOMElement* e=nullptr);
/** Custom KeyInfoResolver instance. */
KeyInfoResolver* m_keyInfoResolver;
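Review bot: With the two pure virtual `validate()` overloads deleted later in this diff, nothing in the visible lines keeps TrustEngine abstract. Whether `TrustEngine(const xercesc::DOMElement* e=nullptr)` can be called from outside the hierarchy depends on an access specifier that lies outside this hunk. If the constructor is not already `protected`, it should be made so (or the destructor kept pure virtual), so that an engine object with no validation methods cannot be constructed and handed to code that expects a working trust engine. The constructor comment could record the intent with a line such as `* Intended for use by subclasses only.`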
* @param keyInfoResolver new KeyInfoResolver instance to use
*/
void setKeyInfoResolver(KeyInfoResolver* keyInfoResolver);
-
- /**
- * Determines whether an XML signature is correct and valid with respect to
- * the source of credentials supplied.
- *
- * <p>It is the responsibility of the application to ensure that the credentials
- * supplied are in fact associated with the peer who created the signature.
- *
- * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
- * the signature may also be checked to ensure that it identifies the intended peer.
- * The peer name itself or implementation-specific rules based on the content of the
- * peer credentials may be applied. Implementations may omit this check if they
- * deem it unnecessary.
- *
- * @param sig reference to a signature object to validate
- * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
- * @param criteria criteria for selecting peer credentials
- * @return true iff the signature validates
- */
- virtual bool validate(
- xmlsignature::Signature& sig,
- const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
- ) const=0;
-
- /**
- * Determines whether a raw signature is correct and valid with respect to
- * the source of credentials supplied.
- *
- * <p>It is the responsibility of the application to ensure that the Credentials
- * supplied are in fact associated with the peer who created the signature.
- *
- * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
- * the signature may also be checked to ensure that it identifies the intended peer.
- * The peer name itself or implementation-specific rules based on the content of the
- * peer credentials may be applied. Implementations may omit this check if they
- * deem it unnecessary.
- *
- * <p>Note that the keyInfo parameter is not part of the implicitly trusted
- * set of information supplied via the CredentialResolver, but rather advisory
- * data that may have accompanied the signature itself.
- *
- * @param sigAlgorithm XML Signature identifier for the algorithm used
- * @param sig null-terminated base64-encoded signature value
- * @param keyInfo KeyInfo object accompanying the signature, if any
- * @param in the input data over which the signature was created
- * @param in_len size of input data in bytes
- * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
- * @param criteria criteria for selecting peer credentials
- * @return true iff the signature validates
- */
- virtual bool validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- xmlsignature::KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
- ) const=0;
};
/**
/** TrustEngine based on explicit knowledge of peer key information. */
#define EXPLICIT_KEY_TRUSTENGINE "ExplicitKey"
-
+
+ /** TrustEngine based on PKIX evaluation against a static set of trust anchors. */
+ #define STATIC_PKIX_TRUSTENGINE "StaticPKIX"
+
/** TrustEngine that tries multiple engines in sequence. */
#define CHAINING_TRUSTENGINE "Chaining"