*/
#include "internal.h"
+#include "logging.h"
#include "security/AbstractPKIXTrustEngine.h"
#include "signature/KeyInfo.h"
-#include <log4cpp/Category.hh>
#include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>
#include <xmltooling/security/CredentialCriteria.h>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
using namespace xmlsignature;
+using namespace xmltooling::logging;
using namespace xmltooling;
-using namespace log4cpp;
using namespace std;
X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria
) const
{
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
+ // We resolve to a set of trusted credentials.
vector<const Credential*> creds;
credResolver.resolve(creds,&criteria);
// Build a list of acceptable names.
- vector<string> keynames(1,criteria.getPeerName());
+ set<string> trustednames;
+ trustednames.insert(criteria.getPeerName());
for (vector<const Credential*>::const_iterator cred = creds.begin(); cred!=creds.end(); ++cred)
- (*cred)->getKeyNames(keynames);
+ trustednames.insert((*cred)->getKeyNames().begin(), (*cred)->getKeyNames().end());
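Review bot: An unset peer name is still added to the acceptable-name set by `trustednames.insert(criteria.getPeerName());`, so an empty string becomes a trusted name; the later dNSName comparison `strncasecmp(altptr,n->c_str(),altlen)` yields 0 for a zero-length dNSName against it, and the old vector-based code had the same gap. Guard the insert: `if (!criteria.getPeerName().empty()) trustednames.insert(criteria.getPeerName());`. The loop body also calls `getKeyNames()` twice to obtain begin() and end(); that is only well-defined if it returns a reference to stored state (it appears to, but confirm), and binding the result once to a `const` reference removes the doubt. The enclosing function starts before this hunk.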
char buf[256];
X509_NAME* subject=X509_get_subject_name(certEE);
}
// Check each keyname.
- for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
+ for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
#ifdef HAVE_STRCASECMP
if (!strcasecmp(n->c_str(),subjectstr.c_str()) || !strcasecmp(n->c_str(),subjectstr2.c_str())) {
#else
if (check->type==GEN_DNS || check->type==GEN_URI) {
const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
const int altlen = ASN1_STRING_length(check->d.ia5);
-
- for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
+ for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
#ifdef HAVE_STRCASECMP
if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen))
#else
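Review bot: The dNSName test inside the new loop, `!strncasecmp(altptr,n->c_str(),altlen)`, compares only `altlen` characters and never checks the trusted name's length against the ASN.1 string length, so a certificate whose dNSName is a proper prefix of a trusted name (e.g. `example.co` against `example.com`) is accepted. Require equal lengths first: `(check->type==GEN_DNS && n->length()==(size_t)altlen && !strncasecmp(altptr,n->c_str(),altlen))`; this also rejects a dNSName carrying an embedded NUL after the trusted name, which the NUL-terminated compare would otherwise treat as equal. The GEN_URI branch should get the same length check if it uses the same pattern, but it is outside the visible lines. The enclosing loop over the subjectAltName entries starts before this hunk and its `#else` branch continues past it.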
log.debug("unable to match subjectAltName, trying TLS CN match");
memset(buf,0,sizeof(buf));
if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0) {
- for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
+ for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
#ifdef HAVE_STRCASECMP
if (!strcasecmp(buf,n->c_str())) {
#else
#ifdef _DEBUG
NDC ndc("validate");
#endif
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
if (!certEE) {
log.error("X.509 credential was NULL, unable to perform validation");
log.debug("performing certificate path validation...");
- auto_ptr<PKIXValidationInfoIterator> pkix(getPKIXValidationInfoIterator(credResolver, criteria, m_keyInfoResolver));
+ auto_ptr<PKIXValidationInfoIterator> pkix(getPKIXValidationInfoIterator(credResolver, criteria));
while (pkix->next()) {
if (::validate(certEE,certChain,pkix.get())) {
return true;
NDC ndc("validate");
#endif
if (!certEE) {
- Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("X.509 credential was NULL, unable to perform validation");
+ Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").error("X.509 credential was NULL, unable to perform validation");
return false;
}
else if (certEE->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
- Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("only the OpenSSL XSEC provider is supported");
+ Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").error("only the OpenSSL XSEC provider is supported");
return false;
}
#ifdef _DEBUG
NDC ndc("validate");
#endif
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
const KeyInfoResolver* inlineResolver = m_keyInfoResolver;
if (!inlineResolver)
#ifdef _DEBUG
NDC ndc("validate");
#endif
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
if (!keyInfo) {
log.error("unable to perform PKIX validation, KeyInfo not present");