projects / shibboleth / cpp-xmltooling.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Multi-line svn commit, see body.
[shibboleth/cpp-xmltooling.git] / xmltooling / security / impl / AbstractPKIXTrustEngine.cpp
diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
index a891f7d..b98ce39 100644 (file)
--- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
+++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
@@ -22,10 +22,10 @@
  */
 
 #include "internal.h"
+#include "logging.h"
 #include "security/AbstractPKIXTrustEngine.h"
 #include "signature/KeyInfo.h"
 
-#include <log4cpp/Category.hh>
 #include <openssl/x509_vfy.h>
 #include <openssl/x509v3.h>
 #include <xmltooling/security/CredentialCriteria.h>
@@ -38,8 +38,8 @@
 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
 
 using namespace xmlsignature;
+using namespace xmltooling::logging;
 using namespace xmltooling;
-using namespace log4cpp;
 using namespace std;
 
 
@@ -140,15 +140,17 @@ bool AbstractPKIXTrustEngine::checkEntityNames(
     X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria
     ) const
 {
-    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
 
+    // We resolve to a set of trusted credentials.
     vector<const Credential*> creds;
     credResolver.resolve(creds,&criteria);
 
     // Build a list of acceptable names.
-    vector<string> keynames(1,criteria.getPeerName());
+    set<string> trustednames;
+    trustednames.insert(criteria.getPeerName());
     for (vector<const Credential*>::const_iterator cred = creds.begin(); cred!=creds.end(); ++cred)
-        (*cred)->getKeyNames(keynames);
+        trustednames.insert((*cred)->getKeyNames().begin(), (*cred)->getKeyNames().end());
 
     char buf[256];
     X509_NAME* subject=X509_get_subject_name(certEE);
@@ -177,7 +179,7 @@ bool AbstractPKIXTrustEngine::checkEntityNames(
         }
         
         // Check each keyname.
-        for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
+        for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
 #ifdef HAVE_STRCASECMP
             if (!strcasecmp(n->c_str(),subjectstr.c_str()) || !strcasecmp(n->c_str(),subjectstr2.c_str())) {
 #else
@@ -201,8 +203,7 @@ bool AbstractPKIXTrustEngine::checkEntityNames(
                 if (check->type==GEN_DNS || check->type==GEN_URI) {
                     const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
                     const int altlen = ASN1_STRING_length(check->d.ia5);
-                    
-                    for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
+                    for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
 #ifdef HAVE_STRCASECMP
                         if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen))
 #else
@@ -222,7 +223,7 @@ bool AbstractPKIXTrustEngine::checkEntityNames(
         log.debug("unable to match subjectAltName, trying TLS CN match");
         memset(buf,0,sizeof(buf));
         if (X509_NAME_get_text_by_NID(subject,NID_commonName,buf,255)>0) {
-            for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
+            for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
 #ifdef HAVE_STRCASECMP
                 if (!strcasecmp(buf,n->c_str())) {
 #else
@@ -252,7 +253,7 @@ bool AbstractPKIXTrustEngine::validate(
 #ifdef _DEBUG
     NDC ndc("validate");
 #endif
-    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
 
     if (!certEE) {
         log.error("X.509 credential was NULL, unable to perform validation");
@@ -271,7 +272,7 @@ bool AbstractPKIXTrustEngine::validate(
     
     log.debug("performing certificate path validation...");
 
-    auto_ptr<PKIXValidationInfoIterator> pkix(getPKIXValidationInfoIterator(credResolver, criteria, m_keyInfoResolver));
+    auto_ptr<PKIXValidationInfoIterator> pkix(getPKIXValidationInfoIterator(credResolver, criteria));
     while (pkix->next()) {
         if (::validate(certEE,certChain,pkix.get())) {
             return true;
@@ -293,11 +294,11 @@ bool AbstractPKIXTrustEngine::validate(
         NDC ndc("validate");
 #endif
     if (!certEE) {
-        Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("X.509 credential was NULL, unable to perform validation");
+        Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").error("X.509 credential was NULL, unable to perform validation");
         return false;
     }
     else if (certEE->getProviderName()!=DSIGConstants::s_unicodeStrPROVOpenSSL) {
-        Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine").error("only the OpenSSL XSEC provider is supported");
+        Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX").error("only the OpenSSL XSEC provider is supported");
         return false;
     }
 
@@ -319,7 +320,7 @@ bool AbstractPKIXTrustEngine::validate(
 #ifdef _DEBUG
     NDC ndc("validate");
 #endif
-    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
 
     const KeyInfoResolver* inlineResolver = m_keyInfoResolver;
     if (!inlineResolver)
@@ -381,7 +382,7 @@ bool AbstractPKIXTrustEngine::validate(
 #ifdef _DEBUG
     NDC ndc("validate");
 #endif
-    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
+    Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.PKIX");
 
     if (!keyInfo) {
         log.error("unable to perform PKIX validation, KeyInfo not present");
Unnamed repository; edit this file 'description' to name the repository.