X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fcpp-xmltooling.git;a=blobdiff_plain;f=xmltooling%2Fencryption%2FDecrypter.h;h=5f26258307c947d7fe91a161e80c45c360b53c3a;hp=8d2b574bf686ada417ac53df1b185a8435a9c44a;hb=HEAD;hpb=bd026f07e729e66127b3efd48aee443fba815af3 diff --git a/xmltooling/encryption/Decrypter.h b/xmltooling/encryption/Decrypter.h index 8d2b574..5f26258 100644 --- a/xmltooling/encryption/Decrypter.h +++ b/xmltooling/encryption/Decrypter.h @@ -1,17 +1,21 @@ -/* - * Copyright 2001-2009 Internet2 - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at +/** + * Licensed to the University Corporation for Advanced Internet + * Development, Inc. (UCAID) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for + * additional information regarding copyright ownership. * - * http://www.apache.org/licenses/LICENSE-2.0 + * UCAID licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the + * License at * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. */ /** @@ -26,6 +30,7 @@ #include class XENCCipher; +class XSECCryptoKey; namespace xmltooling { class XMLTOOL_API CredentialCriteria; @@ -47,14 +52,22 @@ namespace xmlencryption { /** * Constructor. * + *

The final boolean parameter is used to enforce a requirement for an authenticated cipher + * suite such as AES-GCM or similar. These ciphers include an HMAC or equivalent step that + * prevents tampering. Newer applications should set this parameter to true unless the ciphertext + * has been independently authenticated, and even in such a case, it is rarely possible to prevent + * chosen ciphertext attacks by trusted signers. + * * @param credResolver locked credential resolver to supply decryption keys * @param criteria optional external criteria to use with resolver * @param EKResolver locates an EncryptedKey pertaining to the EncryptedData + * @param requireAuthenticatedCipher true iff the bulk data encryption algorithm must be an authenticated cipher */ Decrypter( - const xmltooling::CredentialResolver* credResolver=NULL, - xmltooling::CredentialCriteria* criteria=NULL, - const EncryptedKeyResolver* EKResolver=NULL + const xmltooling::CredentialResolver* credResolver=nullptr, + xmltooling::CredentialCriteria* criteria=nullptr, + const EncryptedKeyResolver* EKResolver=nullptr, + bool requireAuthenticatedCipher=false ); virtual ~Decrypter(); @@ -69,7 +82,7 @@ namespace xmlencryption { /** * Replace the current CredentialResolver interface, if any, with a new one. * - * @param resolver the locked CredentialResolver to attach, or NULL to clear + * @param resolver the locked CredentialResolver to attach, or nullptr to clear * @param criteria optional external criteria to use with resolver */ void setKEKResolver(const xmltooling::CredentialResolver* resolver, xmltooling::CredentialCriteria* criteria); @@ -106,7 +119,7 @@ namespace xmlencryption { * @param recipient identifier of decrypting entity for use in identifying multi-cast keys * @return the decrypted DOM fragment */ - xercesc::DOMDocumentFragment* decryptData(const EncryptedData& encryptedData, const XMLCh* recipient=NULL); + xercesc::DOMDocumentFragment* decryptData(const EncryptedData& encryptedData, const XMLCh* recipient=nullptr); /** * Decrypts the supplied information to an output stream. @@ -124,7 +137,7 @@ namespace xmlencryption { * @param encryptedData the data to decrypt * @param recipient identifier of decrypting entity for use in identifying multi-cast keys */ - void decryptData(std::ostream& out, const EncryptedData& encryptedData, const XMLCh* recipient=NULL); + void decryptData(std::ostream& out, const EncryptedData& encryptedData, const XMLCh* recipient=nullptr); /** * Decrypts the supplied information and returns the resulting key. @@ -143,6 +156,7 @@ namespace xmlencryption { const xmltooling::CredentialResolver* m_credResolver; xmltooling::CredentialCriteria* m_criteria; const EncryptedKeyResolver* m_EKResolver; + bool m_requireAuthenticatedCipher; }; DECL_XMLTOOLING_EXCEPTION(DecryptionException,XMLTOOL_EXCEPTIONAPI(XMLTOOL_API),xmlencryption,xmltooling::XMLToolingException,Exceptions in decryption processing);