From ab362f9c3195134452702c1ba7108258e81d8841 Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Sat, 3 Dec 2011 22:53:01 +0000
Subject: [PATCH] Incorporating boostisms

---
 configure.ac                                       |  3 +-
 cpp-xmltooling.sln                                 |  1 +
 xmltooling/XMLToolingConfig.cpp                    | 16 ++++-----
 xmltooling/impl/MemoryStorageService.cpp           | 30 +++++++---------
 xmltooling/io/HTTPRequest.cpp                      | 40 ++++++++++-----------
 xmltooling/io/HTTPResponse.cpp                     | 19 +++++-----
 xmltooling/security/AbstractPKIXTrustEngine.h      |  3 +-
 xmltooling/security/ChainingTrustEngine.h          | 10 +++---
 .../security/impl/AbstractPKIXTrustEngine.cpp      |  7 ++--
 .../security/impl/ChainingCredentialResolver.cpp   | 26 ++++++++------
 xmltooling/security/impl/ChainingTrustEngine.cpp   | 42 ++++++++++++----------
 xmltooling/security/impl/InlineKeyResolver.cpp     | 19 ++++------
 xmltooling/security/impl/StaticPKIXTrustEngine.cpp | 12 +++----
 xmltoolingtest/PKIXEngineTest.h                    | 41 +++++++++++++++------
 14 files changed, 143 insertions(+), 126 deletions(-)

diff --git a/configure.ac b/configure.ac
index 62fd024..9e16836 100644
--- a/configure.ac
+++ b/configure.ac
@@ -95,8 +95,9 @@ AC_CXX_REQUIRE_STL
 
 # Boost
 BOOST_REQUIRE
-BOOST_STRING_ALGO
+BOOST_BIND
 BOOST_LAMBDA
+BOOST_STRING_ALGO
 
 # are covariant methods allowed?
 AC_LINK_IFELSE(
diff --git a/cpp-xmltooling.sln b/cpp-xmltooling.sln
index be5fd75..872535b 100644
--- a/cpp-xmltooling.sln
+++ b/cpp-xmltooling.sln
@@ -6,6 +6,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Misc", "Misc", "{61BF324D-2
 		m4\acinclude.m4 = m4\acinclude.m4
 		m4\acx_pthread.m4 = m4\acx_pthread.m4
 		m4\ax_create_pkgconfig_info.m4 = m4\ax_create_pkgconfig_info.m4
+		..\cpp-sp-ext\m4\boost.m4 = ..\cpp-sp-ext\m4\boost.m4
 		config_win32.h = config_win32.h
 		configure.ac = configure.ac
 		doxygen.am = doxygen.am
diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp
index f67bb14..217fc76 100644
--- a/xmltooling/XMLToolingConfig.cpp
+++ b/xmltooling/XMLToolingConfig.cpp
@@ -56,8 +56,8 @@
 
 #include <stdexcept>
 #include <boost/algorithm/string.hpp>
-#include <boost/lambda/bind.hpp>
-#include <boost/lambda/lambda.hpp>
+#include <boost/bind.hpp>
+#include <boost/ptr_container/ptr_vector.hpp>
 
 #if defined(XMLTOOLING_LOG4SHIB)
 # include <log4shib/PropertyConfigurator.hh>
@@ -82,7 +82,6 @@ using namespace soap11;
 using namespace xmltooling::logging;
 using namespace xmltooling;
 using namespace xercesc;
-using namespace boost::lambda;
 using namespace boost;
 using namespace std;
 
@@ -114,14 +113,14 @@ using namespace xmlsignature;
 namespace {
     static XMLToolingInternalConfig g_config;
 #ifndef XMLTOOLING_NO_XMLSEC
-    static vector<Mutex*> g_openssl_locks;
+    static ptr_vector<Mutex> g_openssl_locks;
 
     extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
     {
         if (mode & CRYPTO_LOCK)
-            g_openssl_locks[n]->lock();
+            g_openssl_locks[n].lock();
         else
-            g_openssl_locks[n]->unlock();
+            g_openssl_locks[n].unlock();
     }
 
 # ifndef WIN32
@@ -431,7 +430,7 @@ bool XMLToolingInternalConfig::init()
             for_each(
                 catpaths.begin(), catpaths.end(),
                 // Call loadCatalog with an inner call to s->c_str() on each entry.
-                lambda::bind(static_cast<bool (ParserPool::*)(const char*)>(&ParserPool::loadCatalog), m_validatingPool, lambda::bind(&string::c_str,_1))
+                boost::bind(static_cast<bool (ParserPool::*)(const char*)>(&ParserPool::loadCatalog), m_validatingPool, boost::bind(&string::c_str,_1))
                 );
         }
 
@@ -520,8 +519,7 @@ void XMLToolingInternalConfig::term()
 
 #ifndef XMLTOOLING_NO_XMLSEC
     CRYPTO_set_locking_callback(nullptr);
-    for_each(g_openssl_locks.begin(), g_openssl_locks.end(), xmltooling::cleanup<Mutex>());
-    g_openssl_locks.clear();
+    g_openssl_locks.release();
 #endif
 
     SchemaValidators.destroyValidators();
diff --git a/xmltooling/impl/MemoryStorageService.cpp b/xmltooling/impl/MemoryStorageService.cpp
index 7547d07..6d4688f 100644
--- a/xmltooling/impl/MemoryStorageService.cpp
+++ b/xmltooling/impl/MemoryStorageService.cpp
@@ -116,9 +116,9 @@ namespace xmltooling {
         }
 
         map<string,Context> m_contextMap;
-        RWLock* m_lock;
-        CondWait* shutdown_wait;
-        Thread* cleanup_thread;
+        auto_ptr<RWLock> m_lock;
+        auto_ptr<CondWait> shutdown_wait;
+        auto_ptr<Thread> cleanup_thread;
         static void* cleanup_fn(void*);
         bool shutdown;
         int m_cleanupInterval;
@@ -134,13 +134,11 @@ namespace xmltooling {
 static const XMLCh cleanupInterval[] = UNICODE_LITERAL_15(c,l,e,a,n,u,p,I,n,t,e,r,v,a,l);
 
 MemoryStorageService::MemoryStorageService(const DOMElement* e)
-    : m_lock(nullptr), shutdown_wait(nullptr), cleanup_thread(nullptr), shutdown(false),
+    : m_lock(RWLock::create()), shutdown_wait(CondWait::create()), shutdown(false),
         m_cleanupInterval(XMLHelper::getAttrInt(e, 900, cleanupInterval)),
         m_log(Category::getInstance(XMLTOOLING_LOGCAT".StorageService"))
 {
-    m_lock = RWLock::create();
-    shutdown_wait = CondWait::create();
-    cleanup_thread = Thread::create(&cleanup_fn, (void*)this);
+    cleanup_thread.reset(Thread::create(&cleanup_fn, (void*)this));
 }
 
 MemoryStorageService::~MemoryStorageService()
@@ -149,10 +147,6 @@ MemoryStorageService::~MemoryStorageService()
     shutdown = true;
     shutdown_wait->signal();
     cleanup_thread->join(nullptr);
-
-    delete cleanup_thread;
-    delete shutdown_wait;
-    delete m_lock;
 }
 
 void* MemoryStorageService::cleanup_fn(void* pv)
@@ -181,7 +175,7 @@ void* MemoryStorageService::cleanup_fn(void* pv)
         unsigned long count=0;
         time_t now = time(nullptr);
         cache->m_lock->wrlock();
-        SharedLock locker(cache->m_lock, false);
+        SharedLock locker(cache->m_lock.get(), false);
         for (map<string,Context>::iterator i=cache->m_contextMap.begin(); i!=cache->m_contextMap.end(); ++i)
             count += i->second.reap(now);
 
@@ -198,7 +192,7 @@ void* MemoryStorageService::cleanup_fn(void* pv)
 void MemoryStorageService::reap(const char* context)
 {
     Context& ctx = writeContext(context);
-    SharedLock locker(m_lock, false);
+    SharedLock locker(m_lock.get(), false);
     ctx.reap(time(nullptr));
 }
 
@@ -224,7 +218,7 @@ unsigned long MemoryStorageService::Context::reap(time_t exp)
 bool MemoryStorageService::createString(const char* context, const char* key, const char* value, time_t expiration)
 {
     Context& ctx = writeContext(context);
-    SharedLock locker(m_lock, false);
+    SharedLock locker(m_lock.get(), false);
 
     // Check for a duplicate.
     map<string,Record>::iterator i=ctx.m_dataMap.find(key);
@@ -245,7 +239,7 @@ bool MemoryStorageService::createString(const char* context, const char* key, co
 int MemoryStorageService::readString(const char* context, const char* key, string* pvalue, time_t* pexpiration, int version)
 {
     Context& ctx = readContext(context);
-    SharedLock locker(m_lock, false);
+    SharedLock locker(m_lock.get(), false);
 
     map<string,Record>::iterator i=ctx.m_dataMap.find(key);
     if (i==ctx.m_dataMap.end())
@@ -264,7 +258,7 @@ int MemoryStorageService::readString(const char* context, const char* key, strin
 int MemoryStorageService::updateString(const char* context, const char* key, const char* value, time_t expiration, int version)
 {
     Context& ctx = writeContext(context);
-    SharedLock locker(m_lock, false);
+    SharedLock locker(m_lock.get(), false);
 
     map<string,Record>::iterator i=ctx.m_dataMap.find(key);
     if (i==ctx.m_dataMap.end())
@@ -290,7 +284,7 @@ int MemoryStorageService::updateString(const char* context, const char* key, con
 bool MemoryStorageService::deleteString(const char* context, const char* key)
 {
     Context& ctx = writeContext(context);
-    SharedLock locker(m_lock, false);
+    SharedLock locker(m_lock.get(), false);
 
     // Find the record.
     map<string,Record>::iterator i=ctx.m_dataMap.find(key);
@@ -307,7 +301,7 @@ bool MemoryStorageService::deleteString(const char* context, const char* key)
 void MemoryStorageService::updateContext(const char* context, time_t expiration)
 {
     Context& ctx = writeContext(context);
-    SharedLock locker(m_lock, false);
+    SharedLock locker(m_lock.get(), false);
 
     time_t now = time(nullptr);
     map<string,Record>::iterator stop=ctx.m_dataMap.end();
diff --git a/xmltooling/io/HTTPRequest.cpp b/xmltooling/io/HTTPRequest.cpp
index 7226660..10bc323 100644
--- a/xmltooling/io/HTTPRequest.cpp
+++ b/xmltooling/io/HTTPRequest.cpp
@@ -27,7 +27,11 @@
 #include "internal.h"
 #include "HTTPRequest.h"
 
+#include <boost/algorithm/string.hpp>
+#include <boost/bind.hpp>
+
 using namespace xmltooling;
+using namespace boost;
 using namespace std;
 
 GenericRequest::GenericRequest()
@@ -51,32 +55,24 @@ bool HTTPRequest::isSecure() const
     return strcmp(getScheme(),"https")==0;
 }
 
+namespace {
+    void handle_cookie_fn(map<string,string>& cookieMap, vector<string>& nvpair, const string& s) {
+        nvpair.clear();
+        split(nvpair, s, is_any_of("="));
+        if (nvpair.size() == 2) {
+            trim(nvpair[0]);
+            cookieMap[nvpair[0]] = nvpair[1];
+        }
+    }
+}
+
 const char* HTTPRequest::getCookie(const char* name) const
 {
     if (m_cookieMap.empty()) {
         string cookies=getHeader("Cookie");
-
-        string::size_type pos=0,cname,namelen,val,vallen;
-        while (pos !=string::npos && pos < cookies.length()) {
-            while (isspace(cookies[pos])) pos++;
-            cname=pos;
-            pos=cookies.find_first_of("=",pos);
-            if (pos == string::npos)
-                break;
-            namelen=pos-cname;
-            pos++;
-            if (pos==cookies.length())
-                break;
-            val=pos;
-            pos=cookies.find_first_of(";",pos);
-            if (pos != string::npos) {
-                vallen=pos-val;
-                pos++;
-                m_cookieMap.insert(make_pair(cookies.substr(cname,namelen),cookies.substr(val,vallen)));
-            }
-            else
-                m_cookieMap.insert(make_pair(cookies.substr(cname,namelen),cookies.substr(val)));
-        }
+        vector<string> nvpairs, nvpair;
+        split(nvpairs, cookies, is_any_of(";"), algorithm::token_compress_on);
+        for_each(nvpairs.begin(), nvpairs.end(), boost::bind(handle_cookie_fn, boost::ref(m_cookieMap), boost::ref(nvpair), _1));
     }
     map<string,string>::const_iterator lookup=m_cookieMap.find(name);
     return (lookup==m_cookieMap.end()) ? nullptr : lookup->second.c_str();
diff --git a/xmltooling/io/HTTPResponse.cpp b/xmltooling/io/HTTPResponse.cpp
index 7858174..c49c9a8 100644
--- a/xmltooling/io/HTTPResponse.cpp
+++ b/xmltooling/io/HTTPResponse.cpp
@@ -27,7 +27,11 @@
 #include "internal.h"
 #include "HTTPResponse.h"
 
+#include <boost/algorithm/string/predicate.hpp>
+#include <boost/bind.hpp>
+
 using namespace xmltooling;
+using namespace boost;
 using namespace std;
 
 GenericResponse::GenericResponse()
@@ -47,6 +51,9 @@ vector<string>& HTTPResponse::getAllowedSchemes()
 
 void HTTPResponse::sanitizeURL(const char* url)
 {
+    // predicate for checking scheme below
+    static bool (*fn)(const string&, const string&, const std::locale&) = iequals;
+
     const char* ch;
     for (ch=url; *ch; ++ch) {
         if (iscntrl((unsigned char)(*ch)))  // convert to unsigned to allow full range from 00-FF
@@ -57,14 +64,10 @@ void HTTPResponse::sanitizeURL(const char* url)
     if (!ch)
         throw IOException("URL is malformed.");
     string s(url, ch - url);
-    for (vector<string>::const_iterator i = m_allowedSchemes.begin(); i != m_allowedSchemes.end(); ++i) {
-#ifdef HAVE_STRCASECMP
-        if (!strcasecmp(s.c_str(), i->c_str()))
-#else
-        if (!stricmp(s.c_str(), i->c_str()))
-#endif
-            return;
-    }
+    vector<string>::const_iterator i =
+        find_if(m_allowedSchemes.begin(), m_allowedSchemes.end(), boost::bind(fn, boost::cref(s), _1, boost::cref(std::locale())));
+    if (i != m_allowedSchemes.end())
+        return;
 
     throw IOException("URL contains invalid scheme ($1).", params(1, s.c_str()));
 }
diff --git a/xmltooling/security/AbstractPKIXTrustEngine.h b/xmltooling/security/AbstractPKIXTrustEngine.h
index b828fbe..3666fb7 100644
--- a/xmltooling/security/AbstractPKIXTrustEngine.h
+++ b/xmltooling/security/AbstractPKIXTrustEngine.h
@@ -33,6 +33,7 @@
 
 #include <set>
 #include <string>
+#include <boost/ptr_container/ptr_vector.hpp>
 
 namespace xmltooling {
 
@@ -65,7 +66,7 @@ namespace xmltooling {
         AbstractPKIXTrustEngine(const xercesc::DOMElement* e=nullptr);
 
         /** Plugins used to perform path validation. */
-        std::vector<OpenSSLPathValidator*> m_pathValidators;
+        boost::ptr_vector<OpenSSLPathValidator> m_pathValidators;
 
         /** Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain". */
         std::string m_checkRevocation;
diff --git a/xmltooling/security/ChainingTrustEngine.h b/xmltooling/security/ChainingTrustEngine.h
index 8daeaa5..a48decb 100644
--- a/xmltooling/security/ChainingTrustEngine.h
+++ b/xmltooling/security/ChainingTrustEngine.h
@@ -30,7 +30,7 @@
 #include <xmltooling/security/OpenSSLTrustEngine.h>
 #include <xmltooling/security/SignatureTrustEngine.h>
 
-#include <vector>
+#include <boost/ptr_container/ptr_vector.hpp>
 
 namespace xmltooling {
 
@@ -101,10 +101,10 @@ namespace xmltooling {
             CredentialCriteria* criteria=nullptr
             ) const;
     private:
-        std::vector<TrustEngine*> m_engines;
-        std::vector<SignatureTrustEngine*> m_sigEngines;
-        std::vector<X509TrustEngine*> m_x509Engines;
-        std::vector<OpenSSLTrustEngine*> m_osslEngines;
+        boost::ptr_vector<TrustEngine> m_engines;
+        boost::ptr_vector<SignatureTrustEngine,boost::view_clone_allocator> m_sigEngines;
+        boost::ptr_vector<X509TrustEngine,boost::view_clone_allocator> m_x509Engines;
+        boost::ptr_vector<OpenSSLTrustEngine,boost::view_clone_allocator> m_osslEngines;
     };
     
 };
diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
index dd450b6..9a3f95b 100644
--- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
+++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
@@ -50,7 +50,7 @@ using namespace xmlsignature;
 using namespace xmltooling::logging;
 using namespace xmltooling;
 using namespace std;
-
+using boost::ptr_vector;
 
 namespace xmltooling {
     // Adapter between TrustEngine and PathValidator
@@ -185,7 +185,6 @@ AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const xercesc::DOMElement* e)
 
 AbstractPKIXTrustEngine::~AbstractPKIXTrustEngine()
 {
-    for_each(m_pathValidators.begin(), m_pathValidators.end(), xmltooling::cleanup<PathValidator>());
 }
 
 bool AbstractPKIXTrustEngine::checkEntityNames(
@@ -378,8 +377,8 @@ bool AbstractPKIXTrustEngine::validateWithCRLs(
     auto_ptr<PKIXValidationInfoIterator> pkix(getPKIXValidationInfoIterator(credResolver, criteria));
     while (pkix->next()) {
         PKIXParams params(*this, *pkix.get(), inlineCRLs);
-        for (vector<OpenSSLPathValidator*>::const_iterator v = m_pathValidators.begin(); v != m_pathValidators.end(); ++v) {
-            if ((*v)->validate(certEE, certChain, params)) {
+        for (ptr_vector<OpenSSLPathValidator>::const_iterator v = m_pathValidators.begin(); v != m_pathValidators.end(); ++v) {
+            if (v->validate(certEE, certChain, params)) {
                 return true;
             }
         }
diff --git a/xmltooling/security/impl/ChainingCredentialResolver.cpp b/xmltooling/security/impl/ChainingCredentialResolver.cpp
index 8f6852c..dd3c343 100644
--- a/xmltooling/security/impl/ChainingCredentialResolver.cpp
+++ b/xmltooling/security/impl/ChainingCredentialResolver.cpp
@@ -33,10 +33,13 @@
 
 #include <algorithm>
 #include <functional>
+#include <boost/bind.hpp>
+#include <boost/ptr_container/ptr_vector.hpp>
 #include <xercesc/util/XMLUniDefs.hpp>
 
 using namespace xmltooling::logging;
 using namespace xmltooling;
+using namespace boost;
 using namespace std;
 
 using xercesc::DOMElement;
@@ -46,35 +49,38 @@ namespace xmltooling {
     {
     public:
         ChainingCredentialResolver(const DOMElement* e);
-        virtual ~ChainingCredentialResolver() {
-            for_each(m_resolvers.begin(), m_resolvers.end(), xmltooling::cleanup<CredentialResolver>());
-        }
+        virtual ~ChainingCredentialResolver() {}
 
         Lockable* lock() {
-            for_each(m_resolvers.begin(), m_resolvers.end(), mem_fun(&Lockable::lock));
+            for_each(m_resolvers.begin(), m_resolvers.end(), mem_fun_ref(&Lockable::lock));
             return this;
         }
         void unlock() {
-            for_each(m_resolvers.begin(), m_resolvers.end(), mem_fun(&Lockable::unlock));
+            for_each(m_resolvers.begin(), m_resolvers.end(), mem_fun_ref(&Lockable::unlock));
         }
         
         const Credential* resolve(const CredentialCriteria* criteria=nullptr) const {
             const Credential* cred = nullptr;
-            for (vector<CredentialResolver*>::const_iterator cr = m_resolvers.begin(); !cred && cr!=m_resolvers.end(); ++cr)
-                cred = (*cr)->resolve(criteria);
+            for (ptr_vector<CredentialResolver>::const_iterator cr = m_resolvers.begin(); !cred && cr!=m_resolvers.end(); ++cr)
+                cred = cr->resolve(criteria);
             return cred;
         }
 
         virtual vector<const Credential*>::size_type resolve(
             vector<const Credential*>& results, const CredentialCriteria* criteria=nullptr
             ) const {
-            for (vector<CredentialResolver*>::const_iterator cr = m_resolvers.begin(); cr!=m_resolvers.end(); ++cr)
-                (*cr)->resolve(results, criteria);
+
+            // Member function pointer to method to call.
+            static vector<const Credential*>::size_type (CredentialResolver::* fn)
+                (vector<const Credential*>& results, const CredentialCriteria* criteria) const = &CredentialResolver::resolve;
+
+            // ref() converts pass by copy to pass by reference for output parameter
+            for_each(m_resolvers.begin(), m_resolvers.end(), boost::bind(fn, _1, boost::ref(results), criteria));
             return results.size();
         }
 
     private:
-        vector<CredentialResolver*> m_resolvers;
+        ptr_vector<CredentialResolver> m_resolvers;
     };
 
     CredentialResolver* XMLTOOL_DLLLOCAL ChainingCredentialResolverFactory(const DOMElement* const & e)
diff --git a/xmltooling/security/impl/ChainingTrustEngine.cpp b/xmltooling/security/impl/ChainingTrustEngine.cpp
index 461f022..81fbd55 100644
--- a/xmltooling/security/impl/ChainingTrustEngine.cpp
+++ b/xmltooling/security/impl/ChainingTrustEngine.cpp
@@ -32,11 +32,14 @@
 #include "util/XMLHelper.h"
 
 #include <algorithm>
+#include <boost/lambda/lambda.hpp>
 #include <xercesc/util/XMLUniDefs.hpp>
 
 using namespace xmlsignature;
 using namespace xmltooling::logging;
 using namespace xmltooling;
+using namespace boost::lambda;
+using namespace boost;
 using namespace std;
 
 using xercesc::DOMElement;
@@ -51,7 +54,8 @@ namespace xmltooling {
 static const XMLCh _TrustEngine[] =                 UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
 static const XMLCh type[] =                         UNICODE_LITERAL_4(t,y,p,e);
 
-ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : TrustEngine(e) {
+ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : TrustEngine(e)
+{
     Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine."CHAINING_TRUSTENGINE);
     e = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : nullptr;
     while (e) {
@@ -69,8 +73,8 @@ ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : TrustEngine(e) {
     }
 }
 
-ChainingTrustEngine::~ChainingTrustEngine() {
-    for_each(m_engines.begin(), m_engines.end(), xmltooling::cleanup<TrustEngine>());
+ChainingTrustEngine::~ChainingTrustEngine()
+{
 }
 
 void ChainingTrustEngine::addTrustEngine(TrustEngine* newEngine)
@@ -89,32 +93,34 @@ void ChainingTrustEngine::addTrustEngine(TrustEngine* newEngine)
 
 TrustEngine* ChainingTrustEngine::removeTrustEngine(TrustEngine* oldEngine)
 {
-    vector<TrustEngine*>::iterator i = find(m_engines.begin(), m_engines.end(), oldEngine);
+    ptr_vector<TrustEngine>::iterator i =
+        find_if(m_engines.begin(), m_engines.end(), (&_1 == oldEngine));
     if (i != m_engines.end()) {
-        m_engines.erase(i);
-
         SignatureTrustEngine* sig = dynamic_cast<SignatureTrustEngine*>(oldEngine);
         if (sig) {
-            vector<SignatureTrustEngine*>::iterator s = find(m_sigEngines.begin(), m_sigEngines.end(), sig);
+            ptr_vector<SignatureTrustEngine>::iterator s =
+                find_if(m_sigEngines.begin(), m_sigEngines.end(), (&_1 == sig));
             if (s != m_sigEngines.end())
                 m_sigEngines.erase(s);
         }
 
         X509TrustEngine* x509 = dynamic_cast<X509TrustEngine*>(oldEngine);
         if (x509) {
-            vector<X509TrustEngine*>::iterator x = find(m_x509Engines.begin(), m_x509Engines.end(), x509);
+            ptr_vector<X509TrustEngine>::iterator x =
+                find_if(m_x509Engines.begin(), m_x509Engines.end(), (&_1 == x509));
             if (x != m_x509Engines.end())
                 m_x509Engines.erase(x);
         }
 
         OpenSSLTrustEngine* ossl = dynamic_cast<OpenSSLTrustEngine*>(oldEngine);
         if (ossl) {
-            vector<OpenSSLTrustEngine*>::iterator o = find(m_osslEngines.begin(), m_osslEngines.end(), ossl);
+            ptr_vector<OpenSSLTrustEngine>::iterator o =
+                find_if(m_osslEngines.begin(), m_osslEngines.end(), (&_1 == ossl));
             if (o != m_osslEngines.end())
                 m_osslEngines.erase(o);
         }
 
-        return oldEngine;
+        return (m_engines.release(i)).release();
     }
     return nullptr;
 }
@@ -122,8 +128,8 @@ TrustEngine* ChainingTrustEngine::removeTrustEngine(TrustEngine* oldEngine)
 bool ChainingTrustEngine::validate(Signature& sig, const CredentialResolver& credResolver, CredentialCriteria* criteria) const
 {
     unsigned int usage = criteria ? criteria->getUsage() : 0;
-    for (vector<SignatureTrustEngine*>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
-        if ((*i)->validate(sig,credResolver,criteria))
+    for (ptr_vector<SignatureTrustEngine>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
+        if (i->validate(sig,credResolver,criteria))
             return true;
         if (criteria) {
             criteria->reset();
@@ -144,8 +150,8 @@ bool ChainingTrustEngine::validate(
     ) const
 {
     unsigned int usage = criteria ? criteria->getUsage() : 0;
-    for (vector<SignatureTrustEngine*>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
-        if ((*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, credResolver, criteria))
+    for (ptr_vector<SignatureTrustEngine>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
+        if (i->validate(sigAlgorithm, sig, keyInfo, in, in_len, credResolver, criteria))
             return true;
         if (criteria) {
             criteria->reset();
@@ -163,8 +169,8 @@ bool ChainingTrustEngine::validate(
     ) const
 {
     unsigned int usage = criteria ? criteria->getUsage() : 0;
-    for (vector<X509TrustEngine*>::const_iterator i=m_x509Engines.begin(); i!=m_x509Engines.end(); ++i) {
-        if ((*i)->validate(certEE,certChain,credResolver,criteria))
+    for (ptr_vector<X509TrustEngine>::const_iterator i=m_x509Engines.begin(); i!=m_x509Engines.end(); ++i) {
+        if (i->validate(certEE,certChain,credResolver,criteria))
             return true;
         if (criteria) {
             criteria->reset();
@@ -182,8 +188,8 @@ bool ChainingTrustEngine::validate(
     ) const
 {
     unsigned int usage = criteria ? criteria->getUsage() : 0;
-    for (vector<OpenSSLTrustEngine*>::const_iterator i=m_osslEngines.begin(); i!=m_osslEngines.end(); ++i) {
-        if ((*i)->validate(certEE,certChain,credResolver,criteria))
+    for (ptr_vector<OpenSSLTrustEngine>::const_iterator i=m_osslEngines.begin(); i!=m_osslEngines.end(); ++i) {
+        if (i->validate(certEE,certChain,credResolver,criteria))
             return true;
         if (criteria) {
             criteria->reset();
diff --git a/xmltooling/security/impl/InlineKeyResolver.cpp b/xmltooling/security/impl/InlineKeyResolver.cpp
index 6417090..1fab308 100644
--- a/xmltooling/security/impl/InlineKeyResolver.cpp
+++ b/xmltooling/security/impl/InlineKeyResolver.cpp
@@ -61,15 +61,10 @@ namespace xmltooling {
     class XMLTOOL_DLLLOCAL InlineCredential : public BasicX509Credential
     {
     public:
-        InlineCredential(const KeyInfo* keyInfo=nullptr) : BasicX509Credential(keyInfo!=nullptr), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
-        }
-        InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {
-        }
-        InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=nullptr), m_credctx(nullptr) {
-        }
-        virtual ~InlineCredential() {
-            delete m_credctx;
-        }
+        InlineCredential(const KeyInfo* keyInfo=nullptr) : BasicX509Credential(keyInfo!=nullptr), m_credctx(new KeyInfoCredentialContext(keyInfo)) {}
+        InlineCredential(DSIGKeyInfoList* keyInfo) : BasicX509Credential(false), m_credctx(new KeyInfoCredentialContext(keyInfo)) {}
+        InlineCredential(KeyInfoCredentialContext* context) : BasicX509Credential(context->getKeyInfo()!=nullptr) {}
+        virtual ~InlineCredential() {}
 
         XSECCryptoKey* getPrivateKey() const {
             return nullptr;
@@ -108,11 +103,11 @@ namespace xmltooling {
         }
         
         const CredentialContext* getCredentalContext() const {
-            return m_credctx;
+            return m_credctx.get();
         }
 
         void setCredentialContext(KeyInfoCredentialContext* context) {
-            m_credctx = context;
+            m_credctx.reset(context);
         }
 
         void resolve(const KeyInfo* keyInfo, int types=0, bool followRefs=false);
@@ -123,7 +118,7 @@ namespace xmltooling {
         bool resolveKey(const KeyInfo* keyInfo, bool followRefs=false);
         bool resolveCRLs(const KeyInfo* keyInfo, bool followRefs=false);
 
-        KeyInfoCredentialContext* m_credctx;
+        auto_ptr<KeyInfoCredentialContext> m_credctx;
     };
 
     static const XMLCh keyInfoReferences[] = UNICODE_LITERAL_17(k,e,y,I,n,f,o,R,e,f,e,r,e,n,c,e,s);
diff --git a/xmltooling/security/impl/StaticPKIXTrustEngine.cpp b/xmltooling/security/impl/StaticPKIXTrustEngine.cpp
index 846ec19..d64aaac 100644
--- a/xmltooling/security/impl/StaticPKIXTrustEngine.cpp
+++ b/xmltooling/security/impl/StaticPKIXTrustEngine.cpp
@@ -54,9 +54,7 @@ namespace xmltooling {
     public:
         StaticPKIXTrustEngine(const DOMElement* e=nullptr);
 
-        virtual ~StaticPKIXTrustEngine() {
-            delete m_credResolver;
-        }
+        virtual ~StaticPKIXTrustEngine() {}
         
         AbstractPKIXTrustEngine::PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
             const CredentialResolver& pkixSource, CredentialCriteria* criteria=nullptr
@@ -68,7 +66,7 @@ namespace xmltooling {
 
     private:
         int m_depth;
-        CredentialResolver* m_credResolver;
+        auto_ptr<CredentialResolver> m_credResolver;
         friend class XMLTOOL_DLLLOCAL StaticPKIXIterator;
     };
     
@@ -131,17 +129,17 @@ namespace xmltooling {
 };
 
 StaticPKIXTrustEngine::StaticPKIXTrustEngine(const DOMElement* e)
-    : AbstractPKIXTrustEngine(e), m_depth(XMLHelper::getAttrInt(e, 1, verifyDepth)), m_credResolver(nullptr)
+    : AbstractPKIXTrustEngine(e), m_depth(XMLHelper::getAttrInt(e, 1, verifyDepth))
 {
     if (e && e->hasAttributeNS(nullptr, certificate)) {
         // Simple File resolver config rooted here.
-        m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e);
+        m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER, e));
     }
     else {
         e = e ? XMLHelper::getFirstChildElement(e, _CredentialResolver) : nullptr;
         string t = XMLHelper::getAttrString(e, nullptr, type);
         if (!t.empty())
-            m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), e);
+            m_credResolver.reset(XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.c_str(), e));
         else
             throw XMLSecurityException("Missing <CredentialResolver> element, or no type attribute found");
     }
diff --git a/xmltoolingtest/PKIXEngineTest.h b/xmltoolingtest/PKIXEngineTest.h
index 1670104..11fb21b 100644
--- a/xmltoolingtest/PKIXEngineTest.h
+++ b/xmltoolingtest/PKIXEngineTest.h
@@ -20,9 +20,9 @@
 
 #include "XMLObjectBaseTestCase.h"
 
+#include <xmltooling/security/ChainingTrustEngine.h>
 #include <xmltooling/security/CredentialResolver.h>
 #include <xmltooling/security/SecurityHelper.h>
-#include <xmltooling/security/X509TrustEngine.h>
 
 #include <fstream>
 #include <xsec/enc/XSECCryptoKey.hpp>
@@ -43,6 +43,7 @@ class PKIXEngineTest : public CxxTest::TestSuite {
     }
 
     CredentialResolver* m_dummy;
+    ChainingTrustEngine* m_chain;
     XSECCryptoX509* m_ee;   // end entity
     XSECCryptoX509* m_int1; // any policy
     XSECCryptoX509* m_int2; // explicit policy
@@ -51,6 +52,7 @@ class PKIXEngineTest : public CxxTest::TestSuite {
 public:
     void setUp() {
         m_dummy = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr);
+        m_chain = dynamic_cast<ChainingTrustEngine*>(XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(CHAINING_TRUSTENGINE, nullptr));
 
         m_ee = m_int1 = m_int2 = m_int3 = nullptr;
         vector<XSECCryptoX509*> certs;
@@ -69,6 +71,7 @@ public:
     }
 
     void tearDown() {
+        delete m_chain;
         delete m_dummy;
         delete m_ee;
         delete m_int1;
@@ -78,37 +81,53 @@ public:
 
 
     void testAnyPolicy() {
-        auto_ptr<X509TrustEngine> trust(buildTrustEngine("AnyPolicy"));
+        TrustEngine* trust = buildTrustEngine("AnyPolicy");
+        m_chain->addTrustEngine(trust);
 
         vector<XSECCryptoX509*> untrusted(1, m_int1);
-        TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
+        TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
+
+        TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
+        delete trust;
     }
 
     void testExplicitPolicy() {
-        auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicy"));
+        TrustEngine* trust = buildTrustEngine("ExplicitPolicy");
+        m_chain->addTrustEngine(trust);
 
         vector<XSECCryptoX509*> untrusted(1, m_int1);
-        TSM_ASSERT("PKIX validation succeeded despite anyPolicyInhibit", !trust->validate(m_ee, untrusted, *m_dummy));
+        TSM_ASSERT("PKIX validation succeeded despite anyPolicyInhibit", !m_chain->validate(m_ee, untrusted, *m_dummy));
 
         untrusted[0] = m_int2;
-        TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
+        TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
 
         untrusted[0] = m_int3;
-        TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
+        TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
+
+        TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
+        delete trust;
     }
 
     void testExplicitPolicyMap() {
-        auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicyMap"));
+        TrustEngine* trust = buildTrustEngine("ExplicitPolicyMap");
+        m_chain->addTrustEngine(trust);
 
         vector<XSECCryptoX509*> untrusted(1, m_int3);
-        TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
+        TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
+
+        TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
+        delete trust;
     }
 
     void testExplicitPolicyNoMap() {
-        auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicyNoMap"));
+        TrustEngine* trust = buildTrustEngine("ExplicitPolicyNoMap");
+        m_chain->addTrustEngine(trust);
 
         vector<XSECCryptoX509*> untrusted(1, m_int3);
-        TSM_ASSERT("PKIX validation succeeded despite policyMappingInhibit", !trust->validate(m_ee, untrusted, *m_dummy));
+        TSM_ASSERT("PKIX validation succeeded despite policyMappingInhibit", !m_chain->validate(m_ee, untrusted, *m_dummy));
+
+        TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
+        delete trust;
     }
 
 };
-- 
2.1.4