X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fopensaml2.git;a=blobdiff_plain;f=saml%2Fbinding%2Fimpl%2FClientCertAuthRule.cpp;h=b3ad35260cf02b2001482f834d9547285ef788ec;hp=4662392acd8e468b2465cafc42f7895e492c140d;hb=9fddf9054c76de6239295b98a559fcc75453effc;hpb=f9aa9375e0908e119af283278d00468a9b2249f5

diff --git a/saml/binding/impl/ClientCertAuthRule.cpp b/saml/binding/impl/ClientCertAuthRule.cpp
index 4662392..b3ad352 100644
--- a/saml/binding/impl/ClientCertAuthRule.cpp
+++ b/saml/binding/impl/ClientCertAuthRule.cpp
@@ -24,16 +24,17 @@
 #include "exceptions.h"
 #include "binding/SecurityPolicyRule.h"
 #include "saml2/metadata/Metadata.h"
+#include "saml2/metadata/MetadataCredentialCriteria.h"
 #include "saml2/metadata/MetadataProvider.h"
 
+#include <xmltooling/logging.h>
 #include <xmltooling/security/X509TrustEngine.h>
 #include <xmltooling/util/ReplayCache.h>
-#include <log4cpp/Category.hh>
 
 using namespace opensaml::saml2md;
 using namespace opensaml;
+using namespace xmltooling::logging;
 using namespace xmltooling;
-using namespace log4cpp;
 using namespace std;
 
 namespace opensaml {
@@ -55,13 +56,11 @@ namespace opensaml {
 void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest* request, SecurityPolicy& policy) const
 {
     Category& log=Category::getInstance(SAML_LOGCAT".SecurityPolicyRule.ClientCertAuth");
-    log.debug("evaluating client certificate authentication policy");
     
-    if (!request) {
-        log.debug("ignoring message, no protocol request available");
+    if (!request)
         return;
-    }
-    else if (!policy.getIssuerMetadata()) {
+    
+    if (!policy.getIssuerMetadata()) {
         log.debug("ignoring message, no issuer metadata supplied");
         return;
     }
@@ -73,13 +72,16 @@ void ClientCertAuthRule::evaluate(const XMLObject& message, const GenericRequest
     }
     
     const std::vector<XSECCryptoX509*>& chain = request->getClientCertificates();
-    if (chain.empty()) {
-        log.debug("ignoring message, no client certificates in request");
+    if (chain.empty())
         return;
-    }
     
-    if (!x509trust->validate(chain.front(), chain, *(policy.getIssuerMetadata()), true,
-            policy.getMetadataProvider()->getKeyResolver())) {
+    // Set up criteria object, including peer name to enforce cert name checking.
+    MetadataCredentialCriteria cc(*(policy.getIssuerMetadata()));
+    auto_ptr_char pn(policy.getIssuer()->getName());
+    cc.setPeerName(pn.get());
+    cc.setUsage(CredentialCriteria::TLS_CREDENTIAL);
+
+    if (!x509trust->validate(chain.front(), chain, *(policy.getMetadataProvider()), &cc)) {
         log.error("unable to verify certificate chain with supplied trust engine");
         return;
     }