security/KeyInfoCredentialContext.h \
security/KeyInfoResolver.h \
security/OpenSSLCredential.h \
+ security/SignatureTrustEngine.h \
security/TrustEngine.h \
security/X509Credential.h \
security/X509TrustEngine.h \
#define __xmltooling_pkixtrust_h__
#include <xmltooling/security/OpenSSLTrustEngine.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
#include <xmltooling/security/XSECCryptoX509CRL.h>
namespace xmltooling {
* A trust engine that uses X.509 trust anchors and CRLs associated with a peer
* to perform PKIX validation of signatures and credentials.
*/
- class XMLTOOL_API AbstractPKIXTrustEngine : public OpenSSLTrustEngine
+ class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
{
protected:
/**
*
* @param e DOM to supply configuration for provider
*/
- AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : OpenSSLTrustEngine(e) {}
+ AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : TrustEngine(e) {}
/**
* Checks that either the name of the peer with the given credentials or the names
#define __xmltooling_chaintrust_h__
#include <xmltooling/security/OpenSSLTrustEngine.h>
+#include <xmltooling/security/SignatureTrustEngine.h>
namespace xmltooling {
/**
* OpenSSLTrustEngine that uses multiple engines in sequence.
*/
- class XMLTOOL_API ChainingTrustEngine : public OpenSSLTrustEngine {
+ class XMLTOOL_API ChainingTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine {
public:
/**
* Constructor.
) const;
private:
std::vector<TrustEngine*> m_engines;
+ std::vector<SignatureTrustEngine*> m_sigEngines;
+ std::vector<X509TrustEngine*> m_x509Engines;
+ std::vector<OpenSSLTrustEngine*> m_osslEngines;
};
};
--- /dev/null
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file xmltooling/security/SignatureTrustEngine.h
+ *
+ * TrustEngine interface that adds validation of digital signatures.
+ */
+
+#if !defined(__xmltooling_sigtrust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
+#define __xmltooling_sigtrust_h__
+
+#include <xmltooling/security/TrustEngine.h>
+
+namespace xmlsignature {
+ class XMLTOOL_API KeyInfo;
+ class XMLTOOL_API Signature;
+};
+
+namespace xmltooling {
+
+ class XMLTOOL_API CredentialCriteria;
+ class XMLTOOL_API CredentialResolver;
+
+ /**
+ * TrustEngine interface that adds validation of digital signatures.
+ */
+ class XMLTOOL_API SignatureTrustEngine : public virtual TrustEngine {
+ protected:
+ /**
+ * Constructor.
+ *
+ * If a DOM is supplied, the following XML content is supported:
+ *
+ * <ul>
+ * <li><KeyInfoResolver> elements with a type attribute
+ * </ul>
+ *
+ * XML namespaces are ignored in the processing of this content.
+ *
+ * @param e DOM to supply configuration for provider
+ */
+ SignatureTrustEngine(const xercesc::DOMElement* e=NULL) : TrustEngine(e) {}
+
+ public:
+ virtual ~SignatureTrustEngine() {}
+
+ /**
+ * Determines whether an XML signature is correct and valid with respect to
+ * the source of credentials supplied.
+ *
+ * <p>It is the responsibility of the application to ensure that the credentials
+ * supplied are in fact associated with the peer who created the signature.
+ *
+ * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
+ * the signature may also be checked to ensure that it identifies the intended peer.
+ * The peer name itself or implementation-specific rules based on the content of the
+ * peer credentials may be applied. Implementations may omit this check if they
+ * deem it unnecessary.
+ *
+ * @param sig reference to a signature object to validate
+ * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
+ * @param criteria criteria for selecting peer credentials
+ * @return true iff the signature validates
+ */
+ virtual bool validate(
+ xmlsignature::Signature& sig,
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL
+ ) const=0;
+
+ /**
+ * Determines whether a raw signature is correct and valid with respect to
+ * the source of credentials supplied.
+ *
+ * <p>It is the responsibility of the application to ensure that the Credentials
+ * supplied are in fact associated with the peer who created the signature.
+ *
+ * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
+ * the signature may also be checked to ensure that it identifies the intended peer.
+ * The peer name itself or implementation-specific rules based on the content of the
+ * peer credentials may be applied. Implementations may omit this check if they
+ * deem it unnecessary.
+ *
+ * <p>Note that the keyInfo parameter is not part of the implicitly trusted
+ * set of information supplied via the CredentialResolver, but rather advisory
+ * data that may have accompanied the signature itself.
+ *
+ * @param sigAlgorithm XML Signature identifier for the algorithm used
+ * @param sig null-terminated base64-encoded signature value
+ * @param keyInfo KeyInfo object accompanying the signature, if any
+ * @param in the input data over which the signature was created
+ * @param in_len size of input data in bytes
+ * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
+ * @param criteria criteria for selecting peer credentials
+ * @return true iff the signature validates
+ */
+ virtual bool validate(
+ const XMLCh* sigAlgorithm,
+ const char* sig,
+ xmlsignature::KeyInfo* keyInfo,
+ const char* in,
+ unsigned int in_len,
+ const CredentialResolver& credResolver,
+ CredentialCriteria* criteria=NULL
+ ) const=0;
+ };
+};
+
+#endif /* __xmltooling_sigtrust_h__ */
/**
* @file xmltooling/security/TrustEngine.h
*
- * Evaluates the trustworthiness and validity of signatures against
+ * Evaluates the trustworthiness and validity of security information against
* implementation-specific requirements.
*/
#include <xmltooling/base.h>
-namespace xmlsignature {
- class XMLTOOL_API KeyInfo;
- class XMLTOOL_API Signature;
-};
-
namespace xmltooling {
- class XMLTOOL_API CredentialCriteria;
- class XMLTOOL_API CredentialResolver;
class XMLTOOL_API KeyInfoResolver;
/**
- * Evaluates the trustworthiness and validity of XML or raw Signatures against
+ * Evaluates the trustworthiness and validity of security information against
* implementation-specific requirements.
*/
class XMLTOOL_API TrustEngine {
* @param keyInfoResolver new KeyInfoResolver instance to use
*/
void setKeyInfoResolver(KeyInfoResolver* keyInfoResolver);
-
- /**
- * Determines whether an XML signature is correct and valid with respect to
- * the source of credentials supplied.
- *
- * <p>It is the responsibility of the application to ensure that the credentials
- * supplied are in fact associated with the peer who created the signature.
- *
- * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
- * the signature may also be checked to ensure that it identifies the intended peer.
- * The peer name itself or implementation-specific rules based on the content of the
- * peer credentials may be applied. Implementations may omit this check if they
- * deem it unnecessary.
- *
- * @param sig reference to a signature object to validate
- * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
- * @param criteria criteria for selecting peer credentials
- * @return true iff the signature validates
- */
- virtual bool validate(
- xmlsignature::Signature& sig,
- const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
- ) const=0;
-
- /**
- * Determines whether a raw signature is correct and valid with respect to
- * the source of credentials supplied.
- *
- * <p>It is the responsibility of the application to ensure that the Credentials
- * supplied are in fact associated with the peer who created the signature.
- *
- * <p>If criteria with a peer name are supplied, the "name" of the Credential that verifies
- * the signature may also be checked to ensure that it identifies the intended peer.
- * The peer name itself or implementation-specific rules based on the content of the
- * peer credentials may be applied. Implementations may omit this check if they
- * deem it unnecessary.
- *
- * <p>Note that the keyInfo parameter is not part of the implicitly trusted
- * set of information supplied via the CredentialResolver, but rather advisory
- * data that may have accompanied the signature itself.
- *
- * @param sigAlgorithm XML Signature identifier for the algorithm used
- * @param sig null-terminated base64-encoded signature value
- * @param keyInfo KeyInfo object accompanying the signature, if any
- * @param in the input data over which the signature was created
- * @param in_len size of input data in bytes
- * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
- * @param criteria criteria for selecting peer credentials
- * @return true iff the signature validates
- */
- virtual bool validate(
- const XMLCh* sigAlgorithm,
- const char* sig,
- xmlsignature::KeyInfo* keyInfo,
- const char* in,
- unsigned int in_len,
- const CredentialResolver& credResolver,
- CredentialCriteria* criteria=NULL
- ) const=0;
};
/**
/**
* @file xmltooling/security/X509TrustEngine.h
*
- * Extended TrustEngine interface that adds validation of X.509 credentials.
+ * TrustEngine interface that adds validation of X.509 credentials.
*/
#if !defined(__xmltooling_x509trust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
namespace xmltooling {
+ class XMLTOOL_API CredentialCriteria;
+ class XMLTOOL_API CredentialResolver;
+
/**
- * Extended TrustEngine interface that adds validation of X.509 credentials.
+ * TrustEngine interface that adds validation of X.509 credentials.
*/
- class XMLTOOL_API X509TrustEngine : public TrustEngine {
+ class XMLTOOL_API X509TrustEngine : public virtual TrustEngine {
protected:
/**
* Constructor.
public:
virtual ~X509TrustEngine() {}
- using TrustEngine::validate;
-
/**
* Determines whether an X.509 credential is valid with respect to the
* source of credentials supplied.
static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e);
static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
-ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : OpenSSLTrustEngine(e) {
+ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : TrustEngine(e) {
Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine");
e = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : NULL;
while (e) {
log.info("building TrustEngine of type %s", temp.get());
TrustEngine* engine = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(temp.get(), e);
m_engines.push_back(engine);
+ SignatureTrustEngine* sig = dynamic_cast<SignatureTrustEngine*>(engine);
+ if (sig)
+ m_sigEngines.push_back(sig);
+ X509TrustEngine* x509 = dynamic_cast<X509TrustEngine*>(engine);
+ if (x509)
+ m_x509Engines.push_back(x509);
+ OpenSSLTrustEngine* ossl = dynamic_cast<OpenSSLTrustEngine*>(engine);
+ if (ossl)
+ m_osslEngines.push_back(ossl);
}
}
catch (exception& ex) {
bool ChainingTrustEngine::validate(Signature& sig, const CredentialResolver& credResolver, CredentialCriteria* criteria) const
{
- for (vector<TrustEngine*>::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
+ for (vector<SignatureTrustEngine*>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
if ((*i)->validate(sig,credResolver,criteria))
return true;
}
CredentialCriteria* criteria
) const
{
- for (vector<TrustEngine*>::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
+ for (vector<SignatureTrustEngine*>::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) {
if ((*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, credResolver, criteria))
return true;
}
CredentialCriteria* criteria
) const
{
- X509TrustEngine* down;
- for (vector<TrustEngine*>::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
- if ((down = dynamic_cast<X509TrustEngine*>(*i)) &&
- down->validate(certEE,certChain,credResolver,criteria))
+ for (vector<X509TrustEngine*>::const_iterator i=m_x509Engines.begin(); i!=m_x509Engines.end(); ++i) {
+ if ((*i)->validate(certEE,certChain,credResolver,criteria))
return true;
}
return false;
CredentialCriteria* criteria
) const
{
- OpenSSLTrustEngine* down;
- for (vector<TrustEngine*>::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) {
- if ((down = dynamic_cast<OpenSSLTrustEngine*>(*i)) && down->validate(certEE,certChain,credResolver,criteria))
+ for (vector<OpenSSLTrustEngine*>::const_iterator i=m_osslEngines.begin(); i!=m_osslEngines.end(); ++i) {
+ if ((*i)->validate(certEE,certChain,credResolver,criteria))
return true;
}
return false;
#include "security/CredentialCriteria.h"
#include "security/CredentialResolver.h"
#include "security/OpenSSLTrustEngine.h"
+#include "security/SignatureTrustEngine.h"
#include "signature/SignatureValidator.h"
#include "util/NDC.h"
using namespace std;
namespace xmltooling {
- class XMLTOOL_DLLLOCAL ExplicitKeyTrustEngine : public OpenSSLTrustEngine
+ class XMLTOOL_DLLLOCAL ExplicitKeyTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
{
public:
- ExplicitKeyTrustEngine(const DOMElement* e) : OpenSSLTrustEngine(e) {}
+ ExplicitKeyTrustEngine(const DOMElement* e) : TrustEngine(e) {}
virtual ~ExplicitKeyTrustEngine() {}
virtual bool validate(
>\r
</File>\r
<File\r
+ RelativePath=".\security\SignatureTrustEngine.h"\r
+ >\r
+ </File>\r
+ <File\r
RelativePath=".\security\TrustEngine.h"\r
>\r
</File>\r