From: cantor Date: Thu, 30 Aug 2007 02:18:30 +0000 (+0000) Subject: TrustEngine based on static trust roots. X-Git-Tag: 1.4.1~447 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fxmltooling.git;a=commitdiff_plain;h=134b8d09a00441f50a7dad52bd7af0abc1be53f0 TrustEngine based on static trust roots. git-svn-id: https://svn.middleware.georgetown.edu/cpp-xmltooling/trunk@378 de75baf8-a10c-0410-a50a-987c0e22f00f --- diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am index f4368b3..1e80e16 100644 --- a/xmltooling/Makefile.am +++ b/xmltooling/Makefile.am @@ -134,6 +134,7 @@ xmlsec_sources = \ security/impl/InlineKeyResolver.cpp \ security/impl/KeyInfoResolver.cpp \ security/impl/OpenSSLCryptoX509CRL.cpp \ + security/impl/StaticPKIXTrustEngine.cpp \ security/impl/TrustEngine.cpp \ security/impl/XSECCryptoX509CRL.cpp \ signature/impl/SignatureValidator.cpp \ diff --git a/xmltooling/security/TrustEngine.h b/xmltooling/security/TrustEngine.h index 44bbe91..c187648 100644 --- a/xmltooling/security/TrustEngine.h +++ b/xmltooling/security/TrustEngine.h @@ -25,6 +25,7 @@ #define __xmltooling_trust_h__ #include +#include namespace xmltooling { @@ -75,7 +76,10 @@ namespace xmltooling { /** TrustEngine based on explicit knowledge of peer key information. */ #define EXPLICIT_KEY_TRUSTENGINE "ExplicitKey" - + + /** TrustEngine based on PKIX evaluation against a static set of trust anchors. */ + #define STATIC_PKIX_TRUSTENGINE "StaticPKIX" + /** TrustEngine that tries multiple engines in sequence. */ #define CHAINING_TRUSTENGINE "Chaining" diff --git a/xmltooling/security/X509TrustEngine.h b/xmltooling/security/X509TrustEngine.h index aa0a4f1..b73ff0b 100644 --- a/xmltooling/security/X509TrustEngine.h +++ b/xmltooling/security/X509TrustEngine.h @@ -25,6 +25,9 @@ #include +#include +#include + namespace xmltooling { class XMLTOOL_API CredentialCriteria; 
diff --git a/xmltooling/security/impl/StaticPKIXTrustEngine.cpp b/xmltooling/security/impl/StaticPKIXTrustEngine.cpp
new file mode 100644
index 0000000..70ab7c2
--- /dev/null
+++ b/xmltooling/security/impl/StaticPKIXTrustEngine.cpp
@@ -0,0 +1,168 @@
+/*
+ * Copyright 2001-2007 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * PKIXTrustEngine.cpp
+ *
+ * Shibboleth-specific PKIX-validation TrustEngine
+ */
+
+#include "internal.h"
+
+#include "logging.h"
+#include "XMLToolingConfig.h"
+#include "security/AbstractPKIXTrustEngine.h"
+#include "security/CredentialResolver.h"
+#include "security/X509Credential.h"
+#include "util/XMLHelper.h"
+
+#include
+
+using namespace xmlsignature;
+using namespace xmltooling;
+using namespace xercesc;
+using namespace std;
+
+namespace xmltooling {
+
+ static const XMLCh _CredentialResolver[] = UNICODE_LITERAL_18(C,r,e,d,e,n,t,i,a,l,R,e,s,o,l,v,e,r);
+ static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e);
+ static const XMLCh certificate[] = UNICODE_LITERAL_11(c,e,r,t,i,f,i,c,a,t,e);
+ static const XMLCh Certificate[] = UNICODE_LITERAL_11(C,e,r,t,i,f,i,c,a,t,e);
+ static const XMLCh Path[] = UNICODE_LITERAL_4(P,a,t,h);
+ static const XMLCh verifyDepth[] = UNICODE_LITERAL_11(v,e,r,i,f,y,D,e,p,t,h);
+
+ class XMLTOOL_DLLLOCAL StaticPKIXTrustEngine : public AbstractPKIXTrustEngine
+ {
+ public:
+ StaticPKIXTrustEngine(const DOMElement* e=NULL);
+
+ virtual ~StaticPKIXTrustEngine() {
+ if (m_credResolver) {
+ m_credResolver->unlock();
+ delete m_credResolver;
+ }
+ }
+
+ AbstractPKIXTrustEngine::PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
+ const CredentialResolver& pkixSource, CredentialCriteria* criteria=NULL
+ ) 
const;
+
+ const KeyInfoResolver* getKeyInfoResolver() const {
+ return m_keyInfoResolver ? m_keyInfoResolver : XMLToolingConfig::getConfig().getKeyInfoResolver();
+ }
+
+ private:
+ CredentialResolver* m_credResolver;
+ int m_depth;
+ vector m_certs;
+ vector m_crls;
+ friend class XMLTOOL_DLLLOCAL StaticPKIXIterator;
+ };
+
+ TrustEngine* XMLTOOL_DLLLOCAL StaticPKIXTrustEngineFactory(const DOMElement* const & e)
+ {
+ return new StaticPKIXTrustEngine(e);
+ }
+
+ class XMLTOOL_DLLLOCAL StaticPKIXIterator : public AbstractPKIXTrustEngine::PKIXValidationInfoIterator
+ {
+ public:
+ StaticPKIXIterator(const StaticPKIXTrustEngine& engine) : m_engine(engine), m_done(false) {
+ }
+
+ virtual ~StaticPKIXIterator() {
+ }
+
+ bool next() {
+ if (m_done)
+ return false;
+ m_done = true;
+ return true;
+ }
+
+ int getVerificationDepth() const {
+ return m_engine.m_depth;
+ }
+
+ const vector& getTrustAnchors() const {
+ return m_engine.m_certs;
+ }
+
+ const vector& getCRLs() const {
+ return m_engine.m_crls;
+ }
+
+ private:
+ const StaticPKIXTrustEngine& m_engine;
+ bool m_done;
+ };
+};
+
+StaticPKIXTrustEngine::StaticPKIXTrustEngine(const DOMElement* e) : AbstractPKIXTrustEngine(e)
+{
+ const XMLCh* depth = e ? e->getAttributeNS(NULL, verifyDepth) : NULL;
+ if (depth && *depth)
+ m_depth = XMLString::parseInt(depth);
+ else
+ m_depth = 1;
+
+ if (e && e->hasAttributeNS(NULL,certificate)) {
+ // Dummy up a file resolver.
+ DOMElement* dummy = e->getOwnerDocument()->createElementNS(NULL,_CredentialResolver);
+ DOMElement* child = e->getOwnerDocument()->createElementNS(NULL,Certificate);
+ dummy->appendChild(child);
+ DOMElement* path = e->getOwnerDocument()->createElementNS(NULL,Path);
+ child->appendChild(path);
+ path->appendChild(e->getOwnerDocument()->createTextNode(e->getAttributeNS(NULL,certificate)));
+ m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(FILESYSTEM_CREDENTIAL_RESOLVER,dummy);
+ }
+ else {
+ e = e ? 
XMLHelper::getFirstChildElement(e, _CredentialResolver) : NULL; + auto_ptr_char t(e ? e->getAttributeNS(NULL,type) : NULL); + if (t.get()) { + m_credResolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(t.get(),e); + } + else + throw XMLSecurityException("Missing element, or no type attribute found"); + } + + m_credResolver->lock(); + + // Merge together all X509Credentials we can resolve. + try { + vector creds; + m_credResolver->resolve(creds); + for (vector::const_iterator i = creds.begin(); i != creds.end(); ++i) { + const X509Credential* xcred = dynamic_cast(*i); + if (xcred) { + m_certs.insert(m_certs.end(), xcred->getEntityCertificateChain().begin(), xcred->getEntityCertificateChain().end()); + if (xcred->getCRL()) + m_crls.push_back(xcred->getCRL()); + } + } + } + catch (exception& ex) { + logging::Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine.StaticPKIX").error(ex.what()); + } +} + +AbstractPKIXTrustEngine::PKIXValidationInfoIterator* StaticPKIXTrustEngine::getPKIXValidationInfoIterator( + const CredentialResolver& pkixSource, CredentialCriteria* criteria + ) const +{ + return new StaticPKIXIterator(*this); +} diff --git a/xmltooling/security/impl/TrustEngine.cpp b/xmltooling/security/impl/TrustEngine.cpp index 9884f46..0052b13 100644 --- a/xmltooling/security/impl/TrustEngine.cpp +++ b/xmltooling/security/impl/TrustEngine.cpp @@ -32,6 +32,7 @@ using namespace std; namespace xmltooling { XMLTOOL_DLLLOCAL PluginManager::Factory ExplicitKeyTrustEngineFactory; + XMLTOOL_DLLLOCAL PluginManager::Factory StaticPKIXTrustEngineFactory; XMLTOOL_DLLLOCAL PluginManager::Factory ChainingTrustEngineFactory; }; 
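Review bot: The `catch (exception& ex)` that closes the StaticPKIXTrustEngine constructor only logs the failure, so a resolver error still yields a live engine whose `m_certs` and `m_crls` are empty or partially filled. For any anchors that did load, an absent CRL would go unnoticed. Anything not derived from std::exception escapes the constructor with `m_credResolver` still locked and never deleted, because the destructor does not run for a partially constructed object. Releasing the resolver and rethrowing, as sketched below, makes a broken trust-anchor configuration fail at start-up instead of at first validation. Separately, `verifyDepth` goes through `XMLString::parseInt` with no range check, so a negative value is stored as written; how AbstractPKIXTrustEngine treats that is not visible in this diff.

```cpp
    m_credResolver->lock();

    try {
        // … unchanged: merge certificates and CRLs from each X509Credential …
    }
    catch (...) {
        // A throwing constructor never reaches ~StaticPKIXTrustEngine(), so release the resolver here.
        m_credResolver->unlock();
        delete m_credResolver;
        m_credResolver = NULL;
        throw;
    }
```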
@@ -39,6 +40,7 @@ void XMLTOOL_API xmltooling::registerTrustEngines() { XMLToolingConfig& conf=XMLToolingConfig::getConfig(); conf.TrustEngineManager.registerFactory(EXPLICIT_KEY_TRUSTENGINE, ExplicitKeyTrustEngineFactory); + conf.TrustEngineManager.registerFactory(STATIC_PKIX_TRUSTENGINE, StaticPKIXTrustEngineFactory); conf.TrustEngineManager.registerFactory(CHAINING_TRUSTENGINE, ChainingTrustEngineFactory); } diff --git a/xmltooling/xmltooling.vcproj b/xmltooling/xmltooling.vcproj index 41b221a..da3ed46 100644 --- a/xmltooling/xmltooling.vcproj +++ b/xmltooling/xmltooling.vcproj @@ -421,6 +421,10 @@ > + +