A trust engine that uses X.509 trust anchors and CRLs associated with a peer to perform PKIX validation of signatures and credentials.
#include <xmltooling/security/AbstractPKIXTrustEngine.h>

Classes

class PKIXValidationInfoIterator
    Stateful interface that supplies PKIX validation data to the trust engine.

Public Member Functions

bool validate(xmlsignature::Signature& sig, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const
    Determines whether an XML signature is correct and valid with respect to the source of credentials supplied.
bool validate(const XMLCh* sigAlgorithm, const char* sig, xmlsignature::KeyInfo* keyInfo, const char* in, unsigned int in_len, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const
    Determines whether a raw signature is correct and valid with respect to the source of credentials supplied.
bool validate(XSECCryptoX509* certEE, const std::vector<XSECCryptoX509*>& certChain, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const
    Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
bool validate(X509* certEE, STACK_OF(X509)* certChain, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const
    Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const CredentialResolver& pkixSource, CredentialCriteria* criteria = 0) const = 0
    Provides access to the information necessary, for the given credential source, for PKIX validation of credentials.

Protected Member Functions

AbstractPKIXTrustEngine(const xercesc::DOMElement* e = 0, bool deprecationSupport = true)
    Constructor.
virtual bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const
    Checks that either the name of the peer with the given credentials or the names of the credentials match the subject or subject alternate names of the certificate.

Protected Attributes

std::vector< boost::shared_ptr<OpenSSLPathValidator> > m_pathValidators
    Plugins used to perform path validation.
std::string m_checkRevocation
    Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain".
bool m_policyMappingInhibit
    Disable policy mapping when applying PKIX policy checking.
bool m_anyPolicyInhibit
    Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking.
std::set<std::string> m_policyOIDs
    A list of acceptable policy OIDs (explicit policy checking).
std::set<std::string> m_trustedNames
    A list of trusted names (subject DNs / CN attributes / subjectAltName entries).

Friends

class PKIXParams
xmltooling::AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const xercesc::DOMElement* e = 0, bool deprecationSupport = true) [protected]
Constructor.
If a DOM is supplied, the following XML content is supported:
Parameters:
    e: DOM to supply configuration for provider
    deprecationSupport: true iff deprecated features and settings should be supported
virtual bool xmltooling::AbstractPKIXTrustEngine::checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const [protected, virtual]
Checks that either the name of the peer with the given credentials or the names of the credentials match the subject or subject alternate names of the certificate.
Alternatively, explicit trusted names can be supplied statically via configuration.
Parameters:
    certEE: the credential for the entity to validate
    credResolver: source of trusted credentials
    criteria: criteria for selecting credentials, including the peer name
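The three ways the name check above can succeed (peer name, credential names, or statically configured trusted names) are easy to get wrong in the direction of accepting too much, so the following added example models them in plain C++. It is not xmltooling's code and uses no OpenSSL: the CertNames record, the helper names and the case-insensitive comparison rule are assumptions made for illustration, standing in for what the real method reads out of an X509* and the CredentialCriteria.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for the names read out of an X509*: the subject DN,
// its CN attribute and the subjectAltName entries (assumed record, not an
// xmltooling type).
struct CertNames {
    std::string subjectDN;
    std::string commonName;
    std::vector<std::string> subjectAltNames;
};

// DNS-style names compare without regard to case; this example applies the
// same rule to DNs for simplicity (an assumption, not the engine's rule).
static bool equalsIgnoreCase(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    }
    return true;
}

// True when the certificate carries the name in its subject DN, CN or SAN list.
static bool certHasName(const CertNames& cert, const std::string& name) {
    if (equalsIgnoreCase(cert.subjectDN, name) || equalsIgnoreCase(cert.commonName, name))
        return true;
    for (const std::string& san : cert.subjectAltNames)
        if (equalsIgnoreCase(san, name)) return true;
    return false;
}

// Model of checkEntityNames(): accept when
//   1. the peer name carried in the criteria matches the certificate, or
//   2. a name attached to one of the peer's trusted credentials matches, or
//   3. a statically configured trusted name (m_trustedNames) matches.
// With nothing to compare against, the check fails closed.
bool checkEntityNames(const CertNames& certEE,
                      const std::string& peerName,                      // from CredentialCriteria
                      const std::vector<std::string>& credentialNames,   // names of resolved credentials
                      const std::set<std::string>& trustedNames) {       // m_trustedNames
    if (!peerName.empty() && certHasName(certEE, peerName)) return true;
    for (const std::string& n : credentialNames)
        if (certHasName(certEE, n)) return true;
    for (const std::string& n : trustedNames)
        if (certHasName(certEE, n)) return true;
    return false;
}

int main() {
    // Constructed sample certificate and peer data.
    CertNames idp{"CN=idp.example.org,O=Example", "idp.example.org",
                  {"idp.example.org", "sso.example.org"}};
    std::cout << "peer name matches SAN: "
              << checkEntityNames(idp, "sso.example.org", {}, {}) << '\n';
    std::cout << "entityID as peer name, no credential names: "
              << checkEntityNames(idp, "https://idp.example.org/idp", {}, {}) << '\n';
    std::cout << "entityID as peer name, credential name matches: "
              << checkEntityNames(idp, "https://idp.example.org/idp", {"idp.example.org"}, {}) << '\n';
    return 0;
}
```

The second call in main is the case worth noting: a SAML entityID is typically a URL that never appears in a certificate, so the peer name alone does not match; it is the names attached to the peer's resolved credentials (or the configured trusted names) that carry the check, which is exactly why those names must come from a trusted source.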
virtual PKIXValidationInfoIterator* xmltooling::AbstractPKIXTrustEngine::getPKIXValidationInfoIterator(const CredentialResolver& pkixSource, CredentialCriteria* criteria = 0) const [pure virtual]
Provides access to the information necessary, for the given credential source, for PKIX validation of credentials.
Each set of validation information returned will be tried, in turn, until one succeeds or no more remain. The caller must free the returned interface when finished with it.
Parameters:
    pkixSource: the peer for which validation rules are required
    criteria: criteria for selecting validation rules
bool xmltooling::AbstractPKIXTrustEngine::validate(X509* certEE, STACK_OF(X509)* certChain, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const [virtual]
Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.
If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
Parameters:
    certEE: end-entity certificate to validate
    certChain: the complete set of certificates presented for validation (includes certEE)
    credResolver: a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria: criteria for selecting peer credentials
Implements xmltooling::OpenSSLTrustEngine.
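The iterator contract for getPKIXValidationInfoIterator (each set of trust anchors and CRLs is tried in turn until one succeeds) and the m_checkRevocation settings "off", "entityOnly" and "fullChain" interact in ways that matter for what a revoked intermediate does to the outcome of validate(). The added example below models that loop in plain C++. It is not xmltooling's code and does not call OpenSSL: ToyCert, ValidationInfo and the function names are assumptions made for illustration, path building is by subject/issuer name only, and the choices to fail closed on a missing CRL and to map an unknown revocation string to the strictest mode are this example's, not documented engine behaviour.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy stand-in for an X509 record holding only what path building needs
// (an assumed type for this illustration, not an xmltooling or OpenSSL one).
struct ToyCert {
    std::string subject;
    std::string issuer;
    long serial;
};

// One set of validation information, as PKIXValidationInfoIterator hands it
// out: trust anchors plus CRLs keyed by issuer name (set of revoked serials).
struct ValidationInfo {
    std::vector<ToyCert> trustAnchors;
    std::map<std::string, std::set<long>> crls;
};

// The three values documented for m_checkRevocation.
enum class RevocationMode { Off, EntityOnly, FullChain };

// An unrecognised setting maps to the strictest mode rather than to "off"
// (a choice made for this example, not documented engine behaviour).
RevocationMode revocationModeFromString(const std::string& s) {
    if (s == "off") return RevocationMode::Off;
    if (s == "entityOnly") return RevocationMode::EntityOnly;
    return RevocationMode::FullChain;
}

static const ToyCert* findBySubject(const std::vector<ToyCert>& pool, const std::string& subject) {
    for (const ToyCert& c : pool)
        if (c.subject == subject) return &c;
    return nullptr;
}

// Walk from the end-entity cert through the presented chain until the current
// cert's issuer is a trust anchor. Returns the path, end-entity first and
// anchor last, or an empty vector when no anchor in this set is reached.
std::vector<ToyCert> buildPath(const ToyCert& certEE, const std::vector<ToyCert>& certChain,
                               const std::vector<ToyCert>& anchors) {
    std::vector<ToyCert> path{certEE};
    std::set<std::string> seen{certEE.subject};   // guards against issuer loops
    const ToyCert* cur = &certEE;
    for (std::size_t hops = 0; hops <= certChain.size(); ++hops) {
        if (const ToyCert* anchor = findBySubject(anchors, cur->issuer)) {
            path.push_back(*anchor);
            return path;
        }
        const ToyCert* next = findBySubject(certChain, cur->issuer);
        if (!next || seen.count(next->subject)) return {};
        seen.insert(next->subject);
        path.push_back(*next);
        cur = next;
    }
    return {};
}

// Apply the revocation setting to a built path: "entityOnly" checks just the
// end-entity cert, "fullChain" every cert below the anchor. A missing CRL for
// an issuer that must be checked fails closed instead of passing as "not revoked".
bool revocationOK(const std::vector<ToyCert>& path,
                  const std::map<std::string, std::set<long>>& crls, RevocationMode mode) {
    if (path.size() < 2) return false;
    if (mode == RevocationMode::Off) return true;
    std::size_t toCheck = (mode == RevocationMode::EntityOnly) ? 1 : path.size() - 1;
    for (std::size_t i = 0; i < toCheck; ++i) {
        auto crl = crls.find(path[i].issuer);
        if (crl == crls.end()) return false;                  // no CRL for this issuer
        if (crl->second.count(path[i].serial)) return false;  // serial is listed
    }
    return true;
}

// Model of validate(): each set of validation information is tried in turn
// until one yields a path to an anchor that also passes revocation checking.
bool validatePKIX(const ToyCert& certEE, const std::vector<ToyCert>& certChain,
                  const std::vector<ValidationInfo>& infoSets, RevocationMode mode) {
    for (const ValidationInfo& info : infoSets) {
        std::vector<ToyCert> path = buildPath(certEE, certChain, info.trustAnchors);
        if (path.empty()) continue;                 // no anchor in this set, try the next
        if (revocationOK(path, info.crls, mode)) return true;
    }
    return false;
}

int main() {
    // Constructed sample: RootA issues IntA, IntA issues the end entity; the
    // presented chain carries the end entity and IntA (certEE included).
    ToyCert root{"RootA", "RootA", 1}, inter{"IntA", "RootA", 10}, ee{"idp.example.org", "IntA", 100};
    std::vector<ToyCert> chain{ee, inter};
    ValidationInfo interRevoked{{root}, {{"IntA", std::set<long>{}}, {"RootA", std::set<long>{10}}}};
    std::cout << "entityOnly misses a revoked intermediate: "
              << validatePKIX(ee, chain, {interRevoked}, RevocationMode::EntityOnly) << '\n';
    std::cout << "fullChain catches it: "
              << validatePKIX(ee, chain, {interRevoked}, RevocationMode::FullChain) << '\n';
    return 0;
}
```

Two points the sample in main makes visible: "entityOnly" never looks at the intermediate's status, so a revoked issuing CA is only caught under "fullChain"; and because each ValidationInfo set is tried independently, a set whose CRLs reject the path does not end validation if a later set holds another anchor that accepts it. In the real engine the name check (checkEntityNames) follows a successful path validation; it is left out of this model.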
bool xmltooling::AbstractPKIXTrustEngine::validate(XSECCryptoX509* certEE, const std::vector<XSECCryptoX509*>& certChain, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const [virtual]
Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.
If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
Parameters:
    certEE: end-entity certificate to validate
    certChain: the complete set of certificates presented for validation (includes certEE)
    credResolver: a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria: criteria for selecting peer credentials
Implements xmltooling::X509TrustEngine.
bool xmltooling::AbstractPKIXTrustEngine::validate(const XMLCh* sigAlgorithm, const char* sig, xmlsignature::KeyInfo* keyInfo, const char* in, unsigned int in_len, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const [virtual]
Determines whether a raw signature is correct and valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who created the signature.
If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
Note that the keyInfo parameter is not part of the implicitly trusted set of information supplied via the CredentialResolver, but rather advisory data that may have accompanied the signature itself.
Parameters:
    sigAlgorithm: XML Signature identifier for the algorithm used
    sig: null-terminated base64-encoded signature value
    keyInfo: KeyInfo object accompanying the signature, if any
    in: the input data over which the signature was created
    in_len: size of input data in bytes
    credResolver: a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria: criteria for selecting peer credentials
Implements xmltooling::SignatureTrustEngine.
bool xmltooling::AbstractPKIXTrustEngine::validate(xmlsignature::Signature& sig, const CredentialResolver& credResolver, CredentialCriteria* criteria = 0) const [virtual]
Determines whether an XML signature is correct and valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who created the signature.
If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
Parameters:
    sig: reference to a signature object to validate
    credResolver: a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria: criteria for selecting peer credentials
Implements xmltooling::SignatureTrustEngine.
bool xmltooling::AbstractPKIXTrustEngine::m_anyPolicyInhibit [protected]
    Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking.
std::string xmltooling::AbstractPKIXTrustEngine::m_checkRevocation [protected]
    Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain".
std::vector< boost::shared_ptr<OpenSSLPathValidator> > xmltooling::AbstractPKIXTrustEngine::m_pathValidators [protected]
    Plugins used to perform path validation.
bool xmltooling::AbstractPKIXTrustEngine::m_policyMappingInhibit [protected]
    Disable policy mapping when applying PKIX policy checking.
std::set<std::string> xmltooling::AbstractPKIXTrustEngine::m_policyOIDs [protected]
    A list of acceptable policy OIDs (explicit policy checking).
std::set<std::string> xmltooling::AbstractPKIXTrustEngine::m_trustedNames [protected]
    A list of trusted names (subject DNs / CN attributes / subjectAltName entries).