xmltooling  3.2.2
xmltooling::AbstractPKIXTrustEngine Class Reference [abstract]

A trust engine that uses X.509 trust anchors and CRLs associated with a peer to perform PKIX validation of signatures and credentials.

#include <xmltooling/security/AbstractPKIXTrustEngine.h>

Inheritance diagram for xmltooling::AbstractPKIXTrustEngine (image not reproduced; classes shown: xmltooling::SignatureTrustEngine, xmltooling::OpenSSLTrustEngine, xmltooling::X509TrustEngine, xmltooling::TrustEngine)

Classes

class  PKIXValidationInfoIterator
 Stateful interface that supplies PKIX validation data to the trust engine.


Public Member Functions

bool validate (xmlsignature::Signature &sig, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const
 Determines whether an XML signature is correct and valid with respect to the source of credentials supplied.

bool validate (const XMLCh *sigAlgorithm, const char *sig, xmlsignature::KeyInfo *keyInfo, const char *in, unsigned int in_len, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const
 Determines whether a raw signature is correct and valid with respect to the source of credentials supplied.

bool validate (XSECCryptoX509 *certEE, const std::vector< XSECCryptoX509 *> &certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const
 Determines whether an X.509 credential is valid with respect to the source of credentials supplied.

bool validate (X509 *certEE, STACK_OF(X509) *certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const
 Determines whether an X.509 credential is valid with respect to the source of credentials supplied.

virtual PKIXValidationInfoIterator * getPKIXValidationInfoIterator (const CredentialResolver &pkixSource, CredentialCriteria *criteria=0) const =0
 Provides access to the information necessary, for the given credential source, for PKIX validation of credentials.

- Public Member Functions inherited from xmltooling::TrustEngine
void setKeyInfoResolver (KeyInfoResolver *keyInfoResolver)
 Supplies a KeyInfoResolver instance.

- Public Member Functions inherited from xmltooling::OpenSSLTrustEngine
virtual bool validate (XSECCryptoX509 *certEE, const std::vector< XSECCryptoX509 * > &certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const=0
 Determines whether an X.509 credential is valid with respect to the source of credentials supplied.


Protected Member Functions

 AbstractPKIXTrustEngine (const xercesc::DOMElement *e=0, bool deprecationSupport=true)
 Constructor.

virtual bool checkEntityNames (X509 *certEE, const CredentialResolver &credResolver, const CredentialCriteria &criteria) const
 Checks that either the name of the peer with the given credentials or the names of the credentials match the subject or subject alternate names of the certificate.

- Protected Member Functions inherited from xmltooling::SignatureTrustEngine
 SignatureTrustEngine (const xercesc::DOMElement *e=0, bool deprecationSupport=true)
 Constructor.

- Protected Member Functions inherited from xmltooling::TrustEngine
 TrustEngine (const xercesc::DOMElement *e=0, bool deprecationSupport=true)
 Constructor.

- Protected Member Functions inherited from xmltooling::OpenSSLTrustEngine
 OpenSSLTrustEngine (const xercesc::DOMElement *e=0, bool deprecationSupport=true)
 Constructor.

- Protected Member Functions inherited from xmltooling::X509TrustEngine
 X509TrustEngine (const xercesc::DOMElement *e=0, bool deprecationSupport=true)
 Constructor.


Protected Attributes

std::vector< boost::shared_ptr< OpenSSLPathValidator > > m_pathValidators
 Plugins used to perform path validation.

std::string m_checkRevocation
 Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain".

bool m_policyMappingInhibit
 Disable policy mapping when applying PKIX policy checking.

bool m_anyPolicyInhibit
 Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking.

std::set< std::string > m_policyOIDs
 A list of acceptable policy OIDs (explicit policy checking).

std::set< std::string > m_trustedNames
 A list of trusted names (subject DNs / CN attributes / subjectAltName entries).

- Protected Attributes inherited from xmltooling::TrustEngine
KeyInfoResolver * m_keyInfoResolver
 Custom KeyInfoResolver instance.
 

Friends

class PKIXParams
 

Detailed Description

A trust engine that uses X.509 trust anchors and CRLs associated with a peer to perform PKIX validation of signatures and credentials.

Constructor & Destructor Documentation

◆ AbstractPKIXTrustEngine()

xmltooling::AbstractPKIXTrustEngine::AbstractPKIXTrustEngine ( const xercesc::DOMElement *  e = 0,
bool  deprecationSupport = true 
)
protected

Constructor.

If a DOM is supplied, the following XML content is supported:

  • checkRevocation attribute (off, entityOnly, fullChain)
  • policyMappingInhibit attribute (boolean)
  • anyPolicyInhibit attribute (boolean)
  • <PathValidator> element (zero or more)
  • <TrustedName> element (zero or more)
  • <PolicyOID> element (zero or more)

Parameters
    e                   DOM to supply configuration for provider
    deprecationSupport  true iff deprecated features and settings should be supported

Member Function Documentation

◆ checkEntityNames()

virtual bool xmltooling::AbstractPKIXTrustEngine::checkEntityNames ( X509 *  certEE,
const CredentialResolver &  credResolver,
const CredentialCriteria &  criteria 
) const
protected virtual

Checks that either the name of the peer with the given credentials or the names of the credentials match the subject or subject alternate names of the certificate.

Alternatively explicit trusted names can be supplied statically via configuration.

Parameters
    certEE        the credential for the entity to validate
    credResolver  source of trusted credentials
    criteria      criteria for selecting credentials, including the peer name
Returns
    true if the name check succeeds, false if not

◆ getPKIXValidationInfoIterator()

virtual PKIXValidationInfoIterator* xmltooling::AbstractPKIXTrustEngine::getPKIXValidationInfoIterator ( const CredentialResolver &  pkixSource,
CredentialCriteria *  criteria = 0 
) const
pure virtual

Provides access to the information necessary, for the given credential source, for PKIX validation of credentials.

Each set of validation information returned will be tried, in turn, until one succeeds or no more remain. The caller must free the returned interface when finished with it.

Parameters
    pkixSource  the peer for which validation rules are required
    criteria    criteria for selecting validation rules
Returns
    interface for obtaining validation data

◆ validate() [1/4]

bool xmltooling::AbstractPKIXTrustEngine::validate ( xmlsignature::Signature &  sig,
const CredentialResolver &  credResolver,
CredentialCriteria *  criteria = 0 
) const
virtual

Determines whether an XML signature is correct and valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who created the signature.

If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Parameters
    sig           reference to a signature object to validate
    credResolver  a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria      criteria for selecting peer credentials
Returns
    true iff the signature validates

Implements xmltooling::SignatureTrustEngine.

◆ validate() [2/4]

bool xmltooling::AbstractPKIXTrustEngine::validate ( const XMLCh *  sigAlgorithm,
const char *  sig,
xmlsignature::KeyInfo *  keyInfo,
const char *  in,
unsigned int  in_len,
const CredentialResolver &  credResolver,
CredentialCriteria *  criteria = 0 
) const
virtual

Determines whether a raw signature is correct and valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the Credentials supplied are in fact associated with the peer who created the signature.

If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Note that the keyInfo parameter is not part of the implicitly trusted set of information supplied via the CredentialResolver, but rather advisory data that may have accompanied the signature itself.

Parameters
    sigAlgorithm  XML Signature identifier for the algorithm used
    sig           null-terminated base64-encoded signature value
    keyInfo       KeyInfo object accompanying the signature, if any
    in            the input data over which the signature was created
    in_len        size of input data in bytes
    credResolver  a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria      criteria for selecting peer credentials
Returns
    true iff the signature validates

Implements xmltooling::SignatureTrustEngine.

◆ validate() [3/4]

bool xmltooling::AbstractPKIXTrustEngine::validate ( XSECCryptoX509 *  certEE,
const std::vector< XSECCryptoX509 *> &  certChain,
const CredentialResolver &  credResolver,
CredentialCriteria *  criteria = 0 
) const
virtual

Determines whether an X.509 credential is valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.

If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Parameters
    certEE        end-entity certificate to validate
    certChain     the complete set of certificates presented for validation (includes certEE)
    credResolver  a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria      criteria for selecting peer credentials

Implements xmltooling::X509TrustEngine.

◆ validate() [4/4]

bool xmltooling::AbstractPKIXTrustEngine::validate ( X509 *  certEE,
STACK_OF(X509) *  certChain,
const CredentialResolver &  credResolver,
CredentialCriteria *  criteria = 0 
) const
virtual

Determines whether an X.509 credential is valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.

If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Parameters
    certEE        end-entity certificate to validate
    certChain     the complete set of certificates presented for validation (includes certEE)
    credResolver  a locked resolver to supply trusted peer credentials to the TrustEngine
    criteria      criteria for selecting peer credentials

Implements xmltooling::OpenSSLTrustEngine.

Member Data Documentation

◆ m_anyPolicyInhibit

bool xmltooling::AbstractPKIXTrustEngine::m_anyPolicyInhibit
protected

Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking.

◆ m_checkRevocation

std::string xmltooling::AbstractPKIXTrustEngine::m_checkRevocation
protected

Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain".
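
The difference between the three checkRevocation values, together with the rule documented for getPKIXValidationInfoIterator() that each set of validation information is tried in turn until one succeeds, shown as a toy model. This is an added example, not xmltooling code, and it performs no cryptography: the Cert and ValidationInfo types, the function names and the sample data are constructed for illustration, and an issuer with no CRL in the model counts as having revoked nothing.

```cpp
// Added illustration, not xmltooling code: a toy model with no cryptography. All type and
// function names are hypothetical; only the checkRevocation values come from the docs.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Cert { std::string subject, issuer; int serial; };
// One validation set: trust anchor names plus CRLs (revoked serials by issuer; no CRL = none revoked).
struct ValidationInfo {
    std::set<std::string> anchors;
    std::map<std::string, std::set<int>> crls;
};
static bool revoked(const Cert& c, const ValidationInfo& vi) {
    auto it = vi.crls.find(c.issuer);
    return it != vi.crls.end() && it->second.count(c.serial) > 0;
}
// chain[0] is the end-entity certificate; each later entry issued the one before.
bool pathValid(const std::vector<Cert>& chain, const ValidationInfo& vi, const std::string& mode) {
    if (chain.empty() || !vi.anchors.count(chain.back().issuer)) return false;
    for (std::size_t i = 0; i + 1 < chain.size(); ++i)
        if (chain[i].issuer != chain[i + 1].subject) return false;  // broken chain
    // Model choice: any value other than "off"/"entityOnly" is checked as fullChain.
    std::size_t n = mode == "off" ? 0 : mode == "entityOnly" ? 1 : chain.size();
    for (std::size_t i = 0; i < n; ++i)
        if (revoked(chain[i], vi)) return false;
    return true;
}
// Each set is tried in turn until one succeeds or no more remain.
bool validate(const std::vector<Cert>& chain, const std::vector<ValidationInfo>& sets, const std::string& mode) {
    for (const auto& vi : sets)
        if (pathValid(chain, vi, mode)) return true;
    return false;
}

// Constructed sample: the issuing CA (serial 7) is on the root's CRL; the EE is not revoked.
const std::vector<Cert> kChain = {{"CN=sp.example.org", "CN=Example Issuing CA", 1001},
                                  {"CN=Example Issuing CA", "CN=Example Root", 7}};
std::vector<ValidationInfo> sampleSets() {
    ValidationInfo other, match;
    other.anchors = {"CN=Other Root"};
    match.anchors = {"CN=Example Root"};
    match.crls["CN=Example Root"] = {7};
    return {other, match};
}
int main() {
    for (const char* m : {"off", "entityOnly", "fullChain"})
        std::cout << m << ": " << validate(kChain, sampleSets(), m) << "\n";
}
```

With the constructed data, "off" and "entityOnly" accept the chain and only "fullChain" rejects it, because the revoked certificate is the intermediate CA rather than the end entity.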

◆ m_pathValidators

std::vector< boost::shared_ptr<OpenSSLPathValidator> > xmltooling::AbstractPKIXTrustEngine::m_pathValidators
protected

Plugins used to perform path validation.

◆ m_policyMappingInhibit

bool xmltooling::AbstractPKIXTrustEngine::m_policyMappingInhibit
protected

Disable policy mapping when applying PKIX policy checking.

◆ m_policyOIDs

std::set<std::string> xmltooling::AbstractPKIXTrustEngine::m_policyOIDs
protected

A list of acceptable policy OIDs (explicit policy checking).

◆ m_trustedNames

std::set<std::string> xmltooling::AbstractPKIXTrustEngine::m_trustedNames
protected

A list of trusted names (subject DNs / CN attributes / subjectAltName entries).


The documentation for this class was generated from the following file: