A trust engine that uses X.509 trust anchors and CRLs associated with a peer to perform PKIX validation of signatures and credentials.
More...
#include <xmltooling/security/AbstractPKIXTrustEngine.h>
|
bool | validate (xmlsignature::Signature &sig, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const |
| Determines whether an XML signature is correct and valid with respect to the source of credentials supplied. More...
|
|
bool | validate (const XMLCh *sigAlgorithm, const char *sig, xmlsignature::KeyInfo *keyInfo, const char *in, unsigned int in_len, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const |
| Determines whether a raw signature is correct and valid with respect to the source of credentials supplied. More...
|
|
bool | validate (XSECCryptoX509 *certEE, const std::vector< XSECCryptoX509 *> &certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const |
| Determines whether an X.509 credential is valid with respect to the source of credentials supplied. More...
|
|
bool | validate (X509 *certEE, STACK_OF(X509) *certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const |
| Determines whether an X.509 credential is valid with respect to the source of credentials supplied. More...
|
|
virtual PKIXValidationInfoIterator * | getPKIXValidationInfoIterator (const CredentialResolver &pkixSource, CredentialCriteria *criteria=0) const =0 |
| Provides access to the information necessary, for the given credential source, for PKIX validation of credentials. More...
|
|
void | setKeyInfoResolver (KeyInfoResolver *keyInfoResolver) |
| Supplies a KeyInfoResolver instance. More...
|
|
virtual bool | validate (XSECCryptoX509 *certEE, const std::vector< XSECCryptoX509 * > &certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=0) const=0 |
| Determines whether an X.509 credential is valid with respect to the source of credentials supplied. More...
|
|
A trust engine that uses X.509 trust anchors and CRLs associated with a peer to perform PKIX validation of signatures and credentials.
◆ AbstractPKIXTrustEngine()
xmltooling::AbstractPKIXTrustEngine::AbstractPKIXTrustEngine |
( |
const xercesc::DOMElement * |
e = 0 | ) |
|
|
protected |
Constructor.
If a DOM is supplied, the following XML content is supported:
-
checkRevocation attribute (off, entityOnly, fullChain)
-
policyMappingInhibit attribute (boolean)
-
anyPolicyInhibit attribute (boolean)
-
PathValidator> element (zero or more)
-
<TrustedName> element (zero or more)
-
<PolicyOID> element (zero or more)
- Parameters
-
e | DOM to supply configuration for provider |
◆ checkEntityNames()
Checks that either the name of the peer with the given credentials or the names of the credentials match the subject or subject alternate names of the certificate.
Alternatively explicit trusted names can be supplied statically via configuration.
- Parameters
-
certEE | the credential for the entity to validate |
credResolver | source of trusted credentials |
criteria | criteria for selecting credentials, including the peer name |
- Returns
- true the name check succeeds, false if not
◆ getPKIXValidationInfoIterator()
Provides access to the information necessary, for the given credential source, for PKIX validation of credentials.
Each set of validation information returned will be tried, in turn, until one succeeds or no more remain. The caller must free the returned interface when finished with it.
- Parameters
-
pkixSource | the peer for which validation rules are required |
criteria | criteria for selecting validation rules |
- Returns
- interface for obtaining validation data
◆ validate() [1/4]
Determines whether an XML signature is correct and valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who created the signature.
If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
- Parameters
-
sig | reference to a signature object to validate |
credResolver | a locked resolver to supply trusted peer credentials to the TrustEngine |
criteria | criteria for selecting peer credentials |
- Returns
- true iff the signature validates
Implements xmltooling::SignatureTrustEngine.
◆ validate() [2/4]
bool xmltooling::AbstractPKIXTrustEngine::validate |
( |
const XMLCh * |
sigAlgorithm, |
|
|
const char * |
sig, |
|
|
xmlsignature::KeyInfo * |
keyInfo, |
|
|
const char * |
in, |
|
|
unsigned int |
in_len, |
|
|
const CredentialResolver & |
credResolver, |
|
|
CredentialCriteria * |
criteria = 0 |
|
) |
| const |
|
virtual |
Determines whether a raw signature is correct and valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the Credentials supplied are in fact associated with the peer who created the signature.
If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
Note that the keyInfo parameter is not part of the implicitly trusted set of information supplied via the CredentialResolver, but rather advisory data that may have accompanied the signature itself.
- Parameters
-
sigAlgorithm | XML Signature identifier for the algorithm used |
sig | null-terminated base64-encoded signature value |
keyInfo | KeyInfo object accompanying the signature, if any |
in | the input data over which the signature was created |
in_len | size of input data in bytes |
credResolver | a locked resolver to supply trusted peer credentials to the TrustEngine |
criteria | criteria for selecting peer credentials |
- Returns
- true iff the signature validates
Implements xmltooling::SignatureTrustEngine.
◆ validate() [3/4]
bool xmltooling::AbstractPKIXTrustEngine::validate |
( |
XSECCryptoX509 * |
certEE, |
|
|
const std::vector< XSECCryptoX509 *> & |
certChain, |
|
|
const CredentialResolver & |
credResolver, |
|
|
CredentialCriteria * |
criteria = 0 |
|
) |
| const |
|
virtual |
Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.
If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
- Parameters
-
certEE | end-entity certificate to validate |
certChain | the complete set of certificates presented for validation (includes certEE) |
credResolver | a locked resolver to supply trusted peer credentials to the TrustEngine |
criteria | criteria for selecting peer credentials |
Implements xmltooling::X509TrustEngine.
◆ validate() [4/4]
Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.
If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.
- Parameters
-
certEE | end-entity certificate to validate |
certChain | the complete set of certificates presented for validation (includes certEE) |
credResolver | a locked resolver to supply trusted peer credentials to the TrustEngine |
criteria | criteria for selecting peer credentials |
Implements xmltooling::OpenSSLTrustEngine.
◆ m_anyPolicyInhibit
bool xmltooling::AbstractPKIXTrustEngine::m_anyPolicyInhibit |
|
protected |
Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking.
◆ m_checkRevocation
std::string xmltooling::AbstractPKIXTrustEngine::m_checkRevocation |
|
protected |
Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain".
◆ m_fullCRLChain
bool xmltooling::AbstractPKIXTrustEngine::m_fullCRLChain |
|
protected |
Deprecated option, equivalent to checkRevocation="fullChain".
◆ m_pathValidators
std::vector< boost::shared_ptr<OpenSSLPathValidator> > xmltooling::AbstractPKIXTrustEngine::m_pathValidators |
|
protected |
Plugins used to perform path validation.
◆ m_policyMappingInhibit
bool xmltooling::AbstractPKIXTrustEngine::m_policyMappingInhibit |
|
protected |
Disable policy mapping when applying PKIX policy checking.
◆ m_policyOIDs
std::set<std::string> xmltooling::AbstractPKIXTrustEngine::m_policyOIDs |
|
protected |
A list of acceptable policy OIDs (explicit policy checking).
◆ m_trustedNames
std::set<std::string> xmltooling::AbstractPKIXTrustEngine::m_trustedNames |
|
protected |
A list of trusted names (subject DNs / CN attributes / subjectAltName entries).
The documentation for this class was generated from the following file: