xmltooling::AbstractPKIXTrustEngine Class Reference

A trust engine that uses X.509 trust anchors and CRLs associated with a peer to perform PKIX validation of signatures and credentials. More...

#include <xmltooling/security/AbstractPKIXTrustEngine.h>

Inheritance diagram for xmltooling::AbstractPKIXTrustEngine:

xmltooling::SignatureTrustEngine xmltooling::OpenSSLTrustEngine xmltooling::TrustEngine xmltooling::X509TrustEngine xmltooling::TrustEngine List of all members.

Public Member Functions

bool validate (xmlsignature::Signature &sig, const CredentialResolver &credResolver, CredentialCriteria *criteria=NULL) const
 Determines whether an XML signature is correct and valid with respect to the source of credentials supplied.
bool validate (const XMLCh *sigAlgorithm, const char *sig, xmlsignature::KeyInfo *keyInfo, const char *in, unsigned int in_len, const CredentialResolver &credResolver, CredentialCriteria *criteria=NULL) const
 Determines whether a raw signature is correct and valid with respect to the source of credentials supplied.
bool validate (XSECCryptoX509 *certEE, const std::vector< XSECCryptoX509 * > &certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=NULL) const
 Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
bool validate (X509 *certEE, STACK_OF(X509)*certChain, const CredentialResolver &credResolver, CredentialCriteria *criteria=NULL) const
 Determines whether an X.509 credential is valid with respect to the source of credentials supplied.
virtual PKIXValidationInfoIteratorgetPKIXValidationInfoIterator (const CredentialResolver &pkixSource, CredentialCriteria *criteria=NULL) const =0
 Provides access to the information necessary, for the given credential source, for PKIX validation of credentials.

Protected Member Functions

 AbstractPKIXTrustEngine (const xercesc::DOMElement *e=NULL)
 Constructor.
bool checkEntityNames (X509 *certEE, const CredentialResolver &credResolver, const CredentialCriteria &criteria) const
 Checks that either the name of the peer with the given credentials or the names of the credentials match the subject or subject alternate names of the certificate.

Protected Attributes

bool m_fullCRLChain
 Flag controls whether every issuer in the trust path must have a CRL loaded.

Classes

class  PKIXValidationInfoIterator
 Stateful interface that supplies PKIX validation data to the trust engine. More...

Detailed Description

A trust engine that uses X.509 trust anchors and CRLs associated with a peer to perform PKIX validation of signatures and credentials.


Constructor & Destructor Documentation

xmltooling::AbstractPKIXTrustEngine::AbstractPKIXTrustEngine ( const xercesc::DOMElement *  e = NULL  )  [protected]

Constructor.

If a DOM is supplied, the following XML content is supported:

XML namespaces are ignored in the processing of this content.

Parameters:
e DOM to supply configuration for provider


Member Function Documentation

bool xmltooling::AbstractPKIXTrustEngine::checkEntityNames ( X509 *  certEE,
const CredentialResolver credResolver,
const CredentialCriteria criteria 
) const [protected]

Checks that either the name of the peer with the given credentials or the names of the credentials match the subject or subject alternate names of the certificate.

Parameters:
certEE the credential for the entity to validate
credResolver source of credentials
criteria criteria for selecting credentials, including the peer name
Returns:
true the name check succeeds, false if not

virtual PKIXValidationInfoIterator* xmltooling::AbstractPKIXTrustEngine::getPKIXValidationInfoIterator ( const CredentialResolver pkixSource,
CredentialCriteria criteria = NULL 
) const [pure virtual]

Provides access to the information necessary, for the given credential source, for PKIX validation of credentials.

Each set of validation information returned will be tried, in turn, until one succeeds or no more remain. The caller must free the returned interface when finished with it.

Parameters:
pkixSource the peer for which validation rules are required
criteria criteria for selecting validation rules
Returns:
interface for obtaining validation data

bool xmltooling::AbstractPKIXTrustEngine::validate ( X509 *  certEE,
STACK_OF(X509)*  certChain,
const CredentialResolver credResolver,
CredentialCriteria criteria = NULL 
) const [virtual]

Determines whether an X.509 credential is valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.

If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Parameters:
certEE end-entity certificate to validate
certChain the complete set of certificates presented for validation (includes certEE)
credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
criteria criteria for selecting peer credentials

Implements xmltooling::OpenSSLTrustEngine.

bool xmltooling::AbstractPKIXTrustEngine::validate ( XSECCryptoX509 *  certEE,
const std::vector< XSECCryptoX509 * > &  certChain,
const CredentialResolver credResolver,
CredentialCriteria criteria = NULL 
) const [virtual]

Determines whether an X.509 credential is valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who presented the credential.

If criteria with a peer name are supplied, the "name" of the EE certificate may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Parameters:
certEE end-entity certificate to validate
certChain the complete set of certificates presented for validation (includes certEE)
credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
criteria criteria for selecting peer credentials

Implements xmltooling::X509TrustEngine.

bool xmltooling::AbstractPKIXTrustEngine::validate ( const XMLCh *  sigAlgorithm,
const char *  sig,
xmlsignature::KeyInfo keyInfo,
const char *  in,
unsigned int  in_len,
const CredentialResolver credResolver,
CredentialCriteria criteria = NULL 
) const [virtual]

Determines whether a raw signature is correct and valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the Credentials supplied are in fact associated with the peer who created the signature.

If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Note that the keyInfo parameter is not part of the implicitly trusted set of information supplied via the CredentialResolver, but rather advisory data that may have accompanied the signature itself.

Parameters:
sigAlgorithm XML Signature identifier for the algorithm used
sig null-terminated base64-encoded signature value
keyInfo KeyInfo object accompanying the signature, if any
in the input data over which the signature was created
in_len size of input data in bytes
credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
criteria criteria for selecting peer credentials
Returns:
true iff the signature validates

Implements xmltooling::SignatureTrustEngine.

bool xmltooling::AbstractPKIXTrustEngine::validate ( xmlsignature::Signature sig,
const CredentialResolver credResolver,
CredentialCriteria criteria = NULL 
) const [virtual]

Determines whether an XML signature is correct and valid with respect to the source of credentials supplied.

It is the responsibility of the application to ensure that the credentials supplied are in fact associated with the peer who created the signature.

If criteria with a peer name are supplied, the "name" of the Credential that verifies the signature may also be checked to ensure that it identifies the intended peer. The peer name itself or implementation-specific rules based on the content of the peer credentials may be applied. Implementations may omit this check if they deem it unnecessary.

Parameters:
sig reference to a signature object to validate
credResolver a locked resolver to supply trusted peer credentials to the TrustEngine
criteria criteria for selecting peer credentials
Returns:
true iff the signature validates

Implements xmltooling::SignatureTrustEngine.


The documentation for this class was generated from the following file:
Generated on Mon Oct 19 14:18:34 2009 for xmltooling by  doxygen 1.4.7