This file is indexed.

/usr/include/xmltooling/security/AbstractPKIXTrustEngine.h is in libxmltooling-dev 1.5.3-2+deb8u3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
/**
 * Licensed to the University Corporation for Advanced Internet
 * Development, Inc. (UCAID) under one or more contributor license
 * agreements. See the NOTICE file distributed with this work for
 * additional information regarding copyright ownership.
 *
 * UCAID licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License. You may obtain a copy of the
 * License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
 * either express or implied. See the License for the specific
 * language governing permissions and limitations under the License.
 */

/**
 * @file xmltooling/security/AbstractPKIXTrustEngine.h
 * 
 * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
 * to perform PKIX validation of signatures and credentials.
 */

#if !defined(__xmltooling_pkixtrust_h__) && !defined(XMLTOOLING_NO_XMLSEC)
#define __xmltooling_pkixtrust_h__

#include <xmltooling/security/OpenSSLTrustEngine.h>
#include <xmltooling/security/SignatureTrustEngine.h>

#include <set>
#include <string>
#include <boost/ptr_container/ptr_vector.hpp>

namespace xmltooling {

    class XMLTOOL_API OpenSSLPathValidator;
    class XMLTOOL_API XSECCryptoX509CRL;

    /**
     * A trust engine that uses X.509 trust anchors and CRLs associated with a peer
     * to perform PKIX validation of signatures and credentials.
     */
    class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine
    {
    protected:
        /**
         * Constructor.
         * 
         * If a DOM is supplied, the following XML content is supported:
         * 
         * <ul>
         *  <li>checkRevocation attribute (off, entityOnly, fullChain)
         *  <li>policyMappingInhibit attribute (boolean)
         *  <li>anyPolicyInhibit attribute (boolean)
         *  <li>&t;PathValidator&gt; element (zero or more)
         *  <li>&lt;TrustedName&gt; element (zero or more)
         *  <li>&lt;PolicyOID&gt; element (zero or more)
         * </ul>
         * 
         * @param e DOM to supply configuration for provider
         */
        AbstractPKIXTrustEngine(const xercesc::DOMElement* e=nullptr);

        /** Plugins used to perform path validation. */
        boost::ptr_vector<OpenSSLPathValidator> m_pathValidators;

        /** Controls revocation checking, currently limited to CRLs and supports "off", "entityOnly", "fullChain". */
        std::string m_checkRevocation;

        /** Deprecated option, equivalent to checkRevocation="fullChain". */
        bool m_fullCRLChain;

        /** Disable policy mapping when applying PKIX policy checking. */
        bool m_policyMappingInhibit;

        /** Disallow the anyPolicy OID (2.5.29.32.0) when applying PKIX policy checking. */
        bool m_anyPolicyInhibit;

        /** A list of acceptable policy OIDs (explicit policy checking). */
        std::set<std::string> m_policyOIDs;

        /** A list of trusted names (subject DNs / CN attributes / subjectAltName entries). */
        std::set<std::string> m_trustedNames;

        /**
         * Checks that either the name of the peer with the given credentials or the names
         * of the credentials match the subject or subject alternate names of the certificate.
         * Alternatively explicit trusted names can be supplied statically via configuration.
         * 
         * @param certEE        the credential for the entity to validate
         * @param credResolver  source of trusted credentials
         * @param criteria      criteria for selecting credentials, including the peer name
         * 
         * @return true the name check succeeds, false if not
         */
        bool checkEntityNames(X509* certEE, const CredentialResolver& credResolver, const CredentialCriteria& criteria) const;

    public:
        virtual ~AbstractPKIXTrustEngine();

        bool validate(
            xmlsignature::Signature& sig,
            const CredentialResolver& credResolver,
            CredentialCriteria* criteria=nullptr
            ) const;

        bool validate(
            const XMLCh* sigAlgorithm,
            const char* sig,
            xmlsignature::KeyInfo* keyInfo,
            const char* in,
            unsigned int in_len,
            const CredentialResolver& credResolver,
            CredentialCriteria* criteria=nullptr
            ) const;

        bool validate(
            XSECCryptoX509* certEE,
            const std::vector<XSECCryptoX509*>& certChain,
            const CredentialResolver& credResolver,
            CredentialCriteria* criteria=nullptr
            ) const;

        bool validate(
            X509* certEE,
            STACK_OF(X509)* certChain,
            const CredentialResolver& credResolver,
            CredentialCriteria* criteria=nullptr
            ) const;

        /**
         * Stateful interface that supplies PKIX validation data to the trust engine.
         * Applications can adapt this TrustEngine to their environment by returning
         * implementations of this interface from the getPKIXValidationInfoIterator
         * method.
         */
        class XMLTOOL_API PKIXValidationInfoIterator {
            MAKE_NONCOPYABLE(PKIXValidationInfoIterator);
        protected:
            PKIXValidationInfoIterator();
            
        public:
            virtual ~PKIXValidationInfoIterator();
            
            /**
             * Advances to the next set of information, if any.
             * 
             * @return true iff another set of information is available
             */
            virtual bool next()=0;
            
            /**
             * Returns the allowable trust chain verification depth for the
             * validation data in the current position.
             * 
             * @return  allowable trust chain verification depth
             */
            virtual int getVerificationDepth() const=0;
            
            /**
             * Returns the set of trust anchors for the validation data in the
             * current position. Keeping the certificates beyond the lifetime
             * of the iterator or after advancing to the next position requires
             * copying them.
             * 
             * @return  set of trust anchors
             */
            virtual const std::vector<XSECCryptoX509*>& getTrustAnchors() const=0;

            /**
             * Returns the set of CRLs for the validation data in the
             * current position. Keeping the CRLs beyond the lifetime
             * of the iterator or after advancing to the next position requires
             * copying them.
             * 
             * @return  set of CRLs
             */
            virtual const std::vector<XSECCryptoX509CRL*>& getCRLs() const=0;
        };
        
        /**
         * Provides access to the information necessary, for the given credential source, for
         * PKIX validation of credentials. Each set of validation information returned
         * will be tried, in turn, until one succeeds or no more remain.
         * The caller must free the returned interface when finished with it.
         * 
         * @param pkixSource        the peer for which validation rules are required
         * @param criteria          criteria for selecting validation rules
         * @return interface for obtaining validation data
         */
        virtual PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
            const CredentialResolver& pkixSource, CredentialCriteria* criteria=nullptr
            ) const=0;

    private:
        bool validateWithCRLs(
            X509* certEE,
            STACK_OF(X509)* certChain,
            const CredentialResolver& credResolver,
            CredentialCriteria* criteria=nullptr,
            const std::vector<XSECCryptoX509CRL*>* inlineCRLs=nullptr
            ) const;

        friend class XMLTOOL_DLLLOCAL PKIXParams;
    };
};

#endif /* __xmltooling_pkixtrust_h__ */