Package com.nimbusds.openid.connect.sdk.federation.trust

Class TrustChain

java.lang.Object

com.nimbusds.openid.connect.sdk.federation.trust.TrustChain

@Immutable
public final class TrustChain
extends Object

Federation entity trust chain.

Related specifications:

• OpenID Connect Federation 1.0, sections 3.2 and 7.1.

Constructor Summary

Constructors

Constructor	Description
TrustChain(EntityStatement leaf, List<EntityStatement> superiors)	Creates a new trust chain.
TrustChain(EntityStatement leaf, List<EntityStatement> superiors, EntityStatement trustAnchor)	Creates a new trust chain.

Method Summary

Modifier and Type	Method	Description
EntityStatement	getLeafConfiguration()	Returns the leaf entity configuration.
List<EntityStatement>	getSuperiorStatements()	Returns the superior entity statements.
EntityStatement	getTrustAnchorConfiguration()	Returns the optional trust anchor entity configuration.
EntityID	getTrustAnchorEntityID()	Returns the entity ID of the trust anchor.
Iterator<EntityStatement>	iteratorFromLeaf()	Return an iterator starting from the leaf entity statement.
int	length()	Returns the length of this trust chain.
static TrustChain	parse(List<com.nimbusds.jwt.SignedJWT> statementJWTs)	Parses a trust chain from the specified JWT list.
static TrustChain	parseSerialized(List<String> statementJWTs)	Parses a trust chain from the specified serialised JWT list.
MetadataPolicy	resolveCombinedMetadataPolicy(EntityType type)	Resolves the combined metadata policy for this trust chain.
MetadataPolicy	resolveCombinedMetadataPolicy(EntityType type, PolicyOperationCombinationValidator combinationValidator)	Resolves the combined metadata policy for this trust chain.
Date	resolveExpirationTime()	Resolves the expiration time for this trust chain.
List<com.nimbusds.jwt.SignedJWT>	toJWTs()	Returns a JWT list representation of this trust chain.
List<String>	toSerializedJWTs()	Returns a serialised JWT list representation of this trust chain.
void	verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet)	Verifies the signatures in this trust chain.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

TrustChain

public TrustChain(EntityStatement leaf,
                  List<EntityStatement> superiors)

Creates a new trust chain. Validates the subject - issuer chain, the signatures are not verified.

Parameters:

leaf - The leaf entity configuration. Must not be null.

superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.

Throws:

IllegalArgumentException - If the subject - issuer chain is broken.

TrustChain

public TrustChain(EntityStatement leaf,
                  List<EntityStatement> superiors,
                  EntityStatement trustAnchor)

Creates a new trust chain. Validates the subject - issuer chain, the signatures are not verified.

Parameters:

leaf - The leaf entity configuration. Must not be null.

superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.

trustAnchor - The optional trust anchor entity configuration, null if not specified.

Throws:

IllegalArgumentException - If the subject - issuer chain is broken.

Method Detail

getLeafConfiguration

public EntityStatement getLeafConfiguration()

Returns the leaf entity configuration.

Returns:

The leaf entity configuration.

getSuperiorStatements

public List<EntityStatement> getSuperiorStatements()

Returns the superior entity statements.

Returns:

The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain).

getTrustAnchorConfiguration

public EntityStatement getTrustAnchorConfiguration()

Returns the optional trust anchor entity configuration.

Returns:

The trust anchor entity configuration, null if not specified.

getTrustAnchorEntityID

public EntityID getTrustAnchorEntityID()

Returns the entity ID of the trust anchor.

Returns:

The entity ID of the trust anchor.

length

public int length()

Returns the length of this trust chain. A minimal trust chain with a leaf and anchor has a length of one.

Returns:

The trust chain length, with a minimal length of one.

resolveCombinedMetadataPolicy

public MetadataPolicy resolveCombinedMetadataPolicy(EntityType type)
                                             throws PolicyViolationException

Resolves the combined metadata policy for this trust chain. Uses the default policy combination validator.

Parameters:

type - The entity type, such as openid_relying_party. Must not be null.

Returns:

The combined metadata policy, with no policy operations if no policies were found.

Throws:

PolicyViolationException - On a policy violation exception.

resolveCombinedMetadataPolicy

public MetadataPolicy resolveCombinedMetadataPolicy(EntityType type,
                                                    PolicyOperationCombinationValidator combinationValidator)
                                             throws PolicyViolationException

Resolves the combined metadata policy for this trust chain.

Parameters:

type - The entity type, such as openid_relying_party. Must not be null.

combinationValidator - The policy operation combination validator. Must not be null.

Returns:

The combined metadata policy, with no policy operations if no policies were found.

Throws:

PolicyViolationException - On a policy violation exception.

iteratorFromLeaf

public Iterator<EntityStatement> iteratorFromLeaf()

Return an iterator starting from the leaf entity statement. The optional trust anchor entity configuration is omitted.

Returns:

The iterator.

resolveExpirationTime

public Date resolveExpirationTime()

Resolves the expiration time for this trust chain. Equals the next expiration in time when all entity statements in the trust chain are considered.

Returns:

The expiration time for this trust chain.

verifySignatures

public void verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet)
                      throws com.nimbusds.jose.proc.BadJOSEException,
                             com.nimbusds.jose.JOSEException

Verifies the signatures in this trust chain.

Parameters:

trustAnchorJWKSet - The trust anchor JWK set. Must not be null.

Throws:

com.nimbusds.jose.proc.BadJOSEException - If a signature is invalid or a statement is expired or before the issue time.

com.nimbusds.jose.JOSEException - On an internal JOSE exception.

toJWTs

public List<com.nimbusds.jwt.SignedJWT> toJWTs()

Returns a JWT list representation of this trust chain.

Returns:

The JWT list.

toSerializedJWTs

public List<String> toSerializedJWTs()

Returns a serialised JWT list representation of this trust chain.

Returns:

The serialised JWT list.

parse

public static TrustChain parse(List<com.nimbusds.jwt.SignedJWT> statementJWTs)
                        throws ParseException

Parses a trust chain from the specified JWT list.

Parameters:

statementJWTs - The JWT list. Must not be null.

Returns:

The trust chain.

Throws:

ParseException - If parsing failed.

parseSerialized

public static TrustChain parseSerialized(List<String> statementJWTs)
                                  throws ParseException

Parses a trust chain from the specified serialised JWT list.

Parameters:

statementJWTs - The serialised JWT list. Must not be null.

Returns:

The trust chain.

Throws:

ParseException - If parsing failed.