Class TrustChain
- java.lang.Object
- com.nimbusds.openid.connect.sdk.federation.trust.TrustChain

@Immutable public final class TrustChain extends Object

Federation entity trust chain. Related specifications:
- OpenID Connect Federation 1.0, sections 3.2 and 7.1.
Constructor Summary
- TrustChain(EntityStatement leaf, List<EntityStatement> superiors): Creates a new trust chain.
- TrustChain(EntityStatement leaf, List<EntityStatement> superiors, EntityStatement trustAnchor): Creates a new trust chain.
Method Summary
- EntityStatement getLeafConfiguration(): Returns the leaf entity configuration.
- List<EntityStatement> getSuperiorStatements(): Returns the superior entity statements.
- EntityStatement getTrustAnchorConfiguration(): Returns the optional trust anchor entity configuration.
- EntityID getTrustAnchorEntityID(): Returns the entity ID of the trust anchor.
- Iterator<EntityStatement> iteratorFromLeaf(): Returns an iterator starting from the leaf entity statement.
- int length(): Returns the length of this trust chain.
- static TrustChain parse(List<com.nimbusds.jwt.SignedJWT> statementJWTs): Parses a trust chain from the specified JWT list.
- static TrustChain parseSerialized(List<String> statementJWTs): Parses a trust chain from the specified serialised JWT list.
- MetadataPolicy resolveCombinedMetadataPolicy(EntityType type): Resolves the combined metadata policy for this trust chain.
- MetadataPolicy resolveCombinedMetadataPolicy(EntityType type, PolicyOperationCombinationValidator combinationValidator): Resolves the combined metadata policy for this trust chain.
- Date resolveExpirationTime(): Resolves the expiration time for this trust chain.
- List<com.nimbusds.jwt.SignedJWT> toJWTs(): Returns a JWT list representation of this trust chain.
- List<String> toSerializedJWTs(): Returns a serialised JWT list representation of this trust chain.
- void verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet): Verifies the signatures in this trust chain.
Constructor Detail

TrustChain
public TrustChain(EntityStatement leaf, List<EntityStatement> superiors)
Creates a new trust chain. Validates the subject-issuer chain; the signatures are not verified.
Parameters:
- leaf - The leaf entity configuration. Must not be null.
- superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.
Throws:
- IllegalArgumentException - If the subject-issuer chain is broken.

TrustChain
public TrustChain(EntityStatement leaf, List<EntityStatement> superiors, EntityStatement trustAnchor)
Creates a new trust chain. Validates the subject-issuer chain; the signatures are not verified.
Parameters:
- leaf - The leaf entity configuration. Must not be null.
- superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.
- trustAnchor - The optional trust anchor entity configuration, null if not specified.
Throws:
- IllegalArgumentException - If the subject-issuer chain is broken.
Method Detail

getLeafConfiguration
public EntityStatement getLeafConfiguration()
Returns the leaf entity configuration.
Returns:
- The leaf entity configuration.

getSuperiorStatements
public List<EntityStatement> getSuperiorStatements()
Returns the superior entity statements.
Returns:
- The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain).

getTrustAnchorConfiguration
public EntityStatement getTrustAnchorConfiguration()
Returns the optional trust anchor entity configuration.
Returns:
- The trust anchor entity configuration, null if not specified.

getTrustAnchorEntityID
public EntityID getTrustAnchorEntityID()
Returns the entity ID of the trust anchor.
Returns:
- The entity ID of the trust anchor.

length
public int length()
Returns the length of this trust chain. A minimal trust chain with a leaf and anchor has a length of one.
Returns:
- The trust chain length, with a minimal length of one.
resolveCombinedMetadataPolicy
public MetadataPolicy resolveCombinedMetadataPolicy(EntityType type) throws PolicyViolationException
Resolves the combined metadata policy for this trust chain. Uses the default policy combination validator.
Parameters:
- type - The entity type, such as openid_relying_party. Must not be null.
Returns:
- The combined metadata policy, with no policy operations if no policies were found.
Throws:
- PolicyViolationException - On a policy violation.

resolveCombinedMetadataPolicy
public MetadataPolicy resolveCombinedMetadataPolicy(EntityType type, PolicyOperationCombinationValidator combinationValidator) throws PolicyViolationException
Resolves the combined metadata policy for this trust chain.
Parameters:
- type - The entity type, such as openid_relying_party. Must not be null.
- combinationValidator - The policy operation combination validator. Must not be null.
Returns:
- The combined metadata policy, with no policy operations if no policies were found.
Throws:
- PolicyViolationException - On a policy violation.
iteratorFromLeaf
public Iterator<EntityStatement> iteratorFromLeaf()
Returns an iterator starting from the leaf entity statement. The optional trust anchor entity configuration is omitted.
Returns:
- The iterator.

resolveExpirationTime
public Date resolveExpirationTime()
Resolves the expiration time for this trust chain. Equals the earliest expiration time among all entity statements in the trust chain.
Returns:
- The expiration time for this trust chain.
verifySignatures
public void verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException
Verifies the signatures in this trust chain.
Parameters:
- trustAnchorJWKSet - The trust anchor JWK set. Must not be null.
Throws:
- com.nimbusds.jose.proc.BadJOSEException - If a signature is invalid or a statement is expired or before the issue time.
- com.nimbusds.jose.JOSEException - On an internal JOSE exception.

toJWTs
public List<com.nimbusds.jwt.SignedJWT> toJWTs()
Returns a JWT list representation of this trust chain.
Returns:
- The JWT list.

toSerializedJWTs
public List<String> toSerializedJWTs()
Returns a serialised JWT list representation of this trust chain.
Returns:
- The serialised JWT list.
parse
public static TrustChain parse(List<com.nimbusds.jwt.SignedJWT> statementJWTs) throws ParseException
Parses a trust chain from the specified JWT list.
Parameters:
- statementJWTs - The JWT list. Must not be null.
Returns:
- The trust chain.
Throws:
- ParseException - If parsing failed.

parseSerialized
public static TrustChain parseSerialized(List<String> statementJWTs) throws ParseException
Parses a trust chain from the specified serialised JWT list.
Parameters:
- statementJWTs - The serialised JWT list. Must not be null.
Returns:
- The trust chain.
Throws:
- ParseException - If parsing failed.
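The full validation flow these methods support (parse, check the anchor identity, verify signatures, bound the cache lifetime, resolve the combined policy), as an added example that is not part of the SDK or its documentation. It assumes the caller supplies the serialised JWTs, the expected anchor's EntityID and the anchor's JWK set (fetched out-of-band, never taken from the chain itself); TrustChainCheck and Result are hypothetical names, and the import packages for EntityID, EntityType, MetadataPolicy and PolicyViolationException follow the SDK's layout as assumed here and should be checked against the version in use.

```java
import java.util.Date;
import java.util.List;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityID;   // package assumed
import com.nimbusds.openid.connect.sdk.federation.entities.EntityType; // package assumed
import com.nimbusds.openid.connect.sdk.federation.policy.MetadataPolicy; // package assumed
import com.nimbusds.openid.connect.sdk.federation.policy.language.PolicyViolationException; // package assumed
import com.nimbusds.openid.connect.sdk.federation.trust.TrustChain;

/** Hypothetical helper (not part of the SDK) wrapping the TrustChain validation steps. */
public final class TrustChainCheck {

    /** Result of a successful validation: the combined policy and how long it may be cached. */
    public static final class Result {
        public final MetadataPolicy policy;
        public final Date validUntil;
        Result(MetadataPolicy policy, Date validUntil) { this.policy = policy; this.validUntil = validUntil; }
    }

    /**
     * @param serializedJWTs  The chain as serialised JWTs, leaf configuration first.
     * @param expectedAnchor  The trust anchor this deployment is configured to trust.
     * @param trustAnchorJWKs The anchor's JWK set, obtained out-of-band, never from the chain itself.
     * @param type            The entity type whose policy is wanted, e.g. openid_relying_party.
     */
    public static Result validate(List<String> serializedJWTs, EntityID expectedAnchor,
                                  JWKSet trustAnchorJWKs, EntityType type)
        throws ParseException, BadJOSEException, JOSEException, PolicyViolationException {
        // 1. Parse. This only checks subject/issuer linkage; no signature is verified yet.
        TrustChain chain = TrustChain.parseSerialized(serializedJWTs);
        // 2. A well-formed chain is worthless unless it ends at the anchor we chose.
        if (!expectedAnchor.equals(chain.getTrustAnchorEntityID())) {
            throw new BadJOSEException("Chain ends at unexpected trust anchor " + chain.getTrustAnchorEntityID());
        }
        // 3. Verify every signature back to the anchor's keys; this also rejects
        //    expired or not-yet-valid statements (BadJOSEException).
        chain.verifySignatures(trustAnchorJWKs);
        // 4. The chain is only as durable as its earliest-expiring statement.
        Date validUntil = chain.resolveExpirationTime();
        // 5. Combine the metadata policies of all superiors (default combination validator).
        MetadataPolicy policy = chain.resolveCombinedMetadataPolicy(type);
        return new Result(policy, validUntil);
    }
}
```

The constructor and the parse methods validate only the subject-issuer linkage, so the anchor-identity check and verifySignatures are what make the chain trustworthy; cache the result no longer than validUntil.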