java.lang.Object
- org.opensaml.saml.saml2.assertion.impl.AbstractSubjectConfirmationValidator
- - org.opensaml.saml.saml2.assertion.impl.HolderOfKeySubjectConfirmationValidator

All Implemented Interfaces:

SubjectConfirmationValidator
```
@ThreadSafe
public class HolderOfKeySubjectConfirmationValidator
extends AbstractSubjectConfirmationValidator
```
Validates a Holder of Key subject confirmation.
A subject confirmation is considered confirmed if one of the following checks has passed:
- the presenter's public key (either given explicitly or extracted from the given certificate) matches a KeyValue or DEREncodedKeyValue within one of the KeyInfo entries in the confirmation data
- the presenter's public cert matches an X509Certificate within one of the KeyInfo entries in the confirmation data
In both cases a "match" is determined via Java equals() comparison.

In addition to parameters defined in AbstractSubjectConfirmationValidator:

Supports the following ValidationContext static parameters:
- SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT: Optional if key is supplied, otherwise required.
- SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY: Optional if certificate is supplied, otherwise required.
If both key and certificate are supplied, the public key of the supplied certificate must match the supplied public key, otherwise a evaluation results in ValidationResult.INDETERMINATE.

Supports the following ValidationContext dynamic parameters:
- SAML2AssertionValidationParameters.SC_HOK_CONFIRMED_KEYINFO: Optional. Will be present after validation iff Holder of Key subject confirmation was successfully performed.

Field Summary

Fields
Modifier and Type Field Description

private org.slf4j.Logger log
Class logger.

Constructor Summary

Constructors
Constructor Description

HolderOfKeySubjectConfirmationValidator()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected ValidationResult`	`doValidate(SubjectConfirmation confirmation, Assertion assertion, ValidationContext context)`	Performs any further validation required for the specific confirmation method implementation.
`protected Pair<PublicKey,X509Certificate>`	`getKeyAndCertificate(ValidationContext context)`	Extracts the presenter's key and/or certificate from the validation context.
`String`	`getServicedMethod()`
`protected List<KeyInfo>`	`getSubjectConfirmationKeyInformation(SubjectConfirmation confirmation, Assertion assertion, ValidationContext context)`	Extracts the `KeyInfo`s from the given subject confirmation data.
`protected boolean`	`isValidConfirmationDataType(SubjectConfirmation confirmation)`	Checks to see whether the schema type of the subject confirmation data, if present, is the required `KeyInfoConfirmationDataType.TYPE_NAME`.
`protected boolean`	`matchesDEREncodedKeyValue(PublicKey key, List<DEREncodedKeyValue> derEncodedKeyValues)`	Checks whether the supplied public key matches one of the supplied `DEREncodedKeyValue` elements.
`protected boolean`	`matchesKeyValue(PublicKey key, List<KeyValue> keyValues)`	Checks whether the supplied public key matches one of the supplied `KeyValue` elements.
`protected boolean`	`matchesKeyValue(PublicKey key, KeyInfo keyInfo)`	Checks whether the supplied public key matches one of the keys in the given KeyInfo.
`protected boolean`	`matchesX509Certificate(X509Certificate cert, KeyInfo keyInfo)`	Checks whether the presenter's certificate matches a certificate described by the X509Data within the KeyInfo.

Methods inherited from class org.opensaml.saml.saml2.assertion.impl.AbstractSubjectConfirmationValidator
isAddressRequired, isInResponseToRequired, isNotBeforeRequired, isNotOnOrAfterRequired, isRecipientRequired, validate, validateAddress, validateInResponseTo, validateNotBefore, validateNotOnOrAfter, validateRecipient

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - log
```
private org.slf4j.Logger log
```
    Class logger.
- Constructor Detail
  - HolderOfKeySubjectConfirmationValidator
```
public HolderOfKeySubjectConfirmationValidator()
```
- Method Detail
  - getServicedMethod
```
@Nonnull
public String getServicedMethod()
```
  - doValidate
```
@Nonnull
protected ValidationResult doValidate(@Nonnull
                                      SubjectConfirmation confirmation,
                                      @Nonnull
                                      Assertion assertion,
                                      @Nonnull
                                      ValidationContext context)
                               throws AssertionValidationException
```
    Performs any further validation required for the specific confirmation method implementation.
    
    Specified by:
    
    doValidate in class AbstractSubjectConfirmationValidator
    
    Parameters:
    
    confirmation - confirmation method being validated
    
    assertion - assertion bearing the confirmation method
    
    context - current validation context
    
    Returns:
    
    the result of the validation evaluation
    
    Throws:
    
    AssertionValidationException - thrown if further validation finds the confirmation method to be invalid
  - isValidConfirmationDataType
```
protected boolean isValidConfirmationDataType(@Nonnull
                                              SubjectConfirmation confirmation)
                                       throws AssertionValidationException
```
    Checks to see whether the schema type of the subject confirmation data, if present, is the required KeyInfoConfirmationDataType.TYPE_NAME.
    
    Parameters:
    
    confirmation - subject confirmation bearing the confirmation data to be checked
    
    Returns:
    
    true if the confirmation data's schema type is correct, false otherwise
    
    Throws:
    
    AssertionValidationException - thrown if there is a problem validating the confirmation data type
  - getKeyAndCertificate
```
@Nonnull
protected Pair<PublicKey,X509Certificate> getKeyAndCertificate(@Nonnull
                                                                     ValidationContext context)
                                                              throws AssertionValidationException
```
    Extracts the presenter's key and/or certificate from the validation context.
    
    Parameters:
    
    context - current validation context
    
    Returns:
    
    the presenter's key/cert pair, information not available in the context is null
    
    Throws:
    
    AssertionValidationException - thrown if there is a problem obtaining the data
  - getSubjectConfirmationKeyInformation
```
@Nonnull
protected List<KeyInfo> getSubjectConfirmationKeyInformation(@Nonnull
                                                             SubjectConfirmation confirmation,
                                                             @Nonnull
                                                             Assertion assertion,
                                                             @Nonnull
                                                             ValidationContext context)
                                                      throws AssertionValidationException
```
    Extracts the KeyInfos from the given subject confirmation data.
    
    Parameters:
    
    confirmation - subject confirmation data
    
    assertion - assertion bearing the subject to be confirmed
    
    context - current message processing context
    
    Returns:
    
    list of key informations available in the subject confirmation data, never null
    
    Throws:
    
    AssertionValidationException - if there is a problem processing the SubjectConfirmation
  - matchesKeyValue
```
protected boolean matchesKeyValue(@Nullable
                                  PublicKey key,
                                  @Nonnull
                                  KeyInfo keyInfo)
                           throws AssertionValidationException
```
    Checks whether the supplied public key matches one of the keys in the given KeyInfo.
    Evaluates both KeyValue and DEREncodedKeyValue children of the KeyInfo.
    
    Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.
    
    Parameters:
    
    key - public key presenter of the assertion
    
    keyInfo - key info from subject confirmation of the assertion
    
    Returns:
    
    true if the public key in the certificate matches one of the key values in the key info, false otherwise
    
    Throws:
    
    AssertionValidationException - thrown if there is a problem matching the key value
  - matchesKeyValue
```
protected boolean matchesKeyValue(@Nonnull
                                  PublicKey key,
                                  @Nullable
                                  List<KeyValue> keyValues)
```
    Checks whether the supplied public key matches one of the supplied KeyValue elements.
    Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.
    
    Parameters:
    
    key - public key presenter of the assertion
    
    keyValues - candidate KeyValue elements
    
    Returns:
    
    true if the public key in the certificate matches one of the key values, false otherwise
  - matchesDEREncodedKeyValue
```
protected boolean matchesDEREncodedKeyValue(@Nonnull
                                            PublicKey key,
                                            @Nullable
                                            List<DEREncodedKeyValue> derEncodedKeyValues)
```
    Checks whether the supplied public key matches one of the supplied DEREncodedKeyValue elements.
    Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.
    
    Parameters:
    
    key - public key presenter of the assertion
    
    derEncodedKeyValues - candidate DEREncodedKeyValue elements
    
    Returns:
    
    true if the public key in the certificate matches one of the DER-encoded key values, false otherwise
  - matchesX509Certificate
```
protected boolean matchesX509Certificate(@Nullable
                                         X509Certificate cert,
                                         @Nonnull
                                         KeyInfo keyInfo)
                                  throws AssertionValidationException
```
    Checks whether the presenter's certificate matches a certificate described by the X509Data within the KeyInfo.
    Matches are performed using Java equals() against X509Certificates decoded from the KeyInfo data.
    
    Parameters:
    
    cert - certificate of the presenter of the assertion
    
    keyInfo - key info from subject confirmation of the assertion
    
    Returns:
    
    true if the presenter's certificate matches the key described by an X509Data within the KeyInfo, false otherwise.
    
    Throws:
    
    AssertionValidationException - thrown if there is a problem matching the certificate

Class HolderOfKeySubjectConfirmationValidator

Field Summary

Constructor Summary

Method Summary

Methods inherited from class org.opensaml.saml.saml2.assertion.impl.AbstractSubjectConfirmationValidator

Methods inherited from class java.lang.Object

Field Detail

log

Constructor Detail

HolderOfKeySubjectConfirmationValidator

Method Detail

getServicedMethod

doValidate

isValidConfirmationDataType

getKeyAndCertificate

getSubjectConfirmationKeyInformation

matchesKeyValue

matchesKeyValue

matchesDEREncodedKeyValue

matchesX509Certificate