Class InlineX509DataProvider
- java.lang.Object
  - org.opensaml.xmlsec.keyinfo.impl.provider.AbstractKeyInfoProvider
    - org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider
- All Implemented Interfaces:
  KeyInfoProvider
public class InlineX509DataProvider extends AbstractKeyInfoProvider
Implementation of KeyInfoProvider which provides basic support for extracting an X509Credential from an X509Data child of KeyInfo. This provider supports only inline X509Certificate and X509CRL elements. If only one certificate is present, it is assumed to be the end-entity certificate containing the public key represented by this KeyInfo. If multiple certificates are present, and any instances of X509SubjectName, X509IssuerSerial, X509SKI, or X509Digest are also present, they will be used to identify the end-entity certificate, in accordance with the XML Signature specification. If a public key from a previously resolved KeyValue is available in the resolution context, it will also be used to identify the end-entity certificate. If the end-entity certificate cannot otherwise be identified, the certificate contained in the first X509Certificate element is treated as the end-entity certificate.
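The following is an added example, not OpenSAML's own code, showing how this provider is driven in practice: a KeyInfoCredentialResolver is built with only an InlineX509DataProvider registered, a KeyInfo is fed to it through a KeyInfoCriterion, and the resulting X509Credential is inspected to see which certificate was chosen as the end-entity certificate and which selection hints (X509SubjectName, X509IssuerSerial, X509SKI, X509Digest) the X509Data offered. The class name ResolveInlineX509 and the convention that the KeyInfo XML is read from the file named by the first command-line argument are assumptions of the example. The security point it makes explicit is that a KeyInfoProvider only parses what the sender placed inline; it establishes no trust, so the resolved certificate must still be evaluated against a trust engine before any signature it verifies is accepted.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.X509Certificate;
import java.util.List;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.keyinfo.KeyInfoCriterion;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.X509Data;

/**
 * Added example (not OpenSAML code): resolve the credential carried inline in a
 * ds:KeyInfo using only InlineX509DataProvider, and report which certificate the
 * provider chose as the end-entity certificate and which hints were available
 * to it. Assumption: args[0] names a file whose root element is a ds:KeyInfo.
 */
public final class ResolveInlineX509 {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: ResolveInlineX509 <keyinfo.xml>");
            System.exit(2);
        }

        // Bootstrap the XMLObject provider registry and the shared parser pool.
        InitializationService.initialize();

        KeyInfo keyInfo = parseKeyInfo(Path.of(args[0]));
        describeHints(keyInfo);

        // Only the inline X509Data provider is registered, so KeyValue and
        // RetrievalMethod children are ignored: no KeyValue is resolved into the
        // context, and end-entity selection is driven by the X509Data hints alone.
        List<KeyInfoProvider> providers = List.of(new InlineX509DataProvider());
        BasicProviderKeyInfoCredentialResolver resolver =
                new BasicProviderKeyInfoCredentialResolver(providers);

        CriteriaSet criteria = new CriteriaSet(new KeyInfoCriterion(keyInfo));
        int found = 0;
        for (Credential cred : resolver.resolve(criteria)) {
            if (!(cred instanceof X509Credential)) {
                continue;
            }
            found++;
            X509Credential x509 = (X509Credential) cred;
            X509Certificate entity = x509.getEntityCertificate();
            System.out.println("end-entity subject : " + entity.getSubjectX500Principal());
            System.out.println("end-entity serial  : " + entity.getSerialNumber().toString(16));
            System.out.println("chain length       : " + x509.getEntityCertificateChain().size());
            System.out.println("CRLs carried       : "
                    + (x509.getCRLs() == null ? 0 : x509.getCRLs().size()));
            // Nothing above establishes that this certificate is trustworthy; the
            // resolver only parsed what the sender put in the KeyInfo. Hand the
            // credential to a trust engine before accepting any signature with it.
            System.out.println("trust status       : UNVERIFIED (inline KeyInfo data)");
        }
        if (found == 0) {
            System.out.println("no X509Credential resolved from this KeyInfo");
        }
    }

    /** Unmarshals the file into an XMLObject and checks that it is a ds:KeyInfo. */
    private static KeyInfo parseKeyInfo(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            XMLObject parsed = XMLObjectSupport.unmarshallFromInputStream(
                    XMLObjectProviderRegistrySupport.getParserPool(), in);
            if (!(parsed instanceof KeyInfo)) {
                throw new IllegalArgumentException(
                        "root element is not ds:KeyInfo: " + parsed.getElementQName());
            }
            return (KeyInfo) parsed;
        }
    }

    /** Prints the inputs the provider's end-entity selection can draw on. */
    private static void describeHints(KeyInfo keyInfo) {
        for (X509Data data : keyInfo.getX509Datas()) {
            System.out.println("X509Data: "
                    + data.getX509Certificates().size() + " certificate(s), "
                    + data.getX509CRLs().size() + " CRL(s), hints: "
                    + data.getX509SubjectNames().size() + " SubjectName, "
                    + data.getX509IssuerSerials().size() + " IssuerSerial, "
                    + data.getX509SKIs().size() + " SKI, "
                    + data.getX509Digests().size() + " Digest");
        }
    }
}
```

Compile against opensaml-xmlsec-impl (and its transitive opensaml-core and opensaml-security dependencies) and run it on a KeyInfo fragment that carries two or more X509Certificate elements, once with and once without an X509SKI or X509IssuerSerial hint, to watch the selected end-entity certificate change as described in the class documentation. The "UNVERIFIED" line is the reminder that resolution is not validation: in a real verifier the X509Credential goes on to an ExplicitKeyTrustEngine (trusted-key match) or PKIXX509CredentialTrustEngine (path validation), and a signature is accepted only if that evaluation succeeds.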
Field Summary
- private org.slf4j.Logger log
  Class logger.
- private org.opensaml.security.x509.X500DNHandler x500DNHandler
  Responsible for parsing and serializing X.500 names to/from X500Principal instances.
Constructor Summary
- InlineX509DataProvider()
  Constructor.
Method Summary
- private byte[] base64DecodeOrNull(String base64Encoded)
  Base64 decode the input, returning null if there is an issue with decoding.
- private List<X509Certificate> extractCertificates(org.opensaml.xmlsec.signature.X509Data x509Data)
  Extract certificates from the X509Data.
- private List<X509CRL> extractCRLs(org.opensaml.xmlsec.signature.X509Data x509Data)
  Extract CRLs from the X509Data.
- protected X509Certificate findCertFromDigest(List<X509Certificate> certs, List<org.opensaml.xmlsec.signature.X509Digest> digests)
  Find the certificate from the chain that matches one of the specified digests.
- protected X509Certificate findCertFromIssuerSerials(List<X509Certificate> certs, List<org.opensaml.xmlsec.signature.X509IssuerSerial> serials)
  Find the certificate from the chain identified by one of the specified issuer serials.
- protected X509Certificate findCertFromKey(List<X509Certificate> certs, PublicKey key)
  Find the certificate from the chain that contains the specified key.
- protected X509Certificate findCertFromSubjectKeyIdentifier(List<X509Certificate> certs, List<org.opensaml.xmlsec.signature.X509SKI> skis)
  Find the certificate from the chain that contains one of the specified subject key identifiers.
- protected X509Certificate findCertFromSubjectNames(List<X509Certificate> certs, List<org.opensaml.xmlsec.signature.X509SubjectName> names)
  Find the certificate from the chain that contains one of the specified subject names.
- protected X509Certificate findEntityCert(List<X509Certificate> certs, org.opensaml.xmlsec.signature.X509Data x509Data, PublicKey resolvedKey)
  Find the end-entity cert in the list of certs contained in the X509Data.
- org.opensaml.security.x509.X500DNHandler getX500DNHandler()
  Get the handler which processes X.500 distinguished names.
- boolean handles(org.opensaml.core.xml.XMLObject keyInfoChild)
  Evaluate whether the given provider should attempt to handle resolving a credential from the specified KeyInfo child.
- Collection<org.opensaml.security.credential.Credential> process(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver, org.opensaml.core.xml.XMLObject keyInfoChild, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext)
  Process a specified KeyInfo child (XMLObject) and attempt to resolve a credential from it.
- void setX500DNHandler(org.opensaml.security.x509.X500DNHandler handler)
  Set the handler which processes X.500 distinguished names.
- Methods inherited from class org.opensaml.xmlsec.keyinfo.impl.provider.AbstractKeyInfoProvider:
  buildCredentialContext, extractKeyValue
Field Detail
- log
  private final org.slf4j.Logger log
  Class logger.
- x500DNHandler
  private org.opensaml.security.x509.X500DNHandler x500DNHandler
  Responsible for parsing and serializing X.500 names to/from X500Principal instances.
Method Detail
- getX500DNHandler
  @Nonnull public org.opensaml.security.x509.X500DNHandler getX500DNHandler()
  Get the handler which processes X.500 distinguished names.
  Returns:
    the X500DNHandler instance
- setX500DNHandler
  public void setX500DNHandler(@Nonnull org.opensaml.security.x509.X500DNHandler handler)
  Set the handler which processes X.500 distinguished names.
  Parameters:
    handler - the new X500DNHandler instance
- handles
  public boolean handles(@Nonnull org.opensaml.core.xml.XMLObject keyInfoChild)
  Evaluate whether the given provider should attempt to handle resolving a credential from the specified KeyInfo child. An evaluation of true does not guarantee that a credential can or will be extracted from the particular KeyInfo child, only that processing should be attempted.
  Parameters:
    keyInfoChild - the KeyInfo child object to consider
  Returns:
    true if the provider should attempt to resolve credentials, false otherwise
- process
  @Nullable public Collection<org.opensaml.security.credential.Credential> process(@Nonnull org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver, @Nonnull org.opensaml.core.xml.XMLObject keyInfoChild, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, @Nonnull KeyInfoResolutionContext kiContext) throws org.opensaml.security.SecurityException
  Process a specified KeyInfo child (XMLObject) and attempt to resolve a credential from it.
  Parameters:
    resolver - reference to the resolver which is calling the provider
    keyInfoChild - the KeyInfo child being processed
    criteriaSet - the credential criteria the credential must satisfy
    kiContext - the resolution context, used for sharing state amongst resolvers and providers
  Returns:
    a resolved Credential collection, or null
  Throws:
    org.opensaml.security.SecurityException - if there is an error during credential resolution. Note: failure to resolve a credential is not an error.
- extractCRLs
  @Nonnull private List<X509CRL> extractCRLs(@Nonnull org.opensaml.xmlsec.signature.X509Data x509Data) throws org.opensaml.security.SecurityException
  Extract CRLs from the X509Data.
  Parameters:
    x509Data - the X509Data element
  Returns:
    a list of X509CRLs
  Throws:
    org.opensaml.security.SecurityException - thrown if there is an error extracting CRLs
- extractCertificates
  @Nonnull private List<X509Certificate> extractCertificates(@Nonnull org.opensaml.xmlsec.signature.X509Data x509Data) throws org.opensaml.security.SecurityException
  Extract certificates from the X509Data.
  Parameters:
    x509Data - the X509Data element
  Returns:
    a list of X509Certificates
  Throws:
    org.opensaml.security.SecurityException - thrown if there is an error extracting certificates
- findEntityCert
  @Nullable protected X509Certificate findEntityCert(@Nullable List<X509Certificate> certs, @Nonnull org.opensaml.xmlsec.signature.X509Data x509Data, @Nullable PublicKey resolvedKey)
  Find the end-entity cert in the list of certs contained in the X509Data.
  Parameters:
    certs - list of X509Certificate
    x509Data - X509Data element which might contain other info that helps to find the end-entity cert
    resolvedKey - a key which might have previously been resolved from a KeyValue
  Returns:
    the end-entity certificate, if found
- findCertFromKey
  @Nullable protected X509Certificate findCertFromKey(@Nonnull List<X509Certificate> certs, @Nullable PublicKey key)
  Find the certificate from the chain that contains the specified key.
  Parameters:
    certs - list of certificates to evaluate
    key - key to use as search criteria
  Returns:
    the matching certificate, or null
- findCertFromSubjectNames
  @Nullable protected X509Certificate findCertFromSubjectNames(@Nonnull List<X509Certificate> certs, @Nonnull List<org.opensaml.xmlsec.signature.X509SubjectName> names)
  Find the certificate from the chain that contains one of the specified subject names.
  Parameters:
    certs - list of certificates to evaluate
    names - X509 subject names to use as search criteria
  Returns:
    the matching certificate, or null
- findCertFromIssuerSerials
  @Nullable protected X509Certificate findCertFromIssuerSerials(@Nonnull List<X509Certificate> certs, @Nonnull List<org.opensaml.xmlsec.signature.X509IssuerSerial> serials)
  Find the certificate from the chain identified by one of the specified issuer serials.
  Parameters:
    certs - list of certificates to evaluate
    serials - X509 issuer serials to use as search criteria
  Returns:
    the matching certificate, or null
- findCertFromSubjectKeyIdentifier
  @Nullable protected X509Certificate findCertFromSubjectKeyIdentifier(@Nonnull List<X509Certificate> certs, @Nonnull List<org.opensaml.xmlsec.signature.X509SKI> skis)
  Find the certificate from the chain that contains one of the specified subject key identifiers.
  Parameters:
    certs - list of certificates to evaluate
    skis - X509 subject key identifiers to use as search criteria
  Returns:
    the matching certificate, or null
- base64DecodeOrNull
  @Nullable private byte[] base64DecodeOrNull(@Nonnull String base64Encoded)
  Base64 decode the input, returning null if there is an issue with decoding.
  Parameters:
    base64Encoded - the base64 encoded string
  Returns:
    the base64 decoded byte array, or null if there is an issue decoding
- findCertFromDigest
  @Nullable protected X509Certificate findCertFromDigest(@Nonnull List<X509Certificate> certs, @Nonnull List<org.opensaml.xmlsec.signature.X509Digest> digests)
  Find the certificate from the chain that matches one of the specified digests.
  Parameters:
    certs - list of certificates to evaluate
    digests - X509 digests to use as search criteria
  Returns:
    the matching certificate, or null