Class InlineX509DataProvider

  • All Implemented Interfaces:
    KeyInfoProvider

    public class InlineX509DataProvider
    extends AbstractKeyInfoProvider
    Implementation of KeyInfoProvider which provides basic support for extracting an X509Credential from an X509Data child of KeyInfo. This provider supports only inline X509Certificate and X509CRL elements (no external references). If only one certificate is present, it is assumed to be the end-entity certificate containing the public key represented by this KeyInfo. If multiple certificates are present, and any instances of X509SubjectName, X509IssuerSerial, X509SKI, or X509Digest are also present, they will be used to identify the end-entity certificate, in accordance with the XML Signature specification. If a public key from a previously resolved KeyValue is available in the resolution context, it will also be used to identify the end-entity certificate. If the end-entity certificate cannot otherwise be identified, the cert contained in the first X509Certificate element will be treated as the end-entity certificate.
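    The following is an added usage example, not code from the OpenSAML project or this page. It wires an InlineX509DataProvider into a BasicProviderKeyInfoCredentialResolver, resolves a standalone ds:KeyInfo document read from a file path given on the command line (constructed input), and prints what the provider extracted. The package names follow OpenSAML 3.x/4.x and the demo class name and file-path argument are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Collections;
import java.util.List;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCriterion;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.signature.KeyInfo;

/** Constructed demo (not OpenSAML code): resolve an X509Credential from ds:KeyInfo with InlineX509DataProvider only. */
public final class InlineX509KeyInfoDemo {

    /** A resolver whose sole provider is InlineX509DataProvider; KeyValue/DEREncodedKeyValue children are ignored. */
    static KeyInfoCredentialResolver inlineX509Resolver() {
        List<KeyInfoProvider> providers = Collections.singletonList(new InlineX509DataProvider());
        return new BasicProviderKeyInfoCredentialResolver(providers);
    }

    /** Parse a standalone ds:KeyInfo element from a file; the path is supplied by the caller (assumed input). */
    static KeyInfo parseKeyInfo(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (KeyInfo) XMLObjectSupport.unmarshallFromInputStream(
                    XMLObjectProviderRegistrySupport.getParserPool(), in);
        }
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();      // registers XMLObject builders/unmarshallers and the parser pool
        KeyInfo keyInfo = parseKeyInfo(args[0]);

        // KeyInfoCriterion carries the element to resolve from. resolveSingle() asks each provider that
        // handles() a KeyInfo child to process() it and returns the first credential produced, or null.
        Credential cred = inlineX509Resolver().resolveSingle(new CriteriaSet(new KeyInfoCriterion(keyInfo)));
        if (!(cred instanceof X509Credential)) {
            System.out.println("no inline X509Data, or no certificate could be extracted");
            return;
        }
        X509Credential x509 = (X509Credential) cred;
        System.out.println("end-entity subject : " + x509.getEntityCertificate().getSubjectX500Principal());
        System.out.println("chain length       : " + x509.getEntityCertificateChain().size());
        System.out.println("CRLs               : " + (x509.getCRLs() == null ? 0 : x509.getCRLs().size()));
        // Nothing above establishes trust: the certificate came from the KeyInfo itself, i.e. from whoever
        // produced the signature. It still has to pass a trust engine (for example PKIXSignatureTrustEngine
        // or ExplicitKeySignatureTrustEngine) before its key is used to accept a signature.
    }
}
```

    The point to keep in mind when using this provider is the comment at the end of main: an inline X509Data is part of the signed message, so the extracted X509Credential is attacker-supplied until a trust engine has checked it against configured trusted keys or a PKIX validation set. The provider's job ends at extraction and end-entity selection.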
    • Field Detail

      • log

        private final org.slf4j.Logger log
        Class logger.
      • x500DNHandler

        private org.opensaml.security.x509.X500DNHandler x500DNHandler
        Responsible for parsing and serializing X.500 names to/from X500Principal instances.
    • Constructor Detail

      • InlineX509DataProvider

        public InlineX509DataProvider()
        Constructor.
    • Method Detail

      • getX500DNHandler

        @Nonnull
        public org.opensaml.security.x509.X500DNHandler getX500DNHandler()
        Get the handler which processes X.500 distinguished names.
        Returns:
        returns the X500DNHandler instance
      • setX500DNHandler

        public void setX500DNHandler​(@Nonnull
                                     org.opensaml.security.x509.X500DNHandler handler)
        Set the handler which processes X.500 distinguished names.
        Parameters:
        handler - the new X500DNHandler instance
      • handles

        public boolean handles​(@Nonnull
                               org.opensaml.core.xml.XMLObject keyInfoChild)
        Evaluate whether the given provider should attempt to handle resolving a credential from the specified KeyInfo child. An evaluation of true does not guarantee that a credential can or will be extracted from the particular KeyInfo child, only that processing should be attempted.
        Parameters:
        keyInfoChild - the KeyInfo child object to consider
        Returns:
        true if the provider should attempt to resolve credentials, false otherwise
      • process

        @Nullable
        public Collection<org.opensaml.security.credential.Credential> process​(@Nonnull
                                                                               org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver,
                                                                               @Nonnull
                                                                               org.opensaml.core.xml.XMLObject keyInfoChild,
                                                                               @Nullable
                                                                               net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                                               @Nonnull
                                                                               KeyInfoResolutionContext kiContext)
                                                                        throws org.opensaml.security.SecurityException
        Process a specified KeyInfo child (XMLobject) and attempt to resolve a credential from it.
        Parameters:
        resolver - reference to a resolver which is calling the provider
        keyInfoChild - the KeyInfo child being processed
        criteriaSet - the credential criteria the credential must satisfy
        kiContext - the resolution context, used for sharing state amongst resolvers and providers
        Returns:
        a resolved Credential collection, or null
        Throws:
        org.opensaml.security.SecurityException - if there is an error during credential resolution. Note: failure to resolve a credential is not an error.
      • extractCRLs

        @Nonnull
        private List<X509CRL> extractCRLs​(@Nonnull
                                          org.opensaml.xmlsec.signature.X509Data x509Data)
                                   throws org.opensaml.security.SecurityException
        Extract CRLs from the X509Data.
        Parameters:
        x509Data - the X509Data element
        Returns:
        a list of X509CRLs
        Throws:
        org.opensaml.security.SecurityException - thrown if there is an error extracting CRLs
      • extractCertificates

        @Nonnull
        private List<X509Certificate> extractCertificates​(@Nonnull
                                                          org.opensaml.xmlsec.signature.X509Data x509Data)
                                                   throws org.opensaml.security.SecurityException
        Extract certificates from the X509Data.
        Parameters:
        x509Data - the X509Data element
        Returns:
        a list of X509Certificates
        Throws:
        org.opensaml.security.SecurityException - thrown if there is an error extracting certificates
      • findEntityCert

        @Nullable
        protected X509Certificate findEntityCert​(@Nullable
                                                 List<X509Certificate> certs,
                                                 @Nonnull
                                                 org.opensaml.xmlsec.signature.X509Data x509Data,
                                                 @Nullable
                                                 PublicKey resolvedKey)
        Find the end-entity cert in the list of certs contained in the X509Data.
        Parameters:
        certs - list of X509Certificate
        x509Data - X509Data element which might contain other info that helps to find the end-entity cert
        resolvedKey - a key which might have previously been resolved from a KeyValue
        Returns:
        the end-entity certificate, if found
      • findCertFromKey

        @Nullable
        protected X509Certificate findCertFromKey​(@Nonnull
                                                  List<X509Certificate> certs,
                                                  @Nullable
                                                  PublicKey key)
        Find the certificate from the chain that contains the specified key.
        Parameters:
        certs - list of certificates to evaluate
        key - key to use as search criteria
        Returns:
        the matching certificate, or null
      • findCertFromSubjectNames

        @Nullable
        protected X509Certificate findCertFromSubjectNames​(@Nonnull
                                                           List<X509Certificate> certs,
                                                           @Nonnull
                                                           List<org.opensaml.xmlsec.signature.X509SubjectName> names)
        Find the certificate from the chain that contains one of the specified subject names.
        Parameters:
        certs - list of certificates to evaluate
        names - X509 subject names to use as search criteria
        Returns:
        the matching certificate, or null
      • findCertFromIssuerSerials

        @Nullable
        protected X509Certificate findCertFromIssuerSerials​(@Nonnull
                                                            List<X509Certificate> certs,
                                                            @Nonnull
                                                            List<org.opensaml.xmlsec.signature.X509IssuerSerial> serials)
        Find the certificate from the chain identified by one of the specified issuer serials.
        Parameters:
        certs - list of certificates to evaluate
        serials - X509 issuer serials to use as search criteria
        Returns:
        the matching certificate, or null
      • findCertFromSubjectKeyIdentifier

        @Nullable
        protected X509Certificate findCertFromSubjectKeyIdentifier​(@Nonnull
                                                                   List<X509Certificate> certs,
                                                                   @Nonnull
                                                                   List<org.opensaml.xmlsec.signature.X509SKI> skis)
        Find the certificate from the chain that contains one of the specified subject key identifiers.
        Parameters:
        certs - list of certificates to evaluate
        skis - X509 subject key identifiers to use as search criteria
        Returns:
        the matching certificate, or null
      • base64DecodeOrNull

        @Nullable
        private byte[] base64DecodeOrNull​(@Nonnull
                                          String base64Encoded)
        Base64 decode the input, returning null if there is an issue with decoding.
        Parameters:
        base64Encoded - the base64 encoded string.
        Returns:
        the base64 decoded byte array, or null if there is an issue decoding.
      • findCertFromDigest

        @Nullable
        protected X509Certificate findCertFromDigest​(@Nonnull
                                                     List<X509Certificate> certs,
                                                     @Nonnull
                                                     List<org.opensaml.xmlsec.signature.X509Digest> digests)
        Find the certificate from the chain that matches one of the specified digests.
        Parameters:
        certs - list of certificates to evaluate
        digests - X509 digests to use as search criteria
        Returns:
        the matching certificate, or null
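    The findCert* methods above describe how the end-entity certificate is picked out of a multi-certificate X509Data by key, subject name, issuer/serial, subject key identifier or digest. The following is an added illustration, not the provider's own code, of what each of those matches means at the JDK level, plus the fallback order the class description gives (single cert, then hints, then first cert). It takes a PEM chain file and an optional base64 SKI on the command line (constructed driver); the class name, method names and the choice of SHA-256 for the digest matcher are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/** Constructed illustration of end-entity selection criteria over java.security.cert.X509Certificate. */
public final class EntityCertMatchers {

    /** KeyValue match: the cert whose SubjectPublicKeyInfo equals the resolved key (DER compare, not reference). */
    static X509Certificate byPublicKey(List<X509Certificate> certs, PublicKey key) {
        if (key == null) return null;
        for (X509Certificate c : certs) {
            if (Arrays.equals(c.getPublicKey().getEncoded(), key.getEncoded())) return c;
        }
        return null;
    }

    /** X509SubjectName match via X500Principal, so differently serialised DNs ("CN=a,O=b" vs "O=b, CN=a") still compare equal. */
    static X509Certificate bySubjectName(List<X509Certificate> certs, List<String> names) {
        for (String n : names) {
            X500Principal want = new X500Principal(n);
            for (X509Certificate c : certs) {
                if (c.getSubjectX500Principal().equals(want)) return c;
            }
        }
        return null;
    }

    /** X509IssuerSerial match: issuer DN plus serial number, the pair a CA must keep unique. */
    static X509Certificate byIssuerSerial(List<X509Certificate> certs, String issuer, BigInteger serial) {
        X500Principal want = new X500Principal(issuer);
        for (X509Certificate c : certs) {
            if (c.getIssuerX500Principal().equals(want) && c.getSerialNumber().equals(serial)) return c;
        }
        return null;
    }

    /** X509SKI match: the SubjectKeyIdentifier extension (OID 2.5.29.14). getExtensionValue() returns the extension's
     *  DER OCTET STRING wrapper, and the SKI value inside is itself an OCTET STRING, hence two unwraps. */
    static X509Certificate bySki(List<X509Certificate> certs, byte[] ski) {
        for (X509Certificate c : certs) {
            byte[] ext = c.getExtensionValue("2.5.29.14");
            if (ext != null && Arrays.equals(unwrapOctetString(unwrapOctetString(ext)), ski)) return c;
        }
        return null;
    }

    /** X509Digest match: digest of the DER-encoded certificate; jcaAlg is assumed to be SHA-256 here. */
    static X509Certificate byDigest(List<X509Certificate> certs, String jcaAlg, byte[] digest) throws Exception {
        MessageDigest md = MessageDigest.getInstance(jcaAlg);
        for (X509Certificate c : certs) {
            if (MessageDigest.isEqual(md.digest(c.getEncoded()), digest)) return c;  // constant-time compare
        }
        return null;
    }

    /** Strip one DER OCTET STRING header (tag 0x04, short or long length form) and return its contents. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) throw new IllegalArgumentException("not a DER OCTET STRING");
        int len = der[1] & 0xFF, off = 2;
        if (len > 0x80) {                              // long form: low 7 bits give the number of length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[off++] & 0xFF);
        }
        return Arrays.copyOfRange(der, off, off + len);
    }

    /** Load every certificate from a PEM (possibly concatenated) or DER file. */
    static List<X509Certificate> load(String path) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (java.security.cert.Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Usage: java EntityCertMatchers chain.pem [base64-SKI]   (constructed driver showing the fallback order). */
    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs = load(args[0]);
        X509Certificate entity = null;
        if (certs.size() == 1) {
            entity = certs.get(0);                                           // one cert: assumed end-entity
        } else if (args.length > 1) {
            entity = bySki(certs, Base64.getDecoder().decode(args[1]));     // a hint is present: honour it
        }
        if (entity == null) entity = certs.get(0);                           // otherwise: first certificate wins
        System.out.println("end-entity: " + entity.getSubjectX500Principal());
    }
}
```

    Two details matter in practice. Subject-name and issuer-serial hints should be compared as parsed X500Principal values rather than as strings, since the same DN can be serialised several ways; and a ds:X509SKI carries the raw key identifier bytes, not the DER-wrapped extension value, so a hint built by copying getExtensionValue() output verbatim will never match. None of these matchers establish trust on their own: they only decide which certificate in the X509Data is treated as the end-entity.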