Class BaseSignatureTrustEngine<TrustBasisType>

  • Type Parameters:
    TrustBasisType - the type of trusted information which has been resolved and which will serve as the basis for trust evaluation
  • All Implemented Interfaces:
    org.opensaml.security.trust.TrustEngine<org.opensaml.xmlsec.signature.Signature>, org.opensaml.xmlsec.signature.support.SignatureTrustEngine
  • Direct Known Subclasses:
    ExplicitKeySignatureTrustEngine, PKIXSignatureTrustEngine

    public abstract class BaseSignatureTrustEngine<TrustBasisType>
    extends Object
    implements org.opensaml.xmlsec.signature.support.SignatureTrustEngine
    A base implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures.

    When processing XML signatures, the supplied KeyInfoCredentialResolver will be used to resolve credential(s) containing the (advisory) signing key from the KeyInfo element of the Signature, if present. If any of these credentials do contain the valid signing key, they will be evaluated for trustworthiness against trusted information, which will be resolved in an implementation-specific manner.

    Subclasses are required to implement evaluateTrust(Credential, Object) using an implementation-specific trust model.

    • Field Summary

      Fields 
      Modifier and Type Field Description
      private org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoCredentialResolver
      KeyInfo credential resolver used to obtain the signing credential from a Signature's KeyInfo.
      private org.slf4j.Logger log
      Class logger.
    • Constructor Summary

      Constructors 
      Constructor Description
      BaseSignatureTrustEngine(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
      Constructor.
    • Method Summary

      Modifier and Type Method Description
      protected void checkParams(org.opensaml.xmlsec.signature.Signature signature, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
      Check the signature and credential criteria for required values.
      protected void checkParamsRaw(byte[] signature, byte[] content, String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
      Check the signature and credential criteria for required values.
      protected abstract boolean doValidate(byte[] signature, byte[] content, String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, org.opensaml.security.credential.Credential candidateCredential)
      Determines whether a raw signature over specified content is valid and signed by a trusted credential.
      protected abstract boolean doValidate(org.opensaml.xmlsec.signature.Signature signature, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
      Validate the signature using the supplied trust criteria.
      protected abstract boolean evaluateTrust(org.opensaml.security.credential.Credential untrustedCredential, TrustBasisType trustBasis)
      Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
      org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver getKeyInfoResolver()
      boolean validate(byte[] signature, byte[] content, String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, org.opensaml.security.credential.Credential candidateCredential)
      boolean validate(org.opensaml.xmlsec.signature.Signature signature, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
      protected boolean validate(org.opensaml.xmlsec.signature.Signature signature, TrustBasisType trustBasis)
      Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo.
      protected boolean verifySignature(org.opensaml.xmlsec.signature.Signature signature, org.opensaml.security.credential.Credential credential)
      Attempt to verify a signature using the key from the supplied credential.
    • Field Detail

      • log

        private final org.slf4j.Logger log
        Class logger.
      • keyInfoCredentialResolver

        private final org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoCredentialResolver
        KeyInfo credential resolver used to obtain the signing credential from a Signature's KeyInfo.
    • Constructor Detail

      • BaseSignatureTrustEngine

        public BaseSignatureTrustEngine(@Nonnull
                                        org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
        Constructor.
        Parameters:
        keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
    • Method Detail

      • getKeyInfoResolver

        @Nullable
        public org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver getKeyInfoResolver()
        Specified by:
        getKeyInfoResolver in interface org.opensaml.xmlsec.signature.support.SignatureTrustEngine
      • validate

        public final boolean validate(@Nonnull
                                      org.opensaml.xmlsec.signature.Signature signature,
                                      @Nullable
                                      net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
                               throws org.opensaml.security.SecurityException
        Specified by:
        validate in interface org.opensaml.security.trust.TrustEngine<TrustBasisType>
        Throws:
        org.opensaml.security.SecurityException
      • doValidate

        protected abstract boolean doValidate(@Nonnull
                                              org.opensaml.xmlsec.signature.Signature signature,
                                              @Nullable
                                              net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
                                       throws org.opensaml.security.SecurityException
        Validate the signature using the supplied trust criteria.
        Parameters:
        signature - the signature to validate
        trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
        Returns:
        true if signature is valid and trusted, false otherwise
        Throws:
        org.opensaml.security.SecurityException - if there is a fatal error evaluating the signature
      • validate

        public final boolean validate(@Nonnull
                                      byte[] signature,
                                      @Nonnull
                                      byte[] content,
                                      @Nonnull
                                      String algorithmURI,
                                      @Nullable
                                      net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria,
                                      @Nullable
                                      org.opensaml.security.credential.Credential candidateCredential)
                               throws org.opensaml.security.SecurityException
        Specified by:
        validate in interface org.opensaml.xmlsec.signature.support.SignatureTrustEngine
        Throws:
        org.opensaml.security.SecurityException
      • doValidate

        protected abstract boolean doValidate(@Nonnull
                                              byte[] signature,
                                              @Nonnull
                                              byte[] content,
                                              @Nonnull
                                              String algorithmURI,
                                              @Nullable
                                              net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria,
                                              @Nullable
                                              org.opensaml.security.credential.Credential candidateCredential)
                                       throws org.opensaml.security.SecurityException
        Determines whether a raw signature over specified content is valid and signed by a trusted credential.

        A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.

        If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.

        Parameters:
        signature - the signature value
        content - the content that was signed
        algorithmURI - the signature algorithm URI which was used to sign the content
        trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
        candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)
        Returns:
        true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false
        Throws:
        org.opensaml.security.SecurityException - thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported
      • validate

        protected boolean validate(@Nonnull
                                   org.opensaml.xmlsec.signature.Signature signature,
                                   @Nullable
                                   TrustBasisType trustBasis)
                            throws org.opensaml.security.SecurityException
        Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo. If any credentials so resolved correctly verify the signature, attempt to establish trust using subclass-specific trust logic against trusted information as implemented in evaluateTrust(Credential, Object).
        Parameters:
        signature - the Signature to evaluate
        trustBasis - the information which serves as the basis for trust evaluation
        Returns:
        true if the signature is verified by any KeyInfo-derived credential which can be established as trusted, otherwise false
        Throws:
        org.opensaml.security.SecurityException - if an error occurs during signature verification or trust processing
      • evaluateTrust

        protected abstract boolean evaluateTrust(@Nonnull
                                                 org.opensaml.security.credential.Credential untrustedCredential,
                                                 @Nullable
                                                 TrustBasisType trustBasis)
                                          throws org.opensaml.security.SecurityException
        Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
        Parameters:
        untrustedCredential - the untrusted credential being evaluated
        trustBasis - the information which serves as the basis for trust evaluation
        Returns:
        true if the trust can be established for the untrusted credential, otherwise false
        Throws:
        org.opensaml.security.SecurityException - if an error occurs during trust processing
      • verifySignature

        protected boolean verifySignature(@Nonnull
                                          org.opensaml.xmlsec.signature.Signature signature,
                                          @Nonnull
                                          org.opensaml.security.credential.Credential credential)
        Attempt to verify a signature using the key from the supplied credential.
        Parameters:
        signature - the signature on which to attempt verification
        credential - the credential containing the candidate validation key
        Returns:
        true if the signature can be verified using the key from the credential, otherwise false
      • checkParams

        protected void checkParams(@Nonnull
                                   org.opensaml.xmlsec.signature.Signature signature,
                                   @Nonnull
                                   net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
                            throws org.opensaml.security.SecurityException
        Check the signature and credential criteria for required values.
        Parameters:
        signature - the signature to be evaluated
        trustBasisCriteria - the set of trusted credential criteria
        Throws:
        org.opensaml.security.SecurityException - thrown if required values are absent or otherwise invalid
      • checkParamsRaw

        protected void checkParamsRaw(@Nonnull
                                      byte[] signature,
                                      @Nonnull
                                      byte[] content,
                                      @Nonnull
                                      String algorithmURI,
                                      @Nonnull
                                      net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
                               throws org.opensaml.security.SecurityException
        Check the signature and credential criteria for required values.
        Parameters:
        signature - the signature to be evaluated
        content - the data over which the signature was computed
        algorithmURI - the signing algorithm URI which was used
        trustBasisCriteria - the set of trusted credential criteria
        Throws:
        org.opensaml.security.SecurityException - thrown if required values are absent or otherwise invalid
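    As an added example (not OpenSAML's own ExplicitKeySignatureTrustEngine and not code from this page), a minimal subclass that implements the contract described in the class overview, validate(Signature, TrustBasisType) and the raw doValidate: the KeyInfo-derived key is only advisory, so the signature is first verified with it and trust is then established separately by matching the key against a pinned set. It assumes the base class lives in org.opensaml.xmlsec.signature.support.impl and that org.opensaml.xmlsec.crypto.XMLSigningUtil.verifyWithURI is available for raw verification; the PinnedKeySignatureTrustEngine name is hypothetical.

```java
import java.security.PublicKey;
import java.util.HashSet;
import java.util.Set;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine;

/** Illustrative engine (not part of OpenSAML): the trust basis is a fixed set of pinned public keys. */
public final class PinnedKeySignatureTrustEngine extends BaseSignatureTrustEngine<Set<PublicKey>> {

    // Keys provisioned out of band (e.g. from verified metadata). Nothing in a message can add to this set.
    private final Set<PublicKey> pinnedKeys;

    public PinnedKeySignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver, Set<PublicKey> pinnedKeys) {
        super(keyInfoResolver);
        this.pinnedKeys = new HashSet<>(pinnedKeys);
    }

    @Override
    protected boolean doValidate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {
        checkParams(signature, trustBasisCriteria); // inherited: throws if required values are absent
        // The inherited validate(Signature, TrustBasisType) resolves the advisory credentials from KeyInfo,
        // keeps the one that verifies the signature, then asks evaluateTrust() whether that key is trusted.
        return validate(signature, pinnedKeys);
    }

    @Override
    protected boolean doValidate(byte[] signature, byte[] content, String algorithmURI,
            CriteriaSet trustBasisCriteria, Credential candidateCredential) throws SecurityException {
        checkParamsRaw(signature, content, algorithmURI, trustBasisCriteria);
        if (candidateCredential == null) {
            return false; // this illustration has no other way to resolve a verification key
        }
        // Order matters: a cryptographically valid signature under an untrusted key is still a failure.
        return XMLSigningUtil.verifyWithURI(candidateCredential, algorithmURI, signature, content)
                && evaluateTrust(candidateCredential, pinnedKeys);
    }

    @Override
    protected boolean evaluateTrust(Credential untrustedCredential, Set<PublicKey> trustBasis) {
        // The credential came from the message's own KeyInfo, so it is untrusted until matched against a pinned key.
        PublicKey key = untrustedCredential.getPublicKey();
        return key != null && trustBasis != null && trustBasis.contains(key);
    }
}
```

    An evaluateTrust that returned true without consulting trustBasis would make the engine accept any key the sender chose to place in KeyInfo, which is exactly the failure the two-step design exists to prevent.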