Class ExplicitKeySignatureTrustEngine
- java.lang.Object
- org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine<Iterable<org.opensaml.security.credential.Credential>>
- org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine

All Implemented Interfaces:
- org.opensaml.security.trust.TrustedCredentialTrustEngine<org.opensaml.xmlsec.signature.Signature>
- org.opensaml.security.trust.TrustEngine<org.opensaml.xmlsec.signature.Signature>
- org.opensaml.xmlsec.signature.support.SignatureTrustEngine

public class ExplicitKeySignatureTrustEngine extends BaseSignatureTrustEngine<Iterable<org.opensaml.security.credential.Credential>> implements org.opensaml.security.trust.TrustedCredentialTrustEngine<org.opensaml.xmlsec.signature.Signature>
An implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures. Processing is first performed as described in BaseSignatureTrustEngine. If, based on this processing, it is determined that the Signature's KeyInfo is not present or does not contain a resolvable valid (and trusted) signing key, then all trusted credentials obtained by the trusted credential resolver will be used to attempt to validate the signature.
-
Field Summary
- private org.opensaml.security.credential.CredentialResolver credentialResolver
  Resolver used for resolving trusted credentials.
- private org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator keyTrust
  The external explicit key trust engine to use as a basis for trust in this implementation.
- private org.slf4j.Logger log
  Class logger.
-
Constructor Summary
- ExplicitKeySignatureTrustEngine(org.opensaml.security.credential.CredentialResolver resolver, org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
  Constructor.
-
Method Summary
- protected boolean doValidate(byte[] signature, byte[] content, String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, org.opensaml.security.credential.Credential candidateCredential)
  Determines whether a raw signature over specified content is valid and signed by a trusted credential.
- protected boolean doValidate(org.opensaml.xmlsec.signature.Signature signature, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
  Validate the signature using the supplied trust criteria.
- protected boolean evaluateTrust(org.opensaml.security.credential.Credential untrustedCredential, Iterable<org.opensaml.security.credential.Credential> trustedCredentials)
  Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
- org.opensaml.security.credential.CredentialResolver getCredentialResolver()

Methods inherited from class org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine
checkParams, checkParamsRaw, getKeyInfoResolver, validate, validate, validate, verifySignature
-
Field Detail
-
log
private final org.slf4j.Logger log
Class logger.
-
credentialResolver
private final org.opensaml.security.credential.CredentialResolver credentialResolver
Resolver used for resolving trusted credentials.
-
keyTrust
private final org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator keyTrust
The external explicit key trust engine to use as a basis for trust in this implementation.
-
Constructor Detail
-
ExplicitKeySignatureTrustEngine
public ExplicitKeySignatureTrustEngine(@Nonnull @ParameterName(name="resolver") org.opensaml.security.credential.CredentialResolver resolver, @Nonnull @ParameterName(name="keyInfoResolver") org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
Constructor.
- Parameters:
  resolver - credential resolver used to resolve trusted credentials.
  keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
-
Method Detail
-
getCredentialResolver
@Nonnull public org.opensaml.security.credential.CredentialResolver getCredentialResolver()
- Specified by:
  getCredentialResolver in interface org.opensaml.security.trust.TrustedCredentialTrustEngine<org.opensaml.xmlsec.signature.Signature>
-
doValidate
protected boolean doValidate(@Nonnull org.opensaml.xmlsec.signature.Signature signature, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws org.opensaml.security.SecurityException
Validate the signature using the supplied trust criteria.
- Specified by:
  doValidate in class BaseSignatureTrustEngine<Iterable<org.opensaml.security.credential.Credential>>
- Parameters:
  signature - the signature to validate
  trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
- Returns:
  true if signature is valid and trusted, false otherwise
- Throws:
  org.opensaml.security.SecurityException - if there is a fatal error evaluating the signature
-
doValidate
protected boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, @Nullable org.opensaml.security.credential.Credential candidateCredential) throws org.opensaml.security.SecurityException
Determines whether a raw signature over specified content is valid and signed by a trusted credential. A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.
If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.
- Specified by:
  doValidate in class BaseSignatureTrustEngine<Iterable<org.opensaml.security.credential.Credential>>
- Parameters:
  signature - the signature value
  content - the content that was signed
  algorithmURI - the signature algorithm URI which was used to sign the content
  trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
  candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)
- Returns:
  true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false
- Throws:
  org.opensaml.security.SecurityException - thrown if there is a problem attempting to verify the signature, such as the signature algorithm not being supported
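The following is an added example, not code from the OpenSAML project or this Javadoc. It shows the processing order the class description and the raw doValidate contract above describe: the engine is built from a fixed set of trusted credentials (a StaticCredentialResolver) plus a KeyInfo resolver, a raw signature is checked through the public validate(byte[], byte[], String, CriteriaSet, Credential) entry point with no candidate credential so that the engine falls back to the trusted resolver, and the XML Signature entry point is wrapped the same way. The issuer entity ID, the class and method names, and the in-memory RSA keys are constructed for the example.

```java
// Added example (not part of OpenSAML or its Javadoc). Assumes OpenSAML 3.x/4.x
// (net.shibboleth.utilities.java.support.resolver.CriteriaSet) and the
// opensaml-core, opensaml-security-api/impl and opensaml-xmlsec-api/impl jars on the classpath.
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.List;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

public final class ExplicitKeyTrustDemo {

    /** Hypothetical issuer entity ID, used as the trust-basis criterion. */
    static final String ISSUER = "https://idp.example.org/idp";

    /** Wrap a public key that was obtained out of band (e.g. from verified metadata) as a trusted credential. */
    static Credential trustedCredential(String entityId, PublicKey key) {
        BasicCredential cred = new BasicCredential(key);
        cred.setEntityId(entityId);
        cred.setUsageType(UsageType.SIGNING);
        return cred;
    }

    /**
     * Build the engine. Trust comes only from the static resolver; the KeyInfo resolver
     * merely extracts the advisory key a Signature carries so it can be compared against that set.
     */
    static ExplicitKeySignatureTrustEngine buildEngine(List<Credential> trusted) {
        List<KeyInfoProvider> providers =
                Arrays.asList(new RSAKeyValueProvider(), new InlineX509DataProvider());
        KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
        return new ExplicitKeySignatureTrustEngine(new StaticCredentialResolver(trusted), keyInfoResolver);
    }

    /** Raw path: sign bytes with JCA, then ask the engine whether the signature is both valid and trusted. */
    static boolean rawSignatureTrusted(ExplicitKeySignatureTrustEngine engine, KeyPair signer, byte[] content)
            throws Exception {
        java.security.Signature jca = java.security.Signature.getInstance("SHA256withRSA");
        jca.initSign(signer.getPrivate());
        jca.update(content);
        byte[] sig = jca.sign();
        CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(ISSUER));
        // candidateCredential is null, so the engine tries every credential the trusted resolver returns.
        return engine.validate(sig, content, SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, criteria, null);
    }

    /** XML Signature path: KeyInfo is consulted first, but a key found there is accepted only if it is in the trusted set. */
    static boolean xmlSignatureTrusted(ExplicitKeySignatureTrustEngine engine, Signature signature)
            throws SecurityException {
        return engine.validate(signature, new CriteriaSet(new EntityIdCriterion(ISSUER)));
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();   // registers the algorithm URI -> JCA mappings used by validate()
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idpKey = gen.generateKeyPair();    // constructed: the key we have chosen to trust
        KeyPair otherKey = gen.generateKeyPair();  // constructed: a perfectly valid key nobody told us to trust

        ExplicitKeySignatureTrustEngine engine =
                buildEngine(Arrays.asList(trustedCredential(ISSUER, idpKey.getPublic())));
        byte[] content = "constructed sample content".getBytes(StandardCharsets.UTF_8);

        System.out.println("signed with trusted key: " + rawSignatureTrusted(engine, idpKey, content));
        System.out.println("signed with other key:   " + rawSignatureTrusted(engine, otherKey, content));
    }
}
```

By the return contract stated above, the first call reports true and the second false: the second signature is cryptographically valid for the content, but its key is not contained in any credential the trusted resolver returns, so no trust is established. That is the point of explicit key trust: a key supplied inside the message's own KeyInfo, or any key that merely verifies the bytes, never becomes trusted on its own. Note that this engine compares keys only; it does not evaluate certificate validity periods, revocation or chains (that is the role of the PKIX-based engine in the same package), so the credentials handed to the static resolver must already be the ones you intend to trust.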
-
evaluateTrust
protected boolean evaluateTrust(@Nonnull org.opensaml.security.credential.Credential untrustedCredential, @Nullable Iterable<org.opensaml.security.credential.Credential> trustedCredentials) throws org.opensaml.security.SecurityException
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
- Specified by:
  evaluateTrust in class BaseSignatureTrustEngine<Iterable<org.opensaml.security.credential.Credential>>
- Parameters:
  untrustedCredential - the untrusted credential being evaluated
  trustedCredentials - the information which serves as the basis for trust evaluation
- Returns:
  true if the trust can be established for the untrusted credential, otherwise false
- Throws:
  org.opensaml.security.SecurityException - if an error occurs during trust processing
-