Class PKIXSignatureTrustEngine

  • All Implemented Interfaces:
    org.opensaml.security.trust.TrustEngine<org.opensaml.xmlsec.signature.Signature>, org.opensaml.security.x509.PKIXTrustEngine<org.opensaml.xmlsec.signature.Signature>, org.opensaml.xmlsec.signature.support.SignatureTrustEngine

    public class PKIXSignatureTrustEngine
    extends BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>>>
    implements org.opensaml.security.x509.PKIXTrustEngine<org.opensaml.xmlsec.signature.Signature>
    An implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures.

    Processing is performed as described in BaseSignatureTrustEngine. If, based on this processing, the Signature's KeyInfo is absent or does not yield a signing key that both verifies the signature and can be established as trusted, then trust engine validation fails. Since the PKIX engine assumes that trusted signing keys are not known in advance, the signing key must be present in, or derivable from, the information in the Signature's KeyInfo element. That KeyInfo content is supplied by the signer and is treated as untrusted: the credential derived from it is accepted only after the configured PKIXTrustEvaluator validates its certificate path against the resolved trust anchors and, if a name evaluator is configured, the certificate carries one of the resolved trusted names.

    • Field Summary

      Fields 
      Modifier and Type Field Description
      private org.opensaml.security.x509.impl.X509CredentialNameEvaluator credNameEvaluator
      The external credential name evaluator used to establish trusted name compliance.
      private org.slf4j.Logger log
      Class logger.
      private org.opensaml.security.x509.PKIXValidationInformationResolver pkixResolver
      Resolver used to obtain the trusted PKIX validation information (trust anchors and CRLs) and, optionally, the trusted names that serve as the basis for trust.
      private org.opensaml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator
      The external PKIX trust evaluator used to establish trust.
    • Constructor Summary

      Constructors 
      Constructor Description
      PKIXSignatureTrustEngine​(org.opensaml.security.x509.PKIXValidationInformationResolver resolver, org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
      Constructor.
      PKIXSignatureTrustEngine​(org.opensaml.security.x509.PKIXValidationInformationResolver resolver, org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver, org.opensaml.security.x509.PKIXTrustEvaluator pkixEvaluator, org.opensaml.security.x509.impl.X509CredentialNameEvaluator nameEvaluator)
      Constructor.
    • Method Summary

      Modifier and Type Method Description
      protected boolean checkNames​(Set<String> trustedNames, org.opensaml.security.x509.X509Credential untrustedCredential)
      Evaluate the credential against the set of trusted names.
      protected boolean doValidate​(byte[] signature, byte[] content, String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, org.opensaml.security.credential.Credential candidateCredential)
      Determines whether a raw signature over specified content is valid and signed by a trusted credential.
      protected boolean doValidate​(org.opensaml.xmlsec.signature.Signature signature, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
      Validate the signature using the supplied trust criteria.
      protected boolean evaluateTrust​(org.opensaml.security.credential.Credential untrustedCredential, net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>> validationPair)
      Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
      org.opensaml.security.x509.PKIXValidationInformationResolver getPKIXResolver()
      Get the resolver used to obtain trusted PKIX validation information and trusted names.
      org.opensaml.security.x509.PKIXTrustEvaluator getPKIXTrustEvaluator()
      Get the PKIXTrustEvaluator instance used to evaluate trust.
      org.opensaml.security.x509.impl.X509CredentialNameEvaluator getX509CredentialNameEvaluator()
      Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.
      protected net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>> resolveValidationInfo​(net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
      Resolve and return a set of trusted validation information.
      • Methods inherited from interface org.opensaml.security.trust.TrustEngine

        validate
    • Field Detail

      • log

        private final org.slf4j.Logger log
        Class logger.
      • pkixResolver

        private final org.opensaml.security.x509.PKIXValidationInformationResolver pkixResolver
        Resolver used to obtain the trusted PKIX validation information (trust anchors and CRLs) and, optionally, the trusted names that serve as the basis for trust.
      • pkixTrustEvaluator

        private final org.opensaml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator
        The external PKIX trust evaluator used to establish trust.
      • credNameEvaluator

        private final org.opensaml.security.x509.impl.X509CredentialNameEvaluator credNameEvaluator
        The external credential name evaluator used to establish trusted name compliance.
    • Constructor Detail

      • PKIXSignatureTrustEngine

        public PKIXSignatureTrustEngine​(@Nonnull @ParameterName(name="resolver")
                                        org.opensaml.security.x509.PKIXValidationInformationResolver resolver,
                                        @Nonnull @ParameterName(name="keyInfoResolver")
                                        org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
        Constructor.

        The PKIX trust evaluator used defaults to CertPathPKIXTrustEvaluator.

        The X.509 credential name evaluator used defaults to BasicX509CredentialNameEvaluator.

        Parameters:
        resolver - PKIX validation information resolver used to obtain the trusted validation information and trusted names.
        keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
      • PKIXSignatureTrustEngine

        public PKIXSignatureTrustEngine​(@Nonnull @ParameterName(name="resolver")
                                        org.opensaml.security.x509.PKIXValidationInformationResolver resolver,
                                        @Nonnull @ParameterName(name="keyInfoResolver")
                                        org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoResolver,
                                        @Nonnull @ParameterName(name="pkixEvaluator")
                                        org.opensaml.security.x509.PKIXTrustEvaluator pkixEvaluator,
                                        @Nullable @ParameterName(name="nameEvaluator")
                                        org.opensaml.security.x509.impl.X509CredentialNameEvaluator nameEvaluator)
        Constructor.
        Parameters:
        resolver - PKIX validation information resolver used to obtain the trusted validation information and trusted names.
        keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
        pkixEvaluator - the PKIX trust evaluator to use
        nameEvaluator - the X.509 credential name evaluator to use (may be null)
    • Method Detail

      • getPKIXTrustEvaluator

        @Nonnull
        public org.opensaml.security.x509.PKIXTrustEvaluator getPKIXTrustEvaluator()
        Get the PKIXTrustEvaluator instance used to evaluate trust.

        The parameters of this evaluator may be modified to adjust trust evaluation processing.

        Returns:
        the PKIX trust evaluator instance that will be used
      • getX509CredentialNameEvaluator

        @Nullable
        public org.opensaml.security.x509.impl.X509CredentialNameEvaluator getX509CredentialNameEvaluator()
        Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.

        The parameters of this evaluator may be modified to adjust trust evaluation processing.

        Returns:
        the X.509 credential name evaluator instance that will be used, or null if none is configured (in which case trusted-name checking is skipped)
      • getPKIXResolver

        @Nonnull
        public org.opensaml.security.x509.PKIXValidationInformationResolver getPKIXResolver()
        Get the resolver used to obtain trusted PKIX validation information and trusted names.
        Specified by:
        getPKIXResolver in interface org.opensaml.security.x509.PKIXTrustEngine<org.opensaml.xmlsec.signature.Signature>
      • doValidate

        protected boolean doValidate​(@Nonnull
                                     org.opensaml.xmlsec.signature.Signature signature,
                                     @Nullable
                                     net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
                              throws org.opensaml.security.SecurityException
        Validate the signature using the supplied trust criteria.
        Specified by:
        doValidate in class BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>>>
        Parameters:
        signature - the signature to validate
        trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
        Returns:
        true if signature is valid and trusted, false otherwise
        Throws:
        org.opensaml.security.SecurityException - if there is a fatal error evaluating the signature
      • doValidate

        protected boolean doValidate​(@Nonnull
                                     byte[] signature,
                                     @Nonnull
                                     byte[] content,
                                     @Nonnull
                                     String algorithmURI,
                                     @Nullable
                                     net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria,
                                     @Nullable
                                     org.opensaml.security.credential.Credential candidateCredential)
                              throws org.opensaml.security.SecurityException
        Determines whether a raw signature over specified content is valid and signed by a trusted credential.

        A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.

        If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.

        Specified by:
        doValidate in class BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>>>
        Parameters:
        signature - the signature value
        content - the content that was signed
        algorithmURI - the signature algorithm URI which was used to sign the content
        trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
        candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)
        Returns:
        true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false
        Throws:
        org.opensaml.security.SecurityException - thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported
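As an added example, not code from the OpenSAML project or from this page, the following Java wires a PKIXSignatureTrustEngine with the four-argument constructor documented above and exercises both doValidate paths through the public validate method inherited from TrustEngine and SignatureTrustEngine. The class name PkixSignatureTrustExample, the helper method names, the trust-anchor and CRL directory layout, the chain depth of 3 and the trusted-name set are assumptions made for the example; the OpenSAML types it uses (StaticPKIXValidationInformationResolver, BasicPKIXValidationInformation, CertPathPKIXTrustEvaluator, CertPathPKIXValidationOptions, BasicX509CredentialNameEvaluator, BasicProviderKeyInfoCredentialResolver, InlineX509DataProvider, EntityIdCriterion, UsageCriterion) are OpenSAML 3.x classes:

```java
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;

import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXValidationOptions;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine;

/** Added example (not OpenSAML code): wiring and using a PKIXSignatureTrustEngine. */
public final class PkixSignatureTrustExample {

    /**
     * Build the engine from trust anchors (*.pem) and CRLs (*.crl) in the given directories
     * (hypothetical layout). trustedNames are the names the signer's certificate must carry,
     * e.g. the entityID or a DNS name taken from metadata.
     */
    public static PKIXSignatureTrustEngine buildEngine(Path anchorDir, Path crlDir,
            Set<String> trustedNames) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> anchors = new ArrayList<>();
        List<X509CRL> crls = new ArrayList<>();
        try (DirectoryStream<Path> files = Files.newDirectoryStream(anchorDir, "*.pem")) {
            for (Path p : files) {
                try (InputStream in = Files.newInputStream(p)) {
                    anchors.add((X509Certificate) cf.generateCertificate(in));
                }
            }
        }
        try (DirectoryStream<Path> files = Files.newDirectoryStream(crlDir, "*.crl")) {
            for (Path p : files) {
                try (InputStream in = Files.newInputStream(p)) {
                    crls.add((X509CRL) cf.generateCRL(in));
                }
            }
        }

        // Anchors, CRLs and a maximum chain depth form one PKIXValidationInformation; the
        // static resolver returns it (plus the trusted names) for every trustBasisCriteria.
        PKIXValidationInformation info = new BasicPKIXValidationInformation(anchors, crls, 3);
        StaticPKIXValidationInformationResolver resolver =
                new StaticPKIXValidationInformationResolver(List.of(info), trustedNames);

        // Only X509Data in KeyInfo can be path-validated, so bare RSAKeyValue/DSAKeyValue
        // content is deliberately not resolved into a credential here.
        List<KeyInfoProvider> providers = List.of(new InlineX509DataProvider());
        KeyInfoCredentialResolver keyInfoResolver =
                new BasicProviderKeyInfoCredentialResolver(providers);

        // Require revocation checking even when no CRLs were supplied: fail closed instead
        // of silently skipping it. These are the "parameters" the getter docs refer to.
        CertPathPKIXValidationOptions opts = new CertPathPKIXValidationOptions();
        opts.setRevocationEnabled(true);
        opts.setForceRevocationEnabled(true);
        CertPathPKIXTrustEvaluator pkixEvaluator = new CertPathPKIXTrustEvaluator(opts);

        // A null nameEvaluator makes checkNames() always return true: any certificate that
        // chains to an anchor would then be trusted regardless of the names it carries.
        BasicX509CredentialNameEvaluator nameEvaluator = new BasicX509CredentialNameEvaluator();

        return new PKIXSignatureTrustEngine(resolver, keyInfoResolver, pkixEvaluator, nameEvaluator);
    }

    /** XML Signature path: the certificate in ds:KeyInfo is signer-supplied and untrusted. */
    public static boolean isTrusted(PKIXSignatureTrustEngine engine, Signature signature,
            String signerEntityId) throws SecurityException {
        CriteriaSet criteria = new CriteriaSet(
                new EntityIdCriterion(signerEntityId), new UsageCriterion(UsageType.SIGNING));
        return engine.validate(signature, criteria);
    }

    /**
     * Raw signature path (e.g. a signed query string). The candidate credential plays the
     * role of the KeyInfo-derived credential: it is untrusted and is path-validated the same way.
     */
    public static boolean isRawTrusted(PKIXSignatureTrustEngine engine, byte[] signature,
            byte[] content, String algorithmUri, String signerEntityId, Credential candidate)
            throws SecurityException {
        CriteriaSet criteria = new CriteriaSet(
                new EntityIdCriterion(signerEntityId), new UsageCriterion(UsageType.SIGNING));
        return engine.validate(signature, content, algorithmUri, criteria, candidate);
    }
}
```

The engine establishes cryptographic validity and PKIX trust of the key only. OpenSAML must be initialized (InitializationService.initialize()) before the engine is used, and for SAML messages the Signature should first be checked with SAMLSignatureProfileValidator so that the signature actually covers the element whose contents you are about to trust.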
      • evaluateTrust

        protected boolean evaluateTrust​(@Nonnull
                                        org.opensaml.security.credential.Credential untrustedCredential,
                                        @Nullable
                                        net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>> validationPair)
                                 throws org.opensaml.security.SecurityException
        Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
        Specified by:
        evaluateTrust in class BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>>>
        Parameters:
        untrustedCredential - the untrusted credential being evaluated
        validationPair - the information which serves as the basis for trust evaluation
        Returns:
        true if the trust can be established for the untrusted credential, otherwise false
        Throws:
        org.opensaml.security.SecurityException - if an error occurs during trust processing
      • resolveValidationInfo

        @Nonnull
        protected net.shibboleth.utilities.java.support.collection.Pair<Set<String>,​Iterable<org.opensaml.security.x509.PKIXValidationInformation>> resolveValidationInfo​(@Nullable
                                                                                                                                                                                net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
                                                                                                                                                                         throws org.opensaml.security.SecurityException
        Resolve and return a set of trusted validation information.
        Parameters:
        trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
        Returns:
        a pair consisting of an optional set of trusted names, and an iterable of trusted PKIXValidationInformation
        Throws:
        org.opensaml.security.SecurityException - thrown if there is an error resolving the information from the trusted resolver
      • checkNames

        protected boolean checkNames​(@Nullable
                                     Set<String> trustedNames,
                                     @Nonnull
                                     org.opensaml.security.x509.X509Credential untrustedCredential)
                              throws org.opensaml.security.SecurityException
        Evaluate the credential against the set of trusted names.

        Evaluates to true, i.e. the trusted-name check is skipped, if no X509CredentialNameEvaluator is configured (the nameEvaluator constructor argument was null). In that configuration a credential is accepted on the strength of the PKIX path evaluation alone, so any certificate that chains to a configured trust anchor is trusted regardless of the names it carries.

        Parameters:
        trustedNames - set of trusted names
        untrustedCredential - the credential being evaluated
        Returns:
        true if evaluation is successful, false otherwise
        Throws:
        org.opensaml.security.SecurityException - thrown if there is an error evaluating the credential