Class BaseSignatureTrustEngine<TrustBasisType>
- java.lang.Object
-
- org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine<TrustBasisType>
-
- Type Parameters:
TrustBasisType
- the type of trusted information which has been resolved and which will serve as the basis for trust evaluation
- All Implemented Interfaces:
TrustEngine<Signature>
,SignatureTrustEngine
- Direct Known Subclasses:
ExplicitKeySignatureTrustEngine
,PKIXSignatureTrustEngine
public abstract class BaseSignatureTrustEngine<TrustBasisType> extends Object implements SignatureTrustEngine
A base implementation ofSignatureTrustEngine
which evaluates the validity and trustworthiness of XML and raw signatures.When processing XML signatures, the supplied KeyInfoCredentialResolver will be used to resolve credential(s) containing the (advisory) signing key from the KeyInfo element of the Signature, if present. If any of these credentials do contain the valid signing key, they will be evaluated for trustworthiness against trusted information, which will be resolved in an implementation-specific manner.
Subclasses are required to implement
evaluateTrust(Credential, Object)
using an implementation-specific trust model.
-
-
Field Summary
Fields Modifier and Type Field Description private KeyInfoCredentialResolver
keyInfoCredentialResolver
KeyInfo credential resolver used to obtain the signing credential from a Signature's KeyInfo.private org.slf4j.Logger
log
Class logger.
-
Constructor Summary
Constructors Constructor Description BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver)
Constructor.
-
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description protected void
checkParams(Signature signature, CriteriaSet trustBasisCriteria)
Check the signature and credential criteria for required values.protected void
checkParamsRaw(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria)
Check the signature and credential criteria for required values.protected abstract boolean
doValidate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, Credential candidateCredential)
Determines whether a raw signature over specified content is valid and signed by a trusted credential.protected abstract boolean
doValidate(Signature signature, CriteriaSet trustBasisCriteria)
Validate the signature using the supplied trust criteria.protected abstract boolean
evaluateTrust(Credential untrustedCredential, TrustBasisType trustBasis)
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.KeyInfoCredentialResolver
getKeyInfoResolver()
boolean
validate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, Credential candidateCredential)
boolean
validate(Signature signature, CriteriaSet trustBasisCriteria)
protected boolean
validate(Signature signature, TrustBasisType trustBasis)
Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo.protected boolean
verifySignature(Signature signature, Credential credential)
Attempt to verify a signature using the key from the supplied credential.
-
-
-
Field Detail
-
log
private final org.slf4j.Logger log
Class logger.
-
keyInfoCredentialResolver
private final KeyInfoCredentialResolver keyInfoCredentialResolver
KeyInfo credential resolver used to obtain the signing credential from a Signature's KeyInfo.
-
-
Constructor Detail
-
BaseSignatureTrustEngine
public BaseSignatureTrustEngine(@Nonnull KeyInfoCredentialResolver keyInfoResolver)
Constructor.- Parameters:
keyInfoResolver
- KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
-
-
Method Detail
-
getKeyInfoResolver
@Nullable public KeyInfoCredentialResolver getKeyInfoResolver()
- Specified by:
getKeyInfoResolver
in interfaceSignatureTrustEngine
-
validate
public final boolean validate(@Nonnull Signature signature, @Nullable CriteriaSet trustBasisCriteria) throws SecurityException
- Specified by:
validate
in interfaceTrustEngine<TrustBasisType>
- Throws:
SecurityException
-
doValidate
protected abstract boolean doValidate(@Nonnull Signature signature, @Nullable CriteriaSet trustBasisCriteria) throws SecurityException
Validate the signature using the supplied trust criteria.- Parameters:
signature
- the signature to validatetrustBasisCriteria
- criteria used to describe and/or resolve the information which serves as the basis for trust evaluation- Returns:
- true if signature is valid and trusted, false otherwise
- Throws:
SecurityException
- if there is a fatal error evaluating the signature
-
validate
public final boolean validate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable CriteriaSet trustBasisCriteria, @Nullable Credential candidateCredential) throws SecurityException
- Specified by:
validate
in interfaceSignatureTrustEngine
- Throws:
SecurityException
-
doValidate
protected abstract boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable CriteriaSet trustBasisCriteria, @Nullable Credential candidateCredential) throws SecurityException
Determines whether a raw signature over specified content is valid and signed by a trusted credential.A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.
If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.
- Parameters:
signature
- the signature valuecontent
- the content that was signedalgorithmURI
- the signature algorithm URI which was used to sign the contenttrustBasisCriteria
- criteria used to describe and/or resolve the information which serves as the basis for trust evaluationcandidateCredential
- the untrusted candidate credential containing the validation key for the signature (optional)- Returns:
- true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false
- Throws:
SecurityException
- thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported
-
validate
protected boolean validate(@Nonnull Signature signature, @Nullable TrustBasisType trustBasis) throws SecurityException
Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo. If any credentials so resolved correctly verify the signature, attempt to establish trust using subclass-specific trust logic against trusted information as implemented inevaluateTrust(Credential, Object)
.- Parameters:
signature
- the Signature to evaluatetrustBasis
- the information which serves as the basis for trust evaluation- Returns:
- true if the signature is verified by any KeyInfo-derived credential which can be established as trusted, otherwise false
- Throws:
SecurityException
- if an error occurs during signature verification or trust processing
-
evaluateTrust
protected abstract boolean evaluateTrust(@Nonnull Credential untrustedCredential, @Nullable TrustBasisType trustBasis) throws SecurityException
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.- Parameters:
untrustedCredential
- the untrusted credential being evaluatedtrustBasis
- the information which serves as the basis for trust evaluation- Returns:
- true if the trust can be established for the untrusted credential, otherwise false
- Throws:
SecurityException
- if an error occurs during trust processing
-
verifySignature
protected boolean verifySignature(@Nonnull Signature signature, @Nonnull Credential credential)
Attempt to verify a signature using the key from the supplied credential.- Parameters:
signature
- the signature on which to attempt verificationcredential
- the credential containing the candidate validation key- Returns:
- true if the signature can be verified using the key from the credential, otherwise false
-
checkParams
protected void checkParams(@Nonnull Signature signature, @Nonnull CriteriaSet trustBasisCriteria) throws SecurityException
Check the signature and credential criteria for required values.- Parameters:
signature
- the signature to be evaluatedtrustBasisCriteria
- the set of trusted credential criteria- Throws:
SecurityException
- thrown if required values are absent or otherwise invalid
-
checkParamsRaw
protected void checkParamsRaw(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nonnull CriteriaSet trustBasisCriteria) throws SecurityException
Check the signature and credential criteria for required values.- Parameters:
signature
- the signature to be evaluatedcontent
- the data over which the signature was computedalgorithmURI
- the signing algorithm URI which was usedtrustBasisCriteria
- the set of trusted credential criteria- Throws:
SecurityException
- thrown if required values are absent or otherwise invalid
-
-