Package org.opensaml.xmlsec.signature.support.impl

Class ExplicitKeySignatureTrustEngine

java.lang.Object

org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine<Iterable<Credential>>

org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine

All Implemented Interfaces:

TrustedCredentialTrustEngine<Signature>, TrustEngine<Signature>, SignatureTrustEngine

public class ExplicitKeySignatureTrustEngine
extends BaseSignatureTrustEngine<Iterable<Credential>>
implements TrustedCredentialTrustEngine<Signature>

An implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures.

Processing is first performed as described in BaseSignatureTrustEngine. If based on this processing, it is determined that the Signature's KeyInfo is not present or does not contain a resolveable valid (and trusted) signing key, then all trusted credentials obtained by the trusted credential resolver will be used to attempt to validate the signature.

Field Summary

Fields

Modifier and Type	Field	Description
private CredentialResolver	credentialResolver	Resolver used for resolving trusted credentials.
private ExplicitKeyTrustEvaluator	keyTrust	The external explicit key trust engine to use as a basis for trust in this implementation.
private org.slf4j.Logger	log	Class logger.

Constructor Summary

Constructors

Constructor	Description
ExplicitKeySignatureTrustEngine(CredentialResolver resolver, KeyInfoCredentialResolver keyInfoResolver)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected boolean	doValidate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, Credential candidateCredential)	Determines whether a raw signature over specified content is valid and signed by a trusted credential.
protected boolean	doValidate(Signature signature, CriteriaSet trustBasisCriteria)	Validate the signature using the supplied trust criteria.
protected boolean	evaluateTrust(Credential untrustedCredential, Iterable<Credential> trustedCredentials)	Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
CredentialResolver	getCredentialResolver()

Methods inherited from class org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine

checkParams, checkParamsRaw, getKeyInfoResolver, validate, validate, validate, verifySignature

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.opensaml.security.trust.TrustEngine

validate

Field Detail

log

private final org.slf4j.Logger log

Class logger.

credentialResolver

private final CredentialResolver credentialResolver

Resolver used for resolving trusted credentials.

keyTrust

private final ExplicitKeyTrustEvaluator keyTrust

The external explicit key trust engine to use as a basis for trust in this implementation.

Constructor Detail

ExplicitKeySignatureTrustEngine

public ExplicitKeySignatureTrustEngine(@Nonnull @ParameterName(name="resolver")
                                       CredentialResolver resolver,
                                       @Nonnull @ParameterName(name="keyInfoResolver")
                                       KeyInfoCredentialResolver keyInfoResolver)

Constructor.

Parameters:

resolver - credential resolver used to resolve trusted credentials.

keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.

Method Detail

getCredentialResolver

@Nonnull
public CredentialResolver getCredentialResolver()

Specified by:

getCredentialResolver in interface TrustedCredentialTrustEngine<Signature>

doValidate

protected boolean doValidate(@Nonnull
                             Signature signature,
                             @Nullable
                             CriteriaSet trustBasisCriteria)
                      throws SecurityException

Validate the signature using the supplied trust criteria.

Specified by:

doValidate in class BaseSignatureTrustEngine<Iterable<Credential>>

Parameters:

signature - the signature to validate

trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation

Returns:

true if signature is valid and trusted, false otherwise

Throws:

SecurityException - if there is a fatal error evaluating the signature

doValidate

protected boolean doValidate(@Nonnull
                             byte[] signature,
                             @Nonnull
                             byte[] content,
                             @Nonnull
                             String algorithmURI,
                             @Nullable
                             CriteriaSet trustBasisCriteria,
                             @Nullable
                             Credential candidateCredential)
                      throws SecurityException

Determines whether a raw signature over specified content is valid and signed by a trusted credential.

A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.

If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.

Specified by:

doValidate in class BaseSignatureTrustEngine<Iterable<Credential>>

Parameters:

signature - the signature value

content - the content that was signed

algorithmURI - the signature algorithm URI which was used to sign the content

trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation

candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)

Returns:

true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false

Throws:

SecurityException - thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported

evaluateTrust

protected boolean evaluateTrust(@Nonnull
                                Credential untrustedCredential,
                                @Nullable
                                Iterable<Credential> trustedCredentials)
                         throws SecurityException

Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.

Specified by:

evaluateTrust in class BaseSignatureTrustEngine<Iterable<Credential>>

Parameters:

untrustedCredential - the untrusted credential being evaluated

trustedCredentials - the information which serves as the basis for trust evaluation

Returns:

true if the trust can be established for the untrusted credential, otherwise false

Throws:

SecurityException - if an error occurs during trust processing