Class PKIXSignatureTrustEngine
- java.lang.Object
-
- org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
-
- org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine
-
- All Implemented Interfaces:
TrustEngine<Signature>
,PKIXTrustEngine<Signature>
,SignatureTrustEngine
public class PKIXSignatureTrustEngine extends BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>> implements PKIXTrustEngine<Signature>
An implementation ofSignatureTrustEngine
which evaluates the validity and trustworthiness of XML and raw signatures.Processing is performed as described in
BaseSignatureTrustEngine
. If based on this processing, it is determined that the Signature's KeyInfo is not present or does not contain a valid (and trusted) signing key, then trust engine validation fails. Since the PKIX engine is based on the assumption that trusted signing keys are not known in advance, the signing key must be present in, or derivable from, the information in the Signature's KeyInfo element.
-
-
Field Summary
Fields Modifier and Type Field Description private X509CredentialNameEvaluator
credNameEvaluator
The external credential name evaluator used to establish trusted name compliance.private org.slf4j.Logger
log
Class logger.private PKIXValidationInformationResolver
pkixResolver
Resolver used for resolving trusted credentials.private PKIXTrustEvaluator
pkixTrustEvaluator
The external PKIX trust evaluator used to establish trust.
-
Constructor Summary
Constructors Constructor Description PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver)
Constructor.PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver, PKIXTrustEvaluator pkixEvaluator, X509CredentialNameEvaluator nameEvaluator)
Constructor.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected boolean
checkNames(Set<String> trustedNames, X509Credential untrustedCredential)
Evaluate the credential against the set of trusted names.protected boolean
doValidate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, Credential candidateCredential)
Determines whether a raw signature over specified content is valid and signed by a trusted credential.protected boolean
doValidate(Signature signature, CriteriaSet trustBasisCriteria)
Validate the signature using the supplied trust criteria.protected boolean
evaluateTrust(Credential untrustedCredential, Pair<Set<String>,Iterable<PKIXValidationInformation>> validationPair)
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.PKIXValidationInformationResolver
getPKIXResolver()
PKIXTrustEvaluator
getPKIXTrustEvaluator()
Get the PKIXTrustEvaluator instance used to evaluate trust.X509CredentialNameEvaluator
getX509CredentialNameEvaluator()
Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.protected Pair<Set<String>,Iterable<PKIXValidationInformation>>
resolveValidationInfo(CriteriaSet trustBasisCriteria)
Resolve and return a set of trusted validation information.-
Methods inherited from class org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine
checkParams, checkParamsRaw, getKeyInfoResolver, validate, validate, validate, verifySignature
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.opensaml.security.trust.TrustEngine
validate
-
-
-
-
Field Detail
-
log
private final org.slf4j.Logger log
Class logger.
-
pkixResolver
private final PKIXValidationInformationResolver pkixResolver
Resolver used for resolving trusted credentials.
-
pkixTrustEvaluator
private final PKIXTrustEvaluator pkixTrustEvaluator
The external PKIX trust evaluator used to establish trust.
-
credNameEvaluator
private final X509CredentialNameEvaluator credNameEvaluator
The external credential name evaluator used to establish trusted name compliance.
-
-
Constructor Detail
-
PKIXSignatureTrustEngine
public PKIXSignatureTrustEngine(@Nonnull @ParameterName(name="resolver") PKIXValidationInformationResolver resolver, @Nonnull @ParameterName(name="keyInfoResolver") KeyInfoCredentialResolver keyInfoResolver)
Constructor.The PKIX trust evaluator used defaults to
CertPathPKIXTrustEvaluator
.The X.509 credential name evaluator used defaults to
BasicX509CredentialNameEvaluator
.- Parameters:
resolver
- credential resolver used to resolve trusted credentials.keyInfoResolver
- KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
-
PKIXSignatureTrustEngine
public PKIXSignatureTrustEngine(@Nonnull @ParameterName(name="resolver") PKIXValidationInformationResolver resolver, @Nonnull @ParameterName(name="keyInfoResolver") KeyInfoCredentialResolver keyInfoResolver, @Nonnull @ParameterName(name="pkixEvaluator") PKIXTrustEvaluator pkixEvaluator, @Nullable @ParameterName(name="nameEvaluator") X509CredentialNameEvaluator nameEvaluator)
Constructor.- Parameters:
resolver
- credential resolver used to resolve trusted credentials.keyInfoResolver
- KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.pkixEvaluator
- the PKIX trust evaluator to usenameEvaluator
- the X.509 credential name evaluator to use (may be null)
-
-
Method Detail
-
getPKIXTrustEvaluator
@Nonnull public PKIXTrustEvaluator getPKIXTrustEvaluator()
Get the PKIXTrustEvaluator instance used to evaluate trust.The parameters of this evaluator may be modified to adjust trust evaluation processing.
- Returns:
- the PKIX trust evaluator instance that will be used
-
getX509CredentialNameEvaluator
@Nullable public X509CredentialNameEvaluator getX509CredentialNameEvaluator()
Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.The parameters of this evaluator may be modified to adjust trust evaluation processing.
- Returns:
- the PKIX trust evaluator instance that will be used
-
getPKIXResolver
@Nonnull public PKIXValidationInformationResolver getPKIXResolver()
- Specified by:
getPKIXResolver
in interfacePKIXTrustEngine<Signature>
-
doValidate
protected boolean doValidate(@Nonnull Signature signature, @Nullable CriteriaSet trustBasisCriteria) throws SecurityException
Validate the signature using the supplied trust criteria.- Specified by:
doValidate
in classBaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
- Parameters:
signature
- the signature to validatetrustBasisCriteria
- criteria used to describe and/or resolve the information which serves as the basis for trust evaluation- Returns:
- true if signature is valid and trusted, false otherwise
- Throws:
SecurityException
- if there is a fatal error evaluating the signature
-
doValidate
protected boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable CriteriaSet trustBasisCriteria, @Nullable Credential candidateCredential) throws SecurityException
Determines whether a raw signature over specified content is valid and signed by a trusted credential.A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.
If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.
- Specified by:
doValidate
in classBaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
- Parameters:
signature
- the signature valuecontent
- the content that was signedalgorithmURI
- the signature algorithm URI which was used to sign the contenttrustBasisCriteria
- criteria used to describe and/or resolve the information which serves as the basis for trust evaluationcandidateCredential
- the untrusted candidate credential containing the validation key for the signature (optional)- Returns:
- true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false
- Throws:
SecurityException
- thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported
-
evaluateTrust
protected boolean evaluateTrust(@Nonnull Credential untrustedCredential, @Nullable Pair<Set<String>,Iterable<PKIXValidationInformation>> validationPair) throws SecurityException
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.- Specified by:
evaluateTrust
in classBaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
- Parameters:
untrustedCredential
- the untrusted credential being evaluatedvalidationPair
- the information which serves as the basis for trust evaluation- Returns:
- true if the trust can be established for the untrusted credential, otherwise false
- Throws:
SecurityException
- if an error occurs during trust processing
-
resolveValidationInfo
@Nonnull protected Pair<Set<String>,Iterable<PKIXValidationInformation>> resolveValidationInfo(@Nullable CriteriaSet trustBasisCriteria) throws SecurityException
Resolve and return a set of trusted validation information.- Parameters:
trustBasisCriteria
- criteria used to describe and/or resolve the information which serves as the basis for trust evaluation- Returns:
- a pair consisting of an optional set of trusted names, and an iterable of trusted PKIXValidationInformation
- Throws:
SecurityException
- thrown if there is an error resolving the information from the trusted resolver
-
checkNames
protected boolean checkNames(@Nullable Set<String> trustedNames, @Nonnull X509Credential untrustedCredential) throws SecurityException
Evaluate the credential against the set of trusted names.Evaluates to true if no instance of
X509CredentialNameEvaluator
is configured.- Parameters:
trustedNames
- set of trusted namesuntrustedCredential
- the credential being evaluated- Returns:
- true if evaluation is successful, false otherwise
- Throws:
SecurityException
- thrown if there is an error evaluation the credential
-
-