org.opensaml.xml.security.x509
Class PKIXX509CredentialTrustEngine

java.lang.Object
  extended by org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine
All Implemented Interfaces:
TrustEngine<X509Credential>, PKIXTrustEngine<X509Credential>

public class PKIXX509CredentialTrustEngine
extends Object
implements PKIXTrustEngine<X509Credential>

Trust engine implementation which evaluates an X509Credential token based on PKIX validation processing using validation information from a trusted source.


Constructor Summary
PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver)
          Constructor.
PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver, PKIXTrustEvaluator pkixEvaluator, X509CredentialNameEvaluator nameEvaluator)
          Constructor.
 
Method Summary
protected  boolean checkNames(Set<String> trustedNames, X509Credential untrustedCredential)
          Evaluate the credential against the set of trusted names.
 PKIXValidationInformationResolver getPKIXResolver()
          Get the resolver instance which will be used to resolve PKIX validation information.
 PKIXTrustEvaluator getPKIXTrustEvaluator()
          Get the PKIXTrustEvaluator instance used to evaluate trust.
 X509CredentialNameEvaluator getX509CredentialNameEvaluator()
          Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.
 boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
          Validates the token against trusted information obtained in an implementation-specific manner.
protected  boolean validate(X509Credential untrustedX509Credential, Set<String> trustedNames, Iterable<PKIXValidationInformation> validationInfoSet)
          Perform PKIX validation on the untrusted credential, using PKIX validation information based on the supplied set of trusted credentials.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PKIXX509CredentialTrustEngine

public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver)
Constructor.

The PKIX trust evaluator used defaults to CertPathPKIXTrustEvaluator.

The X.509 credential name evaluator used defaults to BasicX509CredentialNameEvaluator.

Parameters:
resolver - credential resolver used to resolve trusted credentials

PKIXX509CredentialTrustEngine

public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver,
                                     PKIXTrustEvaluator pkixEvaluator,
                                     X509CredentialNameEvaluator nameEvaluator)
Constructor.

Parameters:
resolver - credential resolver used to resolve trusted credentials
pkixEvaluator - the PKIX trust evaluator to use
nameEvaluator - the X.509 credential name evaluator to use (may be null)

Method Detail

getPKIXResolver

public PKIXValidationInformationResolver getPKIXResolver()
Get the resolver instance which will be used to resolve PKIX validation information.

Specified by:
getPKIXResolver in interface PKIXTrustEngine<X509Credential>
Returns:
the currently configured resolver instance

getPKIXTrustEvaluator

public PKIXTrustEvaluator getPKIXTrustEvaluator()
Get the PKIXTrustEvaluator instance used to evaluate trust.

The parameters of this evaluator may be modified to adjust trust evaluation processing.

Returns:
the PKIX trust evaluator instance that will be used

getX509CredentialNameEvaluator

public X509CredentialNameEvaluator getX509CredentialNameEvaluator()
Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.

The parameters of this evaluator may be modified to adjust trust evaluation processing.

Returns:
the X.509 credential name evaluator instance that will be used

validate

public boolean validate(X509Credential untrustedCredential,
                        CriteriaSet trustBasisCriteria)
                 throws SecurityException
Validates the token against trusted information obtained in an implementation-specific manner.

Specified by:
validate in interface TrustEngine<X509Credential>
Parameters:
untrustedCredential - security token to validate
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
Returns:
true if the token is trusted and valid, false if not
Throws:
SecurityException - thrown if there is a problem validating the security token

validate

protected boolean validate(X509Credential untrustedX509Credential,
                           Set<String> trustedNames,
                           Iterable<PKIXValidationInformation> validationInfoSet)
                    throws SecurityException
Perform PKIX validation on the untrusted credential, using PKIX validation information based on the supplied set of trusted credentials.

Parameters:
untrustedX509Credential - the credential to evaluate
validationInfoSet - the set of validation information which serves as the basis for trust evaluation
trustedNames - the set of trusted names for name checking purposes
Returns:
true if PKIX validation of the untrusted credential is successful, otherwise false
Throws:
SecurityException - thrown if there is an error validating the untrusted credential against trusted names or validation information

checkNames

protected boolean checkNames(Set<String> trustedNames,
                             X509Credential untrustedCredential)
                      throws SecurityException
Evaluate the credential against the set of trusted names.

Evaluates to true if no instance of X509CredentialNameEvaluator is configured.

Parameters:
trustedNames - set of trusted names
untrustedCredential - the credential being evaluated
Returns:
true if evaluation is successful, false otherwise
Throws:
SecurityException - thrown if there is an error evaluating the credential
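
Added usage example (not part of the original Javadoc or the OpenSAML code base): it builds the engine with the single-argument constructor, so the default name evaluator stays in place, and refuses to continue if none is configured, because checkNames evaluates to true in that case. The file names, the trusted name idp.example.org and the path depth of 5 are placeholder assumptions; the resolver and credential classes are the stock implementations from the same package.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.x509.*;

public class PkixTrustExample {
    // Load a single X.509 certificate (PEM or DER) from disk.
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static PKIXX509CredentialTrustEngine buildEngine(X509Certificate anchor, Set<String> names) {
        // One trust anchor, no CRLs, maximum path depth 5 (example value).
        PKIXValidationInformation info = new BasicPKIXValidationInformation(
                Collections.singletonList(anchor), Collections.<X509CRL>emptyList(), 5);
        PKIXValidationInformationResolver resolver = new StaticPKIXValidationInformationResolver(
                Collections.singletonList(info), names);
        // Single-argument constructor: default PKIX evaluator and default name evaluator.
        PKIXX509CredentialTrustEngine engine = new PKIXX509CredentialTrustEngine(resolver);
        // checkNames() evaluates to true when no name evaluator is configured,
        // so treat a missing evaluator as a configuration error.
        if (engine.getX509CredentialNameEvaluator() == null) {
            throw new IllegalStateException("name checking is disabled");
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate anchor = loadCert("trust-anchor.pem"); // placeholder path
        X509Certificate peer = loadCert("peer-cert.pem");      // placeholder path
        PKIXX509CredentialTrustEngine engine = buildEngine(anchor, Collections.singleton("idp.example.org"));

        BasicX509Credential untrusted = new BasicX509Credential();
        untrusted.setEntityCertificate(peer);
        untrusted.setEntityCertificateChain(Collections.singletonList(peer));

        // Criteria naming the peer whose trust information should be resolved.
        CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria("idp.example.org"));
        boolean trusted = engine.validate(untrusted, criteria);
        System.out.println(trusted ? "trusted" : "NOT trusted");
    }
}
```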


Copyright © 2006-2011 Internet2. All Rights Reserved.