Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.opensaml.xml.signature.impl
Class BaseSignatureTrustEngine<TrustBasisType>

java.lang.Object
  extended by org.opensaml.xml.signature.impl.BaseSignatureTrustEngine<TrustBasisType>
Type Parameters:
TrustBasisType - the type of trusted information which has been resolved and which will serve as the basis for trust evaluation
All Implemented Interfaces:
TrustEngine<Signature>, SignatureTrustEngine
Direct Known Subclasses:
ExplicitKeySignatureTrustEngine, PKIXSignatureTrustEngine
public abstract class BaseSignatureTrustEngine<TrustBasisType>
extends Object
implements SignatureTrustEngine

A base implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures.

When processing XML signatures, the supplied KeyInfoCredentialResolver will be used to resolve credential(s) containing the (advisory) signing key from the KeyInfo element of the Signature, if present. If any of these credentials do contain the valid signing key, they will be evaluated for trustworthiness against trusted information, which will be resolved in an implementation-specific manner.

Subclasses are required to implement evaluateTrust(Credential, Object) using an implementation-specific trust model.

Constructor Summary
BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver)
          Constructor.
 
Method Summary
protected  void checkParams(Signature signature, CriteriaSet trustBasisCriteria)
          Check the signature and credential criteria for required values.
protected  void checkParamsRaw(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria)
          Check the signature and credential criteria for required values.
protected abstract  boolean evaluateTrust(Credential untrustedCredential, TrustBasisType trustBasis)
          Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
 KeyInfoCredentialResolver getKeyInfoResolver()
          Get the KeyInfoCredentialResolver instance used to resolve (advisory) signing credential information from KeyInfo elements contained within a Signature element.
protected  boolean validate(Signature signature, TrustBasisType trustBasis)
          Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo.
protected  boolean verifySignature(Signature signature, Credential credential)
          Attempt to verify a signature using the key from the supplied credential.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.opensaml.xml.signature.SignatureTrustEngine
validate
 
Methods inherited from interface org.opensaml.xml.security.trust.TrustEngine
validate
 

Constructor Detail

BaseSignatureTrustEngine

public BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver)
Constructor.

Parameters:
keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
Method Detail

getKeyInfoResolver

public KeyInfoCredentialResolver getKeyInfoResolver()
Get the KeyInfoCredentialResolver instance used to resolve (advisory) signing credential information from KeyInfo elements contained within a Signature element. Note that credential(s) obtained via this resolver are not themselves trusted. They must be evaluated against the trusted credential information obtained from the trusted credential resolver.

Specified by:
getKeyInfoResolver in interface SignatureTrustEngine
Returns:
a KeyInfoCredentialResolver instance

validate

protected boolean validate(Signature signature,
                           TrustBasisType trustBasis)
                    throws SecurityException
Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo. If any credentials so resolved correctly verify the signature, attempt to establish trust using subclass-specific trust logic against trusted information as implemented in evaluateTrust(Credential, Object).

Parameters:
signature - the Signature to evaluate
trustBasis - the information which serves as the basis for trust evaluation
Returns:
true if the signature is verified by any KeyInfo-derived credential which can be established as trusted, otherwise false
Throws:
SecurityException - if an error occurs during signature verification or trust processing

evaluateTrust

protected abstract boolean evaluateTrust(Credential untrustedCredential,
                                         TrustBasisType trustBasis)
                                  throws SecurityException
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.

Parameters:
untrustedCredential - the untrusted credential being evaluated
trustBasis - the information which serves as the basis for trust evaluation
Returns:
true if the trust can be established for the untrusted credential, otherwise false
Throws:
SecurityException - if an error occurs during trust processing

verifySignature

protected boolean verifySignature(Signature signature,
                                  Credential credential)
Attempt to verify a signature using the key from the supplied credential.

Parameters:
signature - the signature on which to attempt verification
credential - the credential containing the candidate validation key
Returns:
true if the signature can be verified using the key from the credential, otherwise false

checkParams

protected void checkParams(Signature signature,
                           CriteriaSet trustBasisCriteria)
                    throws SecurityException
Check the signature and credential criteria for required values.

Parameters:
signature - the signature to be evaluated
trustBasisCriteria - the set of trusted credential criteria
Throws:
SecurityException - thrown if required values are absent or otherwise invalid

checkParamsRaw

protected void checkParamsRaw(byte[] signature,
                              byte[] content,
                              String algorithmURI,
                              CriteriaSet trustBasisCriteria)
                       throws SecurityException
Check the signature and credential criteria for required values.

Parameters:
signature - the signature to be evaluated
content - the data over which the signature was computed
algorithmURI - the signing algorithm URI which was used
trustBasisCriteria - the set of trusted credential criteria
Throws:
SecurityException - thrown if required values are absent or otherwise invalid
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2006-2011 Internet2. All Rights Reserved.