org.opensaml.xml.signature.impl
Class PKIXSignatureTrustEngine

java.lang.Object
  extended by org.opensaml.xml.signature.impl.BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
      extended by org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine
All Implemented Interfaces:
TrustEngine<Signature>, PKIXTrustEngine<Signature>, SignatureTrustEngine

public class PKIXSignatureTrustEngine
extends BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
implements PKIXTrustEngine<Signature>

An implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures.

Processing is performed as described in BaseSignatureTrustEngine. If, based on this processing, it is determined that the Signature's KeyInfo is not present or does not contain a valid (and trusted) signing key, then trust engine validation fails. Since the PKIX engine is based on the assumption that trusted signing keys are not known in advance, the signing key must be present in, or derivable from, the information in the Signature's KeyInfo element.
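
The following added example (not part of the OpenSAML documentation) wires the engine to a static set of trust anchors and trusted names and treats any processing error as a validation failure. It assumes the OpenSAML 2 classes BasicPKIXValidationInformation, StaticPKIXValidationInformationResolver and EntityIDCriteria; the class name PkixSignatureCheck, the verification depth of 3 and the requirement for non-empty trusted names are choices made for this example.

```java
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicPKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.StaticPKIXValidationInformationResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;

/** Added example: hypothetical wrapper, not part of OpenSAML. */
public final class PkixSignatureCheck {
    private final PKIXSignatureTrustEngine engine;

    public PkixSignatureCheck(Collection<X509Certificate> anchors, Collection<X509CRL> crls,
            Set<String> trustedNames, KeyInfoCredentialResolver keyInfoResolver) {
        // Example policy: refuse to build an engine with nothing to anchor or name-check against.
        if (anchors == null || anchors.isEmpty() || trustedNames == null || trustedNames.isEmpty()) {
            throw new IllegalArgumentException("trust anchors and trusted names are required");
        }
        List<PKIXValidationInformation> info = new ArrayList<PKIXValidationInformation>();
        info.add(new BasicPKIXValidationInformation(anchors, crls, 3)); // depth 3: constructed value
        // Two-argument constructor: CertPathPKIXTrustEvaluator and
        // BasicX509CredentialNameEvaluator are used by default.
        engine = new PKIXSignatureTrustEngine(
                new StaticPKIXValidationInformationResolver(info, trustedNames), keyInfoResolver);
    }

    /** Returns true only if the signature verifies with a KeyInfo key that PKIX-validates. */
    public boolean isTrusted(Signature signature, String peerEntityId) {
        if (engine.getX509CredentialNameEvaluator() == null) {
            return false; // checkNames would evaluate to true without a name evaluator
        }
        try {
            CriteriaSet criteria = new CriteriaSet(new EntityIDCriteria(peerEntityId));
            return engine.validate(signature, criteria);
        } catch (SecurityException e) {
            return false; // fail closed: a processing error is never treated as trust
        }
    }
}
```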


Constructor Summary
PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver)
          Constructor.
PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver, PKIXTrustEvaluator pkixEvaluator, X509CredentialNameEvaluator nameEvaluator)
          Constructor.
 
Method Summary
protected  boolean checkNames(Set<String> trustedNames, X509Credential untrustedCredential)
          Evaluate the credential against the set of trusted names.
protected  boolean evaluateTrust(Credential untrustedCredential, Pair<Set<String>,Iterable<PKIXValidationInformation>> validationPair)
          Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
 PKIXValidationInformationResolver getPKIXResolver()
          Get the resolver instance which will be used to resolve PKIX validation information.
 PKIXTrustEvaluator getPKIXTrustEvaluator()
          Get the PKIXTrustEvaluator instance used to evaluate trust.
 X509CredentialNameEvaluator getX509CredentialNameEvaluator()
          Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.
protected  Pair<Set<String>,Iterable<PKIXValidationInformation>> resolveValidationInfo(CriteriaSet trustBasisCriteria)
          Resolve and return a set of trusted validation information.
 boolean validate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, Credential candidateCredential)
          Determines whether a raw signature over specified content is valid and signed by a trusted credential.
 boolean validate(Signature signature, CriteriaSet trustBasisCriteria)
          Validates the token against trusted information obtained in an implementation-specific manner.
 
Methods inherited from class org.opensaml.xml.signature.impl.BaseSignatureTrustEngine
checkParams, checkParamsRaw, getKeyInfoResolver, validate, verifySignature
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PKIXSignatureTrustEngine

public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver,
                                KeyInfoCredentialResolver keyInfoResolver)
Constructor.

The PKIX trust evaluator used defaults to CertPathPKIXTrustEvaluator.

The X.509 credential name evaluator used defaults to BasicX509CredentialNameEvaluator.

Parameters:
resolver - credential resolver used to resolve trusted credentials.
keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.

PKIXSignatureTrustEngine

public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver,
                                KeyInfoCredentialResolver keyInfoResolver,
                                PKIXTrustEvaluator pkixEvaluator,
                                X509CredentialNameEvaluator nameEvaluator)
Constructor.

Parameters:
resolver - credential resolver used to resolve trusted credentials.
keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
pkixEvaluator - the PKIX trust evaluator to use
nameEvaluator - the X.509 credential name evaluator to use (may be null)

Method Detail

getPKIXTrustEvaluator

public PKIXTrustEvaluator getPKIXTrustEvaluator()
Get the PKIXTrustEvaluator instance used to evaluate trust.

The parameters of this evaluator may be modified to adjust trust evaluation processing.

Returns:
the PKIX trust evaluator instance that will be used

getX509CredentialNameEvaluator

public X509CredentialNameEvaluator getX509CredentialNameEvaluator()
Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.

The parameters of this evaluator may be modified to adjust trust evaluation processing.

Returns:
the X.509 credential name evaluator instance that will be used

getPKIXResolver

public PKIXValidationInformationResolver getPKIXResolver()
Get the resolver instance which will be used to resolve PKIX validation information.

Specified by:
getPKIXResolver in interface PKIXTrustEngine<Signature>
Returns:
the currently configured resolver instance

validate

public boolean validate(Signature signature,
                        CriteriaSet trustBasisCriteria)
                 throws SecurityException
Validates the token against trusted information obtained in an implementation-specific manner.

Specified by:
validate in interface TrustEngine<Signature>
Parameters:
signature - security token to validate
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
Returns:
true if the token is trusted and valid, false if not
Throws:
SecurityException - thrown if there is a problem validating the security token

validate

public boolean validate(byte[] signature,
                        byte[] content,
                        String algorithmURI,
                        CriteriaSet trustBasisCriteria,
                        Credential candidateCredential)
                 throws SecurityException
Determines whether a raw signature over specified content is valid and signed by a trusted credential.

A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.

If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.

Specified by:
validate in interface SignatureTrustEngine
Parameters:
signature - the signature value
content - the content that was signed
algorithmURI - the signature algorithm URI which was used to sign the content
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)
Returns:
true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false
Throws:
SecurityException - thrown if there is a problem attempting to verify the signature, such as the signature algorithm not being supported

evaluateTrust

protected boolean evaluateTrust(Credential untrustedCredential,
                                Pair<Set<String>,Iterable<PKIXValidationInformation>> validationPair)
                         throws SecurityException
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.

Specified by:
evaluateTrust in class BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
Parameters:
untrustedCredential - the untrusted credential being evaluated
validationPair - the information which serves as the basis for trust evaluation
Returns:
true if the trust can be established for the untrusted credential, otherwise false
Throws:
SecurityException - if an error occurs during trust processing

resolveValidationInfo

protected Pair<Set<String>,Iterable<PKIXValidationInformation>> resolveValidationInfo(CriteriaSet trustBasisCriteria)
                                                                               throws SecurityException
Resolve and return a set of trusted validation information.

Parameters:
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
Returns:
a pair consisting of an optional set of trusted names, and an iterable of trusted PKIXValidationInformation
Throws:
SecurityException - thrown if there is an error resolving the information from the trusted resolver

checkNames

protected boolean checkNames(Set<String> trustedNames,
                             X509Credential untrustedCredential)
                      throws SecurityException
Evaluate the credential against the set of trusted names.

Evaluates to true if no instance of X509CredentialNameEvaluator is configured.

Parameters:
trustedNames - set of trusted names
untrustedCredential - the credential being evaluated
Returns:
true if evaluation is successful, false otherwise
Throws:
SecurityException - thrown if there is an error evaluating the credential


Copyright © 2006-2011 Internet2. All Rights Reserved.