@ThreadSafe public class HolderOfKeySubjectConfirmationValidator extends AbstractSubjectConfirmationValidator
A subject confirmation is considered confirmed if one of the following checks has passed:

- the presenter's public key matches a KeyValue or DEREncodedKeyValue within one of the KeyInfo entries in the confirmation data
- the presenter's certificate matches an org.opensaml.xml.signature.X509Certificate within one of the KeyInfo entries in the confirmation data

In both cases a match is determined by Java equals() comparison.

In addition to the parameters defined in AbstractSubjectConfirmationValidator:

Supports the following ValidationContext static parameters:

- SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT: Optional if key is supplied, otherwise required.
- SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY: Optional if certificate is supplied, otherwise required.

If neither is supplied, the validation result is ValidationResult.INDETERMINATE.

Supports the following ValidationContext dynamic parameters:

- SAML2AssertionValidationParameters.SC_HOK_CONFIRMED_KEYINFO: Optional. Will be present after validation iff Holder of Key subject confirmation was successfully performed.
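As an added example (not code from the OpenSAML project or from this page), the following relying-party helper shows how the parameters described above fit together: it places the presenter's certificate and/or public key into the ValidationContext static parameters, runs validate (inherited from AbstractSubjectConfirmationValidator) for each holder-of-key SubjectConfirmation on the assertion, treats INVALID and INDETERMINATE alike as "not confirmed", and reads the matched KeyInfo back from the SC_HOK_CONFIRMED_KEYINFO dynamic parameter. The class HokConfirmationCheck and its Outcome type are hypothetical; the package names org.opensaml.saml.common.assertion, org.opensaml.saml.saml2.assertion, org.opensaml.saml.saml2.assertion.impl and org.opensaml.saml.saml2.core are assumed from the OpenSAML 3/4 API and are not stated on this page.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.impl.HolderOfKeySubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.xmlsec.signature.KeyInfo;

/**
 * Hypothetical relying-party helper (not part of OpenSAML) that runs the
 * HolderOfKeySubjectConfirmationValidator against every holder-of-key
 * SubjectConfirmation on an assertion and reports whether one was confirmed.
 */
public final class HokConfirmationCheck {

    /** The validator is annotated @ThreadSafe, so a single instance can be shared. */
    private final HolderOfKeySubjectConfirmationValidator validator =
            new HolderOfKeySubjectConfirmationValidator();

    /** Outcome handed back to the caller (hypothetical type). */
    public static final class Outcome {
        public final boolean confirmed;
        public final KeyInfo confirmedKeyInfo;  // non-null iff confirmed
        public final String failureMessage;     // non-null iff not confirmed

        Outcome(final boolean confirmed, final KeyInfo keyInfo, final String message) {
            this.confirmed = confirmed;
            this.confirmedKeyInfo = keyInfo;
            this.failureMessage = message;
        }
    }

    /**
     * Confirms the assertion against the presenter's TLS client certificate and/or
     * public key; at least one must be supplied. Only VALID counts as confirmed;
     * INVALID and INDETERMINATE are both reported as failures.
     */
    public Outcome confirm(final Assertion assertion,
                           final X509Certificate presenterCert,
                           final PublicKey presenterKey) throws AssertionValidationException {
        if (presenterCert == null && presenterKey == null) {
            // With neither static parameter the validator can only answer INDETERMINATE,
            // so refuse up front instead of treating that as a pass.
            return new Outcome(false, null, "no presenter certificate or key available");
        }
        if (assertion.getSubject() == null) {
            return new Outcome(false, null, "assertion has no Subject");
        }

        String lastFailure = "no holder-of-key SubjectConfirmation present";
        for (final SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) {
            // Dispatch only confirmations whose Method is the one this validator services
            // (urn:oasis:names:tc:SAML:2.0:cm:holder-of-key); other methods need other validators.
            if (!validator.getServicedMethod().equals(sc.getMethod())) {
                continue;
            }
            final ValidationContext ctx = newContext(presenterCert, presenterKey);
            final ValidationResult result = validator.validate(sc, assertion, ctx);
            if (result == ValidationResult.VALID) {
                // Per the class contract the dynamic parameter is present iff HoK succeeded.
                final KeyInfo matched = (KeyInfo) ctx.getDynamicParameters()
                        .get(SAML2AssertionValidationParameters.SC_HOK_CONFIRMED_KEYINFO);
                if (matched != null) {
                    return new Outcome(true, matched, null);
                }
                lastFailure = "VALID result without SC_HOK_CONFIRMED_KEYINFO";
            } else {
                // INVALID or INDETERMINATE: record the reason and try the next confirmation,
                // since a Subject may carry several.
                lastFailure = result + ": " + ctx.getValidationFailureMessage();
            }
        }
        return new Outcome(false, null, lastFailure);
    }

    /** Builds a context carrying whichever presenter credentials are available. */
    static ValidationContext newContext(final X509Certificate cert, final PublicKey key) {
        final Map<String, Object> statics = new HashMap<>();
        if (cert != null) {
            statics.put(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT, cert);
        }
        if (key != null) {
            statics.put(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY, key);
        }
        return new ValidationContext(statics);
    }
}
```

The design point is that the three ValidationResult values are not two outcomes: an INDETERMINATE result means the validator could not decide (for instance because neither SC_HOK_PRESENTER_CERT nor SC_HOK_PRESENTER_KEY was supplied), and a relying party that maps it to "confirmed" has effectively disabled holder-of-key checking. Reading SC_HOK_CONFIRMED_KEYINFO after a VALID result also gives you the exact KeyInfo that matched, which is worth logging alongside the presenter's certificate for later incident review.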
Field summary

Modifier and Type | Field and Description
---|---
private org.slf4j.Logger | log: Class logger.
Constructor summary

Constructor and Description
---
HolderOfKeySubjectConfirmationValidator()
Method summary

Modifier and Type | Method and Description
---|---
protected ValidationResult | doValidate(SubjectConfirmation confirmation, Assertion assertion, ValidationContext context): Performs any further validation required for the specific confirmation method implementation.
protected net.shibboleth.utilities.java.support.collection.Pair<PublicKey,X509Certificate> | getKeyAndCertificate(ValidationContext context): Extracts the presenter's key and/or certificate from the validation context.
String | getServicedMethod()
protected List<org.opensaml.xmlsec.signature.KeyInfo> | getSubjectConfirmationKeyInformation(SubjectConfirmation confirmation, Assertion assertion, ValidationContext context): Extracts the KeyInfos from the given subject confirmation data.
protected boolean | isValidConfirmationDataType(SubjectConfirmation confirmation): Checks to see whether the schema type of the subject confirmation data, if present, is the required KeyInfoConfirmationDataType.TYPE_NAME.
protected boolean | matchesDEREncodedKeyValue(PublicKey key, List<org.opensaml.xmlsec.signature.DEREncodedKeyValue> derEncodedKeyValues): Checks whether the supplied public key matches one of the supplied DEREncodedKeyValue elements.
protected boolean | matchesKeyValue(PublicKey key, org.opensaml.xmlsec.signature.KeyInfo keyInfo): Checks whether the supplied public key matches one of the keys in the given KeyInfo.
protected boolean | matchesKeyValue(PublicKey key, List<org.opensaml.xmlsec.signature.KeyValue> keyValues): Checks whether the supplied public key matches one of the supplied KeyValue elements.
protected boolean | matchesX509Certificate(X509Certificate cert, org.opensaml.xmlsec.signature.KeyInfo keyInfo): Checks whether the presenter's certificate matches a certificate described by the X509Data within the KeyInfo.
Methods inherited from class AbstractSubjectConfirmationValidator: validate, validateAddress, validateNotBefore, validateNotOnOrAfter, validateRecipient
Constructor detail

public HolderOfKeySubjectConfirmationValidator()

Method detail

@Nonnull protected ValidationResult doValidate(@Nonnull SubjectConfirmation confirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Performs any further validation required for the specific confirmation method implementation.

Specified by: doValidate in class AbstractSubjectConfirmationValidator

Parameters:
confirmation - confirmation method being validated
assertion - assertion bearing the confirmation method
context - current validation context

Throws:
AssertionValidationException - thrown if further validation finds the confirmation method to be invalid

protected boolean isValidConfirmationDataType(@Nonnull SubjectConfirmation confirmation) throws AssertionValidationException

Checks to see whether the schema type of the subject confirmation data, if present, is the required KeyInfoConfirmationDataType.TYPE_NAME.

Parameters:
confirmation - subject confirmation bearing the confirmation data to be checked

Throws:
AssertionValidationException - thrown if there is a problem validating the confirmation data type

@Nonnull protected net.shibboleth.utilities.java.support.collection.Pair<PublicKey,X509Certificate> getKeyAndCertificate(@Nonnull ValidationContext context) throws AssertionValidationException

Extracts the presenter's key and/or certificate from the validation context.

Parameters:
context - current validation context

Throws:
AssertionValidationException - thrown if there is a problem obtaining the data

@Nonnull protected List<org.opensaml.xmlsec.signature.KeyInfo> getSubjectConfirmationKeyInformation(@Nonnull SubjectConfirmation confirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException

Extracts the KeyInfos from the given subject confirmation data.

Parameters:
confirmation - subject confirmation data
assertion - assertion bearing the subject to be confirmed
context - current message processing context

Throws:
AssertionValidationException - if there is a problem processing the SubjectConfirmation

protected boolean matchesKeyValue(@Nullable PublicKey key, @Nonnull org.opensaml.xmlsec.signature.KeyInfo keyInfo) throws AssertionValidationException

Checks whether the supplied public key matches one of the keys in the given KeyInfo. Evaluates both KeyValue and DEREncodedKeyValue children of the KeyInfo. Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

Parameters:
key - public key of the presenter of the assertion
keyInfo - key info from subject confirmation of the assertion

Throws:
AssertionValidationException - thrown if there is a problem matching the key value

protected boolean matchesKeyValue(@Nonnull PublicKey key, @Nullable List<org.opensaml.xmlsec.signature.KeyValue> keyValues)

Checks whether the supplied public key matches one of the supplied KeyValue elements. Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

Parameters:
key - public key of the presenter of the assertion
keyValues - candidate KeyValue elements

Throws:
AssertionValidationException - thrown if there is a problem matching the key value

protected boolean matchesDEREncodedKeyValue(@Nonnull PublicKey key, @Nullable List<org.opensaml.xmlsec.signature.DEREncodedKeyValue> derEncodedKeyValues)

Checks whether the supplied public key matches one of the supplied DEREncodedKeyValue elements. Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

Parameters:
key - public key of the presenter of the assertion
derEncodedKeyValues - candidate DEREncodedKeyValue elements

Throws:
AssertionValidationException - thrown if there is a problem matching the key value

protected boolean matchesX509Certificate(@Nullable X509Certificate cert, @Nonnull org.opensaml.xmlsec.signature.KeyInfo keyInfo) throws AssertionValidationException

Checks whether the presenter's certificate matches a certificate described by the X509Data within the KeyInfo. Matches are performed using Java equals() against X509Certificates decoded from the KeyInfo data.

Parameters:
cert - certificate of the presenter of the assertion
keyInfo - key info from subject confirmation of the assertion

Throws:
AssertionValidationException - thrown if there is a problem matching the certificate

Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.