public class PKIXX509CredentialTrustEngine extends Object implements PKIXTrustEngine<X509Credential>

Trust engine that evaluates an X509Credential token based on PKIX validation processing, using validation information from a trusted source.

Modifier and Type | Field and Description
---|---
private X509CredentialNameEvaluator | credNameEvaluator: The external credential name evaluator used to establish trusted name compliance.
private org.slf4j.Logger | log: Class logger.
private PKIXValidationInformationResolver | pkixResolver: Resolver used for resolving trusted credentials.
private PKIXTrustEvaluator | pkixTrustEvaluator: The external PKIX trust evaluator used to establish trust.

Constructor and Description
---
PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver): Constructor.
PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver, PKIXTrustEvaluator pkixEvaluator, X509CredentialNameEvaluator nameEvaluator): Constructor.

Modifier and Type | Method and Description
---|---
protected boolean | checkNames(Set<String> trustedNames, X509Credential untrustedCredential): Evaluate the credential against the set of trusted names.
PKIXValidationInformationResolver | getPKIXResolver()
PKIXTrustEvaluator | getPKIXTrustEvaluator(): Get the PKIXTrustEvaluator instance used to evaluate trust.
X509CredentialNameEvaluator | getX509CredentialNameEvaluator(): Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.
boolean | validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
protected boolean | validate(X509Credential untrustedX509Credential, Set<String> trustedNames, Iterable<PKIXValidationInformation> validationInfoSet): Perform PKIX validation on the untrusted credential, using PKIX validation information based on the supplied set of trusted credentials.
private final org.slf4j.Logger log
private final PKIXValidationInformationResolver pkixResolver
private final PKIXTrustEvaluator pkixTrustEvaluator
private final X509CredentialNameEvaluator credNameEvaluator
public PKIXX509CredentialTrustEngine(@Nonnull PKIXValidationInformationResolver resolver)
The PKIX trust evaluator used defaults to CertPathPKIXTrustEvaluator.
The X.509 credential name evaluator used defaults to BasicX509CredentialNameEvaluator.
Parameters:
resolver - credential resolver used to resolve trusted credentials

public PKIXX509CredentialTrustEngine(@Nonnull PKIXValidationInformationResolver resolver, @Nonnull PKIXTrustEvaluator pkixEvaluator, @Nullable X509CredentialNameEvaluator nameEvaluator)
Parameters:
resolver - credential resolver used to resolve trusted credentials
pkixEvaluator - the PKIX trust evaluator to use
nameEvaluator - the X.509 credential name evaluator to use (may be null)

@Nonnull public PKIXValidationInformationResolver getPKIXResolver()
Specified by:
getPKIXResolver in interface PKIXTrustEngine<X509Credential>

@Nonnull public PKIXTrustEvaluator getPKIXTrustEvaluator()
Get the PKIXTrustEvaluator instance used to evaluate trust.
The parameters of this evaluator may be modified to adjust trust evaluation processing.

@Nullable public X509CredentialNameEvaluator getX509CredentialNameEvaluator()
Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.
The parameters of this evaluator may be modified to adjust trust evaluation processing.

public boolean validate(@Nonnull X509Credential untrustedCredential, @Nullable CriteriaSet trustBasisCriteria) throws SecurityException
Specified by:
validate in interface TrustEngine<X509Credential>
Throws:
SecurityException
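An added example, not code from OpenSAML or from this Javadoc, showing the one-argument constructor wired to a StaticPKIXValidationInformationResolver so that validate() runs both PKIX path validation and the trusted-name check. The certificate file paths, the trusted name and the class name PkixCredentialCheck are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;

public final class PkixCredentialCheck {

    /** Load one PEM- or DER-encoded X.509 certificate from disk. */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** PKIX path validation of {@code presented} against a single anchor, plus a trusted-name check. */
    static boolean isTrusted(X509Certificate anchor, X509Certificate presented,
                             String expectedName) throws SecurityException {
        // One trust anchor, no CRLs, certificate path depth limited to 3.
        PKIXValidationInformation info =
                new BasicPKIXValidationInformation(Collections.singletonList(anchor), null, 3);
        // Static resolver: hands back the same validation info and trusted names for any criteria.
        StaticPKIXValidationInformationResolver resolver = new StaticPKIXValidationInformationResolver(
                Collections.singletonList(info), Collections.singleton(expectedName));
        // One-arg constructor: defaults to CertPathPKIXTrustEvaluator and BasicX509CredentialNameEvaluator.
        PKIXX509CredentialTrustEngine engine = new PKIXX509CredentialTrustEngine(resolver);
        X509Credential untrusted = new BasicX509Credential(presented);
        // True only when the cert chains to the anchor AND the name evaluator accepts it.
        return engine.validate(untrusted, new CriteriaSet());
    }

    public static void main(String[] args) throws Exception {
        // File paths and the expected name are placeholders, not values from the page.
        X509Certificate ca = loadCert("/path/to/trusted-ca.pem");
        X509Certificate peer = loadCert("/path/to/presented.pem");
        System.out.println("trusted: " + isTrusted(ca, peer, "idp.example.org"));
    }
}
```

Passing a null nameEvaluator to the three-argument constructor makes checkNames() return true unconditionally, so prefer the one-argument form unless the name check is performed elsewhere.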
protected boolean validate(@Nonnull X509Credential untrustedX509Credential, @Nullable Set<String> trustedNames, @Nonnull Iterable<PKIXValidationInformation> validationInfoSet) throws SecurityException
Parameters:
untrustedX509Credential - the credential to evaluate
trustedNames - the set of trusted names for name checking purposes
validationInfoSet - the set of validation information which serves as the basis for trust evaluation
Throws:
SecurityException - thrown if there is an error validating the untrusted credential against trusted names or validation information

protected boolean checkNames(@Nullable Set<String> trustedNames, @Nonnull X509Credential untrustedCredential) throws SecurityException
Evaluate the credential against the set of trusted names. Evaluates to true if no instance of X509CredentialNameEvaluator is configured.
Parameters:
trustedNames - set of trusted names
untrustedCredential - the credential being evaluated
Throws:
SecurityException - thrown if there is an error evaluating the credential

Copyright © 1999–2018 Shibboleth Consortium. All rights reserved.