public class PKIXSignatureTrustEngine extends BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>>> implements org.opensaml.security.x509.PKIXTrustEngine<Signature>

A SignatureTrustEngine implementation which evaluates the validity and trustworthiness of XML and raw signatures.

Processing is performed as described in BaseSignatureTrustEngine. If, based on this processing, it is determined that the Signature's KeyInfo is not present or does not contain a valid (and trusted) signing key, then trust engine validation fails. Since the PKIX engine is based on the assumption that trusted signing keys are not known in advance, the signing key must be present in, or derivable from, the information in the Signature's KeyInfo element.
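The following is an added example of wiring and using this engine; it is not taken from the OpenSAML Javadoc or source. It builds the engine from a single CA trust anchor with the two-argument constructor (so the documented defaults, CertPathPKIXTrustEvaluator and BasicX509CredentialNameEvaluator, apply), then exercises both paths described on this page: the XML Signature path through the inherited validate(Signature, CriteriaSet), and the raw-signature path through validate(byte[], byte[], String, CriteriaSet, Credential). The class name PkixSignatureCheck and its method names are assumptions chosen for the illustration; the CA stream, trusted name, entity ID, algorithm URI and the Signature object are inputs the caller is assumed to have (the Signature already unmarshalled from the received document).

```java
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine;

/** Added example, not part of OpenSAML; class and method names are assumptions. */
public final class PkixSignatureCheck {

    /**
     * Build the engine with the two-argument constructor, so the defaults
     * (CertPathPKIXTrustEvaluator, BasicX509CredentialNameEvaluator) apply.
     *
     * @param caCertPem     stream of the CA certificate used as trust anchor
     * @param trustedNames  names the signing certificate must carry (subject CN,
     *                      subject DN or a subjectAltName); a chain that validates
     *                      but matches none of these names is still rejected
     * @param maxChainDepth maximum certification path length accepted
     */
    public static PKIXSignatureTrustEngine buildEngine(InputStream caCertPem,
            Set<String> trustedNames, int maxChainDepth) throws Exception {
        // Bootstraps OpenSAML (XML security providers, unmarshallers); once per JVM.
        InitializationService.initialize();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor = (X509Certificate) cf.generateCertificate(caCertPem);

        // Trust anchors, CRLs (none here; supply CRLs or other revocation
        // checking in production) and the maximum path depth.
        PKIXValidationInformation info = new BasicPKIXValidationInformation(
                Collections.singletonList(anchor), null, maxChainDepth);

        // Static resolver: the same anchors and trusted names are returned whatever
        // criteria the caller supplies; this is what resolveValidationInfo() consumes.
        StaticPKIXValidationInformationResolver pkixResolver =
                new StaticPKIXValidationInformationResolver(
                        Collections.singletonList(info), trustedNames);

        // The signing key is not known in advance: it must be carried in
        // ds:KeyInfo/ds:X509Data, which this provider turns into an X509Credential.
        List<KeyInfoProvider> providers =
                Collections.<KeyInfoProvider>singletonList(new InlineX509DataProvider());
        KeyInfoCredentialResolver keyInfoResolver =
                new BasicProviderKeyInfoCredentialResolver(providers);

        return new PKIXSignatureTrustEngine(pkixResolver, keyInfoResolver);
    }

    /** Trust-basis criteria: the entity expected to have signed, and the key usage. */
    private static CriteriaSet trustCriteria(String expectedEntityId) {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(expectedEntityId));
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        return criteria;
    }

    /**
     * XML signature path: true only if the signature verifies with a KeyInfo-derived
     * key, that key's certificate chains to the anchor, and the certificate carries
     * one of the trusted names.
     */
    public static boolean isTrusted(PKIXSignatureTrustEngine engine, Signature signature,
            String expectedEntityId) throws SecurityException {
        return engine.validate(signature, trustCriteria(expectedEntityId));
    }

    /**
     * Raw signature path (detached signature over a byte string). There is no KeyInfo,
     * so the caller supplies the candidate credential; the engine verifies with it and
     * then subjects its certificate to the same PKIX and trusted-name checks.
     */
    public static boolean isRawTrusted(PKIXSignatureTrustEngine engine, byte[] signatureBytes,
            byte[] signedContent, String algorithmUri, X509Certificate senderCert,
            String expectedEntityId) throws SecurityException {
        // algorithmUri should be checked against the deployment's allowlist of accepted
        // algorithms rather than taken unchecked from the message carrying the signature.
        Credential candidate = new BasicX509Credential(senderCert);
        return engine.validate(signatureBytes, signedContent, algorithmUri,
                trustCriteria(expectedEntityId), candidate);
    }
}
```

Build the engine once at startup and call isTrusted for each inbound Signature. With the static resolver the criteria do not change which anchors and names are used; a metadata-backed PKIXValidationInformationResolver would use the EntityIdCriterion to select per-entity anchors and trusted names. In SAML processing the Signature is normally checked against the SAML signature profile (OpenSAML's SAMLSignatureProfileValidator) before it reaches the trust engine, so that a reference to anything other than the enclosing element is rejected early; the trust engine establishes who signed, not what was signed.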
| Modifier and Type | Field and Description |
|---|---|
| private X509CredentialNameEvaluator | credNameEvaluator: The external credential name evaluator used to establish trusted name compliance. |
| private org.slf4j.Logger | log: Class logger. |
| private org.opensaml.security.x509.PKIXValidationInformationResolver | pkixResolver: Resolver used for resolving trusted credentials. |
| private org.opensaml.security.x509.PKIXTrustEvaluator | pkixTrustEvaluator: The external PKIX trust evaluator used to establish trust. |

| Constructor and Description |
|---|
| PKIXSignatureTrustEngine(org.opensaml.security.x509.PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver): Constructor. |
| PKIXSignatureTrustEngine(org.opensaml.security.x509.PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver, org.opensaml.security.x509.PKIXTrustEvaluator pkixEvaluator, X509CredentialNameEvaluator nameEvaluator): Constructor. |

| Modifier and Type | Method and Description |
|---|---|
| protected boolean | checkNames(Set<String> trustedNames, org.opensaml.security.x509.X509Credential untrustedCredential): Evaluate the credential against the set of trusted names. |
| protected boolean | doValidate(byte[] signature, byte[] content, String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, org.opensaml.security.credential.Credential candidateCredential): Determines whether a raw signature over specified content is valid and signed by a trusted credential. |
| protected boolean | doValidate(Signature signature, net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria): Validate the signature using the supplied trust criteria. |
| protected boolean | evaluateTrust(org.opensaml.security.credential.Credential untrustedCredential, net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>> validationPair): Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information. |
| org.opensaml.security.x509.PKIXValidationInformationResolver | getPKIXResolver() |
| org.opensaml.security.x509.PKIXTrustEvaluator | getPKIXTrustEvaluator(): Get the PKIXTrustEvaluator instance used to evaluate trust. |
| X509CredentialNameEvaluator | getX509CredentialNameEvaluator(): Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names. |
| protected net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>> | resolveValidationInfo(net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria): Resolve and return a set of trusted validation information. |
Methods inherited from class BaseSignatureTrustEngine: checkParams, checkParamsRaw, getKeyInfoResolver, validate, validate, validate, verifySignature
private final org.slf4j.Logger log
private final org.opensaml.security.x509.PKIXValidationInformationResolver pkixResolver
private final org.opensaml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator
private final X509CredentialNameEvaluator credNameEvaluator

public PKIXSignatureTrustEngine(@Nonnull @ParameterName(name="resolver") org.opensaml.security.x509.PKIXValidationInformationResolver resolver, @Nonnull @ParameterName(name="keyInfoResolver") KeyInfoCredentialResolver keyInfoResolver)

Constructor. The PKIX trust evaluator used defaults to CertPathPKIXTrustEvaluator. The X.509 credential name evaluator used defaults to BasicX509CredentialNameEvaluator.

Parameters:
resolver - credential resolver used to resolve trusted credentials.
keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.

public PKIXSignatureTrustEngine(@Nonnull @ParameterName(name="resolver") org.opensaml.security.x509.PKIXValidationInformationResolver resolver, @Nonnull @ParameterName(name="keyInfoResolver") KeyInfoCredentialResolver keyInfoResolver, @Nonnull @ParameterName(name="pkixEvaluator") org.opensaml.security.x509.PKIXTrustEvaluator pkixEvaluator, @Nullable @ParameterName(name="nameEvaluator") X509CredentialNameEvaluator nameEvaluator)

Constructor.

Parameters:
resolver - credential resolver used to resolve trusted credentials.
keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
pkixEvaluator - the PKIX trust evaluator to use
nameEvaluator - the X.509 credential name evaluator to use (may be null)

@Nonnull public org.opensaml.security.x509.PKIXTrustEvaluator getPKIXTrustEvaluator()

Get the PKIXTrustEvaluator instance used to evaluate trust. The parameters of this evaluator may be modified to adjust trust evaluation processing.

@Nullable public X509CredentialNameEvaluator getX509CredentialNameEvaluator()

Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names. The parameters of this evaluator may be modified to adjust trust evaluation processing.

@Nonnull public org.opensaml.security.x509.PKIXValidationInformationResolver getPKIXResolver()

Specified by:
getPKIXResolver in interface org.opensaml.security.x509.PKIXTrustEngine<Signature>

protected boolean doValidate(@Nonnull Signature signature, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws org.opensaml.security.SecurityException

Validate the signature using the supplied trust criteria.

Overrides:
doValidate in class BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>>>
Parameters:
signature - the signature to validate
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
Throws:
org.opensaml.security.SecurityException - if there is a fatal error evaluating the signature

protected boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, @Nullable org.opensaml.security.credential.Credential candidateCredential) throws org.opensaml.security.SecurityException

Determines whether a raw signature over specified content is valid and signed by a trusted credential. A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.

If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.

Overrides:
doValidate in class BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>>>
Parameters:
signature - the signature value
content - the content that was signed
algorithmURI - the signature algorithm URI which was used to sign the content
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)
Throws:
org.opensaml.security.SecurityException - thrown if there is a problem attempting to verify the signature, such as the signature algorithm not being supported

protected boolean evaluateTrust(@Nonnull org.opensaml.security.credential.Credential untrustedCredential, @Nullable net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>> validationPair) throws org.opensaml.security.SecurityException

Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.

Overrides:
evaluateTrust in class BaseSignatureTrustEngine<net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>>>
Parameters:
untrustedCredential - the untrusted credential being evaluated
validationPair - the information which serves as the basis for trust evaluation
Throws:
org.opensaml.security.SecurityException - if an error occurs during trust processing

@Nonnull protected net.shibboleth.utilities.java.support.collection.Pair<Set<String>,Iterable<org.opensaml.security.x509.PKIXValidationInformation>> resolveValidationInfo(@Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws org.opensaml.security.SecurityException

Resolve and return a set of trusted validation information.

Parameters:
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
Throws:
org.opensaml.security.SecurityException - thrown if there is an error resolving the information from the trusted resolver

protected boolean checkNames(@Nullable Set<String> trustedNames, @Nonnull org.opensaml.security.x509.X509Credential untrustedCredential) throws org.opensaml.security.SecurityException

Evaluate the credential against the set of trusted names. Evaluates to true if no instance of X509CredentialNameEvaluator is configured.

Parameters:
trustedNames - set of trusted names
untrustedCredential - the credential being evaluated
Throws:
org.opensaml.security.SecurityException - thrown if there is an error evaluating the credential

Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.