java.lang.Object
com.nimbusds.openid.connect.sdk.federation.trust.TrustChain

@Immutable public final class TrustChain extends Object
Federation entity trust chain.

Related specifications:

  • OpenID Connect Federation 1.0, sections 2.2 and 7.

  • Constructor Details

    • TrustChain

      public TrustChain(EntityStatement leaf, List<EntityStatement> superiors)
      Creates a new federation entity trust chain. Validates the subject / issuer linkage only: the subject of each superior statement must be the issuer of the statement before it, starting with the leaf self-statement. The signatures are not verified; call verifySignatures(JWKSet) with the configured trust anchor keys before relying on any metadata, policy or expiration time taken from the chain.
      Parameters:
      leaf - The leaf entity self-statement. Must not be null.
      superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.
      Throws:
      IllegalArgumentException - If the subject - issuer chain is broken.
  • Method Details

    • getLeafSelfStatement

      public EntityStatement getLeafSelfStatement()
      Returns the leaf entity self-statement.
      Returns:
      The leaf entity self-statement.
    • getSuperiorStatements

      public List<EntityStatement> getSuperiorStatements()
      Returns the superior entity statements.
      Returns:
      The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain).
    • getTrustAnchorEntityID

      public EntityID getTrustAnchorEntityID()
      Returns the entity ID of the trust anchor, i.e. the issuer of the last superior statement.
      Returns:
      The entity ID of the trust anchor.
    • length

      public int length()
      Returns the length of this trust chain, i.e. the number of superior statements (hops from the leaf to the trust anchor). A minimal trust chain with a leaf and anchor has a length of one.
      Returns:
      The trust chain length.
    • resolveCombinedMetadataPolicy

      public MetadataPolicy resolveCombinedMetadataPolicy(EntityType type) throws PolicyViolationException
      Resolves the combined metadata policy for this trust chain by merging the metadata_policy claims of the superior statements, starting at the trust anchor. Uses the default policy combination validator.
      Parameters:
      type - The metadata type, such as openid_relying_party. Must not be null.
      Returns:
      The combined metadata policy, with no policy operations if no policies were found.
      Throws:
      PolicyViolationException - If the policies in the chain cannot be combined, for example because two superiors specify conflicting operations for the same metadata parameter.
    • resolveCombinedMetadataPolicy

      public MetadataPolicy resolveCombinedMetadataPolicy(EntityType type, PolicyOperationCombinationValidator combinationValidator) throws PolicyViolationException
      Resolves the combined metadata policy for this trust chain by merging the metadata_policy claims of the superior statements, starting at the trust anchor, with the specified policy operation combination validator.
      Parameters:
      type - The metadata type, such as openid_relying_party. Must not be null.
      combinationValidator - The policy operation combination validator. Must not be null.
      Returns:
      The combined metadata policy, with no policy operations if no policies were found.
      Throws:
      PolicyViolationException - If the policies in the chain cannot be combined under the specified combination validator.
    • iteratorFromLeaf

      public Iterator<EntityStatement> iteratorFromLeaf()
      Returns an iterator over the entity statements, starting with the leaf self-statement and proceeding through the superior statements to the statement issued by the trust anchor.
      Returns:
      The iterator.
    • resolveExpirationTime

      public Date resolveExpirationTime()
      Resolves the expiration time for this trust chain, which is the earliest expiration time among all entity statements in the chain. Once that time passes the whole chain must be treated as expired and resolved again, even if the leaf self-statement is still valid.
      Returns:
      The expiration time for this trust chain.
    • verifySignatures

      public void verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException
      Verifies the signatures in this trust chain, anchored on the supplied trust anchor JWK set: the statement issued by the trust anchor is verified with these keys, and every other statement is verified with the keys that its superior's statement publishes for it, down to the leaf self-statement. The trust anchor JWK set is the root of trust for the whole chain and must come from configuration or another out-of-band source, never from a statement in the chain being verified.
      Parameters:
      trustAnchorJWKSet - The trust anchor JWK set. Must not be null.
      Throws:
      com.nimbusds.jose.proc.BadJOSEException - If a signature is invalid, a signing key is not published by the superior, or a statement has expired or its issue time lies in the future.
      com.nimbusds.jose.JOSEException - On an internal JOSE exception.
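The following is an added worked example, not sample code from the Nimbus SDK or its documentation, showing the constructor and the methods above used together: build a minimal chain (leaf self-statement plus the trust anchor's statement about the leaf), verify it against the trust anchor keys, check its expiration, apply the combined metadata policy, and confirm that the same chain is rejected against a different anchor key set. The entity IDs, key IDs, metadata and policy are constructed for the example; the keys are generated in memory only so that the example runs offline, whereas a real deployment loads the trust anchor's public keys from configuration. The EntityStatementClaimsSet setters and MetadataPolicy.apply used here are assumed from the oauth2-oidc-sdk federation API and should be checked against the SDK version in use.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityID;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityStatement;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityStatementClaimsSet;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityType;
import com.nimbusds.openid.connect.sdk.federation.policy.MetadataPolicy;
import com.nimbusds.openid.connect.sdk.federation.trust.TrustChain;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import net.minidev.json.JSONObject;

public class TrustChainExample {

    public static void main(String[] args) throws Exception {

        // Constructed entity IDs and keys (assumption: in a real federation the trust
        // anchor's public keys are loaded from configuration, never taken from the chain).
        EntityID trustAnchor = new EntityID("https://ta.example.org");
        EntityID leaf = new EntityID("https://rp.example.com");
        RSAKey taKey = new RSAKeyGenerator(2048).keyID("ta-2024").generate();
        RSAKey rpKey = new RSAKeyGenerator(2048).keyID("rp-2024").generate();
        JWKSet taPublicKeys = new JWKSet(taKey.toPublicJWK());
        JWKSet rpPublicKeys = new JWKSet(rpKey.toPublicJWK());

        Date now = new Date();
        Date inOneHour = new Date(now.getTime() + 3_600_000L);
        Date inOneDay = new Date(now.getTime() + 86_400_000L);

        // Leaf self-statement: iss == sub == leaf, carries the RP's own keys, its
        // metadata (constructed) and an authority hint pointing at the trust anchor.
        OIDCClientMetadata rpMetadata = new OIDCClientMetadata();
        rpMetadata.setRedirectionURI(URI.create("https://rp.example.com/cb"));
        rpMetadata.setGrantTypes(new HashSet<>(Arrays.asList(GrantType.AUTHORIZATION_CODE, GrantType.IMPLICIT)));
        rpMetadata.applyDefaults();
        EntityStatementClaimsSet leafClaims = new EntityStatementClaimsSet(leaf, leaf, now, inOneDay, rpPublicKeys);
        leafClaims.setAuthorityHints(Collections.singletonList(trustAnchor));
        leafClaims.setRPMetadata(rpMetadata);
        EntityStatement leafStatement = EntityStatement.sign(leafClaims, rpKey);

        // Trust anchor's statement about the leaf: iss == TA, sub == leaf. It publishes
        // the leaf's keys and a metadata policy for RPs, with a shorter lifetime than
        // the leaf self-statement so that it bounds the chain's expiration.
        EntityStatementClaimsSet taAboutLeaf = new EntityStatementClaimsSet(trustAnchor, leaf, now, inOneHour, rpPublicKeys);
        JSONObject rpPolicy = JSONObjectUtils.parse("{\"grant_types\":{\"subset_of\":[\"authorization_code\"]}}");
        taAboutLeaf.setMetadataPolicyJSONObject(EntityType.OPENID_RELYING_PARTY, rpPolicy);
        EntityStatement taStatement = EntityStatement.sign(taAboutLeaf, taKey);

        // Minimal chain. The constructor only checks the iss/sub linkage; nothing
        // in the chain is trustworthy until verifySignatures has passed.
        TrustChain chain = new TrustChain(leafStatement, Collections.singletonList(taStatement));
        System.out.println("length = " + chain.length());                    // 1 for a minimal chain
        System.out.println("trust anchor = " + chain.getTrustAnchorEntityID());
        chain.verifySignatures(taPublicKeys);

        // Freshness: the chain is only as fresh as its shortest-lived statement
        // (here the trust anchor statement, one hour).
        Date chainExpiration = chain.resolveExpirationTime();
        if (!chainExpiration.after(new Date())) {
            throw new IllegalStateException("trust chain expired at " + chainExpiration);
        }

        // Combined policy from the trust anchor, applied to the leaf's own metadata:
        // the subset_of rule drops "implicit", leaving only "authorization_code".
        MetadataPolicy policy = chain.resolveCombinedMetadataPolicy(EntityType.OPENID_RELYING_PARTY);
        JSONObject effectiveRPMetadata = policy.apply(leafClaims.getRPMetadata().toJSONObject());
        System.out.println("effective grant_types = " + effectiveRPMetadata.get("grant_types"));

        // Failure mode: the same chain checked against a different anchor key set
        // (same kid, different key) must be rejected, otherwise an impostor
        // anchor could vouch for arbitrary leaves.
        RSAKey impostorKey = new RSAKeyGenerator(2048).keyID("ta-2024").generate();
        try {
            chain.verifySignatures(new JWKSet(impostorKey.toPublicJWK()));
            throw new AssertionError("chain verified against the wrong trust anchor keys");
        } catch (BadJOSEException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The order of operations matters: verify signatures first, then check resolveExpirationTime, and only then read metadata or resolve policy, since before verification every claim in the chain is attacker-controllable input. Because the trust anchor's statement carries the shorter lifetime, the chain expires after one hour even though the leaf self-statement is valid for a day, which is the case the expiration check above is there to catch.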