Package org.opensaml.security.x509.impl

Class PKIXX509CredentialTrustEngine

java.lang.Object

org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine

All Implemented Interfaces:

TrustEngine<X509Credential>, PKIXTrustEngine<X509Credential>

public class PKIXX509CredentialTrustEngine
extends Object
implements PKIXTrustEngine<X509Credential>

Trust engine implementation which evaluates an X509Credential token based on PKIX validation processing using validation information from a trusted source.

Field Summary

Fields

Modifier and Type	Field	Description
private final X509CredentialNameEvaluator	credNameEvaluator	The external credential name evaluator used to establish trusted name compliance.
private final org.slf4j.Logger	log	Class logger.
private final PKIXValidationInformationResolver	pkixResolver	Resolver used for resolving trusted credentials.
private final PKIXTrustEvaluator	pkixTrustEvaluator	The external PKIX trust evaluator used to establish trust.

Constructor Summary

Constructors

Constructor	Description
PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver)	Constructor.
PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver, X509CredentialNameEvaluator nameEvaluator)	Constructor.
PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver, PKIXTrustEvaluator pkixEvaluator, X509CredentialNameEvaluator nameEvaluator)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected boolean	checkNames(Set<String> trustedNames, X509Credential untrustedCredential)	Evaluate the credential against the set of trusted names.
PKIXValidationInformationResolver	getPKIXResolver()	Get the resolver instance which will be used to resolve PKIX validation information.
PKIXTrustEvaluator	getPKIXTrustEvaluator()	Get the PKIXTrustEvaluator instance used to evaluate trust.
X509CredentialNameEvaluator	getX509CredentialNameEvaluator()	Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.
protected boolean	validate(X509Credential untrustedX509Credential, Set<String> trustedNames, Iterable<PKIXValidationInformation> validationInfoSet)	Perform PKIX validation on the untrusted credential, using PKIX validation information based on the supplied set of trusted credentials.
boolean	validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)	Validates the token against trusted information obtained in an implementation-specific manner.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

pkixResolver

@Nonnull
private final PKIXValidationInformationResolver pkixResolver

Resolver used for resolving trusted credentials.

pkixTrustEvaluator

@Nonnull
private final PKIXTrustEvaluator pkixTrustEvaluator

The external PKIX trust evaluator used to establish trust.

credNameEvaluator

@Nullable
private final X509CredentialNameEvaluator credNameEvaluator

The external credential name evaluator used to establish trusted name compliance.

Constructor Details

PKIXX509CredentialTrustEngine

public PKIXX509CredentialTrustEngine(@Nonnull @ParameterName(name="resolver")
 PKIXValidationInformationResolver resolver)

Constructor.

The PKIX trust evaluator used defaults to CertPathPKIXTrustEvaluator.

The X.509 credential name evaluator used defaults to BasicX509CredentialNameEvaluator.

Parameters:

resolver - credential resolver used to resolve trusted credentials

PKIXX509CredentialTrustEngine

public PKIXX509CredentialTrustEngine(@Nonnull @ParameterName(name="resolver")
 PKIXValidationInformationResolver resolver,
 @Nullable @ParameterName(name="nameEvaluator")
 X509CredentialNameEvaluator nameEvaluator)

Constructor.

Parameters:

resolver - credential resolver used to resolve trusted credentials

nameEvaluator - the X.509 credential name evaluator to use (may be null)

PKIXX509CredentialTrustEngine

public PKIXX509CredentialTrustEngine(@Nonnull @ParameterName(name="resolver")
 PKIXValidationInformationResolver resolver,
 @Nonnull @ParameterName(name="pkixEvaluator")
 PKIXTrustEvaluator pkixEvaluator,
 @Nullable @ParameterName(name="nameEvaluator")
 X509CredentialNameEvaluator nameEvaluator)

Constructor.

Parameters:

resolver - credential resolver used to resolve trusted credentials

pkixEvaluator - the PKIX trust evaluator to use

nameEvaluator - the X.509 credential name evaluator to use (may be null)

Method Details

getPKIXResolver

@Nonnull
public PKIXValidationInformationResolver getPKIXResolver()

Get the resolver instance which will be used to resolve PKIX validation information.

Specified by:

getPKIXResolver in interface PKIXTrustEngine<X509Credential>

Returns:

the currently configured resolver instance

getPKIXTrustEvaluator

@Nonnull
public PKIXTrustEvaluator getPKIXTrustEvaluator()

Get the PKIXTrustEvaluator instance used to evaluate trust.

The parameters of this evaluator may be modified to adjust trust evaluation processing.

Returns:

the PKIX trust evaluator instance that will be used

getX509CredentialNameEvaluator

@Nullable
public X509CredentialNameEvaluator getX509CredentialNameEvaluator()

Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.

The parameters of this evaluator may be modified to adjust trust evaluation processing.

Returns:

the PKIX trust evaluator instance that will be used

validate

public boolean validate(@Nonnull
 X509Credential untrustedCredential,
 @Nullable
 CriteriaSet trustBasisCriteria)
                 throws SecurityException

Validates the token against trusted information obtained in an implementation-specific manner.

Specified by:

validate in interface TrustEngine<X509Credential>

Parameters:

untrustedCredential - security token to validate

trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation

Returns:

true iff the token is trusted and valid

Throws:

SecurityException - thrown if there is a problem validating the security token

validate

protected boolean validate(@Nonnull
 X509Credential untrustedX509Credential,
 @Nullable
 Set<String> trustedNames,
 @Nonnull
 Iterable<PKIXValidationInformation> validationInfoSet)
                    throws SecurityException

Perform PKIX validation on the untrusted credential, using PKIX validation information based on the supplied set of trusted credentials.

Parameters:

untrustedX509Credential - the credential to evaluate

trustedNames - the set of trusted names for name checking purposes

validationInfoSet - the set of validation information which serves as the basis for trust evaluation

Returns:

true if PKIX validation of the untrusted credential is successful, otherwise false

Throws:

SecurityException - thrown if there is an error validating the untrusted credential against trusted names or validation information

checkNames

protected boolean checkNames(@Nullable
 Set<String> trustedNames,
 @Nonnull
 X509Credential untrustedCredential)
                      throws SecurityException

Evaluate the credential against the set of trusted names.

Evaluates to true if no instance of X509CredentialNameEvaluator is configured.

Parameters:

trustedNames - set of trusted names

untrustedCredential - the credential being evaluated

Returns:

true if evaluation is successful, false otherwise

Throws:

SecurityException - thrown if there is an error evaluation the credential