Package org.opensaml.xmlsec.signature.support.impl

Class ChainingSignatureTrustEngine

java.lang.Object

org.opensaml.xmlsec.signature.support.impl.ChainingSignatureTrustEngine

All Implemented Interfaces:

TrustEngine<Signature>, SignatureTrustEngine

public class ChainingSignatureTrustEngine
extends Object
implements SignatureTrustEngine

Evaluate a signature in sequence using a chain of subordinate trust engines. If the signature may be established as trusted by any of the subordinate engines, the token is considered trusted. Otherwise it is considered untrusted.

Field Summary

Fields

Modifier and Type	Field	Description
private List<SignatureTrustEngine>	engines	The chain of subordinate trust engines.
private final org.slf4j.Logger	log	Class logger.

Constructor Summary

Constructors

Constructor	Description
ChainingSignatureTrustEngine(List<SignatureTrustEngine> chain)	Constructor.

Method Summary

Modifier and Type	Method	Description
List<SignatureTrustEngine>	getChain()	Get the list of configured trust engines which constitute the trust evaluation chain.
KeyInfoCredentialResolver	getKeyInfoResolver()	Get the KeyInfoCredentialResolver instance used to resolve (advisory) signing credential information from KeyInfo elements contained within a Signature element.
boolean	validate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, Credential candidateCredential)	Determines whether a raw signature over specified content is valid and signed by a trusted credential.
boolean	validate(Signature token, CriteriaSet trustBasisCriteria)	Validates the token against trusted information obtained in an implementation-specific manner.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

engines

@Nonnull
private List<SignatureTrustEngine> engines

The chain of subordinate trust engines.

Constructor Details

ChainingSignatureTrustEngine

public ChainingSignatureTrustEngine(@Nonnull @ParameterName(name="chain")
 List<SignatureTrustEngine> chain)

Constructor.

Parameters:

chain - the list of trust engines in the chain

Method Details

getChain

@Nonnull
@Unmodifiable
@NotLive
public List<SignatureTrustEngine> getChain()

Get the list of configured trust engines which constitute the trust evaluation chain.

Returns:

the modifiable list of trust engines in the chain

getKeyInfoResolver

@Nullable
public KeyInfoCredentialResolver getKeyInfoResolver()

Get the KeyInfoCredentialResolver instance used to resolve (advisory) signing credential information from KeyInfo elements contained within a Signature element. Note that credential(s) obtained via this resolver are not themselves trusted. They must be evaluated against the trusted credential information obtained from the trusted credential resolver.

Specified by:

getKeyInfoResolver in interface SignatureTrustEngine

Returns:

a KeyInfoCredentialResolver instance

validate

public boolean validate(@Nonnull
 Signature token,
 @Nullable
 CriteriaSet trustBasisCriteria)
                 throws SecurityException

Validates the token against trusted information obtained in an implementation-specific manner.

Specified by:

validate in interface TrustEngine<Signature>

Parameters:

token - security token to validate

trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation

Returns:

true iff the token is trusted and valid

Throws:

SecurityException - thrown if there is a problem validating the security token

validate

public boolean validate(@Nonnull
 byte[] signature,
 @Nonnull
 byte[] content,
 @Nonnull
 String algorithmURI,
 @Nullable
 CriteriaSet trustBasisCriteria,
 @Nullable
 Credential candidateCredential)
                 throws SecurityException

Determines whether a raw signature over specified content is valid and signed by a trusted credential.

A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.

If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.

Specified by:

validate in interface SignatureTrustEngine

Parameters:

signature - the signature value

content - the content that was signed

algorithmURI - the signature algorithm URI which was used to sign the content

trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation

candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)

Returns:

true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false

Throws:

SecurityException - thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported