Class HolderOfKeySubjectConfirmationValidator

  • All Implemented Interfaces:
    org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator

    @ThreadSafe
    public class HolderOfKeySubjectConfirmationValidator
    extends AbstractSubjectConfirmationValidator
    Validates a Holder of Key subject confirmation.

    A subject confirmation is considered confirmed if one of the following checks has passed:

    • the presenter's public key (either given explicitly or extracted from the given certificate) matches a KeyValue or DEREncodedKeyValue within one of the KeyInfo entries in the confirmation data
    • the presenter's public cert matches an X509Certificate within one of the KeyInfo entries in the confirmation data

    In both cases a "match" is determined via Java equals() comparison.

    In addition to parameters defined in AbstractSubjectConfirmationValidator:

    Supports the following ValidationContext static parameters:

    • SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT: Optional if key is supplied, otherwise required.
    • SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY: Optional if certificate is supplied, otherwise required.

    If both key and certificate are supplied, the public key of the supplied certificate must match the supplied public key; otherwise the evaluation results in ValidationResult.INDETERMINATE.

    Supports the following ValidationContext dynamic parameters:

    • SAML2AssertionValidationParameters.SC_HOK_CONFIRMED_KEYINFO: Optional. Will be present after validation iff Holder of Key subject confirmation was successfully performed.
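The following is an added usage example, not code from OpenSAML or the Shibboleth project. It shows how the static and dynamic parameters listed above fit together when the validator is driven directly for one SubjectConfirmation: the presenter's certificate goes in as SC_HOK_PRESENTER_CERT, SC_VALID_RECIPIENTS (inherited from AbstractSubjectConfirmationValidator) is assumed to exist as a Set of recipient URLs, and the matched KeyInfo is read back from SC_HOK_CONFIRMED_KEYINFO. The package of the validator class (org.opensaml.saml.saml2.assertion.impl) and the class name HolderOfKeyCheck are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.impl.HolderOfKeySubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.xmlsec.signature.KeyInfo;

/**
 * Added example (not OpenSAML code): drives HolderOfKeySubjectConfirmationValidator
 * directly for a single SubjectConfirmation. Package names for the validator and the
 * parameter constants are assumed from the OpenSAML 3/4 layout.
 */
public final class HolderOfKeyCheck {

    private HolderOfKeyCheck() {
    }

    /**
     * Returns true only when the presenter proved possession of a key named in the
     * assertion's holder-of-key confirmation data.
     *
     * @param confirmation the SubjectConfirmation whose Method is holder-of-key
     * @param assertion the assertion carrying it (signature already verified by the caller)
     * @param presenterCert the client certificate authenticated on the transport (e.g. mutual
     *        TLS); it must come from the channel, never from the message being validated
     * @param expectedRecipient our own endpoint URL, checked against SubjectConfirmationData/@Recipient
     */
    public static boolean confirmHolderOfKey(final SubjectConfirmation confirmation,
                                             final Assertion assertion,
                                             final X509Certificate presenterCert,
                                             final String expectedRecipient) {
        final HolderOfKeySubjectConfirmationValidator validator =
                new HolderOfKeySubjectConfirmationValidator();

        // The validator only evaluates its own confirmation method (getServicedMethod()).
        if (!validator.getServicedMethod().equals(confirmation.getMethod())) {
            return false;
        }

        // Static parameters: SC_HOK_PRESENTER_CERT is the HoK-specific input;
        // SC_VALID_RECIPIENTS is inherited from AbstractSubjectConfirmationValidator (assumed Set<String>).
        final Map<String, Object> staticParams = new HashMap<>();
        staticParams.put(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT, presenterCert);
        staticParams.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS,
                Collections.singleton(expectedRecipient));
        final ValidationContext context = new ValidationContext(staticParams);

        final ValidationResult result;
        try {
            result = validator.validate(confirmation, assertion, context);
        } catch (final AssertionValidationException e) {
            // Thrown when the confirmation is invalid or cannot be processed: treat as failure.
            return false;
        }

        // INDETERMINATE (for instance supplied cert and key disagree) is not success; only VALID is.
        if (result != ValidationResult.VALID) {
            System.err.println("Holder-of-key confirmation not VALID: " + result
                    + " (" + context.getValidationFailureMessage() + ")");
            return false;
        }

        // Dynamic parameter set by the validator: the KeyInfo entry that matched the presenter.
        final Object confirmed = context.getDynamicParameters()
                .get(SAML2AssertionValidationParameters.SC_HOK_CONFIRMED_KEYINFO);
        return confirmed instanceof KeyInfo;
    }
}
```

In a real deployment the validator is normally registered with SAML20AssertionValidator, which dispatches each SubjectConfirmation to the validator whose getServicedMethod() matches its Method attribute; the direct call above is just the smallest way to see the parameter flow. The point a relying party must not get wrong is the source of presenterCert: proof of possession only means something if the certificate is the one the transport layer actually authenticated.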
    • Field Detail

      • log

        private Logger log
        Class logger.
    • Constructor Detail

      • HolderOfKeySubjectConfirmationValidator

        public HolderOfKeySubjectConfirmationValidator()
    • Method Detail

      • getServicedMethod

        @Nonnull
        public String getServicedMethod()
      • doValidate

        @Nonnull
        protected org.opensaml.saml.common.assertion.ValidationResult doValidate(@Nonnull
                                                                                 org.opensaml.saml.saml2.core.SubjectConfirmation confirmation,
                                                                                 @Nonnull
                                                                                 org.opensaml.saml.saml2.core.Assertion assertion,
                                                                                 @Nonnull
                                                                                 org.opensaml.saml.common.assertion.ValidationContext context)
                                                                          throws org.opensaml.saml.common.assertion.AssertionValidationException
        Performs any further validation required for the specific confirmation method implementation.
        Specified by:
        doValidate in class AbstractSubjectConfirmationValidator
        Parameters:
        confirmation - confirmation method being validated
        assertion - assertion bearing the confirmation method
        context - current validation context
        Returns:
        the result of the validation evaluation
        Throws:
        org.opensaml.saml.common.assertion.AssertionValidationException - thrown if further validation finds the confirmation method to be invalid
      • isValidConfirmationDataType

        protected boolean isValidConfirmationDataType(@Nonnull
                                                      org.opensaml.saml.saml2.core.SubjectConfirmation confirmation)
                                               throws org.opensaml.saml.common.assertion.AssertionValidationException
        Checks to see whether the schema type of the subject confirmation data, if present, is the required KeyInfoConfirmationDataType.TYPE_NAME.
        Parameters:
        confirmation - subject confirmation bearing the confirmation data to be checked
        Returns:
        true if the confirmation data's schema type is correct, false otherwise
        Throws:
        org.opensaml.saml.common.assertion.AssertionValidationException - thrown if there is a problem validating the confirmation data type
      • getKeyAndCertificate

        @Nonnull
        protected net.shibboleth.utilities.java.support.collection.Pair<PublicKey,X509Certificate> getKeyAndCertificate(@Nonnull
                                                                                                                              org.opensaml.saml.common.assertion.ValidationContext context)
                                                                                                                       throws org.opensaml.saml.common.assertion.AssertionValidationException
        Extracts the presenter's key and/or certificate from the validation context.
        Parameters:
        context - current validation context
        Returns:
        the presenter's key/cert pair; any element not available in the context is null
        Throws:
        org.opensaml.saml.common.assertion.AssertionValidationException - thrown if there is a problem obtaining the data
      • getSubjectConfirmationKeyInformation

        @Nonnull
        protected List<org.opensaml.xmlsec.signature.KeyInfo> getSubjectConfirmationKeyInformation(@Nonnull
                                                                                                   org.opensaml.saml.saml2.core.SubjectConfirmation confirmation,
                                                                                                   @Nonnull
                                                                                                   org.opensaml.saml.saml2.core.Assertion assertion,
                                                                                                   @Nonnull
                                                                                                   org.opensaml.saml.common.assertion.ValidationContext context)
                                                                                            throws org.opensaml.saml.common.assertion.AssertionValidationException
        Extracts the KeyInfos from the given subject confirmation data.
        Parameters:
        confirmation - subject confirmation data
        assertion - assertion bearing the subject to be confirmed
        context - current validation context
        Returns:
        list of KeyInfo elements available in the subject confirmation data, never null
        Throws:
        org.opensaml.saml.common.assertion.AssertionValidationException - if there is a problem processing the SubjectConfirmation
      • matchesKeyValue

        protected boolean matchesKeyValue(@Nullable
                                          PublicKey key,
                                          @Nonnull
                                          org.opensaml.xmlsec.signature.KeyInfo keyInfo)
                                   throws org.opensaml.saml.common.assertion.AssertionValidationException
        Checks whether the supplied public key matches one of the keys in the given KeyInfo.

        Evaluates both KeyValue and DEREncodedKeyValue children of the KeyInfo.

        Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

        Parameters:
        key - public key of the presenter of the assertion
        keyInfo - key info from subject confirmation of the assertion
        Returns:
        true if the presenter's public key matches one of the key values in the key info, false otherwise
        Throws:
        org.opensaml.saml.common.assertion.AssertionValidationException - thrown if there is a problem matching the key value
      • matchesKeyValue

        protected boolean matchesKeyValue(@Nonnull
                                          PublicKey key,
                                          @Nullable
                                          List<org.opensaml.xmlsec.signature.KeyValue> keyValues)
        Checks whether the supplied public key matches one of the supplied KeyValue elements.

        Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

        Parameters:
        key - public key of the presenter of the assertion
        keyValues - candidate KeyValue elements
        Returns:
        true if the presenter's public key matches one of the key values, false otherwise
      • matchesDEREncodedKeyValue

        protected boolean matchesDEREncodedKeyValue(@Nonnull
                                                    PublicKey key,
                                                    @Nullable
                                                    List<org.opensaml.xmlsec.signature.DEREncodedKeyValue> derEncodedKeyValues)
        Checks whether the supplied public key matches one of the supplied DEREncodedKeyValue elements.

        Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

        Parameters:
        key - public key of the presenter of the assertion
        derEncodedKeyValues - candidate DEREncodedKeyValue elements
        Returns:
        true if the presenter's public key matches one of the DER-encoded key values, false otherwise
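The matchesKeyValue and matchesDEREncodedKeyValue methods above both reduce to one operation: decode each candidate into a java.security.PublicKey and compare it to the presenter's key with equals(). The following added example, written in plain JCA and not taken from OpenSAML, reproduces that matching rule for a list of DER-encoded SubjectPublicKeyInfo candidates (the content a DEREncodedKeyValue carries) so the semantics can be checked in isolation; the class name KeyMatchDemo, the method name matchesAnyDerKey and the generated key pairs are constructed for the example. It also shows the failure mode a matcher has to absorb: a candidate that is not a well-formed key, or a key of a different algorithm, is simply not a match rather than an error that aborts the whole check.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.List;

/** Added example (not OpenSAML code): equals()-based key matching over DER candidates. */
public final class KeyMatchDemo {

    private KeyMatchDemo() {
    }

    /**
     * Returns true if any candidate SubjectPublicKeyInfo decodes to a PublicKey that is
     * equals() to the presenter's key. Candidates that do not decode with the presenter's
     * algorithm (malformed DER, or another key type) cannot match and are skipped.
     */
    public static boolean matchesAnyDerKey(final PublicKey presenterKey, final List<byte[]> derCandidates) {
        final KeyFactory factory;
        try {
            // A candidate of a different algorithm can never equal the presenter's key,
            // so decoding with the presenter's own algorithm is sufficient.
            factory = KeyFactory.getInstance(presenterKey.getAlgorithm());
        } catch (final NoSuchAlgorithmException e) {
            return false;
        }
        for (final byte[] der : derCandidates) {
            try {
                final PublicKey candidate = factory.generatePublic(new X509EncodedKeySpec(der));
                if (presenterKey.equals(candidate)) {
                    return true;
                }
            } catch (final InvalidKeySpecException e) {
                // Not a decodable key of this algorithm: not a match, keep looking.
            }
        }
        return false;
    }

    public static void main(final String[] args) throws Exception {
        // Constructed inputs: two fresh EC key pairs, one plays the presenter.
        final KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        final KeyPair presenter = gen.generateKeyPair();
        final KeyPair other = gen.generateKeyPair();

        // Well-formed DER (SEQUENCE { INTEGER 1 }) that is not a SubjectPublicKeyInfo at all.
        final byte[] notAKey = new byte[] {0x30, 0x03, 0x02, 0x01, 0x01};

        // Only a foreign key and junk: no match.
        System.out.println("foreign key and junk only: "
                + matchesAnyDerKey(presenter.getPublic(),
                        Arrays.asList(other.getPublic().getEncoded(), notAKey)));

        // Same list plus the presenter's own encoding: match.
        System.out.println("presenter key present: "
                + matchesAnyDerKey(presenter.getPublic(),
                        Arrays.asList(other.getPublic().getEncoded(), notAKey,
                                presenter.getPublic().getEncoded())));
    }
}
```

The first call exercises the negative path (a foreign key plus a non-key DER blob), the second adds the presenter's own SubjectPublicKeyInfo and should report a match. Because the comparison is equals() on decoded key objects rather than on raw bytes, re-encoding differences that decode to the same key are tolerated, but a key whose encoding cannot be decoded at all never confirms anything.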
      • matchesX509Certificate

        protected boolean matchesX509Certificate(@Nullable
                                                 X509Certificate cert,
                                                 @Nonnull
                                                 org.opensaml.xmlsec.signature.KeyInfo keyInfo)
                                          throws org.opensaml.saml.common.assertion.AssertionValidationException
        Checks whether the presenter's certificate matches a certificate described by the X509Data within the KeyInfo.

        Matches are performed using Java equals() against X509Certificates decoded from the KeyInfo data.

        Parameters:
        cert - certificate of the presenter of the assertion
        keyInfo - key info from subject confirmation of the assertion
        Returns:
        true if the presenter's certificate matches a certificate described by an X509Data within the KeyInfo, false otherwise
        Throws:
        org.opensaml.saml.common.assertion.AssertionValidationException - thrown if there is a problem matching the certificate