Class PKIXX509CredentialTrustEngine

  • All Implemented Interfaces:
    org.opensaml.security.trust.TrustEngine<org.opensaml.security.x509.X509Credential>, org.opensaml.security.x509.PKIXTrustEngine<org.opensaml.security.x509.X509Credential>

    public class PKIXX509CredentialTrustEngine
    extends Object
    implements org.opensaml.security.x509.PKIXTrustEngine<org.opensaml.security.x509.X509Credential>
    Trust engine implementation which evaluates an X509Credential token based on PKIX validation processing using validation information from a trusted source.
    • Field Detail

      • log

        private final org.slf4j.Logger log
        Class logger.
      • pkixResolver

        private final org.opensaml.security.x509.PKIXValidationInformationResolver pkixResolver
        Resolver used to obtain the trusted PKIX validation information (trust anchors, CRLs, depth) and, where supported, the trusted names that form the basis of trust.
      • pkixTrustEvaluator

        private final org.opensaml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator
        The external PKIX trust evaluator used to establish trust.
      • credNameEvaluator

        private final X509CredentialNameEvaluator credNameEvaluator
        The external credential name evaluator used to establish trusted name compliance.
    • Constructor Detail

      • PKIXX509CredentialTrustEngine

        public PKIXX509CredentialTrustEngine​(@Nonnull @ParameterName(name="resolver")
                                             org.opensaml.security.x509.PKIXValidationInformationResolver resolver)
        Constructor.

        The PKIX trust evaluator used defaults to CertPathPKIXTrustEvaluator.

        The X.509 credential name evaluator used defaults to BasicX509CredentialNameEvaluator.

        Parameters:
        resolver - credential resolver used to resolve trusted credentials
      • PKIXX509CredentialTrustEngine

        public PKIXX509CredentialTrustEngine​(@Nonnull @ParameterName(name="resolver")
                                             org.opensaml.security.x509.PKIXValidationInformationResolver resolver,
                                             @Nullable @ParameterName(name="nameEvaluator")
                                             X509CredentialNameEvaluator nameEvaluator)
        Constructor.
        Parameters:
        resolver - credential resolver used to resolve trusted credentials
        nameEvaluator - the X.509 credential name evaluator to use (may be null)
      • PKIXX509CredentialTrustEngine

        public PKIXX509CredentialTrustEngine​(@Nonnull @ParameterName(name="resolver")
                                             org.opensaml.security.x509.PKIXValidationInformationResolver resolver,
                                             @Nonnull @ParameterName(name="pkixEvaluator")
                                             org.opensaml.security.x509.PKIXTrustEvaluator pkixEvaluator,
                                             @Nullable @ParameterName(name="nameEvaluator")
                                             X509CredentialNameEvaluator nameEvaluator)
        Constructor.
        Parameters:
        resolver - credential resolver used to resolve trusted credentials
        pkixEvaluator - the PKIX trust evaluator to use
        nameEvaluator - the X.509 credential name evaluator to use (may be null)
    • Method Detail

      • getPKIXResolver

        @Nonnull
        public org.opensaml.security.x509.PKIXValidationInformationResolver getPKIXResolver()
        Get the resolver used to obtain the PKIX validation information (and trusted names) against which untrusted credentials are evaluated.
        Specified by:
        getPKIXResolver in interface org.opensaml.security.x509.PKIXTrustEngine<org.opensaml.security.x509.X509Credential>
      • getPKIXTrustEvaluator

        @Nonnull
        public org.opensaml.security.x509.PKIXTrustEvaluator getPKIXTrustEvaluator()
        Get the PKIXTrustEvaluator instance used to evaluate trust.

        The parameters of this evaluator may be modified to adjust trust evaluation processing.

        Returns:
        the PKIX trust evaluator instance that will be used
      • getX509CredentialNameEvaluator

        @Nullable
        public X509CredentialNameEvaluator getX509CredentialNameEvaluator()
        Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.

        The parameters of this evaluator may be modified to adjust trust evaluation processing.

        Returns:
        the X.509 credential name evaluator instance that will be used, or null if no trusted-name checking is configured
      • validate

        public boolean validate​(@Nonnull
                                org.opensaml.security.x509.X509Credential untrustedCredential,
                                @Nullable
                                net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
                         throws org.opensaml.security.SecurityException
        Validate the untrusted credential against the trust basis. The trust basis criteria are passed to the PKIX resolver to obtain the trusted names (if the resolver supports trusted name resolution) and the PKIX validation information; the credential is then evaluated against both by the protected validate method.
        Specified by:
        validate in interface org.opensaml.security.trust.TrustEngine<org.opensaml.security.x509.X509Credential>
        Returns:
        true if trust in the untrusted credential is established, otherwise false
        Throws:
        org.opensaml.security.SecurityException - thrown if there is an error resolving the trust basis or validating the untrusted credential
      • validate

        protected boolean validate​(@Nonnull
                                   org.opensaml.security.x509.X509Credential untrustedX509Credential,
                                   @Nullable
                                   Set<String> trustedNames,
                                   @Nonnull
                                   Iterable<org.opensaml.security.x509.PKIXValidationInformation> validationInfoSet)
                            throws org.opensaml.security.SecurityException
        Perform PKIX validation on the untrusted credential. The credential is first evaluated against the supplied trusted names (see checkNames); if that check fails, PKIX validation is not attempted. Otherwise the credential is validated against each entry of the supplied PKIX validation information in turn, and trust is established as soon as one entry validates it.
        Parameters:
        untrustedX509Credential - the credential to evaluate
        trustedNames - the set of trusted names for name checking purposes
        validationInfoSet - the set of validation information which serves as the basis for trust evaluation
        Returns:
        true if PKIX validation of the untrusted credential is successful, otherwise false
        Throws:
        org.opensaml.security.SecurityException - thrown if there is an error validating the untrusted credential against trusted names or validation information
      • checkNames

        protected boolean checkNames​(@Nullable
                                     Set<String> trustedNames,
                                     @Nonnull
                                     org.opensaml.security.x509.X509Credential untrustedCredential)
                              throws org.opensaml.security.SecurityException
        Evaluate the credential against the set of trusted names.

        Evaluates to true if no instance of X509CredentialNameEvaluator is configured. In that case the trusted names are never compared with the credential's subject or subject alternative names, and trust rests solely on the PKIX chain validation: any certificate that chains to a resolved trust anchor is accepted, whatever name it carries.

        Parameters:
        trustedNames - set of trusted names
        untrustedCredential - the credential being evaluated
        Returns:
        true if evaluation is successful, false otherwise
        Throws:
        org.opensaml.security.SecurityException - thrown if there is an error evaluating the credential
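The following is an added example, not code from the OpenSAML project or from this page, showing the constructors and the validate/checkNames behaviour described above. It builds a trust basis from one PEM-encoded anchor using OpenSAML's StaticPKIXValidationInformationResolver and BasicPKIXValidationInformation, then evaluates the same end-entity certificate through two engines: one with the default BasicX509CredentialNameEvaluator, and one constructed with a null name evaluator so that checkNames always passes. The file paths, the trusted name "idp.example.org" and the class name are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;

public class PkixTrustEngineExample {

    // Assumed inputs (not from the page): a CA certificate that acts as trust anchor,
    // and the peer's end-entity certificate, both PEM encoded.
    static final String ANCHOR_PEM = "/etc/pki/idp-ca.pem";
    static final String PEER_PEM = "/tmp/peer-signing-cert.pem";

    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate anchor = loadPem(ANCHOR_PEM);
        X509Certificate peer = loadPem(PEER_PEM);

        // Trust basis: one anchor, no CRLs, verification depth 1 (anchor directly signs the peer cert).
        PKIXValidationInformation info = new BasicPKIXValidationInformation(
                Collections.singletonList(anchor), null, 1);

        // The resolver supplies both the validation information and the trusted names.
        // It ignores the CriteriaSet, so validate() can be called with null criteria below.
        Set<String> trustedNames = Collections.singleton("idp.example.org");
        List<PKIXValidationInformation> infoList = Collections.singletonList(info);
        StaticPKIXValidationInformationResolver resolver =
                new StaticPKIXValidationInformationResolver(infoList, trustedNames);

        // Engine 1: one-argument constructor, so the defaults apply
        // (CertPathPKIXTrustEvaluator and BasicX509CredentialNameEvaluator).
        // The peer certificate must both chain to the anchor and carry a trusted name.
        PKIXX509CredentialTrustEngine namesAndChain = new PKIXX509CredentialTrustEngine(resolver);

        // Engine 2: null name evaluator. checkNames() now always returns true, so the
        // trusted names are never compared with the certificate; any certificate that
        // chains to the anchor is trusted. Only use this when names are checked elsewhere.
        PKIXX509CredentialTrustEngine chainOnly = new PKIXX509CredentialTrustEngine(resolver, null);

        BasicX509Credential untrusted = new BasicX509Credential(peer);

        boolean strictResult = namesAndChain.validate(untrusted, null);
        boolean chainOnlyResult = chainOnly.validate(untrusted, null);

        System.out.println("names + chain : " + strictResult);
        System.out.println("chain only    : " + chainOnlyResult);
        // A peer cert issued by the anchor for a name other than idp.example.org
        // yields false for the first engine and true for the second.
    }
}
```

The evaluator returned by getPKIXTrustEvaluator is mutable, as the page notes; with the default CertPathPKIXTrustEvaluator its PKIXValidationOptions control revocation behaviour, and forcing revocation checking is only meaningful if CRLs are supplied in the BasicPKIXValidationInformation, since otherwise every chain fails closed.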