org.opensaml.xml.signature.impl
Class PKIXSignatureTrustEngine

java.lang.Object
  extended by org.opensaml.xml.signature.impl.BaseSignatureTrustEngine<Pair<java.util.Set<java.lang.String>,java.lang.Iterable<PKIXValidationInformation>>>
      extended by org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine
All Implemented Interfaces:
TrustEngine<Signature>, PKIXTrustEngine<Signature>, SignatureTrustEngine

public class PKIXSignatureTrustEngine
extends BaseSignatureTrustEngine<Pair<java.util.Set<java.lang.String>,java.lang.Iterable<PKIXValidationInformation>>>
implements PKIXTrustEngine<Signature>

An implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures.

Processing is performed as described in BaseSignatureTrustEngine. If based on this processing, it is determined that the Signature's KeyInfo is not present or does not contain a valid (and trusted) signing key, then trust engine validation fails. Since the PKIX engine is based on the assumption that trusted signing keys are not known in advance, the signing key must be present in, or derivable from, the information in the Signature's KeyInfo element.


Constructor Summary
PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver)
          Constructor.
 
Method Summary
protected  boolean evaluateTrust(Credential untrustedCredential, Pair<java.util.Set<java.lang.String>,java.lang.Iterable<PKIXValidationInformation>> validationPair)
          Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
 PKIXValidationInformationResolver getPKIXResolver()
          Get the resolver instance which will be used to resolve PKIX validation information.
 PKIXTrustEvaluator getPKIXTrustEvaluator()
          Get the PKIXTrustEvaluator instance used to evalute trust.
 boolean validate(Signature signature, CriteriaSet trustBasisCriteria)
          Validates the token against trusted information obtained in an implementation-specific manner.
 
Methods inherited from class org.opensaml.xml.signature.impl.BaseSignatureTrustEngine
checkParams, getKeyInfoResolver, validate, validate, verifySignature
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PKIXSignatureTrustEngine

public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver,
                                KeyInfoCredentialResolver keyInfoResolver)
Constructor.

Parameters:
resolver - credential resolver used to resolve trusted credentials.
keyInfoResolver - KeyInfo credential resolver used to obtain the (advisory) signing credential from a Signature's KeyInfo element.
Method Detail

getPKIXTrustEvaluator

public PKIXTrustEvaluator getPKIXTrustEvaluator()
Get the PKIXTrustEvaluator instance used to evalute trust. The parameters of this evaluator may be modified to adjust trust evaluation processing.

Returns:
the PKIX trust evaluator instance that will be used

getPKIXResolver

public PKIXValidationInformationResolver getPKIXResolver()
Get the resolver instance which will be used to resolve PKIX validation information.

Specified by:
getPKIXResolver in interface PKIXTrustEngine<Signature>
Returns:
the currently configured resolver instance

validate

public boolean validate(Signature signature,
                        CriteriaSet trustBasisCriteria)
                 throws SecurityException
Validates the token against trusted information obtained in an implementation-specific manner.

Specified by:
validate in interface TrustEngine<Signature>
Parameters:
signature - security token to validate
trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
Returns:
true if the token is trusted and valid, false if not
Throws:
SecurityException - thrown if there is a problem validating the security token

evaluateTrust

protected boolean evaluateTrust(Credential untrustedCredential,
                                Pair<java.util.Set<java.lang.String>,java.lang.Iterable<PKIXValidationInformation>> validationPair)
                         throws SecurityException
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.

Specified by:
evaluateTrust in class BaseSignatureTrustEngine<Pair<java.util.Set<java.lang.String>,java.lang.Iterable<PKIXValidationInformation>>>
Parameters:
untrustedCredential - the untrusted credential being evaluated
validationPair - the information which serves as the basis for trust evaluation
Returns:
true if the trust can be established for the untrusted credential, otherwise false
Throws:
SecurityException - if an error occurs during trust processing