Class MetadataPKIXValidationInformationResolver

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
net.shibboleth.idp.saml.security.impl.MetadataPKIXValidationInformationResolver
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, Resolver<PKIXValidationInformation,​CriteriaSet>, PKIXValidationInformationResolver

public class MetadataPKIXValidationInformationResolver
extends AbstractInitializableComponent
implements PKIXValidationInformationResolver
An implementation of PKIXValidationInformationResolver which resolves PKIXValidationInformation based on information stored in SAML 2 metadata. Validation information is retrieved from Shibboleth-specific metadata extensions to EntityDescriptor represented by instances of KeyAuthority, as well as instances of PKIXValidationInformation which have been previously populated within the data set available from XMLObject.getObjectMetadata(). Resolution of trusted names for an entity is also supported, based on KeyName information contained within the KeyInfo of a role descriptor's KeyDescriptor element.
  • Field Details

    • KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT

      public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
      Default value for Shibboleth KeyAuthority verify depth.
      See Also:
      Constant Field Values
    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • roleDescriptorResolver

      @Nonnull private RoleDescriptorResolver roleDescriptorResolver
      Metadata RoleDescriptor resolver used to resolve metadata information.
  • Constructor Details

    • MetadataPKIXValidationInformationResolver

      public MetadataPKIXValidationInformationResolver​(@Nonnull @ParameterName(name="resolver") RoleDescriptorResolver resolver)
      Constructor.
      Parameters:
      resolver - role descriptor resolver
  • Method Details

    • getRoleDescriptorResolver

      @Nonnull public RoleDescriptorResolver getRoleDescriptorResolver()
      Get the metadata RoleDescriptor resolver instance used by this resolver.
      Returns:
      the resolver's RoleDescriptor metadata resolver instance
    • resolveSingle

      public PKIXValidationInformation resolveSingle​(CriteriaSet criteriaSet) throws ResolverException
      Specified by:
      resolveSingle in interface Resolver<PKIXValidationInformation,​CriteriaSet>
      Throws:
      ResolverException
    • resolve

      public Iterable<PKIXValidationInformation> resolve​(CriteriaSet criteriaSet) throws ResolverException
      Specified by:
      resolve in interface Resolver<PKIXValidationInformation,​CriteriaSet>
      Throws:
      ResolverException
    • resolveTrustedNames

      @Nonnull public Set<String> resolveTrustedNames​(CriteriaSet criteriaSet) throws ResolverException
      Specified by:
      resolveTrustedNames in interface PKIXValidationInformationResolver
      Throws:
      ResolverException
    • supportsTrustedNameResolution

      public boolean supportsTrustedNameResolution()
      Specified by:
      supportsTrustedNameResolution in interface PKIXValidationInformationResolver
    • checkCriteriaRequirements

      protected void checkCriteriaRequirements​(CriteriaSet criteriaSet)
      Check that all necessary criteria are available.
      Parameters:
      criteriaSet - the criteria set to evaluate
    • retrievePKIXInfoFromMetadata

      protected Collection<PKIXValidationInformation> retrievePKIXInfoFromMetadata​(CriteriaSet criteriaSet, String entityID, QName role, String protocol) throws ResolverException
      Retrieves validation information from the provided resolver.
      Parameters:
      criteriaSet - the criteria set being processed
      entityID - entity ID for which to resolve validation information
      role - role in which the entity is operating
      protocol - protocol over which the entity is operating (may be null)
      Returns:
      collection of resolved validation information, possibly empty
      Throws:
      ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
    • resolvePKIXInfo

      protected void resolvePKIXInfo​(Collection<PKIXValidationInformation> accumulator, RoleDescriptor roleDescriptor) throws ResolverException
      Retrieves validation information from the provided role descriptor.
      Parameters:
      roleDescriptor - the role descriptor from which to resolve information.
      accumulator - accumulator of PKIX validation information to return
      Throws:
      ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
    • resolvePKIXInfo

      protected void resolvePKIXInfo​(Collection<PKIXValidationInformation> accumulator, Extensions extensions) throws ResolverException
      Retrieves validation information from the resolver extension element.
      Parameters:
      extensions - the extension element from which to resolve information
      accumulator - accumulator of PKIX validation information to return
      Throws:
      ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
    • extractPKIXInfo

      protected void extractPKIXInfo​(@Nonnull Collection<PKIXValidationInformation> accumulator, @Nonnull KeyAuthority keyAuthority) throws ResolverException
      Retrieves validation information from the Shibboleth KeyAuthority resolver extension element.
      Parameters:
      keyAuthority - the Shibboleth KeyAuthority element from which to resolve information
      accumulator - accumulator of PKIX validation information to return
      Throws:
      ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
    • retrieveTrustedNamesFromMetadata

      protected Set<String> retrieveTrustedNamesFromMetadata​(CriteriaSet criteriaSet, String entityID, QName role, String protocol, UsageType usage) throws ResolverException
      Retrieves trusted name information from the provided resolver.
      Parameters:
      criteriaSet - the criteria set being processed
      entityID - entity ID for which to resolve trusted names
      role - role in which the entity is operating
      protocol - protocol over which the entity is operating (may be null)
      usage - usage specifier for role descriptor key descriptors to evaluate
      Returns:
      collection of resolved trusted name information, possibly empty
      Throws:
      SecurityException - thrown if there is an error extracting trusted name information
      ResolverException - if we have an error getting the role descriptors
    • getTrustedNames

      protected void getTrustedNames​(Set<String> accumulator, KeyInfo keyInfo)
      Extract trusted names from a KeyInfo element.
      Parameters:
      keyInfo - the KeyInfo instance from which to extract trusted names
      accumulator - set of trusted names to return
    • matchUsage

      protected boolean matchUsage​(UsageType metadataUsage, UsageType criteriaUsage)
      Match usage enum type values from resolver KeyDescriptor and from specified resolution criteria.
      Parameters:
      metadataUsage - the value from the 'use' attribute of a resolver KeyDescriptor element
      criteriaUsage - the value from specified criteria
      Returns:
      true if the two usage specifiers match for purposes of resolving validation information, false otherwise
    • getRoleDescriptors

      protected Iterable<RoleDescriptor> getRoleDescriptors​(CriteriaSet criteriaSet, String entityID, QName role, String protocol) throws ResolverException
      Get the list of resolver role descriptors which match the given entityID, role and protocol.
      Parameters:
      criteriaSet - the criteria set being processed
      entityID - entity ID of the resolver entity descriptor to resolve
      role - role in which the entity is operating
      protocol - protocol over which the entity is operating (may be null)
      Returns:
      a list of role descriptors matching the given parameters, or null
      Throws:
      ResolverException - thrown if there is an error retrieving role descriptors from the resolver provider