Package org.opensaml.xmlsec.signature.support.impl

Class PKIXSignatureTrustEngine

java.lang.Object
org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine
All Implemented Interfaces:
TrustEngine<Signature>, PKIXTrustEngine<Signature>, SignatureTrustEngine
public class PKIXSignatureTrustEngine extends BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>> implements PKIXTrustEngine<Signature>
An implementation of SignatureTrustEngine which evaluates the validity and trustworthiness of XML and raw signatures.

Processing is performed as described in BaseSignatureTrustEngine. If based on this processing, it is determined that the Signature's KeyInfo is not present or does not contain a valid (and trusted) signing key, then trust engine validation fails. Since the PKIX engine is based on the assumption that trusted signing keys are not known in advance, the signing key must be present in, or derivable from, the information in the Signature's KeyInfo element.

  • Field Details

    • log

      private final org.slf4j.Logger log
      Class logger.

    • pkixResolver

      private final PKIXValidationInformationResolver pkixResolver
      Resolver used for resolving trusted credentials.

    • pkixTrustEvaluator

      private final PKIXTrustEvaluator pkixTrustEvaluator
      The external PKIX trust evaluator used to establish trust.

    • credNameEvaluator

      private final X509CredentialNameEvaluator credNameEvaluator
      The external credential name evaluator used to establish trusted name compliance.

  • Constructor Details

  • Method Details

    • getPKIXTrustEvaluator

      @Nonnull public PKIXTrustEvaluator getPKIXTrustEvaluator()
      Get the PKIXTrustEvaluator instance used to evaluate trust.

      The parameters of this evaluator may be modified to adjust trust evaluation processing.

      Returns:
      the PKIX trust evaluator instance that will be used

    • getX509CredentialNameEvaluator

      @Nullable public X509CredentialNameEvaluator getX509CredentialNameEvaluator()
      Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.

      The parameters of this evaluator may be modified to adjust trust evaluation processing.

      Returns:
      the PKIX trust evaluator instance that will be used

    • getPKIXResolver

      @Nonnull public PKIXValidationInformationResolver getPKIXResolver()
      Get the resolver instance which will be used to resolve PKIX validation information.
      Specified by:
      getPKIXResolver in interface PKIXTrustEngine<Signature>
      Returns:
      the currently configured resolver instance

    • doValidate

      protected boolean doValidate(@Nonnull Signature signature, @Nullable CriteriaSet trustBasisCriteria) throws SecurityException
      Validate the signature using the supplied trust criteria.
      Specified by:
      doValidate in class BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
      Parameters:
      signature - the signature to validate
      trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
      Returns:
      true if signature is valid and trusted, false otherwise
      Throws:
      SecurityException - if there is a fatal error evaluating the signature

    • doValidate

      protected boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable CriteriaSet trustBasisCriteria, @Nullable Credential candidateCredential) throws SecurityException
      Determines whether a raw signature over specified content is valid and signed by a trusted credential.

      A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.

      If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.

      Specified by:
      doValidate in class BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
      Parameters:
      signature - the signature value
      content - the content that was signed
      algorithmURI - the signature algorithm URI which was used to sign the content
      trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
      candidateCredential - the untrusted candidate credential containing the validation key for the signature (optional)
      Returns:
      true if the signature was valid for the provided content and was signed by a key contained within a credential established as trusted based on the supplied criteria, otherwise false
      Throws:
      SecurityException - thrown if there is a problem attempting to verify the signature such as the signature algorithm not being supported

    • evaluateTrust

      protected boolean evaluateTrust(@Nonnull Credential untrustedCredential, @Nullable Pair<Set<String>,Iterable<PKIXValidationInformation>> validationPair) throws SecurityException
      Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
      Specified by:
      evaluateTrust in class BaseSignatureTrustEngine<Pair<Set<String>,Iterable<PKIXValidationInformation>>>
      Parameters:
      untrustedCredential - the untrusted credential being evaluated
      validationPair - the information which serves as the basis for trust evaluation
      Returns:
      true if the trust can be established for the untrusted credential, otherwise false
      Throws:
      SecurityException - if an error occurs during trust processing

    • resolveValidationInfo

      @Nonnull protected Pair<Set<String>,Iterable<PKIXValidationInformation>> resolveValidationInfo(@Nullable CriteriaSet trustBasisCriteria) throws SecurityException
      Resolve and return a set of trusted validation information.
      Parameters:
      trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
      Returns:
      a pair consisting of an optional set of trusted names, and an iterable of trusted PKIXValidationInformation
      Throws:
      SecurityException - thrown if there is an error resolving the information from the trusted resolver

    • checkNames

      protected boolean checkNames(@Nullable Set<String> trustedNames, @Nonnull X509Credential untrustedCredential) throws SecurityException
      Evaluate the credential against the set of trusted names.

      Evaluates to true if no instance of X509CredentialNameEvaluator is configured.

      Parameters:
      trustedNames - set of trusted names
      untrustedCredential - the credential being evaluated
      Returns:
      true if evaluation is successful, false otherwise
      Throws:
      SecurityException - thrown if there is an error evaluation the credential