Class HolderOfKeySubjectConfirmationValidator

java.lang.Object
org.opensaml.saml.saml2.assertion.impl.AbstractSubjectConfirmationValidator
org.opensaml.saml.saml2.assertion.impl.HolderOfKeySubjectConfirmationValidator
All Implemented Interfaces:
SubjectConfirmationValidator

@ThreadSafe
public class HolderOfKeySubjectConfirmationValidator
extends AbstractSubjectConfirmationValidator
Validates a Holder of Key subject confirmation.

A subject confirmation is considered confirmed if one of the following checks has passed:

  • the presenter's public key (either given explicitly or extracted from the given certificate) matches a KeyValue or DEREncodedKeyValue within one of the KeyInfo entries in the confirmation data
  • the presenter's public cert matches an X509Certificate within one of the KeyInfo entries in the confirmation data

In both cases a "match" is determined via Java equals() comparison.

In addition to the parameters defined in AbstractSubjectConfirmationValidator, this validator supports the following ValidationContext static parameters:

If both key and certificate are supplied, the public key of the supplied certificate must match the supplied public key; otherwise evaluation results in ValidationResult.INDETERMINATE.
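The decision rules above, worked through as an added example. This is not OpenSAML's implementation: the hypothetical HokMatchDemo class models one KeyInfo as already-decoded candidates (a KeyInfoCandidates record holding keys, DER blobs and certificates instead of XMLObjects), uses an Outcome enum in place of ValidationResult, and uses only the JDK. The sample keys are constructed at run time; the certificate path is exercised through the same code but main() supplies none.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.List;

/**
 * Hypothetical re-implementation of the Holder-of-Key matching rules documented
 * for HolderOfKeySubjectConfirmationValidator. Added example, not OpenSAML code.
 */
public final class HokMatchDemo {

    /** Mirrors ValidationResult.VALID / INVALID / INDETERMINATE. */
    enum Outcome { CONFIRMED, NOT_CONFIRMED, INDETERMINATE }

    /** Constructed stand-in for the KeyValue, DEREncodedKeyValue and X509Certificate children of one KeyInfo. */
    record KeyInfoCandidates(List<PublicKey> keyValues,
                             List<byte[]> derEncodedKeyValues,
                             List<X509Certificate> x509Certificates) { }

    /** Applies the documented rules to the presenter's key and/or certificate. */
    static Outcome confirm(PublicKey presenterKey, X509Certificate presenterCert,
                           List<KeyInfoCandidates> keyInfos) throws Exception {
        // Consistency rule: when both are supplied, the certificate's key must equal the supplied key.
        if (presenterKey != null && presenterCert != null
                && !presenterCert.getPublicKey().equals(presenterKey)) {
            return Outcome.INDETERMINATE;
        }
        // The key is either given explicitly or extracted from the certificate.
        PublicKey key = presenterKey != null ? presenterKey
                : (presenterCert != null ? presenterCert.getPublicKey() : null);

        for (KeyInfoCandidates ki : keyInfos) {
            if (key != null && (matchesKeyValue(key, ki.keyValues())
                    || matchesDerEncodedKeyValue(key, ki.derEncodedKeyValues()))) {
                return Outcome.CONFIRMED;
            }
            // X509Certificate.equals() compares DER encodings, so contains() is the equals() match described above.
            if (presenterCert != null && ki.x509Certificates().contains(presenterCert)) {
                return Outcome.CONFIRMED;
            }
        }
        return Outcome.NOT_CONFIRMED;
    }

    /** equals() on decoded keys; for RSA this compares modulus and public exponent. */
    static boolean matchesKeyValue(PublicKey key, List<PublicKey> candidates) {
        return candidates != null && candidates.contains(key);
    }

    /** Decodes each SubjectPublicKeyInfo blob and compares it with equals(). */
    static boolean matchesDerEncodedKeyValue(PublicKey key, List<byte[]> derBlobs) throws Exception {
        if (derBlobs == null) {
            return false;
        }
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm());
        for (byte[] der : derBlobs) {
            if (kf.generatePublic(new X509EncodedKeySpec(der)).equals(key)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey holder = gen.generateKeyPair().getPublic();         // key the assertion was issued to
        PublicKey otherPresenter = gen.generateKeyPair().getPublic(); // an unrelated presenter's key

        // Constructed confirmation data carrying only a DER-encoded copy of the holder's key.
        List<KeyInfoCandidates> keyInfos = List.of(new KeyInfoCandidates(
                List.of(), List.of(holder.getEncoded()), List.of()));

        System.out.println(confirm(holder, null, keyInfos));         // CONFIRMED
        System.out.println(confirm(otherPresenter, null, keyInfos)); // NOT_CONFIRMED
        System.out.println(confirm(null, null, keyInfos));           // NOT_CONFIRMED: nothing to compare
    }
}
```

The second call is the case the validator exists for: an assertion presented by a party holding a different key is not confirmed even though the assertion itself is intact. The INDETERMINATE branch is reached only when a caller supplies a key and a certificate that disagree, which signals a configuration error at the relying party rather than a bad assertion.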

Supports the following ValidationContext dynamic parameters:

  • Field Details

    • log

      private org.slf4j.Logger log
      Class logger.
  • Constructor Details

    • HolderOfKeySubjectConfirmationValidator

      public HolderOfKeySubjectConfirmationValidator()
  • Method Details

    • getServicedMethod

      @Nonnull public String getServicedMethod()
      Gets the subject confirmation method handled by this validator.
      Returns:
      subject confirmation method handled by this validator
    • doValidate

      @Nonnull protected ValidationResult doValidate(@Nonnull SubjectConfirmation confirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Performs any further validation required for the specific confirmation method implementation.
      Specified by:
      doValidate in class AbstractSubjectConfirmationValidator
      Parameters:
      confirmation - confirmation method being validated
      assertion - assertion bearing the confirmation method
      context - current validation context
      Returns:
      the result of the validation evaluation
      Throws:
      AssertionValidationException - thrown if further validation finds the confirmation method to be invalid
    • isValidConfirmationDataType

      protected boolean isValidConfirmationDataType(@Nonnull SubjectConfirmation confirmation) throws AssertionValidationException
      Checks to see whether the schema type of the subject confirmation data, if present, is the required KeyInfoConfirmationDataType.TYPE_NAME.
      Parameters:
      confirmation - subject confirmation bearing the confirmation data to be checked
      Returns:
      true if the confirmation data's schema type is correct, false otherwise
      Throws:
      AssertionValidationException - thrown if there is a problem validating the confirmation data type
    • getKeyAndCertificate

      @Nonnull protected Pair<PublicKey,X509Certificate> getKeyAndCertificate(@Nonnull ValidationContext context) throws AssertionValidationException
      Extracts the presenter's key and/or certificate from the validation context.
      Parameters:
      context - current validation context
      Returns:
      the presenter's key/cert pair; either member is null if that information is not available in the context
      Throws:
      AssertionValidationException - thrown if there is a problem obtaining the data
    • getSubjectConfirmationKeyInformation

      @Nonnull protected List<KeyInfo> getSubjectConfirmationKeyInformation(@Nonnull SubjectConfirmation confirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext context) throws AssertionValidationException
      Extracts the KeyInfos from the given subject confirmation data.
      Parameters:
      confirmation - subject confirmation bearing the confirmation data
      assertion - assertion bearing the subject to be confirmed
      context - current validation context
      Returns:
      list of KeyInfo elements available in the subject confirmation data, never null
      Throws:
      AssertionValidationException - if there is a problem processing the SubjectConfirmation
    • matchesKeyValue

      protected boolean matchesKeyValue(@Nullable PublicKey key, @Nonnull KeyInfo keyInfo) throws AssertionValidationException
      Checks whether the supplied public key matches one of the keys in the given KeyInfo.

      Evaluates both KeyValue and DEREncodedKeyValue children of the KeyInfo.

      Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

      Parameters:
      key - public key of the presenter of the assertion
      keyInfo - key info from the subject confirmation of the assertion
      Returns:
      true if the supplied public key matches one of the key values in the key info, false otherwise
      Throws:
      AssertionValidationException - thrown if there is a problem matching the key value
    • matchesKeyValue

      protected boolean matchesKeyValue(@Nonnull PublicKey key, @Nullable List<KeyValue> keyValues)
      Checks whether the supplied public key matches one of the supplied KeyValue elements.

      Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

      Parameters:
      key - public key of the presenter of the assertion
      keyValues - candidate KeyValue elements
      Returns:
      true if the supplied public key matches one of the key values, false otherwise
    • matchesDEREncodedKeyValue

      protected boolean matchesDEREncodedKeyValue(@Nonnull PublicKey key, @Nullable List<DEREncodedKeyValue> derEncodedKeyValues)
      Checks whether the supplied public key matches one of the supplied DEREncodedKeyValue elements.

      Matches are performed using Java equals() against PublicKeys decoded from the KeyInfo data.

      Parameters:
      key - public key of the presenter of the assertion
      derEncodedKeyValues - candidate DEREncodedKeyValue elements
      Returns:
      true if the supplied public key matches one of the DER-encoded key values, false otherwise
    • matchesX509Certificate

      protected boolean matchesX509Certificate(@Nullable X509Certificate cert, @Nonnull KeyInfo keyInfo) throws AssertionValidationException
      Checks whether the presenter's certificate matches a certificate described by the X509Data within the KeyInfo.

      Matches are performed using Java equals() against X509Certificates decoded from the KeyInfo data.

      Parameters:
      cert - certificate of the presenter of the assertion
      keyInfo - key info from subject confirmation of the assertion
      Returns:
      true if the presenter's certificate matches a certificate described by an X509Data within the KeyInfo, false otherwise
      Throws:
      AssertionValidationException - thrown if there is a problem matching the certificate