Package org.opensaml.security.x509.impl

Class PKIXX509CredentialTrustEngine

java.lang.Object
org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine
All Implemented Interfaces:
TrustEngine<X509Credential>, PKIXTrustEngine<X509Credential>
public class PKIXX509CredentialTrustEngine extends Object implements PKIXTrustEngine<X509Credential>
Trust engine implementation which evaluates an X509Credential token based on PKIX validation processing using validation information from a trusted source.

  • Field Details

    • log

      private final org.slf4j.Logger log
      Class logger.

    • pkixResolver

      private final PKIXValidationInformationResolver pkixResolver
      Resolver used for resolving trusted credentials.

    • pkixTrustEvaluator

      private final PKIXTrustEvaluator pkixTrustEvaluator
      The external PKIX trust evaluator used to establish trust.

    • credNameEvaluator

      private final X509CredentialNameEvaluator credNameEvaluator
      The external credential name evaluator used to establish trusted name compliance.

  • Constructor Details

  • Method Details

    • getPKIXResolver

      @Nonnull public PKIXValidationInformationResolver getPKIXResolver()
      Get the resolver instance which will be used to resolve PKIX validation information.
      Specified by:
      getPKIXResolver in interface PKIXTrustEngine<X509Credential>
      Returns:
      the currently configured resolver instance

    • getPKIXTrustEvaluator

      @Nonnull public PKIXTrustEvaluator getPKIXTrustEvaluator()
      Get the PKIXTrustEvaluator instance used to evaluate trust.

      The parameters of this evaluator may be modified to adjust trust evaluation processing.

      Returns:
      the PKIX trust evaluator instance that will be used

    • getX509CredentialNameEvaluator

      @Nullable public X509CredentialNameEvaluator getX509CredentialNameEvaluator()
      Get the X509CredentialNameEvaluator instance used to evaluate a credential against trusted names.

      The parameters of this evaluator may be modified to adjust trust evaluation processing.

      Returns:
      the PKIX trust evaluator instance that will be used

    • validate

      public boolean validate(@Nonnull X509Credential untrustedCredential, @Nullable CriteriaSet trustBasisCriteria) throws SecurityException
      Validates the token against trusted information obtained in an implementation-specific manner.
      Specified by:
      validate in interface TrustEngine<X509Credential>
      Parameters:
      untrustedCredential - security token to validate
      trustBasisCriteria - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
      Returns:
      true iff the token is trusted and valid
      Throws:
      SecurityException - thrown if there is a problem validating the security token

    • validate

      protected boolean validate(@Nonnull X509Credential untrustedX509Credential, @Nullable Set<String> trustedNames, @Nonnull Iterable<PKIXValidationInformation> validationInfoSet) throws SecurityException
      Perform PKIX validation on the untrusted credential, using PKIX validation information based on the supplied set of trusted credentials.
      Parameters:
      untrustedX509Credential - the credential to evaluate
      trustedNames - the set of trusted names for name checking purposes
      validationInfoSet - the set of validation information which serves as the basis for trust evaluation
      Returns:
      true if PKIX validation of the untrusted credential is successful, otherwise false
      Throws:
      SecurityException - thrown if there is an error validating the untrusted credential against trusted names or validation information

    • checkNames

      protected boolean checkNames(@Nullable Set<String> trustedNames, @Nonnull X509Credential untrustedCredential) throws SecurityException
      Evaluate the credential against the set of trusted names.

      Evaluates to true if no instance of X509CredentialNameEvaluator is configured.

      Parameters:
      trustedNames - set of trusted names
      untrustedCredential - the credential being evaluated
      Returns:
      true if evaluation is successful, false otherwise
      Throws:
      SecurityException - thrown if there is an error evaluation the credential