Class InlineX509DataProvider

java.lang.Object
org.opensaml.xmlsec.keyinfo.impl.provider.AbstractKeyInfoProvider
org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider
All Implemented Interfaces:
KeyInfoProvider

public class InlineX509DataProvider extends AbstractKeyInfoProvider
Implementation of KeyInfoProvider which provides basic support for extracting an X509Credential from an X509Data child of KeyInfo. This provider supports only inline X509Certificate and X509CRL elements. If only one certificate is present, it is assumed to be the end-entity certificate containing the public key represented by this KeyInfo. If multiple certificates are present, and any instances of X509SubjectName, X509IssuerSerial, X509SKI, or X509Digest are also present, they will be used to identify the end-entity certificate, in accordance with the XML Signature specification. If a public key from a previously resolved KeyValue is available in the resolution context, it will also be used to identify the end-entity certificate. If the end-entity certificate cannot otherwise be identified, the cert contained in the first X509Certificate element will be treated as the end-entity certificate.
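The selection rules above, written out as an added example in plain JDK code (this is not OpenSAML's implementation): a single certificate is taken as-is, otherwise the resolved key and the X509Data hints are consulted, and the first certificate is the fallback. The `Hints` record, the order in which the hints are consulted, parallel issuer/serial lists and SHA-256 as the X509Digest algorithm are assumptions of this example; the certificate it returns is only what the KeyInfo asserts, so trust in it must still be established by the caller's trust evaluation.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public final class EndEntityCertSelector {

    /** Hypothetical holder for the hints an X509Data element may carry (not an OpenSAML type).
     *  Lists are non-null (use List.of()); issuerNames and serials are parallel lists. */
    public record Hints(List<String> subjectNames, List<String> issuerNames, List<BigInteger> serials,
                        List<byte[]> skis, List<byte[]> sha256Digests) {}

    /** Order of checks (resolved key, subject name, issuer/serial, SKI, digest) is this example's
     *  assumption, not a documented guarantee of the provider. */
    public static X509Certificate findEntityCert(List<X509Certificate> certs, Hints h, PublicKey resolvedKey)
            throws Exception {
        if (certs == null || certs.isEmpty()) return null;
        if (certs.size() == 1) return certs.get(0);           // lone cert is the end-entity cert
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (X509Certificate c : certs) {
            if (resolvedKey != null && resolvedKey.equals(c.getPublicKey())) return c;
        }
        for (X509Certificate c : certs) {
            // X500Principal.equals compares canonical DN forms, so string formatting differences do not matter
            for (String n : h.subjectNames()) if (new X500Principal(n).equals(c.getSubjectX500Principal())) return c;
            for (int i = 0; i < h.serials().size(); i++)
                if (new X500Principal(h.issuerNames().get(i)).equals(c.getIssuerX500Principal())
                        && h.serials().get(i).equals(c.getSerialNumber())) return c;
            byte[] ski = unwrapOctetString(unwrapOctetString(c.getExtensionValue("2.5.29.14")));
            for (byte[] s : h.skis()) if (ski != null && Arrays.equals(ski, s)) return c;
            byte[] d = sha256.digest(c.getEncoded());         // X509Digest is computed over the DER encoding
            for (byte[] want : h.sha256Digests()) if (Arrays.equals(d, want)) return c;
        }
        return certs.get(0);                                   // documented fallback: first X509Certificate
    }

    /** Strips one DER OCTET STRING header; getExtensionValue wraps the SKI value in two of them. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) return null;
        int len = der[1] & 0xFF, off = 2;
        if (len > 0x7F) {                                      // long-form length
            int n = len & 0x7F; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[off++] & 0xFF);
        }
        return Arrays.copyOfRange(der, off, off + len);
    }
}
```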
  • Field Details

    • log

      private final org.slf4j.Logger log
      Class logger.
    • x500DNHandler

      private X500DNHandler x500DNHandler
      Responsible for parsing and serializing X.500 names to/from X500Principal instances.
  • Constructor Details

    • InlineX509DataProvider

      public InlineX509DataProvider()
      Constructor.
  • Method Details

    • getX500DNHandler

      @Nonnull public X500DNHandler getX500DNHandler()
Get the handler which processes X.500 distinguished names.
      Returns:
      returns the X500DNHandler instance
    • setX500DNHandler

      public void setX500DNHandler(@Nonnull X500DNHandler handler)
Set the handler which processes X.500 distinguished names.
      Parameters:
      handler - the new X500DNHandler instance
    • handles

      public boolean handles(@Nonnull XMLObject keyInfoChild)
Evaluate whether the given provider should attempt to handle resolving a credential from the specified KeyInfo child. An evaluation of true does not guarantee that a credential can or will be extracted from the particular KeyInfo child, only that processing should be attempted.
      Parameters:
      keyInfoChild - the KeyInfo child object to consider
      Returns:
      true if the provider should attempt to resolve credentials, false otherwise
    • process

      @Nullable public Collection<Credential> process(@Nonnull KeyInfoCredentialResolver resolver, @Nonnull XMLObject keyInfoChild, @Nullable CriteriaSet criteriaSet, @Nonnull KeyInfoResolutionContext kiContext) throws SecurityException
Process a specified KeyInfo child (XMLObject) and attempt to resolve a credential from it.
      Parameters:
      resolver - reference to a resolver which is calling the provider
      keyInfoChild - the KeyInfo child being processed
      criteriaSet - the credential criteria the credential must satisfy
      kiContext - the resolution context, used for sharing state amongst resolvers and providers
      Returns:
      a resolved Credential collection, or null
      Throws:
      SecurityException - if there is an error during credential resolution. Note: failure to resolve a credential is not an error.
    • extractCRLs

      @Nonnull private List<X509CRL> extractCRLs(@Nonnull X509Data x509Data) throws SecurityException
      Extract CRLs from the X509Data.
      Parameters:
      x509Data - the X509Data element
      Returns:
      a list of X509CRLs
      Throws:
      SecurityException - thrown if there is an error extracting CRLs
    • extractCertificates

      @Nonnull private List<X509Certificate> extractCertificates(@Nonnull X509Data x509Data) throws SecurityException
      Extract certificates from the X509Data.
      Parameters:
      x509Data - the X509Data element
      Returns:
      a list of X509Certificates
      Throws:
      SecurityException - thrown if there is an error extracting certificates
    • findEntityCert

      @Nullable protected X509Certificate findEntityCert(@Nullable List<X509Certificate> certs, @Nonnull X509Data x509Data, @Nullable PublicKey resolvedKey)
      Find the end-entity cert in the list of certs contained in the X509Data.
      Parameters:
      certs - list of X509Certificate
x509Data - X509Data element which might contain other info helping to find the end-entity cert
      resolvedKey - a key which might have previously been resolved from a KeyValue
      Returns:
      the end-entity certificate, if found
    • findCertFromKey

      @Nullable protected X509Certificate findCertFromKey(@Nonnull List<X509Certificate> certs, @Nullable PublicKey key)
      Find the certificate from the chain that contains the specified key.
      Parameters:
      certs - list of certificates to evaluate
      key - key to use as search criteria
      Returns:
      the matching certificate, or null
    • findCertFromSubjectNames

      @Nullable protected X509Certificate findCertFromSubjectNames(@Nonnull List<X509Certificate> certs, @Nonnull List<X509SubjectName> names)
      Find the certificate from the chain that contains one of the specified subject names.
      Parameters:
      certs - list of certificates to evaluate
      names - X509 subject names to use as search criteria
      Returns:
      the matching certificate, or null
    • findCertFromIssuerSerials

      @Nullable protected X509Certificate findCertFromIssuerSerials(@Nonnull List<X509Certificate> certs, @Nonnull List<X509IssuerSerial> serials)
      Find the certificate from the chain identified by one of the specified issuer serials.
      Parameters:
      certs - list of certificates to evaluate
      serials - X509 issuer serials to use as search criteria
      Returns:
      the matching certificate, or null
    • findCertFromSubjectKeyIdentifier

      @Nullable protected X509Certificate findCertFromSubjectKeyIdentifier(@Nonnull List<X509Certificate> certs, @Nonnull List<X509SKI> skis)
      Find the certificate from the chain that contains one of the specified subject key identifiers.
      Parameters:
      certs - list of certificates to evaluate
      skis - X509 subject key identifiers to use as search criteria
      Returns:
      the matching certificate, or null
    • base64DecodeOrNull

      @Nullable private byte[] base64DecodeOrNull(@Nonnull String base64Encoded)
      Base64 decode the input, returning null if there is an issue with decoding.
      Parameters:
      base64Encoded - the base64 encoded string.
      Returns:
      the base64 decoded byte array, or null if there is an issue decoding.
    • findCertFromDigest

      @Nullable protected X509Certificate findCertFromDigest(@Nonnull List<X509Certificate> certs, @Nonnull List<X509Digest> digests)
      Find the certificate from the chain that matches one of the specified digests.
      Parameters:
      certs - list of certificates to evaluate
      digests - X509 digests to use as search criteria
      Returns:
      the matching certificate, or null