TrustBasisType
- the type of trusted information which has been resolved and which will serve as the basis for
trust evaluationpublic abstract class BaseSignatureTrustEngine<TrustBasisType> extends Object implements SignatureTrustEngine
SignatureTrustEngine
which evaluates the validity and trustworthiness of XML and raw
signatures.
When processing XML signatures, the supplied KeyInfoCredentialResolver will be used to resolve credential(s) containing the (advisory) signing key from the KeyInfo element of the Signature, if present. If any of these credentials do contain the valid signing key, they will be evaluated for trustworthiness against trusted information, which will be resolved in an implementation-specific manner.
Subclasses are required to implement evaluateTrust(Credential, Object)
using an implementation-specific
trust model.
Constructor and Description |
---|
BaseSignatureTrustEngine(KeyInfoCredentialResolver keyInfoResolver)
Constructor.
|
Modifier and Type | Method and Description |
---|---|
protected void |
checkParams(Signature signature,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
Check the signature and credential criteria for required values.
|
protected void |
checkParamsRaw(byte[] signature,
byte[] content,
String algorithmURI,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
Check the signature and credential criteria for required values.
|
protected abstract boolean |
doValidate(byte[] signature,
byte[] content,
String algorithmURI,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria,
Credential candidateCredential)
Determines whether a raw signature over specified content is valid and signed by a trusted credential.
|
protected abstract boolean |
doValidate(Signature signature,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
Validate the signature using the supplied trust criteria.
|
protected abstract boolean |
evaluateTrust(Credential untrustedCredential,
TrustBasisType trustBasis)
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
|
KeyInfoCredentialResolver |
getKeyInfoResolver()
Get the KeyInfoCredentialResolver instance used to resolve (advisory) signing credential information
from KeyInfo elements contained within a Signature element.
|
boolean |
validate(byte[] signature,
byte[] content,
String algorithmURI,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria,
Credential candidateCredential)
Determines whether a raw signature over specified content is valid and signed by a trusted credential.
|
boolean |
validate(Signature signature,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
Validates the token against trusted information obtained in an
implementation-specific manner.
|
protected boolean |
validate(Signature signature,
TrustBasisType trustBasis)
Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo.
|
protected boolean |
verifySignature(Signature signature,
Credential credential)
Attempt to verify a signature using the key from the supplied credential.
|
public BaseSignatureTrustEngine(@Nonnull KeyInfoCredentialResolver keyInfoResolver)
keyInfoResolver
- KeyInfo credential resolver used to obtain the (advisory) signing credential from a
Signature's KeyInfo element.@Nullable public KeyInfoCredentialResolver getKeyInfoResolver()
getKeyInfoResolver
in interface SignatureTrustEngine
public final boolean validate(@Nonnull Signature signature, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws SecurityException
validate
in interface TrustEngine<Signature>
signature
- security token to validatetrustBasisCriteria
- criteria used to describe and/or resolve the information
which serves as the basis for trust evaluationSecurityException
- thrown if there is a problem validating the security tokenprotected abstract boolean doValidate(@Nonnull Signature signature, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws SecurityException
signature
- the signature to validatetrustBasisCriteria
- criteria used to describe and/or resolve the information
which serves as the basis for trust evaluationSecurityException
- if there is a fatal error evaluating the signaturepublic final boolean validate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, @Nullable Credential candidateCredential) throws SecurityException
A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.
If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.
validate
in interface SignatureTrustEngine
signature
- the signature valuecontent
- the content that was signedalgorithmURI
- the signature algorithm URI which was used to sign the contenttrustBasisCriteria
- criteria used to describe and/or resolve the information
which serves as the basis for trust evaluationcandidateCredential
- the untrusted candidate credential containing the validation key
for the signature (optional)SecurityException
- thrown if there is a problem attempting to verify the signature such as the signature
algorithm not being supportedprotected abstract boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, @Nullable Credential candidateCredential) throws SecurityException
A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.
If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.
signature
- the signature valuecontent
- the content that was signedalgorithmURI
- the signature algorithm URI which was used to sign the contenttrustBasisCriteria
- criteria used to describe and/or resolve the information
which serves as the basis for trust evaluationcandidateCredential
- the untrusted candidate credential containing the validation key
for the signature (optional)SecurityException
- thrown if there is a problem attempting to verify the signature such as the signature
algorithm not being supportedprotected boolean validate(@Nonnull Signature signature, @Nullable TrustBasisType trustBasis) throws SecurityException
evaluateTrust(Credential, Object)
.signature
- the Signature to evaluatetrustBasis
- the information which serves as the basis for trust evaluationSecurityException
- if an error occurs during signature verification or trust processingprotected abstract boolean evaluateTrust(@Nonnull Credential untrustedCredential, @Nullable TrustBasisType trustBasis) throws SecurityException
untrustedCredential
- the untrusted credential being evaluatedtrustBasis
- the information which serves as the basis for trust evaluationSecurityException
- if an error occurs during trust processingprotected boolean verifySignature(@Nonnull Signature signature, @Nonnull Credential credential)
signature
- the signature on which to attempt verificationcredential
- the credential containing the candidate validation keyprotected void checkParams(@Nonnull Signature signature, @Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws SecurityException
signature
- the signature to be evaluatedtrustBasisCriteria
- the set of trusted credential criteriaSecurityException
- thrown if required values are absent or otherwise invalidprotected void checkParamsRaw(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws SecurityException
signature
- the signature to be evaluatedcontent
- the data over which the signature was computedalgorithmURI
- the signing algorithm URI which was usedtrustBasisCriteria
- the set of trusted credential criteriaSecurityException
- thrown if required values are absent or otherwise invalidCopyright © 2017. All rights reserved.