public class ExplicitKeySignatureTrustEngine extends BaseSignatureTrustEngine<Iterable<Credential>> implements TrustedCredentialTrustEngine<Signature>
SignatureTrustEngine
which evaluates the validity
and trustworthiness of XML and raw signatures.
Processing is first performed as described in BaseSignatureTrustEngine
. If based on this processing, it is
determined that the Signature's KeyInfo is not present or does not contain a resolveable valid (and trusted) signing
key, then all trusted credentials obtained by the trusted credential resolver will be used to attempt to validate the
signature.
Constructor and Description |
---|
ExplicitKeySignatureTrustEngine(CredentialResolver resolver,
KeyInfoCredentialResolver keyInfoResolver)
Constructor.
|
Modifier and Type | Method and Description |
---|---|
protected boolean |
doValidate(byte[] signature,
byte[] content,
String algorithmURI,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria,
Credential candidateCredential)
Determines whether a raw signature over specified content is valid and signed by a trusted credential.
|
protected boolean |
doValidate(Signature signature,
net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria)
Validate the signature using the supplied trust criteria.
|
protected boolean |
evaluateTrust(Credential untrustedCredential,
Iterable<Credential> trustedCredentials)
Evaluate the untrusted KeyInfo-derived credential with respect to the specified trusted information.
|
CredentialResolver |
getCredentialResolver()
Gets the credential resolver used to recover trusted credentials that
may be used to validate tokens.
|
checkParams, checkParamsRaw, getKeyInfoResolver, validate, validate, validate, verifySignature
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
validate
public ExplicitKeySignatureTrustEngine(@Nonnull CredentialResolver resolver, @Nonnull KeyInfoCredentialResolver keyInfoResolver)
resolver
- credential resolver used to resolve trusted credentials.keyInfoResolver
- KeyInfo credential resolver used to obtain the (advisory) signing credential from a
Signature's KeyInfo element.@Nonnull public CredentialResolver getCredentialResolver()
getCredentialResolver
in interface TrustedCredentialTrustEngine<Signature>
protected boolean doValidate(@Nonnull Signature signature, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria) throws SecurityException
doValidate
in class BaseSignatureTrustEngine<Iterable<Credential>>
signature
- the signature to validatetrustBasisCriteria
- criteria used to describe and/or resolve the information
which serves as the basis for trust evaluationSecurityException
- if there is a fatal error evaluating the signatureprotected boolean doValidate(@Nonnull byte[] signature, @Nonnull byte[] content, @Nonnull String algorithmURI, @Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet trustBasisCriteria, @Nullable Credential candidateCredential) throws SecurityException
A candidate verification credential may optionally be supplied. If one is supplied and is determined to successfully verify the signature, an attempt will be made to establish trust on this basis.
If a candidate credential is not supplied, or it does not successfully verify the signature, some implementations may be able to resolve candidate verification credential(s) in an implementation-specific manner based on the trusted criteria supplied, and then attempt to verify the signature and establish trust on this basis.
doValidate
in class BaseSignatureTrustEngine<Iterable<Credential>>
signature
- the signature valuecontent
- the content that was signedalgorithmURI
- the signature algorithm URI which was used to sign the contenttrustBasisCriteria
- criteria used to describe and/or resolve the information
which serves as the basis for trust evaluationcandidateCredential
- the untrusted candidate credential containing the validation key
for the signature (optional)SecurityException
- thrown if there is a problem attempting to verify the signature such as the signature
algorithm not being supportedprotected boolean evaluateTrust(@Nonnull Credential untrustedCredential, @Nullable Iterable<Credential> trustedCredentials) throws SecurityException
evaluateTrust
in class BaseSignatureTrustEngine<Iterable<Credential>>
untrustedCredential
- the untrusted credential being evaluatedtrustedCredentials
- the information which serves as the basis for trust evaluationSecurityException
- if an error occurs during trust processingCopyright © 2017. All rights reserved.