MetadataPKIXValidationInformationResolver (Shibboleth IdP :: SAML Profile Implementation 3.3.2 API)

java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - net.shibboleth.idp.saml.security.impl.MetadataPKIXValidationInformationResolver

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, Resolver<org.opensaml.security.x509.PKIXValidationInformation,CriteriaSet>, org.opensaml.security.x509.PKIXValidationInformationResolver
```
public class MetadataPKIXValidationInformationResolver
extends AbstractInitializableComponent
implements org.opensaml.security.x509.PKIXValidationInformationResolver
```
An implementation of PKIXValidationInformationResolver which resolves PKIXValidationInformation based on information stored in SAML 2 metadata. Validation information is retrieved from Shibboleth-specific metadata extensions to EntityDescriptor represented by instances of KeyAuthority, as well as instances of PKIXValidationInformation which have been previously populated within the data set available from XMLObject.getObjectMetadata(). Resolution of trusted names for an entity is also supported, based on KeyName information contained within the KeyInfo of a role descriptor's KeyDescriptor element.

Field Summary

Fields
Modifier and Type	Field and Description
`static int`	`KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT` Default value for Shibboleth KeyAuthority verify depth.
`private org.slf4j.Logger`	`log` Class logger.
`private org.opensaml.saml.metadata.resolver.RoleDescriptorResolver`	`roleDescriptorResolver` Metadata RoleDescriptor resolver used to resolve metadata information.

Constructor Summary

Constructors
Constructor and Description

MetadataPKIXValidationInformationResolver(org.opensaml.saml.metadata.resolver.RoleDescriptorResolver resolver)
Constructor.

Constructors
Constructor and Description
`MetadataPKIXValidationInformationResolver(org.opensaml.saml.metadata.resolver.RoleDescriptorResolver resolver)` Constructor.

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`checkCriteriaRequirements(CriteriaSet criteriaSet)` Check that all necessary criteria are available.
`protected void`	`extractPKIXInfo(Collection<org.opensaml.security.x509.PKIXValidationInformation> accumulator, KeyAuthority keyAuthority)` Retrieves validation information from the Shibboleth KeyAuthority resolver extension element.
`org.opensaml.saml.metadata.resolver.RoleDescriptorResolver`	`getRoleDescriptorResolver()` Get the metadata RoleDescriptor resolver instance used by this resolver.
`protected Iterable<org.opensaml.saml.saml2.metadata.RoleDescriptor>`	`getRoleDescriptors(CriteriaSet criteriaSet, String entityID, QName role, String protocol)` Get the list of resolver role descriptors which match the given entityID, role and protocol.
`protected void`	`getTrustedNames(Set<String> accumulator, org.opensaml.xmlsec.signature.KeyInfo keyInfo)` Extract trusted names from a KeyInfo element.
`protected boolean`	`matchUsage(org.opensaml.security.credential.UsageType metadataUsage, org.opensaml.security.credential.UsageType criteriaUsage)` Match usage enum type values from resolver KeyDescriptor and from specified resolution criteria.
`Iterable<org.opensaml.security.x509.PKIXValidationInformation>`	`resolve(CriteriaSet criteriaSet)`
`protected void`	`resolvePKIXInfo(Collection<org.opensaml.security.x509.PKIXValidationInformation> accumulator, org.opensaml.saml.saml2.metadata.Extensions extensions)` Retrieves validation information from the resolver extension element.
`protected void`	`resolvePKIXInfo(Collection<org.opensaml.security.x509.PKIXValidationInformation> accumulator, org.opensaml.saml.saml2.metadata.RoleDescriptor roleDescriptor)` Retrieves validation information from the provided role descriptor.
`org.opensaml.security.x509.PKIXValidationInformation`	`resolveSingle(CriteriaSet criteriaSet)`
`Set<String>`	`resolveTrustedNames(CriteriaSet criteriaSet)`
`protected Collection<org.opensaml.security.x509.PKIXValidationInformation>`	`retrievePKIXInfoFromMetadata(CriteriaSet criteriaSet, String entityID, QName role, String protocol)` Retrieves validation information from the provided resolver.
`protected Set<String>`	`retrieveTrustedNamesFromMetadata(CriteriaSet criteriaSet, String entityID, QName role, String protocol, org.opensaml.security.credential.UsageType usage)` Retrieves trusted name information from the provided resolver.
`boolean`	`supportsTrustedNameResolution()`

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
```
public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
```
    Default value for Shibboleth KeyAuthority verify depth.
    
    See Also:
    Constant Field Values
  - log
```
@Nonnull
private final org.slf4j.Logger log
```
    Class logger.
  - roleDescriptorResolver
```
@Nonnull
private org.opensaml.saml.metadata.resolver.RoleDescriptorResolver roleDescriptorResolver
```
    Metadata RoleDescriptor resolver used to resolve metadata information.
- Constructor Detail
  - MetadataPKIXValidationInformationResolver
```
public MetadataPKIXValidationInformationResolver(@Nonnull@ParameterName(name="resolver")
                                         org.opensaml.saml.metadata.resolver.RoleDescriptorResolver resolver)
```
    Constructor.
    
    Parameters:
    resolver - role descriptor resolver
- Method Detail
  - getRoleDescriptorResolver
```
@Nonnull
public org.opensaml.saml.metadata.resolver.RoleDescriptorResolver getRoleDescriptorResolver()
```
    Get the metadata RoleDescriptor resolver instance used by this resolver.
    
    Returns:
    the resolver's RoleDescriptor metadata resolver instance
  - resolveSingle
```
public org.opensaml.security.x509.PKIXValidationInformation resolveSingle(CriteriaSet criteriaSet)
                                                                   throws ResolverException
```
    Specified by:
    
    resolveSingle in interface Resolver<org.opensaml.security.x509.PKIXValidationInformation,CriteriaSet>
    
    Throws:
    
    ResolverException
  - resolve
```
public Iterable<org.opensaml.security.x509.PKIXValidationInformation> resolve(CriteriaSet criteriaSet)
                                                                       throws ResolverException
```
    Specified by:
    
    resolve in interface Resolver<org.opensaml.security.x509.PKIXValidationInformation,CriteriaSet>
    
    Throws:
    
    ResolverException
  - resolveTrustedNames
```
@Nonnull
public Set<String> resolveTrustedNames(CriteriaSet criteriaSet)
                                throws ResolverException
```
    Specified by:
    
    resolveTrustedNames in interface org.opensaml.security.x509.PKIXValidationInformationResolver
    
    Throws:
    
    ResolverException
  - supportsTrustedNameResolution
```
public boolean supportsTrustedNameResolution()
```
    Specified by:
    
    supportsTrustedNameResolution in interface org.opensaml.security.x509.PKIXValidationInformationResolver
  - checkCriteriaRequirements
```
protected void checkCriteriaRequirements(CriteriaSet criteriaSet)
```
    Check that all necessary criteria are available.
    
    Parameters:
    criteriaSet - the criteria set to evaluate
  - retrievePKIXInfoFromMetadata
```
protected Collection<org.opensaml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromMetadata(CriteriaSet criteriaSet,
                                                                                            String entityID,
                                                                                            QName role,
                                                                                            String protocol)
                                                                                                 throws ResolverException
```
    Retrieves validation information from the provided resolver.
    
    Parameters:
    criteriaSet - the criteria set being processed
    entityID - entity ID for which to resolve validation information
    role - role in which the entity is operating
    protocol - protocol over which the entity is operating (may be null)
    
    Returns:
    collection of resolved validation information, possibly empty
    
    Throws:
    
    ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
  - resolvePKIXInfo
```
protected void resolvePKIXInfo(Collection<org.opensaml.security.x509.PKIXValidationInformation> accumulator,
                   org.opensaml.saml.saml2.metadata.RoleDescriptor roleDescriptor)
                        throws ResolverException
```
    Retrieves validation information from the provided role descriptor.
    
    Parameters:
    roleDescriptor - the role descriptor from which to resolve information.
    accumulator - accumulator of PKIX validation information to return
    
    Throws:
    
    ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
  - resolvePKIXInfo
```
protected void resolvePKIXInfo(Collection<org.opensaml.security.x509.PKIXValidationInformation> accumulator,
                   org.opensaml.saml.saml2.metadata.Extensions extensions)
                        throws ResolverException
```
    Retrieves validation information from the resolver extension element.
    
    Parameters:
    extensions - the extension element from which to resolve information
    accumulator - accumulator of PKIX validation information to return
    
    Throws:
    
    ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
  - extractPKIXInfo
```
protected void extractPKIXInfo(@Nonnull
                   Collection<org.opensaml.security.x509.PKIXValidationInformation> accumulator,
                   @Nonnull
                   KeyAuthority keyAuthority)
                        throws ResolverException
```
    Retrieves validation information from the Shibboleth KeyAuthority resolver extension element.
    
    Parameters:
    keyAuthority - the Shibboleth KeyAuthority element from which to resolve information
    accumulator - accumulator of PKIX validation information to return
    
    Throws:
    
    ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
  - retrieveTrustedNamesFromMetadata
```
protected Set<String> retrieveTrustedNamesFromMetadata(CriteriaSet criteriaSet,
                                           String entityID,
                                           QName role,
                                           String protocol,
                                           org.opensaml.security.credential.UsageType usage)
                                                throws ResolverException
```
    Retrieves trusted name information from the provided resolver.
    
    Parameters:
    criteriaSet - the criteria set being processed
    entityID - entity ID for which to resolve trusted names
    role - role in which the entity is operating
    protocol - protocol over which the entity is operating (may be null)
    usage - usage specifier for role descriptor key descriptors to evaluate
    
    Returns:
    collection of resolved trusted name information, possibly empty
    
    Throws:
    
    SecurityException - thrown if there is an error extracting trusted name information
    
    ResolverException - if we have an error getting the role descriptors
  - getTrustedNames
```
protected void getTrustedNames(Set<String> accumulator,
                   org.opensaml.xmlsec.signature.KeyInfo keyInfo)
```
    Extract trusted names from a KeyInfo element.
    
    Parameters:
    keyInfo - the KeyInfo instance from which to extract trusted names
    accumulator - set of trusted names to return
  - matchUsage
```
protected boolean matchUsage(org.opensaml.security.credential.UsageType metadataUsage,
                 org.opensaml.security.credential.UsageType criteriaUsage)
```
    Match usage enum type values from resolver KeyDescriptor and from specified resolution criteria.
    
    Parameters:
    metadataUsage - the value from the 'use' attribute of a resolver KeyDescriptor element
    criteriaUsage - the value from specified criteria
    
    Returns:
    true if the two usage specifiers match for purposes of resolving validation information, false otherwise
  - getRoleDescriptors
```
protected Iterable<org.opensaml.saml.saml2.metadata.RoleDescriptor> getRoleDescriptors(CriteriaSet criteriaSet,
                                                                           String entityID,
                                                                           QName role,
                                                                           String protocol)
                                                                                throws ResolverException
```
    Get the list of resolver role descriptors which match the given entityID, role and protocol.
    
    Parameters:
    criteriaSet - the criteria set being processed
    entityID - entity ID of the resolver entity descriptor to resolve
    role - role in which the entity is operating
    protocol - protocol over which the entity is operating (may be null)
    
    Returns:
    a list of role descriptors matching the given parameters, or null
    
    Throws:
    
    ResolverException - thrown if there is an error retrieving role descriptors from the resolver provider

Class MetadataPKIXValidationInformationResolver

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Field Detail

KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT

log

roleDescriptorResolver

Constructor Detail

MetadataPKIXValidationInformationResolver

Method Detail

getRoleDescriptorResolver

resolveSingle

resolve

resolveTrustedNames

supportsTrustedNameResolution

checkCriteriaRequirements

retrievePKIXInfoFromMetadata

resolvePKIXInfo

resolvePKIXInfo

extractPKIXInfo

retrieveTrustedNamesFromMetadata

getTrustedNames

matchUsage

getRoleDescriptors