Class MetadataPKIXValidationInformationResolver

    • Field Detail

      • KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT

        public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
        Default value for the Shibboleth KeyAuthority VerifyDepth (maximum certificate path length), applied when a KeyAuthority element carries no VerifyDepth attribute of its own.
      • log

        @Nonnull
        private final org.slf4j.Logger log
        Class logger.
      • roleDescriptorResolver

        @Nonnull
        private RoleDescriptorResolver roleDescriptorResolver
        Metadata RoleDescriptor resolver used to resolve metadata information.
    • Constructor Detail

      • MetadataPKIXValidationInformationResolver

        public MetadataPKIXValidationInformationResolver​(@Nonnull @ParameterName(name="resolver")
                                                         RoleDescriptorResolver resolver)
        Constructor.
        Parameters:
        resolver - role descriptor resolver
    • Method Detail

      • getRoleDescriptorResolver

        @Nonnull
        public RoleDescriptorResolver getRoleDescriptorResolver()
        Get the metadata RoleDescriptor resolver instance used by this resolver.
        Returns:
        the resolver's RoleDescriptor metadata resolver instance
      • checkCriteriaRequirements

        protected void checkCriteriaRequirements​(CriteriaSet criteriaSet)
        Check that all necessary criteria are available.
        Parameters:
        criteriaSet - the criteria set to evaluate
      • retrievePKIXInfoFromMetadata

        protected Collection<PKIXValidationInformation> retrievePKIXInfoFromMetadata​(CriteriaSet criteriaSet,
                                                                                     String entityID,
                                                                                     QName role,
                                                                                     String protocol)
                                                                              throws ResolverException
        Retrieves validation information from the metadata obtained through the role descriptor resolver.
        Parameters:
        criteriaSet - the criteria set being processed
        entityID - entity ID for which to resolve validation information
        role - role in which the entity is operating
        protocol - protocol over which the entity is operating (may be null)
        Returns:
        collection of resolved validation information, possibly empty
        Throws:
        ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
      • resolvePKIXInfo

        protected void resolvePKIXInfo​(Collection<PKIXValidationInformation> accumulator,
                                       RoleDescriptor roleDescriptor)
                                throws ResolverException
        Retrieves validation information from the provided role descriptor.
        Parameters:
        accumulator - accumulator of PKIX validation information to return
        roleDescriptor - the role descriptor from which to resolve information
        Throws:
        ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
      • resolvePKIXInfo

        protected void resolvePKIXInfo​(Collection<PKIXValidationInformation> accumulator,
                                       Extensions extensions)
                                throws ResolverException
        Retrieves validation information from the metadata Extensions element.
        Parameters:
        accumulator - accumulator of PKIX validation information to return
        extensions - the Extensions element from which to resolve information
        Throws:
        ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
      • extractPKIXInfo

        protected void extractPKIXInfo​(@Nonnull
                                       Collection<PKIXValidationInformation> accumulator,
                                       @Nonnull
                                       KeyAuthority keyAuthority)
                                throws ResolverException
        Retrieves validation information from the Shibboleth KeyAuthority metadata extension element.
        Parameters:
        accumulator - accumulator of PKIX validation information to return
        keyAuthority - the Shibboleth KeyAuthority element from which to resolve information
        Throws:
        ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format
      • retrieveTrustedNamesFromMetadata

        protected Set<String> retrieveTrustedNamesFromMetadata​(CriteriaSet criteriaSet,
                                                               String entityID,
                                                               QName role,
                                                               String protocol,
                                                               UsageType usage)
                                                        throws ResolverException
        Retrieves trusted name information from the metadata obtained through the role descriptor resolver.
        Parameters:
        criteriaSet - the criteria set being processed
        entityID - entity ID for which to resolve trusted names
        role - role in which the entity is operating
        protocol - protocol over which the entity is operating (may be null)
        usage - usage specifier for role descriptor key descriptors to evaluate
        Returns:
        collection of resolved trusted name information, possibly empty
        Throws:
        SecurityException - thrown if there is an error extracting trusted name information
        ResolverException - if we have an error getting the role descriptors
      • getTrustedNames

        protected void getTrustedNames​(Set<String> accumulator,
                                       KeyInfo keyInfo)
        Extract trusted names from a KeyInfo element.
        Parameters:
        accumulator - set of trusted names to return
        keyInfo - the KeyInfo instance from which to extract trusted names
      • matchUsage

        protected boolean matchUsage​(UsageType metadataUsage,
                                     UsageType criteriaUsage)
        Match usage enum type values from a metadata KeyDescriptor and from the specified resolution criteria.
        Parameters:
        metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element
        criteriaUsage - the value from the specified criteria
        Returns:
        true if the two usage specifiers match for purposes of resolving validation information, false otherwise
      • getRoleDescriptors

        protected Iterable<RoleDescriptor> getRoleDescriptors​(CriteriaSet criteriaSet,
                                                              String entityID,
                                                              QName role,
                                                              String protocol)
                                                       throws ResolverException
        Get the list of metadata role descriptors which match the given entityID, role and protocol.
        Parameters:
        criteriaSet - the criteria set being processed
        entityID - entity ID of the metadata entity descriptor to resolve
        role - role in which the entity is operating
        protocol - protocol over which the entity is operating (may be null)
        Returns:
        a list of role descriptors matching the given parameters, or null
        Throws:
        ResolverException - thrown if there is an error retrieving role descriptors from the role descriptor resolver
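The methods above are the internals of one resolution: the caller builds a CriteriaSet, the resolver selects matching role descriptors, collects KeyAuthority anchors into PKIXValidationInformation and trusted names from KeyDescriptor KeyInfo. The following is an added usage example, not code from this page or from the OpenSAML project, showing the class wired to a filesystem metadata source and both of its outputs used to decide whether a certificate presented by a peer is acceptable. Assumptions: the OpenSAML 3/4 component lifecycle (initialize() on each component), a hypothetical peer entity ID, and two file paths passed on the command line (federation metadata carrying a shibmd:KeyAuthority extension, and the peer's certificate in PEM or DER). The rule that an empty trusted-name set fails closed is this example's own choice, not behaviour documented on the page.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataPKIXValidationInformationResolver;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;

public final class MetadataPKIXExample {

    /** Hypothetical peer entity ID (assumption for this example). */
    static final String PEER_ENTITY_ID = "https://sp.example.org/shibboleth";

    /**
     * Accept the untrusted credential only if (1) it chains to a KeyAuthority anchor published
     * for the peer selected by the criteria, within that KeyAuthority's verify depth, and
     * (2) it carries one of the trusted names taken from the peer's KeyDescriptor KeyInfo.
     * Step 1 alone would accept any certificate the federation CA ever issued; step 2 binds
     * the certificate to this particular entity.
     */
    static boolean isTrusted(MetadataPKIXValidationInformationResolver pkixResolver,
            CriteriaSet criteria, X509Credential untrusted) throws ResolverException, SecurityException {
        CertPathPKIXTrustEvaluator pathEvaluator = new CertPathPKIXTrustEvaluator();
        boolean pathValid = false;
        // One PKIXValidationInformation per KeyAuthority found on the matching role/entity.
        for (PKIXValidationInformation info : pkixResolver.resolve(criteria)) {
            if (pathEvaluator.validate(info, untrusted)) {
                pathValid = true;
                break;
            }
        }
        if (!pathValid) {
            return false;
        }
        if (!pkixResolver.supportsTrustedNameResolution()) {
            return false; // example choice: fail closed rather than skip the name check
        }
        Set<String> trustedNames = pkixResolver.resolveTrustedNames(criteria);
        if (trustedNames.isEmpty()) {
            return false; // example choice: no names in metadata means no binding to the entity
        }
        return new BasicX509CredentialNameEvaluator().evaluate(untrusted, trustedNames);
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();

        BasicParserPool parserPool = new BasicParserPool();
        parserPool.initialize();

        // Assumption: args[0] is federation metadata with a shibmd:KeyAuthority extension.
        FilesystemMetadataResolver metadata = new FilesystemMetadataResolver(new File(args[0]));
        metadata.setId("federation-metadata");
        metadata.setParserPool(parserPool);
        metadata.initialize();

        // RoleDescriptorResolver wrapper so EntityRoleCriterion can select a role within an entity.
        PredicateRoleDescriptorResolver roles = new PredicateRoleDescriptorResolver(metadata);
        roles.setId("federation-roles");
        roles.initialize();

        MetadataPKIXValidationInformationResolver pkixResolver =
                new MetadataPKIXValidationInformationResolver(roles);
        pkixResolver.initialize();

        // Entity ID and role select the descriptors; protocol and usage narrow which
        // KeyDescriptors contribute trusted names (usage matched via matchUsage()).
        CriteriaSet criteria = new CriteriaSet(
                new EntityIdCriterion(PEER_ENTITY_ID),
                new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME),
                new ProtocolCriterion(SAMLConstants.SAML20P_NS),
                new UsageCriterion(UsageType.SIGNING));

        // Assumption: args[1] is the certificate the peer presented (PEM or DER).
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[1])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("trusted=" + isTrusted(pkixResolver, criteria, new BasicX509Credential(cert)));
    }
}
```

Run as `java MetadataPKIXExample federation-metadata.xml peer-cert.pem` with opensaml-saml-impl, opensaml-security-impl and their dependencies on the classpath. If the metadata for the peer carries no KeyAuthority, resolve() returns an empty collection (see retrievePKIXInfoFromMetadata above) and the path check fails, which is the intended outcome: PKIX trust is only as good as the anchors the metadata actually publishes.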