public class MetadataPKIXValidationInformationResolver extends Object implements org.opensaml.xml.security.x509.PKIXValidationInformationResolver

PKIXValidationInformationResolver which resolves PKIXValidationInformation based on information stored in SAML 2 metadata. Validation information is retrieved from Shibboleth-specific metadata extensions to EntityDescriptor and EntitiesDescriptor elements, represented by instances of ShibbolethMetadataKeyAuthority.

Resolution of trusted names for an entity is also supported, based on KeyName information contained within the KeyInfo of a role descriptor's KeyDescriptor element.

Nested Class Summary

Modifier and Type | Class and Description |
---|---|
protected class | MetadataPKIXValidationInformationResolver.MetadataCacheKey: A class which serves as the key into the cache of information previously resolved. |
protected class | MetadataPKIXValidationInformationResolver.MetadataProviderObserver: An observer that clears the credential cache if the underlying metadata changes. |

Field Summary

Modifier and Type | Field and Description |
---|---|
static int | KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT: Default value for Shibboleth KeyAuthority verify depth. |

Constructor Summary

Constructor and Description |
---|
MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider): Constructor. |

Method Summary

Modifier and Type | Method and Description |
---|---|
protected void | cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo): Adds resolved PKIX validation information to the cache. |
protected void | cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo): Adds resolved PKIX validation information to the cache. |
protected void | cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names): Adds resolved trusted name information to the cache. |
protected void | checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet): Check that all necessary criteria are available. |
protected String | getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions): Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. |
protected ReadWriteLock | getReadWriteLock(): Get the lock instance used to synchronize access to the caches. |
protected List<org.opensaml.saml2.metadata.RoleDescriptor> | getRoleDescriptors(String entityID, QName role, String protocol): Get the list of metadata role descriptors which match the given entityID, role and protocol. |
protected Set<String> | getTrustedNames(org.opensaml.xml.signature.KeyInfo keyInfo): Extract trusted names from a KeyInfo element. |
protected List<X509Certificate> | getX509Certificates(org.opensaml.xml.signature.KeyInfo keyInfo): Extract certificates from a KeyInfo element. |
protected List<X509CRL> | getX509CRLs(org.opensaml.xml.signature.KeyInfo keyInfo): Extract CRLs from a KeyInfo element. |
protected boolean | matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage, org.opensaml.xml.security.credential.UsageType criteriaUsage): Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria. |
Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> | resolve(org.opensaml.xml.security.CriteriaSet criteriaSet) |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions): Retrieves validation information from the metadata extension element. |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor): Retrieves validation information from the provided role descriptor. |
protected org.opensaml.xml.security.x509.PKIXValidationInformation | resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority): Retrieves validation information from the Shibboleth KeyAuthority metadata extension element. |
org.opensaml.xml.security.x509.PKIXValidationInformation | resolveSingle(org.opensaml.xml.security.CriteriaSet criteriaSet) |
Set<String> | resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet) |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions): Retrieves pre-resolved PKIX validation information from the cache. |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey): Retrieves pre-resolved PKIX validation information from the cache. |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage): Retrieves validation information from the provided metadata. |
protected Set<String> | retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey): Retrieves pre-resolved trusted names from the cache. |
protected Set<String> | retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage): Retrieves trusted name information from the provided metadata. |
boolean | supportsTrustedNameResolution() |

Field Detail

public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
Default value for Shibboleth KeyAuthority verify depth.

Constructor Detail

public MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider)
Constructor.
Parameters:
metadataProvider - provider of the metadata
Throws:
IllegalArgumentException - thrown if the supplied provider is null

Method Detail

public org.opensaml.xml.security.x509.PKIXValidationInformation resolveSingle(org.opensaml.xml.security.CriteriaSet criteriaSet) throws org.opensaml.xml.security.SecurityException
Specified by:
resolveSingle in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:
org.opensaml.xml.security.SecurityException

public Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolve(org.opensaml.xml.security.CriteriaSet criteriaSet) throws org.opensaml.xml.security.SecurityException
Specified by:
resolve in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:
org.opensaml.xml.security.SecurityException

public Set<String> resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet) throws org.opensaml.xml.security.SecurityException, UnsupportedOperationException
Specified by:
resolveTrustedNames in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver
Throws:
org.opensaml.xml.security.SecurityException
UnsupportedOperationException

public boolean supportsTrustedNameResolution()
Specified by:
supportsTrustedNameResolution in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver
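Usage example. The following is an added illustration, not code from the Shibboleth project or from this Javadoc. It shows the public API above end to end: building the resolver over a MetadataProvider, resolving the KeyAuthority-derived validation information and the KeyName-derived trusted names for one entity, and then handing the resolver to OpenSAML's PKIXX509CredentialTrustEngine to validate a certificate the entity actually presented. Assumptions: the class lives in edu.internet2.middleware.shibboleth.common.security (the Shibboleth common library), the Shibboleth metadata extension object providers (shibmd:KeyAuthority) are registered in the OpenSAML configuration as the IdP does at startup, and the metadata file path, entityID and PEM certificate path read from the command line are hypothetical inputs.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine;

// Assumed package of the resolver (Shibboleth common library).
import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;

public class MetadataPkixExample {

    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: federation metadata carrying shibmd:KeyAuthority extensions,
        // the entityID of the IdP being checked, and the PEM certificate that IdP presented
        // (for example the certificate that signed a SAML response).
        File metadataFile = new File(args[0]);
        String entityID = args[1];
        File presentedCertPem = new File(args[2]);

        // Registers the standard OpenSAML object providers. The Shibboleth extension
        // providers for shibmd:KeyAuthority are assumed to be registered as well;
        // without them the Extensions element is parsed but yields no KeyAuthority objects.
        DefaultBootstrap.bootstrap();

        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);

        FilesystemMetadataProvider metadataProvider = new FilesystemMetadataProvider(metadataFile);
        metadataProvider.setParserPool(parserPool);
        metadataProvider.initialize();

        // The resolver registers its MetadataProviderObserver on the provider, so a
        // metadata refresh empties the PKIX and trusted-name caches automatically.
        MetadataPKIXValidationInformationResolver resolver =
                new MetadataPKIXValidationInformationResolver(metadataProvider);

        // Criteria: which entity, which role/protocol, and which KeyDescriptor 'use'
        // values may contribute trusted names (matchUsage treats an absent 'use' as any).
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(entityID));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        // 1. Inspect what the resolver found: one PKIXValidationInformation per KeyAuthority,
        //    collected from the EntityDescriptor and every enclosing EntitiesDescriptor.
        for (PKIXValidationInformation info : resolver.resolve(criteria)) {
            System.out.println("KeyAuthority: " + info.getCertificates().size() + " anchor(s), "
                    + info.getCRLs().size() + " CRL(s), verify depth " + info.getVerificationDepth());
        }

        // 2. Trusted names come from ds:KeyName inside the role's KeyDescriptor/KeyInfo.
        if (resolver.supportsTrustedNameResolution()) {
            Set<String> names = resolver.resolveTrustedNames(criteria);
            System.out.println("Trusted names for " + entityID + ": " + names);
        }

        // 3. Normal use: the trust engine builds PKIX paths against the resolved anchors
        //    and checks the presented certificate's names against the trusted-name set.
        PKIXX509CredentialTrustEngine trustEngine = new PKIXX509CredentialTrustEngine(resolver);
        BasicX509Credential presented = new BasicX509Credential();
        presented.setEntityCertificate(loadPem(presentedCertPem));
        presented.setEntityId(entityID);

        boolean trusted = trustEngine.validate(presented, criteria);
        System.out.println("Certificate trusted under metadata PKIX rules: " + trusted);
    }

    // Reads a single PEM or DER encoded X.509 certificate with the JDK CertificateFactory.
    private static X509Certificate loadPem(File pem) throws Exception {
        try (InputStream in = new FileInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

Two practitioner notes. First, the page above does not list which criteria checkCriteriaRequirements() demands; in the Shibboleth 2.x implementation the resolver rejects a CriteriaSet that lacks an EntityIDCriteria or a MetadataCriteria, while the UsageCriteria is optional. Second, the name check is only as strong as the KeyName set that resolves: if a role's KeyDescriptors carry no ds:KeyName, resolveTrustedNames() returns an empty set and OpenSAML's default name evaluator skips the name comparison, so any certificate chaining to a KeyAuthority anchor (within VerifyDepth) is accepted for that entity. Publish KeyName values (or full certificates) in metadata for every entity whose trust should be pinned below the anchor.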
protected ReadWriteLock getReadWriteLock()
Get the lock instance used to synchronize access to the caches.

protected void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
Check that all necessary criteria are available.
Parameters:
criteriaSet - the criteria set to evaluate

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage) throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the provided metadata.
Parameters:
entityID - entity ID for which to resolve validation information
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
usage - usage specifier for role descriptor key descriptors to evaluate
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor) throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the provided role descriptor.
Parameters:
roleDescriptor - the role descriptor from which to resolve information
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions) throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the metadata extension element.
Parameters:
extensions - the extension element from which to resolve information
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected org.opensaml.xml.security.x509.PKIXValidationInformation resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority) throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the Shibboleth KeyAuthority metadata extension element.
Parameters:
keyAuthority - the Shibboleth KeyAuthority element from which to resolve information
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<X509Certificate> getX509Certificates(org.opensaml.xml.signature.KeyInfo keyInfo) throws org.opensaml.xml.security.SecurityException
Extract certificates from a KeyInfo element.
Parameters:
keyInfo - the KeyInfo instance from which to extract certificates
Throws:
org.opensaml.xml.security.SecurityException - thrown if the certificate information is represented in an unsupported format

protected List<X509CRL> getX509CRLs(org.opensaml.xml.signature.KeyInfo keyInfo) throws org.opensaml.xml.security.SecurityException
Extract CRLs from a KeyInfo element.
Parameters:
keyInfo - the KeyInfo instance from which to extract CRLs
Throws:
org.opensaml.xml.security.SecurityException - thrown if the CRL information is represented in an unsupported format

protected Set<String> retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage) throws org.opensaml.xml.security.SecurityException
Retrieves trusted name information from the provided metadata.
Parameters:
entityID - entity ID for which to resolve trusted names
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
usage - usage specifier for role descriptor key descriptors to evaluate
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is an error extracting trusted name information

protected Set<String> getTrustedNames(org.opensaml.xml.signature.KeyInfo keyInfo)
Extract trusted names from a KeyInfo element.
Parameters:
keyInfo - the KeyInfo instance from which to extract trusted names

protected boolean matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage, org.opensaml.xml.security.credential.UsageType criteriaUsage)
Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria.
Parameters:
metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element
criteriaUsage - the value from specified criteria

protected List<org.opensaml.saml2.metadata.RoleDescriptor> getRoleDescriptors(String entityID, QName role, String protocol) throws org.opensaml.xml.security.SecurityException
Get the list of metadata role descriptors which match the given entityID, role and protocol.
Parameters:
entityID - entity ID of the metadata entity descriptor to resolve
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is an error retrieving role descriptors from the metadata provider

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
Retrieves pre-resolved PKIX validation information from the cache.
Parameters:
cacheKey - the key to the metadata cache

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions)
Retrieves pre-resolved PKIX validation information from the cache.
Parameters:
extensions - the key to the metadata cache

protected Set<String> retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
Retrieves pre-resolved trusted names from the cache.
Parameters:
cacheKey - the key to the metadata cache

protected void cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
Adds resolved PKIX validation information to the cache.
Parameters:
cacheKey - the key for caching the information
pkixInfo - collection of PKIX information to cache

protected void cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
Adds resolved PKIX validation information to the cache.
Parameters:
extensions - the key for caching the information
pkixInfo - collection of PKIX information to cache

protected void cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names)
Adds resolved trusted name information to the cache.
Parameters:
cacheKey - the key for caching the information
names - collection of names to cache

protected String getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions)
Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. If the parent is an EntityDescriptor, return the entityID value. If an EntitiesDescriptor, return the name value.
Parameters:
extensions - the Extensions element

Copyright © 1999–2014. All rights reserved.