org.opensaml.xmlsec.keyinfo.impl.provider

Class InlineX509DataProvider

java.lang.Object

org.opensaml.xmlsec.keyinfo.impl.provider.AbstractKeyInfoProvider

org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider

All Implemented Interfaces:

KeyInfoProvider

public class InlineX509DataProvider
extends AbstractKeyInfoProvider

Implementation of KeyInfoProvider which provides basic support for extracting a X509Credential from an X509Data child of KeyInfo. This provider supports only inline X509Certificate's and X509CRLs. If only one certificate is present, it is assumed to be the end-entity certificate containing the public key represented by this KeyInfo. If multiple certificates are present, and any instances of X509SubjectName, X509IssuerSerial, X509SKI, or X509Digest are also present, they will be used to identify the end-entity certificate, in accordance with the XML Signature specification. If a public key from a previously resolved KeyValue is available in the resolution context, it will also be used to identify the end-entity certificate. If the end-entity certificate can not otherwise be identified, the cert contained in the first X509Certificate element will be treated as the end-entity certificate.

Field Summary

Fields

Modifier and Type	Field and Description
private org.slf4j.Logger	log Class logger.
private X500DNHandler	x500DNHandler Responsible for parsing and serializing X.500 names to/from X500Principal instances.

Constructor Summary

Constructors

Constructor and Description
InlineX509DataProvider() Constructor.

Method Summary

Modifier and Type	Method and Description
private java.util.List<java.security.cert.X509Certificate>	extractCertificates(X509Data x509Data) Extract certificates from the X509Data.
private java.util.List<java.security.cert.X509CRL>	extractCRLs(X509Data x509Data) Extract CRLs from the X509Data.
protected java.security.cert.X509Certificate	findCertFromDigest(java.util.List<java.security.cert.X509Certificate> certs, java.util.List<X509Digest> digests) Find the certificate from the chain that matches one of the specified digests.
protected java.security.cert.X509Certificate	findCertFromIssuerSerials(java.util.List<java.security.cert.X509Certificate> certs, java.util.List<X509IssuerSerial> serials) Find the certificate from the chain identified by one of the specified issuer serials.
protected java.security.cert.X509Certificate	findCertFromKey(java.util.List<java.security.cert.X509Certificate> certs, java.security.PublicKey key) Find the certificate from the chain that contains the specified key.
protected java.security.cert.X509Certificate	findCertFromSubjectKeyIdentifier(java.util.List<java.security.cert.X509Certificate> certs, java.util.List<X509SKI> skis) Find the certificate from the chain that contains one of the specified subject key identifiers.
protected java.security.cert.X509Certificate	findCertFromSubjectNames(java.util.List<java.security.cert.X509Certificate> certs, java.util.List<X509SubjectName> names) Find the certificate from the chain that contains one of the specified subject names.
protected java.security.cert.X509Certificate	findEntityCert(java.util.List<java.security.cert.X509Certificate> certs, X509Data x509Data, java.security.PublicKey resolvedKey) Find the end-entity cert in the list of certs contained in the X509Data.
X500DNHandler	getX500DNHandler() Get the handler which process X.500 distinguished names.
boolean	handles(XMLObject keyInfoChild) Evaluate whether the given provider should attempt to handle resolving a credential from the specified KeyInfo child.
java.util.Collection<Credential>	process(KeyInfoCredentialResolver resolver, XMLObject keyInfoChild, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, KeyInfoResolutionContext kiContext) Process a specified KeyInfo child (XMLobject) and attempt to resolve a credential from it.
void	setX500DNHandler(X500DNHandler handler) Set the handler which process X.500 distinguished names.

Methods inherited from class org.opensaml.xmlsec.keyinfo.impl.provider.AbstractKeyInfoProvider

buildCredentialContext, extractKeyValue

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final org.slf4j.Logger log

Class logger.

x500DNHandler

private X500DNHandler x500DNHandler

Responsible for parsing and serializing X.500 names to/from X500Principal instances.

Constructor Detail

InlineX509DataProvider

public InlineX509DataProvider()

Constructor.

Method Detail

getX500DNHandler

@Nonnull
public X500DNHandler getX500DNHandler()

Get the handler which process X.500 distinguished names.

Returns:

returns the X500DNHandler instance

setX500DNHandler

public void setX500DNHandler(@Nonnull
                             X500DNHandler handler)

Set the handler which process X.500 distinguished names.

Parameters:

handler - the new X500DNHandler instance

handles

public boolean handles(@Nonnull
                       XMLObject keyInfoChild)

Evaluate whether the given provider should attempt to handle resolving a credential from the specified KeyInfo child. An evaluation of true does not guarantee that a credential can or will be extracted form the particular KeyInfo child, only that processing should be attempted.

Parameters:

keyInfoChild - the KeyInfo child object to consider

Returns:

true if the provider should attempt to resolve credentials, false otherwise

process

@Nullable
public java.util.Collection<Credential> process(@Nonnull
                                                          KeyInfoCredentialResolver resolver,
                                                          @Nonnull
                                                          XMLObject keyInfoChild,
                                                          @Nullable
                                                          net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                          @Nonnull
                                                          KeyInfoResolutionContext kiContext)
                                                   throws SecurityException

Process a specified KeyInfo child (XMLobject) and attempt to resolve a credential from it.

Parameters:

resolver - reference to a resolver which is calling the provider

keyInfoChild - the KeyInfo child being processed

criteriaSet - the credential criteria the credential must satisfy

kiContext - the resolution context, used for sharing state amongst resolvers and providers

Returns:

a resolved Credential collection, or null

Throws:

SecurityException - if there is an error during credential resolution. Note: failure to resolve a credential is not an error.

extractCRLs

@Nonnull
private java.util.List<java.security.cert.X509CRL> extractCRLs(@Nonnull
                                                                        X509Data x509Data)
                                                                 throws SecurityException

Extract CRLs from the X509Data.

Parameters:

x509Data - the X509Data element

Returns:

a list of X509CRLs

Throws:

SecurityException - thrown if there is an error extracting CRLs

extractCertificates

@Nonnull
private java.util.List<java.security.cert.X509Certificate> extractCertificates(@Nonnull
                                                                                        X509Data x509Data)
                                                                                 throws SecurityException

Extract certificates from the X509Data.

Parameters:

x509Data - the X509Data element

Returns:

a list of X509Certificates

Throws:

SecurityException - thrown if there is an error extracting certificates

findEntityCert

@Nullable
protected java.security.cert.X509Certificate findEntityCert(@Nullable
                                                                      java.util.List<java.security.cert.X509Certificate> certs,
                                                                      @Nonnull
                                                                      X509Data x509Data,
                                                                      @Nullable
                                                                      java.security.PublicKey resolvedKey)

Find the end-entity cert in the list of certs contained in the X509Data.

Parameters:

certs - list of X509Certificate

x509Data - X509Data element which might contain other info helping to finding the end-entity cert

resolvedKey - a key which might have previously been resolved from a KeyValue

Returns:

the end-entity certificate, if found

findCertFromKey

@Nullable
protected java.security.cert.X509Certificate findCertFromKey(@Nonnull
                                                                       java.util.List<java.security.cert.X509Certificate> certs,
                                                                       @Nullable
                                                                       java.security.PublicKey key)

Find the certificate from the chain that contains the specified key.

Parameters:

certs - list of certificates to evaluate

key - key to use as search criteria

Returns:

the matching certificate, or null

findCertFromSubjectNames

@Nullable
protected java.security.cert.X509Certificate findCertFromSubjectNames(@Nonnull
                                                                                java.util.List<java.security.cert.X509Certificate> certs,
                                                                                @Nonnull
                                                                                java.util.List<X509SubjectName> names)

Find the certificate from the chain that contains one of the specified subject names.

Parameters:

certs - list of certificates to evaluate

names - X509 subject names to use as search criteria

Returns:

the matching certificate, or null

findCertFromIssuerSerials

@Nullable
protected java.security.cert.X509Certificate findCertFromIssuerSerials(@Nonnull
                                                                                 java.util.List<java.security.cert.X509Certificate> certs,
                                                                                 @Nonnull
                                                                                 java.util.List<X509IssuerSerial> serials)

Find the certificate from the chain identified by one of the specified issuer serials.

Parameters:

certs - list of certificates to evaluate

serials - X509 issuer serials to use as search criteria

Returns:

the matching certificate, or null

findCertFromSubjectKeyIdentifier

@Nullable
protected java.security.cert.X509Certificate findCertFromSubjectKeyIdentifier(@Nonnull
                                                                                        java.util.List<java.security.cert.X509Certificate> certs,
                                                                                        @Nonnull
                                                                                        java.util.List<X509SKI> skis)

Find the certificate from the chain that contains one of the specified subject key identifiers.

Parameters:

certs - list of certificates to evaluate

skis - X509 subject key identifiers to use as search criteria

Returns:

the matching certificate, or null

findCertFromDigest

@Nullable
protected java.security.cert.X509Certificate findCertFromDigest(@Nonnull
                                                                          java.util.List<java.security.cert.X509Certificate> certs,
                                                                          @Nonnull
                                                                          java.util.List<X509Digest> digests)

Find the certificate from the chain that matches one of the specified digests.

Parameters:

certs - list of certificates to evaluate

digests - X509 digests to use as search criteria

Returns:

the matching certificate, or null