17 package org.opensaml.xml.security.x509;
18
19 import java.util.Set;
20
21 import org.opensaml.xml.security.CriteriaSet;
22 import org.opensaml.xml.security.SecurityException;
23 import org.slf4j.Logger;
24 import org.slf4j.LoggerFactory;
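public class PKIXX509CredentialTrustEngine implements PKIXTrustEngine<X509Credential> {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(PKIXX509CredentialTrustEngine.class);

    /** Resolver used to obtain the trusted PKIX validation information and, where supported, trusted names. */
    private PKIXValidationInformationResolver pkixResolver;

    /** Evaluator that performs the PKIX path validation of the untrusted credential. */
    private PKIXTrustEvaluator pkixTrustEvaluator;

    /**
     * Evaluator that checks the untrusted credential's names against the trusted names. May be null, in which
     * case trusted name checking is skipped (see {@link #checkNames(Set, X509Credential)}).
     */
    private X509CredentialNameEvaluator credNameEvaluator;

    /**
     * Constructor.
     *
     * Uses a {@link CertPathPKIXTrustEvaluator} for path validation and a {@link BasicX509CredentialNameEvaluator}
     * for trusted name checking.
     *
     * @param resolver the resolver supplying trusted PKIX validation information, must not be null
     * @throws IllegalArgumentException if resolver is null
     */
    public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver) {
        this(resolver, new CertPathPKIXTrustEvaluator(), new BasicX509CredentialNameEvaluator());
    }

    /**
     * Constructor.
     *
     * @param resolver the resolver supplying trusted PKIX validation information, must not be null
     * @param pkixEvaluator the evaluator performing PKIX path validation, must not be null
     * @param nameEvaluator the evaluator performing trusted name checking; may be null, in which case trusted
     *            name checking is skipped entirely and trust rests on path validation alone
     * @throws IllegalArgumentException if resolver or pkixEvaluator is null
     */
    public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver, PKIXTrustEvaluator pkixEvaluator,
            X509CredentialNameEvaluator nameEvaluator) {
        if (resolver == null) {
            throw new IllegalArgumentException("PKIX trust information resolver may not be null");
        }
        if (pkixEvaluator == null) {
            throw new IllegalArgumentException("PKIX trust evaluator may not be null");
        }
        pkixResolver = resolver;
        pkixTrustEvaluator = pkixEvaluator;
        // Deliberately not null-checked: a null name evaluator disables name checking.
        credNameEvaluator = nameEvaluator;
    }

    /**
     * Get the resolver supplying trusted PKIX validation information.
     *
     * @return the PKIX validation information resolver, never null
     */
    public PKIXValidationInformationResolver getPKIXResolver() {
        return pkixResolver;
    }

    /**
     * Get the evaluator performing PKIX path validation.
     *
     * @return the PKIX trust evaluator, never null
     */
    public PKIXTrustEvaluator getPKIXTrustEvaluator() {
        return pkixTrustEvaluator;
    }

    /**
     * Get the evaluator performing trusted name checking of the untrusted credential.
     *
     * @return the credential name evaluator, or null if name checking is disabled
     */
    public X509CredentialNameEvaluator getX509CredentialNameEvaluator() {
        return credNameEvaluator;
    }

    /**
     * Validate an untrusted X.509 credential against the PKIX validation information (and, where the resolver
     * supports it, the trusted names) resolved from the supplied criteria.
     *
     * @param untrustedCredential the credential to validate; a null credential, or one without an entity
     *            certificate, is rejected
     * @param trustBasisCriteria criteria used to resolve the trusted validation information and trusted names
     * @return true if trust in the credential was established, false otherwise
     * @throws SecurityException if the trusted names or validation information could not be resolved
     */
    public boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
            throws SecurityException {

        log.debug("Attempting PKIX validation of untrusted credential");

        if (untrustedCredential == null) {
            log.error("X.509 credential was null, unable to perform validation");
            return false;
        }

        if (untrustedCredential.getEntityCertificate() == null) {
            log.error("Untrusted X.509 credential's entity certificate was null, unable to perform validation");
            return false;
        }

        // Trusted names are consulted only when the resolver can supply them. When it cannot, name checking
        // is skipped and trust rests on path validation against the resolved validation information alone.
        Set<String> trustedNames = null;
        if (pkixResolver.supportsTrustedNameResolution()) {
            trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria);
        } else {
            log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
        }

        return validate(untrustedCredential, trustedNames, pkixResolver.resolve(trustBasisCriteria));
    }

    /**
     * Perform trusted name checking and then PKIX path validation of the untrusted credential against each
     * set of validation information in turn. Trust is established by the first set that validates
     * successfully.
     *
     * @param untrustedX509Credential the credential to validate
     * @param trustedNames the trusted names to check the credential against; may be null when the resolver
     *            does not support trusted name resolution
     * @param validationInfoSet the trusted validation information to validate against; a null value yields
     *            false rather than an unchecked exception
     * @return true if trust in the credential was established, false otherwise
     * @throws SecurityException if trusted name checking fails with an error
     */
    protected boolean validate(X509Credential untrustedX509Credential, Set<String> trustedNames,
            Iterable<PKIXValidationInformation> validationInfoSet) throws SecurityException {

        log.debug("Beginning PKIX validation using trusted validation information");

        if (!checkNames(trustedNames, untrustedX509Credential)) {
            log.error("Evaluation of credential against trusted names failed. Aborting PKIX validation");
            return false;
        }

        if (validationInfoSet == null) {
            // Fail closed: with no trusted validation information there is nothing to establish trust against.
            log.error("No PKIX validation information was available, unable to perform validation");
            return false;
        }

        for (PKIXValidationInformation validationInfo : validationInfoSet) {
            try {
                if (pkixTrustEvaluator.validate(validationInfo, untrustedX509Credential)) {
                    log.debug("Credential trust established via PKIX validation");
                    return true;
                }
            } catch (SecurityException e) {
                // A failure evaluating one set of validation information must not prevent the remaining sets
                // from being tried. The error is logged; the credential stays untrusted unless another set
                // validates it.
                log.error("Error performing PKIX validation on untrusted credential", e);
            }
        }
        log.debug("Trust of untrusted credential could not be established via PKIX validation");
        return false;
    }

    /**
     * Evaluate the untrusted credential against the trusted names using the configured name evaluator.
     *
     * @param trustedNames the trusted names; may be null when the resolver does not support name resolution.
     *            How a null or empty set is treated is determined by the configured evaluator.
     * @param untrustedCredential the credential whose names are checked
     * @return true if no name evaluator is configured (check skipped) or the evaluator accepts the credential,
     *         false otherwise
     * @throws SecurityException if the name evaluator fails with an error
     */
    protected boolean checkNames(Set<String> trustedNames, X509Credential untrustedCredential)
            throws SecurityException {

        if (credNameEvaluator == null) {
            log.debug("No credential name evaluator was available, skipping trusted name evaluation");
            return true;
        }
        return credNameEvaluator.evaluate(untrustedCredential, trustedNames);
    }

}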