View Javadoc

1   /*
2    * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.opensaml.xml.security.keyinfo;
18  
19  import java.security.PublicKey;
20  import java.util.ArrayList;
21  import java.util.Collection;
22  import java.util.List;
23  
24  import org.opensaml.xml.encryption.Decrypter;
25  import org.opensaml.xml.security.CriteriaSet;
26  import org.opensaml.xml.security.SecurityException;
27  import org.opensaml.xml.security.credential.Credential;
28  import org.opensaml.xml.security.credential.CredentialResolver;
29  import org.opensaml.xml.security.criteria.KeyNameCriteria;
30  import org.opensaml.xml.security.criteria.PublicKeyCriteria;
31  import org.opensaml.xml.signature.KeyInfo;
32  
33  /**
34   * A simple specialization of {@link BasicProviderKeyInfoCredentialResolver}
35   * which is capable of using information from a {@link KeyInfo} to resolve
36   * local credentials from a supplied {@link CredentialResolver} which manages local credentials.
37   * 
38   * <p>
39   * The local credential resolver supplied should manage and return credentials
40   * which contain either a secret (symmetric) key or the private key half of a
41   * key pair.
42   * </p>
43   * 
44   * <p>
45   * A typical use case for this class would be as a resolver of decryption keys,
46   * such as is needed by {@link Decrypter}.
47   * </p>
48   * 
49   * <p>
50   * Resolution proceeds as follows:
51   * <ol>
52   *   <li>Any credential resolved via the standard {@link BasicProviderKeyInfoCredentialResolver}
53   *       resolution process which is not a local credential will be removed
54   *       from the effective set of credentials to be returned.  Note that a configured
55   *       {@link KeyInfoProvider} may have itself already resolved local credentials using a
56   *       different mechanism.  These will not be removed.</li>
57   *   <li>If a credential so removed contained a public key, that key will be used as a
58   *       resolution criteria input to the local credential resolver.  Any local credentials
59   *       so resolved will be added to the set to be returned.</li>
60   *   <li>Similarly, any key names from {@link KeyInfoResolutionContext#getKeyNames()} will also
61   *       be used as resolution criteria for local credentials and the resultant credentials
62   *       added to the set to be returned.</li>
63   * </ol>
64   * </p>
65   */
66  public class LocalKeyInfoCredentialResolver extends BasicProviderKeyInfoCredentialResolver {
67      
68      /** The resovler which is used to resolve local credentials. */
69      private CredentialResolver localCredResolver;
70  
71      /**
72       * Constructor.
73       *
74       * @param keyInfoProviders the list of KeyInfoProvider's to use in this resolver
75       * @param localCredentialResolver resolver of local credentials
76       */
77      public LocalKeyInfoCredentialResolver(List<KeyInfoProvider> keyInfoProviders,
78              CredentialResolver localCredentialResolver) {
79          super(keyInfoProviders);
80          
81          if (localCredentialResolver == null) {
82              throw new IllegalArgumentException("Local credential resolver must be supplied");
83          }
84          
85          localCredResolver = localCredentialResolver;
86      }
87      
88      /**
89       * Get the resolver for local credentials.
90       * 
91       * The credentials managed and returned by this resolver should all contain
92       * either a secret (symmetric) or private key.
93       *
94       * @return resolver of local credentials
95       */
96      public CredentialResolver getLocalCredentialResolver() {
97          return localCredResolver;
98      }
99  
100     /** {@inheritDoc} */
101     protected void postProcess(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet,
102             List<Credential> credentials) throws SecurityException {
103         
104         ArrayList<Credential> localCreds = new ArrayList<Credential>();
105         
106         for (Credential cred : credentials) {
107             if (isLocalCredential(cred)) {
108                 localCreds.add(cred);
109             } else if (cred.getPublicKey() != null) {
110                localCreds.addAll(resolveByPublicKey(cred.getPublicKey()));
111             }
112         }
113         
114         // Also resolve local creds based on any key names that are known
115         for (String keyName : kiContext.getKeyNames()) {
116             localCreds.addAll(resolveByKeyName(keyName));
117         }
118         
119         credentials.clear();
120         credentials.addAll(localCreds);
121     }
122     
123     /**
124      * Determine whether the credential is a local credential.
125      * 
126      * A local credential will have either a private key or a secret (symmetric) key.
127      * 
128      * @param credential the credential to evaluate
129      * @return true if the credential has either a private or secret key, false otherwise
130      */
131     protected boolean isLocalCredential(Credential credential) {
132         return credential.getPrivateKey() != null || credential.getSecretKey() != null;
133     }
134 
135     /**
136      * Resolve credentials from local resolver using key name criteria.
137      * 
138      * @param keyName the key name criteria
139      * @return collection of local credentials identified by the specified key name
140      * @throws SecurityException  thrown if there is a problem resolving credentials from the 
141      *          local credential resolver
142      */
143     protected Collection<? extends Credential> resolveByKeyName(String keyName) throws SecurityException {
144         ArrayList<Credential> localCreds = new ArrayList<Credential>();
145         
146         CriteriaSet criteriaSet = new CriteriaSet( new KeyNameCriteria(keyName) );
147         for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) {
148             if (isLocalCredential(cred)) {
149                 localCreds.add(cred);
150             }
151         }
152         
153         return localCreds;
154     }
155 
156     /**
157      * Resolve credentials from local resolver using public key criteria.
158      * 
159      * @param publicKey the public key criteria
160      * @return collection of local credentials which contain the private key
161      *          corresponding to the specified public key
162      * @throws SecurityException  thrown if there is a problem resolving credentials from the 
163      *          local credential resolver
164      */
165     protected Collection<? extends Credential> resolveByPublicKey(PublicKey publicKey) throws SecurityException {
166         ArrayList<Credential> localCreds = new ArrayList<Credential>();
167         
168         CriteriaSet criteriaSet = new CriteriaSet( new PublicKeyCriteria(publicKey) );
169         for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) {
170             if (isLocalCredential(cred)) {
171                 localCreds.add(cred);
172             }
173         }
174         
175         return localCreds;
176     }
177 
178 }