View Javadoc

1   /*
2    * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.opensaml.xml.signature.impl;
18  
19  import java.util.ArrayList;
20  import java.util.List;
21  
22  import org.opensaml.xml.security.CriteriaSet;
23  import org.opensaml.xml.security.SecurityException;
24  import org.opensaml.xml.security.credential.Credential;
25  import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
26  import org.opensaml.xml.signature.Signature;
27  import org.opensaml.xml.signature.SignatureTrustEngine;
28  import org.slf4j.Logger;
29  import org.slf4j.LoggerFactory;
30  
31  /**
32   * Evaluate a signature in sequence using a chain of subordinate trust engines. If the signature may be established as
33   * trusted by any of the subordinate engines, the token is considered trusted. Otherwise it is considered untrusted.
34   * 
35   */
36  public class ChainingSignatureTrustEngine implements SignatureTrustEngine {
37  
38      /** Class logger. */
39      private final Logger log = LoggerFactory.getLogger(ChainingSignatureTrustEngine.class);
40  
41      /** The chain of subordinate trust engines. */
42      private List<SignatureTrustEngine> engines;
43  
44      /** Constructor. */
45      public ChainingSignatureTrustEngine() {
46          engines = new ArrayList<SignatureTrustEngine>();
47      }
48  
49      /**
50       * Get the list of configured trust engines which constitute the trust evaluation chain.
51       * 
52       * @return the modifiable list of trust engines in the chain
53       */
54      public List<SignatureTrustEngine> getChain() {
55          return engines;
56      }
57  
58      /** {@inheritDoc} */
59      public KeyInfoCredentialResolver getKeyInfoResolver() {
60          // Chaining signature trust engine does not support an attached KeyInfoResolver
61          return null;
62      }
63  
64      /** {@inheritDoc} */
65      public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException {
66          for (SignatureTrustEngine engine : engines) {
67              if (engine.validate(token, trustBasisCriteria)) {
68                  log.debug("Signature was trusted by chain member: {}", engine.getClass().getName());
69                  return true;
70              }
71          }
72          return false;
73      }
74  
75      /** {@inheritDoc} */
76      public boolean validate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria,
77              Credential candidateCredential) throws SecurityException {
78          for (SignatureTrustEngine engine : engines) {
79              if (engine.validate(signature, content, algorithmURI, trustBasisCriteria, candidateCredential)) {
80                  log.debug("Signature was trusted by chain member: {}", engine.getClass().getName());
81                  return true;
82              }
83          }
84          return false;
85      }
86  
87  }