1 /* 2 * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.] 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.opensaml.xml.signature; 18 19 import org.opensaml.xml.security.CriteriaSet; 20 import org.opensaml.xml.security.SecurityException; 21 import org.opensaml.xml.security.credential.Credential; 22 import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; 23 import org.opensaml.xml.security.trust.TrustEngine; 24 25 /** 26 * Evaluates the trustworthiness and validity of XML or raw Signatures against implementation-specific requirements. 27 */ 28 public interface SignatureTrustEngine extends TrustEngine<Signature> { 29 30 /** 31 * Get the KeyInfoCredentialResolver instance used to resolve (advisory) signing credential information 32 * from KeyInfo elements contained within a Signature element. 33 * 34 * Note that credential(s) obtained via this resolver are not themselves trusted. They must be evaluated 35 * against the trusted credential information obtained from the trusted credential resolver. 36 * 37 * @return a KeyInfoCredentialResolver instance 38 */ 39 public KeyInfoCredentialResolver getKeyInfoResolver(); 40 41 /** 42 * Determines whether a raw signature over specified content is valid and signed by a trusted credential. 43 * 44 * <p>A candidate verification credential may optionally be supplied. If one is supplied and is 45 * determined to successfully verify the signature, an attempt will be made to establish 46 * trust on this basis.</p> 47 * 48 * <p>If a candidate credential is not supplied, or it does not successfully verify the signature, 49 * some implementations may be able to resolve candidate verification credential(s) in an 50 * implementation-specific manner based on the trusted criteria supplied, and then attempt 51 * to verify the signature and establish trust on this basis.</p> 52 * 53 * @param signature the signature value 54 * @param content the content that was signed 55 * @param algorithmURI the signature algorithm URI which was used to sign the content 56 * @param trustBasisCriteria criteria used to describe and/or resolve the information 57 * which serves as the basis for trust evaluation 58 * @param candidateCredential the untrusted candidate credential containing the validation key 59 * for the signature (optional) 60 * 61 * @return true if the signature was valid for the provided content and was signed by a key 62 * contained within a credential established as trusted based on the supplied criteria, 63 * otherwise false 64 * 65 * @throws SecurityException thrown if there is a problem attempting to verify the signature such as the signature 66 * algorithim not being supported 67 */ 68 public boolean validate(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria, 69 Credential candidateCredential) throws SecurityException; 70 }