
1   /*
2    * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.opensaml.xml.security.credential.criteria;
18  
19  import java.security.cert.X509Certificate;
20  import java.util.Arrays;
21  
22  import org.opensaml.xml.security.credential.Credential;
23  import org.opensaml.xml.security.x509.X509Credential;
24  import org.opensaml.xml.security.x509.X509SubjectKeyIdentifierCriteria;
25  import org.opensaml.xml.security.x509.X509Util;
26  import org.slf4j.Logger;
27  import org.slf4j.LoggerFactory;
28  
29  /**
30   * Instance of evaluable credential criteria for evaluating whether a credential's certificate contains a particular
31   * subject key identifier.
32   */
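/**
 * Instance of evaluable credential criteria for evaluating whether a credential's certificate contains a particular
 * subject key identifier.
 *
 * <p>The target credential satisfies the criteria when it is an {@link X509Credential} whose entity certificate
 * carries a SubjectKeyIdentifier extension that is byte-for-byte equal to the configured value. A subject key
 * identifier is public, non-secret data, so a plain {@link Arrays#equals(byte[], byte[])} comparison is sufficient;
 * no constant-time comparison is needed here.</p>
 *
 * <p>Security note: this class only <em>selects</em> a credential by an unauthenticated certificate extension. It
 * performs no signature, chain or revocation checking, so a match must not be taken as proof that the credential is
 * trustworthy; trust decisions belong to whatever consumes the resolved credential.</p>
 *
 * <p>Instances are effectively immutable once constructed: the identifier supplied by the caller is defensively
 * copied, so later mutation of the caller's array cannot alter what this criteria matches.</p>
 */
public class EvaluableX509SubjectKeyIdentifierCredentialCriteria implements EvaluableCredentialCriteria {
    
    /** Logger. */
    private final Logger log = LoggerFactory.getLogger(EvaluableX509SubjectKeyIdentifierCredentialCriteria.class);
    
    /**
     * Subject key identifier to match, held as a private copy that is never exposed. May be null when the
     * {@link X509SubjectKeyIdentifierCriteria} supplied no identifier, in which case {@link #evaluate(Credential)}
     * never reports a match.
     */
    private final byte[] ski;
    
    /**
     * Constructor.
     *
     * @param criteria the criteria which is the basis for evaluation
     *
     * @throws NullPointerException if criteria is null
     */
    public EvaluableX509SubjectKeyIdentifierCredentialCriteria(X509SubjectKeyIdentifierCriteria criteria) {
        if (criteria == null) {
            throw new NullPointerException("Criteria instance may not be null");
        }
        // Defensive copy: the criteria object may hand out its own array reference.
        ski = copyOf(criteria.getSubjectKeyIdentifier());
    }
    
    /**
     * Constructor.
     *
     * @param newSKI the criteria value which is the basis for evaluation
     *
     * @throws IllegalArgumentException if newSKI is null or empty
     */
    public EvaluableX509SubjectKeyIdentifierCredentialCriteria(byte[] newSKI) {
        if (newSKI == null || newSKI.length == 0) {
            throw new IllegalArgumentException("Subject key identifier may not be null or empty");
        }
        // Defensive copy so the caller cannot change the match target after construction.
        ski = newSKI.clone();
    }

    /**
     * {@inheritDoc}
     *
     * <p>Returns {@link Boolean#TRUE} when the target is an {@link X509Credential} whose entity certificate has a
     * subject key identifier equal to the configured one, {@link Boolean#FALSE} when the target is not an
     * X.509 credential, has no entity certificate, or its identifier differs, and {@code null} when the criteria
     * cannot be evaluated at all (null target, or a certificate with no SubjectKeyIdentifier extension).</p>
     */
    public Boolean evaluate(Credential target) {
        if (target == null) {
            log.error("Credential target was null");
            return null;
        }
        if (! (target instanceof X509Credential)) {
            log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
            return Boolean.FALSE;
        }
        X509Credential x509Cred = (X509Credential) target;
        
        X509Certificate entityCert = x509Cred.getEntityCertificate();
        if (entityCert == null) {
            log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
            return Boolean.FALSE;
        }
        
        byte[] credSKI = X509Util.getSubjectKeyIdentifier(entityCert);
        if (credSKI == null || credSKI.length == 0) {
            // Absence of the extension is "unknown", not "mismatch": leave the decision to other criteria.
            log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
            return null;
        }
        
        // If ski is null (criteria carried no identifier) Arrays.equals yields false, which is the intended outcome.
        return Boolean.valueOf(Arrays.equals(ski, credSKI));
    }

    /**
     * Returns a private copy of the given array, or null when the input is null.
     *
     * @param source array to copy, may be null
     *
     * @return a fresh copy of source, or null
     */
    private static byte[] copyOf(byte[] source) {
        return source == null ? null : source.clone();
    }

}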