1 /*
2 * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 package org.opensaml.xml.security.keyinfo;
18
19 import java.security.PublicKey;
20 import java.util.ArrayList;
21 import java.util.Collection;
22 import java.util.List;
23
24 import org.opensaml.xml.encryption.Decrypter;
25 import org.opensaml.xml.security.CriteriaSet;
26 import org.opensaml.xml.security.SecurityException;
27 import org.opensaml.xml.security.credential.Credential;
28 import org.opensaml.xml.security.credential.CredentialResolver;
29 import org.opensaml.xml.security.criteria.KeyNameCriteria;
30 import org.opensaml.xml.security.criteria.PublicKeyCriteria;
31 import org.opensaml.xml.signature.KeyInfo;
32
33 /**
34 * A simple specialization of {@link BasicProviderKeyInfoCredentialResolver}
35 * which is capable of using information from a {@link KeyInfo} to resolve
36 * local credentials from a supplied {@link CredentialResolver} which manages local credentials.
37 *
38 * <p>
39 * The local credential resolver supplied should manage and return credentials
40 * which contain either a secret (symmetric) key or the private key half of a
41 * key pair.
42 * </p>
43 *
44 * <p>
45 * A typical use case for this class would be as a resolver of decryption keys,
46 * such as is needed by {@link Decrypter}.
47 * </p>
48 *
49 * <p>
50 * Resolution proceeds as follows:
51 * <ol>
52 * <li>Any credential resolved via the standard {@link BasicProviderKeyInfoCredentialResolver}
53 * resolution process which is not a local credential will be removed
54 * from the effective set of credentials to be returned. Note that a configured
55 * {@link KeyInfoProvider} may have itself already resolved local credentials using a
56 * different mechanism. These will not be removed.</li>
57 * <li>If a credential so removed contained a public key, that key will be used as a
58 * resolution criteria input to the local credential resolver. Any local credentials
59 * so resolved will be added to the set to be returned.</li>
60 * <li>Similarly, any key names from {@link KeyInfoResolutionContext#getKeyNames()} will also
61 * be used as resolution criteria for local credentials and the resultant credentials
62 * added to the set to be returned.</li>
63 * </ol>
64 * </p>
65 */
66 public class LocalKeyInfoCredentialResolver extends BasicProviderKeyInfoCredentialResolver {
67
68 /** The resovler which is used to resolve local credentials. */
69 private CredentialResolver localCredResolver;
70
71 /**
72 * Constructor.
73 *
74 * @param keyInfoProviders the list of KeyInfoProvider's to use in this resolver
75 * @param localCredentialResolver resolver of local credentials
76 */
77 public LocalKeyInfoCredentialResolver(List<KeyInfoProvider> keyInfoProviders,
78 CredentialResolver localCredentialResolver) {
79 super(keyInfoProviders);
80
81 if (localCredentialResolver == null) {
82 throw new IllegalArgumentException("Local credential resolver must be supplied");
83 }
84
85 localCredResolver = localCredentialResolver;
86 }
87
88 /**
89 * Get the resolver for local credentials.
90 *
91 * The credentials managed and returned by this resolver should all contain
92 * either a secret (symmetric) or private key.
93 *
94 * @return resolver of local credentials
95 */
96 public CredentialResolver getLocalCredentialResolver() {
97 return localCredResolver;
98 }
99
100 /** {@inheritDoc} */
101 protected void postProcess(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet,
102 List<Credential> credentials) throws SecurityException {
103
104 ArrayList<Credential> localCreds = new ArrayList<Credential>();
105
106 for (Credential cred : credentials) {
107 if (isLocalCredential(cred)) {
108 localCreds.add(cred);
109 } else if (cred.getPublicKey() != null) {
110 localCreds.addAll(resolveByPublicKey(cred.getPublicKey()));
111 }
112 }
113
114 // Also resolve local creds based on any key names that are known
115 for (String keyName : kiContext.getKeyNames()) {
116 localCreds.addAll(resolveByKeyName(keyName));
117 }
118
119 credentials.clear();
120 credentials.addAll(localCreds);
121 }
122
123 /**
124 * Determine whether the credential is a local credential.
125 *
126 * A local credential will have either a private key or a secret (symmetric) key.
127 *
128 * @param credential the credential to evaluate
129 * @return true if the credential has either a private or secret key, false otherwise
130 */
131 protected boolean isLocalCredential(Credential credential) {
132 return credential.getPrivateKey() != null || credential.getSecretKey() != null;
133 }
134
135 /**
136 * Resolve credentials from local resolver using key name criteria.
137 *
138 * @param keyName the key name criteria
139 * @return collection of local credentials identified by the specified key name
140 * @throws SecurityException thrown if there is a problem resolving credentials from the
141 * local credential resolver
142 */
143 protected Collection<? extends Credential> resolveByKeyName(String keyName) throws SecurityException {
144 ArrayList<Credential> localCreds = new ArrayList<Credential>();
145
146 CriteriaSet criteriaSet = new CriteriaSet( new KeyNameCriteria(keyName) );
147 for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) {
148 if (isLocalCredential(cred)) {
149 localCreds.add(cred);
150 }
151 }
152
153 return localCreds;
154 }
155
156 /**
157 * Resolve credentials from local resolver using public key criteria.
158 *
159 * @param publicKey the public key criteria
160 * @return collection of local credentials which contain the private key
161 * corresponding to the specified public key
162 * @throws SecurityException thrown if there is a problem resolving credentials from the
163 * local credential resolver
164 */
165 protected Collection<? extends Credential> resolveByPublicKey(PublicKey publicKey) throws SecurityException {
166 ArrayList<Credential> localCreds = new ArrayList<Credential>();
167
168 CriteriaSet criteriaSet = new CriteriaSet( new PublicKeyCriteria(publicKey) );
169 for (Credential cred : getLocalCredentialResolver().resolve(criteriaSet)) {
170 if (isLocalCredential(cred)) {
171 localCreds.add(cred);
172 }
173 }
174
175 return localCreds;
176 }
177
178 }