17 package org.opensaml.xml.security.credential.criteria;
18
19 import java.security.cert.X509Certificate;
20 import java.util.Arrays;
21
22 import org.opensaml.xml.security.credential.Credential;
23 import org.opensaml.xml.security.x509.X509Credential;
24 import org.opensaml.xml.security.x509.X509SubjectKeyIdentifierCriteria;
25 import org.opensaml.xml.security.x509.X509Util;
26 import org.slf4j.Logger;
27 import org.slf4j.LoggerFactory;
28
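/**
 * Instance of evaluable credential criteria for evaluating whether a credential's entity certificate
 * carries a given X.509 Subject Key Identifier (SKI) extension value.
 *
 * <p>The SKI held by this instance is a private copy: it is taken defensively from the constructor
 * argument, so later modification of the caller's array cannot change what this evaluator matches.</p>
 */
public class EvaluableX509SubjectKeyIdentifierCredentialCriteria implements EvaluableCredentialCriteria {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(EvaluableX509SubjectKeyIdentifierCredentialCriteria.class);

    /** Subject key identifier value the target credential must carry. Private copy, never exposed. */
    private final byte[] ski;

    /**
     * Constructor.
     *
     * @param criteria the criteria whose subject key identifier is evaluated against credentials
     * @throws NullPointerException if {@code criteria} is null
     */
    public EvaluableX509SubjectKeyIdentifierCredentialCriteria(X509SubjectKeyIdentifierCriteria criteria) {
        if (criteria == null) {
            throw new NullPointerException("Criteria instance may not be null");
        }
        // Defensive copy: the criteria object may hand out its internal array. Whether the criteria
        // guarantees a non-empty SKI is not visible here, so a null value is tolerated (it then never
        // matches, as Arrays.equals(null, x) is false) rather than rejected.
        ski = copyOf(criteria.getSubjectKeyIdentifier());
    }

    /**
     * Constructor.
     *
     * @param newSKI the subject key identifier value to evaluate against credentials
     * @throws IllegalArgumentException if {@code newSKI} is null or empty
     */
    public EvaluableX509SubjectKeyIdentifierCredentialCriteria(byte[] newSKI) {
        if (newSKI == null || newSKI.length == 0) {
            throw new IllegalArgumentException("Subject key identifier may not be null or empty");
        }
        // Defensive copy so the caller cannot mutate the matched value after construction.
        ski = newSKI.clone();
    }

    /**
     * Evaluates whether the target credential's entity certificate carries this instance's SKI.
     *
     * @param target the credential to evaluate
     * @return {@link Boolean#TRUE} if the entity certificate's SKI extension equals the configured SKI,
     *         {@link Boolean#FALSE} if the credential is not an {@link X509Credential}, has no entity
     *         certificate, or the SKI differs; {@code null} if the target is null or the certificate
     *         carries no SKI extension (the criteria cannot be evaluated)
     */
    public Boolean evaluate(Credential target) {
        if (target == null) {
            log.error("Credential target was null");
            return null;
        }
        if (!(target instanceof X509Credential)) {
            log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
            return Boolean.FALSE;
        }
        X509Credential x509Cred = (X509Credential) target;

        X509Certificate entityCert = x509Cred.getEntityCertificate();
        if (entityCert == null) {
            log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
            return Boolean.FALSE;
        }

        byte[] credSKI = X509Util.getSubjectKeyIdentifier(entityCert);
        if (credSKI == null || credSKI.length == 0) {
            // Absence of the extension is "cannot evaluate", not "does not match".
            log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
            return null;
        }

        // SKI is public certificate data, so a plain array comparison is appropriate here.
        return Arrays.equals(ski, credSKI);
    }

    /**
     * Returns a null-tolerant copy of a byte array.
     *
     * @param value the array to copy, may be null
     * @return a fresh copy of {@code value}, or null if {@code value} is null
     */
    private static byte[] copyOf(byte[] value) {
        return value == null ? null : value.clone();
    }

}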