Java Code Examples for org.opensaml.xml.security.CriteriaSet#addAll()

The following examples show how to use org.opensaml.xml.security.CriteriaSet#addAll() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: ExplicitKeySignatureTrustEngine.java    From lams with GNU General Public License v2.0 5 votes vote down vote up 
/** {@inheritDoc} */
public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {

    checkParams(signature, trustBasisCriteria);

    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.addAll(trustBasisCriteria);
    if (!criteriaSet.contains(UsageCriteria.class)) {
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    }
    String jcaAlgorithm = SecurityHelper.getKeyAlgorithmFromURI(signature.getSignatureAlgorithm());
    if (!DatatypeHelper.isEmpty(jcaAlgorithm)) {
        criteriaSet.add(new KeyAlgorithmCriteria(jcaAlgorithm), true);
    }

    Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(criteriaSet);

    if (validate(signature, trustedCredentials)) {
        return true;
    }

    // If the credentials extracted from Signature's KeyInfo (if any) did not verify the
    // signature and/or establish trust, as a fall back attempt to verify the signature with
    // the trusted credentials directly.
    log.debug("Attempting to verify signature using trusted credentials");

    for (Credential trustedCredential : trustedCredentials) {
        if (verifySignature(signature, trustedCredential)) {
            log.debug("Successfully verified signature using resolved trusted credential");
            return true;
        }
    }
    log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials");
    return false;
}
Example 2
Source File: Decrypter.java    From lams with GNU General Public License v2.0 5 votes vote down vote up 
/**
 * Utility method to build a new set of credential criteria based on the KeyInfo of an EncryptedData or
 * EncryptedKey, and any additional static criteria which might have been supplied to the decrypter.
 * 
 * @param encryptedType an EncryptedData or EncryptedKey for which to resolve decryption credentials
 * @param staticCriteria static set of credential criteria to add to the new criteria set
 * @return the new credential criteria set
 */
private CriteriaSet buildCredentialCriteria(EncryptedType encryptedType, CriteriaSet staticCriteria) {

    CriteriaSet newCriteriaSet = new CriteriaSet();

    // This is the main criteria based on the encrypted type's KeyInfo
    newCriteriaSet.add(new KeyInfoCriteria(encryptedType.getKeyInfo()));

    // Also attemtpt to dynamically construct key criteria based on information
    // in the encrypted object
    Set<Criteria> keyCriteria = buildKeyCriteria(encryptedType);
    if (keyCriteria != null && !keyCriteria.isEmpty()) {
        newCriteriaSet.addAll(keyCriteria);
    }

    // Add any static criteria which may have been supplied to the decrypter
    if (staticCriteria != null && !staticCriteria.isEmpty()) {
        newCriteriaSet.addAll(staticCriteria);
    }

    // If don't have a usage criteria yet from static criteria, add encryption usage
    if (!newCriteriaSet.contains(UsageCriteria.class)) {
        newCriteriaSet.add(new UsageCriteria(UsageType.ENCRYPTION));
    }

    return newCriteriaSet;
}
Example 3
Source File: SignatureValidationFilter.java    From lams with GNU General Public License v2.0 5 votes vote down vote up 
/**
 * Build the criteria set which will be used as input to the configured trust engine.
 * 
 * @param signedMetadata the metadata element whose signature is being verified
 * @param metadataEntryName the EntityDescriptor entityID, EntitiesDescriptor Name,
 *                          AffiliationDescriptor affiliationOwnerID, 
 *                          or RoleDescriptor {@link #getRoleIDToken(String, RoleDescriptor)}
 *                          corresponding to the element whose signature is being evaluated.
 *                          This is used exclusively for logging/debugging purposes and
 *                          should not be used operationally (e.g. for building the criteria set).
 * @param isEntityGroup flag indicating whether the signed object is a metadata group (EntitiesDescriptor)
 * @return the newly constructed criteria set
 */
protected CriteriaSet buildCriteriaSet(SignableXMLObject signedMetadata,
        String metadataEntryName, boolean isEntityGroup) {
    
    CriteriaSet newCriteriaSet = new CriteriaSet();
    
    if (getDefaultCriteria() != null) {
        newCriteriaSet.addAll( getDefaultCriteria() );
    }
    
    if (!newCriteriaSet.contains(UsageCriteria.class)) {
        newCriteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
    }
    
    // TODO how to handle adding dynamic entity ID and/or other criteria for trust engine consumption?
    //
    // Have 4 signed metadata types:
    // 1) EntitiesDescriptor
    // 2) EntityDescriptor
    // 3) RoleDescriptor
    // 4) AffiliationDescriptor
    //
    // Logic will likely vary for how to specify criteria to trust engine for different types + specific use cases,
    // e.g. for federation metadata publishers of EntitiesDescriptors vs. "self-signed" EntityDescriptors.
    // May need to delegate to more specialized subclasses.
    
    return newCriteriaSet;
}