return new PKIXSignatureTrustEngine( getPKIXResolver(provider, trustedKeys, null), Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(),
/** {@inheritDoc} */
public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {
    checkParams(signature, trustBasisCriteria);
    // The trusted names and the PKIX validation information are resolved from
    // the criteria first; the signature/trust evaluation itself is delegated to
    // the overload that takes the already-resolved pair.
    Pair<Set<String>, Iterable<PKIXValidationInformation>> resolvedInfo =
            resolveValidationInfo(trustBasisCriteria);
    boolean trusted = validate(signature, resolvedInfo);
    if (!trusted) {
        log.debug("PKIX validation of signature failed, unable to resolve valid and trusted signing key");
    }
    return trusted;
}
checkParamsRaw(signature, content, algorithmURI, trustBasisCriteria); resolveValidationInfo(trustBasisCriteria); log.debug("Successfully verified raw signature using supplied candidate credential"); log.debug("Attempting to establish trust of supplied candidate credential"); if (evaluateTrust(candidateCredential, validationPair)) { log.debug("Successfully established trust of supplied candidate credential"); return true;
/** {@inheritDoc} */
protected Object createInstance() throws Exception {
    // Trusted names and PKIX validation information come from the metadata provider.
    MetadataPKIXValidationInformationResolver validationInfoResolver =
            new MetadataPKIXValidationInformationResolver(getMetadataProvider());

    // KeyInfo providers: DSA and RSA key values, plus inline X509Data.
    List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>();
    providers.add(new DSAKeyValueProvider());
    providers.add(new RSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    KeyInfoCredentialResolver credentialResolver = new BasicProviderKeyInfoCredentialResolver(providers);

    PKIXSignatureTrustEngine trustEngine = new PKIXSignatureTrustEngine(validationInfoResolver, credentialResolver);
    if (getPKIXValidationOptions() == null) {
        return trustEngine;
    }
    // The cast assumes the two-argument constructor installs a
    // CertPathPKIXTrustEvaluator (not visible here). If that assumption is
    // wrong the ClassCastException surfaces at bean creation, which is
    // preferable to silently dropping the configured validation options.
    CertPathPKIXTrustEvaluator evaluator = (CertPathPKIXTrustEvaluator) trustEngine.getPKIXTrustEvaluator();
    evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    return trustEngine;
}
}
/** {@inheritDoc} */
protected boolean evaluateTrust(Credential untrustedCredential,
        Pair<Set<String>, Iterable<PKIXValidationInformation>> validationPair) throws SecurityException {
    // Only X.509 credentials can be handed to the PKIX evaluator.
    if (!(untrustedCredential instanceof X509Credential)) {
        log.debug("Can not evaluate trust of non-X509Credential");
        return false;
    }
    X509Credential candidate = (X509Credential) untrustedCredential;
    Set<String> trustedNames = validationPair.getFirst();
    Iterable<PKIXValidationInformation> validationInfos = validationPair.getSecond();

    // The name check is a cheap fail-fast that runs before any certificate path work.
    if (!checkNames(trustedNames, candidate)) {
        log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation");
        return false;
    }

    // Trust is established by the first validation info set that validates the
    // candidate. A SecurityException raised while evaluating one set is logged
    // as an operational error and the remaining sets are still tried.
    for (PKIXValidationInformation info : validationInfos) {
        try {
            if (pkixTrustEvaluator.validate(info, candidate)) {
                log.debug("Signature trust established via PKIX validation of signing credential");
                return true;
            }
        } catch (SecurityException e) {
            log.debug("Error performing PKIX validation on untrusted credential", e);
        }
    }
    log.debug("Signature trust could not be established via PKIX validation of signing credential");
    return false;
}
/** {@inheritDoc} */
public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {
    checkParams(signature, trustBasisCriteria);
    // Resolve trusted names and PKIX validation information from the criteria,
    // then delegate the actual evaluation to the overload taking the resolved pair.
    Pair<Set<String>, Iterable<PKIXValidationInformation>> resolvedInfo =
            resolveValidationInfo(trustBasisCriteria);
    boolean trusted = validate(signature, resolvedInfo);
    if (!trusted) {
        log.debug("PKIX validation of signature failed, unable to resolve valid and trusted signing key");
    }
    return trusted;
}
checkParamsRaw(signature, content, algorithmURI, trustBasisCriteria); resolveValidationInfo(trustBasisCriteria); log.debug("Successfully verified raw signature using supplied candidate credential"); log.debug("Attempting to establish trust of supplied candidate credential"); if (evaluateTrust(candidateCredential, validationPair)) { log.debug("Successfully established trust of supplied candidate credential"); return true;
/** {@inheritDoc} */
protected Object createInstance() throws Exception {
    // A null trusted-name set is normalised to an empty set before it reaches
    // the static resolver.
    Set<String> trustedNames = getTrustedNames();
    if (trustedNames == null) {
        trustedNames = Collections.emptySet();
    }
    StaticPKIXValidationInformationResolver validationInfoResolver =
            new StaticPKIXValidationInformationResolver(getPKIXInfo(), trustedNames);

    // KeyInfo providers: DSA and RSA key values, plus inline X509Data.
    List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>();
    providers.add(new DSAKeyValueProvider());
    providers.add(new RSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    KeyInfoCredentialResolver credentialResolver = new BasicProviderKeyInfoCredentialResolver(providers);

    PKIXSignatureTrustEngine trustEngine = new PKIXSignatureTrustEngine(validationInfoResolver, credentialResolver);
    if (getPKIXValidationOptions() == null) {
        return trustEngine;
    }
    // The cast assumes the two-argument constructor installs a
    // CertPathPKIXTrustEvaluator (not visible here). A ClassCastException at
    // bean creation is preferable to silently ignoring the configured options.
    CertPathPKIXTrustEvaluator evaluator = (CertPathPKIXTrustEvaluator) trustEngine.getPKIXTrustEvaluator();
    evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    return trustEngine;
}
}
/** {@inheritDoc} */
protected boolean evaluateTrust(Credential untrustedCredential,
        Pair<Set<String>, Iterable<PKIXValidationInformation>> validationPair) throws SecurityException {
    // PKIX evaluation needs a certificate, so anything but an X509Credential is rejected.
    if (!(untrustedCredential instanceof X509Credential)) {
        log.debug("Can not evaluate trust of non-X509Credential");
        return false;
    }
    X509Credential candidate = (X509Credential) untrustedCredential;
    Set<String> trustedNames = validationPair.getFirst();
    Iterable<PKIXValidationInformation> validationInfos = validationPair.getSecond();

    // Trusted-name check first: it is cheap and short-circuits path validation.
    if (!checkNames(trustedNames, candidate)) {
        log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation");
        return false;
    }

    // The first validation info set that validates the candidate decides trust.
    // A SecurityException from one set is logged as operational and the next
    // set is still tried.
    for (PKIXValidationInformation info : validationInfos) {
        try {
            if (pkixTrustEvaluator.validate(info, candidate)) {
                log.debug("Signature trust established via PKIX validation of signing credential");
                return true;
            }
        } catch (SecurityException e) {
            log.debug("Error performing PKIX validation on untrusted credential", e);
        }
    }
    log.debug("Signature trust could not be established via PKIX validation of signing credential");
    return false;
}
/**
 * Selects and installs the local signature trust engine for the given context.
 * <p>
 * When the local extended metadata declares the {@code "pkix"} security profile
 * a PKIX trust engine is built from the configured PKIX resolver and trust
 * evaluator, together with a {@link BasicX509CredentialNameEvaluator}; in every
 * other case (the default) an explicit-key trust engine backed by the metadata
 * resolver is used.
 *
 * @param samlContext context whose local trust engine is set
 */
protected void populateTrustEngine(SAMLMessageContext samlContext) {
    String securityProfile = samlContext.getLocalExtendedMetadata().getSecurityProfile();
    // equalsIgnoreCase on the literal tolerates a null profile (treated as "not pkix").
    boolean usePkix = "pkix".equalsIgnoreCase(securityProfile);

    SignatureTrustEngine engine;
    if (usePkix) {
        engine = new PKIXSignatureTrustEngine(pkixResolver,
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(),
                pkixTrustEvaluator, new BasicX509CredentialNameEvaluator());
    } else {
        engine = new ExplicitKeySignatureTrustEngine(metadataResolver,
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver());
    }
    samlContext.setLocalTrustEngine(engine);
}
return new PKIXSignatureTrustEngine( getPKIXResolver(provider, trustedKeys, null), Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(),