edu.internet2.middleware.shibboleth.common.security
Class MetadataPKIXValidationInformationResolver

java.lang.Object
  extended by edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver
All Implemented Interfaces:
org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>, org.opensaml.xml.security.x509.PKIXValidationInformationResolver

public class MetadataPKIXValidationInformationResolver
extends Object
implements org.opensaml.xml.security.x509.PKIXValidationInformationResolver

An implementation of PKIXValidationInformationResolver which resolves PKIXValidationInformation based on information stored in SAML 2 metadata. Validation information is retrieved from Shibboleth-specific metadata extensions to EntityDescriptor and EntitiesDescriptor elements, represented by instances of ShibbolethMetadataKeyAuthority. Resolution of trusted names for an entity is also supported, based on KeyName information contained within the KeyInfo of a role descriptor's KeyDescriptor element.
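The following is an added example, not code from the Shibboleth or OpenSAML projects, showing how a caller wires this resolver to a metadata provider, inspects what it resolves, and uses it as the trust basis of a PKIX trust engine. It assumes OpenSAML 2.x and shibboleth-common on the classpath; the entity ID `https://idp.example.org/idp`, the metadata file and the peer certificate passed on the command line are hypothetical inputs, and the metadata shape in the comment is a constructed illustration of the elements this class reads.

```java
// Added example (not part of the Shibboleth or OpenSAML code base). Shows the
// two things MetadataPKIXValidationInformationResolver reads from metadata and
// how a trust engine consumes them. Assumes OpenSAML 2.x + shibboleth-common.
//
// Constructed metadata shape (supplied by the caller as args[0]):
//   <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
//       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
//       xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
//     <Extensions>
//       <!-- trust anchor(s) + chain depth -> PKIXValidationInformation -->
//       <shibmd:KeyAuthority VerifyDepth="2">
//         <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
//       </shibmd:KeyAuthority>
//     </Extensions>
//     <EntityDescriptor entityID="https://idp.example.org/idp">
//       <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
//         <!-- KeyName -> trusted name for this role's signing key -->
//         <KeyDescriptor use="signing">
//           <ds:KeyInfo><ds:KeyName>idp.example.org</ds:KeyName></ds:KeyInfo>
//         </KeyDescriptor>
//       </IDPSSODescriptor>
//     </EntityDescriptor>
//   </EntitiesDescriptor>
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.PKIXValidationInformation;
import org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine;

import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;

public class KeyAuthorityTrustExample {

    public static void main(String[] args) throws Exception {
        // args[0]: metadata file; args[1]: DER or PEM certificate presented by the peer
        DefaultBootstrap.bootstrap();

        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(new File(args[0]));
        provider.setParserPool(parserPool);
        provider.setRequireValidMetadata(true); // honour validUntil / cacheDuration
        // The resolver trusts whatever the provider hands it, so the metadata
        // signature must be verified at the provider (e.g. a
        // SignatureValidationFilter) before KeyAuthority anchors define trust.
        provider.initialize();

        MetadataPKIXValidationInformationResolver resolver =
                new MetadataPKIXValidationInformationResolver(provider);

        // Criteria: entity, role + protocol, key usage. Entity ID and role are the
        // ones the resolver needs; protocol may be null (see the method signatures).
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria("https://idp.example.org/idp"));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        // 1. What the KeyAuthority extension(s) contribute: anchors, CRLs, depth.
        for (PKIXValidationInformation info : resolver.resolve(criteria)) {
            System.out.println("anchors=" + info.getCertificates().size()
                    + " crls=" + info.getCRLs().size()
                    + " verifyDepth=" + info.getVerificationDepth());
        }

        // 2. Trusted names from KeyName in the role's signing KeyDescriptor.
        if (resolver.supportsTrustedNameResolution()) {
            Set<String> names = resolver.resolveTrustedNames(criteria);
            System.out.println("trusted names=" + names);
        }

        // 3. Evaluate a peer certificate against that trust basis: it must chain
        //    to a KeyAuthority anchor within VerifyDepth and, where KeyName values
        //    exist, match one of the trusted names.
        X509Certificate presented;
        try (InputStream in = new FileInputStream(args[1])) {
            presented = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        BasicX509Credential untrusted = new BasicX509Credential();
        untrusted.setEntityCertificate(presented);

        PKIXX509CredentialTrustEngine engine = new PKIXX509CredentialTrustEngine(resolver);
        boolean trusted = engine.validate(untrusted, criteria);
        System.out.println(trusted ? "certificate accepted" : "certificate rejected");
    }
}
```

Two points worth keeping in mind when using the resolver this way. The KeyAuthority anchors and the KeyName values are the whole trust basis of the engine, so the integrity of the metadata itself (its signature and validity window) is what actually roots trust; the resolver performs no such check. Results are cached per entity/role/protocol/usage, and the MetadataProviderObserver described below clears those caches when the provider's metadata changes, so a key rotation published in metadata takes effect without re-creating the resolver.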


Nested Class Summary
protected  class MetadataPKIXValidationInformationResolver.MetadataCacheKey
          A class which serves as the key into the cache of information previously resolved.
protected  class MetadataPKIXValidationInformationResolver.MetadataProviderObserver
          An observer that clears the credential cache if the underlying metadata changes.
 
Field Summary
static int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
          Default value for Shibboleth KeyAuthority verify depth.
 
Constructor Summary
MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider)
          Constructor.
 
Method Summary
protected  void cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
          Adds resolved PKIX validation information to the cache.
protected  void cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
          Adds resolved PKIX validation information to the cache.
protected  void cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names)
          Adds resolved trusted name information to the cache.
protected  void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Check that all necessary criteria are available.
protected  String getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions)
          Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes.
protected  ReadWriteLock getReadWriteLock()
          Get the lock instance used to synchronize access to the caches.
protected  List<org.opensaml.saml2.metadata.RoleDescriptor> getRoleDescriptors(String entityID, QName role, String protocol)
          Get the list of metadata role descriptors which match the given entityID, role and protocol.
protected  Set<String> getTrustedNames(org.opensaml.xml.signature.KeyInfo keyInfo)
          Extract trusted names from a KeyInfo element.
protected  List<X509Certificate> getX509Certificates(org.opensaml.xml.signature.KeyInfo keyInfo)
          Extract certificates from a KeyInfo element.
protected  List<X509CRL> getX509CRLs(org.opensaml.xml.signature.KeyInfo keyInfo)
          Extract CRLs from a KeyInfo element.
protected  boolean matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage, org.opensaml.xml.security.credential.UsageType criteriaUsage)
          Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria.
 Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolve(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Resolve all PKIX validation information in the metadata that satisfies the given criteria (see checkCriteriaRequirements for the criteria that must be present).
protected  List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions)
          Retrieves validation information from the metadata extension element.
protected  List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor)
          Retrieves validation information from the provided role descriptor.
protected  org.opensaml.xml.security.x509.PKIXValidationInformation resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority)
          Retrieves validation information from the Shibboleth KeyAuthority metadata extension element.
 org.opensaml.xml.security.x509.PKIXValidationInformation resolveSingle(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Resolve a single instance of PKIX validation information that satisfies the given criteria.
 Set<String> resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Resolve the trusted names for the entity described by the criteria, taken from KeyName elements in the KeyInfo of the matching role descriptor's KeyDescriptor elements.
protected  List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions)
          Retrieves pre-resolved PKIX validation information from the cache.
protected  List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
          Retrieves pre-resolved PKIX validation information from the cache.
protected  List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage)
          Retrieves validation information from the provided metadata.
protected  Set<String> retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
          Retrieves pre-resolved trusted names from the cache.
protected  Set<String> retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage)
          Retrieves trusted name information from the provided metadata.
 boolean supportsTrustedNameResolution()
          Indicates whether this resolver supports trusted name resolution; this implementation does (see the class description).
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT

public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
Default value for Shibboleth KeyAuthority verify depth.

See Also:
Constant Field Values
Constructor Detail

MetadataPKIXValidationInformationResolver

public MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider)
Constructor.

Parameters:
metadataProvider - provider of the metadata
Throws:
IllegalArgumentException - thrown if the supplied provider is null
Method Detail

resolveSingle

public org.opensaml.xml.security.x509.PKIXValidationInformation resolveSingle(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                                                       throws org.opensaml.xml.security.SecurityException
Resolve a single instance of PKIX validation information that satisfies the given criteria.

Specified by:
resolveSingle in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:
org.opensaml.xml.security.SecurityException

resolve

public Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolve(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                                                           throws org.opensaml.xml.security.SecurityException
Resolve all PKIX validation information in the metadata that satisfies the given criteria. The criteria set must contain the criteria required by checkCriteriaRequirements.

Specified by:
resolve in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:
org.opensaml.xml.security.SecurityException

resolveTrustedNames

public Set<String> resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                throws org.opensaml.xml.security.SecurityException,
                                       UnsupportedOperationException
Resolve the trusted names for the entity described by the criteria, taken from KeyName elements in the KeyInfo of the matching role descriptor's KeyDescriptor elements.

Specified by:
resolveTrustedNames in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver
Throws:
org.opensaml.xml.security.SecurityException
UnsupportedOperationException

supportsTrustedNameResolution

public boolean supportsTrustedNameResolution()
Indicates whether this resolver supports trusted name resolution. This implementation does, based on KeyName information in metadata (see the class description).

Specified by:
supportsTrustedNameResolution in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver

getReadWriteLock

protected ReadWriteLock getReadWriteLock()
Get the lock instance used to synchronize access to the caches.

Returns:
a read-write lock instance

checkCriteriaRequirements

protected void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
Check that all necessary criteria are available.

Parameters:
criteriaSet - the criteria set to evaluate

retrievePKIXInfoFromMetadata

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromMetadata(String entityID,
                                                                                                      QName role,
                                                                                                      String protocol,
                                                                                                      org.opensaml.xml.security.credential.UsageType usage)
                                                                                               throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the provided metadata.

Parameters:
entityID - entity ID for which to resolve validation information
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
usage - usage specifier for role descriptor key descriptors to evaluate
Returns:
collection of resolved validation information, possibly empty
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolvePKIXInfo

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor)
                                                                                  throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the provided role descriptor.

Parameters:
roleDescriptor - the role descriptor from which to resolve information.
Returns:
collection of resolved validation information, possibly empty
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolvePKIXInfo

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions)
                                                                                  throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the metadata extension element.

Parameters:
extensions - the extension element from which to resolve information
Returns:
collection of resolved validation information, possibly empty
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolvePKIXInfo

protected org.opensaml.xml.security.x509.PKIXValidationInformation resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority)
                                                                            throws org.opensaml.xml.security.SecurityException
Retrieves validation information from the Shibboleth KeyAuthority metadata extension element.

Parameters:
keyAuthority - the Shibboleth KeyAuthority element from which to resolve information
Returns:
an instance of resolved validation information
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

getX509Certificates

protected List<X509Certificate> getX509Certificates(org.opensaml.xml.signature.KeyInfo keyInfo)
                                             throws org.opensaml.xml.security.SecurityException
Extract certificates from a KeyInfo element.

Parameters:
keyInfo - the KeyInfo instance from which to extract certificates
Returns:
a collection of X509 certificates, possibly empty
Throws:
org.opensaml.xml.security.SecurityException - thrown if the certificate information is represented in an unsupported format

getX509CRLs

protected List<X509CRL> getX509CRLs(org.opensaml.xml.signature.KeyInfo keyInfo)
                             throws org.opensaml.xml.security.SecurityException
Extract CRLs from a KeyInfo element.

Parameters:
keyInfo - the KeyInfo instance from which to extract CRLs
Returns:
a collection of X509 CRLs, possibly empty
Throws:
org.opensaml.xml.security.SecurityException - thrown if the CRL information is represented in an unsupported format

retrieveTrustedNamesFromMetadata

protected Set<String> retrieveTrustedNamesFromMetadata(String entityID,
                                                       QName role,
                                                       String protocol,
                                                       org.opensaml.xml.security.credential.UsageType usage)
                                                throws org.opensaml.xml.security.SecurityException
Retrieves trusted name information from the provided metadata.

Parameters:
entityID - entity ID for which to resolve trusted names
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
usage - usage specifier for role descriptor key descriptors to evaluate
Returns:
collection of resolved trusted name information, possibly empty
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is an error extracting trusted name information

getTrustedNames

protected Set<String> getTrustedNames(org.opensaml.xml.signature.KeyInfo keyInfo)
Extract trusted names from a KeyInfo element.

Parameters:
keyInfo - the KeyInfo instance from which to extract trusted names
Returns:
set of trusted names, possibly empty

matchUsage

protected boolean matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage,
                             org.opensaml.xml.security.credential.UsageType criteriaUsage)
Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria.

Parameters:
metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element
criteriaUsage - the value from specified criteria
Returns:
true if the two usage specifiers match for purposes of resolving validation information, false otherwise

getRoleDescriptors

protected List<org.opensaml.saml2.metadata.RoleDescriptor> getRoleDescriptors(String entityID,
                                                                              QName role,
                                                                              String protocol)
                                                                       throws org.opensaml.xml.security.SecurityException
Get the list of metadata role descriptors which match the given entityID, role and protocol.

Parameters:
entityID - entity ID of the metadata entity descriptor to resolve
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
Returns:
a list of role descriptors matching the given parameters, or null
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is an error retrieving role descriptors from the metadata provider

retrievePKIXInfoFromCache

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
Retrieves pre-resolved PKIX validation information from the cache.

Parameters:
cacheKey - the key to the metadata cache
Returns:
the collection of cached info or null

retrieveExtensionsInfoFromCache

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions)
Retrieves pre-resolved PKIX validation information from the cache.

Parameters:
extensions - the Extensions element used as the key to the metadata cache
Returns:
the collection of cached info or null

retrieveTrustedNamesFromCache

protected Set<String> retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
Retrieves pre-resolved trusted names from the cache.

Parameters:
cacheKey - the key to the metadata cache
Returns:
the set of cached info or null

cachePKIXInfo

protected void cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey,
                             List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
Adds resolved PKIX validation information to the cache.

Parameters:
cacheKey - the key for caching the information
pkixInfo - collection of PKIX information to cache

cacheExtensionsInfo

protected void cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions,
                                   List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
Adds resolved PKIX validation information to the cache.

Parameters:
extensions - the Extensions element used as the key for caching the information
pkixInfo - collection of PKIX information to cache

cacheTrustedNames

protected void cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey,
                                 Set<String> names)
Adds resolved trusted name information to the cache.

Parameters:
cacheKey - the key for caching the information
names - collection of names to cache

getExtensionsParentName

protected String getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions)
Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. If the parent is an EntityDescriptor, return the entityID value. If an EntitiesDescriptor, return the name value.

Parameters:
extensions - the Extensions element
Returns:
the Extensions element's parent's name


Copyright © 2006-2011 Internet2. All Rights Reserved.