
1   /*
2    * Licensed to the University Corporation for Advanced Internet Development, 
3    * Inc. (UCAID) under one or more contributor license agreements.  See the 
4    * NOTICE file distributed with this work for additional information regarding
5    * copyright ownership. The UCAID licenses this file to You under the Apache 
6    * License, Version 2.0 (the "License"); you may not use this file except in 
7    * compliance with the License.  You may obtain a copy of the License at
8    *
9    *    http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  
18  package edu.internet2.middleware.shibboleth.common.config.security;
19  
20  import java.util.ArrayList;
21  import java.util.List;
22  
23  import org.opensaml.saml2.metadata.provider.MetadataProvider;
24  import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
25  import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
26  import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
27  import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
28  import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
29  import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
30  import org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator;
31  import org.opensaml.xml.security.x509.PKIXValidationOptions;
32  import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;
33  import org.springframework.beans.factory.config.AbstractFactoryBean;
34  
35  import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;
36  
37  /**
38   * Spring factory bean used to create {@link PKIXSignatureTrustEngine}s based on a metadata provider.
39   */
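public class MetadataPKIXSignatureTrustEngineFactoryBean extends AbstractFactoryBean {

    /** Metadata provider used to look up PKIX information for peer entities. */
    private MetadataProvider metadataProvider;

    /** PKIX validation options; may be null, in which case the engine's evaluator is left at its defaults. */
    private PKIXValidationOptions pkixOptions;

    /**
     * Get the PKIX validation options.
     * 
     * @return the set of validation options, or null if none were configured
     */
    public PKIXValidationOptions getPKIXValidationOptions() {
        return pkixOptions;
    }

    /**
     * Set the PKIX validation options.
     * 
     * @param newOptions the new set of validation options
     */
    public void setPKIXValidationOptions(PKIXValidationOptions newOptions) {
        pkixOptions = newOptions;
    }

    /**
     * Gets the metadata provider used to look up PKIX information for peer entities.
     * 
     * @return metadata provider used to look up PKIX information for peer entities
     */
    public MetadataProvider getMetadataProvider() {
        return metadataProvider;
    }

    /**
     * Sets the metadata provider used to look up PKIX information for peer entities.
     * 
     * @param provider metadata provider used to look up PKIX information for peer entities
     */
    public void setMetadataProvider(MetadataProvider provider) {
        metadataProvider = provider;
    }

    /** {@inheritDoc} */
    @Override
    public Class<?> getObjectType() {
        return PKIXSignatureTrustEngine.class;
    }

    /**
     * {@inheritDoc}
     * 
     * <p>
     * Builds a {@link PKIXSignatureTrustEngine} whose PKIX validation information is resolved from the configured
     * metadata provider, and whose KeyInfo credentials are resolved from DSA/RSA KeyValue and inline X509Data
     * elements. If PKIX validation options were configured they are applied to the engine's trust evaluator.
     * </p>
     * 
     * @return the configured {@link PKIXSignatureTrustEngine}
     * @throws IllegalStateException if no metadata provider has been set, or if PKIX validation options were
     *             configured but the engine's trust evaluator is not a {@link CertPathPKIXTrustEvaluator} and so
     *             cannot accept them
     * @throws Exception if the engine or one of its resolvers cannot be constructed
     */
    @Override
    protected Object createInstance() throws Exception {
        MetadataProvider provider = getMetadataProvider();
        if (provider == null) {
            // Fail fast with a clear message instead of letting a missing provider surface deeper in the resolver.
            throw new IllegalStateException(
                    "A metadata provider is required to create a MetadataPKIXValidationInformationResolver");
        }
        MetadataPKIXValidationInformationResolver pviResolver =
                new MetadataPKIXValidationInformationResolver(provider);

        PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine(pviResolver, buildKeyInfoCredentialResolver());

        PKIXValidationOptions options = getPKIXValidationOptions();
        if (options != null) {
            Object evaluator = engine.getPKIXTrustEvaluator();
            if (!(evaluator instanceof CertPathPKIXTrustEvaluator)) {
                // Fail closed: silently dropping configured validation options would weaken certificate path
                // checking without any indication to the deployer.
                throw new IllegalStateException("Configured PKIX validation options cannot be applied; trust evaluator is "
                        + (evaluator == null ? "null" : evaluator.getClass().getName()));
            }
            ((CertPathPKIXTrustEvaluator) evaluator).setPKIXValidationOptions(options);
        }

        return engine;
    }

    /**
     * Builds the KeyInfo credential resolver used by the trust engine.
     * 
     * @return a resolver backed by DSA KeyValue, RSA KeyValue and inline X509Data providers, in that order
     */
    private KeyInfoCredentialResolver buildKeyInfoCredentialResolver() {
        List<KeyInfoProvider> keyInfoProviders = new ArrayList<KeyInfoProvider>();
        keyInfoProviders.add(new DSAKeyValueProvider());
        keyInfoProviders.add(new RSAKeyValueProvider());
        keyInfoProviders.add(new InlineX509DataProvider());
        return new BasicProviderKeyInfoCredentialResolver(keyInfoProviders);
    }
}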