1 /*
2 * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.]
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 package org.opensaml.xml.security.trust;
18
19 import java.security.cert.X509Certificate;
20
21 import org.opensaml.xml.security.credential.Credential;
22 import org.opensaml.xml.security.x509.X509Credential;
23 import org.slf4j.Logger;
24 import org.slf4j.LoggerFactory;
25
26 /**
27 * Auxiliary trust evaluator for evaluating an untrusted X509 certificate or credential against a trusted certificate or
28 * credential. Trust is established if the untrusted certificate supplied (or the certificate obtained from the
29 * untrusted credential's {@link X509Credential#getEntityCertificate()}) matches one of the trusted certificates
30 * supplied.
31 */
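public class ExplicitX509CertificateTrustEvaluator {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ExplicitX509CertificateTrustEvaluator.class);

    /**
     * Evaluate trust of an untrusted certificate against a single trusted certificate.
     *
     * <p>Matching relies on {@link X509Certificate#equals(Object)}, which compares the encoded form of the two
     * certificates: only a certificate identical to the trusted one is accepted. No chain building, name matching
     * or validity-period check is performed here; callers needing those must apply them separately.</p>
     *
     * @param untrustedCertificate the untrusted certificate to evaluate; {@code null} never validates
     * @param trustedCertificate basis for trust; {@code null} never validates
     * @return true if trust can be established, false otherwise
     */
    public boolean validate(X509Certificate untrustedCertificate, X509Certificate trustedCertificate) {
        // Fail closed: a missing certificate on either side is a non-match, not an error.
        if (untrustedCertificate == null || trustedCertificate == null) {
            return false;
        }
        return untrustedCertificate.equals(trustedCertificate);
    }

    /**
     * Evaluate trust of an untrusted certificate against a set of trusted certificates.
     *
     * <p>Trust is established as soon as one trusted certificate matches per
     * {@link #validate(X509Certificate, X509Certificate)}; {@code null} elements in the set are skipped.</p>
     *
     * @param untrustedCertificate the untrusted certificate to evaluate; {@code null} never validates
     * @param trustedCertificates basis for trust; {@code null} or empty never validates
     * @return true if trust can be established, false otherwise
     */
    public boolean validate(X509Certificate untrustedCertificate, Iterable<X509Certificate> trustedCertificates) {
        if (untrustedCertificate == null || trustedCertificates == null) {
            log.debug("Untrusted certificate or trusted certificate set was null, unable to evaluate");
            return false;
        }
        for (X509Certificate trustedCertificate : trustedCertificates) {
            if (validate(untrustedCertificate, trustedCertificate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Evaluate trust of an untrusted credential against a single trusted credential.
     *
     * <p>Only the entity certificate of each credential ({@link X509Credential#getEntityCertificate()}) is
     * compared; a credential without an entity certificate on either side cannot be evaluated and fails.</p>
     *
     * @param untrustedCredential the untrusted X509Credential to evaluate; {@code null} never validates
     * @param trustedCredential basis for trust; {@code null} never validates
     * @return true if trust can be established, false otherwise
     */
    public boolean validate(X509Credential untrustedCredential, X509Credential trustedCredential) {
        if (untrustedCredential == null || trustedCredential == null) {
            log.debug("Untrusted or trusted credential was null, unable to evaluate");
            return false;
        }

        X509Certificate untrustedCertificate = untrustedCredential.getEntityCertificate();
        X509Certificate trustedCertificate = trustedCredential.getEntityCertificate();
        if (untrustedCertificate == null) {
            log.debug("Untrusted credential contained no entity certificate, unable to evaluate");
            return false;
        } else if (trustedCertificate == null) {
            log.debug("Trusted credential contained no entity certificate, unable to evaluate");
            return false;
        }

        if (validate(untrustedCertificate, trustedCertificate)) {
            log.debug("Successfully validated untrusted credential against trusted certificate");
            return true;
        }

        log.debug("Failed to validate untrusted credential against trusted certificate");
        return false;
    }

    /**
     * Evaluate trust of an untrusted credential against a set of trusted credentials.
     *
     * <p>Trusted credentials that are not {@link X509Credential}s (including {@code null} elements) are skipped;
     * trust is established as soon as one remaining credential matches per
     * {@link #validate(X509Credential, X509Credential)}.</p>
     *
     * @param untrustedCredential the untrusted X509Credential to evaluate; {@code null} never validates
     * @param trustedCredentials basis for trust; {@code null} or empty never validates
     * @return true if trust can be established, false otherwise
     */
    public boolean validate(X509Credential untrustedCredential, Iterable<Credential> trustedCredentials) {
        if (untrustedCredential == null || trustedCredentials == null) {
            log.debug("Untrusted credential or trusted credential set was null, unable to evaluate");
            return false;
        }

        for (Credential trustedCredential : trustedCredentials) {
            // instanceof is false for null elements, so they are skipped along with non-X509 credentials.
            if (!(trustedCredential instanceof X509Credential)) {
                log.debug("Skipping evaluation against trusted, non-X509Credential");
                continue;
            }
            X509Credential trustedX509Credential = (X509Credential) trustedCredential;
            if (validate(untrustedCredential, trustedX509Credential)) {
                return true;
            }
        }

        return false;
    }

}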