uk.gov.ida.saml.security.MetadataBackedSignatureValidator Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of saml-lib Show documentation
Library for saml-lib
There is a newer version: 3.4.6-277
package uk.gov.ida.saml.security;

import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

import javax.xml.namespace.QName;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

public class MetadataBackedSignatureValidator extends SignatureValidator {

    private final ExplicitKeySignatureTrustEngine explicitKeySignatureTrustEngine;
    private final Optional certificateChainEvaluableCriteria;

    public static MetadataBackedSignatureValidator withoutCertificateChainValidation(ExplicitKeySignatureTrustEngine explicitKeySignatureTrustEngine) {
        return new MetadataBackedSignatureValidator(explicitKeySignatureTrustEngine);
    }

    public static MetadataBackedSignatureValidator withCertificateChainValidation(ExplicitKeySignatureTrustEngine explicitKeySignatureTrustEngine, CertificateChainEvaluableCriterion certificateChainEvaluableCriterion) {
        return new MetadataBackedSignatureValidator(explicitKeySignatureTrustEngine, certificateChainEvaluableCriterion);
    }

    private MetadataBackedSignatureValidator(ExplicitKeySignatureTrustEngine explicitKeySignatureTrustEngine) {
        this.explicitKeySignatureTrustEngine = explicitKeySignatureTrustEngine;
        this.certificateChainEvaluableCriteria = Optional.empty();
    }

    private MetadataBackedSignatureValidator(ExplicitKeySignatureTrustEngine explicitKeySignatureTrustEngine, CertificateChainEvaluableCriterion certificateChainEvaluableCriterion) {
        this.explicitKeySignatureTrustEngine = explicitKeySignatureTrustEngine;
        this.certificateChainEvaluableCriteria = Optional.of(certificateChainEvaluableCriterion);
    }

    @Override
    protected List getAdditionalCriteria(String entityId, QName role) {
        List criteriaSet = new ArrayList<>();
        criteriaSet.add(new EntityIdCriterion(entityId));
        criteriaSet.add(new EntityRoleCriterion(role));
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        this.certificateChainEvaluableCriteria.map(criteriaSet::add);

        return criteriaSet;
    }

    @Override
    protected TrustEngine getTrustEngine(String entityId) {
        return explicitKeySignatureTrustEngine;
    }
}