edu.internet2.middleware.shibboleth.common.security

クラス MetadataPKIXValidationInformationResolver

java.lang.Object

edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver

すべての実装されたインタフェース:

Resolver<PKIXValidationInformation,CriteriaSet>, PKIXValidationInformationResolver

public class MetadataPKIXValidationInformationResolver
extends Object
implements PKIXValidationInformationResolver

An implementation of PKIXValidationInformationResolver which resolves PKIXValidationInformation based on information stored in SAML 2 metadata. Validation information is retrieved from Shibboleth-specific metadata extensions to EntityDescriptor and EntitiesDescriptor elements, represented by instances of ShibbolethMetadataKeyAuthority. Resolution of trusted names for an entity is also supported, based on KeyName information contained within the KeyInfo of a role descriptor's KeyDescriptor element.

ネストされたクラスの概要

ネストされたクラス

修飾子とタイプ	クラスと説明
protected class	MetadataPKIXValidationInformationResolver.MetadataCacheKey A class which serves as the key into the cache of information previously resolved.
protected class	MetadataPKIXValidationInformationResolver.MetadataProviderObserver An observer that clears the credential cache if the underlying metadata changes.

フィールドの概要

フィールド

修飾子とタイプ	フィールドと説明
static int	KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT Default value for Shibboleth KeyAuthority verify depth.

コンストラクタの概要

コンストラクタ

コンストラクタと説明
MetadataPKIXValidationInformationResolver(MetadataProvider metadataProvider) Constructor.

メソッドの概要

メソッド

修飾子とタイプ	メソッドと説明
protected void	cacheExtensionsInfo(Extensions extensions, List<PKIXValidationInformation> pkixInfo) Adds resolved PKIX validation information to the cache.
protected void	cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<PKIXValidationInformation> pkixInfo) Adds resolved PKIX validation information to the cache.
protected void	cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names) Adds resolved trusted name information to the cache.
protected void	checkCriteriaRequirements(CriteriaSet criteriaSet) Check that all necessary criteria are available.
protected String	getExtensionsParentName(Extensions extensions) Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes.
protected ReadWriteLock	getReadWriteLock() Get the lock instance used to synchronize access to the caches.
protected List<RoleDescriptor>	getRoleDescriptors(String entityID, QName role, String protocol) Get the list of metadata role descriptors which match the given entityID, role and protocol.
protected Set<String>	getTrustedNames(KeyInfo keyInfo) Extract trusted names from a KeyInfo element.
protected List<X509Certificate>	getX509Certificates(KeyInfo keyInfo) Extract certificates from a KeyInfo element.
protected List<X509CRL>	getX509CRLs(KeyInfo keyInfo) Extract CRL's from a KeyInfo element.
protected boolean	matchUsage(UsageType metadataUsage, UsageType criteriaUsage) Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria.
Iterable<PKIXValidationInformation>	resolve(CriteriaSet criteriaSet) Process the specified criteria and return the resulting instances the the product type which satisfy the criteria.
protected List<PKIXValidationInformation>	resolvePKIXInfo(Extensions extensions) Retrieves validation information from the metadata extension element.
protected List<PKIXValidationInformation>	resolvePKIXInfo(RoleDescriptor roleDescriptor) Retrieves validation information from the provided role descriptor.
protected PKIXValidationInformation	resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority) Retrieves validation information from the Shibboleth KeyAuthority metadata extension element.
PKIXValidationInformation	resolveSingle(CriteriaSet criteriaSet) Process the specified criteria and return a single instance of the product type which satisfies the criteria.
Set<String>	resolveTrustedNames(CriteriaSet criteriaSet) Resolve a set of trusted names associated with the entity indicated by the criteria.
protected List<PKIXValidationInformation>	retrieveExtensionsInfoFromCache(Extensions extensions) Retrieves pre-resolved PKIX validation information from the cache.
protected List<PKIXValidationInformation>	retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey) Retrieves pre-resolved PKIX validation information from the cache.
protected List<PKIXValidationInformation>	retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, UsageType usage) Retrieves validation information from the provided metadata.
protected Set<String>	retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey) Retrieves pre-resolved trusted names from the cache.
protected Set<String>	retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, UsageType usage) Retrieves trusted name information from the provided metadata.
boolean	supportsTrustedNameResolution() Check whether resolution of trusted names is supported.

クラスから継承されたメソッド java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

フィールドの詳細

KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT

public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT

Default value for Shibboleth KeyAuthority verify depth.

関連項目:

定数フィールド値

コンストラクタの詳細

MetadataPKIXValidationInformationResolver

public MetadataPKIXValidationInformationResolver(MetadataProvider metadataProvider)

Constructor.

パラメータ:

metadataProvider - provider of the metadata

例外:

IllegalArgumentException - thrown if the supplied provider is null

メソッドの詳細

resolveSingle

public PKIXValidationInformation resolveSingle(CriteriaSet criteriaSet)
                                        throws SecurityException

Process the specified criteria and return a single instance of the product type which satisfies the criteria. If multiple items satisfy the criteria, the choice of which single item to return is implementation-dependent.

定義:

resolveSingle インタフェース内 Resolver<PKIXValidationInformation,CriteriaSet>

パラメータ:

criteriaSet - the criteria to evaluate or process

戻り値:

instances which satisfy the criteria

例外:

SecurityException - thrown if there is an error processing the specified criteria

resolve

public Iterable<PKIXValidationInformation> resolve(CriteriaSet criteriaSet)
                                            throws SecurityException

Process the specified criteria and return the resulting instances the the product type which satisfy the criteria.

定義:

resolve インタフェース内 Resolver<PKIXValidationInformation,CriteriaSet>

パラメータ:

criteriaSet - the criteria to evaluate or process

戻り値:

instances which satisfy the criteria

例外:

SecurityException - thrown if there is an error processing the specified criteria

resolveTrustedNames

public Set<String> resolveTrustedNames(CriteriaSet criteriaSet)
                                throws SecurityException,
                                       UnsupportedOperationException

Resolve a set of trusted names associated with the entity indicated by the criteria. This method is optional to implement.

定義:

resolveTrustedNames インタフェース内 PKIXValidationInformationResolver

パラメータ:

criteriaSet - set of criteria used to determine or resolve the trusted names

戻り値:

the set of certificate names trusted for an entity

例外:

SecurityException - thrown if there is an error resolving the trusted names

UnsupportedOperationException - thrown if this optional method is not supported by the implementation

supportsTrustedNameResolution

public boolean supportsTrustedNameResolution()

Check whether resolution of trusted names is supported.

定義:

supportsTrustedNameResolution インタフェース内 PKIXValidationInformationResolver

戻り値:

true if the implementation supports resolution of trusted names, otherwise false

getReadWriteLock

protected ReadWriteLock getReadWriteLock()

Get the lock instance used to synchronize access to the caches.

戻り値:

a read-write lock instance

checkCriteriaRequirements

protected void checkCriteriaRequirements(CriteriaSet criteriaSet)

Check that all necessary criteria are available.

パラメータ:

criteriaSet - the criteria set to evaluate

retrievePKIXInfoFromMetadata

protected List<PKIXValidationInformation> retrievePKIXInfoFromMetadata(String entityID,
                                                           QName role,
                                                           String protocol,
                                                           UsageType usage)
                                                                throws SecurityException

Retrieves validation information from the provided metadata.

パラメータ:

entityID - entity ID for which to resolve validation information

role - role in which the entity is operating

protocol - protocol over which the entity is operating (may be null)

usage - usage specifier for role descriptor key descriptors to evaluate

戻り値:

collection of resolved validation information, possibly empty

例外:

SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolvePKIXInfo

protected List<PKIXValidationInformation> resolvePKIXInfo(RoleDescriptor roleDescriptor)
                                                   throws SecurityException

Retrieves validation information from the provided role descriptor.

パラメータ:

roleDescriptor - the role descriptor from which to resolve information.

戻り値:

collection of resolved validation information, possibly empty

例外:

SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolvePKIXInfo

protected List<PKIXValidationInformation> resolvePKIXInfo(Extensions extensions)
                                                   throws SecurityException

Retrieves validation information from the metadata extension element.

パラメータ:

extensions - the extension element from which to resolve information

戻り値:

collection of resolved validation information, possibly empty

例外:

SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolvePKIXInfo

protected PKIXValidationInformation resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority)
                                             throws SecurityException

Retrieves validation information from the Shibboleth KeyAuthority metadata extension element.

パラメータ:

keyAuthority - the Shibboleth KeyAuthority element from which to resolve information

戻り値:

an instance of resolved validation information

例外:

SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

getX509Certificates

protected List<X509Certificate> getX509Certificates(KeyInfo keyInfo)
                                             throws SecurityException

Extract certificates from a KeyInfo element.

パラメータ:

keyInfo - the KeyInfo instance from which to extract certificates

戻り値:

a collection of X509 certificates, possibly empty

例外:

SecurityException - thrown if the certificate information is represented in an unsupported format

getX509CRLs

protected List<X509CRL> getX509CRLs(KeyInfo keyInfo)
                             throws SecurityException

Extract CRL's from a KeyInfo element.

パラメータ:

keyInfo - the KeyInfo instance from which to extract CRL's

戻り値:

a collection of X509 CRL's, possibly empty

例外:

SecurityException - thrown if the CRL information is represented in an unsupported format

retrieveTrustedNamesFromMetadata

protected Set<String> retrieveTrustedNamesFromMetadata(String entityID,
                                           QName role,
                                           String protocol,
                                           UsageType usage)
                                                throws SecurityException

Retrieves trusted name information from the provided metadata.

パラメータ:

entityID - entity ID for which to resolve trusted names

role - role in which the entity is operating

protocol - protocol over which the entity is operating (may be null)

usage - usage specifier for role descriptor key descriptors to evaluate

戻り値:

collection of resolved trusted name information, possibly empty

例外:

SecurityException - thrown if there is an error extracting trusted name information

getTrustedNames

protected Set<String> getTrustedNames(KeyInfo keyInfo)

Extract trusted names from a KeyInfo element.

パラメータ:

keyInfo - the KeyInfo instance from which to extract trusted names

戻り値:

set of trusted names, possibly empty

matchUsage

protected boolean matchUsage(UsageType metadataUsage,
                 UsageType criteriaUsage)

Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria.

パラメータ:

metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element

criteriaUsage - the value from specified criteria

戻り値:

true if the two usage specifiers match for purposes of resolving validation information, false otherwise

getRoleDescriptors

protected List<RoleDescriptor> getRoleDescriptors(String entityID,
                                      QName role,
                                      String protocol)
                                           throws SecurityException

Get the list of metadata role descriptors which match the given entityID, role and protocol.

パラメータ:

entityID - entity ID of the metadata entity descriptor to resolve

role - role in which the entity is operating

protocol - protocol over which the entity is operating (may be null)

戻り値:

a list of role descriptors matching the given parameters, or null

例外:

SecurityException - thrown if there is an error retrieving role descriptors from the metadata provider

retrievePKIXInfoFromCache

protected List<PKIXValidationInformation> retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)

Retrieves pre-resolved PKIX validation information from the cache.

パラメータ:

cacheKey - the key to the metadata cache

戻り値:

the collection of cached info or null

retrieveExtensionsInfoFromCache

protected List<PKIXValidationInformation> retrieveExtensionsInfoFromCache(Extensions extensions)

Retrieves pre-resolved PKIX validation information from the cache.

パラメータ:

extensions - the key to the metadata cache

戻り値:

the collection of cached info or null

retrieveTrustedNamesFromCache

protected Set<String> retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)

Retrieves pre-resolved trusted names from the cache.

パラメータ:

cacheKey - the key to the metadata cache

戻り値:

the set of cached info or null

cachePKIXInfo

protected void cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey,
                 List<PKIXValidationInformation> pkixInfo)

Adds resolved PKIX validation information to the cache.

パラメータ:

cacheKey - the key for caching the information

pkixInfo - collection of PKIX information to cache

cacheExtensionsInfo

protected void cacheExtensionsInfo(Extensions extensions,
                       List<PKIXValidationInformation> pkixInfo)

Adds resolved PKIX validation information to the cache.

パラメータ:

extensions - the key for caching the information

pkixInfo - collection of PKIX information to cache

cacheTrustedNames

protected void cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey,
                     Set<String> names)

Adds resolved trusted name information to the cache.

パラメータ:

cacheKey - the key for caching the information

names - collection of names to cache

getExtensionsParentName

protected String getExtensionsParentName(Extensions extensions)

Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. If the parent is an EntityDescriptor, return the entityID value. If an EntitiesDescriptor, return the name value.

パラメータ:

extensions - the Extensions element

戻り値:

the Extensions element's parent's name