org.opensaml.xmlsec.keyinfo.impl

Class BasicProviderKeyInfoCredentialResolver

java.lang.Object

org.opensaml.security.credential.impl.AbstractCredentialResolver

org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver

org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver

All Implemented Interfaces:

Resolver<Credential,CriteriaSet>, CredentialResolver, KeyInfoCredentialResolver

Direct Known Subclasses:

LocalKeyInfoCredentialResolver

public class BasicProviderKeyInfoCredentialResolver
extends AbstractCriteriaFilteringCredentialResolver
implements KeyInfoCredentialResolver

Implementation of KeyInfoCredentialResolver which resolves credentials based on a KeyInfo element using a configured list of KeyInfoProviders and optional post-processing hooks.

The majority of the processing of the KeyInfo and extraction of Credentials from the KeyInfo is handled by instances of KeyInfoProvider. An ordered list of KeyInfoProviders must be supplied to the resolver when it is constructed.

This resolver requires a KeyInfoCriterion to be supplied as the resolution criteria. It is permissible, however, for the criteria's KeyInfo data object to be null. This allows for more convenient processing logic, for example, in cases when a parent element allows an optional KeyInfo and when in fact a given instance does not contain one. Specialized subclasses of this resolver may still attempt to return credentials in an implementation or context-specific manner, as described below.

Processing of the supplied KeyInfo element proceeds as follows:

1. A KeyInfoResolutionContext is instantiated. This resolution context is used to hold state shared amongst all the providers and processing hooks which run within the resolver.
2. This resolution context is initialized and populated with the actual KeyInfo object being processed as well as the values of any KeyName child elements present.
3. An attempt is then made to resolve a credential from any KeyValue child elements as described for resolveKeyValue(KeyInfoResolutionContext, CriteriaSet, List) If a credential is so resolved, its key will also be placed in the resolution context
4. The remaining (non-KeyValue) children are then processed in document order. Each child element is processed by the registered providers in provider list order. The credential or credentials resolved by the first provider to successfully do so are added to the effective set of credentials returned by the resolver, and processing of that child element terminates. Processing continues with the next child element.
5. At this point all KeyInfo children have been processed. If the effective set of credentials to return is empty, and if a key was resolved from a KeyValue element and is available in the resolution context, a basic credential is built with that key and is added to the effective set. Since the KeyInfo may have a plain KeyValue representation of the key represented by the KeyInfo, in addition to a more specific key type/container (and hence credential) representation, this technique avoids the unnecessary return of duplicate keys, returning only the more specific credential representation of the key.
6. A post-processing hook is then called: postProcess(KeyInfoResolutionContext, CriteriaSet, List). The default implementation is a no-op. This is an extension point by which subclasses may implement custom post-processing of the effective credential set to be returned. One example use case is when the KeyInfo being processed represents the public aspects (e.g. public key, or a key name or other identifier) of an encryption key belonging to the resolving entity. The resolved public keys and other resolution context information may be used to further resolve the credential or credentials containing the associated decryption key (i.e. a private or symmetric key). For an example of such an implementation, see LocalKeyInfoCredentialResolver
7. Finally, if no credentials have been otherwise resolved, a final post-processing hook is called: postProcessEmptyCredentials(KeyInfoResolutionContext, CriteriaSet, List). The default implementation is a no-op. This is an extension point by which subclasses may implement custom logic to resolve credentials in an implementation or context-specific manner, if no other mechanism has succeeded. Example usages might be to return a default set of credentials, or to use non-KeyInfo-derived criteria or contextual information to determine the credential or credentials to return.

Constructor Summary

Constructors

Constructor and Description
BasicProviderKeyInfoCredentialResolver(List<KeyInfoProvider> keyInfoProviders) Constructor.

Method Summary

Modifier and Type	Method and Description
protected Credential	buildBasicCredential(Key key, Set<String> keyNames) Construct a basic credential containing the specified key and set of key names.
protected Key	extractKeyValue(Credential cred) Utility method to extract any key that might be present in the specified Credential.
protected List<KeyInfoProvider>	getProviders() Return the list of the KeyInfoProvider instances used in this resolver configuration.
protected void	initResolutionContext(KeyInfoResolutionContext kiContext, KeyInfo keyInfo, CriteriaSet criteriaSet) Initialize the resolution context that will be used by the providers.
protected void	postProcess(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, List<Credential> credentials) Hook for subclasses to do post-processing of the credential set after all KeyInfo children have been processed.
protected void	postProcessEmptyCredentials(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, List<Credential> credentials) Hook for processing the case where no credentials were returned by any resolution method by any provider, nor by the processing of the postProcess(KeyInfoResolutionContext, CriteriaSet, List) hook.
protected Collection<Credential>	processKeyInfoChild(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, XMLObject keyInfoChild) Process the given KeyInfo child with the registered providers.
protected void	processKeyInfoChildren(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, List<Credential> credentials) Use registered providers to process the non-KeyValue/DEREncodedKeyValue children of KeyInfo.
protected Iterable<Credential>	resolveFromSource(CriteriaSet criteriaSet) Subclasses are required to implement this method to resolve credentials from the implementation-specific type of underlying credential source.
protected void	resolveKeyValue(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet, List<? extends XMLObject> keyValues) Resolve the key from any KeyValue DEREncodedKeyValue element that may be present, and store the resulting key in the resolution context.

Methods inherited from class org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver

isSatisfyAllPredicates, resolve, setSatisfyAllPredicates

Methods inherited from class org.opensaml.security.credential.impl.AbstractCredentialResolver

resolveSingle

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.resolver.Resolver

resolve, resolveSingle

Constructor Detail

BasicProviderKeyInfoCredentialResolver

public BasicProviderKeyInfoCredentialResolver(@Nonnull
                                              List<KeyInfoProvider> keyInfoProviders)

Constructor.

Parameters:

keyInfoProviders - the list of KeyInfoProvider's to use in this resolver

Method Detail

getProviders

@Nonnull
protected List<KeyInfoProvider> getProviders()

Return the list of the KeyInfoProvider instances used in this resolver configuration.

Returns:

the list of providers configured for this resolver instance

resolveFromSource

@Nonnull
protected Iterable<Credential> resolveFromSource(@Nullable
                                                          CriteriaSet criteriaSet)
                                                   throws ResolverException

Subclasses are required to implement this method to resolve credentials from the implementation-specific type of underlying credential source.

Specified by:

resolveFromSource in class AbstractCriteriaFilteringCredentialResolver

Parameters:

criteriaSet - the set of criteria used to resolve credentials from the credential source

Returns:

an Iterable for the resolved set of credentials

Throws:

ResolverException - thrown if there is an error resolving credentials from the credential source

postProcess

protected void postProcess(@Nonnull
                           KeyInfoResolutionContext kiContext,
                           @Nullable
                           CriteriaSet criteriaSet,
                           @Nonnull
                           List<Credential> credentials)
                    throws ResolverException

Hook for subclasses to do post-processing of the credential set after all KeyInfo children have been processed. For example, the previously resolved credentials might be used to index into a store of local credentials, where the index is a key name or the public half of a key pair extracted from the KeyInfo.

Parameters:

kiContext - KeyInfo resolution context

criteriaSet - the credential criteria used to resolve credentials

credentials - the list which will store the resolved credentials

Throws:

ResolverException - thrown if there is an error during processing

postProcessEmptyCredentials

protected void postProcessEmptyCredentials(@Nonnull
                                           KeyInfoResolutionContext kiContext,
                                           @Nullable
                                           CriteriaSet criteriaSet,
                                           @Nonnull
                                           List<Credential> credentials)
                                    throws ResolverException

Hook for processing the case where no credentials were returned by any resolution method by any provider, nor by the processing of the postProcess(KeyInfoResolutionContext, CriteriaSet, List) hook.

Parameters:

kiContext - KeyInfo resolution context

criteriaSet - the credential criteria used to resolve credentials

credentials - the list which will store the resolved credentials

Throws:

ResolverException - thrown if there is an error during processing

processKeyInfoChildren

protected void processKeyInfoChildren(@Nonnull
                                      KeyInfoResolutionContext kiContext,
                                      @Nullable
                                      CriteriaSet criteriaSet,
                                      @Nonnull
                                      List<Credential> credentials)
                               throws ResolverException

Use registered providers to process the non-KeyValue/DEREncodedKeyValue children of KeyInfo. Each child element is processed in document order. Each child element is processed by each provider in the ordered list of providers. The credential or credentials resolved by the first provider to successfully do so are added to the effective set resolved by the KeyInfo resolver.

Parameters:

kiContext - KeyInfo resolution context

criteriaSet - the credential criteria used to resolve credentials

credentials - the list which will store the resolved credentials

Throws:

ResolverException - thrown if there is a provider error processing the KeyInfo children

processKeyInfoChild

@Nullable
protected Collection<Credential> processKeyInfoChild(@Nonnull
                                                               KeyInfoResolutionContext kiContext,
                                                               @Nullable
                                                               CriteriaSet criteriaSet,
                                                               @Nonnull
                                                               XMLObject keyInfoChild)
                                                        throws ResolverException

Process the given KeyInfo child with the registered providers. The child element is processed by each provider in the ordered list of providers. The credential or credentials resolved by the first provider to successfully do so are returned and processing of the child element is terminated.

Parameters:

kiContext - KeyInfo resolution context

criteriaSet - the credential criteria used to resolve credentials

keyInfoChild - the KeyInfo to evaluate

Returns:

the collection of resolved credentials, or null

Throws:

ResolverException - thrown if there is a provider error processing the KeyInfo child

initResolutionContext

protected void initResolutionContext(@Nonnull
                                     KeyInfoResolutionContext kiContext,
                                     @Nonnull
                                     KeyInfo keyInfo,
                                     @Nullable
                                     CriteriaSet criteriaSet)
                              throws ResolverException

Initialize the resolution context that will be used by the providers. The supplied KeyInfo object is stored in the context, as well as the values of any KeyName children present. Finally if a credential is resolveble by any registered provider from a plain KeyValue child, the key from that credential is also stored in the context.

Parameters:

kiContext - KeyInfo resolution context

keyInfo - the KeyInfo to evaluate

criteriaSet - the credential criteria used to resolve credentials

Throws:

ResolverException - thrown if there is an error processing the KeyValue children

resolveKeyValue

protected void resolveKeyValue(@Nonnull
                               KeyInfoResolutionContext kiContext,
                               @Nullable
                               CriteriaSet criteriaSet,
                               @Nonnull
                               List<? extends XMLObject> keyValues)
                        throws ResolverException

Resolve the key from any KeyValue DEREncodedKeyValue element that may be present, and store the resulting key in the resolution context. Each element is processed in turn in document order. Each element will be processed by each provider in the ordered list of registered providers. The key from the first credential successfully resolved from a KeyValue will be stored in the resolution context. Note: This resolver implementation assumes that KeyInfo will not be abused via-a-vis the Signature specification, and that therefore all elements (if there is even more than one) will all resolve to the same key value. The KeyInfo might, for example have multiple KeyValue children, containing different representations of the same key. Therefore, only the first credential derived will be be utilized.

Parameters:

kiContext - KeyInfo resolution context

criteriaSet - the credential criteria used to resolve credentials

keyValues - the KeyValue or DEREncodedKeyValue children to evaluate

Throws:

ResolverException - thrown if there is an error resolving the key from the KeyValue

buildBasicCredential

@Nullable
protected Credential buildBasicCredential(@Nullable
                                                    Key key,
                                                    @Nonnull
                                                    Set<String> keyNames)
                                             throws ResolverException

Construct a basic credential containing the specified key and set of key names.

Parameters:

key - the key to include in the credential

keyNames - the key names to include in the credential

Returns:

a basic credential with the specified key and key names

Throws:

ResolverException - if there is an error building the credential

extractKeyValue

@Nullable
protected Key extractKeyValue(@Nullable
                                        Credential cred)

Utility method to extract any key that might be present in the specified Credential.

Parameters:

cred - the Credential to evaluate

Returns:

the Key contained in the credential, or null if it does not contain a key.