org.opensaml.xml.security.x509.X509Credential Java Examples

/**
 * Sign the SAML AuthnRequest message
 *
 * @param logoutRequest
 * @param signatureAlgorithm
 * @param cred
 * @return
 * @throws SSOAgentException
 */
public static LogoutRequest setSignature(LogoutRequest logoutRequest, String signatureAlgorithm,
                                         X509Credential cred) throws SSOAgentException {
    try {
        Signature signature = setSignatureRaw(signatureAlgorithm,cred);

        logoutRequest.setSignature(signature);

        List<Signature> signatureList = new ArrayList<Signature>();
        signatureList.add(signature);

        // Marshall and Sign
        MarshallerFactory marshallerFactory =
                org.opensaml.xml.Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(logoutRequest);

        marshaller.marshall(logoutRequest);

        org.apache.xml.security.Init.init();
        Signer.signObjects(signatureList);
        return logoutRequest;

    } catch (Exception e) {
        throw new SSOAgentException("Error while signing the Logout Request message", e);
    }
}
 

/**
 * Build an X509Credential from a keystore private key entry.
 * 
 * @param privateKeyEntry the entry being processed
 * @param entityID the entityID to set
 * @param usage the usage type to set
 * @return new X509Credential instance
 */
protected X509Credential processPrivateKeyEntry(KeyStore.PrivateKeyEntry privateKeyEntry, String entityID,
        UsageType usage) {

    log.debug("Processing PrivateKeyEntry from keystore");

    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityId(entityID);
    credential.setUsageType(usage);

    credential.setPrivateKey(privateKeyEntry.getPrivateKey());

    credential.setEntityCertificate((X509Certificate) privateKeyEntry.getCertificate());
    credential.setEntityCertificateChain(Arrays.asList((X509Certificate[]) privateKeyEntry.getCertificateChain()));

    return credential;
}
 

public static void addDeflateSignatureToHTTPQueryString(StringBuilder httpQueryString,
                                                        X509Credential cred) throws SSOAgentException {
    doBootstrap();
    try {
        httpQueryString.append("&SigAlg="
                + URLEncoder.encode(XMLSignature.ALGO_ID_SIGNATURE_RSA, "UTF-8").trim());

        java.security.Signature signature = java.security.Signature.getInstance("SHA1withRSA");
        signature.initSign(cred.getPrivateKey());
        signature.update(httpQueryString.toString().getBytes(Charset.forName("UTF-8")));
        byte[] signatureByteArray = signature.sign();

        String signatureBase64encodedString = Base64.encodeBytes(signatureByteArray,
                Base64.DONT_BREAK_LINES);
        httpQueryString.append("&Signature="
                + URLEncoder.encode(signatureBase64encodedString, "UTF-8").trim());
    } catch (Exception e) {
        throw new SSOAgentException("Error applying SAML2 Redirect Binding signature", e);
    }
}
 

private static Signature setSignatureRaw(String signatureAlgorithm, X509Credential cred) throws SSOAgentException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        org.opensaml.xml.signature.X509Certificate cert =
                (org.opensaml.xml.signature.X509Certificate) buildXMLObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
        String value =
                org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
        return signature;

    } catch (CertificateEncodingException e) {
        throw new SSOAgentException("Error getting certificate", e);
    }
}
 

@Override
public boolean validateXMLSignature(RequestAbstractType request, X509Credential cred,
                                    String alias) throws IdentityException {

    boolean isSignatureValid = false;

    if (request.getSignature() != null) {
        try {
            SignatureValidator validator = new SignatureValidator(cred);
            validator.validate(request.getSignature());
            isSignatureValid = true;
        } catch (ValidationException e) {
            throw IdentityException.error("Signature Validation Failed for the SAML Assertion : Signature is " +
                                        "invalid.", e);
        }
    }
    return isSignatureValid;
}
 

@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Error while getting the encoded certificate", e);
        throw new IdentityProviderException("Error while getting the encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}
 

@Override
public void setSignature(String signatureAlgorithm, X509Credential cred) throws IdentityProviderException {
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
        String value = Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
    } catch (CertificateEncodingException e) {
        log.error("Failed to get encoded certificate", e);
        throw new IdentityProviderException("Error while getting encoded certificate");
    }

    assertion.setSignature(signature);
    signatureList.add(signature);
}
 

/**
 * Build an X509Credential from a keystore trusted certificate entry.
 * 
 * @param trustedCertEntry the entry being processed
 * @param entityID the entityID to set
 * @param usage the usage type to set
 * @return new X509Credential instance
 */
protected X509Credential processTrustedCertificateEntry(KeyStore.TrustedCertificateEntry trustedCertEntry,
        String entityID, UsageType usage) {

    log.debug("Processing TrustedCertificateEntry from keystore");

    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityId(entityID);
    credential.setUsageType(usage);

    X509Certificate cert = (X509Certificate) trustedCertEntry.getTrustedCertificate();

    credential.setEntityCertificate(cert);

    ArrayList<X509Certificate> certChain = new ArrayList<X509Certificate>();
    certChain.add(cert);
    credential.setEntityCertificateChain(certChain);

    return credential;
}
 

/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;

    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    Boolean result = certSelector.match(entityCert);
    return result;
}
 

/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy issuer name and serial number criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;

    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    if (!entityCert.getIssuerX500Principal().equals(issuer)) {
        return false;
    }
    Boolean result = entityCert.getSerialNumber().equals(serialNumber);
    return result;
}
 

/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject name criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;

    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    Boolean result = entityCert.getSubjectX500Principal().equals(subjectName);
    return result;
}
 

/**
 * Evaluate trust.
 * 
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredentials basis for trust
 * @return true if trust can be established, false otherwise
 */
public boolean validate(X509Credential untrustedCredential, Iterable<Credential> trustedCredentials) {

    for (Credential trustedCredential : trustedCredentials) {
        if (!(trustedCredential instanceof X509Credential)) {
            log.debug("Skipping evaluation against trusted, non-X509Credential");
            continue;
        }
        X509Credential trustedX509Credential = (X509Credential) trustedCredential;
        if (validate(untrustedCredential, trustedX509Credential)) {
            return true;
        }
    }

    return false;
}
 

/**
 * Evaluate trust.
 * 
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredential basis for trust
 * @return true if trust can be established, false otherwise
 */
public boolean validate(X509Credential untrustedCredential, X509Credential trustedCredential) {

    X509Certificate untrustedCertificate = untrustedCredential.getEntityCertificate();
    X509Certificate trustedCertificate = trustedCredential.getEntityCertificate();
    if (untrustedCertificate == null) {
        log.debug("Untrusted credential contained no entity certificate, unable to evaluate");
        return false;
    } else if (trustedCertificate == null) {
        log.debug("Trusted credential contained no entity certificate, unable to evaluate");
        return false;
    }

    if (validate(untrustedCertificate, trustedCertificate)) {
        log.debug("Successfully validated untrusted credential against trusted certificate");
        return true;
    }
    
    log.debug("Failed to validate untrusted credential against trusted certificate");
    return false;
}
 

/**
 * Evaluate the presenter entity ID as derived from the cert subject DN.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectDN(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter as cert subject DN");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    String candidatePresenter = getSubjectName(certificate);
    if (candidatePresenter != null) {
        if (evaluate(requestCredential, candidatePresenter, messageContext)) {
            log.info("Authentication succeeded for presenter entity ID derived from subject DN {}",
                    candidatePresenter);
            return candidatePresenter;
        }
    }
    return null;
}
 

/**
 * Check the parameters for required values.
 * 
 * @param untrustedCredential the signature to be evaluated
 * @param trustBasisCriteria the set of trusted credential criteria
 * @throws SecurityException thrown if required values are absent or otherwise invalid
 */
protected void checkParams(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
        throws SecurityException {

    if (untrustedCredential == null) {
        throw new SecurityException("Untrusted credential was null");
    }
    if (trustBasisCriteria == null) {
        throw new SecurityException("Trust basis criteria set was null");
    }
    if (trustBasisCriteria.isEmpty()) {
        throw new SecurityException("Trust basis criteria set was empty");
    }
}
 

/** {@inheritDoc} */
public void evaluate(MessageContext messageContext) throws SecurityPolicyException {

    Credential peerCredential = messageContext.getInboundMessageTransport().getPeerCredential();

    if (peerCredential == null) {
        log.info("Inbound message transport did not contain a peer credential, "
                + "skipping client certificate authentication");
        return;
    }
    if (!(peerCredential instanceof X509Credential)) {
        log.info("Inbound message transport did not contain an X509Credential, "
                + "skipping client certificate authentication");
        return;
    }

    X509Credential requestCredential = (X509Credential) peerCredential;
    if (log.isDebugEnabled()) {
        try {
            log.debug("Attempting to authenticate inbound connection that presented the certificate:");
            log.debug(Base64.encodeBytes(requestCredential.getEntityCertificate().getEncoded()));
        } catch (CertificateEncodingException e) {
            // do nothing
        }
    }
    doEvaluate(requestCredential, messageContext);
}
 

/**
 * Evaluate the request credential.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @throws SecurityPolicyException thrown if a certificate presenter entity ID available from the message context
 *             and the client certificate token can not be establishd as trusted on that basis, or if there is error
 *             during evaluation processing
 */
protected void doEvaluate(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    String presenterEntityID = getCertificatePresenterEntityID(messageContext);

    if (presenterEntityID != null) {
        log.debug("Attempting client certificate authentication using context presenter entity ID: {}",
                presenterEntityID);
        if (evaluate(requestCredential, presenterEntityID, messageContext)) {
            log.info("Authentication via client certificate succeeded for context presenter entity ID: {}",
                    presenterEntityID);
            messageContext.getInboundMessageTransport().setAuthenticated(true);
        } else {
            log.error("Authentication via client certificate failed for context presenter entity ID {}",
                    presenterEntityID);
            throw new SecurityPolicyException(
                    "Client certificate authentication failed for context presenter entity ID");
        }
        return;
    }

    String derivedPresenter = evaluateCertificateNameDerivedPresenters(requestCredential, messageContext);
    if (derivedPresenter != null) {
        log.info("Authentication via client certificate succeeded for certificate-derived presenter entity ID {}",
                derivedPresenter);
        setAuthenticatedCertificatePresenterEntityID(messageContext, derivedPresenter);
        messageContext.getInboundMessageTransport().setAuthenticated(true);
        return;
    }

    derivedPresenter = evaluateDerivedPresenters(requestCredential, messageContext);
    if (derivedPresenter != null) {
        log.info("Authentication via client certificate succeeded for derived presenter entity ID {}",
                derivedPresenter);
        setAuthenticatedCertificatePresenterEntityID(messageContext, derivedPresenter);
        messageContext.getInboundMessageTransport().setAuthenticated(true);
        return;
    }
}
 

/**
 * Sign the SAML AuthnRequest message
 *
 * @param authnRequest
 * @param signatureAlgorithm
 * @param cred
 * @return
 * @throws org.wso2.carbon.identity.sso.agent.SSOAgentException
 */
public static AuthnRequest setSignature(AuthnRequest authnRequest, String signatureAlgorithm,
                                    X509Credential cred) throws SSOAgentException {
    doBootstrap();
    try {
        Signature signature = setSignatureRaw(signatureAlgorithm,cred);


        authnRequest.setSignature(signature);

        List<Signature> signatureList = new ArrayList<Signature>();
        signatureList.add(signature);

        // Marshall and Sign
        MarshallerFactory marshallerFactory =
                org.opensaml.xml.Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(authnRequest);

        marshaller.marshall(authnRequest);

        org.apache.xml.security.Init.init();
        Signer.signObjects(signatureList);
        return authnRequest;

    } catch (Exception e) {
        throw new SSOAgentException("Error while signing the SAML Request message", e);
    }
}
 

@Override
public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias, String encryptionAlgorithm) throws IdentityException {
    try {

        Credential symmetricCredential = SecurityHelper.getSimpleCredential(
                SecurityHelper.generateSymmetricKey(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256));

        EncryptionParameters encParams = new EncryptionParameters();
        encParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256);
        encParams.setEncryptionCredential(symmetricCredential);

        KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
        keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15);
        keyEncryptionParameters.setEncryptionCredential(cred);

        Encrypter encrypter = new Encrypter(encParams, keyEncryptionParameters);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);

        EncryptedAssertion encrypted = encrypter.encrypt(assertion);
        return encrypted;
    } catch (Exception e) {
        throw IdentityException.error("Error while Encrypting Assertion", e);
    }
}
 

/**
 * Evaluate candidate presenter entity ID's which may be derived from the request credential's entity certificate
 * according to the options supplied via {@link CertificateNameOptions}.
 * 
 * <p>
 * Configured certificate name types are derived as candidate presenter entity ID's and processed in the following
 * order:
 * <ol>
 * <li>The certificate subject DN string as serialized by the X500DNHandler obtained via
 * {@link CertificateNameOptions#getX500DNHandler()} and using the output format indicated by
 * {@link CertificateNameOptions#getX500SubjectDNFormat()}.</li>
 * <li>Subject alternative names of the types configured via {@link CertificateNameOptions#getSubjectAltNames()}.
 * Note that this is a LinkedHashSet, so the order of evaluation is the order of insertion.</li>
 * <li>The first common name (CN) value appearing in the certificate subject DN.</li>
 * </ol>
 * </p>
 * 
 * <p>
 * The first one of the above which is successfully evaluated by the trust engine using criteria built from
 * {@link BaseTrustEngineRule#buildCriteriaSet(String, MessageContext)} will be returned.
 * </p>
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a certificate presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateCertificateNameDerivedPresenters(X509Credential requestCredential,
        MessageContext messageContext) throws SecurityPolicyException {

    String candidatePresenter = null;

    if (certNameOptions.evaluateSubjectDN()) {
        candidatePresenter = evaluateSubjectDN(requestCredential, messageContext);
        if (candidatePresenter != null) {
            return candidatePresenter;
        }
    }

    if (!certNameOptions.getSubjectAltNames().isEmpty()) {
        candidatePresenter = evaluateSubjectAltNames(requestCredential, messageContext);
        if (candidatePresenter != null) {
            return candidatePresenter;
        }
    }

    if (certNameOptions.evaluateSubjectCommonName()) {
        candidatePresenter = evaluateSubjectCommonName(requestCredential, messageContext);
        if (candidatePresenter != null) {
            return candidatePresenter;
        }
    }

    return null;
}
 

/**
 * Evaluate the credential against the set of trusted names.
 * 
 * <p>Evaluates to true if no intsance of {@link X509CredentialNameEvaluator} is configured.</p>
 * 
 * @param trustedNames set of trusted names
 * @param untrustedCredential the credential being evaluated
 * @return true if evaluation is successful, false otherwise
 * @throws SecurityException thrown if there is an error evaluation the credential
 */
protected boolean checkNames(Set<String> trustedNames, X509Credential untrustedCredential) 
        throws SecurityException {
    
    if (credNameEvaluator == null) {
        log.debug("No credential name evaluator was available, skipping trusted name evaluation");
       return true; 
    } else {
        return credNameEvaluator.evaluate(untrustedCredential, trustedNames);
    }

}
 

/** {@inheritDoc} */
public boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
        throws SecurityException {

    checkParams(untrustedCredential, trustBasisCriteria);

    log.debug("Attempting to validate untrusted credential");
    Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(trustBasisCriteria);

    return trustEvaluator.validate(untrustedCredential, trustedCredentials);
}
 

/**
 * Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated
 * in {@link CertificateNameOptions#getSubjectAltNames()}.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectAltNames(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter from subject alt names");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    for (Integer altNameType : certNameOptions.getSubjectAltNames()) {
        log.debug("Evaluating alt names of type: {}", altNameType.toString());
        List<String> altNames = getAltNames(certificate, altNameType);
        for (String altName : altNames) {
            if (evaluate(requestCredential, altName, messageContext)) {
                log.info("Authentication succeeded for presenter entity ID derived from subject alt name {}",
                        altName);
                return altName;
            }
        }
    }
    return null;
}
 

/** {@inheritDoc} */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (! (target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;
    
    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }
    
    byte[] credSKI = X509Util.getSubjectKeyIdentifier(entityCert);
    if (credSKI == null || credSKI.length == 0) {
        log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
        return null;
    }
    
    Boolean result = Arrays.equals(ski, credSKI);
    return result;
}
 

/**
 * Evaluate the presenter entity ID as derived from the cert subject common name (CN).
 * 
 * Only the first CN value from the subject DN is evaluated.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectCommonName(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter as cert CN");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    String candidatePresenter = getCommonName(certificate);
    if (candidatePresenter != null) {
        if (evaluate(requestCredential, candidatePresenter, messageContext)) {
            log.info("Authentication succeeded for presenter entity ID derived from CN {}", candidatePresenter);
            return candidatePresenter;
        }
    }
    return null;
}
 

/** {@inheritDoc} */
protected boolean evaluateTrust(Credential untrustedCredential,
        Pair<Set<String>, Iterable<PKIXValidationInformation>> validationPair) throws SecurityException {

    if (!(untrustedCredential instanceof X509Credential)) {
        log.debug("Can not evaluate trust of non-X509Credential");
        return false;
    }
    X509Credential untrustedX509Credential = (X509Credential) untrustedCredential;

    Set<String> trustedNames = validationPair.getFirst();
    Iterable<PKIXValidationInformation> validationInfoSet = validationPair.getSecond();
    
    if (!checkNames(trustedNames, untrustedX509Credential)) {
        log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation");
        return false;
    }

    for (PKIXValidationInformation validationInfo : validationInfoSet) {
        try {
            if (pkixTrustEvaluator.validate(validationInfo, untrustedX509Credential)) {
                log.debug("Signature trust established via PKIX validation of signing credential");
                return true;
            }
        } catch (SecurityException e) {
            // log the operational error, but allow other validation info sets to be tried
            log.debug("Error performing PKIX validation on untrusted credential", e);
        }
    }

    log.debug("Signature trust could not be established via PKIX validation of signing credential");
    return false;
}
 

/**
 * Evaluate any candidate presenter entity ID's which may be derived from the credential or other message context
 * information.
 * 
 * <p>
 * This serves primarily as an extension point for subclasses to implement application-specific logic.
 * </p>
 * 
 * <p>
 * If multiple derived candidate entity ID's would satisfy the trust engine criteria, the choice of which one to
 * return as the canonical presenter entity ID value is implementation-specific.
 * </p>
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateDerivedPresenters(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    return null;
}
 

/**
 * Evaluate any candidate presenter entity ID's which may be derived from the credential or other message context
 * information.
 * 
 * <p>
 * This serves primarily as an extension point for subclasses to implement application-specific logic.
 * </p>
 * 
 * <p>
 * If multiple derived candidate entity ID's would satisfy the trust engine criteria, the choice of which one to
 * return as the canonical presenter entity ID value is implementation-specific.
 * </p>
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 * @deprecated Use {@link #evaluateDerivedPresenters(X509Credential,MessageContext)} instead
 */
protected String evaluateDerivedIssuers(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {
    return evaluateDerivedPresenters(requestCredential, messageContext);
}
 

/**
 * Encrypt the SAML assertion
 *
 * @param assertion           SAML assertion to be encrypted
 * @param cred                Encrypting credential
 * @param alias               Certificate alias against which use to Encrypt the assertion.
 * @param encryptionAlgorithm Encryption algorithm
 * @return SAML EncryptedAssertion
 * @throws IdentityException
 */
public EncryptedAssertion doEncryptedAssertion(Assertion assertion, X509Credential cred, String alias,
                                               String encryptionAlgorithm) throws IdentityException;
 

/**
 * Set the signature to XML object
 *
 * @param request
 * @param signatureAlgorithm
 * @param digestAlgorithm
 * @param cred
 * @return
 * @throws IdentityException
 */
public SignableXMLObject setSignature(SignableXMLObject signableXMLObject, String signatureAlgorithm, String
        digestAlgorithm, X509Credential cred) throws IdentityException;