org.opensaml.xml.util.DatatypeHelper Java Examples

/**
 * Remove a Namespace from a set of Namespaces.  Equivalence of Namespace instances will be based 
 * on namespace URI and prefix only. The <code>alwaysDeclare</code> property will be ignored for
 * purpose of equivalence.
 * 
 * @param namespaces the set of namespaces
 * @param oldNamespace the namespace to add to the set
 */
private void removeNamespace(Set<Namespace> namespaces, Namespace oldNamespace) {
    if (oldNamespace == null) {
        return;
    }
    
    Iterator<Namespace> iter = namespaces.iterator();
    while (iter.hasNext()) {
        Namespace namespace = iter.next();
        if (DatatypeHelper.safeEquals(namespace.getNamespaceURI(), oldNamespace.getNamespaceURI()) &&
                DatatypeHelper.safeEquals(namespace.getNamespacePrefix(), oldNamespace.getNamespacePrefix())) {
            iter.remove();
        }
    }
    
}
 

/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {

    Assertion assertion = (Assertion) samlObject;

    if (Assertion.ID_ATTRIB_NAME.equals(attribute.getLocalName())) {
        assertion.setID(attribute.getValue());
    } else if (Assertion.ISSUER_ATTRIB_NAME.equals(attribute.getLocalName())) {
        assertion.setIssuer(attribute.getValue());
    } else if (Assertion.ISSUEINSTANT_ATTRIB_NAME.equals(attribute.getLocalName())
            && !DatatypeHelper.isEmpty(attribute.getValue())) {
        assertion.setIssueInstant(new DateTime(attribute.getValue(), ISOChronology.getInstanceUTC()));
    } else if (Assertion.MINORVERSION_ATTRIB_NAME.equals(attribute.getLocalName())) {
        if (attribute.getValue().equals("0")) {
            assertion.setVersion(SAMLVersion.VERSION_10);
        } else {
            assertion.setVersion(SAMLVersion.VERSION_11);
        }
    } else {
        super.processAttribute(samlObject, attribute);
    }
}
 

/**
 * Determine whether the inbound message is signed.
 * 
 * @param messageContext the message context being evaluated
 * @return true if the inbound message is signed, otherwise false
 */
protected boolean isMessageSigned(SAMLMessageContext messageContext) {
    // TODO this really should be determined by the decoders and supplied to the rule
    // in some fashion, to handle binding-specific signature mechanisms. See JIRA issue JOWS-4.
    //
    // For now evaluate here inline for XML Signature and HTTP-Redirect and HTTP-Post-SimpleSign.
    
    SAMLObject samlMessage = messageContext.getInboundSAMLMessage();
    if (samlMessage instanceof SignableSAMLObject) {
        SignableSAMLObject signableMessage = (SignableSAMLObject) samlMessage;
        if (signableMessage.isSigned()) {
            return true;
        }
    }
    
    // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings.
    HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
    String sigParam = inTransport.getParameterValue("Signature");
    return !DatatypeHelper.isEmpty(sigParam);
}
 

/**
 * Find and return the integer value contained within the HMACOutputLength element, if present.
 * 
 * @param signatureMethodElement the ds:SignatureMethod element
 * @return the HMAC output length value, or null if not present
 */
private Integer getHMACOutputLengthValue(Element signatureMethodElement) {
    if (signatureMethodElement == null) {
        return null;
    }
    // Should be at most one element
    List<Element> children = XMLHelper.getChildElementsByTagNameNS(signatureMethodElement, XMLConstants.XMLSIG_NS,
            "HMACOutputLength");
    if (!children.isEmpty()) {
        Element hmacElement = children.get(0);
        String value = DatatypeHelper.safeTrimOrNullString(hmacElement.getTextContent());
        if (value != null) {
            return new Integer(value);
        }
    }
    return null;
}
 

/** {@inheritDoc} */
protected byte[] getSignedContent(HttpServletRequest request) throws SecurityPolicyException {
    // We need the raw non-URL-decoded query string param values for HTTP-Redirect DEFLATE simple signature
    // validation.
    // We have to construct a string containing the signature input by accessing the
    // request directly. We can't use the decoded parameters because we need the raw
    // data and URL-encoding isn't canonical.
    String queryString = request.getQueryString();
    log.debug("Constructing signed content string from URL query string {}", queryString);

    String constructed = buildSignedContentString(queryString);
    if (DatatypeHelper.isEmpty(constructed)) {
        log.warn("Could not extract signed content string from query string");
        return null;
    }
    log.debug("Constructed signed content string for HTTP-Redirect DEFLATE {}", constructed);

    try {
        return constructed.getBytes("UTF-8");
    } catch (UnsupportedEncodingException e) {
        // JVM is required to support UTF-8
    }
    return null;
}
 

/**
 * Get the length of the key indicated by the algorithm URI, if applicable and available.
 * 
 * @param algorithmURI the algorithm URI to evaluate
 * @return the length of the key indicated by the algorithm URI, or null if the length is either unavailable or
 *         indeterminable from the URI
 */
public static Integer getKeyLengthFromURI(String algorithmURI) {
    Logger log = getLogger();
    String algoClass = DatatypeHelper.safeTrimOrNullString(JCEMapper.getAlgorithmClassFromURI(algorithmURI));

    if (ApacheXMLSecurityConstants.ALGO_CLASS_BLOCK_ENCRYPTION.equals(algoClass)
            || ApacheXMLSecurityConstants.ALGO_CLASS_SYMMETRIC_KEY_WRAP.equals(algoClass)) {

        try {
            int keyLength = JCEMapper.getKeyLengthFromURI(algorithmURI);
            return new Integer(keyLength);
        } catch (NumberFormatException e) {
            log.warn("XML Security config contained invalid key length value for algorithm URI: " + algorithmURI);
        }
    }

    log.info("Mapping from algorithm URI {} to key length not available", algorithmURI);
    return null;
}
 

/** {@inheritDoc} */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
    throws SecurityPolicyException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
        throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
    }
    
    SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;
    
    CriteriaSet criteriaSet = new CriteriaSet();
    if (! DatatypeHelper.isEmpty(entityID)) {
        criteriaSet.add(new EntityIDCriteria(entityID) );
    }
    
    MetadataCriteria mdCriteria = 
        new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol());
    criteriaSet.add(mdCriteria);
    
    criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
    
    return criteriaSet;
}
 

/**
 * Extract the signature value from the request, in the form suitable for
 * input into
 * {@link SignatureTrustEngine#validate(byte[], byte[], String, CriteriaSet, Credential)}
 * .
 * <p/>
 * Defaults to the Base64-decoded value of the HTTP request parameter named
 * <code>Signature</code>.
 *
 * @param queryString
 * @return
 * @throws SecurityPolicyException
 * @throws IdentitySAML2SSOException
 */
protected static byte[] getSignature(String queryString) throws SecurityPolicyException {
    String signatureQueryParam = HTTPTransportUtils.getRawQueryStringParameter(queryString, "Signature");
    if (DatatypeHelper.isEmpty(signatureQueryParam)) {
        throw new SecurityPolicyException("Could not extract the Signature from query string");
    }
    String signature = null;
    try {
        /* Split 'Signature=<sig_value>' query param using '=' as the delimiter,
    and get the Signature value */
        signature = URLDecoder.decode(signatureQueryParam.split("=")[1], "UTF-8");
    } catch (UnsupportedEncodingException e) {
        if (log.isDebugEnabled()) {
            log.debug("Encoding not supported.", e);
        }
        // JVM is required to support UTF-8
        return new byte[0];
    }
    return Base64.decode(signature);
}
 

/**
 * Check key encryption parameters for consistency and required values.
 * 
 * @param kekParams the key encryption parameters to check
 * @param allowEmpty if false, a null parameter is treated as an error
 * 
 * @throws EncryptionException thrown if any parameters are missing or have invalid values
 */
protected void checkParams(KeyEncryptionParameters kekParams, boolean allowEmpty) throws EncryptionException {
    if (kekParams == null) {
        if (allowEmpty) {
            return;
        } else {
            log.error("Key encryption parameters are required");
            throw new EncryptionException("Key encryption parameters are required");
        }
    }
    Key key = SecurityHelper.extractEncryptionKey(kekParams.getEncryptionCredential());
    if (key == null) {
        log.error("Key encryption credential and contained key are required");
        throw new EncryptionException("Key encryption credential and contained key are required");
    } else if (key instanceof DSAPublicKey) {
        log.error("Attempt made to use DSA key for encrypted key transport");
        throw new EncryptionException("DSA keys may not be used for encrypted key transport");
    } else if (key instanceof ECPublicKey) {
        log.error("Attempt made to use EC key for encrypted key transport");
        throw new EncryptionException("EC keys may not be used for encrypted key transport");
    } else if (DatatypeHelper.isEmpty(kekParams.getAlgorithm())) {
        log.error("Key encryption algorithm URI is required");
        throw new EncryptionException("Key encryption algorithm URI is required");
    }
}
 

/**
 * Gets a formatted string representing identifier information from the supplied credential.
 * 
 * <p>
 * This could for example be used in logging messages.
 * </p>
 * 
 * <p>
 * Often it will be the case that a given credential that is being evaluated will NOT have a value for the entity ID
 * property. So extract the certificate subject DN, and if present, the credential's entity ID.
 * </p>
 * 
 * @param credential the credential for which to produce a token.
 * @param handler the X.500 DN handler to use. If null, a new instance of {@link InternalX500DNHandler} will be
 *            used.
 * 
 * @return a formatted string containing identifier information present in the credential
 */
public static String getIdentifiersToken(X509Credential credential, X500DNHandler handler) {
    X500DNHandler x500DNHandler;
    if (handler != null) {
        x500DNHandler = handler;
    } else {
        x500DNHandler = new InternalX500DNHandler();
    }
    X500Principal x500Principal = credential.getEntityCertificate().getSubjectX500Principal();
    StringBuilder builder = new StringBuilder();
    builder.append('[');
    builder.append(String.format("subjectName='%s'", x500DNHandler.getName(x500Principal)));
    if (!DatatypeHelper.isEmpty(credential.getEntityId())) {
        builder.append(String.format(" |credential entityID='%s'", DatatypeHelper.safeTrimOrNullString(credential
                .getEntityId())));
    }
    builder.append(']');
    return builder.toString();
}
 

/**
 * Check that all necessary credential criteria are available.
 * 
 * @param criteriaSet the credential set to evaluate
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    if (entityCriteria == null) {
        throw new IllegalArgumentException("Entity criteria must be supplied");
    }
    if (mdCriteria == null) {
        throw new IllegalArgumentException("SAML metadata criteria must be supplied");
    }
    if (DatatypeHelper.isEmpty(entityCriteria.getEntityID())) {
        throw new IllegalArgumentException("Credential owner entity ID criteria value must be supplied");
    }
    if (mdCriteria.getRole() == null) {
        throw new IllegalArgumentException("Credential metadata role criteria value must be supplied");
    }
}
 

/**
 * {@inheritDoc} 
 * 
 * <p>This SAML 2-specific implementation extracts the value of the protocol message Destination attribute.</p>
 * 
 * */
protected String getIntendedDestinationEndpointURI(SAMLMessageContext samlMsgCtx) throws MessageDecodingException {
    SAMLObject samlMessage = samlMsgCtx.getInboundSAMLMessage();
    String messageDestination = null;
    if (samlMessage instanceof RequestAbstractType) {
        RequestAbstractType request =  (RequestAbstractType) samlMessage;
        messageDestination = DatatypeHelper.safeTrimOrNullString(request.getDestination());
    } else if (samlMessage instanceof StatusResponseType) {
        StatusResponseType response = (StatusResponseType) samlMessage;
        messageDestination = DatatypeHelper.safeTrimOrNullString(response.getDestination());
    } else {
        log.error("Invalid SAML message type encountered: {}", samlMessage.getElementQName().toString());
        throw new MessageDecodingException("Invalid SAML message type encountered");
    }
    return messageDestination;
}
 

/**
 * Gets the <code>wsse11:TokenType</code> attribute from a given SOAP object.
 * 
 * @param soapObject the SOAP object to add the attribute to
 * 
 * @return the value of the tokenType attribute, or null if not present
 */
public static String getWSSE11TokenType(XMLObject soapObject) {
    String value = null;
    if (soapObject instanceof TokenTypeBearing) {
        value = DatatypeHelper.safeTrimOrNullString(((TokenTypeBearing)soapObject).getWSSE11TokenType());
        if (value != null) {
            return value;
        }
    }
    if (soapObject instanceof AttributeExtensibleXMLObject) {
        value = DatatypeHelper.safeTrimOrNullString(((AttributeExtensibleXMLObject)soapObject)
                    .getUnknownAttributes().get(TokenTypeBearing.WSSE11_TOKEN_TYPE_ATTR_NAME));
        return value;
    }
    return null;
}
 

/**
 * Evaluate whether an EncryptedKey's CarriedKeyName matches one of the KeyName values
 * from the EncryptedData context.
 * 
 * @param encryptedData the EncryptedData context
 * @param encryptedKey the candidate Encryptedkey to evaluate
 * @return true if the encrypted key's carried key name matches that of the encrytped data, 
 *          false otherwise
 */
protected boolean matchCarriedKeyName(EncryptedData encryptedData, EncryptedKey encryptedKey) {
    if (encryptedKey.getCarriedKeyName() == null 
            || DatatypeHelper.isEmpty(encryptedKey.getCarriedKeyName().getValue()) ) {
        return true;
    }
    
    if (encryptedData.getKeyInfo() == null 
            || encryptedData.getKeyInfo().getKeyNames().isEmpty() ) {
        return false;
    }
    
    String keyCarriedKeyName = encryptedKey.getCarriedKeyName().getValue();
    List<String> dataKeyNames = KeyInfoHelper.getKeyNames(encryptedData.getKeyInfo());
    
    return dataKeyNames.contains(keyCarriedKeyName);
}
 

/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    EntityDescriptor entityDescriptor = (EntityDescriptor) samlObject;

    if (attribute.getLocalName().equals(EntityDescriptor.ENTITY_ID_ATTRIB_NAME)) {
        entityDescriptor.setEntityID(attribute.getValue());
    } else if (attribute.getLocalName().equals(EntityDescriptor.ID_ATTRIB_NAME)) {
        entityDescriptor.setID(attribute.getValue());
        attribute.getOwnerElement().setIdAttributeNode(attribute, true);
    } else if (attribute.getLocalName().equals(TimeBoundSAMLObject.VALID_UNTIL_ATTRIB_NAME)
            && !DatatypeHelper.isEmpty(attribute.getValue())) {
        entityDescriptor.setValidUntil(new DateTime(attribute.getValue(), ISOChronology.getInstanceUTC()));
    } else if (attribute.getLocalName().equals(CacheableSAMLObject.CACHE_DURATION_ATTRIB_NAME)) {
        entityDescriptor.setCacheDuration(XMLHelper.durationToLong(attribute.getValue()));
    } else {
        QName attribQName = XMLHelper.getNodeQName(attribute);
        if (attribute.isId()) {
            entityDescriptor.getUnknownAttributes().registerID(attribQName);
        }
        entityDescriptor.getUnknownAttributes().put(attribQName, attribute.getValue());
    }
}
 

/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) samlObject;

    if (attribute.getLocalName().equals(EntitiesDescriptor.ID_ATTRIB_NAME)) {
        entitiesDescriptor.setID(attribute.getValue());
        attribute.getOwnerElement().setIdAttributeNode(attribute, true);
    } else if (attribute.getLocalName().equals(TimeBoundSAMLObject.VALID_UNTIL_ATTRIB_NAME)
            && !DatatypeHelper.isEmpty(attribute.getValue())) {
        entitiesDescriptor.setValidUntil(new DateTime(attribute.getValue(), ISOChronology.getInstanceUTC()));
    } else if (attribute.getLocalName().equals(CacheableSAMLObject.CACHE_DURATION_ATTRIB_NAME)) {
        entitiesDescriptor.setCacheDuration(new Long(XMLHelper.durationToLong(attribute.getValue())));
    } else if (attribute.getLocalName().equals(EntitiesDescriptor.NAME_ATTRIB_NAME)) {
        entitiesDescriptor.setName(attribute.getValue());
    } else {
        super.processAttribute(samlObject, attribute);
    }
}
 

/** {@inheritDoc} */
protected void marshallAttributes(XMLObject xmlObject, Element domElement) throws MarshallingException {
    EnvironmentMatchType matchType = (EnvironmentMatchType) xmlObject;

    if (!DatatypeHelper.isEmpty(matchType.getMatchId())) {
        domElement.setAttribute(EnvironmentMatchType.MATCH_ID_ATTRIB_NAME, matchType.getMatchId());
    }
}
 

/**
 * Constructor.
 * 
 * @param path the path to the file for this resource
 * @param resourceFilter filter to apply to this resource
 * 
 * @throws ResourceException thrown if the resource path is null or empty or if the resource does not exist
 * 
 * @deprecated use {@link #setResourceFilter(ResourceFilter)} instead
 */
public ClasspathResource(String path, ResourceFilter resourceFilter) throws ResourceException {
    super(resourceFilter);
    
    if (DatatypeHelper.isEmpty(path)) {
        throw new ResourceException("Resource path may not be null or empty");
    }

    resource = getClass().getResource(path);
    if (resource == null) {
        throw new ResourceException("Classpath resource does not exist: " + path);
    }

    lastModTime = new DateTime();
}
 

/**
 * Find the certificate from the chain identified by one of the specified issuer serials.
 * 
 * @param certs list of certificates to evaluate
 * @param serials X509 issuer serials to use as search criteria
 * @return the matching certificate, or null
 */
protected X509Certificate findCertFromIssuerSerials(List<X509Certificate> certs, List<X509IssuerSerial> serials) {
    for (X509IssuerSerial issuerSerial : serials) {
        if (issuerSerial.getX509IssuerName() == null || issuerSerial.getX509SerialNumber() == null) {
            continue;
        }
        String issuerNameValue = issuerSerial.getX509IssuerName().getValue();
        BigInteger serialNumber  = issuerSerial.getX509SerialNumber().getValue();
        if (! DatatypeHelper.isEmpty(issuerNameValue)) {
            X500Principal issuerX500Principal = null;
            try {
                issuerX500Principal = x500DNHandler.parse(issuerNameValue);
            } catch (IllegalArgumentException e) {
                log.warn("X500 issuer name '{}' could not be parsed by configured X500DNHandler '{}'",
                        issuerNameValue, x500DNHandler.getClass().getName());
                return null;
            }
            for (X509Certificate cert : certs) {
                if (cert.getIssuerX500Principal().equals(issuerX500Principal) &&
                        cert.getSerialNumber().equals(serialNumber)) {
                    return cert;
                }
            }
        }
    }
    return null;
}
 

/** {@inheritDoc} */
protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException {
    ResponseAbstractType response = (ResponseAbstractType) samlObject;

    if (attribute.getLocalName().equals(ResponseAbstractType.ID_ATTRIB_NAME)) {
        response.setID(attribute.getValue());
    } else if (attribute.getLocalName().equals(ResponseAbstractType.INRESPONSETO_ATTRIB_NAME)) {
        response.setInResponseTo(attribute.getValue());
    } else if (attribute.getLocalName().equals(ResponseAbstractType.ISSUEINSTANT_ATTRIB_NAME)
            && !DatatypeHelper.isEmpty(attribute.getValue())) {
        response.setIssueInstant(new DateTime(attribute.getValue(), ISOChronology.getInstanceUTC()));
    } else if (attribute.getLocalName().equals(ResponseAbstractType.MINORVERSION_ATTRIB_NAME)) {
        int minor;
        try {
            minor = Integer.parseInt(attribute.getValue());
        } catch (NumberFormatException n) {
            log.error("Parsing minor version ", n);
            throw new UnmarshallingException(n);
        }
        if (minor == 0) {
            response.setVersion(SAMLVersion.VERSION_10);
        } else if (minor == 1) {
            response.setVersion(SAMLVersion.VERSION_11);
        }
    } else if (attribute.getLocalName().equals(ResponseAbstractType.RECIPIENT_ATTRIB_NAME)) {
        response.setRecipient(attribute.getValue());
    } else {
        super.processAttribute(samlObject, attribute);
    }
}
 

/**
 * Constructor.
 * 
 * @param manager wrapped key manager
 * @param alias alias used to reference the credential in the key manager
 */
public X509KeyManagerX509CredentialAdapter(X509KeyManager manager, String alias) {
    if (manager == null) {
        throw new IllegalArgumentException("Key manager may not be null");
    }
    keyManager = manager;

    credentialAlias = DatatypeHelper.safeTrimOrNullString(alias);
    if (credentialAlias == null) {
        throw new IllegalArgumentException("Entity alias may not be null");
    }
}
 

/**
 * Set the key name criteria.
 * 
 * @param name The keyName to set.
 */
public void setKeyName(String name) {
    if (DatatypeHelper.isEmpty(name)) {
        throw new IllegalArgumentException("Key name criteria value must be supplied");
    }
    keyName = DatatypeHelper.safeTrimOrNullString(name);
}
 

/** {@inheritDoc} */
protected void processAttribute(XMLObject xmlObject, Attr attribute) throws UnmarshallingException {
    CombinerParameterType combinerParameterType = (CombinerParameterType) xmlObject;
  
    if(attribute.getLocalName().equals(CombinerParameterType.PARAMETER_NAMEATTRIB_NAME)){
        combinerParameterType.setParameterName(DatatypeHelper.safeTrimOrNullString(attribute.getValue()));
    } else {
        super.processAttribute(xmlObject, attribute);
    }
}
 

/**
 * Process the options related to generation of the X509IssuerSerial child element of X509Data 
 * based on certificate data.
 * 
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */ 
protected void processCertX509IssuerSerial(X509Data x509Data, java.security.cert.X509Certificate cert) {
    if (options.emitX509IssuerSerial) {
        String issuerNameValue = getIssuerName(cert);
        if (! DatatypeHelper.isEmpty(issuerNameValue)) {
            x509Data.getX509IssuerSerials().add( 
                    KeyInfoHelper.buildX509IssuerSerial(issuerNameValue, cert.getSerialNumber()) );
        }
    }
}
 

/** {@inheritDoc} */
protected void marshallAttributes(XMLObject xmlObject, Element domElement) throws MarshallingException {
    ResourceMatchType matchType = (ResourceMatchType) xmlObject;

    if (!DatatypeHelper.isEmpty(matchType.getMatchId())) {
        domElement.setAttribute(ResourceMatchType.MATCH_ID_ATTRIB_NAME, matchType.getMatchId());
    }
}
 

/** Process the values of {@link Credential#getKeyNames()}.
 * 
 * @param keyInfo the KeyInfo that is being built
 * @param credential the Credential that is geing processed
 */
protected void processKeyNames(KeyInfo keyInfo, Credential credential) {
    if (options.emitKeyNames) {
        for (String keyNameValue : credential.getKeyNames()) {
            if ( ! DatatypeHelper.isEmpty(keyNameValue)) {
                KeyInfoHelper.addKeyName(keyInfo, keyNameValue);
            }
        }
    }
}
 

/** {@inheritDoc} */
public XMLObject unmarshall(Element domElement) throws UnmarshallingException {
    // After regular unmarshalling, check the minor version and set ID-ness if not SAML 1.0
    Assertion assertion = (Assertion) super.unmarshall(domElement);
    if (assertion.getMinorVersion() != 0 && !DatatypeHelper.isEmpty(assertion.getID())) {
        domElement.setIdAttributeNS(null, Assertion.ID_ATTRIB_NAME, true);
    }
    return assertion;
}
 

/**
 * Checks that the relay state is 80 bytes or less if it is not null.
 * 
 * @param relayState relay state to check
 * 
 * @return true if the relay state is not empty and is less than 80 bytes
 */
protected boolean checkRelayState(String relayState) {
    if (!DatatypeHelper.isEmpty(relayState)) {
        if (relayState.getBytes().length > 80) {
            log.warn("Relay state exceeds 80 bytes, some application may not support this.");
        }

        return true;
    }

    return false;
}
 

/** {@inheritDoc} */
public BigInteger getValueBigInt() {
    if (bigIntValue == null && !DatatypeHelper.isEmpty(getValue())) {
        bigIntValue = KeyInfoHelper.decodeBigIntegerFromCryptoBinary(getValue());
    }
    return bigIntValue;
}
 

/**
 * Build a criteria set suitable for input to the trust engine.
 *
 * @param issuer
 * @return
 * @throws SecurityPolicyException
 */
private static CriteriaSet buildCriteriaSet(String issuer) {
    CriteriaSet criteriaSet = new CriteriaSet();
    if (!DatatypeHelper.isEmpty(issuer)) {
        criteriaSet.add(new EntityIDCriteria(issuer));
    }
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    return criteriaSet;
}