org.opensaml.xml.security.CriteriaSet Java Examples

@Override
public Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet) throws SecurityException {
    try {
        credentialSet = new HashSet<Credential>();
        Enumeration<String> en = keyStore.aliases();
        while (en.hasMoreElements()) {
            String alias = en.nextElement();
            X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
            Credential credential = new X509CredentialImpl(cert);
            if (criteriaSet.get(EntityIDCriteria.class) != null) {
                if (criteriaSet.get(EntityIDCriteria.class).getEntityID().equals(alias)) {
                    credentialSet.add(credential);
                    break;
                }
            } else {
                credentialSet.add(credential);
            }
        }
        return credentialSet;
    } catch (KeyStoreException e) {
        log.error(e);
        throw new SecurityException("Error reading certificates from key store");
    }
}
 

/**
 * Resolve the key from any KeyValue or DEREncodedKeyValue element that may be present, and store the resulting
 * key in the resolution context.
 * 
 * Each element is processed in turn in document order. Each element will be processed by each provider in
 * the ordered list of registered providers. The key from the first credential successfully resolved
 * will be stored in the resolution context.
 * 
 * Note: This resolver implementation assumes that KeyInfo will not be abused via-a-vis the Signature
 * specificiation, and that therefore all elements (if there are even more than one) will all resolve to the
 * same key value. The KeyInfo might, for example have multiple KeyValue children, containing different
 * representations of the same key. Therefore, only the first credential derived will be be utilized.
 * 
 * @param kiContext KeyInfo resolution context
 * @param criteriaSet the credential criteria used to resolve credentials
 * @param keyValues the KeyValue or DEREncodedKeyValue children to evaluate
 * @throws SecurityException thrown if there is an error resolving the key from the KeyValue
 */
protected void resolveKeyValue(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet,
        List<? extends XMLObject> keyValues) throws SecurityException {

    for (XMLObject keyValue : keyValues) {
        if (!(keyValue instanceof KeyValue) && !(keyValue instanceof DEREncodedKeyValue)) {
            continue;
        }
        Collection<Credential> creds = processKeyInfoChild(kiContext, criteriaSet, keyValue);
        if (creds != null) {
            for (Credential cred : creds) {
                Key key = extractKeyValue(cred);
                if (key != null) {
                    kiContext.setKey(key);
                    log.debug("Found a credential based on a KeyValue/DEREncodedKeyValue having key type: {}",
                            key.getAlgorithm());
                    return;
                }
            }
        }
    }
}
 

/**
 * Initialize the resolution context that will be used by the providers.
 * 
 * The supplied KeyInfo object is stored in the context, as well as the values of any {@link KeyName} children
 * present. Finally if a credential is resolveble by any registered provider from a plain {@link KeyValue} child,
 * the key from that credential is also stored in the context.
 * 
 * @param kiContext KeyInfo resolution context
 * @param keyInfo the KeyInfo to evaluate
 * @param criteriaSet the credential criteria used to resolve credentials
 * @throws SecurityException thrown if there is an error processing the KeyValue children
 */
protected void initResolutionContext(KeyInfoResolutionContext kiContext, KeyInfo keyInfo, CriteriaSet criteriaSet)
        throws SecurityException {

    kiContext.setKeyInfo(keyInfo);

    // Extract all KeyNames
    kiContext.getKeyNames().addAll(KeyInfoHelper.getKeyNames(keyInfo));
    log.debug("Found {} key names: {}", kiContext.getKeyNames().size(), kiContext.getKeyNames());

    // Extract the Credential based on the (singular) key from an existing KeyValue(s).
    resolveKeyValue(kiContext, criteriaSet, keyInfo.getKeyValues());

    // Extract the Credential based on the (singular) key from an existing DEREncodedKeyValue(s).
    resolveKeyValue(kiContext, criteriaSet, keyInfo.getXMLObjects(DEREncodedKeyValue.DEFAULT_ELEMENT_NAME));
}
 

/**
 * Process the given KeyInfo child with the registered providers.
 * 
 * The child element is processed by each provider in the ordered list of providers. The credential or credentials
 * resolved by the first provider to successfully do so are returned and processing of the child element is
 * terminated.
 * 
 * @param kiContext KeyInfo resolution context
 * @param criteriaSet the credential criteria used to resolve credentials
 * @param keyInfoChild the KeyInfo to evaluate
 * @return the collection of resolved credentials, or null
 * @throws SecurityException thrown if there is a provider error processing the KeyInfo child
 */
protected Collection<Credential> processKeyInfoChild(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet,
        XMLObject keyInfoChild) throws SecurityException {

    for (KeyInfoProvider provider : getProviders()) {

        if (!provider.handles(keyInfoChild)) {
            log.debug("Provider {} doesn't handle objects of type {}, skipping", provider.getClass().getName(),
                    keyInfoChild.getElementQName());
            continue;
        }

        log.debug("Processing KeyInfo child {} with provider {}", keyInfoChild.getElementQName(), provider
                .getClass().getName());
        Collection<Credential> creds = provider.process(this, keyInfoChild, criteriaSet, kiContext);

        if (creds != null && !creds.isEmpty()) {
            log.debug("Credentials successfully extracted from child {} by provider {}", keyInfoChild
                    .getElementQName(), provider.getClass().getName());
            return creds;
        }
    }
    return null;
}
 

/**
 * Check the signature and credential criteria for required values.
 * 
 * @param signature the signature to be evaluated
 * @param content the data over which the signature was computed
 * @param algorithmURI the signing algorithm URI which was used
 * @param trustBasisCriteria the set of trusted credential criteria
 * @throws SecurityException thrown if required values are absent or otherwise invalid
 */
protected void checkParamsRaw(byte[] signature, byte[] content, String algorithmURI, CriteriaSet trustBasisCriteria)
        throws SecurityException {

    if (signature == null || signature.length == 0) {
        throw new SecurityException("Signature byte array was null or empty");
    }
    if (content == null || content.length == 0) {
        throw new SecurityException("Content byte array was null or empty");
    }
    if (DatatypeHelper.isEmpty(algorithmURI)) {
        throw new SecurityException("Signature algorithm was null or empty");
    }
    if (trustBasisCriteria == null) {
        throw new SecurityException("Trust basis criteria set was null");
    }
    if (trustBasisCriteria.isEmpty()) {
        throw new SecurityException("Trust basis criteria set was empty");
    }
}
 

/**
 * Resolve and return a set of trusted validation information.
 * 
 * @param trustBasisCriteria criteria used to describe and/or resolve the information which serves as the basis for
 *            trust evaluation
 * @return a pair consisting of an optional set of trusted names, and an iterable of trusted
 *         PKIXValidationInformation
 * @throws SecurityException thrown if there is an error resolving the information from the trusted resolver
 */
protected Pair<Set<String>, Iterable<PKIXValidationInformation>> resolveValidationInfo(
        CriteriaSet trustBasisCriteria) throws SecurityException {

    Set<String> trustedNames = null;
    if (pkixResolver.supportsTrustedNameResolution()) {
        trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria);
    } else {
        log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
    }
    Iterable<PKIXValidationInformation> validationInfoSet = pkixResolver.resolve(trustBasisCriteria);

    Pair<Set<String>, Iterable<PKIXValidationInformation>> validationPair = 
        new Pair<Set<String>, Iterable<PKIXValidationInformation>>(trustedNames, validationInfoSet);

    return validationPair;
}
 

/** {@inheritDoc} */
protected void postProcess(KeyInfoResolutionContext kiContext, CriteriaSet criteriaSet,
        List<Credential> credentials) throws SecurityException {
    
    ArrayList<Credential> localCreds = new ArrayList<Credential>();
    
    for (Credential cred : credentials) {
        if (isLocalCredential(cred)) {
            localCreds.add(cred);
        } else if (cred.getPublicKey() != null) {
           localCreds.addAll(resolveByPublicKey(cred.getPublicKey()));
        }
    }
    
    // Also resolve local creds based on any key names that are known
    for (String keyName : kiContext.getKeyNames()) {
        localCreds.addAll(resolveByKeyName(keyName));
    }
    
    credentials.clear();
    credentials.addAll(localCreds);
}
 

/**
 * Check that all necessary credential criteria are available.
 * 
 * @param criteriaSet the credential set to evaluate
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    MetadataCriteria mdCriteria = criteriaSet.get(MetadataCriteria.class);
    if (entityCriteria == null) {
        throw new IllegalArgumentException("Entity criteria must be supplied");
    }
    if (mdCriteria == null) {
        throw new IllegalArgumentException("SAML metadata criteria must be supplied");
    }
    if (DatatypeHelper.isEmpty(entityCriteria.getEntityID())) {
        throw new IllegalArgumentException("Credential owner entity ID criteria value must be supplied");
    }
    if (mdCriteria.getRole() == null) {
        throw new IllegalArgumentException("Credential metadata role criteria value must be supplied");
    }
}
 

/**
 * Build a criteria set suitable for input to the trust engine.
 * 
 * @param entityID the candidate issuer entity ID which is being evaluated
 * @param samlContext the message context which is being evaluated
 * @return a newly constructly set of criteria suitable for the configured trust engine
 * @throws SecurityPolicyException thrown if criteria set can not be constructed
 */
protected CriteriaSet buildCriteriaSet(String entityID, SAMLMessageContext samlContext)
        throws SecurityPolicyException {

    CriteriaSet criteriaSet = new CriteriaSet();
    if (!DatatypeHelper.isEmpty(entityID)) {
        criteriaSet.add(new EntityIDCriteria(entityID));
    }

    MetadataCriteria mdCriteria = new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext
            .getInboundSAMLProtocol());
    criteriaSet.add(mdCriteria);

    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

    return criteriaSet;
}
 

/** {@inheritDoc} */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
    throws SecurityPolicyException {
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
        throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
    }
    
    SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;
    
    CriteriaSet criteriaSet = new CriteriaSet();
    if (! DatatypeHelper.isEmpty(entityID)) {
        criteriaSet.add(new EntityIDCriteria(entityID) );
    }
    
    MetadataCriteria mdCriteria = 
        new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol());
    criteriaSet.add(mdCriteria);
    
    criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
    
    return criteriaSet;
}
 

/** {@inheritDoc} */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) 
    throws SecurityPolicyException {
    
    if (!(messageContext instanceof SAMLMessageContext)) {
        log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
        throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
    }
    
    SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;

    CriteriaSet criteriaSet = super.buildCriteriaSet(entityID, messageContext);
    MetadataCriteria mdCriteria = 
        new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol());
    criteriaSet.add(mdCriteria);

    return criteriaSet;
}
 

/**
 * Extract the evaluable credential criteria from the criteria set.
 * 
 * @param criteriaSet the set of credential criteria to process.
 * @return a set of evaluable Credential criteria
 * @throws SecurityException thrown if there is an error obtaining an instance of EvaluableCredentialCriteria
 *                           from the EvaluableCredentialCriteriaRegistry
 */
private Set<EvaluableCriteria<Credential>> getEvaluableCriteria(CriteriaSet criteriaSet) throws SecurityException {
    Set<EvaluableCriteria<Credential>> evaluable = new HashSet<EvaluableCriteria<Credential>>(criteriaSet.size());
    for (Criteria criteria : criteriaSet) {
        if (criteria instanceof EvaluableCredentialCriteria) {
            evaluable.add((EvaluableCredentialCriteria) criteria);
        } else {
            EvaluableCredentialCriteria evaluableCriteria = 
                EvaluableCredentialCriteriaRegistry.getEvaluator(criteria);
            if (evaluableCriteria != null) {
                evaluable.add(evaluableCriteria);
            }
        }
    }
    return evaluable;
}
 

private void checkMessageSignature(MessageContext messageContext,SignableSAMLObject samlMessage) throws SecurityPolicyException {
	CriteriaSet criteriaSet = new CriteriaSet();
	logger.debug("Inbound issuer is {}", messageContext.getInboundMessageIssuer());
	// System.out.println("Inbound issuer is {} "+ messageContext.getInboundMessageIssuer());
	//https://localhost-dev-ed.my.salesforce.com
	criteriaSet.add( new EntityIDCriteria(messageContext.getInboundMessageIssuer()));	
	//criteriaSet.add( new EntityIDCriteria("https://localhost-dev-ed.my.salesforce.com"));
	criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );

	try {
		if (!trustEngine.validate( samlMessage.getSignature(), criteriaSet)) {
			throw new SecurityPolicyException("Signature was either invalid or signing key could not be established as trusted");
		}
	} catch (SecurityException se) {
		// System.out.println("Error evaluating the signature"+se.toString());
		throw new SecurityPolicyException("Error evaluating the signature",se);
	}
}
 

public void afterPropertiesSet() throws Exception {

		authnRequestGenerator = new AuthnRequestGenerator(keyStoreLoader.getEntityName(), timeService, idService);
		endpointGenerator = new EndpointGenerator();

		CriteriaSet criteriaSet = new CriteriaSet();
		criteriaSet.add(new EntityIDCriteria(keyStoreLoader.getEntityName()));
		criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

		try {
			signingCredential = credentialResolver.resolveSingle(criteriaSet);
		} catch (SecurityException e) {
			logger.error("证书解析出错", e);
			throw new Exception(e);
		}
		Validate.notNull(signingCredential);

	}
 

public Credential  buildSPSigningCredential() throws Exception{
	KeyStore trustKeyStore = KeyStoreUtil.bytes2KeyStore(getSaml20Details().getKeyStore(),
			getKeyStoreLoader().getKeyStore().getType(),
			getKeyStoreLoader().getKeystorePassword());
	
	TrustResolver trustResolver=new TrustResolver();
	KeyStoreCredentialResolver credentialResolver =trustResolver.buildKeyStoreCredentialResolver(
						trustKeyStore, 
						getSaml20Details().getEntityId(), 
						getKeyStoreLoader().getKeystorePassword());

	CriteriaSet criteriaSet = new CriteriaSet();
	criteriaSet.add(new EntityIDCriteria(getSaml20Details().getEntityId()));
	criteriaSet.add(new UsageCriteria(UsageType.ENCRYPTION));

	try {
		spSigningCredential = credentialResolver.resolveSingle(criteriaSet);
	} catch (SecurityException e) {
		logger.error("Credential Resolver error . ", e);
		throw new Exception(e);
	}
	Validate.notNull(spSigningCredential);
	
	return spSigningCredential;
}
 

/** {@inheritDoc} */
public boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
    throws SecurityException {
    
    log.debug("Attempting PKIX validation of untrusted credential");

    if (untrustedCredential == null) {
        log.error("X.509 credential was null, unable to perform validation");
        return false;
    }

    if (untrustedCredential.getEntityCertificate() == null) {
        log.error("Untrusted X.509 credential's entity certificate was null, unable to perform validation");
        return false;
    }

    Set<String> trustedNames = null;
    if (pkixResolver.supportsTrustedNameResolution()) {
        trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria);
    } else {
        log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
    }

    return validate(untrustedCredential, trustedNames, pkixResolver.resolve(trustBasisCriteria));
}
 

/**
 * @param queryString
 * @param issuer
 * @param alias
 * @param domainName
 * @return
 * @throws SecurityException
 * @throws IdentitySAML2SSOException
 */
@Override
public boolean validateSignature(String queryString, String issuer, String alias,
                                 String domainName) throws SecurityException,
        IdentitySAML2SSOException {
    byte[] signature = getSignature(queryString);
    byte[] signedContent = getSignedContent(queryString);
    String algorithmUri = getSigAlg(queryString);
    CriteriaSet criteriaSet = buildCriteriaSet(issuer);

    // creating the SAML2HTTPRedirectDeflateSignatureRule
    X509CredentialImpl credential =
            SAMLSSOUtil.getX509CredentialImplForTenant(domainName,
                    alias);

    List<Credential> credentials = new ArrayList<Credential>();
    credentials.add(credential);
    CollectionCredentialResolver credResolver = new CollectionCredentialResolver(credentials);
    KeyInfoCredentialResolver kiResolver = SecurityHelper.buildBasicInlineKeyInfoResolver();
    SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credResolver, kiResolver);
    return engine.validate(signature, signedContent, algorithmUri, criteriaSet, null);
}
 

/**
 * Build a criteria set suitable for input to the trust engine.
 *
 * @param issuer
 * @return
 * @throws SecurityPolicyException
 */
private static CriteriaSet buildCriteriaSet(String issuer) {
    CriteriaSet criteriaSet = new CriteriaSet();
    if (!DatatypeHelper.isEmpty(issuer)) {
        criteriaSet.add(new EntityIDCriteria(issuer));
    }
    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    return criteriaSet;
}
 

/**
 * Validate the simple signature.
 * 
 * @param signature the signature value
 * @param signedContent the content that was signed
 * @param algorithmURI the signature algorithm URI which was used to sign the content
 * @param criteriaSet criteria used to describe and/or resolve the information which serves as the basis for trust
 *            evaluation
 * @param candidateCredentials the request-derived candidate credential(s) containing the validation key for the
 *            signature (optional)
 * @return true if signature can be verified successfully, false otherwise
 * 
 * @throws SecurityPolicyException thrown if there are errors during the signature validation process
 * 
 */
protected boolean validateSignature(byte[] signature, byte[] signedContent, String algorithmURI,
        CriteriaSet criteriaSet, List<Credential> candidateCredentials) throws SecurityPolicyException {

    SignatureTrustEngine engine = getTrustEngine();

    // Some bindings allow candidate signing credentials to be supplied (e.g. via ds:KeyInfo), some do not.
    // So have 2 slightly different cases.
    try {
        if (candidateCredentials == null || candidateCredentials.isEmpty()) {
            if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, null)) {
                log.debug("Simple signature validation (with no request-derived credentials) was successful");
                return true;
            } else {
                log.warn("Simple signature validation (with no request-derived credentials) failed");
                return false;
            }
        } else {
            for (Credential cred : candidateCredentials) {
                if (engine.validate(signature, signedContent, algorithmURI, criteriaSet, cred)) {
                    log.debug("Simple signature validation succeeded with a request-derived credential");
                    return true;
                }
            }
            log.warn("Signature validation using request-derived credentials failed");
            return false;
        }
    } catch (SecurityException e) {
        log.warn("There was an error evaluating the request's simple signature using the trust engine", e);
        throw new SecurityPolicyException("Error during trust engine evaluation of the simple signature", e);
    }
}
 

/**
 * Build the criteria set which will be used as input to the configured trust engine.
 * 
 * @param signedMetadata the metadata element whose signature is being verified
 * @param metadataEntryName the EntityDescriptor entityID, EntitiesDescriptor Name,
 *                          AffiliationDescriptor affiliationOwnerID, 
 *                          or RoleDescriptor {@link #getRoleIDToken(String, RoleDescriptor)}
 *                          corresponding to the element whose signature is being evaluated.
 *                          This is used exclusively for logging/debugging purposes and
 *                          should not be used operationally (e.g. for building the criteria set).
 * @param isEntityGroup flag indicating whether the signed object is a metadata group (EntitiesDescriptor)
 * @return the newly constructed criteria set
 */
protected CriteriaSet buildCriteriaSet(SignableXMLObject signedMetadata,
        String metadataEntryName, boolean isEntityGroup) {
    
    CriteriaSet newCriteriaSet = new CriteriaSet();
    
    if (getDefaultCriteria() != null) {
        newCriteriaSet.addAll( getDefaultCriteria() );
    }
    
    if (!newCriteriaSet.contains(UsageCriteria.class)) {
        newCriteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
    }
    
    // TODO how to handle adding dynamic entity ID and/or other criteria for trust engine consumption?
    //
    // Have 4 signed metadata types:
    // 1) EntitiesDescriptor
    // 2) EntityDescriptor
    // 3) RoleDescriptor
    // 4) AffiliationDescriptor
    //
    // Logic will likely vary for how to specify criteria to trust engine for different types + specific use cases,
    // e.g. for federation metadata publishers of EntitiesDescriptors vs. "self-signed" EntityDescriptors.
    // May need to delegate to more specialized subclasses.
    
    return newCriteriaSet;
}
 

/**
 * Evaluate the signature on the signed metadata instance.
 * 
 * @param signedMetadata the metadata object whose signature is to be verified
 * @param metadataEntryName the EntityDescriptor entityID, EntitiesDescriptor Name,
 *                          AffiliationDescriptor affiliationOwnerID, 
 *                          or RoleDescriptor {@link #getRoleIDToken(String, RoleDescriptor)}
 *                          corresponding to the element whose signature is being evaluated.
 *                          This is used exclusively for logging/debugging purposes and
 *                          should not be used operationally (e.g. for building a criteria set).
 * @param isEntityGroup flag indicating whether the signed object is a metadata group (EntitiesDescriptor),
 *                      primarily useful for constructing a criteria set for the trust engine
 * @throws FilterException thrown if the metadata entry's signature can not be established as trusted,
 *                         or if an error occurs during the signature verification process
 */
protected void verifySignature(SignableXMLObject signedMetadata, String metadataEntryName, 
        boolean isEntityGroup) throws FilterException {
    
    log.debug("Verifying signature on metadata entry: {}", metadataEntryName);
    
    Signature signature = signedMetadata.getSignature();
    if (signature == null) {
        // We shouldn't ever be calling this on things that aren't actually signed, but just to be safe...
        log.warn("Signature was null, skipping processing on metadata entry: {}", metadataEntryName);
        return;
    }
    
    performPreValidation(signature, metadataEntryName);
    
    CriteriaSet criteriaSet = buildCriteriaSet(signedMetadata, metadataEntryName, isEntityGroup);
    
    try {
        if ( getSignatureTrustEngine().validate(signature, criteriaSet) ) {
            log.trace("Signature trust establishment succeeded for metadata entry {}", metadataEntryName);
            return;
        } else {
            log.error("Signature trust establishment failed for metadata entry {}", metadataEntryName);
            throw new FilterException("Signature trust establishment failed for metadata entry");
        }
    } catch (SecurityException e) {
        // Treat evaluation errors as fatal
        log.error("Error processing signature verification for metadata entry '{}': {} ",
                metadataEntryName, e.getMessage());
        throw new FilterException("Error processing signature verification for metadata entry", e);
    }
}
 

public void  buildCredentialResolver(CredentialResolver credentialResolver) throws Exception{
	this.credentialResolver=credentialResolver;
	CriteriaSet criteriaSet = new CriteriaSet();
	criteriaSet.add(new EntityIDCriteria(getKeyStoreLoader().getEntityName()));
	criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

	try {
		signingCredential = credentialResolver.resolveSingle(criteriaSet);
	} catch (SecurityException e) {
		logger.error("Credential Resolver error . ", e);
		throw new Exception(e);
	}
	Validate.notNull(signingCredential);
}
 

/** {@inheritDoc} */
public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException {
    for (SignatureTrustEngine engine : engines) {
        if (engine.validate(token, trustBasisCriteria)) {
            log.debug("Signature was trusted by chain member: {}", engine.getClass().getName());
            return true;
        }
    }
    return false;
}
 

/**
 * Constructor.
 * 
 * @param resolver the chaining parent of this iterable
 * @param criteriaSet the set of criteria which is input to the underyling resolvers
 */
public CredentialIterator(ChainingCredentialResolver resolver, CriteriaSet criteriaSet) {
    parent = resolver;
    critSet = criteriaSet;
    resolverIterator = parent.getResolverChain().iterator();
    credentialIterator = getNextCredentialIterator();
    nextCredential = null;
}
 

/**
 * Check that required credential criteria are available.
 * 
 * @param criteriaSet the credential criteria set to evaluate
 */
protected void checkCriteriaRequirements(CriteriaSet criteriaSet) {
    EntityIDCriteria entityCriteria = criteriaSet.get(EntityIDCriteria.class);
    if (entityCriteria == null) {
        log.error("EntityIDCriteria was not specified in the criteria set, resolution can not be attempted");
        throw new IllegalArgumentException("No EntityIDCriteria was available in criteria set");
    }
}
 

/**
 * Check the signature and credential criteria for required values.
 * 
 * @param signature the signature to be evaluated
 * @param trustBasisCriteria the set of trusted credential criteria
 * @throws SecurityException thrown if required values are absent or otherwise invalid
 */
protected void checkParams(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {

    if (signature == null) {
        throw new SecurityException("Signature was null");
    }
    if (trustBasisCriteria == null) {
        throw new SecurityException("Trust basis criteria set was null");
    }
    if (trustBasisCriteria.isEmpty()) {
        throw new SecurityException("Trust basis criteria set was empty");
    }
}
 

/** {@inheritDoc} */
protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
        throws SecurityPolicyException {

    CriteriaSet criteriaSet = new CriteriaSet();
    if (!DatatypeHelper.isEmpty(entityID)) {
        criteriaSet.add(new EntityIDCriteria(entityID));
    }

    criteriaSet.add(new UsageCriteria(UsageType.SIGNING));

    return criteriaSet;
}
 

/**
 * Attempt to establish trust by resolving signature verification credentials from the Signature's KeyInfo. If any
 * credentials so resolved correctly verify the signature, attempt to establish trust using subclass-specific trust
 * logic against trusted information as implemented in {@link #evaluateTrust(Credential, Object)}.
 * 
 * @param signature the Signature to evaluate
 * @param trustBasis the information which serves as the basis for trust evaluation
 * @return true if the signature is verified by any KeyInfo-derived credential which can be established as trusted,
 *         otherwise false
 * @throws SecurityException if an error occurs during signature verification or trust processing
 */
protected boolean validate(Signature signature, TrustBasisType trustBasis) throws SecurityException {

    log.debug("Attempting to verify signature and establish trust using KeyInfo-derived credentials");

    if (signature.getKeyInfo() != null) {

        KeyInfoCriteria keyInfoCriteria = new KeyInfoCriteria(signature.getKeyInfo());
        CriteriaSet keyInfoCriteriaSet = new CriteriaSet(keyInfoCriteria);

        for (Credential kiCred : getKeyInfoResolver().resolve(keyInfoCriteriaSet)) {
            if (verifySignature(signature, kiCred)) {
                log.debug("Successfully verified signature using KeyInfo-derived credential");
                log.debug("Attempting to establish trust of KeyInfo-derived credential");
                if (evaluateTrust(kiCred, trustBasis)) {
                    log.debug("Successfully established trust of KeyInfo-derived credential");
                    return true;
                } else {
                    log.debug("Failed to establish trust of KeyInfo-derived credential");
                }
            }
        }
    } else {
        log.debug("Signature contained no KeyInfo element, could not resolve verification credentials");
    }

    log.debug("Failed to verify signature and/or establish trust using any KeyInfo-derived credentials");
    return false;
}
 

/** {@inheritDoc} */
public boolean validate(Signature signature, CriteriaSet trustBasisCriteria) throws SecurityException {

    checkParams(signature, trustBasisCriteria);

    CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.addAll(trustBasisCriteria);
    if (!criteriaSet.contains(UsageCriteria.class)) {
        criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
    }
    String jcaAlgorithm = SecurityHelper.getKeyAlgorithmFromURI(signature.getSignatureAlgorithm());
    if (!DatatypeHelper.isEmpty(jcaAlgorithm)) {
        criteriaSet.add(new KeyAlgorithmCriteria(jcaAlgorithm), true);
    }

    Iterable<Credential> trustedCredentials = getCredentialResolver().resolve(criteriaSet);

    if (validate(signature, trustedCredentials)) {
        return true;
    }

    // If the credentials extracted from Signature's KeyInfo (if any) did not verify the
    // signature and/or establish trust, as a fall back attempt to verify the signature with
    // the trusted credentials directly.
    log.debug("Attempting to verify signature using trusted credentials");

    for (Credential trustedCredential : trustedCredentials) {
        if (verifySignature(signature, trustedCredential)) {
            log.debug("Successfully verified signature using resolved trusted credential");
            return true;
        }
    }
    log.debug("Failed to verify signature using either KeyInfo-derived or directly trusted credentials");
    return false;
}
 

/** {@inheritDoc} */
public Iterable<Credential> resolve(CriteriaSet criteriaSet) throws SecurityException {
    Iterable<Credential> storeCandidates = resolveFromSource(criteriaSet);
    Set<EvaluableCriteria<Credential>> evaluableCriteria = getEvaluableCriteria(criteriaSet);
    if (evaluableCriteria.isEmpty()) {
        return storeCandidates;
    } else {
        return new CriteriaFilteringIterable<Credential>(storeCandidates, evaluableCriteria, 
                meetAllCriteria, unevaluableSatisfies);
    }
}