Class SADParser.SADValidator

  • Enclosing class:
    SADParser

    public static class SADParser.SADValidator
    extends Object
    A validator for verifying the SAD JWT.
    Author:
    Martin Lindström (martin.lindstrom@litsec.se)
    • Constructor Detail

      • SADValidator

public SADValidator(X509Certificate... certificates)
        Constructor initializing the validator with a set of certificates that are to be used for JWT signature validation. These certificates are the IdP signing certificates obtained from the IdP metadata entry.
        Parameters:
        certificates - certificate(s) to be used when verifying the JWT signature
      • SADValidator

public SADValidator(MetadataProvider metadataProvider)
        Constructor creating a SAD validator initialized with a MetadataProvider instance. During JWT signature validation the IdP signature certificate will be obtained from the IdP metadata entry held by the metadata provider.
        Parameters:
        metadataProvider - metadata provider
      • SADValidator

public SADValidator(EntityDescriptor idpMetadata)
        Creates a SAD validator initialized with the IdP EntityDescriptor (metadata) from which the IdP signing key/certificate will be read (needed for JWT signature validation).
        Parameters:
        idpMetadata - the IdP metadata
    • Method Detail

      • validate

public SAD validate(String sadJwt,
                            String idpEntityID,
                            String expectedRecipientEntityID,
                            String expectedSubject,
                            String expectedLoa,
                            String sadRequestID,
                            int expectedNoDocs,
                            String signRequestID)
                     throws SADValidationException
Validates a SAD based on expected data. If the AuthnRequest and the issued Assertion are available, the method validate(AuthnRequest, Assertion) is a better option.

Note: It is assumed that the supplied expectedSubject parameter is an attribute value read from the assertion, having the attribute name indicated in the 'attr' field of the SAD. If this attribute name is not known in advance, the SAD needs to be parsed (SADParser.parse(String)) so that the 'attr' field can be read and the correct attribute value can be located in the assertion.

        Parameters:
        sadJwt - the encoded SAD JWT (found in the sad attribute of a received assertion)
        idpEntityID - the entityID of the issuing IdP (the issuer of the received assertion holding the sad attribute)
        expectedRecipientEntityID - the entityID of the recipient (the signature service SP that issued the SADRequest)
        expectedSubject - the expected subject name (user ID). See note above
        expectedLoa - the expected level of assurance to be found in the SAD (should be the LoA found in the assertion)
        sadRequestID - the ID of the SADRequest extension that was sent to the IdP
expectedNoDocs - expected number of documents (from the DocCount element of the SADRequest)
        signRequestID - ID for the SignRequest that was included in the SADRequest
        Returns:
        a SAD object
        Throws:
        SADValidationException - for validation errors
      • verifyJwtSignature

public void verifyJwtSignature(String sadJwt,
                                       String idpEntityID)
                                throws SADValidationException
        Verifies the signature on the supplied SAD JWT.
        Parameters:
        sadJwt - the SAD JWT
        idpEntityID - the entityID of the IdP that signed the JWT
        Throws:
        SADValidationException - for signature validation errors
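An added usage example (not part of the library) showing how a signature service SP wires the values it already holds, from the SADRequest it sent and from the received assertion, into SADParser.SADValidator.validate(...). The SadRequestRecord type, the assertionAttributes map and the subjectAttributeName setting are assumptions standing in for the SP's own request store and assertion handling; the case where the 'attr' field must first be read from the SAD is left to SADParser.parse(String) as the note above describes.

```java
import java.security.cert.X509Certificate;
import java.util.Map;

/** Added example, not library code. Validates a SAD against data the SP holds. */
public final class SadCheck {

  /** What the SP stored when it built the SADRequest (assumed record type). */
  public record SadRequestRecord(String sadRequestID, String signRequestID, int docCount) {}

  private final SADParser.SADValidator validator;
  private final String spEntityID;
  private final String subjectAttributeName; // assumed: attribute the SP expects in the SAD 'attr' field

  public SadCheck(X509Certificate[] idpSigningCerts, String spEntityID, String subjectAttributeName) {
    // Certificates come from the IdP metadata entry; the MetadataProvider or
    // EntityDescriptor constructors are the alternatives documented above.
    this.validator = new SADParser.SADValidator(idpSigningCerts);
    this.spEntityID = spEntityID;
    this.subjectAttributeName = subjectAttributeName;
  }

  /**
   * Returns the validated SAD or throws. Every expected value is taken from the
   * assertion or from the SP's own SADRequest record, never from the SAD itself,
   * so the token cannot supply its own expectations.
   *
   * @param sadJwt              encoded SAD JWT read from the assertion's sad attribute
   * @param assertionIssuer     issuer entityID of the assertion (the IdP)
   * @param assertionLoa        level of assurance stated in the assertion
   * @param assertionAttributes attribute name to value map read from the assertion (assumed shape)
   * @param request             the SADRequest the SP sent, looked up by the SP beforehand
   */
  public SAD check(String sadJwt, String assertionIssuer, String assertionLoa,
      Map<String, String> assertionAttributes, SadRequestRecord request) throws SADValidationException {
    String expectedSubject = assertionAttributes.get(subjectAttributeName);
    if (expectedSubject == null) {
      // Fail closed: without the subject attribute there is nothing to bind the SAD to.
      throw new IllegalArgumentException("Assertion lacks attribute " + subjectAttributeName);
    }
    return validator.validate(sadJwt, assertionIssuer, spEntityID, expectedSubject, assertionLoa,
        request.sadRequestID(), request.docCount(), request.signRequestID());
  }
}
```

A SADValidationException from validate(...) must abort the signing operation; the returned SAD object is the only evidence that the user activated the signature for exactly this SignRequest and document count.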