java.lang.Object
com.nimbusds.openid.connect.sdk.federation.trust.TrustChain

@Immutable public final class TrustChain extends Object
Federation entity trust chain.

Related specifications:

  • OpenID Connect Federation 1.0, sections 3.2 and 7.1.

  • Constructor Details

    • TrustChain

      public TrustChain(EntityStatement leaf, List<EntityStatement> superiors)
      Creates a new trust chain. Validates the subject / issuer linkage between the statements; the signatures are not verified.
      Parameters:
      leaf - The leaf entity configuration. Must not be null.
      superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.
      Throws:
      IllegalArgumentException - If the subject / issuer chain is broken.
    • TrustChain

      public TrustChain(EntityStatement leaf, List<EntityStatement> superiors, EntityStatement trustAnchor)
      Creates a new trust chain. Validates the subject / issuer linkage between the statements; the signatures are not verified.
      Parameters:
      leaf - The leaf entity configuration. Must not be null.
      superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.
      trustAnchor - The optional trust anchor entity configuration, null if not specified.
      Throws:
      IllegalArgumentException - If the subject / issuer chain is broken.
  • Method Details

    • getLeafConfiguration

      Returns the leaf entity configuration.
      Returns:
      The leaf entity configuration.
    • getSuperiorStatements

      Returns the superior entity statements.
      Returns:
      The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain).
    • getTrustAnchorConfiguration

      Returns the optional trust anchor entity configuration.
      Returns:
      The trust anchor entity configuration, null if not specified.
    • getTrustAnchorEntityID

      Returns the entity ID of the trust anchor.
      Returns:
      The entity ID of the trust anchor.
    • length

      public int length()
      Returns the length of this trust chain. A minimal trust chain with a leaf and anchor has a length of one.
      Returns:
      The trust chain length, with a minimal length of one.
    • resolveCombinedMetadataPolicy

      Resolves the combined metadata policy for this trust chain. Uses the default policy combination validator.
      Parameters:
      type - The entity type, such as openid_relying_party. Must not be null.
      Returns:
      The combined metadata policy, with no policy operations if no policies were found.
      Throws:
      PolicyViolationException - On a policy violation.
    • resolveCombinedMetadataPolicy

      Resolves the combined metadata policy for this trust chain.
      Parameters:
      type - The entity type, such as openid_relying_party. Must not be null.
      combinationValidator - The policy operation combination validator. Must not be null.
      Returns:
      The combined metadata policy, with no policy operations if no policies were found.
      Throws:
      PolicyViolationException - On a policy violation.
    • iteratorFromLeaf

      Returns an iterator starting from the leaf entity statement. The optional trust anchor entity configuration is omitted.
      Returns:
      The iterator.
    • resolveExpirationTime

      Resolves the expiration time for this trust chain. This is the earliest expiration time among all entity statements in the trust chain.
      Returns:
      The expiration time for this trust chain.
    • verifySignatures

      public void verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException
      Verifies the signatures in this trust chain.
      Parameters:
      trustAnchorJWKSet - The trust anchor JWK set. Must not be null.
      Throws:
      com.nimbusds.jose.proc.BadJOSEException - If a signature is invalid or a statement is expired or before the issue time.
      com.nimbusds.jose.JOSEException - On an internal JOSE exception.
    • toJWTs

      public List<com.nimbusds.jwt.SignedJWT> toJWTs()
      Returns a JWT list representation of this trust chain.
      Returns:
      The JWT list.
    • toSerializedJWTs

      Returns a serialised JWT list representation of this trust chain.
      Returns:
      The serialised JWT list.
    • parse

      public static TrustChain parse(List<com.nimbusds.jwt.SignedJWT> statementJWTs) throws ParseException
      Parses a trust chain from the specified JWT list.
      Parameters:
      statementJWTs - The JWT list. Must not be null.
      Returns:
      The trust chain.
      Throws:
      ParseException - If parsing failed.
    • parseSerialized

      public static TrustChain parseSerialized(List<String> statementJWTs) throws ParseException
      Parses a trust chain from the specified serialised JWT list.
      Parameters:
      statementJWTs - The serialised JWT list. Must not be null.
      Returns:
      The trust chain.
      Throws:
      ParseException - If parsing failed.
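An added example, not part of the SDK or this page, showing how a relying party would consume a received trust chain with the methods above: parse it, confirm it ends at the anchor this deployment trusts, verify signatures with the anchor's keys, bound caching by the chain's expiration, and only then resolve the combined RP metadata policy. The anchor entity ID, the JWK set URL and the JWT strings are constructed placeholders; the import package paths follow the SDK's federation package layout as I know it and are otherwise an assumption.

```java
import java.net.URL;
import java.util.Date;
import java.util.List;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityID;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityType;
import com.nimbusds.openid.connect.sdk.federation.policy.MetadataPolicy;
import com.nimbusds.openid.connect.sdk.federation.policy.language.PolicyViolationException;
import com.nimbusds.openid.connect.sdk.federation.trust.TrustChain;

public final class TrustChainCheck {

    // The only trust anchor this deployment accepts (constructed placeholder).
    private static final EntityID EXPECTED_ANCHOR = new EntityID("https://anchor.example.com");

    /** Parses, verifies and evaluates a trust chain received from a peer. */
    public static MetadataPolicy verifyChain(List<String> serialisedJWTs, JWKSet anchorJWKSet)
            throws ParseException, BadJOSEException, JOSEException, PolicyViolationException {

        // 1. Parsing validates only the subject / issuer linkage; signatures are NOT checked yet.
        TrustChain chain = TrustChain.parseSerialized(serialisedJWTs);

        // 2. The chain must end at the anchor we configured, not at one the peer chose.
        //    Check this before the anchor keys are used for anything.
        if (!EXPECTED_ANCHOR.equals(chain.getTrustAnchorEntityID())) {
            throw new BadJOSEException("Unexpected trust anchor: " + chain.getTrustAnchorEntityID());
        }

        // 3. Verify every signature against the anchor's keys; this also rejects
        //    statements that are expired or not yet valid.
        chain.verifySignatures(anchorJWKSet);

        // 4. Never cache the chain beyond its earliest-expiring statement.
        Date exp = chain.resolveExpirationTime();
        if (exp == null || !exp.after(new Date())) {
            throw new BadJOSEException("Trust chain has expired");
        }

        // 5. Combine the superiors' policies for the RP entity type (default combination validator).
        return chain.resolveCombinedMetadataPolicy(EntityType.OPENID_RELYING_PARTY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: in practice the compact JWTs come from trust chain resolution.
        List<String> chainJWTs = List.of("<leaf-entity-configuration-jwt>", "<anchor-statement-about-leaf>");
        JWKSet anchorKeys = JWKSet.load(new URL("https://anchor.example.com/.well-known/jwks.json")); // placeholder
        System.out.println("Combined RP policy: " + verifyChain(chainJWTs, anchorKeys));
    }
}
```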