Package com.nimbusds.openid.connect.sdk.federation.trust

Class TrustChain

java.lang.Object

com.nimbusds.openid.connect.sdk.federation.trust.TrustChain

@Immutable
public final class TrustChain
extends Object

Federation entity trust chain.

Related specifications:

• OpenID Connect Federation 1.0, sections 2.2 and 7.

Constructor Summary

Constructors

Constructor	Description
TrustChain(EntityStatement leaf, List<EntityStatement> superiors)	Creates a new federation entity trust chain.

Method Summary

Modifier and Type	Method	Description
EntityStatement	getLeafSelfStatement()	Returns the leaf entity self-statement.
List<EntityStatement>	getSuperiorStatements()	Returns the superior entity statements.
EntityID	getTrustAnchorEntityID()	Returns the entity ID of the trust anchor.
Iterator<EntityStatement>	iteratorFromLeaf()	Return an iterator starting from the leaf entity statement.
int	length()	Returns the length of this trust chain.
MetadataPolicy	resolveCombinedMetadataPolicy(FederationMetadataType type)	Resolves the combined metadata policy for this trust chain.
MetadataPolicy	resolveCombinedMetadataPolicy(FederationMetadataType type, PolicyOperationCombinationValidator combinationValidator)	Resolves the combined metadata policy for this trust chain.
Date	resolveExpirationTime()	Resolves the expiration time for this trust chain.
void	verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet)	Verifies the signatures in this trust chain.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

TrustChain

public TrustChain(EntityStatement leaf,
                  List<EntityStatement> superiors)

Creates a new federation entity trust chain. Validates the subject - issuer chain, the signatures are not verified.

Parameters:

leaf - The leaf entity self-statement. Must not be null.

superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.

Throws:

IllegalArgumentException - If the subject - issuer chain is broken.

Method Detail

getLeafSelfStatement

public EntityStatement getLeafSelfStatement()

Returns the leaf entity self-statement.

Returns:

The leaf entity self-statement.

getSuperiorStatements

public List<EntityStatement> getSuperiorStatements()

Returns the superior entity statements.

Returns:

The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain).

getTrustAnchorEntityID

public EntityID getTrustAnchorEntityID()

Returns the entity ID of the trust anchor.

Returns:

The entity ID of the trust anchor.

length

public int length()

Returns the length of this trust chain. A minimal trust chain with a leaf and anchor has a length of one.

Returns:

The trust chain length.

resolveCombinedMetadataPolicy

public MetadataPolicy resolveCombinedMetadataPolicy(FederationMetadataType type)
                                             throws PolicyViolationException

Resolves the combined metadata policy for this trust chain. Uses the default policy combination validator.

Parameters:

type - The metadata type, such as openid_relying_party. Must not be null.

Returns:

The combined metadata policy, with no policy operations if no policies were found.

Throws:

PolicyViolationException - On a policy violation exception.

resolveCombinedMetadataPolicy

public MetadataPolicy resolveCombinedMetadataPolicy(FederationMetadataType type,
                                                    PolicyOperationCombinationValidator combinationValidator)
                                             throws PolicyViolationException

Resolves the combined metadata policy for this trust chain.

Parameters:

type - The metadata type, such as openid_relying_party. Must not be null.

combinationValidator - The policy operation combination validator. Must not be null.

Returns:

The combined metadata policy, with no policy operations if no policies were found.

Throws:

PolicyViolationException - On a policy violation exception.

iteratorFromLeaf

public Iterator<EntityStatement> iteratorFromLeaf()

Return an iterator starting from the leaf entity statement.

Returns:

The iterator.

resolveExpirationTime

public Date resolveExpirationTime()

Resolves the expiration time for this trust chain. Equals the nearest expiration when all entity statements in the trust chain are considered.

Returns:

The expiration time for this trust chain.

verifySignatures

public void verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet)
                      throws com.nimbusds.jose.proc.BadJOSEException,
                             com.nimbusds.jose.JOSEException

Verifies the signatures in this trust chain.

Parameters:

trustAnchorJWKSet - The trust anchor JWK set. Must not be null.

Throws:

com.nimbusds.jose.proc.BadJOSEException - If a signature is invalid or a statement is expired or before the issue time.

com.nimbusds.jose.JOSEException - On a internal JOSE exception.