Class TrustChain


  • @Immutable
    public final class TrustChain
    extends Object

    Federation entity trust chain.

    Related specifications:

      • OpenID Connect Federation 1.0, sections 2.2 and 7.

    • Constructor Detail

      • TrustChain

        public TrustChain(EntityStatement leaf,
                          List<EntityStatement> superiors)
        Creates a new federation entity trust chain. Validates the subject - issuer chain; the signatures are not verified.
        Parameters:
        leaf - The leaf entity self-statement. Must not be null.
        superiors - The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain). Must contain at least one entity statement.
        Throws:
        IllegalArgumentException - If the subject - issuer chain is broken.
    • Method Detail

      • getSuperiorStatements

        public List<EntityStatement> getSuperiorStatements()
        Returns the superior entity statements.
        Returns:
        The superior entity statements, starting with a statement of the first superior about the leaf, ending with the statement of the trust anchor about the last intermediate or the leaf (for a minimal trust chain).
      • getTrustAnchorEntityID

        public EntityID getTrustAnchorEntityID()
        Returns the entity ID of the trust anchor.
        Returns:
        The entity ID of the trust anchor.
      • length

        public int length()
        Returns the length of this trust chain. A minimal trust chain with a leaf and anchor has a length of one.
        Returns:
        The trust chain length.
      • resolveExpirationTime

        public Date resolveExpirationTime()
        Resolves the expiration time for this trust chain, which is the earliest expiration time among all entity statements in the chain.
        Returns:
        The expiration time for this trust chain.
      • verifySignatures

        public void verifySignatures(com.nimbusds.jose.jwk.JWKSet trustAnchorJWKSet)
                              throws com.nimbusds.jose.proc.BadJOSEException,
                                     com.nimbusds.jose.JOSEException
        Verifies the signatures in this trust chain.
        Parameters:
        trustAnchorJWKSet - The trust anchor JWK set. Must not be null.
        Throws:
        com.nimbusds.jose.proc.BadJOSEException - If a signature is invalid, or if a statement has expired or is used before its issue time.
        com.nimbusds.jose.JOSEException - On an internal JOSE exception.
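The following is an added stand-alone model (not the SDK's code) of the rules documented above for the constructor, length(), resolveExpirationTime() and the time checks in verifySignatures(): each superior statement must be about the issuer of the statement before it, the trust anchor is the issuer of the last statement, the chain expires at the earliest exp, and any statement outside its iat/exp window is rejected. The Statement type, TrustChainModel class and entity IDs are constructed for illustration; signature verification is deliberately left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class Statement:
    """Only the claims the chain check needs; JWT signatures are out of scope here."""
    iss: str        # entity ID of the issuer
    sub: str        # entity ID the statement is about
    iat: datetime
    exp: datetime

class TrustChainModel:
    def __init__(self, leaf: Statement, superiors: list):
        if leaf.iss != leaf.sub:
            raise ValueError("leaf must be a self-statement (iss == sub)")
        if not superiors:
            raise ValueError("at least one superior statement is required")
        # superiors[0] must be about the leaf, superiors[i] about the issuer of superiors[i-1]
        expected_subject = leaf.sub
        for i, stmt in enumerate(superiors):
            if stmt.sub != expected_subject:
                raise ValueError(f"broken chain at superiors[{i}]: sub={stmt.sub!r}, expected {expected_subject!r}")
            expected_subject = stmt.iss
        self.leaf, self.superiors = leaf, list(superiors)

    def trust_anchor_entity_id(self) -> str:
        return self.superiors[-1].iss   # issuer of the last (trust anchor) statement

    def length(self) -> int:
        return len(self.superiors)      # leaf + anchor only -> 1

    def resolve_expiration_time(self) -> datetime:
        return min(s.exp for s in (self.leaf, *self.superiors))

    def check_time_window(self, now: datetime) -> None:
        """Reject a chain holding a statement that is expired or not yet issued."""
        for stmt in (self.leaf, *self.superiors):
            if now < stmt.iat or now >= stmt.exp:
                raise ValueError(f"statement by {stmt.iss} is outside its validity window")

def is_well_formed(leaf: Statement, superiors: list) -> bool:
    try:
        TrustChainModel(leaf, superiors)
        return True
    except ValueError:
        return False

# Constructed sample chain RP -> intermediate -> trust anchor (hypothetical entity IDs)
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LEAF = Statement("https://rp.example.com", "https://rp.example.com", T0, T0 + timedelta(hours=1))
ABOUT_LEAF = Statement("https://inter.example.org", "https://rp.example.com", T0, T0 + timedelta(hours=2))
ABOUT_INTER = Statement("https://ta.example.org", "https://inter.example.org", T0, T0 + timedelta(minutes=30))
```

Passing the superiors in the wrong order, or a leaf statement that is not a self-statement, is rejected at construction time, which mirrors the IllegalArgumentException described for the constructor.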