}
try {
String version = decryptedElem.getNamespaceURI();
TokenHolder holder = null;
if (version.equals(IdentityConstants.SAML10_URL)
|| version.equals(IdentityConstants.SAML11_URL)) {
holder = new SAML1TokenHolder(decryptedElem);
} else if (version.equals(IdentityConstants.SAML20_URL)) {
holder = new SAML2TokenHolder(decryptedElem);
} else {
throw new RelyingPartyException("invalidTokenType");
}
issuerName = holder.getIssuerName();
if (issuerName == null) {
throw new RelyingPartyException("issuerIsNull");
}
Signature sig = holder.getSAMLSignature();
X509CredentialImpl credential = null;
if (issuerName.equals(IdentityConstants.SELF_ISSUED_ISSUER)) {
credential = (X509CredentialImpl) X509CredentialUtil
.loadCredentialFromSignature(sig);
this.keyInfoElement = sig.getKeyInfo().getDOM();
} else {
String validationPolicy = rpData.getValidatePolicy();
String alias = null;
URI uri = new URI(issuerName);
alias = uri.getHost();
KeyStore trustStore = rpData.getTrustStore();
KeyStore systemStore = rpData.getSystemStore();
if (trustStore != null && alias != null) {
credential = (X509CredentialImpl) X509CredentialUtil
.loadCredentialFromTrustStore(alias, trustStore);
}
boolean isLoadedFromMessage = false;
if (credential == null) {
credential = (X509CredentialImpl) X509CredentialUtil
.loadCredentialFromSignature(sig);
if (credential == null)
throw new RelyingPartyException("credentialIsNull");
isLoadedFromMessage = true;
}
if (!validationPolicy.equals(TokenVerifierConstants.PROMISCUOUS)) {
this.signingCert = credential.getSigningCert();
if (signingCert == null)
throw new RelyingPartyException("signingCertNull");
/*
* do certificate validation for blacklist, whitelist and cert-validity
*/
signingCert.checkValidity();
if (isLoadedFromMessage) {
if (!IssuerCertificateUtil.checkSystemStore(signingCert, systemStore)
&& !IssuerCertificateUtil.checkSystemStore(signingCert, trustStore)) {
return false;
}
}
if (validationPolicy.equals(TokenVerifierConstants.BLACK_LIST)) {
if (IssuerCertificateUtil.isBlackListed(rpData.getBlackList(), signingCert)) {
return false;
}
} else if (validationPolicy.equals(TokenVerifierConstants.WHITE_LIST)) {
if (!IssuerCertificateUtil
.isWhiteListed(rpData.getWhiteList(), signingCert)) {
return false;
}
}
}
}
SignatureValidator validator = new SignatureValidator(credential);
validator.validate(sig);
holder.populateAttributeTable(this.attributeTable);
} catch (Exception e) {
log.debug(e);
throw new RelyingPartyException("errorInTokenVerification", e);
}