The PKIX engines (type="PKIX", type="StaticPKIX") evaluate this Trust Engine evaluate certificates against "key names" identified in Metadata and then against a set of PXIX validation rules either embedded in a Metadata extension or configured locally/statically. It is a superset of the older ShibbolethTrustEngine.
...
It has the following behavior, implications, and problems.
Attributes
Common Attributes
...
The PKIX Trust Engine can only have the common attributes
...
| Name | Type | Default | Description |
|---|---|---|---|
| string | Required | Plugin type name. |
Specific Attributes (StaticPKIX only)
Name | Type | Default | Description |
|---|---|---|---|
| integer | 1 | Length of CA chain to permit. |
certificate | local pathname | Optional path to a file with one or more CA certificate to trust. | |
checkRevocation | "off", "entityOnly", "fullChain" | "off" | Controls the behavior of CRL checking by the trust engine. If omitted or set to "off", no CRLs are used at all. The other options require that at least one CRL be available and will fail the check otherwise. The "fullChain" option requires that a CRL be available for all untrusted certificates in the validation path, otherwise only a CRL for the end entity certificate is required. |
Child Elements
The PKIX Trust Engine can only have the child elements
...
Common child Elements
Name | Cardinality | Description | |
|---|---|---|---|
<KeyInfoResolver> | 0 or 1 | Advanced plugin interface for mapping | |
Specific Child Elements (StatixPKIX only)
Name | Cardinality | Description | |
|---|---|---|---|
<CredentialResolver> | 0 or 1 | A credential resolver plugin to use to load the CA certificate(s) to trust | |
...