The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPPKIXValidationOptions

Define PKIXValidationOptions

PKIX validation options optionally influence how PKIX validation processing is performed. The Shibboleth IdP leverages the Java CertPath API to perform PKIX processing. These options are provided to enable advanced configuration scenarios that make use of options present on particular CertPath providers, such as those provided by Sun, IBM and Bouncy Castle. Some of these flags may also be useful in working around implementation bugs known to have existed in some versions of some CertPath providers.

PKIX validation options are defined by the element <ValidationOptions xsi:type="CertPathValidationOptionsType" />.

  • processEmptyCRLs - (boolean) Default is true. Flag indicates whether or not an empty CRL should be processed, whether specified as trusted validation info or carried inline in the X509Credential being evaluated (e.g. within a signature's KeyInfo element). Some implementations have been known to fail on empty CRLs.
  • processExpiredCRLs - (boolean) Default is true. Flag indicates whether or not an expired CRL should be processed, whether specified as trusted validation info or carried inline in the X509Credential being evaluated (e.g. within a signature's KeyInfo element).
  • processCredentialCRLs - (boolean) Default is true. Flag indicates whether CRLs carried inline with an X509Credential should be processed (e.g. within a signature's KeyInfo element).
  • defaultVerificationDepth - (integer) Default is 1. The PKIX path verification depth to use, if not otherwise specified in the resolved PKIX validation info (e.g. from metadata shibmd:KeyAuthority elements or from static ValidationInfo on the trust engine).
  • forceRevocationEnabled - (boolean) Default is false. If true, the revocation behavior of the CertPath PKIXBuilderParameters setRevocationEnabled will be forced to the value supplied by revocationEnabled. If false, the revocation behavior is determined dynamically as follows: if any CRLs are effectively present, either from validation info or in the untrusted X509Credential being evaluated (taking into consideration the processing of the other flags detailed above), revocation is set to true. If no CRLs are present, revocation is set to false.
  • revocationEnabled - (boolean) Default is true. See description of forceRevocationEnabled.
<!-- Force CertPath API PKIXBuilderParameters setRevocationEnabled to "true" -->
<ValidationOptions xsi:type="CertPathValidationOptionsType" forceRevocationEnabled="true" revocationEnabled="true" xmlns="urn:mace:shibboleth:2.0:security"/>

<!-- Force CertPath API PKIXBuilderParameters setRevocationEnabled to "false" -->
<ValidationOptions xsi:type="CertPathValidationOptionsType" forceRevocationEnabled="true" revocationEnabled="false" xmlns="urn:mace:shibboleth:2.0:security"/>

<!-- Allow CertPath API PKIXBuilderParameters setRevocationEnabled to be determined dynamically by the trust engine. -->
<ValidationOptions xsi:type="CertPathValidationOptionsType" forceRevocationEnabled="false" xmlns="urn:mace:shibboleth:2.0:security"/>
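The dynamic rule described under forceRevocationEnabled, written out as an added Java example (this is an illustrative model, not Shibboleth's own trust engine code): the option flags decide which CRLs count as "effectively present", and only when forceRevocationEnabled is false does that presence drive PKIXBuilderParameters.setRevocationEnabled. The class and method names are hypothetical; the CertPath API calls are the standard JDK ones.

```java
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.util.Collection;
import java.util.Date;
import java.util.Set;

// Hypothetical model of the revocation decision described above; not a Shibboleth class.
public final class RevocationDecision {
    // Mirrors the CertPathValidationOptionsType attributes with their documented defaults.
    public static final class Options {
        boolean processEmptyCRLs = true;
        boolean processExpiredCRLs = true;
        boolean processCredentialCRLs = true;
        boolean forceRevocationEnabled = false;
        boolean revocationEnabled = true;
    }

    // A CRL is "effectively present" only if it survives the empty/expired filters.
    static boolean isUsable(X509CRL crl, Options opts, Date now) {
        Set<?> revoked = crl.getRevokedCertificates();   // null when the CRL lists no entries
        boolean empty = revoked == null || revoked.isEmpty();
        Date next = crl.getNextUpdate();                 // may be null if the CRL omits it
        boolean expired = next != null && next.before(now);
        return (!empty || opts.processEmptyCRLs) && (!expired || opts.processExpiredCRLs);
    }

    // validationInfoCrls: trusted CRLs (e.g. from shibmd:KeyAuthority or static ValidationInfo);
    // credentialCrls: CRLs carried inline with the evaluated X509Credential (e.g. in KeyInfo).
    static boolean effectiveRevocationEnabled(Options opts, Collection<X509CRL> validationInfoCrls,
                                              Collection<X509CRL> credentialCrls, Date now) {
        if (opts.forceRevocationEnabled) {
            return opts.revocationEnabled;               // static override, CRLs not consulted
        }
        for (X509CRL crl : validationInfoCrls) {
            if (isUsable(crl, opts, now)) return true;
        }
        if (opts.processCredentialCRLs) {
            for (X509CRL crl : credentialCrls) {
                if (isUsable(crl, opts, now)) return true;
            }
        }
        return false;                                    // no usable CRL anywhere: revocation off
    }

    // Apply the decision to the CertPath parameters the trust engine hands to the path builder.
    static void apply(PKIXBuilderParameters params, Options opts,
                      Collection<X509CRL> validationInfoCrls, Collection<X509CRL> credentialCrls) {
        params.setRevocationEnabled(effectiveRevocationEnabled(opts, validationInfoCrls, credentialCrls, new Date()));
    }
}
```

With the defaults, a single non-empty, unexpired CRL from either source turns revocation checking on; setting forceRevocationEnabled="true" makes the CRL inputs irrelevant and pins the result to revocationEnabled, matching the three XML fragments above.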