org.apache.ws.security.validate
Class SignatureTrustValidator

java.lang.Object
  org.apache.ws.security.validate.SignatureTrustValidator

All Implemented Interfaces:

Validator

Direct Known Subclasses:

SamlAssertionValidator

public class SignatureTrustValidator
extends java.lang.Object
implements Validator

This class verifies trust in a credential used to verify a signature, which is extracted from the Credential passed to the validate method.

Constructor Summary

SignatureTrustValidator()

Method Summary

protected Crypto	getCrypto(RequestData data)
protected boolean	isCertificateInKeyStore(Crypto crypto, java.security.cert.X509Certificate cert) Check to see if the certificate argument is in the keystore
protected boolean	matches(java.security.cert.X509Certificate cert, java.util.Collection<java.util.regex.Pattern> subjectDNPatterns)
Credential	validate(Credential credential, RequestData data) Validate the credential argument.
protected void	validateCertificates(java.security.cert.X509Certificate[] certificates) Validate the certificates by checking the validity of each cert
protected boolean	validatePublicKey(java.security.PublicKey publicKey, Crypto crypto) Validate a public key
protected boolean	verifyTrustInCert(java.security.cert.X509Certificate cert, Crypto crypto) Deprecated.
protected boolean	verifyTrustInCert(java.security.cert.X509Certificate cert, Crypto crypto, boolean enableRevocation) Deprecated.
protected boolean	verifyTrustInCert(java.security.cert.X509Certificate cert, Crypto crypto, RequestData data, boolean enableRevocation) Evaluate whether a given certificate should be trusted.
protected boolean	verifyTrustInCerts(java.security.cert.X509Certificate[] certificates, Crypto crypto) Deprecated.
protected boolean	verifyTrustInCerts(java.security.cert.X509Certificate[] certificates, Crypto crypto, boolean enableRevocation) Deprecated.
protected boolean	verifyTrustInCerts(java.security.cert.X509Certificate[] certificates, Crypto crypto, RequestData data, boolean enableRevocation) Evaluate whether the given certificate chain should be trusted.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SignatureTrustValidator

public SignatureTrustValidator()

Method Detail

validate

public Credential validate(Credential credential,
                           RequestData data)
                    throws WSSecurityException

Validate the credential argument. It must contain a non-null X509Certificate chain or a PublicKey. A Crypto implementation is also required to be set. This implementation first attempts to verify trust on the certificate (chain). If this is not successful, then it will attempt to verify trust on the Public Key.

Specified by:

validate in interface Validator

Parameters:

credential - the Credential to be validated

data - the RequestData associated with the request

Returns:

a validated Credential

Throws:

WSSecurityException - on a failed validation

getCrypto

protected Crypto getCrypto(RequestData data)

validateCertificates

protected void validateCertificates(java.security.cert.X509Certificate[] certificates)
                             throws WSSecurityException

Validate the certificates by checking the validity of each cert

Throws:

WSSecurityException

verifyTrustInCert

@Deprecated
protected boolean verifyTrustInCert(java.security.cert.X509Certificate cert,
                                               Crypto crypto)
                             throws WSSecurityException

Deprecated.

Throws:

WSSecurityException

verifyTrustInCert

@Deprecated
protected boolean verifyTrustInCert(java.security.cert.X509Certificate cert,
                                               Crypto crypto,
                                               boolean enableRevocation)
                             throws WSSecurityException

Deprecated.

Throws:

WSSecurityException

verifyTrustInCert

protected boolean verifyTrustInCert(java.security.cert.X509Certificate cert,
                                    Crypto crypto,
                                    RequestData data,
                                    boolean enableRevocation)
                             throws WSSecurityException

Evaluate whether a given certificate should be trusted. Policy used in this implementation: 1. Search the keystore for the transmitted certificate 2. Search the keystore for a connection to the transmitted certificate (that is, search for certificate(s) of the issuer of the transmitted certificate 3. Verify the trust path for those certificates found because the search for the issuer might be fooled by a phony DN (String!)

Parameters:

cert - the certificate that should be validated against the keystore

crypto - A crypto instance to use for trust validation

data - A RequestData instance

enableRevocation - Whether revocation is enabled or not

Returns:

true if the certificate is trusted, false if not

Throws:

WSSecurityException

isCertificateInKeyStore

protected boolean isCertificateInKeyStore(Crypto crypto,
                                          java.security.cert.X509Certificate cert)
                                   throws WSSecurityException

Check to see if the certificate argument is in the keystore

Parameters:

crypto - A Crypto instance to use for trust validation

cert - The certificate to check

Returns:

true if cert is in the keystore

Throws:

WSSecurityException

verifyTrustInCerts

@Deprecated
protected boolean verifyTrustInCerts(java.security.cert.X509Certificate[] certificates,
                                                Crypto crypto)
                              throws WSSecurityException

Deprecated.

Throws:

WSSecurityException

verifyTrustInCerts

@Deprecated
protected boolean verifyTrustInCerts(java.security.cert.X509Certificate[] certificates,
                                                Crypto crypto,
                                                boolean enableRevocation)
                              throws WSSecurityException

Deprecated.

Throws:

WSSecurityException

verifyTrustInCerts

protected boolean verifyTrustInCerts(java.security.cert.X509Certificate[] certificates,
                                     Crypto crypto,
                                     RequestData data,
                                     boolean enableRevocation)
                              throws WSSecurityException

Evaluate whether the given certificate chain should be trusted.

Parameters:

certificates - the certificate chain that should be validated against the keystore

crypto - A Crypto instance

data - A RequestData instance

enableRevocation - Whether revocation is enabled or not

Returns:

true if the certificate chain is trusted, false if not

Throws:

WSSecurityException

validatePublicKey

protected boolean validatePublicKey(java.security.PublicKey publicKey,
                                    Crypto crypto)
                             throws WSSecurityException

Validate a public key

Throws:

WSSecurityException

matches

protected boolean matches(java.security.cert.X509Certificate cert,
                          java.util.Collection<java.util.regex.Pattern> subjectDNPatterns)

Returns:

true if the certificate's SubjectDN matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate subject DN only has to match ONE of the subject cert constraints (not all).