Package org.apache.wss4j.common.crypto
Interface Crypto

All Known Implementing Classes:
    CertificateStore, CryptoBase, Merlin, MerlinAKI, MerlinDevice

public interface Crypto
Method Summary

All methods are instance methods and abstract.

byte[] getBytesFromCertificates(X509Certificate[] certs)
    Get a byte array given an array of X509 certificates.

CertificateFactory getCertificateFactory()
    Get the CertificateFactory instance on this Crypto instance.

X509Certificate[] getCertificatesFromBytes(byte[] data)
    Construct an array of X509Certificates from the byte array.

String getCryptoProvider()
    Get the crypto provider associated with this implementation.

String getDefaultX509Identifier()
    Retrieves the identifier name of the default certificate.

PrivateKey getPrivateKey(String identifier, String password)
    Gets the private key corresponding to the identifier.

PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler)
    Gets the private key corresponding to the certificate.

PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler)
    Gets the private key corresponding to the given PublicKey.

byte[] getSKIBytesFromCert(X509Certificate cert)
    Reads the SubjectKeyIdentifier information from the certificate.

String getTrustProvider()
    Get the crypto provider used for truststore operations associated with this implementation.

X509Certificate[] getX509Certificates(CryptoType cryptoType)
    Get an X509Certificate (chain) corresponding to the CryptoType argument.

String getX509Identifier(X509Certificate cert)
    Get the implementation-specific identifier corresponding to the cert parameter, e.g. a KeyStore alias.

X509Certificate loadCertificate(InputStream in)
    Load an X509Certificate from the input stream.

void setCertificateFactory(CertificateFactory certFactory)
    Sets the CertificateFactory instance on this Crypto instance.

void setCryptoProvider(String provider)
    Set the crypto provider associated with this implementation.

void setDefaultX509Identifier(String identifier)
    Sets the identifier name of the default certificate.

void setTrustProvider(String provider)
    Set the crypto provider used for truststore operations associated with this implementation.

void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints)
    Evaluate whether a given certificate chain should be trusted.

void verifyTrust(PublicKey publicKey)
    Evaluate whether a given public key should be trusted.
Method Detail

getCryptoProvider

String getCryptoProvider()

Get the crypto provider associated with this implementation.

Returns:
    the crypto provider

setCryptoProvider

void setCryptoProvider(String provider)

Set the crypto provider associated with this implementation.

Parameters:
    provider - the crypto provider name to set

getTrustProvider

String getTrustProvider()

Get the crypto provider used for truststore operations associated with this implementation.

Returns:
    a crypto provider name

setTrustProvider

void setTrustProvider(String provider)

Set the crypto provider used for truststore operations associated with this implementation.

Parameters:
    provider - the name of the provider
getDefaultX509Identifier

String getDefaultX509Identifier() throws WSSecurityException

Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.

Returns:
    name of the default X509 certificate
Throws:
    WSSecurityException

setDefaultX509Identifier

void setDefaultX509Identifier(String identifier)

Sets the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. The identifier is implementation specific, e.g. it could be the KeyStore alias.

Parameters:
    identifier - name of the default X509 certificate
setCertificateFactory

void setCertificateFactory(CertificateFactory certFactory)

Sets the CertificateFactory instance on this Crypto instance.

Parameters:
    certFactory - the CertificateFactory instance to set

getCertificateFactory

CertificateFactory getCertificateFactory() throws WSSecurityException

Get the CertificateFactory instance on this Crypto instance.

Returns:
    a CertificateFactory to construct X509 certificates
Throws:
    WSSecurityException

loadCertificate

X509Certificate loadCertificate(InputStream in) throws WSSecurityException

Load an X509Certificate from the input stream.

Parameters:
    in - The InputStream containing the X509 data
Returns:
    An X509 certificate
Throws:
    WSSecurityException
getSKIBytesFromCert

byte[] getSKIBytesFromCert(X509Certificate cert) throws WSSecurityException

Reads the SubjectKeyIdentifier information from the certificate. If the certificate does not contain an SKI extension, the SKI is computed according to RFC 3280 using the SHA-1 hash value of the public key. The second method described in RFC 3280 is not supported, and only RSA public keys are supported. If the SKI cannot be computed, a WSSecurityException is thrown.

Parameters:
    cert - The certificate from which to read the SKI
Returns:
    The byte array containing the binary SKI data
Throws:
    WSSecurityException
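The lookup order described above (use the SubjectKeyIdentifier extension when present, otherwise derive it with RFC 3280 method 1) can be reproduced with only the JDK. The following is an added example written for this page, not WSS4J's implementation: the class and helper names are mine, the DER reader handles only the two shapes it needs (SubjectPublicKeyInfo and a DER OCTET STRING), and the RSA key pair in main is constructed on the fly so the program runs offline.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Added example: SubjectKeyIdentifier lookup with an RFC 3280 method (1) fallback. Not WSS4J code. */
public final class SkiExample {

    private static final String SKI_OID = "2.5.29.14"; // id-ce-subjectKeyIdentifier

    /** Prefer the certificate's own SKI extension; fall back to computing it from the public key. */
    public static byte[] skiFor(X509Certificate cert) throws Exception {
        byte[] extValue = cert.getExtensionValue(SKI_OID);
        if (extValue != null) {
            // getExtensionValue() returns the DER OCTET STRING wrapping extnValue; the extnValue
            // itself is the KeyIdentifier OCTET STRING, so two layers are unwrapped.
            return derOctetStringContents(derOctetStringContents(extValue));
        }
        return computeSki(cert.getPublicKey());
    }

    /** RFC 3280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING, unused-bits byte excluded. */
    public static byte[] computeSki(PublicKey key) throws Exception {
        if (!"RSA".equals(key.getAlgorithm())) {
            // Mirrors the documented restriction to RSA keys.
            throw new IllegalArgumentException("only RSA public keys are supported");
        }
        byte[] spki = key.getEncoded(); // DER SubjectPublicKeyInfo
        return MessageDigest.getInstance("SHA-1").digest(subjectPublicKeyBits(spki));
    }

    /** Minimal DER TLV header reader: returns {contentOffset, contentLength} for the element at off. */
    private static int[] tlv(byte[] der, int off) {
        int len = der[off + 1] & 0xFF;
        int hdr = 2;
        if (len > 0x7F) {               // long-form length: low 7 bits give the byte count
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[off + 2 + i] & 0xFF);
            }
            hdr = 2 + n;
        }
        return new int[] { off + hdr, len };
    }

    private static byte[] derOctetStringContents(byte[] der) {
        if ((der[0] & 0xFF) != 0x04) {
            throw new IllegalArgumentException("expected DER OCTET STRING");
        }
        int[] c = tlv(der, 0);
        return Arrays.copyOfRange(der, c[0], c[0] + c[1]);
    }

    /** SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }. */
    private static byte[] subjectPublicKeyBits(byte[] spki) {
        int[] seq = tlv(spki, 0);            // outer SEQUENCE
        int[] alg = tlv(spki, seq[0]);       // AlgorithmIdentifier SEQUENCE
        int bitStringOff = alg[0] + alg[1];  // element following the AlgorithmIdentifier
        if ((spki[bitStringOff] & 0xFF) != 0x03) {
            throw new IllegalArgumentException("expected BIT STRING");
        }
        int[] bs = tlv(spki, bitStringOff);
        // First content byte of a BIT STRING is the unused-bit count; RFC 3280 hashes only the key bits.
        return Arrays.copyOfRange(spki, bs[0] + 1, bs[0] + bs[1]);
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey pub = kpg.generateKeyPair().getPublic(); // constructed sample key, not a real identity
        byte[] ski = computeSki(pub);
        System.out.println("computed SKI (" + ski.length + " bytes): " + hex(ski));
    }
}
```

When a certificate does carry the extension, the value computed by computeSki only matches it if the issuing CA also used method (1); CAs are free to derive the identifier differently, which is why the extension is consulted first and the hash is only a fallback.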
getBytesFromCertificates

byte[] getBytesFromCertificates(X509Certificate[] certs) throws WSSecurityException

Get a byte array given an array of X509 certificates.

Parameters:
    certs - The certificates to convert
Returns:
    The byte array for the certificates
Throws:
    WSSecurityException

getCertificatesFromBytes

X509Certificate[] getCertificatesFromBytes(byte[] data) throws WSSecurityException

Construct an array of X509Certificates from the byte array.

Parameters:
    data - The byte array containing the X509 data
Returns:
    An array of X509 certificates
Throws:
    WSSecurityException
getX509Certificates

X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException

Get an X509Certificate (chain) corresponding to the CryptoType argument. The supported types are as follows:

    TYPE.ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number
    TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 of the (root) cert
    TYPE.SKI_BYTES - A certificate (chain) is located by the SKI bytes of the (root) cert
    TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of the (root) cert
    TYPE.ALIAS - A certificate (chain) is located by an alias. This alias is implementation specific, for example it could be a java KeyStore alias.

Throws:
    WSSecurityException
getX509Identifier

String getX509Identifier(X509Certificate cert) throws WSSecurityException

Get the implementation-specific identifier corresponding to the cert parameter, e.g. the identifier could be a KeyStore alias.

Parameters:
    cert - The X509Certificate for which to search for an identifier
Returns:
    the identifier corresponding to the cert parameter
Throws:
    WSSecurityException
getPrivateKey

PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler) throws WSSecurityException

Gets the private key corresponding to the certificate.

Parameters:
    certificate - The X509Certificate corresponding to the private key
    callbackHandler - The callbackHandler needed to get the password
Returns:
    The private key
Throws:
    WSSecurityException

getPrivateKey

PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler) throws WSSecurityException

Gets the private key corresponding to the given PublicKey.

Parameters:
    publicKey - The PublicKey corresponding to the private key
    callbackHandler - The callbackHandler needed to get the password
Returns:
    The private key
Throws:
    WSSecurityException

getPrivateKey

PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException

Gets the private key corresponding to the identifier.

Parameters:
    identifier - The implementation-specific identifier corresponding to the key
    password - The password needed to get the key
Returns:
    The private key
Throws:
    WSSecurityException
verifyTrust

void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints) throws WSSecurityException

Evaluate whether a given certificate chain should be trusted.

Parameters:
    certs - Certificate chain to validate
    enableRevocation - whether to enable CRL verification or not
    subjectCertConstraints - A set of constraints on the Subject DN of the certificates
    issuerCertConstraints - A set of constraints on the Issuer DN of the certificates
Throws:
    WSSecurityException - if the certificate chain is invalid

verifyTrust

void verifyTrust(PublicKey publicKey) throws WSSecurityException

Evaluate whether a given public key should be trusted.

Parameters:
    publicKey - The PublicKey to be evaluated
Throws:
    WSSecurityException - if the PublicKey is invalid
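Putting the getX509Certificates lookup and the four-argument verifyTrust together, the following added example (mine, not WSS4J's or any project's code) resolves a chain by alias from a Merlin-backed Crypto and checks it with revocation enabled and the Subject and Issuer DNs pinned by patterns. It assumes the Merlin configuration property names I know from WSS4J 2.x (org.apache.wss4j.crypto.provider and the org.apache.wss4j.crypto.merlin.* keys), which are not on this page; the keystore paths, passwords, alias and DN patterns are placeholders to replace with your own, and the class and method names are mine.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Properties;
import java.util.regex.Pattern;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;

/** Added example: alias lookup plus constrained trust verification. Not WSS4J code. */
public final class TrustCheckExample {

    /** Builds a Merlin-backed Crypto; property names are assumed from WSS4J 2.x, paths and passwords are placeholders. */
    static Crypto loadCrypto() throws WSSecurityException {
        Properties p = new Properties();
        p.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "jks");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", "/path/to/keystore.jks");     // placeholder
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "changeit");               // placeholder
        p.setProperty("org.apache.wss4j.crypto.merlin.truststore.type", "jks");
        p.setProperty("org.apache.wss4j.crypto.merlin.truststore.file", "/path/to/truststore.jks"); // placeholder
        p.setProperty("org.apache.wss4j.crypto.merlin.truststore.password", "changeit");             // placeholder
        return CryptoFactory.getInstance(p);
    }

    /**
     * Resolves the chain stored under alias (TYPE.ALIAS lookup) and evaluates it against the
     * truststore with revocation checking on and DN constraints applied. Returns false rather
     * than throwing so callers can log and deny uniformly.
     */
    static boolean isTrusted(Crypto crypto, String alias,
                             Collection<Pattern> subjectConstraints,
                             Collection<Pattern> issuerConstraints) throws WSSecurityException {
        CryptoType lookup = new CryptoType(CryptoType.TYPE.ALIAS);
        lookup.setAlias(alias);
        X509Certificate[] chain = crypto.getX509Certificates(lookup);
        if (chain == null || chain.length == 0) {
            return false; // nothing stored under that alias: deny, do not assume
        }
        try {
            // enableRevocation=true turns on the CRL check the page describes.
            crypto.verifyTrust(chain, true, subjectConstraints, issuerConstraints);
            return true;
        } catch (WSSecurityException e) {
            // Chain did not build to a trust anchor, was revoked, or a DN failed a constraint.
            System.err.println("trust check failed for alias " + alias + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Crypto crypto = loadCrypto();
        // Placeholder DN patterns; the page does not state the matching rule, so these are written
        // to match the whole DN string in case the implementation requires a full match.
        Collection<Pattern> subject = Arrays.asList(Pattern.compile("CN=.*,O=Example Corp,C=US"));
        Collection<Pattern> issuer = Arrays.asList(Pattern.compile("CN=Example Issuing CA,O=Example Corp,C=US"));
        String alias = args.length > 0 ? args[0] : "myalias"; // placeholder alias
        System.out.println("trusted: " + isTrusted(crypto, alias, subject, issuer));
    }
}
```

Passing an empty constraint collection removes the DN pin entirely, so a deployment that wants to restrict which certificates a truststore may vouch for should pass explicit patterns for both the Subject and the Issuer rather than relying on chain validation alone.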