Package org.apache.wss4j.common.crypto
Class CryptoBase
- java.lang.Object
-
- org.apache.wss4j.common.crypto.CryptoBase
-
- All Implemented Interfaces:
Crypto
- Direct Known Subclasses:
CertificateStore
,Merlin
public abstract class CryptoBase extends Object implements Crypto
This Abstract Base Class implements the accessor and keystore-independent methods and functionality of the Crypto interface.
-
-
Field Summary
Fields Modifier and Type Field Description protected CertificateFactory
certificateFactory
static String
NAME_CONSTRAINTS_OID
OID For the NameConstraints Extension to X.509 http://java.sun.com/j2se/1.4.2/docs/api/ http://www.ietf.org/rfc/rfc3280.txt (s.static String
SKI_OID
-
Constructor Summary
Constructors Modifier Constructor Description protected
CryptoBase()
Constructor
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected Object
createBCX509Name(String s)
byte[]
getBytesFromCertificates(X509Certificate[] certs)
Get a byte array given an array of X509 certificates.CertificateFactory
getCertificateFactory()
Get the CertificateFactory instance on this Crypto instanceX509Certificate[]
getCertificatesFromBytes(byte[] data)
Construct an array of X509Certificate's from the byte array.String
getCryptoProvider()
Get the crypto provider associated with this implementationString
getDefaultX509Identifier()
Retrieves the identifier name of the default certificate.protected byte[]
getNameConstraints(X509Certificate cert)
Extracts the NameConstraints sequence from the certificate.byte[]
getSKIBytesFromCert(X509Certificate cert)
Reads the SubjectKeyIdentifier information from the certificate.String
getTrustProvider()
Get the crypto provider used for truststore operation associated with this implementation.X509Certificate
loadCertificate(InputStream in)
Load a X509Certificate from the input stream.protected boolean
matchesIssuerDnPattern(X509Certificate cert, Collection<Pattern> issuerDNPatterns)
protected boolean
matchesName(String name, Collection<Pattern> patterns)
protected boolean
matchesSubjectDnPattern(X509Certificate cert, Collection<Pattern> subjectDNPatterns)
void
setCertificateFactory(CertificateFactory certFactory)
Sets the CertificateFactory instance on this Crypto instancevoid
setCryptoProvider(String provider)
Set the crypto provider associated with this implementationvoid
setDefaultX509Identifier(String identifier)
Sets the identifier name of the default certificate.void
setTrustProvider(String provider)
Set the crypto provider used for truststore operations associated with this implementation-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.apache.wss4j.common.crypto.Crypto
getPrivateKey, getPrivateKey, getPrivateKey, getX509Certificates, getX509Identifier, verifyTrust, verifyTrust
-
-
-
-
Field Detail
-
SKI_OID
public static final String SKI_OID
- See Also:
- Constant Field Values
-
NAME_CONSTRAINTS_OID
public static final String NAME_CONSTRAINTS_OID
OID For the NameConstraints Extension to X.509 http://java.sun.com/j2se/1.4.2/docs/api/ http://www.ietf.org/rfc/rfc3280.txt (s. 4.2.1.11)- See Also:
- Constant Field Values
-
certificateFactory
protected CertificateFactory certificateFactory
-
-
Method Detail
-
getCryptoProvider
public String getCryptoProvider()
Get the crypto provider associated with this implementation- Specified by:
getCryptoProvider
in interfaceCrypto
- Returns:
- the crypto provider
-
setCryptoProvider
public void setCryptoProvider(String provider)
Set the crypto provider associated with this implementation- Specified by:
setCryptoProvider
in interfaceCrypto
- Parameters:
provider
- the crypto provider to set
-
setTrustProvider
public void setTrustProvider(String provider)
Set the crypto provider used for truststore operations associated with this implementation- Specified by:
setTrustProvider
in interfaceCrypto
- Parameters:
provider
- the name of the provider
-
getTrustProvider
public String getTrustProvider()
Get the crypto provider used for truststore operation associated with this implementation.- Specified by:
getTrustProvider
in interfaceCrypto
- Returns:
- a crypto provider name
-
getDefaultX509Identifier
public String getDefaultX509Identifier() throws WSSecurityException
Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.- Specified by:
getDefaultX509Identifier
in interfaceCrypto
- Returns:
- name of the default X509 certificate.
- Throws:
WSSecurityException
-
setDefaultX509Identifier
public void setDefaultX509Identifier(String identifier)
Sets the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. The identifier is implementation specific, e.g. it could be the KeyStore alias.- Specified by:
setDefaultX509Identifier
in interfaceCrypto
- Parameters:
identifier
- name of the default X509 certificate.
-
setCertificateFactory
public void setCertificateFactory(CertificateFactory certFactory)
Sets the CertificateFactory instance on this Crypto instance- Specified by:
setCertificateFactory
in interfaceCrypto
- Parameters:
certFactory
- the CertificateFactory the CertificateFactory instance to set
-
getCertificateFactory
public CertificateFactory getCertificateFactory() throws WSSecurityException
Get the CertificateFactory instance on this Crypto instance- Specified by:
getCertificateFactory
in interfaceCrypto
- Returns:
- Returns a
CertificateFactory
to construct X509 certificates - Throws:
WSSecurityException
-
loadCertificate
public X509Certificate loadCertificate(InputStream in) throws WSSecurityException
Load a X509Certificate from the input stream.- Specified by:
loadCertificate
in interfaceCrypto
- Parameters:
in
- TheInputStream
containing the X509Certificate- Returns:
- An X509 certificate
- Throws:
WSSecurityException
-
getSKIBytesFromCert
public byte[] getSKIBytesFromCert(X509Certificate cert) throws WSSecurityException
Reads the SubjectKeyIdentifier information from the certificate. If the the certificate does not contain a SKI extension then try to compute the SKI according to RFC3280 using the SHA-1 hash value of the public key. The second method described in RFC3280 is not support. Also only RSA public keys are supported. If we cannot compute the SKI throw a WSSecurityException.- Specified by:
getSKIBytesFromCert
in interfaceCrypto
- Parameters:
cert
- The certificate to read SKI- Returns:
- The byte array containing the binary SKI data
- Throws:
WSSecurityException
-
getBytesFromCertificates
public byte[] getBytesFromCertificates(X509Certificate[] certs) throws WSSecurityException
Get a byte array given an array of X509 certificates.- Specified by:
getBytesFromCertificates
in interfaceCrypto
- Parameters:
certs
- The certificates to convert- Returns:
- The byte array for the certificates
- Throws:
WSSecurityException
-
getCertificatesFromBytes
public X509Certificate[] getCertificatesFromBytes(byte[] data) throws WSSecurityException
Construct an array of X509Certificate's from the byte array.- Specified by:
getCertificatesFromBytes
in interfaceCrypto
- Parameters:
data
- Thebyte
array containing the X509 data- Returns:
- An array of X509 certificates
- Throws:
WSSecurityException
-
matchesSubjectDnPattern
protected boolean matchesSubjectDnPattern(X509Certificate cert, Collection<Pattern> subjectDNPatterns)
- Returns:
- true if the certificate's SubjectDN matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate subject DN only has to match ONE of the subject cert constraints (not all).
-
matchesIssuerDnPattern
protected boolean matchesIssuerDnPattern(X509Certificate cert, Collection<Pattern> issuerDNPatterns)
- Returns:
- true if the certificate's Issuer DN matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate subject DN only has to match ONE of the subject cert constraints (not all).
-
matchesName
protected boolean matchesName(String name, Collection<Pattern> patterns)
- Returns:
- true if the provided name matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate (subject) DN only has to match ONE of the (subject) cert constraints (not all).
-
getNameConstraints
protected byte[] getNameConstraints(X509Certificate cert) throws WSSecurityException
Extracts the NameConstraints sequence from the certificate. Handles the case where the data is encoded directly asDERDecoder.TYPE_SEQUENCE
or where the sequence has been encoded as anDERDecoder.TYPE_OCTET_STRING
.By contract, the values retrieved from calls to
X509Extension.getExtensionValue(String)
should always be DER-encoded OCTET strings; however, because of ambiguity in the RFC and the potential for a future breaking change to this contract, testing whether the bytes returned are tagged as a sequence or an encoded octet string is prudent. Considering the fact that it is a single byte comparison, the performance hit is negligible.- Parameters:
cert
- the certificate to extract NameConstraints from- Returns:
- the NameConstraints, or null if not present
- Throws:
WSSecurityException
- if a processing error occurs decoding the Octet String
-
-