Class Merlin

  • All Implemented Interfaces:
    Crypto
  • Direct Known Subclasses:
    MerlinAKI, MerlinDevice

    public class Merlin
    extends CryptoBase
    A Crypto implementation based on two Java KeyStore objects, one being the keystore, and one being the truststore.
    • Method Detail

      • getKeyStore

        public KeyStore getKeyStore()
        Gets the Keystore that was loaded
        Returns:
        the Keystore
      • setKeyStore

        public void setKeyStore​(KeyStore keyStore)
        Set the Keystore on this Crypto instance
        Parameters:
        keyStore - the Keystore to set
      • getTrustStore

        public KeyStore getTrustStore()
        Gets the trust store that was loaded by the underlying implementation
        Returns:
        the trust store
      • setTrustStore

        public void setTrustStore​(KeyStore trustStore)
        Set the trust store on this Crypto instance
        Parameters:
        trustStore - the trust store to set
      • setCRLCertStore

        public void setCRLCertStore​(CertStore crlCertStore)
        Set the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
        Parameters:
        crlCertStore - the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
      • getCRLCertStore

        public CertStore getCRLCertStore()
        Get the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
        Returns:
        the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
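An added example (not part of WSS4J or of this Javadoc) of wiring the two stores and a CRL CertStore into a Merlin through the setters above. The file paths, passwords and the PKCS#12 store type are assumptions of the example; the truststore check is the example's own:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;

import org.apache.wss4j.common.crypto.Merlin;

/**
 * Assembles a Merlin from a separately loaded keystore, truststore and CRL store.
 * Paths and passwords are placeholders supplied by the caller (example assumption).
 */
public final class MerlinAssembly {

    private MerlinAssembly() {
    }

    public static Merlin assemble(String keystorePath, char[] keystorePassword,
                                  String truststorePath, char[] truststorePassword,
                                  String crlPath) throws Exception {
        // Keystore: our own private key(s) with their certificate chains.
        KeyStore keyStore = loadStore(keystorePath, keystorePassword);

        // Truststore: only the CA certificates we accept as anchors. Loading it as a
        // separate object keeps the anchor set an explicit, reviewable list instead of
        // whatever happens to sit next to our private keys.
        KeyStore trustStore = loadStore(truststorePath, truststorePassword);
        rejectPrivateKeys(trustStore);

        // CRLs for revocation checking. An empty CRL file means no revocation data;
        // fail loudly rather than install a store that cannot answer "is this revoked?".
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = cf.generateCRLs(in);
        }
        if (crls.isEmpty()) {
            throw new IllegalStateException("no CRLs parsed from " + crlPath);
        }
        CertStore crlStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls));

        Merlin merlin = new Merlin();
        merlin.setKeyStore(keyStore);
        merlin.setTrustStore(trustStore);
        merlin.setCRLCertStore(crlStore);
        return merlin;
    }

    /** Loads a PKCS#12 store from disk; the password array is wiped afterwards. */
    private static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        } finally {
            Arrays.fill(password, '\0');
        }
        return store;
    }

    /** A truststore should carry trust anchors only; a private key in it is a configuration error. */
    private static void rejectPrivateKeys(KeyStore trustStore) throws KeyStoreException {
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isKeyEntry(alias)) {
                throw new IllegalStateException("truststore alias '" + alias + "' holds a private key");
            }
        }
    }
}
```

The CRL store is only consulted when a caller passes enableRevocation=true to verifyTrust; setting it here does not by itself turn revocation checking on.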
      • getDefaultX509Identifier

        public String getDefaultX509Identifier()
                                        throws WSSecurityException
        Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.
        Specified by:
        getDefaultX509Identifier in interface Crypto
        Overrides:
        getDefaultX509Identifier in class CryptoBase
        Returns:
        name of the default X509 certificate.
        Throws:
        WSSecurityException
      • getX509Certificates

        public X509Certificate[] getX509Certificates​(CryptoType cryptoType)
                                              throws WSSecurityException
        Get an X509Certificate (chain) corresponding to the CryptoType argument. The supported types are as follows:
        TYPE.ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number
        TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA-1 thumbprint of the first (end-entity) certificate in the chain
        TYPE.SKI_BYTES - A certificate (chain) is located by the Subject Key Identifier bytes of the first (end-entity) certificate in the chain
        TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of the first (end-entity) certificate in the chain
        TYPE.ALIAS - A certificate (chain) is located by an alias, which for this implementation means an alias of the keystore or truststore.
        Parameters:
        cryptoType - describes how the certificate (chain) is to be located
        Returns:
        the X509Certificate (chain) matching the CryptoType
        Throws:
        WSSecurityException
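An added example, not code from WSS4J, covering each CryptoType lookup above together with getX509Identifier and getDefaultX509Identifier. It assumes an already configured Merlin and the CryptoType setters setAlias, setSubjectDN, setIssuerSerial and setBytes from org.apache.wss4j.common.crypto; the thumbprint post-condition and the alias round trip are checks the example adds:

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;

/** Locates certificate chains in a configured Merlin by each supported CryptoType. */
public final class CertificateLookup {

    private CertificateLookup() {
    }

    public static X509Certificate[] byAlias(Merlin merlin, String alias) throws WSSecurityException {
        CryptoType type = new CryptoType(CryptoType.TYPE.ALIAS);
        type.setAlias(alias);
        return requireChain(merlin.getX509Certificates(type), "alias " + alias);
    }

    public static X509Certificate[] bySubjectDn(Merlin merlin, String subjectDn) throws WSSecurityException {
        CryptoType type = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
        type.setSubjectDN(subjectDn);
        return requireChain(merlin.getX509Certificates(type), "subject " + subjectDn);
    }

    public static X509Certificate[] byIssuerSerial(Merlin merlin, String issuerDn, BigInteger serial)
            throws WSSecurityException {
        CryptoType type = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
        type.setIssuerSerial(issuerDn, serial);
        return requireChain(merlin.getX509Certificates(type), "issuer/serial " + issuerDn + "/" + serial);
    }

    public static X509Certificate[] bySki(Merlin merlin, byte[] ski) throws WSSecurityException {
        CryptoType type = new CryptoType(CryptoType.TYPE.SKI_BYTES);
        type.setBytes(ski);
        return requireChain(merlin.getX509Certificates(type), "SKI");
    }

    /**
     * Thumbprint lookup with a post-condition: the SHA-1 of the leaf certificate's DER
     * encoding must equal the requested value, so a match on the wrong certificate (or on
     * the wrong element of the chain) is caught here rather than later in signature handling.
     */
    public static X509Certificate[] byThumbprint(Merlin merlin, byte[] sha1Thumbprint) throws Exception {
        CryptoType type = new CryptoType(CryptoType.TYPE.THUMBPRINT_SHA1);
        type.setBytes(sha1Thumbprint);
        X509Certificate[] chain = requireChain(merlin.getX509Certificates(type), "thumbprint");
        byte[] actual = MessageDigest.getInstance("SHA-1").digest(chain[0].getEncoded());
        if (!MessageDigest.isEqual(actual, sha1Thumbprint)) {
            throw new IllegalStateException("returned leaf certificate does not match requested thumbprint");
        }
        return chain;
    }

    /**
     * Default identifier -> chain -> identifier round trip. A mismatch means the default
     * certificate is reachable under more than one alias, which is worth knowing before
     * the alias is used to pick a signing key.
     */
    public static X509Certificate[] defaultChain(Merlin merlin) throws WSSecurityException {
        String alias = merlin.getDefaultX509Identifier();
        if (alias == null) {
            throw new IllegalStateException("no default X.509 identifier configured");
        }
        X509Certificate[] chain = byAlias(merlin, alias);
        String resolved = merlin.getX509Identifier(chain[0]);
        if (!alias.equals(resolved)) {
            throw new IllegalStateException("alias " + alias + " resolves back to " + resolved);
        }
        return chain;
    }

    private static X509Certificate[] requireChain(X509Certificate[] chain, String what) {
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate found for " + what);
        }
        return chain;
    }
}
```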
      • getX509Identifier

        public String getX509Identifier​(X509Certificate cert)
                                 throws WSSecurityException
        Get the implementation-specific identifier corresponding to the cert parameter. In this case, the identifier corresponds to a KeyStore alias.
        Parameters:
        cert - The X509Certificate for which to search for an identifier
        Returns:
        the identifier corresponding to the cert parameter
        Throws:
        WSSecurityException
      • getPrivateKey

        public PrivateKey getPrivateKey​(X509Certificate certificate,
                                        CallbackHandler callbackHandler)
                                 throws WSSecurityException
        Gets the private key corresponding to the certificate.
        Parameters:
        certificate - The X509Certificate corresponding to the private key
        callbackHandler - The callbackHandler needed to get the password
        Returns:
        The private key
        Throws:
        WSSecurityException
      • getPrivateKey

        public PrivateKey getPrivateKey​(PublicKey publicKey,
                                        CallbackHandler callbackHandler)
                                 throws WSSecurityException
        Gets the private key corresponding to the given PublicKey.
        Parameters:
        publicKey - The PublicKey corresponding to the private key
        callbackHandler - The callbackHandler needed to get the password
        Returns:
        The private key
        Throws:
        WSSecurityException
      • getPrivateKey

        public PrivateKey getPrivateKey​(String identifier,
                                        String password)
                                 throws WSSecurityException
        Gets the private key corresponding to the identifier.
        Parameters:
        identifier - The implementation-specific identifier corresponding to the key
        password - The password needed to get the key
        Returns:
        The private key
        Throws:
        WSSecurityException
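An added example, not WSS4J's own code, of the three getPrivateKey overloads above. It assumes Merlin requests the key password from the CallbackHandler through org.apache.wss4j.common.ext.WSPasswordCallback with the keystore alias as the identifier; the in-memory password map and the signing probe are the example's own. It also uses isEnablePrivateKeyCaching, setEnablePrivateKeyCaching and clearCache, documented further down this page:

```java
import java.io.IOException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;

/** Supplies per-alias key passwords to Merlin and proves the returned key matches its certificate. */
public final class KeyAccess implements CallbackHandler {

    private final Map<String, String> passwordsByAlias; // example assumption: passwords come from a map

    public KeyAccess(Map<String, String> passwordsByAlias) {
        this.passwordsByAlias = passwordsByAlias;
    }

    /** Answer only WSPasswordCallback; anything else is a caller we did not expect. */
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String password = passwordsByAlias.get(pc.getIdentifier());
            if (password == null) {
                throw new IOException("no password configured for alias " + pc.getIdentifier());
            }
            pc.setPassword(password);
        }
    }

    /**
     * Fetches the private key for a certificate and checks, with a throwaway signature over
     * random bytes, that it really is the other half of the certificate's public key.
     */
    public static PrivateKey keyFor(Merlin merlin, X509Certificate cert, CallbackHandler handler)
            throws Exception {
        PrivateKey key = merlin.getPrivateKey(cert, handler);
        if (key == null) {
            throw new IllegalStateException("no private key for " + cert.getSubjectX500Principal());
        }
        String algorithm;
        switch (key.getAlgorithm()) {
            case "RSA": algorithm = "SHA256withRSA"; break;
            case "EC": algorithm = "SHA256withECDSA"; break;
            default: throw new IllegalStateException("unexpected key algorithm " + key.getAlgorithm());
        }
        byte[] probe = new byte[32];
        new SecureRandom().nextBytes(probe);
        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("private key does not match certificate public key");
        }
        return key;
    }

    /** Same lookup keyed by the public key alone, e.g. from a KeyValue in KeyInfo. */
    public static PrivateKey keyFor(Merlin merlin, java.security.PublicKey publicKey, CallbackHandler handler)
            throws WSSecurityException {
        return merlin.getPrivateKey(publicKey, handler);
    }

    /** Identifier/password variant with caching disabled so the key does not linger in the cache. */
    public static PrivateKey keyWithoutCaching(Merlin merlin, String alias, String password)
            throws WSSecurityException {
        boolean previous = merlin.isEnablePrivateKeyCaching();
        merlin.setEnablePrivateKeyCaching(false);
        try {
            return merlin.getPrivateKey(alias, password);
        } finally {
            merlin.setEnablePrivateKeyCaching(previous);
            merlin.clearCache();
        }
    }
}
```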
      • verifyTrust

        protected void verifyTrust​(X509Certificate[] certs,
                                   boolean enableRevocation,
                                   Collection<Pattern> subjectCertConstraints)
                            throws WSSecurityException
        Evaluate whether a given certificate chain should be trusted.
        Parameters:
        certs - Certificate chain to validate
        enableRevocation - whether to enable CRL verification or not
        subjectCertConstraints - A set of constraints on the Subject DN of the certificates
        Throws:
        WSSecurityException - if the certificate chain is invalid
      • verifyTrust

        public void verifyTrust​(X509Certificate[] certs,
                                boolean enableRevocation,
                                Collection<Pattern> subjectCertConstraints,
                                Collection<Pattern> issuerCertConstraints)
                         throws WSSecurityException
        Description copied from interface: Crypto
        Evaluate whether a given certificate chain should be trusted.
        Parameters:
        certs - Certificate chain to validate
        enableRevocation - whether to enable CRL verification or not
        subjectCertConstraints - A set of constraints on the Subject DN of the certificates
        issuerCertConstraints - A set of constraints on the Issuer DN of the certificates
        Throws:
        WSSecurityException - if the certificate chain is invalid
      • verifyTrust

        public void verifyTrust​(PublicKey publicKey)
                         throws WSSecurityException
        Evaluate whether a given public key should be trusted.
        Parameters:
        publicKey - The PublicKey to be evaluated
        Throws:
        WSSecurityException - if the PublicKey is invalid
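An added example (not from WSS4J) showing a weak and a hardened call of the verifyTrust overloads above, plus the public-key form. The DN values are constructed for the example. It assumes the patterns are matched against the RFC 2253 string of the certificate's X.500 name as a whole, so confirm the matching mode of the WSS4J version in use before relying on the exact patterns:

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;

/** Trust decisions for inbound certificate chains: the weak form beside the hardened form. */
public final class TrustDecision {

    // Patterns are applied to the RFC 2253 form of the X.500 name, e.g.
    // "CN=service.example.com,O=Example Corp,C=US" (assumption of this example).
    // They cover the whole DN and pin every attribute we care about: a loose pattern such
    // as ".*CN=service.*" would also accept "CN=service.attacker.example".
    static final Collection<Pattern> SUBJECT_CONSTRAINTS = List.of(
            Pattern.compile("CN=service\\.example\\.com,O=Example Corp,C=US"));

    static final Collection<Pattern> ISSUER_CONSTRAINTS = List.of(
            Pattern.compile("CN=Example Issuing CA,O=Example Corp,C=US"));

    private TrustDecision() {
    }

    /**
     * Weak: path validation against the trust anchors only. Any end-entity certificate from
     * any CA in the truststore passes, and a revoked certificate passes too because CRL
     * checking is off.
     */
    public static void weakCheck(Merlin merlin, X509Certificate[] chain) throws WSSecurityException {
        merlin.verifyTrust(chain, false, Collections.emptyList(), Collections.emptyList());
    }

    /**
     * Hardened: revocation on (Merlin uses the CertStore given to setCRLCertStore) and the
     * chain must be for the one subject, from the one issuer, that this endpoint accepts.
     */
    public static void strictCheck(Merlin merlin, X509Certificate[] chain) throws WSSecurityException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        merlin.verifyTrust(chain, true, SUBJECT_CONSTRAINTS, ISSUER_CONSTRAINTS);
    }

    /** Bare public key with no certificate: accepted only if Merlin already knows it. */
    public static boolean isKnownKey(Merlin merlin, PublicKey key) {
        try {
            merlin.verifyTrust(key);
            return true;
        } catch (WSSecurityException e) {
            return false;
        }
    }
}
```

Passing empty constraint collections, as weakCheck does, leaves the Subject and Issuer DN unchecked; the constraints are the only part of verifyTrust that ties the chain to the specific peer the application expects.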
      • addTrustAnchors

        protected void addTrustAnchors​(Set<TrustAnchor> set,
                                       KeyStore keyStore)
                                throws KeyStoreException,
                                       WSSecurityException
        Adds TrustAnchors found in the provided key store to the set.

        When the Trust Anchors are constructed, the value of the CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS property will be checked. If it has been set to true, then NameConstraints will be added to their Trust Anchors; if unset or set to false, the Name Constraints will be nulled out on their Trust Anchors. The default Sun PKIX Path Validator does not support Name Constraints on Trust Anchors and will throw an InvalidAlgorithmParameterException if they are provided. Other implementations may also be unsafe.

        Parameters:
        set - the set to which to add the TrustAnchors
        keyStore - the store to search for X509Certificates
        Throws:
        KeyStoreException - if a problem occurs accessing the keyStore
        WSSecurityException
      • setPasswordEncryptor

        public void setPasswordEncryptor​(PasswordEncryptor passwordEncryptor)
        Set the PasswordEncryptor used to decrypt encrypted keystore and key passwords.
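An added example (not WSS4J code) that builds a Merlin from properties through the Merlin(Properties, ClassLoader, PasswordEncryptor) constructor, so that store passwords are supplied by a PasswordEncryptor instead of being written in the clear, and that pins the name-constraints behaviour described under addTrustAnchors. The keystore, truststore and x509crl property names are the standard Merlin ones; the property key used for CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS, the ENC(...) convention and the file paths are assumptions of the example:

```java
import java.util.Properties;

import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;

/** Builds a Merlin from properties whose store passwords are not written in the clear. */
public final class MerlinFromProperties {

    /**
     * Resolves an ENC(...) token to the real password. Here the token names an environment
     * variable (example assumption); a production encryptor would decrypt a ciphertext with
     * a key held outside the configuration.
     */
    static final class EnvPasswordEncryptor implements PasswordEncryptor {
        @Override
        public String encrypt(String password) {
            throw new UnsupportedOperationException("encryption is done offline");
        }

        @Override
        public String decrypt(String token) {
            // Tolerate both the bare token and the full ENC(...) wrapper.
            String name = token;
            if (name.startsWith("ENC(") && name.endsWith(")")) {
                name = name.substring(4, name.length() - 1);
            }
            String value = System.getenv(name);
            if (value == null) {
                throw new IllegalStateException("no secret in environment variable " + name);
            }
            return value;
        }
    }

    private MerlinFromProperties() {
    }

    public static Merlin create() throws Exception {
        Properties p = new Properties();
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "PKCS12");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", "keys/service.p12");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "ENC(SERVICE_KEYSTORE_PASSWORD)");
        p.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "service");
        p.setProperty("org.apache.wss4j.crypto.merlin.truststore.type", "PKCS12");
        p.setProperty("org.apache.wss4j.crypto.merlin.truststore.file", "keys/truststore.p12");
        p.setProperty("org.apache.wss4j.crypto.merlin.truststore.password", "ENC(TRUSTSTORE_PASSWORD)");
        p.setProperty("org.apache.wss4j.crypto.merlin.x509crl.file", "keys/issuing-ca.crl");
        // Assumed key for CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS. Left false: with the
        // default Sun PKIX validator, true makes path validation throw on constrained anchors.
        p.setProperty("org.apache.wss4j.crypto.merlin.cert.provider.nameconstraints", "false");

        return new Merlin(p, MerlinFromProperties.class.getClassLoader(), new EnvPasswordEncryptor());
    }
}
```

A Merlin created with the no-argument constructor can be given the same encryptor afterwards with setPasswordEncryptor.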
      • clearCache

        public void clearCache()
        Clear the private keys cached by this instance.
      • isEnablePrivateKeyCaching

        public boolean isEnablePrivateKeyCaching()
        Returns whether private keys retrieved from the keystore are cached in memory by this instance.
      • setEnablePrivateKeyCaching

        public void setEnablePrivateKeyCaching​(boolean enablePrivateKeyCaching)
        Set whether private keys retrieved from the keystore are cached in memory by this instance.