Package org.apache.wss4j.common.crypto

Class CryptoBase

  • All Implemented Interfaces:
    Crypto
    Direct Known Subclasses:
    CertificateStore, Merlin
    public abstract class CryptoBase
extends Object
implements Crypto
    This Abstract Base Class implements the accessor and keystore-independent methods and functionality of the Crypto interface.

    • Field Detail

      • NAME_CONSTRAINTS_OID

        public static final String NAME_CONSTRAINTS_OID
        OID For the NameConstraints Extension to X.509 http://java.sun.com/j2se/1.4.2/docs/api/ http://www.ietf.org/rfc/rfc3280.txt (s. 4.2.1.11)
        See Also:
        Constant Field Values

    • Constructor Detail

      • CryptoBase

        protected CryptoBase()
        Constructor

    • Method Detail

      • getCryptoProvider

        public String getCryptoProvider()
        Get the crypto provider associated with this implementation
        Specified by:
        getCryptoProvider in interface Crypto
        Returns:
        the crypto provider

      • setCryptoProvider

        public void setCryptoProvider​(String provider)
        Set the crypto provider associated with this implementation
        Specified by:
        setCryptoProvider in interface Crypto
        Parameters:
        provider - the crypto provider to set

      • setTrustProvider

        public void setTrustProvider​(String provider)
        Set the crypto provider used for truststore operations associated with this implementation
        Specified by:
        setTrustProvider in interface Crypto
        Parameters:
        provider - the name of the provider

      • getTrustProvider

        public String getTrustProvider()
        Get the crypto provider used for truststore operation associated with this implementation.
        Specified by:
        getTrustProvider in interface Crypto
        Returns:
        a crypto provider name

      • getDefaultX509Identifier

        public String getDefaultX509Identifier()
                                throws WSSecurityException
        Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.
        Specified by:
        getDefaultX509Identifier in interface Crypto
        Returns:
        name of the default X509 certificate.
        Throws:
        WSSecurityException

      • setDefaultX509Identifier

        public void setDefaultX509Identifier​(String identifier)
        Sets the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. The identifier is implementation specific, e.g. it could be the KeyStore alias.
        Specified by:
        setDefaultX509Identifier in interface Crypto
        Parameters:
        identifier - name of the default X509 certificate.

      • setCertificateFactory

        public void setCertificateFactory​(CertificateFactory certFactory)
        Sets the CertificateFactory instance on this Crypto instance
        Specified by:
        setCertificateFactory in interface Crypto
        Parameters:
        certFactory - the CertificateFactory the CertificateFactory instance to set

      • getSKIBytesFromCert

        public byte[] getSKIBytesFromCert​(X509Certificate cert)
                           throws WSSecurityException
        Reads the SubjectKeyIdentifier information from the certificate.

        If the the certificate does not contain a SKI extension then try to compute the SKI according to RFC3280 using the SHA-1 hash value of the public key. The second method described in RFC3280 is not support. Also only RSA public keys are supported. If we cannot compute the SKI throw a WSSecurityException.

        Specified by:
        getSKIBytesFromCert in interface Crypto
        Parameters:
        cert - The certificate to read SKI
        Returns:
        The byte array containing the binary SKI data
        Throws:
        WSSecurityException

      • createBCX509Name

        protected Object createBCX509Name​(String s)

      • matchesSubjectDnPattern

        protected boolean matchesSubjectDnPattern​(X509Certificate cert,
                                          Collection<Pattern> subjectDNPatterns)
        Returns:
        true if the certificate's SubjectDN matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate subject DN only has to match ONE of the subject cert constraints (not all).

      • matchesIssuerDnPattern

        protected boolean matchesIssuerDnPattern​(X509Certificate cert,
                                         Collection<Pattern> issuerDNPatterns)
        Returns:
        true if the certificate's Issuer DN matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate subject DN only has to match ONE of the subject cert constraints (not all).

      • matchesName

        protected boolean matchesName​(String name,
                              Collection<Pattern> patterns)
        Returns:
        true if the provided name matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate (subject) DN only has to match ONE of the (subject) cert constraints (not all).

      • getNameConstraints

        protected byte[] getNameConstraints​(X509Certificate cert)
                             throws WSSecurityException
        Extracts the NameConstraints sequence from the certificate. Handles the case where the data is encoded directly as DERDecoder.TYPE_SEQUENCE or where the sequence has been encoded as an DERDecoder.TYPE_OCTET_STRING.

        By contract, the values retrieved from calls to X509Extension.getExtensionValue(String) should always be DER-encoded OCTET strings; however, because of ambiguity in the RFC and the potential for a future breaking change to this contract, testing whether the bytes returned are tagged as a sequence or an encoded octet string is prudent. Considering the fact that it is a single byte comparison, the performance hit is negligible.

        Parameters:
        cert - the certificate to extract NameConstraints from
        Returns:
        the NameConstraints, or null if not present
        Throws:
        WSSecurityException - if a processing error occurs decoding the Octet String