Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(), new org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator(pkixOptions), new BasicX509CredentialNameEvaluator());
X509Certificate entityCertificate = credential.getEntityCertificate(); if (checkSubjectAltNames()) { if (processSubjectAltNames(entityCertificate, trustedNames)) { if (log.isDebugEnabled()) { log.debug("Credential {} passed name check based on subject alt names.", if (checkSubjectDNCommonName()) { if (processSubjectDNCommonName(entityCertificate, trustedNames)) { if (log.isDebugEnabled()) { log.debug("Credential {} passed name check based on subject common name.", if (checkSubjectDN()) { if (processSubjectDN(entityCertificate, trustedNames)) { if (log.isDebugEnabled()) { log.debug("Credential {} passed name check based on subject DN.",
/**
 * Gets whether any of the supported name type checking is currently enabled.
 *
 * <p>When no check category is enabled this evaluator has nothing to compare a
 * credential against; the evaluate method treats that state as "nothing to check"
 * rather than as a failure.</p>
 *
 * @return true if at least one of subject alt name, subject DN common name or
 *         subject DN checking is enabled, false otherwise
 */
public boolean isNameCheckingActive() {
    if (checkSubjectAltNames()) {
        return true;
    }
    if (checkSubjectDNCommonName()) {
        return true;
    }
    return checkSubjectDN();
}
/**
 * Constructor.
 *
 * <p>Enables all three name-check categories (subject alt names, subject DN common
 * name and full subject DN) and registers the DNS and URI subject alt name types as
 * the ones inspected by the alt-name check.</p>
 */
public BasicX509CredentialNameEvaluator() {
    x500DNHandler = new InternalX500DNHandler();

    HashSet<Integer> altNameTypes = new HashSet<Integer>(5);
    subjectAltNameTypes = altNameTypes;

    // Every check category is on by default; callers narrow this through the setters.
    setCheckSubjectAltNames(true);
    setCheckSubjectDNCommonName(true);
    setCheckSubjectDN(true);

    // Only DNS and URI alt names are considered by default.
    altNameTypes.add(X509Util.DNS_ALT_NAME);
    altNameTypes.add(X509Util.URI_ALT_NAME);
}
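/**
 * {@inheritDoc}
 *
 * <p>
 * If the set of trusted names is null or empty, or if no supported name types are configured to be
 * checked, then the evaluation is considered successful.
 * </p>
 *
 * <p>
 * Both of those early exits are lenient: they report success without inspecting the credential at
 * all. A caller that relies on name checking as a trust control must therefore supply a non-empty
 * set of trusted names and leave at least one check category enabled; otherwise every credential
 * passes this evaluator.
 * </p>
 *
 * @param credential the X.509 credential whose certificate names are checked
 * @param trustedNames the names the credential is allowed to carry; may be null or empty
 * @return true if the credential's names match the trusted names, or if there is nothing to check
 * @throws SecurityException propagated from the underlying name processing
 */
public boolean evaluate(X509Credential credential, Set<String> trustedNames) throws SecurityException {
    // Lenient exit 1: no check categories enabled, so there is nothing to evaluate against.
    if (!isNameCheckingActive()) {
        log.debug("No trusted name options are active, skipping name evaluation");
        return true;
    }
    // Lenient exit 2: no trusted names supplied.
    if (trustedNames == null || trustedNames.isEmpty()) {
        log.debug("Supplied trusted names are null or empty, skipping name evaluation");
        return true;
    }

    // The body performs no unchecked generic operation, so the former
    // @SuppressWarnings("unchecked") on this method only masked real warnings; it is dropped.
    if (log.isDebugEnabled()) {
        log.debug("Checking trusted names against credential: {}",
                X509Util.getIdentifiersToken(credential, x500DNHandler));
        log.debug("Trusted names being evaluated are: {}", trustedNames.toString());
    }
    return processNameChecks(credential, trustedNames);
}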
X509Certificate entityCertificate = credential.getEntityCertificate(); if (checkSubjectAltNames()) { if (processSubjectAltNames(entityCertificate, trustedNames)) { if (log.isDebugEnabled()) { log.debug("Credential {} passed name check based on subject alt names.", if (checkSubjectDNCommonName()) { if (processSubjectDNCommonName(entityCertificate, trustedNames)) { if (log.isDebugEnabled()) { log.debug("Credential {} passed name check based on subject common name.", if (checkSubjectDN()) { if (processSubjectDN(entityCertificate, trustedNames)) { if (log.isDebugEnabled()) { log.debug("Credential {} passed name check based on subject DN.",
/**
 * Gets whether any of the supported name type checking is currently enabled.
 *
 * <p>When no check category is enabled this evaluator has nothing to compare a
 * credential against; the evaluate method treats that state as "nothing to check"
 * rather than as a failure.</p>
 *
 * @return true if at least one of subject alt name, subject DN common name or
 *         subject DN checking is enabled, false otherwise
 */
public boolean isNameCheckingActive() {
    if (checkSubjectAltNames()) {
        return true;
    }
    if (checkSubjectDNCommonName()) {
        return true;
    }
    return checkSubjectDN();
}
/**
 * Constructor.
 *
 * <p>Enables all three name-check categories (subject alt names, subject DN common
 * name and full subject DN) and registers the DNS and URI subject alt name types as
 * the ones inspected by the alt-name check.</p>
 */
public BasicX509CredentialNameEvaluator() {
    x500DNHandler = new InternalX500DNHandler();

    HashSet<Integer> altNameTypes = new HashSet<Integer>(5);
    subjectAltNameTypes = altNameTypes;

    // Every check category is on by default; callers narrow this through the setters.
    setCheckSubjectAltNames(true);
    setCheckSubjectDNCommonName(true);
    setCheckSubjectDN(true);

    // Only DNS and URI alt names are considered by default.
    altNameTypes.add(X509Util.DNS_ALT_NAME);
    altNameTypes.add(X509Util.URI_ALT_NAME);
}
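/**
 * {@inheritDoc}
 *
 * <p>
 * If the set of trusted names is null or empty, or if no supported name types are configured to be
 * checked, then the evaluation is considered successful.
 * </p>
 *
 * <p>
 * Both of those early exits are lenient: they report success without inspecting the credential at
 * all. A caller that relies on name checking as a trust control must therefore supply a non-empty
 * set of trusted names and leave at least one check category enabled; otherwise every credential
 * passes this evaluator.
 * </p>
 *
 * @param credential the X.509 credential whose certificate names are checked
 * @param trustedNames the names the credential is allowed to carry; may be null or empty
 * @return true if the credential's names match the trusted names, or if there is nothing to check
 * @throws SecurityException propagated from the underlying name processing
 */
public boolean evaluate(X509Credential credential, Set<String> trustedNames) throws SecurityException {
    // Lenient exit 1: no check categories enabled, so there is nothing to evaluate against.
    if (!isNameCheckingActive()) {
        log.debug("No trusted name options are active, skipping name evaluation");
        return true;
    }
    // Lenient exit 2: no trusted names supplied.
    if (trustedNames == null || trustedNames.isEmpty()) {
        log.debug("Supplied trusted names are null or empty, skipping name evaluation");
        return true;
    }

    // The body performs no unchecked generic operation, so the former
    // @SuppressWarnings("unchecked") on this method only masked real warnings; it is dropped.
    if (log.isDebugEnabled()) {
        log.debug("Checking trusted names against credential: {}",
                X509Util.getIdentifiersToken(credential, x500DNHandler));
        log.debug("Trusted names being evaluated are: {}", trustedNames.toString());
    }
    return processNameChecks(credential, trustedNames);
}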
/**
 * Constructor.
 *
 * <p>The PKIX trust evaluator used defaults to {@link CertPathPKIXTrustEvaluator}.</p>
 *
 * <p>The X.509 credential name evaluator used defaults to {@link BasicX509CredentialNameEvaluator},
 * whose no-arg constructor enables all of its name-check categories.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials; must not be null
 * @throws IllegalArgumentException if {@code resolver} is null
 */
public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver) {
    if (null == resolver) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    pkixResolver = resolver;

    // No evaluators were supplied, so wire up the default collaborators.
    CertPathPKIXTrustEvaluator defaultTrustEvaluator = new CertPathPKIXTrustEvaluator();
    BasicX509CredentialNameEvaluator defaultNameEvaluator = new BasicX509CredentialNameEvaluator();
    pkixTrustEvaluator = defaultTrustEvaluator;
    credNameEvaluator = defaultNameEvaluator;
}
/**
 * Constructor.
 *
 * <p>The PKIX trust evaluator used defaults to {@link CertPathPKIXTrustEvaluator}.</p>
 *
 * <p>The X.509 credential name evaluator used defaults to {@link BasicX509CredentialNameEvaluator},
 * whose no-arg constructor enables all of its name-check categories.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials; must not be null
 * @throws IllegalArgumentException if {@code resolver} is null
 */
public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver) {
    if (null == resolver) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    pkixResolver = resolver;

    // No evaluators were supplied, so wire up the default collaborators.
    CertPathPKIXTrustEvaluator defaultTrustEvaluator = new CertPathPKIXTrustEvaluator();
    BasicX509CredentialNameEvaluator defaultNameEvaluator = new BasicX509CredentialNameEvaluator();
    pkixTrustEvaluator = defaultTrustEvaluator;
    credNameEvaluator = defaultNameEvaluator;
}
/**
 * Constructor.
 *
 * <p>The PKIX trust evaluator used defaults to {@link CertPathPKIXTrustEvaluator}.</p>
 *
 * <p>The X.509 credential name evaluator used defaults to {@link BasicX509CredentialNameEvaluator},
 * whose no-arg constructor enables all of its name-check categories.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials; must not be null.
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a
 *            Signature's KeyInfo element; handed to the superclass unchanged.
 * @throws IllegalArgumentException if {@code resolver} is null
 */
public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver,
        KeyInfoCredentialResolver keyInfoResolver) {
    // The superclass owns the KeyInfo resolver; it gets it before our own validation runs.
    super(keyInfoResolver);
    if (null == resolver) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    pkixResolver = resolver;

    // No evaluators were supplied, so wire up the default collaborators.
    CertPathPKIXTrustEvaluator defaultTrustEvaluator = new CertPathPKIXTrustEvaluator();
    BasicX509CredentialNameEvaluator defaultNameEvaluator = new BasicX509CredentialNameEvaluator();
    pkixTrustEvaluator = defaultTrustEvaluator;
    credNameEvaluator = defaultNameEvaluator;
}
/**
 * Constructor.
 *
 * <p>The PKIX trust evaluator used defaults to {@link CertPathPKIXTrustEvaluator}.</p>
 *
 * <p>The X.509 credential name evaluator used defaults to {@link BasicX509CredentialNameEvaluator},
 * whose no-arg constructor enables all of its name-check categories.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials; must not be null.
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing credential from a
 *            Signature's KeyInfo element; handed to the superclass unchanged.
 * @throws IllegalArgumentException if {@code resolver} is null
 */
public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver,
        KeyInfoCredentialResolver keyInfoResolver) {
    // The superclass owns the KeyInfo resolver; it gets it before our own validation runs.
    super(keyInfoResolver);
    if (null == resolver) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    pkixResolver = resolver;

    // No evaluators were supplied, so wire up the default collaborators.
    CertPathPKIXTrustEvaluator defaultTrustEvaluator = new CertPathPKIXTrustEvaluator();
    BasicX509CredentialNameEvaluator defaultNameEvaluator = new BasicX509CredentialNameEvaluator();
    pkixTrustEvaluator = defaultTrustEvaluator;
    credNameEvaluator = defaultNameEvaluator;
}
/**
 * Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified
 * in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or
 * from the values overridden in the ExtendedMetadata. The trust engine is used to verify SSL connections.
 *
 * <p>Any SSL security profile value other than {@code "pkix"} (case-insensitive), including null,
 * selects the explicit trust engine.</p>
 *
 * @param samlContext context to populate
 */
protected void populateSSLTrustEngine(SAMLMessageContext samlContext) {
    String sslProfile = samlContext.getLocalExtendedMetadata().getSslSecurityProfile();
    boolean usePkix = "pkix".equalsIgnoreCase(sslProfile);

    TrustEngine<X509Credential> engine;
    if (usePkix) {
        // PKIX: chain validation through the shared resolver/evaluator plus the default
        // credential name evaluator.
        engine = new PKIXX509CredentialTrustEngine(pkixResolver, pkixTrustEvaluator,
                new BasicX509CredentialNameEvaluator());
    } else {
        // Default: peer certificates are matched explicitly against metadata.
        engine = new ExplicitX509CertificateTrustEngine(metadataResolver);
    }
    samlContext.setLocalSSLTrustEngine(engine);
}
/**
 * Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified
 * in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or
 * from the values overridden in the ExtendedMetadata.
 *
 * <p>Any security profile value other than {@code "pkix"} (case-insensitive), including null,
 * selects the explicit key signature trust engine. Both engines share the global default
 * KeyInfo credential resolver.</p>
 *
 * @param samlContext context to populate
 */
protected void populateTrustEngine(SAMLMessageContext samlContext) {
    String profile = samlContext.getLocalExtendedMetadata().getSecurityProfile();
    boolean usePkix = "pkix".equalsIgnoreCase(profile);

    // Same KeyInfo resolver for either engine, so fetch it once.
    KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();

    SignatureTrustEngine engine;
    if (usePkix) {
        // PKIX: chain validation through the shared resolver/evaluator plus the default
        // credential name evaluator.
        engine = new PKIXSignatureTrustEngine(pkixResolver, keyInfoResolver, pkixTrustEvaluator,
                new BasicX509CredentialNameEvaluator());
    } else {
        // Default: signing keys are matched explicitly against metadata.
        engine = new ExplicitKeySignatureTrustEngine(metadataResolver, keyInfoResolver);
    }
    samlContext.setLocalTrustEngine(engine);
}
Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(), new org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator(pkixOptions), new BasicX509CredentialNameEvaluator());
/**
 * Initializes internal SocketFactory used to create all sockets. By default uses PKIX algorithm with
 * configured trusted keys as trust anchors.
 *
 * <p>The trust side is a PKIX credential trust engine built from {@code getPKIXResolver()}, a
 * {@link CertPathPKIXTrustEvaluator} with default validation options and the default
 * {@link BasicX509CredentialNameEvaluator}; the key side presents this instance's default
 * credential. A hostname verifier is attached only when
 * {@code isHostnameVerificationSupported()} reports true.</p>
 *
 * @return socket factory
 */
protected SecureProtocolSocketFactory initializeDelegate() {
    // Trust side.
    PKIXValidationInformationResolver resolver = getPKIXResolver();
    CertPathPKIXTrustEvaluator pathEvaluator =
            new CertPathPKIXTrustEvaluator(new CertPathPKIXValidationOptions());
    TrustEngine<X509Credential> trustEngine = new PKIXX509CredentialTrustEngine(resolver,
            pathEvaluator, new BasicX509CredentialNameEvaluator());

    // Key side. The local is named sslKeyManager so it does not shadow the keyManager field
    // it reads the default credential from.
    X509KeyManager sslKeyManager =
            new X509KeyManager((X509Credential) this.keyManager.getDefaultCredential());
    // An empty CriteriaSet is passed alongside the trust engine.
    X509TrustManager trustManager = new X509TrustManager(new CriteriaSet(), trustEngine);

    HostnameVerifier hostnameVerifier = SAMLUtil.getHostnameVerifier(sslHostnameVerification);
    if (!isHostnameVerificationSupported()) {
        // NOTE(review): on this path the factory is created without the verifier, so the
        // sslHostnameVerification setting is not applied here — confirm that is intended.
        return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(sslKeyManager, trustManager);
    }
    return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(sslKeyManager, trustManager,
            hostnameVerifier);
}