/** {@inheritDoc} */
protected Object createInstance() throws Exception {
    // Trust anchors and validation information are resolved from the configured
    // metadata provider at evaluation time rather than being fixed up front.
    MetadataPKIXValidationInformationResolver resolver =
            new MetadataPKIXValidationInformationResolver(getMetadataProvider());
    PKIXX509CredentialTrustEngine trustEngine = new PKIXX509CredentialTrustEngine(resolver);

    if (getPKIXValidationOptions() != null) {
        // The engine's default evaluator is a CertPathPKIXTrustEvaluator; hand it the
        // validation options configured on this factory (the cast mirrors that assumption).
        CertPathPKIXTrustEvaluator evaluator =
                (CertPathPKIXTrustEvaluator) trustEngine.getPKIXTrustEvaluator();
        evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    }
    return trustEngine;
}
}
if (!checkNames(trustedNames, untrustedX509Credential)) { log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation"); return false;
/** {@inheritDoc} */
public boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
        throws SecurityException {
    log.debug("Attempting PKIX validation of untrusted credential");

    // Guard clauses: there is nothing to validate without a credential and its entity certificate.
    if (untrustedCredential == null) {
        log.error("X.509 credential was null, unable to perform validation");
        return false;
    }
    if (untrustedCredential.getEntityCertificate() == null) {
        log.error("Untrusted X.509 credential's entity certificate was null, unable to perform validation");
        return false;
    }

    // A null set of trusted names signals that the resolver could not supply any,
    // which the delegate validate(...) handles by not enforcing name checks.
    final Set<String> trustedNames;
    if (pkixResolver.supportsTrustedNameResolution()) {
        trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria);
    } else {
        log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
        trustedNames = null;
    }

    // Validation information (anchors, CRLs, depth) is resolved last, as in the original ordering.
    return validate(untrustedCredential, trustedNames, pkixResolver.resolve(trustBasisCriteria));
}
/**
 * Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified
 * in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or
 * from the values overridden in the ExtendedMetadata. The trust engine is used to verify SSL connections.
 *
 * @param samlContext context to populate; its local extended metadata is consulted for the SSL security profile
 */
protected void populateSSLTrustEngine(SAMLMessageContext samlContext) {
    String sslProfile = samlContext.getLocalExtendedMetadata().getSslSecurityProfile();

    // The profile name is compared case-insensitively; anything other than "pkix"
    // (including a null profile) falls through to explicit-key trust.
    boolean usePkix = "pkix".equalsIgnoreCase(sslProfile);

    TrustEngine<X509Credential> engine;
    if (usePkix) {
        // PKIX path validation with a name evaluator so the peer certificate's names are checked too.
        engine = new PKIXX509CredentialTrustEngine(
                pkixResolver, pkixTrustEvaluator, new BasicX509CredentialNameEvaluator());
    } else {
        engine = new ExplicitX509CertificateTrustEngine(metadataResolver);
    }
    samlContext.setLocalSSLTrustEngine(engine);
}
/**
 * Initializes internal SocketFactory used to create all sockets. By default uses PKIX algorithm with
 * configured trusted keys as trust anchors.
 *
 * @return socket factory; includes hostname verification only when it is supported by this factory
 */
protected SecureProtocolSocketFactory initializeDelegate() {
    // Server certificates are validated with PKIX using the configured resolver.
    // NOTE(review): default CertPathPKIXValidationOptions are used here, so revocation and depth
    // settings are whatever that class defaults to — confirm they match the deployment's policy.
    PKIXValidationInformationResolver resolver = getPKIXResolver();
    CertPathPKIXTrustEvaluator evaluator =
            new CertPathPKIXTrustEvaluator(new CertPathPKIXValidationOptions());
    TrustEngine<X509Credential> trustEngine = new PKIXX509CredentialTrustEngine(
            resolver, evaluator, new BasicX509CredentialNameEvaluator());

    // Client identity is the key manager's default credential; the empty CriteriaSet is passed
    // through to the trust engine as the trust-basis criteria.
    X509Credential clientCredential = (X509Credential) this.keyManager.getDefaultCredential();
    X509KeyManager socketKeyManager = new X509KeyManager(clientCredential);
    X509TrustManager socketTrustManager = new X509TrustManager(new CriteriaSet(), trustEngine);

    HostnameVerifier hostnameVerifier = SAMLUtil.getHostnameVerifier(sslHostnameVerification);
    if (!isHostnameVerificationSupported()) {
        // Without hostname verification support only the certificate chain is checked.
        return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(
                socketKeyManager, socketTrustManager);
    }
    return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(
            socketKeyManager, socketTrustManager, hostnameVerifier);
}
/** {@inheritDoc} */
protected Object createInstance() throws Exception {
    // The static resolver requires a non-null name set; treat "no names configured" as empty.
    Set<String> configuredNames = getTrustedNames();
    Set<String> trustedNames =
            configuredNames != null ? configuredNames : Collections.<String>emptySet();

    StaticPKIXValidationInformationResolver resolver =
            new StaticPKIXValidationInformationResolver(getPKIXInfo(), trustedNames);
    PKIXX509CredentialTrustEngine trustEngine = new PKIXX509CredentialTrustEngine(resolver);

    if (getPKIXValidationOptions() != null) {
        // The engine's default evaluator is a CertPathPKIXTrustEvaluator; hand it the
        // validation options configured on this factory (the cast mirrors that assumption).
        CertPathPKIXTrustEvaluator evaluator =
                (CertPathPKIXTrustEvaluator) trustEngine.getPKIXTrustEvaluator();
        evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    }
    return trustEngine;
}
}
/** {@inheritDoc} */
public boolean validate(X509Credential untrustedCredential, CriteriaSet trustBasisCriteria)
        throws SecurityException {
    log.debug("Attempting PKIX validation of untrusted credential");

    // Guard clauses: there is nothing to validate without a credential and its entity certificate.
    if (untrustedCredential == null) {
        log.error("X.509 credential was null, unable to perform validation");
        return false;
    }
    if (untrustedCredential.getEntityCertificate() == null) {
        log.error("Untrusted X.509 credential's entity certificate was null, unable to perform validation");
        return false;
    }

    // A null set of trusted names signals that the resolver could not supply any,
    // which the delegate validate(...) handles by not enforcing name checks.
    final Set<String> trustedNames;
    if (pkixResolver.supportsTrustedNameResolution()) {
        trustedNames = pkixResolver.resolveTrustedNames(trustBasisCriteria);
    } else {
        log.debug("PKIX resolver does not support resolution of trusted names, skipping name checking");
        trustedNames = null;
    }

    // Validation information (anchors, CRLs, depth) is resolved last, as in the original ordering.
    return validate(untrustedCredential, trustedNames, pkixResolver.resolve(trustBasisCriteria));
}
if (!checkNames(trustedNames, untrustedX509Credential)) { log.debug("Evaluation of credential against trusted names failed. Aborting PKIX validation"); return false;