/**
 * Builds the PKIX validation information resolver used to verify the metadata of one provider.
 * <p>
 * Every alias in {@code trustedKeys} is looked up in the key manager and, when a certificate exists
 * for it, used as a trust anchor. When {@code trustedKeys} is {@code null} all credentials known to
 * the key manager are used instead. Aliases without a certificate in the keystore are logged and
 * skipped, so the resulting anchor set can only be narrower than the configured one, never wider.
 *
 * @param provider     metadata provider whose signatures will be verified (used for logging here)
 * @param trustedKeys  aliases of the keys to use as trust anchors, or {@code null} for all available keys
 * @param trustedNames trusted names handed to the resolver unchanged
 * @return static resolver holding a single validation information set with the collected anchors,
 *         no CRLs ({@code null}) and a maximum verification depth of 4
 */
@Override
protected PKIXValidationInformationResolver getPKIXResolver(MetadataProvider provider, Set<String> trustedKeys, Set<String> trustedNames) {
    // Fall back to every credential the key manager knows about when no explicit alias set is given
    Set<String> aliases = trustedKeys != null ? trustedKeys : keyManager.getAvailableCredentials();

    List<X509Certificate> anchors = new LinkedList<X509Certificate>();
    for (String alias : aliases) {
        log.debug("Adding PKIX trust anchor {} for metadata verification of provider {}", alias, provider);
        X509Certificate anchor = keyManager.getCertificate(alias);
        if (anchor == null) {
            // No certificate for this alias: warn and leave it out rather than adding a null anchor
            log.warn("Cannot construct PKIX trust anchor for key with alias {} for provider {}, key isn't included in the keystore", alias, provider);
            continue;
        }
        anchors.add(anchor);
    }

    // One information set: anchors, no CRLs, verification depth 4
    List<PKIXValidationInformation> validationInfo = new LinkedList<PKIXValidationInformation>();
    validationInfo.add(new BasicPKIXValidationInformation(anchors, null, 4));
    return new StaticPKIXValidationInformationResolver(validationInfo, trustedNames);
}
/**
 * Resolves the trusted names for the given criteria, mapping an empty result to {@code null}.
 * <p>
 * The previous implementation of the parent resolver returned {@code true} when the trusted names
 * were empty, not only when they were {@code null}; see
 * https://git.shibboleth.net/view/?p=java-xmltooling.git;a=commitdiff;h=c3c19e4857b815c7c05fa3b675f9cd1adde43429#patch2
 * Returning {@code null} for an empty set preserves that earlier behaviour for callers of this resolver.
 *
 * @param criteriaSet criteria forwarded to the parent resolver
 * @return the resolved names, or {@code null} when the parent resolved none
 * @throws SecurityException             propagated from the parent resolver
 * @throws UnsupportedOperationException propagated from the parent resolver
 */
@Override
public Set<String> resolveTrustedNames(CriteriaSet criteriaSet) throws SecurityException, UnsupportedOperationException {
    Set<String> resolved = super.resolveTrustedNames(criteriaSet);
    // Empty and null are treated alike downstream; normalise to null
    return resolved.isEmpty() ? null : resolved;
}
};
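/**
 * Method is expected to construct information resolver with all trusted data available for the given provider.
 * <p>
 * When {@link #trustedKeys} is unset, every credential alias known to the key manager is used and the
 * field is populated with that set. Each alias is resolved to its certificate; aliases for which the
 * key manager has no certificate are logged and skipped instead of being added as a {@code null}
 * anchor, so the trust set can only shrink, never widen.
 *
 * @return information resolver holding the collected anchors, no CRLs ({@code null}) and a maximum
 *         verification depth of 4, without trusted names
 */
protected PKIXValidationInformationResolver getPKIXResolver() {
    // Use all available keys
    if (trustedKeys == null) {
        trustedKeys = keyManager.getAvailableCredentials();
    }
    // Resolve allowed certificates to build the anchors
    List<X509Certificate> certificates = new ArrayList<X509Certificate>(trustedKeys.size());
    for (String key : trustedKeys) {
        // One placeholder per argument: the previous message carried a second "{}" with no value
        log.debug("Adding PKIX trust anchor {} for SSL/TLS verification", key);
        X509Certificate certificate = keyManager.getCertificate(key);
        if (certificate != null) {
            certificates.add(certificate);
        } else {
            // A null entry in the anchor list would most likely fail later inside PKIX validation;
            // warn and skip it, matching the metadata resolver's handling of missing aliases
            log.warn("Cannot construct PKIX trust anchor for key with alias {}, key isn't included in the keystore", key);
        }
    }
    List<PKIXValidationInformation> info = new LinkedList<PKIXValidationInformation>();
    info.add(new BasicPKIXValidationInformation(certificates, null, 4));
    return new StaticPKIXValidationInformationResolver(info, null);
}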
/**
 * {@inheritDoc}
 * <p>
 * Creates a {@link PKIXSignatureTrustEngine} backed by a static resolver over the configured PKIX
 * information and trusted names (an absent name set becomes an empty set). KeyInfo is resolved from
 * inline DSA key values, RSA key values and inline X.509 data. When PKIX validation options are
 * configured they are applied to the engine's evaluator, which is cast to
 * {@link CertPathPKIXTrustEvaluator}; an evaluator of another type fails here with a
 * {@code ClassCastException} rather than silently running without the options.
 *
 * @return the configured trust engine
 * @throws Exception propagated from engine construction
 */
protected Object createInstance() throws Exception {
    Set<String> trustedNames = getTrustedNames();
    if (trustedNames == null) {
        trustedNames = Collections.emptySet();
    }
    StaticPKIXValidationInformationResolver pkixResolver =
            new StaticPKIXValidationInformationResolver(getPKIXInfo(), trustedNames);

    List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>();
    Collections.addAll(providers,
            new DSAKeyValueProvider(),
            new RSAKeyValueProvider(),
            new InlineX509DataProvider());
    KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);

    PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine(pkixResolver, keyInfoResolver);
    if (getPKIXValidationOptions() != null) {
        // Options only apply to the cert-path evaluator; the cast is deliberate, see class comment
        CertPathPKIXTrustEvaluator evaluator = (CertPathPKIXTrustEvaluator) engine.getPKIXTrustEvaluator();
        evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    }
    return engine;
}
}
/**
 * {@inheritDoc}
 * <p>
 * Creates a {@link PKIXX509CredentialTrustEngine} backed by a static resolver over the configured
 * PKIX information and trusted names (an absent name set becomes an empty set). When PKIX validation
 * options are configured they are applied to the engine's evaluator, which is cast to
 * {@link CertPathPKIXTrustEvaluator}; an evaluator of another type fails here with a
 * {@code ClassCastException} rather than silently running without the options.
 *
 * @return the configured trust engine
 * @throws Exception propagated from engine construction
 */
protected Object createInstance() throws Exception {
    Set<String> trustedNames = getTrustedNames();
    if (trustedNames == null) {
        trustedNames = Collections.emptySet();
    }
    StaticPKIXValidationInformationResolver pkixResolver =
            new StaticPKIXValidationInformationResolver(getPKIXInfo(), trustedNames);

    PKIXX509CredentialTrustEngine engine = new PKIXX509CredentialTrustEngine(pkixResolver);
    if (getPKIXValidationOptions() != null) {
        // Options only apply to the cert-path evaluator; the cast is deliberate, see class comment
        CertPathPKIXTrustEvaluator evaluator = (CertPathPKIXTrustEvaluator) engine.getPKIXTrustEvaluator();
        evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    }
    return engine;
}
}