/**
 * Decodes X.509 certificates in DER or PEM format from a file.
 *
 * @param certs file holding the encoded certs
 *
 * @return decoded certs
 *
 * @throws CertificateException thrown if the file is missing or unreadable, or if the
 *             certificates it holds can not be decoded
 *
 * @since 1.2
 */
public static Collection<X509Certificate> decodeCertificate(File certs) throws CertificateException {
    String path = certs.getAbsolutePath();

    // The two pre-checks only buy clearer error messages; the read below still has its
    // own IOException handling, so a file that disappears in between is reported too.
    if (!certs.exists()) {
        throw new CertificateException("Certificate file " + path + " does not exist");
    }
    if (!certs.canRead()) {
        throw new CertificateException("Certificate file " + path + " is not readable");
    }

    byte[] encoded;
    try {
        encoded = DatatypeHelper.fileToByteArray(certs);
    } catch (IOException e) {
        throw new CertificateException("Error reading certificate file " + path, e);
    }

    // Any CertificateException raised while decoding propagates to the caller unchanged.
    return decodeCertificate(encoded);
}
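/**
 * Gets the common name components of the subject and all the subject alt names of a given type.
 *
 * @param certificate certificate to extract names from
 * @param altNameTypes type of alt names to extract
 *
 * @return list of subject names in the certificate: the first subject CN (only when the subject
 *         DN carries one) followed by the subject alt names of the requested types
 */
@SuppressWarnings("unchecked")
public static List getSubjectNames(X509Certificate certificate, Integer[] altNameTypes) {
    List subjectNames = new LinkedList();

    List<String> entityCertCNs = X509Util.getCommonNames(certificate.getSubjectX500Principal());
    // A subject DN with no CN attribute previously blew up on get(0); the alt names are still
    // meaningful on their own, so just skip the CN contribution in that case.
    if (entityCertCNs != null && !entityCertCNs.isEmpty()) {
        subjectNames.add(entityCertCNs.get(0));
    }

    List altNames = X509Util.getAltNames(certificate, altNameTypes);
    if (altNames != null) {
        subjectNames.addAll(altNames);
    }

    return subjectNames;
}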
/**
 * {@inheritDoc}
 *
 * <p>
 * If the set of trusted names is null or empty, or if no supported name types are configured to be
 * checked, then the evaluation is considered successful.
 * </p>
 */
@SuppressWarnings("unchecked")
public boolean evaluate(X509Credential credential, Set<String> trustedNames) throws SecurityException {
    // Nothing configured to check: the credential passes by definition.
    if (!isNameCheckingActive()) {
        log.debug("No trusted name options are active, skipping name evaluation");
        return true;
    }
    // Nothing to check against: likewise a pass.
    if (trustedNames == null || trustedNames.isEmpty()) {
        log.debug("Supplied trusted names are null or empty, skipping name evaluation");
        return true;
    }

    logEvaluationInputs(credential, trustedNames);
    return processNameChecks(credential, trustedNames);
}

/**
 * Emits the debug-level description of what is about to be compared.
 *
 * @param credential the credential under evaluation
 * @param trustedNames the trusted names it is compared against
 */
private void logEvaluationInputs(X509Credential credential, Set<String> trustedNames) {
    if (!log.isDebugEnabled()) {
        return;
    }
    log.debug("Checking trusted names against credential: {}",
            X509Util.getIdentifiersToken(credential, x500DNHandler));
    log.debug("Trusted names being evaluated are: {}", trustedNames.toString());
}
Logger log = getLogger(); if (certificate == null) { return null; for (Integer nameType : nameTypes) { if (altName.get(0).equals(nameType)) { names.add(convertAltNameType(nameType, altName.get(1))); break;
/**
 * Get the first common name (CN) value from the subject DN of the specified certificate.
 *
 * @param cert the certificate being processed
 * @return the first CN value, or null if there are none
 */
protected String getCommonName(X509Certificate cert) {
    List<String> commonNames = X509Util.getCommonNames(cert.getSubjectX500Principal());
    if (commonNames == null || commonNames.isEmpty()) {
        return null;
    }
    // Only the first CN is used; further CN values, if any, are ignored here.
    String firstCommonName = commonNames.get(0);
    log.debug("Extracted common name from certificate: {}", firstCommonName);
    return firstCommonName;
}
/**
 * Parses the CRLs from the credential configuration.
 *
 * @param configChildren children of the credential element
 * @param builder credential builder that receives the decoded CRLs under the "crls" property
 */
protected void parseCRLs(Map<QName, List<Element>> configChildren, BeanDefinitionBuilder builder) {
    QName crlElementName = new QName(SecurityNamespaceHandler.NAMESPACE, "CRL");
    List<Element> crlElems = configChildren.get(crlElementName);
    if (crlElems == null || crlElems.isEmpty()) {
        return;
    }

    log.debug("Parsing x509 credential CRLs");
    ArrayList<X509CRL> crls = new ArrayList<X509CRL>();
    for (Element crlElem : crlElems) {
        String crlText = DatatypeHelper.safeTrimOrNullString(crlElem.getTextContent());
        byte[] encodedCRL = getEncodedCRL(crlText);
        if (encodedCRL == null) {
            // Elements that yield no encoded bytes are silently skipped.
            continue;
        }
        try {
            crls.addAll(X509Util.decodeCRLs(encodedCRL));
        } catch (CRLException e) {
            // One undecodable CRL aborts the whole credential definition.
            throw new FatalBeanException("Unable to create X509 credential, unable to parse CRLs", e);
        }
    }

    builder.addPropertyValue("crls", crls);
}
/**
 * Get the list of subject alt name values from the certificate which are of the specified alt name type.
 *
 * @param cert the certificate from which to extract alt names
 * @param altNameType the type of alt name to extract
 *
 * @return the list of certificate subject alt names; only String-valued names are returned
 */
protected List<String> getAltNames(X509Certificate cert, Integer altNameType) {
    log.debug("Extracting alt names from certificate of type: {}", altNameType.toString());

    List rawAltNames = X509Util.getAltNames(cert, new Integer[] { altNameType });
    List<String> names = new ArrayList<String>();
    for (Object altNameValue : rawAltNames) {
        // Non-String values (e.g. structured name forms) are dropped rather than stringified.
        if (altNameValue instanceof String) {
            names.add((String) altNameValue);
        } else {
            log.debug("Skipping non-String certificate alt name value");
        }
    }

    log.debug("Extracted alt names from certificate: {}", names.toString());
    return names;
}
Logger log = getLogger(); if (DIRECTORY_ALT_NAME.equals(nameType) || DNS_ALT_NAME.equals(nameType) || RFC822_ALT_NAME.equals(nameType) || URI_ALT_NAME.equals(nameType) || REGISTERED_ID_ALT_NAME.equals(nameType)) {
/**
 * {@inheritDoc}
 *
 * <p>Returns {@code null} (rather than false) when the criteria can not be evaluated at all:
 * a null target, or an entity certificate with no subject key identifier extension.</p>
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    byte[] certSKI = X509Util.getSubjectKeyIdentifier(entityCert);
    if (certSKI == null || certSKI.length == 0) {
        log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
        return null;
    }

    return Boolean.valueOf(Arrays.equals(ski, certSKI));
}
for (X509Certificate cert : certs) { try { certValue = X509Util.getX509Digest(cert, digest.getAlgorithm()); if (certValue != null && Arrays.equals(xmlValue, certValue)) { return cert;
/**
 * {@inheritDoc}
 *
 * <p>Collects the subject DN common names and the DNS subject alt names of the certificate and
 * delegates the actual host matching to {@code check(String[], String[], String[])}.</p>
 */
public void check(String[] host, X509Certificate cert) throws SSLException {
    String[] commonNames =
            X509Util.getCommonNames(cert.getSubjectX500Principal()).toArray(new String[0]);
    // DNS subject alt names come from the Certificates helper; X509Util.getAltNames with
    // X509Util.DNS_ALT_NAME would be an alternative source for the same values.
    String[] dnsSubjectAlts = Certificates.getDNSSubjectAlts(cert);
    check(host, commonNames, dnsSubjectAlts);
}
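/**
 * Convert an {@link org.opensaml.xml.signature.X509CRL} into a native Java representation.
 *
 * @param xmlCRL object to extract the CRL from
 *
 * @return a native Java {@link java.security.cert.X509CRL} object, or null if the XML
 *         object or its value is null
 *
 * @throws CRLException thrown if there is a problem converting the
 *             CRL data into {@link java.security.cert.X509CRL}s, including the case where
 *             the value decodes to no CRL at all
 */
public static X509CRL getCRL(org.opensaml.xml.signature.X509CRL xmlCRL) throws CRLException {
    if (xmlCRL == null || xmlCRL.getValue() == null) {
        return null;
    }

    Collection<X509CRL> crls = X509Util.decodeCRLs(Base64.decode(xmlCRL.getValue()));
    // An empty decode result used to surface as a NoSuchElementException from iterator().next();
    // report it through the declared exception type so callers only handle one failure mode.
    if (crls == null || crls.isEmpty()) {
        throw new CRLException("No CRL could be decoded from the X509CRL element value");
    }

    // Only the first decoded CRL is returned; any further CRLs in the value are ignored.
    return crls.iterator().next();
}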
/**
 * Process name checking for the subject alt names within the certificate.
 *
 * @param certificate the certificate to process
 * @param trustedNames the set of trusted names
 *
 * @return true if one of the subject alt names matches the set of trusted names, false otherwise
 */
protected boolean processSubjectAltNames(X509Certificate certificate, Set<String> trustedNames) {
    log.debug("Processing subject alt names");

    Integer[] nameTypes = new Integer[subjectAltNameTypes.size()];
    subjectAltNameTypes.toArray(nameTypes);
    List altNames = X509Util.getAltNames(certificate, nameTypes);
    if (altNames == null) {
        return false;
    }

    log.debug("Extracted subject alt names from certificate: {}", altNames);
    for (Object altName : altNames) {
        if (!trustedNames.contains(altName)) {
            continue;
        }
        // First match wins; remaining alt names are not examined.
        log.debug("Matched subject alt name to trusted names: {}", altName.toString());
        return true;
    }
    return false;
}
Logger log = getLogger(); if (DIRECTORY_ALT_NAME.equals(nameType) || DNS_ALT_NAME.equals(nameType) || RFC822_ALT_NAME.equals(nameType) || URI_ALT_NAME.equals(nameType) || REGISTERED_ID_ALT_NAME.equals(nameType)) {
Logger log = getLogger(); if (certificate == null) { return null; for (Integer nameType : nameTypes) { if (altName.get(0).equals(nameType)) { names.add(convertAltNameType(nameType, altName.get(1))); break;
/**
 * {@inheritDoc}
 *
 * <p>The result is tri-state: {@code null} when the criteria can not be evaluated (null target
 * or no subject key identifier extension), otherwise whether the certificate's SKI equals the
 * configured one.</p>
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }

    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Credential = (X509Credential) target;

    X509Certificate cert = x509Credential.getEntityCertificate();
    if (cert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    byte[] subjectKeyIdentifier = X509Util.getSubjectKeyIdentifier(cert);
    boolean hasSKI = subjectKeyIdentifier != null && subjectKeyIdentifier.length > 0;
    if (!hasSKI) {
        log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
        return null;
    }

    boolean matches = Arrays.equals(ski, subjectKeyIdentifier);
    return Boolean.valueOf(matches);
}
for (X509Certificate cert : certs) { try { certValue = X509Util.getX509Digest(cert, digest.getAlgorithm()); if (certValue != null && Arrays.equals(xmlValue, certValue)) { return cert;
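/**
 * Gets the common name components of the subject and all the subject alt names of a given type.
 * (The names are taken from the certificate's subject DN, not its issuer DN.)
 *
 * @param certificate certificate to extract names from
 * @param altNameTypes type of alt names to extract
 *
 * @return list of subject names in the certificate: the first subject CN (only when the subject
 *         DN carries one) followed by the subject alt names of the requested types
 */
@SuppressWarnings("unchecked")
public static List getSubjectNames(X509Certificate certificate, Integer[] altNameTypes) {
    List names = new LinkedList();

    List<String> subjectCNs = X509Util.getCommonNames(certificate.getSubjectX500Principal());
    // Guard against a subject DN without any CN attribute, which previously failed on get(0).
    if (subjectCNs != null && !subjectCNs.isEmpty()) {
        names.add(subjectCNs.get(0));
    }

    List altNames = X509Util.getAltNames(certificate, altNameTypes);
    if (altNames != null) {
        names.addAll(altNames);
    }

    return names;
}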
/**
 * {@inheritDoc}
 *
 * <p>
 * If the set of trusted names is null or empty, or if no supported name types are configured to be
 * checked, then the evaluation is considered successful.
 * </p>
 */
@SuppressWarnings("unchecked")
public boolean evaluate(X509Credential credential, Set<String> trustedNames) throws SecurityException {
    boolean checkingActive = isNameCheckingActive();
    if (!checkingActive) {
        log.debug("No trusted name options are active, skipping name evaluation");
        return true;
    }

    boolean haveTrustedNames = trustedNames != null && !trustedNames.isEmpty();
    if (!haveTrustedNames) {
        log.debug("Supplied trusted names are null or empty, skipping name evaluation");
        return true;
    }

    if (log.isDebugEnabled()) {
        String credentialIdentifiers = X509Util.getIdentifiersToken(credential, x500DNHandler);
        log.debug("Checking trusted names against credential: {}", credentialIdentifiers);
        log.debug("Trusted names being evaluated are: {}", trustedNames.toString());
    }

    // The actual comparison of certificate names against trustedNames happens here.
    return processNameChecks(credential, trustedNames);
}
/**
 * Process name checking for a certificate subject DN's common name.
 *
 * @param certificate the certificate to process
 * @param trustedNames the set of trusted names
 *
 * @return true if the subject DN common name matches the set of trusted names, false otherwise
 */
protected boolean processSubjectDNCommonName(X509Certificate certificate, Set<String> trustedNames) {
    log.debug("Processing subject DN common name");

    List<String> commonNames = X509Util.getCommonNames(certificate.getSubjectX500Principal());
    if (commonNames == null || commonNames.isEmpty()) {
        return false;
    }

    // TODO We only check the first one returned by X509Util. Maybe we should check all,
    // if there are multiple CN AVA's from the same (first) RDN.
    String commonName = commonNames.get(0);
    log.debug("Extracted common name from certificate: {}", commonName);
    if (DatatypeHelper.isEmpty(commonName)) {
        return false;
    }

    boolean matched = trustedNames.contains(commonName);
    if (matched) {
        log.debug("Matched subject DN common name to trusted names: {}", commonName);
    }
    return matched;
}