Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(), new org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator(pkixOptions), new BasicX509CredentialNameEvaluator());
/**
 * Constructor.
 *
 * <p>Wires a default {@link CertPathPKIXTrustEvaluator} (built with its no-argument
 * constructor, i.e. whatever validation options it defaults to) and a default
 * {@link BasicX509CredentialNameEvaluator}.</p>
 *
 * <p>NOTE(review): the evaluator's default options (revocation checking, path depth,
 * policy handling) are taken as-is here — confirm they suit the deployment before
 * using this constructor rather than the one that accepts an explicit evaluator.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials
 * @throws IllegalArgumentException if {@code resolver} is {@code null}
 */
public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver) {
    if (resolver == null) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    this.pkixTrustEvaluator = new CertPathPKIXTrustEvaluator();
    this.credNameEvaluator = new BasicX509CredentialNameEvaluator();
    this.pkixResolver = resolver;
}
/**
 * Constructor.
 *
 * <p>Delegates the KeyInfo resolver to the superclass, then wires a default
 * {@link CertPathPKIXTrustEvaluator} (no-argument constructor, hence its default
 * validation options) and a default {@link BasicX509CredentialNameEvaluator}.</p>
 *
 * <p>NOTE(review): the KeyInfo-derived credential is advisory only, per the parameter
 * contract; trust is decided by the PKIX evaluation against {@code resolver}'s anchors.
 * Confirm the evaluator's default options (e.g. revocation) are acceptable.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials.
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing
 *        credential from a Signature's KeyInfo element.
 * @throws IllegalArgumentException if {@code resolver} is {@code null}
 */
public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver) {
    super(keyInfoResolver);
    if (resolver == null) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    this.pkixTrustEvaluator = new CertPathPKIXTrustEvaluator();
    this.credNameEvaluator = new BasicX509CredentialNameEvaluator();
    this.pkixResolver = resolver;
}
/**
 * Constructor.
 *
 * <p>Wires a default {@link CertPathPKIXTrustEvaluator} (built with its no-argument
 * constructor, i.e. whatever validation options it defaults to) and a default
 * {@link BasicX509CredentialNameEvaluator}.</p>
 *
 * <p>NOTE(review): the evaluator's default options (revocation checking, path depth,
 * policy handling) are taken as-is here — confirm they suit the deployment before
 * using this constructor rather than the one that accepts an explicit evaluator.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials
 * @throws IllegalArgumentException if {@code resolver} is {@code null}
 */
public PKIXX509CredentialTrustEngine(PKIXValidationInformationResolver resolver) {
    if (resolver == null) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    this.pkixTrustEvaluator = new CertPathPKIXTrustEvaluator();
    this.credNameEvaluator = new BasicX509CredentialNameEvaluator();
    this.pkixResolver = resolver;
}
/**
 * Constructor.
 *
 * <p>Delegates the KeyInfo resolver to the superclass, then wires a default
 * {@link CertPathPKIXTrustEvaluator} (no-argument constructor, hence its default
 * validation options) and a default {@link BasicX509CredentialNameEvaluator}.</p>
 *
 * <p>NOTE(review): the KeyInfo-derived credential is advisory only, per the parameter
 * contract; trust is decided by the PKIX evaluation against {@code resolver}'s anchors.
 * Confirm the evaluator's default options (e.g. revocation) are acceptable.</p>
 *
 * @param resolver credential resolver used to resolve trusted credentials.
 * @param keyInfoResolver KeyInfo credential resolver used to obtain the (advisory) signing
 *        credential from a Signature's KeyInfo element.
 * @throws IllegalArgumentException if {@code resolver} is {@code null}
 */
public PKIXSignatureTrustEngine(PKIXValidationInformationResolver resolver, KeyInfoCredentialResolver keyInfoResolver) {
    super(keyInfoResolver);
    if (resolver == null) {
        throw new IllegalArgumentException("PKIX trust information resolver may not be null");
    }
    this.pkixTrustEvaluator = new CertPathPKIXTrustEvaluator();
    this.credNameEvaluator = new BasicX509CredentialNameEvaluator();
    this.pkixResolver = resolver;
}
/**
 * Installs the SSL trust engine on the given SAML message context.
 *
 * <p>If the local extended metadata's SSL security profile equals {@code "pkix"}
 * (case-insensitively), a {@link PKIXX509CredentialTrustEngine} is built from this
 * object's {@code pkixResolver} and {@code pkixTrustEvaluator} plus a fresh
 * {@link BasicX509CredentialNameEvaluator}. Any other value — including the default —
 * selects an {@link ExplicitX509CertificateTrustEngine} over {@code metadataResolver}.
 * The chosen engine is stored via {@code setLocalSSLTrustEngine} and is meant for
 * verifying SSL/TLS connections.</p>
 *
 * <p>NOTE(review): selection is by string comparison only, so a misspelled profile value
 * silently falls back to the explicit engine; consider logging which engine was chosen.
 * {@code getLocalExtendedMetadata()} is dereferenced without a null check — confirm the
 * caller guarantees it is populated.</p>
 *
 * @param samlContext context to populate
 */
protected void populateSSLTrustEngine(SAMLMessageContext samlContext) {
    String sslProfile = samlContext.getLocalExtendedMetadata().getSslSecurityProfile();
    boolean pkixSelected = "pkix".equalsIgnoreCase(sslProfile);

    if (pkixSelected) {
        samlContext.setLocalSSLTrustEngine(
                new PKIXX509CredentialTrustEngine(pkixResolver, pkixTrustEvaluator, new BasicX509CredentialNameEvaluator()));
        return;
    }
    samlContext.setLocalSSLTrustEngine(new ExplicitX509CertificateTrustEngine(metadataResolver));
}
/**
 * Installs the signature trust engine on the given SAML message context.
 *
 * <p>If the local extended metadata's security profile equals {@code "pkix"}
 * (case-insensitively), a {@link PKIXSignatureTrustEngine} is built from this object's
 * {@code pkixResolver}, the global default KeyInfo credential resolver, this object's
 * {@code pkixTrustEvaluator} and a fresh {@link BasicX509CredentialNameEvaluator}.
 * Any other value — including the default — selects an
 * {@link ExplicitKeySignatureTrustEngine} over {@code metadataResolver} with the same
 * global KeyInfo resolver. The chosen engine is stored via {@code setLocalTrustEngine}.</p>
 *
 * <p>NOTE(review): a misspelled profile value silently falls back to the explicit-key
 * engine; consider logging the selection. {@code getLocalExtendedMetadata()} is
 * dereferenced without a null check — confirm the caller guarantees it is set.</p>
 *
 * @param samlContext context to populate
 */
protected void populateTrustEngine(SAMLMessageContext samlContext) {
    String securityProfile = samlContext.getLocalExtendedMetadata().getSecurityProfile();
    boolean pkixSelected = "pkix".equalsIgnoreCase(securityProfile);
    KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();

    if (pkixSelected) {
        samlContext.setLocalTrustEngine(
                new PKIXSignatureTrustEngine(pkixResolver, keyInfoResolver, pkixTrustEvaluator, new BasicX509CredentialNameEvaluator()));
        return;
    }
    samlContext.setLocalTrustEngine(new ExplicitKeySignatureTrustEngine(metadataResolver, keyInfoResolver));
}
Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(), new org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator(pkixOptions), new BasicX509CredentialNameEvaluator());
/**
 * Builds the delegate socket factory used to create every socket of this factory.
 *
 * <p>Trust is decided by a {@link PKIXX509CredentialTrustEngine}: anchors come from
 * {@link #getPKIXResolver()}, path validation from a {@link CertPathPKIXTrustEvaluator}
 * created over a freshly constructed, unmodified {@link CertPathPKIXValidationOptions},
 * and names from a {@link BasicX509CredentialNameEvaluator}. The key manager wraps this
 * object's default credential (cast to {@link X509Credential}); the trust manager is
 * built with an empty {@link CriteriaSet} and the engine above.</p>
 *
 * <p>NOTE(review): when {@link #isHostnameVerificationSupported()} is {@code false} the
 * resolved {@code HostnameVerifier} is computed but never handed to the delegate — whether
 * the two-argument {@code TLSProtocolSocketFactory} performs any host name check is not
 * visible here; confirm before relying on it for peer identity. The default
 * {@code CertPathPKIXValidationOptions} (e.g. revocation settings) are used as-is; confirm
 * they meet the deployment's requirements. The cast of the default credential is
 * unchecked and fails with {@code ClassCastException} if it is not X.509.</p>
 *
 * @return socket factory
 */
protected SecureProtocolSocketFactory initializeDelegate() {
    CertPathPKIXValidationOptions validationOptions = new CertPathPKIXValidationOptions();
    PKIXValidationInformationResolver anchorResolver = getPKIXResolver();
    CertPathPKIXTrustEvaluator pathEvaluator = new CertPathPKIXTrustEvaluator(validationOptions);
    TrustEngine<X509Credential> engine =
            new PKIXX509CredentialTrustEngine(anchorResolver, pathEvaluator, new BasicX509CredentialNameEvaluator());

    // The local below deliberately does not shadow the 'keyManager' field it reads from.
    X509Credential defaultCredential = (X509Credential) this.keyManager.getDefaultCredential();
    X509KeyManager tlsKeyManager = new X509KeyManager(defaultCredential);
    X509TrustManager tlsTrustManager = new X509TrustManager(new CriteriaSet(), engine);
    // Resolved unconditionally, exactly as before, even when it ends up unused.
    HostnameVerifier verifier = SAMLUtil.getHostnameVerifier(sslHostnameVerification);

    if (!isHostnameVerificationSupported()) {
        return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(tlsKeyManager, tlsTrustManager);
    }
    return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(tlsKeyManager, tlsTrustManager, verifier);
}