/**
 * Populates the local SSL trust engine of the given SAML context. The engine is selected from the
 * {@code sslSecurityProfile} of the local extended metadata: the value {@code "pkix"} (compared
 * case-insensitively) yields a PKIX engine backed by the configured {@code pkixResolver} and
 * {@code pkixTrustEvaluator} together with a {@link BasicX509CredentialNameEvaluator}; any other
 * value, including none, yields an explicit engine over {@code metadataResolver}, i.e. trust based on
 * data from the metadata or on the values overridden in the ExtendedMetadata. The resulting engine is
 * what the SSL connections are verified against.
 *
 * @param samlContext context to populate
 */
protected void populateSSLTrustEngine(SAMLMessageContext samlContext) {
    String securityProfile = samlContext.getLocalExtendedMetadata().getSslSecurityProfile();
    boolean pkixRequested = "pkix".equalsIgnoreCase(securityProfile);

    TrustEngine<X509Credential> sslTrustEngine;
    if (pkixRequested) {
        // PKIX path validation against the configured anchors, plus a name check on the credential.
        sslTrustEngine = new PKIXX509CredentialTrustEngine(pkixResolver, pkixTrustEvaluator,
                new BasicX509CredentialNameEvaluator());
    } else {
        // Default: only certificates explicitly present in (extended) metadata are trusted.
        sslTrustEngine = new ExplicitX509CertificateTrustEngine(metadataResolver);
    }
    samlContext.setLocalSSLTrustEngine(sslTrustEngine);
}
/**
 * {@inheritDoc}
 *
 * <p>Builds a {@link PKIXX509CredentialTrustEngine} over a {@link StaticPKIXValidationInformationResolver}
 * fed with {@code getPKIXInfo()} and the trusted names; a {@code null} set of trusted names is replaced
 * by an empty set. When {@code getPKIXValidationOptions()} is non-null the options are applied to the
 * engine's evaluator, which is cast to {@link CertPathPKIXTrustEvaluator} (the single-argument engine
 * constructor is assumed to install that evaluator type — a different evaluator would fail the cast).
 * Otherwise the evaluator keeps its defaults.
 *
 * @return the configured trust engine
 * @throws Exception if the engine cannot be created
 */
protected Object createInstance() throws Exception {
    Set<String> configuredNames = getTrustedNames();
    Set<String> trustedNames = (configuredNames == null) ? Collections.<String>emptySet() : configuredNames;

    StaticPKIXValidationInformationResolver validationInfoResolver =
            new StaticPKIXValidationInformationResolver(getPKIXInfo(), trustedNames);
    PKIXX509CredentialTrustEngine trustEngine = new PKIXX509CredentialTrustEngine(validationInfoResolver);

    // Validation options (if any were configured) are pushed onto the engine's evaluator.
    if (getPKIXValidationOptions() != null) {
        CertPathPKIXTrustEvaluator evaluator = (CertPathPKIXTrustEvaluator) trustEngine.getPKIXTrustEvaluator();
        evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    }
    return trustEngine;
}
}
/**
 * {@inheritDoc}
 *
 * <p>Builds a {@link PKIXX509CredentialTrustEngine} whose validation information (anchors, names)
 * is resolved from the metadata provider via {@link MetadataPKIXValidationInformationResolver}. When
 * {@code getPKIXValidationOptions()} is non-null the options are applied to the engine's evaluator,
 * cast to {@link CertPathPKIXTrustEvaluator} (assumed to be what the single-argument engine constructor
 * installs); otherwise the evaluator keeps its defaults.
 *
 * @return the configured trust engine
 * @throws Exception if the engine cannot be created
 */
protected Object createInstance() throws Exception {
    MetadataPKIXValidationInformationResolver validationInfoResolver =
            new MetadataPKIXValidationInformationResolver(getMetadataProvider());
    PKIXX509CredentialTrustEngine trustEngine = new PKIXX509CredentialTrustEngine(validationInfoResolver);

    // Validation options (if any were configured) are pushed onto the engine's evaluator.
    if (getPKIXValidationOptions() != null) {
        CertPathPKIXTrustEvaluator evaluator = (CertPathPKIXTrustEvaluator) trustEngine.getPKIXTrustEvaluator();
        evaluator.setPKIXValidationOptions(getPKIXValidationOptions());
    }
    return trustEngine;
}
}
/**
 * Initializes the internal SocketFactory used to create all sockets. Server trust is established with
 * a PKIX trust engine built from {@link #getPKIXResolver()} (the configured trusted keys act as trust
 * anchors), a {@link CertPathPKIXTrustEvaluator} running with default
 * {@link CertPathPKIXValidationOptions}, and a {@link BasicX509CredentialNameEvaluator}. The client
 * key is the default credential of the configured key manager. The hostname verifier derived from
 * {@code sslHostnameVerification} is handed to the factory only when
 * {@link #isHostnameVerificationSupported()} is true; otherwise the factory is created without one, so
 * no hostname check is performed on those connections.
 *
 * @return socket factory
 */
protected SecureProtocolSocketFactory initializeDelegate() {
    // PKIX evaluation with default options over the configured anchors, plus a credential name check.
    CertPathPKIXValidationOptions validationOptions = new CertPathPKIXValidationOptions();
    PKIXValidationInformationResolver anchorResolver = getPKIXResolver();
    CertPathPKIXTrustEvaluator evaluator = new CertPathPKIXTrustEvaluator(validationOptions);
    TrustEngine<X509Credential> serverTrustEngine = new PKIXX509CredentialTrustEngine(anchorResolver,
            evaluator, new BasicX509CredentialNameEvaluator());

    X509Credential clientCredential = (X509Credential) this.keyManager.getDefaultCredential();
    X509KeyManager clientKeyManager = new X509KeyManager(clientCredential);
    // Empty criteria: no additional constraints are placed on the evaluated credential here.
    X509TrustManager serverTrustManager = new X509TrustManager(new CriteriaSet(), serverTrustEngine);
    HostnameVerifier verifier = SAMLUtil.getHostnameVerifier(sslHostnameVerification);

    if (!isHostnameVerificationSupported()) {
        // The verifier is dropped on this path; the factory performs no hostname verification.
        return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(clientKeyManager, serverTrustManager);
    }
    return new org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory(clientKeyManager, serverTrustManager, verifier);
}