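/**
 * Builds the PKIX validation information resolver used to verify a metadata provider's signature.
 * <p>
 * Each alias in {@code trustedKeys} is looked up in the key manager and its certificate becomes a
 * trust anchor; aliases with no certificate in the keystore are skipped with a warning. The single
 * {@link BasicPKIXValidationInformation} produced carries no CRLs ({@code null}) and a fixed
 * maximum verification depth of 4, so revocation data is not part of this resolver at all
 * (presumably revocation, when wanted, is driven by the trust evaluator's options instead).
 *
 * @param provider     metadata provider whose signature is being verified (used for logging only)
 * @param trustedKeys  keystore aliases to use as trust anchors; when {@code null} <em>every</em>
 *                     credential known to the key manager is trusted, which is the widest possible
 *                     trust base and should be an explicit deployment decision rather than a default
 * @param trustedNames names the signing credential must match; passed through to the resolver
 * @return resolver holding one static PKIX validation entry built from the resolved anchors
 */
@Override
protected PKIXValidationInformationResolver getPKIXResolver(MetadataProvider provider,
        Set<String> trustedKeys, Set<String> trustedNames) {
    // Null means "no restriction": every credential in the keystore becomes an anchor.
    Set<String> anchorAliases = trustedKeys;
    if (anchorAliases == null) {
        anchorAliases = keyManager.getAvailableCredentials();
    }

    List<X509Certificate> anchors = new LinkedList<X509Certificate>();
    for (String alias : anchorAliases) {
        log.debug("Adding PKIX trust anchor {} for metadata verification of provider {}", alias, provider);
        X509Certificate certificate = keyManager.getCertificate(alias);
        if (certificate != null) {
            anchors.add(certificate);
        } else {
            log.warn("Cannot construct PKIX trust anchor for key with alias {} for provider {}, key isn't included in the keystore", alias, provider);
        }
    }

    // With no anchors at all no certificate path can ever validate; say so here rather than
    // letting every metadata signature fail later with an opaque PKIX error.
    if (anchors.isEmpty()) {
        log.warn("No PKIX trust anchors could be resolved for provider {}, metadata signature verification will fail", provider);
    }

    List<PKIXValidationInformation> info = new LinkedList<PKIXValidationInformation>();
    // No CRLs are attached; depth 4 caps how long a chain from anchor to signer may be.
    info.add(new BasicPKIXValidationInformation(anchors, null, 4));
    return new StaticPKIXValidationInformationResolver(info, trustedNames);
}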
CertPathPKIXValidationOptions pkixOptions = new CertPathPKIXValidationOptions(); pkixOptions.setForceRevocationEnabled(true); } else { log.debug("Revocation checking not forced"); pkixOptions.setForceRevocationEnabled(false); Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(), new org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator(pkixOptions), new BasicX509CredentialNameEvaluator());
/**
 * {@inheritDoc}
 * <p>
 * The generator is handed a clone of this factory's options, so (assuming
 * {@code X509Options.clone()} copies deeply enough) later reconfiguration of the factory does
 * not leak into generators already handed out.
 */
public KeyInfoGenerator newInstance() {
    // TODO: the options are read while cloning without any lock; concurrent reconfiguration of
    // the factory could yield an inconsistent snapshot.
    return new X509KeyInfoGenerator(options.clone());
}
spSSODescriptor.setAuthnRequestsSigned(true); X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory(); keyInfoGeneratorFactory.setEmitEntityCertificate(true); KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance(); encKeyDescriptor.setUse(UsageType.ENCRYPTION); BasicX509Credential signingCredential = new BasicX509Credential(); signingCredential.setEntityCertificate(spMetadata.getSigningCertificate()); BasicX509Credential encryptionCredential = new BasicX509Credential(); encryptionCredential.setEntityCertificate(spMetadata.getEncryptionCertificate());
/**
 * Process the options related to generation of child elements of X509Data based on certificate data.
 * <p>
 * Each helper is expected to append its element only when the corresponding option is enabled
 * (not visible here — confirm in the helpers). The call order is deliberate: it presumably fixes
 * the document order of the emitted X509Data children, so do not reorder these calls.
 *
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509DataOptions(X509Data x509Data, java.security.cert.X509Certificate cert) {
    // Subject name, then issuer/serial, then SKI, then digest.
    processCertX509SubjectName(x509Data, cert);
    processCertX509IssuerSerial(x509Data, cert);
    processCertX509SKI(x509Data, cert);
    processCertX509Digest(x509Data, cert);
}
/**
 * Reports whether at least one of the supported name-checking categories is switched on.
 * <p>
 * Security note: when this returns {@code false}, neither subject alt name, subject DN common
 * name nor full subject DN comparison is enabled; callers presumably then skip name evaluation
 * entirely and rely on the certificate path alone — confirm against the calling code.
 *
 * @return {@code true} if subject alt name, subject DN common name or subject DN checking is
 *         enabled, {@code false} otherwise
 */
public boolean isNameCheckingActive() {
    if (checkSubjectAltNames()) {
        return true;
    }
    if (checkSubjectDNCommonName()) {
        return true;
    }
    return checkSubjectDN();
}
/**
 * Creates an evaluator with a fresh, default-configured {@link PKIXValidationOptions} instance
 * and the built-in {@link InternalX500DNHandler} for distinguished-name handling.
 * <p>
 * Whatever defaults {@code PKIXValidationOptions} carries (revocation, depth) apply until the
 * options are replaced or adjusted by the caller.
 */
public CertPathPKIXTrustEvaluator() {
    this.options = new PKIXValidationOptions();
    this.x500DNHandler = new InternalX500DNHandler();
}
/**
 * Process the options related to generation of KeyName elements based on certificate data.
 * <p>
 * Each helper is expected to emit its KeyName only when the matching option is enabled (not
 * visible here — confirm in the helpers). The call order presumably fixes the document order of
 * the emitted KeyName children, so do not reorder these calls.
 *
 * @param keyInfo the KeyInfo element being processed.
 * @param cert the certificate being processed
 */
protected void processCertKeyNameOptions(KeyInfo keyInfo, java.security.cert.X509Certificate cert) {
    // Full subject DN, then subject CN, then one KeyName per subject alt name.
    processSubjectDNKeyName(keyInfo, cert);
    processSubjectCNKeyName(keyInfo, cert);
    processSubjectAltNameKeyNames(keyInfo, cert);
}
/**
 * Resolves the maximum certificate path length to hand to the PKIX cert path builder.
 * <p>
 * A depth carried by the validation information wins; only when it is absent does the
 * evaluator's configured default apply. The value is returned as-is, so if both are unset the
 * result is {@code null}.
 *
 * @param validationInfo PKIX validation information, possibly carrying its own depth
 * @return the depth from {@code validationInfo}, otherwise
 *         {@code options.getDefaultVerificationDepth()}
 */
protected Integer getEffectiveVerificationDepth(PKIXValidationInformation validationInfo) {
    Integer infoDepth = validationInfo.getVerificationDepth();
    return infoDepth != null ? infoDepth : options.getDefaultVerificationDepth();
}
/**
 * Creates a criteria that matches certificates by digest.
 * <p>
 * Both values are delegated to the setters; whether the digest array is defensively copied is
 * decided there, not here.
 *
 * @param alg    identifier of the algorithm used to compute {@code digest}
 * @param digest the expected certificate digest
 */
public X509DigestCriteria(String alg, byte[] digest) {
    this.setAlgorithm(alg);
    this.setDigest(digest);
}
/**
 * {@inheritDoc}
 * <p>
 * This handler is stateless, so a brand-new instance satisfies the clone contract without
 * copying anything.
 */
public X500DNHandler clone() {
    X500DNHandler copy = new InternalX500DNHandler();
    return copy;
}
/**
 * Creates a criteria that matches a certificate by its issuer name and serial number.
 * <p>
 * Note that issuer/serial is only a unique identifier within one CA; it carries no trust by
 * itself and still needs path validation against a trust anchor.
 *
 * @param issuer certificate issuer name
 * @param serial certificate serial number
 */
public X509IssuerSerialCriteria(X500Principal issuer, BigInteger serial) {
    this.setIssuerName(issuer);
    this.setSerialNumber(serial);
}
/**
 * Creates a criteria that matches a certificate by its subject distinguished name.
 *
 * @param subject certificate subject name
 */
public X509SubjectNameCriteria(X500Principal subject) {
    this.setSubjectName(subject);
}
/**
 * Process the options related to generation of child elements of X509Data based on certificate data.
 * <p>
 * Each helper is expected to append its element only when the corresponding option is enabled
 * (not visible here — confirm in the helpers). The call order is deliberate: it presumably fixes
 * the document order of the emitted X509Data children, so do not reorder these calls.
 *
 * @param x509Data the X509Data element being processed.
 * @param cert the certificate being processed
 */
protected void processCertX509DataOptions(X509Data x509Data, java.security.cert.X509Certificate cert) {
    // Subject name, then issuer/serial, then SKI, then digest.
    processCertX509SubjectName(x509Data, cert);
    processCertX509IssuerSerial(x509Data, cert);
    processCertX509SKI(x509Data, cert);
    processCertX509Digest(x509Data, cert);
}
/**
 * Reports whether at least one of the supported name-checking categories is switched on.
 * <p>
 * Security note: when this returns {@code false}, neither subject alt name, subject DN common
 * name nor full subject DN comparison is enabled; callers presumably then skip name evaluation
 * entirely and rely on the certificate path alone — confirm against the calling code.
 *
 * @return {@code true} if subject alt name, subject DN common name or subject DN checking is
 *         enabled, {@code false} otherwise
 */
public boolean isNameCheckingActive() {
    if (checkSubjectAltNames()) {
        return true;
    }
    if (checkSubjectDNCommonName()) {
        return true;
    }
    return checkSubjectDN();
}
/**
 * Creates an evaluator with a fresh, default-configured {@link PKIXValidationOptions} instance
 * and the built-in {@link InternalX500DNHandler} for distinguished-name handling.
 * <p>
 * Whatever defaults {@code PKIXValidationOptions} carries (revocation, depth) apply until the
 * options are replaced or adjusted by the caller.
 */
public CertPathPKIXTrustEvaluator() {
    this.options = new PKIXValidationOptions();
    this.x500DNHandler = new InternalX500DNHandler();
}
/**
 * {@inheritDoc}
 * <p>
 * The generator is handed a clone of this factory's options, so (assuming
 * {@code X509Options.clone()} copies deeply enough) later reconfiguration of the factory does
 * not leak into generators already handed out.
 */
public KeyInfoGenerator newInstance() {
    // TODO: the options are read while cloning without any lock; concurrent reconfiguration of
    // the factory could yield an inconsistent snapshot.
    return new X509KeyInfoGenerator(options.clone());
}
/**
 * Resolves the maximum certificate path length to hand to the PKIX cert path builder.
 * <p>
 * A depth carried by the validation information wins; only when it is absent does the
 * evaluator's configured default apply. The value is returned as-is, so if both are unset the
 * result is {@code null}.
 *
 * @param validationInfo PKIX validation information, possibly carrying its own depth
 * @return the depth from {@code validationInfo}, otherwise
 *         {@code options.getDefaultVerificationDepth()}
 */
protected Integer getEffectiveVerificationDepth(PKIXValidationInformation validationInfo) {
    Integer infoDepth = validationInfo.getVerificationDepth();
    return infoDepth != null ? infoDepth : options.getDefaultVerificationDepth();
}
/**
 * Creates a criteria that matches certificates by digest.
 * <p>
 * Both values are delegated to the setters; whether the digest array is defensively copied is
 * decided there, not here.
 *
 * @param alg    identifier of the algorithm used to compute {@code digest}
 * @param digest the expected certificate digest
 */
public X509DigestCriteria(String alg, byte[] digest) {
    this.setAlgorithm(alg);
    this.setDigest(digest);
}
/**
 * Creates a provider that uses the built-in {@link InternalX500DNHandler} for parsing and
 * comparing distinguished names found inline in X509Data.
 */
public InlineX509DataProvider() {
    this.x500DNHandler = new InternalX500DNHandler();
}