public class BasicX509CredentialNameEvaluator extends Object implements X509CredentialNameEvaluator

An implementation of X509CredentialNameEvaluator which evaluates various identifiers extracted from an X509Credential's entity certificate against a set of trusted names.

Supported types of entity certificate-derived names for name checking purposes are:

- the complete subject distinguished name (DN) of the entity certificate
- the common name (CN) of the entity certificate's subject DN
- the subject alternative names of the entity certificate

Name checking is enabled by default for all of the supported name types. The types of subject alternative names to process are specified by using the appropriate constant values defined in X509Util. By default the following types of subject alternative names are checked: DNS (X509Util.DNS_ALT_NAME) and URI (X509Util.URI_ALT_NAME).

The subject distinguished name from the entity certificate is compared to the trusted key names for complete DN matching purposes by parsing each trusted key name into an X500Principal as returned by the configured instance of X500DNHandler. The resulting distinguished name is then compared with the certificate subject using X500Principal.equals(Object). The default X500DNHandler used is InternalX500DNHandler.
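The following is an added usage example; it is not code from the OpenSAML project or from this documentation. It wraps the evaluator described above so that the two cases evaluate() treats as success (a null or empty trusted-name set, and no name type enabled) are instead reported as failures to the caller, and it shows the full-DN comparison semantics of X500Principal.equals(Object) on a constructed subject name. The class name TrustedNameCheck is hypothetical; the package org.opensaml.xml.security.x509, the BasicX509Credential class with its setEntityCertificate() method, and the checked org.opensaml.xml.security.SecurityException thrown by evaluate() are assumed from the OpenSAML 2 API and are not stated on this page.

```java
// Added example, not part of the OpenSAML/JBoss documentation. Assumed (see lead-in):
// the OpenSAML 2 package org.opensaml.xml.security.x509, BasicX509Credential with
// setEntityCertificate(), and org.opensaml.xml.security.SecurityException.
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator;
import org.opensaml.xml.security.x509.X509Credential;

/** Hypothetical wrapper that fails closed where the evaluator alone would pass. */
public final class TrustedNameCheck {

    private final BasicX509CredentialNameEvaluator evaluator;

    public TrustedNameCheck() {
        evaluator = new BasicX509CredentialNameEvaluator();
        // Defaults per the class description: subject DN, subject CN and the DNS/URI
        // subject alternative names are all checked. A bare CN match is the loosest of
        // the three, so this wrapper disables it and relies on full-DN or SAN matches.
        evaluator.setCheckSubjectDNCommonName(false);
        evaluator.setCheckSubjectDN(true);
        evaluator.setCheckSubjectAltNames(true);
    }

    /**
     * evaluate() is documented to succeed when trustedNames is null or empty, or when
     * no supported name type is enabled. A caller that requires the certificate to be
     * bound to a known name should treat both situations as a failed check.
     */
    public boolean verify(X509Certificate entityCert, Set<String> trustedNames)
            throws SecurityException {
        if (trustedNames == null || trustedNames.isEmpty()) {
            return false; // nothing to bind the certificate to
        }
        if (!evaluator.isNameCheckingActive()) {
            return false; // every name check has been switched off
        }
        BasicX509Credential credential = new BasicX509Credential(); // assumed OpenSAML 2 API
        credential.setEntityCertificate(entityCert);
        X509Credential toEvaluate = credential;
        return evaluator.evaluate(toEvaluate, trustedNames);
    }

    /**
     * The complete-DN comparison the page describes: a trusted name is parsed into an
     * X500Principal and compared with X500Principal.equals(Object). That comparison is
     * made on the canonical DN form, so attribute-type case, value case and surrounding
     * whitespace do not matter, while the order of the RDNs does.
     */
    public static boolean sameSubjectDn(String trustedName, X500Principal certSubject) {
        return new X500Principal(trustedName).equals(certSubject);
    }

    public static void main(String[] args) {
        // Constructed sample subject, standing in for certificate.getSubjectX500Principal().
        X500Principal subject = new X500Principal("CN=sp.example.org, O=Example Org, C=US");
        System.out.println(sameSubjectDn("cn=sp.example.org,o=example org,c=us", subject));
        System.out.println(sameSubjectDn("C=US, O=Example Org, CN=sp.example.org", subject));
    }
}
```

In main(), the first trusted name differs from the subject only in case and whitespace and therefore matches; the second lists the same RDNs in reverse order and does not. Trusted names configured for full-DN matching must therefore carry the RDNs in the same sequence as the certificate subject.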
| Constructor | Description |
|---|---|
| BasicX509CredentialNameEvaluator() | Constructor. |
| Modifier and Type | Method | Description |
|---|---|---|
| boolean | checkSubjectAltNames() | Gets whether to check the credential's entity certificate subject alt names against the trusted key name values. |
| boolean | checkSubjectDN() | Gets whether to check the credential's entity certificate subject DN against the trusted key name values. |
| boolean | checkSubjectDNCommonName() | Gets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values. |
| boolean | evaluate(X509Credential credential, Set<String> trustedNames) | Evaluate the specified credential against the specified set of trusted names. |
| Set<Integer> | getSubjectAltNameTypes() | The set of types of subject alternative names to process. |
| X500DNHandler | getX500DNHandler() | Get the handler which processes X.500 distinguished names. |
| boolean | isNameCheckingActive() | Gets whether any of the supported name type checking is currently enabled. |
| protected boolean | processNameChecks(X509Credential credential, Set<String> trustedNames) | Process any name checks that are enabled. |
| protected boolean | processSubjectAltNames(X509Certificate certificate, Set<String> trustedNames) | Process name checking for the subject alt names within the certificate. |
| protected boolean | processSubjectDN(X509Certificate certificate, Set<String> trustedNames) | Process name checking for the certificate subject DN. |
| protected boolean | processSubjectDNCommonName(X509Certificate certificate, Set<String> trustedNames) | Process name checking for a certificate subject DN's common name. |
| void | setCheckSubjectAltNames(boolean check) | Sets whether to check the credential's entity certificate subject alt names against the trusted key name values. |
| void | setCheckSubjectDN(boolean check) | Sets whether to check the credential's entity certificate subject DN against the trusted key name values. |
| void | setCheckSubjectDNCommonName(boolean check) | Sets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values. |
| void | setX500DNHandler(X500DNHandler handler) | Set the handler which processes X.500 distinguished names. |
Constructor Detail

public BasicX509CredentialNameEvaluator()

Constructor.

Method Detail

public boolean isNameCheckingActive()

Gets whether any of the supported name type checking is currently enabled.

public Set<Integer> getSubjectAltNameTypes()

The set of types of subject alternative names to process. The type constants are defined in X509Util.

public boolean checkSubjectAltNames()

Gets whether to check the credential's entity certificate subject alt names against the trusted key name values.

public void setCheckSubjectAltNames(boolean check)

Sets whether to check the credential's entity certificate subject alt names against the trusted key name values.

Parameters:
- check - whether to check the credential's entity certificate subject alt names against the trusted key names

public boolean checkSubjectDNCommonName()

Gets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.

public void setCheckSubjectDNCommonName(boolean check)

Sets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.

Parameters:
- check - whether to check the credential's entity certificate subject DN's CN against the trusted key names

public boolean checkSubjectDN()

Gets whether to check the credential's entity certificate subject DN against the trusted key name values.

public void setCheckSubjectDN(boolean check)

Sets whether to check the credential's entity certificate subject DN against the trusted key name values.

Parameters:
- check - whether to check the credential's entity certificate subject DN against the trusted key names

public X500DNHandler getX500DNHandler()

Get the handler which processes X.500 distinguished names. The default handler is InternalX500DNHandler.

public void setX500DNHandler(X500DNHandler handler)

Set the handler which processes X.500 distinguished names. The default handler is InternalX500DNHandler.

Parameters:
- handler - the new X500DNHandler instance

public boolean evaluate(X509Credential credential, Set<String> trustedNames) throws SecurityException

Evaluate the specified credential against the specified set of trusted names.

The types of names supported, and the manner in which they are evaluated, are implementation-specific.

If the set of trusted names is null or empty, or if no supported name types are configured to be checked, then the evaluation is considered successful.

Specified by:
- evaluate in interface X509CredentialNameEvaluator

Parameters:
- credential - the X.509 credential to evaluate
- trustedNames - trusted names against which the credential will be evaluated

Throws:
- SecurityException - thrown if there is an error during name evaluation

protected boolean processNameChecks(X509Credential credential, Set<String> trustedNames)

Process any name checks that are enabled.

Parameters:
- credential - the credential for the entity to validate
- trustedNames - trusted names against which the credential will be evaluated

protected boolean processSubjectDNCommonName(X509Certificate certificate, Set<String> trustedNames)

Process name checking for a certificate subject DN's common name.

Parameters:
- certificate - the certificate to process
- trustedNames - the set of trusted names

protected boolean processSubjectDN(X509Certificate certificate, Set<String> trustedNames)

Process name checking for the certificate subject DN.

Parameters:
- certificate - the certificate to process
- trustedNames - the set of trusted names

protected boolean processSubjectAltNames(X509Certificate certificate, Set<String> trustedNames)

Process name checking for the subject alt names within the certificate.

Parameters:
- certificate - the certificate to process
- trustedNames - the set of trusted names

Copyright © 2018 JBoss by Red Hat. All rights reserved.