org.apache.wss4j.common.crypto

Class CryptoBase

java.lang.Object

org.apache.wss4j.common.crypto.CryptoBase

All Implemented Interfaces:

Crypto

Direct Known Subclasses:

CertificateStore, Merlin

public abstract class CryptoBase
extends Object
implements Crypto

This Abstract Base Class implements the accessor and keystore-independent methods and functionality of the Crypto interface.

Field Summary

Fields

Modifier and Type	Field and Description
protected CertificateFactory	certificateFactory
static String	NAME_CONSTRAINTS_OID OID For the NameConstraints Extension to X.509 http://java.sun.com/j2se/1.4.2/docs/api/ http://www.ietf.org/rfc/rfc3280.txt (s.
static String	SKI_OID

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	CryptoBase() Constructor

Method Summary

Modifier and Type	Method and Description
protected Object	createBCX509Name(String s)
byte[]	getBytesFromCertificates(X509Certificate[] certs) Get a byte array given an array of X509 certificates.
CertificateFactory	getCertificateFactory() Get the CertificateFactory instance on this Crypto instance
X509Certificate[]	getCertificatesFromBytes(byte[] data) Construct an array of X509Certificate's from the byte array.
String	getCryptoProvider() Get the crypto provider associated with this implementation
String	getDefaultX509Identifier() Retrieves the identifier name of the default certificate.
byte[]	getSKIBytesFromCert(X509Certificate cert) Reads the SubjectKeyIdentifier information from the certificate.
X509Certificate	loadCertificate(InputStream in) Load a X509Certificate from the input stream.
protected boolean	matches(X509Certificate cert, Collection<Pattern> subjectDNPatterns)
void	setCertificateFactory(CertificateFactory certFactory) Sets the CertificateFactory instance on this Crypto instance
void	setCryptoProvider(String provider) Set the crypto provider associated with this implementation
void	setDefaultX509Identifier(String identifier) Sets the identifier name of the default certificate.
void	verifyDirectTrust(X509Certificate[] certs) Evaluate whether a given public key should be trusted directly (located

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wss4j.common.crypto.Crypto

getPrivateKey, getPrivateKey, getX509Certificates, getX509Identifier, verifyTrust, verifyTrust

Field Detail

SKI_OID

public static final String SKI_OID

See Also:

Constant Field Values

NAME_CONSTRAINTS_OID

public static final String NAME_CONSTRAINTS_OID

OID For the NameConstraints Extension to X.509 http://java.sun.com/j2se/1.4.2/docs/api/ http://www.ietf.org/rfc/rfc3280.txt (s. 4.2.1.11)

See Also:

Constant Field Values

certificateFactory

protected CertificateFactory certificateFactory

Constructor Detail

CryptoBase

protected CryptoBase()

Constructor

Method Detail

getCryptoProvider

public String getCryptoProvider()

Get the crypto provider associated with this implementation

Specified by:

getCryptoProvider in interface Crypto

Returns:

the crypto provider

setCryptoProvider

public void setCryptoProvider(String provider)

Set the crypto provider associated with this implementation

Specified by:

setCryptoProvider in interface Crypto

Parameters:

provider - the crypto provider to set

getDefaultX509Identifier

public String getDefaultX509Identifier()
                                throws WSSecurityException

Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.

Specified by:

getDefaultX509Identifier in interface Crypto

Returns:

name of the default X509 certificate.

Throws:

WSSecurityException

setDefaultX509Identifier

public void setDefaultX509Identifier(String identifier)

Sets the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. The identifier is implementation specific, e.g. it could be the KeyStore alias.

Specified by:

setDefaultX509Identifier in interface Crypto

Parameters:

identifier - name of the default X509 certificate.

setCertificateFactory

public void setCertificateFactory(CertificateFactory certFactory)

Sets the CertificateFactory instance on this Crypto instance

Specified by:

setCertificateFactory in interface Crypto

Parameters:

certFactory - the CertificateFactory the CertificateFactory instance to set

getCertificateFactory

public CertificateFactory getCertificateFactory()
                                         throws WSSecurityException

Get the CertificateFactory instance on this Crypto instance

Specified by:

getCertificateFactory in interface Crypto

Returns:

Returns a CertificateFactory to construct X509 certificates

Throws:

WSSecurityException

loadCertificate

public X509Certificate loadCertificate(InputStream in)
                                throws WSSecurityException

Load a X509Certificate from the input stream.

Specified by:

loadCertificate in interface Crypto

Parameters:

in - The InputStream containing the X509Certificate

Returns:

An X509 certificate

Throws:

WSSecurityException

getSKIBytesFromCert

public byte[] getSKIBytesFromCert(X509Certificate cert)
                           throws WSSecurityException

Reads the SubjectKeyIdentifier information from the certificate.

If the the certificate does not contain a SKI extension then try to compute the SKI according to RFC3280 using the SHA-1 hash value of the public key. The second method described in RFC3280 is not support. Also only RSA public keys are supported. If we cannot compute the SKI throw a WSSecurityException.

Specified by:

getSKIBytesFromCert in interface Crypto

Parameters:

cert - The certificate to read SKI

Returns:

The byte array containing the binary SKI data

Throws:

WSSecurityException

getBytesFromCertificates

public byte[] getBytesFromCertificates(X509Certificate[] certs)
                                throws WSSecurityException

Get a byte array given an array of X509 certificates.

Specified by:

getBytesFromCertificates in interface Crypto

Parameters:

certs - The certificates to convert

Returns:

The byte array for the certificates

Throws:

WSSecurityException

getCertificatesFromBytes

public X509Certificate[] getCertificatesFromBytes(byte[] data)
                                           throws WSSecurityException

Construct an array of X509Certificate's from the byte array.

Specified by:

getCertificatesFromBytes in interface Crypto

Parameters:

data - The byte array containing the X509 data

Returns:

An array of X509 certificates

Throws:

WSSecurityException

verifyDirectTrust

public void verifyDirectTrust(X509Certificate[] certs)
                       throws WSSecurityException

Description copied from interface: Crypto

Evaluate whether a given public key should be trusted directly (located

Specified by:

verifyDirectTrust in interface Crypto

Parameters:

certs - Certificate chain to validate

Throws:

WSSecurityException - if the certificate chain is invalid

createBCX509Name

protected Object createBCX509Name(String s)

matches

protected boolean matches(X509Certificate cert,
                          Collection<Pattern> subjectDNPatterns)

Returns:

true if the certificate's SubjectDN matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate subject DN only has to match ONE of the subject cert constraints (not all).