org.apache.wss4j.common.crypto

Interface Crypto

All Known Implementing Classes:

CertificateStore, CryptoBase, Merlin, MerlinAKI, MerlinDevice

public interface Crypto

Method Summary

Modifier and Type	Method and Description
byte[]	getBytesFromCertificates(X509Certificate[] certs) Get a byte array given an array of X509 certificates.
CertificateFactory	getCertificateFactory() Get the CertificateFactory instance on this Crypto instance
X509Certificate[]	getCertificatesFromBytes(byte[] data) Construct an array of X509Certificate's from the byte array.
String	getCryptoProvider() Get the crypto provider associated with this implementation
String	getDefaultX509Identifier() Retrieves the identifier name of the default certificate.
PrivateKey	getPrivateKey(String identifier, String password) Gets the private key corresponding to the identifier.
PrivateKey	getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler) Gets the private key corresponding to the certificate.
byte[]	getSKIBytesFromCert(X509Certificate cert) Reads the SubjectKeyIdentifier information from the certificate.
String	getTrustProvider() Get the crypto provider used for truststore operation associated with this implementation.
X509Certificate[]	getX509Certificates(CryptoType cryptoType) Get an X509Certificate (chain) corresponding to the CryptoType argument.
String	getX509Identifier(X509Certificate cert) Get the implementation-specific identifier corresponding to the cert parameter, e.g.
X509Certificate	loadCertificate(InputStream in) Load a X509Certificate from the input stream.
void	setCertificateFactory(CertificateFactory certFactory) Sets the CertificateFactory instance on this Crypto instance
void	setCryptoProvider(String provider) Set the crypto provider associated with this implementation
void	setDefaultX509Identifier(String identifier) Sets the identifier name of the default certificate.
void	setTrustProvider(String provider) Set the crypto provider used for truststore operations associated with this implementation
void	verifyDirectTrust(X509Certificate[] certs) Evaluate whether a given public key should be trusted directly (located
void	verifyTrust(PublicKey publicKey) Evaluate whether a given public key should be trusted.
void	verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints) Evaluate whether a given certificate chain should be trusted.

Method Detail

getCryptoProvider

String getCryptoProvider()

Get the crypto provider associated with this implementation

Returns:

the crypto provider

setCryptoProvider

void setCryptoProvider(String provider)

Set the crypto provider associated with this implementation

Parameters:

provider - the crypto provider name to set

getTrustProvider

String getTrustProvider()

Get the crypto provider used for truststore operation associated with this implementation.

Returns:

a crypto provider name

setTrustProvider

void setTrustProvider(String provider)

Set the crypto provider used for truststore operations associated with this implementation

Parameters:

provider - the name of the provider

getDefaultX509Identifier

String getDefaultX509Identifier()
                         throws WSSecurityException

Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.

Returns:

name of the default X509 certificate.

Throws:

WSSecurityException

setDefaultX509Identifier

void setDefaultX509Identifier(String identifier)

Sets the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. The identifier is implementation specific, e.g. it could be the KeyStore alias.

Parameters:

identifier - name of the default X509 certificate.

setCertificateFactory

void setCertificateFactory(CertificateFactory certFactory)

Sets the CertificateFactory instance on this Crypto instance

Parameters:

certFactory - the CertificateFactory the CertificateFactory instance to set

getCertificateFactory

CertificateFactory getCertificateFactory()
                                  throws WSSecurityException

Get the CertificateFactory instance on this Crypto instance

Returns:

Returns a CertificateFactory to construct X509 certificates

Throws:

WSSecurityException

loadCertificate

X509Certificate loadCertificate(InputStream in)
                         throws WSSecurityException

Load a X509Certificate from the input stream.

Parameters:

in - The InputStream containing the X509 data

Returns:

An X509 certificate

Throws:

WSSecurityException

getSKIBytesFromCert

byte[] getSKIBytesFromCert(X509Certificate cert)
                    throws WSSecurityException

Reads the SubjectKeyIdentifier information from the certificate.

If the the certificate does not contain a SKI extension then try to compute the SKI according to RFC3280 using the SHA-1 hash value of the public key. The second method described in RFC3280 is not support. Also only RSA public keys are supported. If we cannot compute the SKI throw a WSSecurityException.

Parameters:

cert - The certificate to read SKI

Returns:

The byte array containing the binary SKI data

Throws:

WSSecurityException

getBytesFromCertificates

byte[] getBytesFromCertificates(X509Certificate[] certs)
                         throws WSSecurityException

Get a byte array given an array of X509 certificates.

Parameters:

certs - The certificates to convert

Returns:

The byte array for the certificates

Throws:

WSSecurityException

getCertificatesFromBytes

X509Certificate[] getCertificatesFromBytes(byte[] data)
                                    throws WSSecurityException

Construct an array of X509Certificate's from the byte array.

Parameters:

data - The byte array containing the X509 data

Returns:

An array of X509 certificates

Throws:

WSSecurityException

getX509Certificates

X509Certificate[] getX509Certificates(CryptoType cryptoType)
                               throws WSSecurityException

Get an X509Certificate (chain) corresponding to the CryptoType argument. The supported types are as follows: TYPE.ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 of the (root) cert TYPE.SKI_BYTES - A certificate (chain) is located by the SKI bytes of the (root) cert TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of the (root) cert TYPE.ALIAS - A certificate (chain) is located by an alias. This alias is implementation specific, for example - it could be a java KeyStore alias.

Throws:

WSSecurityException

getX509Identifier

String getX509Identifier(X509Certificate cert)
                  throws WSSecurityException

Get the implementation-specific identifier corresponding to the cert parameter, e.g. the identifier could be a KeyStore alias.

Parameters:

cert - The X509Certificate for which to search for an identifier

Returns:

the identifier corresponding to the cert parameter

Throws:

WSSecurityException

getPrivateKey

PrivateKey getPrivateKey(X509Certificate certificate,
                         CallbackHandler callbackHandler)
                  throws WSSecurityException

Gets the private key corresponding to the certificate.

Parameters:

certificate - The X509Certificate corresponding to the private key

callbackHandler - The callbackHandler needed to get the password

Returns:

The private key

Throws:

WSSecurityException

getPrivateKey

PrivateKey getPrivateKey(String identifier,
                         String password)
                  throws WSSecurityException

Gets the private key corresponding to the identifier.

Parameters:

identifier - The implementation-specific identifier corresponding to the key

password - The password needed to get the key

Returns:

The private key

Throws:

WSSecurityException

verifyTrust

void verifyTrust(X509Certificate[] certs,
                 boolean enableRevocation,
                 Collection<Pattern> subjectCertConstraints)
          throws WSSecurityException

Evaluate whether a given certificate chain should be trusted.

Parameters:

certs - Certificate chain to validate

enableRevocation - whether to enable CRL verification or not

subjectCertConstraints - A set of constraints on the Subject DN of the certificates

Throws:

WSSecurityException - if the certificate chain is invalid

verifyDirectTrust

void verifyDirectTrust(X509Certificate[] certs)
                throws WSSecurityException

Evaluate whether a given public key should be trusted directly (located

Parameters:

certs - Certificate chain to validate

Throws:

WSSecurityException - if the certificate chain is invalid

verifyTrust

void verifyTrust(PublicKey publicKey)
          throws WSSecurityException

Evaluate whether a given public key should be trusted.

Parameters:

publicKey - The PublicKey to be evaluated

Throws:

WSSecurityException - if the PublicKey is invalid