Package org.apache.wss4j.common.crypto
Class CertificateStore
java.lang.Object
  org.apache.wss4j.common.crypto.CryptoBase
    org.apache.wss4j.common.crypto.CertificateStore

All Implemented Interfaces:
Crypto
public class CertificateStore extends CryptoBase
A Crypto implementation based on a simple array of X509Certificate(s). PrivateKeys are not supported, so this implementation cannot be used for signature creation or decryption; it serves the public-key side only, such as locating a received certificate and evaluating whether it is trusted.
Field Summary

Fields inherited from class org.apache.wss4j.common.crypto.CryptoBase:
certificateFactory, NAME_CONSTRAINTS_OID, SKI_OID
Constructor Summary

CertificateStore(X509Certificate[] trustedCerts)
    Constructor
Method Summary (all methods are concrete instance methods)

PrivateKey getPrivateKey(String identifier, String password)
    Gets the private key corresponding to the identifier. Not supported.
PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler)
    Gets the private key corresponding to the certificate. Not supported.
PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler)
    Gets the private key corresponding to the given PublicKey. Not supported.
X509Certificate[] getX509Certificates(CryptoType cryptoType)
    Get an X509Certificate (chain) corresponding to the CryptoType argument.
String getX509Identifier(X509Certificate cert)
    Get the implementation-specific identifier corresponding to the cert parameter.
protected void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints)
    Evaluate whether a given certificate chain should be trusted.
void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints)
    Evaluate whether a given certificate chain should be trusted.
void verifyTrust(PublicKey publicKey)
    Evaluate whether a given public key should be trusted.

Methods inherited from class org.apache.wss4j.common.crypto.CryptoBase
createBCX509Name, getBytesFromCertificates, getCertificateFactory, getCertificatesFromBytes, getCryptoProvider, getDefaultX509Identifier, getNameConstraints, getSKIBytesFromCert, getTrustProvider, loadCertificate, matchesIssuerDnPattern, matchesName, matchesSubjectDnPattern, setCertificateFactory, setCryptoProvider, setDefaultX509Identifier, setTrustProvider
Constructor Detail

CertificateStore

public CertificateStore(X509Certificate[] trustedCerts)

Constructor. The supplied certificates are the complete trust set for this store: lookups are resolved against them, and verifyTrust treats them as the trusted certificates.

Method Detail

getX509Certificates

public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException

Get an X509Certificate (chain) corresponding to the CryptoType argument. The supported types are as follows:
TYPE.ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number
TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 of the (root) cert
TYPE.SKI_BYTES - A certificate (chain) is located by the SKI bytes of the (root) cert
TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of the (root) cert
Note that TYPE.ALIAS is not allowed, as it doesn't have any meaning with a CertificateStore.

Throws:
WSSecurityException

getX509Identifier

public String getX509Identifier(X509Certificate cert) throws WSSecurityException

Get the implementation-specific identifier corresponding to the cert parameter. In this case, the identifier refers to the subject DN.

Parameters:
cert - The X509Certificate for which to search for an identifier
Returns:
the identifier corresponding to the cert parameter
Throws:
WSSecurityException

getPrivateKey

public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler) throws WSSecurityException

Gets the private key corresponding to the certificate. Not supported: a CertificateStore holds no private keys, so this method cannot return one and fails with a WSSecurityException.

Parameters:
certificate - The X509Certificate corresponding to the private key
callbackHandler - The callbackHandler needed to get the password
Returns:
The private key
Throws:
WSSecurityException

getPrivateKey

public PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler) throws WSSecurityException

Gets the private key corresponding to the given PublicKey. Not supported, for the same reason as the other getPrivateKey methods: this implementation holds no private keys.

Parameters:
publicKey - The PublicKey corresponding to the private key
callbackHandler - The callbackHandler needed to get the password
Returns:
The private key
Throws:
WSSecurityException

getPrivateKey

public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException

Gets the private key corresponding to the identifier. Not supported: this implementation holds no private keys, so the call fails with a WSSecurityException.

Parameters:
identifier - The implementation-specific identifier corresponding to the key
password - The password needed to get the key
Returns:
The private key
Throws:
WSSecurityException

verifyTrust

protected void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints) throws WSSecurityException

Evaluate whether a given certificate chain should be trusted.

Parameters:
certs - Certificate chain to validate
enableRevocation - whether to enable CRL verification or not
subjectCertConstraints - A set of constraints on the Subject DN of the certificates
Throws:
WSSecurityException - if the certificate chain is invalid

verifyTrust

public void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints) throws WSSecurityException

Description copied from interface: Crypto

Evaluate whether a given certificate chain should be trusted.

Parameters:
certs - Certificate chain to validate
enableRevocation - whether to enable CRL verification or not
subjectCertConstraints - A set of constraints on the Subject DN of the certificates
issuerCertConstraints - A set of constraints on the Issuer DN of the certificates
Throws:
WSSecurityException - if the certificate chain is invalid

verifyTrust

public void verifyTrust(PublicKey publicKey) throws WSSecurityException

Evaluate whether a given public key should be trusted.

Parameters:
publicKey - The PublicKey to be evaluated
Throws:
WSSecurityException - if the PublicKey is invalid
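
How a caller uses this class end to end, as an added example that is not part of WSS4J or of this page: it loads the trusted certificates from a keystore into a CertificateStore, resolves a certificate through each of the four CryptoType lookups described under getX509Certificates, and then evaluates a received chain with the four-argument verifyTrust under Subject and Issuer DN constraints. The trust store name truststore.p12, its password, and the DN patterns are assumptions, and the helper names loadTrustedCerts, find and isTrusted belong to the example, not to the library.

```java
// Added example, not part of WSS4J or this page. The trust store path, its
// password and the DN patterns are hypothetical placeholders.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.wss4j.common.crypto.CertificateStore;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;

public class CertificateStoreExample {

    /** Collect the trusted-certificate entries of a keystore; key entries are ignored. */
    static X509Certificate[] loadTrustedCerts(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // assumption: a PKCS#12 trust store
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (ks.isCertificateEntry(alias) && c instanceof X509Certificate) {
                certs.add((X509Certificate) c);
            }
        }
        return certs.toArray(new X509Certificate[0]);
    }

    /** Resolve a certificate by each CryptoType the store supports; TYPE.ALIAS is rejected. */
    static X509Certificate[] find(CertificateStore store, CryptoType.TYPE type, X509Certificate ref)
            throws Exception {
        CryptoType query = new CryptoType(type);
        switch (type) {
            case SUBJECT_DN:
                query.setSubjectDN(ref.getSubjectX500Principal().getName());
                break;
            case ISSUER_SERIAL:
                query.setIssuerSerial(ref.getIssuerX500Principal().getName(), ref.getSerialNumber());
                break;
            case THUMBPRINT_SHA1:
                // The thumbprint is the SHA-1 of the DER-encoded certificate.
                query.setThumbprint(MessageDigest.getInstance("SHA-1").digest(ref.getEncoded()));
                break;
            case SKI_BYTES:
                // Inherited from CryptoBase; throws if the cert carries no SKI extension.
                query.setSkiBytes(store.getSKIBytesFromCert(ref));
                break;
            default:
                throw new IllegalArgumentException("unsupported lookup type: " + type);
        }
        return store.getX509Certificates(query);
    }

    /** Trust decision: the chain must anchor in the store and satisfy the DN constraints. */
    static boolean isTrusted(CertificateStore store, X509Certificate[] chain, boolean checkRevocation) {
        Collection<Pattern> subjectConstraints =
            Collections.singletonList(Pattern.compile(".*O=Example Corp.*"));   // hypothetical
        Collection<Pattern> issuerConstraints =
            Collections.singletonList(Pattern.compile("CN=Example Root CA.*")); // hypothetical
        try {
            store.verifyTrust(chain, checkRevocation, subjectConstraints, issuerConstraints);
            return true;
        } catch (WSSecurityException e) {
            // Not anchored in trustedCerts, revoked (if checked), or a DN constraint failed.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] trusted = loadTrustedCerts("truststore.p12", "changeit".toCharArray());
        CertificateStore store = new CertificateStore(trusted);

        // Stand-in for a certificate received in a message: reuse the first trusted cert.
        X509Certificate received = trusted[0];
        System.out.println("identifier (subject DN): " + store.getX509Identifier(received));

        for (CryptoType.TYPE type : new CryptoType.TYPE[] {
                CryptoType.TYPE.SUBJECT_DN, CryptoType.TYPE.ISSUER_SERIAL,
                CryptoType.TYPE.THUMBPRINT_SHA1, CryptoType.TYPE.SKI_BYTES }) {
            X509Certificate[] hit = find(store, type, received);
            boolean found = hit != null && hit.length > 0;
            System.out.println(type + " -> " + (found ? hit[0].getSubjectX500Principal() : "no match"));
        }

        System.out.println("trusted: " + isTrusted(store, new X509Certificate[] { received }, false));

        // No private keys here: signing or decryption needs a different Crypto.
        try {
            store.getPrivateKey(received, null);
        } catch (WSSecurityException e) {
            System.out.println("getPrivateKey rejected: " + e.getMessage());
        }
    }
}
```

Two points a deployment should keep in mind. Because every getPrivateKey variant fails, a service that also signs or decrypts must be configured with a second Crypto that holds its private keys; CertificateStore covers only the verification side. And passing false for enableRevocation disables CRL verification, so a chain whose certificate has been revoked but is otherwise valid and anchored in trustedCerts is still accepted; enable it, or perform revocation checking elsewhere, when the trusted set is a CA rather than a fixed list of end-entity certificates.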