Package org.apache.wss4j.common.crypto
Class Merlin
- java.lang.Object
  - org.apache.wss4j.common.crypto.CryptoBase
    - org.apache.wss4j.common.crypto.Merlin
- All Implemented Interfaces: Crypto
- Direct Known Subclasses: MerlinAKI, MerlinDevice
public class Merlin extends CryptoBase
A Crypto implementation based on two Java KeyStore objects, one being the keystore, and one being the truststore.
Field Summary
protected CertStore crlCertStore
static String CRYPTO_CERT_PROVIDER
static String CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS
static String CRYPTO_KEYSTORE_PROVIDER
static String ENCRYPTED_PASSWORD_PREFIX
static String ENCRYPTED_PASSWORD_SUFFIX
protected KeyStore keystore
static String KEYSTORE_ALIAS
static String KEYSTORE_FILE
static String KEYSTORE_PASSWORD
static String KEYSTORE_PRIVATE_KEY_CACHING
static String KEYSTORE_PRIVATE_PASSWORD
static String KEYSTORE_TYPE
static String LOAD_CA_CERTS
protected boolean loadCACerts
static String OLD_KEYSTORE_FILE
static String OLD_PREFIX
protected PasswordEncryptor passwordEncryptor
static String PREFIX
protected boolean privatePasswordSet
protected Properties properties
protected KeyStore truststore
static String TRUSTSTORE_FILE
static String TRUSTSTORE_PASSWORD
static String TRUSTSTORE_PROVIDER
static String TRUSTSTORE_TYPE
static String X509_CRL_FILE

Fields inherited from class org.apache.wss4j.common.crypto.CryptoBase
certificateFactory, NAME_CONSTRAINTS_OID, SKI_OID

Constructor Summary
Merlin()
Merlin(boolean loadCACerts, String cacertsPasswd)
Merlin(Properties properties, ClassLoader loader, PasswordEncryptor passwordEncryptor)

Method Summary
protected void addTrustAnchors(Set<TrustAnchor> set, KeyStore keyStore)
    Adds TrustAnchors found in the provided key store to the set.
void clearCache()
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation)
protected String decryptPassword(String password, PasswordEncryptor passwordEncryptor)
CertificateFactory getCertificateFactory()
    Singleton certificate factory for this Crypto instance.
CertStore getCRLCertStore()
    Get the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
String getDefaultX509Identifier()
    Retrieves the identifier name of the default certificate.
KeyStore getKeyStore()
    Gets the Keystore that was loaded.
PrivateKey getPrivateKey(String identifier, String password)
    Gets the private key corresponding to the identifier.
PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler)
    Gets the private key corresponding to the certificate.
PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler)
    Gets the private key corresponding to the given PublicKey.
KeyStore getTrustStore()
    Gets the trust store that was loaded by the underlying implementation.
X509Certificate[] getX509Certificates(CryptoType cryptoType)
    Get an X509Certificate (chain) corresponding to the CryptoType argument.
String getX509Identifier(X509Certificate cert)
    Get the implementation-specific identifier corresponding to the cert parameter.
boolean isEnablePrivateKeyCaching()
protected KeyStore load(InputStream input, String storepass, String provider, String type)
    Loads the keystore from an InputStream.
static InputStream loadInputStream(ClassLoader loader, String location)
    Load a KeyStore object as an InputStream, using the ClassLoader and location arguments.
void loadProperties(Properties properties, ClassLoader loader, PasswordEncryptor passwordEncryptor)
void setCRLCertStore(CertStore crlCertStore)
    Set the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
void setEnablePrivateKeyCaching(boolean enablePrivateKeyCaching)
void setKeyStore(KeyStore keyStore)
    Set the Keystore on this Crypto instance.
void setPasswordEncryptor(PasswordEncryptor passwordEncryptor)
void setTrustStore(KeyStore trustStore)
    Set the trust store on this Crypto instance.
protected void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints)
    Evaluate whether a given certificate chain should be trusted.
void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints)
    Evaluate whether a given certificate chain should be trusted.
void verifyTrust(PublicKey publicKey)
    Evaluate whether a given public key should be trusted.

Methods inherited from class org.apache.wss4j.common.crypto.CryptoBase
createBCX509Name, getBytesFromCertificates, getCertificatesFromBytes, getCryptoProvider, getNameConstraints, getSKIBytesFromCert, getTrustProvider, loadCertificate, matchesIssuerDnPattern, matchesName, matchesSubjectDnPattern, setCertificateFactory, setCryptoProvider, setDefaultX509Identifier, setTrustProvider

Field Detail
public static final String ENCRYPTED_PASSWORD_PREFIX (See Also: Constant Field Values)
public static final String ENCRYPTED_PASSWORD_SUFFIX (See Also: Constant Field Values)
public static final String PREFIX (See Also: Constant Field Values)
public static final String OLD_PREFIX (See Also: Constant Field Values)
public static final String OLD_KEYSTORE_FILE (See Also: Constant Field Values)
public static final String CRYPTO_KEYSTORE_PROVIDER (See Also: Constant Field Values)
public static final String CRYPTO_CERT_PROVIDER (See Also: Constant Field Values)
public static final String CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS (See Also: Constant Field Values)
public static final String KEYSTORE_FILE (See Also: Constant Field Values)
public static final String KEYSTORE_PASSWORD (See Also: Constant Field Values)
public static final String KEYSTORE_TYPE (See Also: Constant Field Values)
public static final String KEYSTORE_ALIAS (See Also: Constant Field Values)
public static final String KEYSTORE_PRIVATE_PASSWORD (See Also: Constant Field Values)
public static final String KEYSTORE_PRIVATE_KEY_CACHING (See Also: Constant Field Values)
public static final String LOAD_CA_CERTS (See Also: Constant Field Values)
public static final String TRUSTSTORE_FILE (See Also: Constant Field Values)
public static final String TRUSTSTORE_PASSWORD (See Also: Constant Field Values)
public static final String TRUSTSTORE_TYPE (See Also: Constant Field Values)
public static final String TRUSTSTORE_PROVIDER (See Also: Constant Field Values)
public static final String X509_CRL_FILE (See Also: Constant Field Values)
protected Properties properties
protected KeyStore keystore
protected KeyStore truststore
protected CertStore crlCertStore
protected boolean loadCACerts
protected boolean privatePasswordSet
protected PasswordEncryptor passwordEncryptor

Constructor Detail
public Merlin()
public Merlin(boolean loadCACerts, String cacertsPasswd)
public Merlin(Properties properties, ClassLoader loader, PasswordEncryptor passwordEncryptor) throws WSSecurityException, IOException
    Throws: WSSecurityException, IOException

Method Detail

loadProperties
public void loadProperties(Properties properties, ClassLoader loader, PasswordEncryptor passwordEncryptor) throws WSSecurityException, IOException
    Throws: WSSecurityException, IOException

loadInputStream
public static InputStream loadInputStream(ClassLoader loader, String location) throws WSSecurityException, IOException
    Load a KeyStore object as an InputStream, using the ClassLoader and location arguments.
    Throws: WSSecurityException, IOException

load
protected KeyStore load(InputStream input, String storepass, String provider, String type) throws WSSecurityException
    Loads the keystore from an InputStream.
    Parameters:
        input - InputStream to read from
    Throws: WSSecurityException

getKeyStore
public KeyStore getKeyStore()
    Gets the Keystore that was loaded.
    Returns: the Keystore

setKeyStore
public void setKeyStore(KeyStore keyStore)
    Set the Keystore on this Crypto instance.
    Parameters:
        keyStore - the Keystore to set

getTrustStore
public KeyStore getTrustStore()
    Gets the trust store that was loaded by the underlying implementation.
    Returns: the trust store

setTrustStore
public void setTrustStore(KeyStore trustStore)
    Set the trust store on this Crypto instance.
    Parameters:
        trustStore - the trust store to set

setCRLCertStore
public void setCRLCertStore(CertStore crlCertStore)
    Set the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
    Parameters:
        crlCertStore - the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.

getCRLCertStore
public CertStore getCRLCertStore()
    Get the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
    Returns: the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.

getCertificateFactory
public CertificateFactory getCertificateFactory() throws WSSecurityException
    Singleton certificate factory for this Crypto instance.
    Specified by: getCertificateFactory in interface Crypto
    Overrides: getCertificateFactory in class CryptoBase
    Returns: a CertificateFactory to construct X509 certificates
    Throws: WSSecurityException

getDefaultX509Identifier
public String getDefaultX509Identifier() throws WSSecurityException
    Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.
    Specified by: getDefaultX509Identifier in interface Crypto
    Overrides: getDefaultX509Identifier in class CryptoBase
    Returns: name of the default X509 certificate.
    Throws: WSSecurityException

getX509Certificates
public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException
    Get an X509Certificate (chain) corresponding to the CryptoType argument. The supported types are as follows:
        TYPE.ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number
        TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 of the (root) cert
        TYPE.SKI_BYTES - A certificate (chain) is located by the SKI bytes of the (root) cert
        TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of the (root) cert
        TYPE.ALIAS - A certificate (chain) is located by an alias, which for this implementation means an alias of the keystore or truststore.
    Throws: WSSecurityException

getX509Identifier
public String getX509Identifier(X509Certificate cert) throws WSSecurityException
    Get the implementation-specific identifier corresponding to the cert parameter. In this case, the identifier corresponds to a KeyStore alias.
    Parameters:
        cert - The X509Certificate for which to search for an identifier
    Returns: the identifier corresponding to the cert parameter
    Throws: WSSecurityException

getPrivateKey
public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler) throws WSSecurityException
    Gets the private key corresponding to the certificate.
    Parameters:
        certificate - The X509Certificate corresponding to the private key
        callbackHandler - The callbackHandler needed to get the password
    Returns: The private key
    Throws: WSSecurityException

getPrivateKey
public PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler) throws WSSecurityException
    Gets the private key corresponding to the given PublicKey.
    Parameters:
        publicKey - The PublicKey corresponding to the private key
        callbackHandler - The callbackHandler needed to get the password
    Returns: The private key
    Throws: WSSecurityException

getPrivateKey
public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException
    Gets the private key corresponding to the identifier.
    Parameters:
        identifier - The implementation-specific identifier corresponding to the key
        password - The password needed to get the key
    Returns: The private key
    Throws: WSSecurityException

verifyTrust
protected void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints) throws WSSecurityException
    Evaluate whether a given certificate chain should be trusted.
    Parameters:
        certs - Certificate chain to validate
        enableRevocation - whether to enable CRL verification or not
        subjectCertConstraints - A set of constraints on the Subject DN of the certificates
    Throws: WSSecurityException - if the certificate chain is invalid

verifyTrust
public void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints) throws WSSecurityException
    Description copied from interface: Crypto
    Evaluate whether a given certificate chain should be trusted.
    Parameters:
        certs - Certificate chain to validate
        enableRevocation - whether to enable CRL verification or not
        subjectCertConstraints - A set of constraints on the Subject DN of the certificates
        issuerCertConstraints - A set of constraints on the Issuer DN of the certificates
    Throws: WSSecurityException - if the certificate chain is invalid

createPKIXParameters
protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation) throws InvalidAlgorithmParameterException

verifyTrust
public void verifyTrust(PublicKey publicKey) throws WSSecurityException
    Evaluate whether a given public key should be trusted.
    Parameters:
        publicKey - The PublicKey to be evaluated
    Throws: WSSecurityException - if the PublicKey is invalid

addTrustAnchors
protected void addTrustAnchors(Set<TrustAnchor> set, KeyStore keyStore) throws KeyStoreException, WSSecurityException
    Adds TrustAnchors found in the provided key store to the set. When the Trust Anchors are constructed, the value of the CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS property will be checked. If it has been set to true, then NameConstraints will be added to their Trust Anchors; if unset or set to false, the Name Constraints will be nulled out on their Trust Anchors. The default Sun PKIX Path Validator does not support Name Constraints on Trust Anchors and will throw an InvalidAlgorithmParameterException if they are provided. Other implementations may also be unsafe.
    Parameters:
        set - the set to which to add the TrustAnchors
        keyStore - the store to search for X509Certificates
    Throws:
        KeyStoreException - if a problem occurs accessing the keyStore
        WSSecurityException

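The trust evaluation documented above, as an added example that is not part of the WSS4J project or this reference: it wires a Merlin to a keystore and a separate truststore through the constants listed on this page, registers a CRL so that enableRevocation has something to consult, and applies Subject and Issuer DN constraints via the public four-argument verifyTrust. The class name MerlinTrustCheck, the file names, passwords and DN patterns are placeholders; forming property keys as PREFIX + constant is assumed from Merlin's loadProperties implementation rather than stated on this page.

```java
import java.io.InputStream;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;

public final class MerlinTrustCheck {

    // Property keys are PREFIX + constant (assumed from Merlin.loadProperties); paths and passwords are placeholders.
    static Merlin buildMerlin() throws Exception {
        Properties props = new Properties();
        props.setProperty(Merlin.PREFIX + Merlin.KEYSTORE_FILE, "service-keystore.jks");
        props.setProperty(Merlin.PREFIX + Merlin.KEYSTORE_PASSWORD, "keystore-password-placeholder");
        props.setProperty(Merlin.PREFIX + Merlin.TRUSTSTORE_FILE, "partner-truststore.jks");
        props.setProperty(Merlin.PREFIX + Merlin.TRUSTSTORE_PASSWORD, "truststore-password-placeholder");
        // Keep the JDK cacerts out of the trust set so only the partner CAs in the truststore can anchor a chain.
        props.setProperty(Merlin.PREFIX + Merlin.LOAD_CA_CERTS, "false");
        // CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS is left unset: the default Sun PKIX validator rejects
        // trust anchors carrying name constraints, so Merlin nulls them out unless told the provider copes.
        // No PasswordEncryptor is needed because the passwords above are not ENC(...)-wrapped.
        return new Merlin(props, MerlinTrustCheck.class.getClassLoader(), null);
    }

    // Registers a CRL (DER or PEM) so that verifyTrust(..., enableRevocation=true, ...) can consult it.
    static void registerCrl(Merlin merlin, InputStream crlStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl = (X509CRL) cf.generateCRL(crlStream);
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl)));
        merlin.setCRLCertStore(store);
    }

    // True only if the chain builds to a truststore anchor, passes CRL checking, and matches the DN policy.
    static boolean isTrusted(Merlin merlin, X509Certificate[] chain) {
        List<Pattern> subjectConstraints = Collections.singletonList(Pattern.compile(".*O=Example Partner.*"));
        List<Pattern> issuerConstraints = Collections.singletonList(Pattern.compile(".*CN=Example Partner CA.*"));
        try {
            merlin.verifyTrust(chain, true, subjectConstraints, issuerConstraints);
            return true;
        } catch (WSSecurityException e) {
            return false;  // any failure (no anchor, revoked, DN mismatch) is treated as untrusted
        }
    }
}
```

Because verifyTrust signals every failure as a WSSecurityException, the caller should log the exception message before returning false so that a revoked certificate and a DN-policy mismatch remain distinguishable in the audit trail.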
decryptPassword
protected String decryptPassword(String password, PasswordEncryptor passwordEncryptor)

setPasswordEncryptor
public void setPasswordEncryptor(PasswordEncryptor passwordEncryptor)

clearCache
public void clearCache()

isEnablePrivateKeyCaching
public boolean isEnablePrivateKeyCaching()

setEnablePrivateKeyCaching
public void setEnablePrivateKeyCaching(boolean enablePrivateKeyCaching)