20 package org.apache.wss4j.dom.validate;
22 import java.security.PublicKey;
23 import java.security.cert.X509Certificate;
24 import java.util.Collection;
25 import java.util.regex.Pattern;
27 import org.apache.wss4j.common.crypto.Crypto;
28 import org.apache.wss4j.common.ext.WSSecurityException;
29 import org.apache.wss4j.dom.handler.RequestData;
public class SignatureTrustValidator implements Validator {

    private static final org.slf4j.Logger LOG =
        org.slf4j.LoggerFactory.getLogger(SignatureTrustValidator.class);

    /**
     * Validates a signing credential by establishing trust in the key material it carries.
     *
     * <p>Exactly one of two trust paths is taken, and the choice is made on the credential's
     * contents, not on the outcome of a check:
     * <ul>
     *   <li>If the credential carries a non-empty X.509 certificate array, the chain is handed
     *       to {@link #validateCertificates(X509Certificate[])} and then to
     *       {@link #verifyTrustInCerts(X509Certificate[], Crypto, RequestData, boolean)}, with
     *       revocation checking switched by {@link RequestData#isRevocationEnabled()}. Any
     *       {@link WSSecurityException} raised there propagates -- the public key is never
     *       consulted as a fallback for an untrusted chain.</li>
     *   <li>Otherwise, if the credential carries a {@link PublicKey}, it is passed to
     *       {@link #validatePublicKey(PublicKey, Crypto)}.</li>
     * </ul>
     * Both paths require the {@link Crypto} returned by {@link #getCrypto(RequestData)} to be
     * non-null. {@code data} itself is dereferenced unconditionally (here and in
     * {@code getCrypto}), so a null {@code RequestData} surfaces as a
     * {@code NullPointerException}, not a {@code WSSecurityException}.
     *
     * @param credential the credential to validate; must carry a certificate chain or a public key
     * @param data the request context supplying the Crypto instance and trust options
     * @return the same {@code credential} instance once trust has been established
     * @throws WSSecurityException {@code FAILURE} ("noCredential") if {@code credential} is null;
     *         {@code FAILURE} ("noSigCryptoFile") if no Crypto is available;
     *         {@code FAILED_AUTHENTICATION} if the credential carries neither certificates nor a
     *         public key; or whatever the trust hooks throw
     */
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        if (credential == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
        }
        X509Certificate[] chain = credential.getCertificates();
        PublicKey bareKey = credential.getPublicKey();
        Crypto trustAnchor = getCrypto(data);

        boolean hasChain = chain != null && chain.length > 0;
        if (hasChain) {
            // Order matters for overriders: the hook sees the chain before the Crypto
            // presence is checked.
            validateCertificates(chain);
            requireCrypto(trustAnchor);
            verifyTrustInCerts(chain, trustAnchor, data, data.isRevocationEnabled());
            return credential;
        }
        if (bareKey == null) {
            // Nothing to establish trust on.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        requireCrypto(trustAnchor);
        validatePublicKey(bareKey, trustAnchor);
        return credential;
    }

    /**
     * Fails fast when no Crypto is available to verify trust against.
     *
     * @param crypto the Crypto obtained from {@link #getCrypto(RequestData)}, possibly null
     * @throws WSSecurityException {@code FAILURE} ("noSigCryptoFile") if {@code crypto} is null
     */
    private static void requireCrypto(Crypto crypto) throws WSSecurityException {
        if (crypto == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
        }
    }

    /**
     * Supplies the {@link Crypto} used for trust verification. This implementation returns the
     * request's {@code getSigVerCrypto()}; override to source trust anchors from elsewhere.
     *
     * @param data the request context; dereferenced unconditionally
     * @return the request's signature-verification Crypto, which may be null
     */
    protected Crypto getCrypto(RequestData data) {
        return data.getSigVerCrypto();
    }

    /**
     * Extension hook invoked on the certificate chain before trust verification.
     *
     * <p>Intentionally a no-op in this class: nothing about the chain is inspected here.
     * NOTE(review): per-certificate validity (notBefore/notAfter) is presumably covered by
     * {@code Crypto.verifyTrust} in {@link #verifyTrustInCerts} -- confirm for the Crypto
     * implementation in use, and override here to add checks that the Crypto does not perform.
     *
     * @param certificates the chain to be validated; never empty when called from
     *        {@link #validate(Credential, RequestData)}
     * @throws WSSecurityException if an override rejects the chain
     */
    protected void validateCertificates(X509Certificate[] certificates)
        throws WSSecurityException {
        // Deliberately empty; see the trust flow described on validate().
    }

    /**
     * Establishes trust in a certificate chain against the supplied {@link Crypto}.
     *
     * <p>The subject and issuer DN constraints are read from the request
     * ({@link RequestData#getSubjectCertConstraints()} and
     * {@link RequestData#getIssuerDNPatterns()}) and forwarded, together with the revocation
     * flag, to {@code Crypto.verifyTrust}. How the constraints and the flag are enforced is up
     * to the Crypto implementation; this method only forwards them, so revocation is requested
     * only when {@code enableRevocation} is true.
     *
     * @param certificates the chain to verify; the subject of {@code certificates[0]} is the one
     *        logged on success
     * @param crypto the trust verifier, non-null
     * @param data request context supplying the DN constraints
     * @param enableRevocation whether to request revocation checking from the Crypto
     * @throws WSSecurityException propagated from {@code Crypto.verifyTrust}
     */
    protected void verifyTrustInCerts(
        X509Certificate[] certificates,
        Crypto crypto,
        RequestData data,
        boolean enableRevocation
    ) throws WSSecurityException {
        Collection<Pattern> subjectPatterns = data.getSubjectCertConstraints();
        Collection<Pattern> issuerPatterns = data.getIssuerDNPatterns();
        crypto.verifyTrust(certificates, enableRevocation, subjectPatterns, issuerPatterns);

        // Reached only if verifyTrust returned normally.
        String leafSubject = certificates[0].getSubjectX500Principal().getName();
        LOG.debug("Certificate path has been verified for certificate with subject {}", leafSubject);
    }

    /**
     * Establishes trust in a bare public key (no certificate chain available) by delegating to
     * {@code Crypto.verifyTrust(PublicKey)}.
     *
     * @param publicKey the key to check, non-null
     * @param crypto the trust verifier, non-null
     * @throws WSSecurityException propagated from {@code Crypto.verifyTrust}
     */
    protected void validatePublicKey(PublicKey publicKey, Crypto crypto)
        throws WSSecurityException {
        crypto.verifyTrust(publicKey);
    }

}