org.opensaml.xml.security.x509

Class CertPathPKIXTrustEvaluator

java.lang.Object

org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator

All Implemented Interfaces:

PKIXTrustEvaluator

public class CertPathPKIXTrustEvaluator
extends Object
implements PKIXTrustEvaluator

An implementation of PKIXTrustEvaluator that is based on the Java CertPath API.

Field Summary

Fields

Modifier and Type	Field and Description
private Logger	log Class logger.
private PKIXValidationOptions	options Options influencing processing behavior.
private X500DNHandler	x500DNHandler Responsible for parsing and serializing X.500 names to/from X500Principal instances.

Constructor Summary

Constructors

Constructor and Description
CertPathPKIXTrustEvaluator() Constructor.
CertPathPKIXTrustEvaluator(PKIXValidationOptions newOptions) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	addCRLsToStoreMaterial(List<Object> storeMaterial, Collection<X509CRL> crls, Date now) Add CRL's from the specified collection to the list of certs and CRL's being collected for the CertStore.
protected CertStore	buildCertStore(PKIXValidationInformation validationInfo, X509Credential untrustedCredential) Creates the certificate store that will be used during validation.
protected TrustAnchor	buildTrustAnchor(X509Certificate cert) Build a trust anchor from the given X509 certificate.
protected Integer	getEffectiveVerificationDepth(PKIXValidationInformation validationInfo) Get the effective maximum path depth to use when constructing PKIX cert path builder parameters.
protected PKIXBuilderParameters	getPKIXBuilderParameters(PKIXValidationInformation validationInfo, X509Credential untrustedCredential) Creates the set of PKIX builder parameters to use when building the cert path builder.
PKIXValidationOptions	getPKIXValidationOptions() Get the PKIXValidationOptions instance that is in use.
protected Set<TrustAnchor>	getTrustAnchors(PKIXValidationInformation validationInfo) Creates the collection of trust anchors to use during validation.
X500DNHandler	getX500DNHandler() Get the handler which process X.500 distinguished names.
private void	logCertPathDebug(PKIXCertPathBuilderResult buildResult, X509Certificate targetCert) Log information from the constructed cert path at level debug.
void	setPKIXValidationOptions(PKIXValidationOptions newOptions) Set the desired PKIX validation options set.
void	setX500DNHandler(X500DNHandler handler) Set the handler which process X.500 distinguished names.
protected boolean	storeContainsCRLs(CertStore certStore) Determine whether there are any CRL's in the CertStore that is to be used.
boolean	validate(PKIXValidationInformation validationInfo, X509Credential untrustedCredential) Validate the specified credential against the specified set of trusted validation information.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final Logger log

Class logger.

x500DNHandler

private X500DNHandler x500DNHandler

Responsible for parsing and serializing X.500 names to/from X500Principal instances.

options

private PKIXValidationOptions options

Options influencing processing behavior.

Constructor Detail

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator()

Constructor.

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator(PKIXValidationOptions newOptions)

Constructor.

Parameters:

newOptions - PKIX validation options

Method Detail

getPKIXValidationOptions

public PKIXValidationOptions getPKIXValidationOptions()

Get the PKIXValidationOptions instance that is in use.

Specified by:

getPKIXValidationOptions in interface PKIXTrustEvaluator

Returns:

the PKIXValidationOptions instance

setPKIXValidationOptions

public void setPKIXValidationOptions(PKIXValidationOptions newOptions)

Set the desired PKIX validation options set.

Parameters:

newOptions - the new set of options

getX500DNHandler

public X500DNHandler getX500DNHandler()

Get the handler which process X.500 distinguished names. Defaults to InternalX500DNHandler.

Returns:

returns the X500DNHandler instance

setX500DNHandler

public void setX500DNHandler(X500DNHandler handler)

Set the handler which process X.500 distinguished names. Defaults to InternalX500DNHandler.

Parameters:

handler - the new X500DNHandler instance

validate

public boolean validate(PKIXValidationInformation validationInfo,
               X509Credential untrustedCredential)
                 throws SecurityException

Validate the specified credential against the specified set of trusted validation information.

Specified by:

validate in interface PKIXTrustEvaluator

Parameters:

validationInfo - the set of trusted validation information

untrustedCredential - the credential being evaluated

Returns:

true if the credential can be successfully evaluated, false otherwise

Throws:

SecurityException - thrown if there is an error evaluating the credential

getPKIXBuilderParameters

protected PKIXBuilderParameters getPKIXBuilderParameters(PKIXValidationInformation validationInfo,
                                             X509Credential untrustedCredential)
                                                  throws GeneralSecurityException

Creates the set of PKIX builder parameters to use when building the cert path builder.

Parameters:

validationInfo - PKIX validation information

untrustedCredential - credential to be validated

Returns:

PKIX builder params

Throws:

GeneralSecurityException - thrown if the parameters can not be created

storeContainsCRLs

protected boolean storeContainsCRLs(CertStore certStore)

Determine whether there are any CRL's in the CertStore that is to be used.

Parameters:

certStore - the cert store that will be used for validation

Returns:

true if the store contains at least 1 CRL instance, false otherwise

getEffectiveVerificationDepth

protected Integer getEffectiveVerificationDepth(PKIXValidationInformation validationInfo)

Get the effective maximum path depth to use when constructing PKIX cert path builder parameters.

Parameters:

validationInfo - PKIX validation information

Returns:

the effective max verification depth to use

getTrustAnchors

protected Set<TrustAnchor> getTrustAnchors(PKIXValidationInformation validationInfo)

Creates the collection of trust anchors to use during validation.

Parameters:

validationInfo - PKIX validation information

Returns:

trust anchors to use during validation

buildTrustAnchor

protected TrustAnchor buildTrustAnchor(X509Certificate cert)

Build a trust anchor from the given X509 certificate. This could for example be extended by subclasses to add custom name constraints, if desired.

Parameters:

cert - the certificate which serves as the trust anchor

Returns:

the newly constructed TrustAnchor

buildCertStore

protected CertStore buildCertStore(PKIXValidationInformation validationInfo,
                       X509Credential untrustedCredential)
                            throws GeneralSecurityException

Creates the certificate store that will be used during validation.

Parameters:

validationInfo - PKIX validation information

untrustedCredential - credential to be validated

Returns:

certificate store used during validation

Throws:

GeneralSecurityException - thrown if the certificate store can not be created from the cert and CRL material

addCRLsToStoreMaterial

protected void addCRLsToStoreMaterial(List<Object> storeMaterial,
                          Collection<X509CRL> crls,
                          Date now)

Add CRL's from the specified collection to the list of certs and CRL's being collected for the CertStore.

Parameters:

storeMaterial - list of certs and CRL's to be updated.

crls - collection of CRL's to be processed

now - current date/time

logCertPathDebug

private void logCertPathDebug(PKIXCertPathBuilderResult buildResult,
                    X509Certificate targetCert)

Log information from the constructed cert path at level debug.

Parameters:

buildResult - the PKIX cert path builder result containing the cert path and trust anchor

targetCert - the cert untrusted certificate that was being evaluated