Class BasicX509CredentialNameEvaluator

  • All Implemented Interfaces:
    X509CredentialNameEvaluator

    public class BasicX509CredentialNameEvaluator
    extends Object
    implements X509CredentialNameEvaluator
    A basic implementation of X509CredentialNameEvaluator which evaluates various identifiers extracted from an X509Credential's entity certificate against a set of trusted names.

    Supported types of entity certificate-derived names for name checking purposes are:

    1. Subject alternative names.
    2. The first (i.e. most specific) common name (CN) from the subject distinguished name.
    3. The complete subject distinguished name.

    Name checking is enabled by default for all of the supported name types. The types of subject alternative names to process are specified by using the appropriate constant values defined in X509Support. By default the following types of subject alternative names are checked: DNS (X509Support.DNS_ALT_NAME) and URI (X509Support.URI_ALT_NAME).

    The subject distinguished name from the entity certificate is compared to the trusted key names for complete DN matching purposes by parsing each trusted key name into an X500Principal as returned by the configured instance of X500DNHandler. The resulting distinguished name is then compared with the certificate subject using X500Principal.equals(Object). The default X500DNHandler used is InternalX500DNHandler.

    • Field Detail

      • log

        private final org.slf4j.Logger log
        Class logger.
      • checkSubjectAltNames

        private boolean checkSubjectAltNames
        Flag as to whether to perform name checking using credential's subject alt names.
      • checkSubjectDNCommonName

        private boolean checkSubjectDNCommonName
        Flag as to whether to perform name checking using credential's subject DN's common name (CN).
      • checkSubjectDN

        private boolean checkSubjectDN
        Flag as to whether to perform name checking using credential's subject DN.
      • subjectAltNameTypes

        private Set<Integer> subjectAltNameTypes
        The set of types of subject alternative names to process.
      • x500DNHandler

        private X500DNHandler x500DNHandler
        Responsible for parsing and serializing X.500 names to/from X500Principal instances.
    • Constructor Detail

      • BasicX509CredentialNameEvaluator

        public BasicX509CredentialNameEvaluator()
        Constructor.
    • Method Detail

      • isNameCheckingActive

        public boolean isNameCheckingActive()
        Gets whether any of the supported name type checking is currently enabled.
        Returns:
        true if any of the supported name type checking categories is currently enabled, false otherwise
      • getSubjectAltNameTypes

        @Nonnull
        @NonnullElements
        @NotLive
        @Unmodifiable
        public Set<Integer> getSubjectAltNameTypes()
        Get the set of types of subject alternative names to process. Name types are represented using the constant OID tag name values defined in X509Support.
        Returns:
        the immutable set of alt name identifiers
      • setSubjectAltNameTypes

        public void setSubjectAltNameTypes(@Nullable @NonnullElements
                                           Set<Integer> nameTypes)
        Set the set of types of subject alternative names to process. Name types are represented using the constant OID tag name values defined in X509Support.
        Parameters:
        nameTypes - the new set of alt name identifiers
      • checkSubjectAltNames

        public boolean checkSubjectAltNames()
        Gets whether to check the credential's entity certificate subject alt names against the trusted key name values.
        Returns:
        whether to check the credential's entity certificate subject alt names against the trusted key names
      • setCheckSubjectAltNames

        public void setCheckSubjectAltNames(boolean check)
        Sets whether to check the credential's entity certificate subject alt names against the trusted key name values.
        Parameters:
        check - whether to check the credential's entity certificate subject alt names against the trusted key names
      • checkSubjectDNCommonName

        public boolean checkSubjectDNCommonName()
        Gets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.
        Returns:
        whether to check the credential's entity certificate subject DN's CN against the trusted key names
      • setCheckSubjectDNCommonName

        public void setCheckSubjectDNCommonName(boolean check)
        Sets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.
        Parameters:
        check - whether to check the credential's entity certificate subject DN's CN against the trusted key names
      • checkSubjectDN

        public boolean checkSubjectDN()
        Gets whether to check the credential's entity certificate subject DN against the trusted key name values.
        Returns:
        whether to check the credential's entity certificate subject DN against the trusted key names
      • setCheckSubjectDN

        public void setCheckSubjectDN(boolean check)
        Sets whether to check the credential's entity certificate subject DN against the trusted key name values.
        Parameters:
        check - whether to check the credential's entity certificate subject DN against the trusted key names
      • getX500DNHandler

        @Nonnull
        public X500DNHandler getX500DNHandler()
        Get the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
        Returns:
        returns the X500DNHandler instance
      • setX500DNHandler

        public void setX500DNHandler(@Nonnull
                                     X500DNHandler handler)
        Set the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
        Parameters:
        handler - the new X500DNHandler instance
      • evaluate

        public boolean evaluate(@Nonnull
                                X509Credential credential,
                                @Nullable
                                Set<String> trustedNames)
                         throws SecurityException
        Evaluate the specified credential against the specified set of trusted names.

        The types of names supported, and the manner in which they are evaluated, is implementation-specific.

        If the set of trusted names is null or empty, or if no supported name types are configured to be checked, then the evaluation is considered successful.

        Specified by:
        evaluate in interface X509CredentialNameEvaluator
        Parameters:
        credential - the X.509 credential to evaluate
        trustedNames - trusted names against which the credential will be evaluated
        Returns:
        true if the name evaluation succeeds, false otherwise
        Throws:
        SecurityException - thrown if there is an error during name evaluation
      • processNameChecks

        protected boolean processNameChecks(@Nonnull
                                            X509Credential credential,
                                            @Nonnull
                                            Set<String> trustedNames)
        Process any name checks that are enabled.
        Parameters:
        credential - the credential for the entity to validate
        trustedNames - trusted names against which the credential will be evaluated
        Returns:
        true iff the name check succeeds
      • processSubjectDNCommonName

        protected boolean processSubjectDNCommonName(@Nonnull
                                                     X509Certificate certificate,
                                                     @Nonnull
                                                     Set<String> trustedNames)
        Process name checking for a certificate subject DN's common name.
        Parameters:
        certificate - the certificate to process
        trustedNames - the set of trusted names
        Returns:
        true if the subject DN common name matches the set of trusted names, false otherwise
      • processSubjectDN

        protected boolean processSubjectDN(@Nonnull
                                           X509Certificate certificate,
                                           @Nonnull
                                           Set<String> trustedNames)
        Process name checking for the certificate subject DN.
        Parameters:
        certificate - the certificate to process
        trustedNames - the set of trusted names
        Returns:
        true if the subject DN matches the set of trusted names, false otherwise
      • processSubjectAltNames

        protected boolean processSubjectAltNames(@Nonnull
                                                 X509Certificate certificate,
                                                 @Nonnull
                                                 Set<String> trustedNames)
        Process name checking for the subject alt names within the certificate.
        Parameters:
        certificate - the certificate to process
        trustedNames - the set of trusted names
        Returns:
        true if one of the subject alt names matches the set of trusted names, false otherwise
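The following is an added usage example, not code from the OpenSAML project, showing how the configuration described in the class overview and the evaluate contract fit together: the evaluator is restricted to DNS subject alternative names plus the complete subject DN, and because evaluate returns true when the trusted-name set is null or empty, the caller refuses that case itself rather than letting the check pass by default. The certificate path and the trusted names are placeholders; the OpenSAML 3+ package names are assumed.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;

public final class NameCheckExample {

    // Check DNS SANs and the full subject DN; leave the CN-only match off,
    // since a bare CN is the least specific of the three supported name types.
    static BasicX509CredentialNameEvaluator buildEvaluator() {
        BasicX509CredentialNameEvaluator evaluator = new BasicX509CredentialNameEvaluator();
        evaluator.setSubjectAltNameTypes(Set.of(X509Support.DNS_ALT_NAME));
        evaluator.setCheckSubjectAltNames(true);
        evaluator.setCheckSubjectDNCommonName(false);
        evaluator.setCheckSubjectDN(true);
        return evaluator;
    }

    // evaluate() reports success for a null/empty trusted-name set and when no
    // name type is enabled; both are rejected here so the check cannot pass vacuously.
    static boolean nameMatches(X509Certificate cert, Set<String> trustedNames) throws SecurityException {
        if (trustedNames == null || trustedNames.isEmpty()) {
            throw new IllegalArgumentException("trusted names must not be empty");
        }
        BasicX509CredentialNameEvaluator evaluator = buildEvaluator();
        if (!evaluator.isNameCheckingActive()) {
            throw new IllegalStateException("no name check type is enabled");
        }
        X509Credential credential = new BasicX509Credential(cert);
        return evaluator.evaluate(credential, trustedNames);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and names: substitute the peer certificate and the
        // names configured for it (a DNS name and/or the exact subject DN).
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Path.of("/path/to/peer-cert.pem"))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Set<String> trusted = Set.of("idp.example.org", "CN=idp.example.org, O=Example, C=US");
        System.out.println("name check passed: " + nameMatches(cert, trusted));
    }
}
```

The DN entry in the trusted set is matched only after being parsed by the configured X500DNHandler and compared with X500Principal.equals, so attribute order and encoding must produce the same principal as the certificate subject.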