Class CertPathPKIXTrustEvaluator

    • Field Detail

      • log

        private final org.slf4j.Logger log
        Class logger.
      • x500DNHandler

        private X500DNHandler x500DNHandler
        Responsible for parsing and serializing X.500 names to/from X500Principal instances.
    • Constructor Detail

      • CertPathPKIXTrustEvaluator

        public CertPathPKIXTrustEvaluator()
        Constructor.
      • CertPathPKIXTrustEvaluator

        public CertPathPKIXTrustEvaluator(@Nonnull @ParameterName(name="newOptions")
                                          PKIXValidationOptions newOptions)
        Constructor.
        Parameters:
        newOptions - PKIX validation options
    • Method Detail

      • setPKIXValidationOptions

        public void setPKIXValidationOptions(@Nonnull
                                             PKIXValidationOptions newOptions)
        Set the desired PKIX validation options set.
        Parameters:
        newOptions - the new set of options
      • getX500DNHandler

        @Nonnull
        public X500DNHandler getX500DNHandler()
        Get the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
        Returns:
        returns the X500DNHandler instance
      • setX500DNHandler

        public void setX500DNHandler(@Nonnull
                                     X500DNHandler handler)
        Set the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
        Parameters:
        handler - the new X500DNHandler instance
      • storeContainsCRLs

        protected boolean storeContainsCRLs(@Nonnull
                                            CertStore certStore)
        Determine whether there are any CRLs in the CertStore that is to be used.
        Parameters:
        certStore - the cert store that will be used for validation
        Returns:
        true iff the store contains at least 1 CRL instance
      • getEffectiveVerificationDepth

        @Nonnull
        protected Integer getEffectiveVerificationDepth(@Nonnull
                                                        PKIXValidationInformation validationInfo)
        Get the effective maximum path depth to use when constructing PKIX cert path builder parameters.
        Parameters:
        validationInfo - PKIX validation information
        Returns:
        the effective max verification depth to use
      • getTrustAnchors

        @Nullable
        protected Set<TrustAnchor> getTrustAnchors(@Nonnull
                                                   PKIXValidationInformation validationInfo)
        Creates the collection of trust anchors to use during validation.
        Parameters:
        validationInfo - PKIX validation information
        Returns:
        trust anchors to use during validation
      • buildTrustAnchor

        @Nonnull
        protected TrustAnchor buildTrustAnchor(@Nonnull
                                               X509Certificate cert)
        Build a trust anchor from the given X509 certificate. This could for example be extended by subclasses to add custom name constraints, if desired.
        Parameters:
        cert - the certificate which serves as the trust anchor
        Returns:
        the newly constructed TrustAnchor
      • buildCertStore

        @Nonnull
        protected CertStore buildCertStore(@Nonnull
                                           PKIXValidationInformation validationInfo,
                                           @Nonnull
                                           X509Credential untrustedCredential)
                                    throws GeneralSecurityException
        Creates the certificate store that will be used during validation.
        Parameters:
        validationInfo - PKIX validation information
        untrustedCredential - credential to be validated
        Returns:
        certificate store used during validation
        Throws:
        GeneralSecurityException - thrown if the certificate store cannot be created from the cert and CRL material
      • addCRLsToStoreMaterial

        protected void addCRLsToStoreMaterial(@Nonnull
                                              List<Object> storeMaterial,
                                              @Nonnull
                                              Collection<X509CRL> crls,
                                              @Nonnull
                                              Date now)
        Add CRLs from the specified collection to the list of certs and CRLs being collected for the CertStore.
        Parameters:
        storeMaterial - list of certs and CRLs to be updated.
        crls - collection of CRLs to be processed
        now - current date/time
      • logCertPathDebug

        private void logCertPathDebug(@Nonnull
                                      PKIXCertPathBuilderResult buildResult,
                                      @Nonnull
                                      X509Certificate targetCert)
        Log information from the constructed cert path at level debug.
        Parameters:
        buildResult - the PKIX cert path builder result containing the cert path and trust anchor
        targetCert - the untrusted certificate that was being evaluated
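The trust-anchor, cert-store, CRL and depth steps described by getTrustAnchors, buildTrustAnchor, buildCertStore, storeContainsCRLs and getEffectiveVerificationDepth above, as an added example written directly against the JDK java.security.cert API; it is not this class's own code, the class and method names are assumed, and the caller is expected to supply the certificates and CRLs (for example loaded with CertificateFactory).

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

public class PkixPathCheck {

    // Counterpart of buildTrustAnchor/getTrustAnchors: each CA cert becomes an anchor
    // with no name constraints (a subclass could pass constraints as the second argument).
    static Set<TrustAnchor> trustAnchors(Collection<X509Certificate> anchorCerts) {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate c : anchorCerts) {
            anchors.add(new TrustAnchor(c, null));
        }
        return anchors;
    }

    // Counterpart of buildCertStore/addCRLsToStoreMaterial: one Collection store that holds
    // the untrusted end-entity cert, any intermediates, and whatever CRLs are available.
    static CertStore certStore(X509Certificate target, Collection<X509Certificate> intermediates,
                               Collection<X509CRL> crls) throws GeneralSecurityException {
        List<Object> material = new ArrayList<>();
        material.add(target);
        material.addAll(intermediates);
        material.addAll(crls);
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(material));
    }

    // Counterpart of storeContainsCRLs: a null selector returns every CRL in the store.
    static boolean storeContainsCRLs(CertStore store) throws GeneralSecurityException {
        return !store.getCRLs(null).isEmpty();
    }

    // Build and validate the path. maxDepth plays the role of the effective verification
    // depth (-1 means unlimited). Revocation checking is switched on only when CRLs were
    // supplied; with none, the JDK performs no revocation check at all, so an operator who
    // expects revocation to be enforced must actually provide CRLs.
    static PKIXCertPathBuilderResult validate(X509Certificate target, Set<TrustAnchor> anchors,
                                              CertStore store, int maxDepth)
            throws GeneralSecurityException {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        params.addCertStore(store);
        params.setMaxPathLength(maxDepth);
        params.setRevocationEnabled(storeContainsCRLs(store));
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // Throws CertPathBuilderException if no path to an anchor can be built or validated.
        return (PKIXCertPathBuilderResult) builder.build(params);
    }
}
```

The returned PKIXCertPathBuilderResult exposes getCertPath() and getTrustAnchor(), the same two pieces logCertPathDebug above reports.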