Class CryptoBase

java.lang.Object
org.apache.wss4j.common.crypto.CryptoBase
All Implemented Interfaces:
Crypto
Direct Known Subclasses:
CertificateStore, Merlin

public abstract class CryptoBase extends Object implements Crypto
This Abstract Base Class implements the accessor and keystore-independent methods and functionality of the Crypto interface.
  • Field Details

    • SKI_OID

      public static final String SKI_OID
    • NAME_CONSTRAINTS_OID

      public static final String NAME_CONSTRAINTS_OID
      OID for the NameConstraints extension to X.509. See http://java.sun.com/j2se/1.4.2/docs/api/ and http://www.ietf.org/rfc/rfc3280.txt (section 4.2.1.11).
    • certificateFactory

      protected CertificateFactory certificateFactory
  • Constructor Details

    • CryptoBase

      protected CryptoBase()
      Constructor
  • Method Details

    • getCryptoProvider

      public String getCryptoProvider()
      Get the crypto provider associated with this implementation
      Specified by:
      getCryptoProvider in interface Crypto
      Returns:
      the crypto provider
    • setCryptoProvider

      public void setCryptoProvider(String provider)
      Set the crypto provider associated with this implementation
      Specified by:
      setCryptoProvider in interface Crypto
      Parameters:
      provider - the crypto provider to set
    • setTrustProvider

      public void setTrustProvider(String provider)
      Set the crypto provider used for truststore operations associated with this implementation
      Specified by:
      setTrustProvider in interface Crypto
      Parameters:
      provider - the name of the provider
    • getTrustProvider

      public String getTrustProvider()
      Get the crypto provider used for truststore operations associated with this implementation.
      Specified by:
      getTrustProvider in interface Crypto
      Returns:
      a crypto provider name
    • getDefaultX509Identifier

      public String getDefaultX509Identifier() throws WSSecurityException
      Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.
      Specified by:
      getDefaultX509Identifier in interface Crypto
      Returns:
      name of the default X509 certificate.
      Throws:
      WSSecurityException
    • setDefaultX509Identifier

      public void setDefaultX509Identifier(String identifier)
      Sets the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. The identifier is implementation specific, e.g. it could be the KeyStore alias.
      Specified by:
      setDefaultX509Identifier in interface Crypto
      Parameters:
      identifier - name of the default X509 certificate.
    • setCertificateFactory

      public void setCertificateFactory(CertificateFactory certFactory)
      Sets the CertificateFactory instance on this Crypto instance
      Specified by:
      setCertificateFactory in interface Crypto
      Parameters:
      certFactory - the CertificateFactory instance to set
    • getCertificateFactory

      public CertificateFactory getCertificateFactory() throws WSSecurityException
      Get the CertificateFactory instance on this Crypto instance
      Specified by:
      getCertificateFactory in interface Crypto
      Returns:
      Returns a CertificateFactory to construct X509 certificates
      Throws:
      WSSecurityException
    • loadCertificate

      public X509Certificate loadCertificate(InputStream in) throws WSSecurityException
      Load an X509Certificate from the input stream.
      Specified by:
      loadCertificate in interface Crypto
      Parameters:
      in - The InputStream containing the X509Certificate
      Returns:
      An X509 certificate
      Throws:
      WSSecurityException
    • getSKIBytesFromCert

      public byte[] getSKIBytesFromCert(X509Certificate cert) throws WSSecurityException
      Reads the SubjectKeyIdentifier information from the certificate.

      If the certificate does not contain an SKI extension, try to compute the SKI according to RFC3280 using the SHA-1 hash value of the public key. The second method described in RFC3280 is not supported. Also, only RSA public keys are supported. If the SKI cannot be computed, a WSSecurityException is thrown.

      Specified by:
      getSKIBytesFromCert in interface Crypto
      Parameters:
      cert - The certificate to read SKI
      Returns:
      The byte array containing the binary SKI data
      Throws:
      WSSecurityException
    • getBytesFromCertificates

      public byte[] getBytesFromCertificates(X509Certificate[] certs) throws WSSecurityException
      Get a byte array given an array of X509 certificates.

      Specified by:
      getBytesFromCertificates in interface Crypto
      Parameters:
      certs - The certificates to convert
      Returns:
      The byte array for the certificates
      Throws:
      WSSecurityException
    • getCertificatesFromBytes

      public X509Certificate[] getCertificatesFromBytes(byte[] data) throws WSSecurityException
      Construct an array of X509Certificates from the byte array.

      Specified by:
      getCertificatesFromBytes in interface Crypto
      Parameters:
      data - The byte array containing the X509 data
      Returns:
      An array of X509 certificates
      Throws:
      WSSecurityException
    • createBCX509Name

      protected Object createBCX509Name(String s)
    • matchesSubjectDnPattern

      protected boolean matchesSubjectDnPattern(X509Certificate cert, Collection<Pattern> subjectDNPatterns)
      Returns:
      true if the certificate's SubjectDN matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate subject DN only has to match ONE of the subject cert constraints (not all).
    • matchesIssuerDnPattern

      protected boolean matchesIssuerDnPattern(X509Certificate cert, Collection<Pattern> issuerDNPatterns)
      Returns:
      true if the certificate's Issuer DN matches the constraints defined in issuerDNPatterns; false, otherwise. The certificate issuer DN only has to match ONE of the issuer cert constraints (not all).
    • matchesName

      protected boolean matchesName(String name, Collection<Pattern> patterns)
      Returns:
      true if the provided name matches the constraints defined in the subject DNConstraints; false, otherwise. The certificate (subject) DN only has to match ONE of the (subject) cert constraints (not all).
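
The match-ONE rule described for matchesSubjectDnPattern, matchesIssuerDnPattern and matchesName, shown as an added example that is not WSS4J's own code. The class name, the sample DNs, whole-string matching and rejecting an empty pattern set are assumptions of this example; it contrasts a loose pattern with anchored ones.

```java
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;

public class DnConstraintDemo {
    // True when the DN matches at least ONE pattern; the whole string must match.
    // Assumption of this example: a null or empty pattern set rejects instead of accepting.
    static boolean matchesAny(String dn, Collection<Pattern> patterns) {
        if (dn == null || patterns == null || patterns.isEmpty()) return false;
        for (Pattern p : patterns) {
            if (p.matcher(dn).matches()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample DNs; getName() returns the RFC 2253 string form.
        String good = new X500Principal("CN=gateway,OU=Payments,O=Example Corp,C=US").getName();
        String lookalike = new X500Principal("CN=gateway,OU=Payments,O=Example Corp Evil,C=US").getName();

        // Weak: wildcards on both sides accept any DN that merely contains the text.
        List<Pattern> loose = List.of(Pattern.compile(".*O=Example Corp.*"));
        // Hardened: every RDN is pinned; only the CN value may vary and it cannot contain a comma.
        List<Pattern> strict = List.of(
                Pattern.compile("CN=[^,]+,OU=Payments,O=Example Corp,C=US"),
                Pattern.compile("CN=[^,]+,OU=Billing,O=Example Corp,C=US"));

        System.out.println("loose/good       " + matchesAny(good, loose));       // true
        System.out.println("loose/lookalike  " + matchesAny(lookalike, loose));  // true: over-broad
        System.out.println("strict/good      " + matchesAny(good, strict));      // true, first pattern
        System.out.println("strict/lookalike " + matchesAny(lookalike, strict)); // false
        System.out.println("empty set        " + matchesAny(good, List.of()));   // false
    }
}
```
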
    • getNameConstraints

      protected byte[] getNameConstraints(X509Certificate cert) throws WSSecurityException
      Extracts the NameConstraints sequence from the certificate. Handles the case where the data is encoded directly as DERDecoder.TYPE_SEQUENCE or where the sequence has been encoded as a DERDecoder.TYPE_OCTET_STRING.

      By contract, the values retrieved from calls to X509Extension.getExtensionValue(String) should always be DER-encoded OCTET strings; however, because of ambiguity in the RFC and the potential for a future breaking change to this contract, testing whether the bytes returned are tagged as a sequence or an encoded octet string is prudent. Considering the fact that it is a single byte comparison, the performance hit is negligible.

      Parameters:
      cert - the certificate to extract NameConstraints from
      Returns:
      the NameConstraints, or null if not present
      Throws:
      WSSecurityException - if a processing error occurs decoding the Octet String
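
An added example, not WSS4J's own code, covering two passages above: the SKI lookup with its RFC 3280 SHA-1 fallback described for getSKIBytesFromCert, and the one-byte tag test described for getNameConstraints. The class and method names and the sample bytes are assumptions of this example, the key-hash fallback here is not restricted to RSA, and HexFormat requires Java 17 or later.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;

public class SkiAndNameConstraintsDemo {
    // DER header at off -> {contentOffset, contentLength}; rejects truncated or oversized lengths.
    static int[] tlv(byte[] d, int off) {
        if (off < 0 || off + 2 > d.length) throw new IllegalArgumentException("truncated DER");
        int len = d[off + 1] & 0xff, pos = off + 2;
        if (len > 0x7f) {                       // long form: low 7 bits = count of length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 3 || pos + n > d.length) throw new IllegalArgumentException("bad DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (d[pos++] & 0xff);
        }
        if (pos + len > d.length) throw new IllegalArgumentException("truncated DER");
        return new int[] {pos, len};
    }
    static byte[] content(byte[] d, int off) {
        int[] t = tlv(d, off);
        return Arrays.copyOfRange(d, t[0], t[0] + t[1]);
    }
    // The one-byte tag test: an OCTET STRING wrapper (0x04) is stripped, a bare SEQUENCE (0x30) passes through.
    static byte[] unwrapNameConstraints(byte[] ext) {
        if (ext == null || ext.length == 0) return null;
        if (ext[0] == 0x30) return ext;
        if (ext[0] == 0x04) return content(ext, 0);
        throw new IllegalArgumentException("unexpected tag " + ext[0]);
    }
    // RFC 3280 4.2.1.2 method 1: SHA-1 of the BIT STRING value, without tag, length and unused-bits byte.
    static byte[] computeSki(PublicKey key) throws NoSuchAlgorithmException {
        byte[] spki = key.getEncoded();         // SEQUENCE { AlgorithmIdentifier, BIT STRING }
        int[] alg = tlv(spki, tlv(spki, 0)[0]);
        int bitString = alg[0] + alg[1];
        int[] bits = tlv(spki, bitString);
        if (spki[bitString] != 0x03 || bits[1] < 1) throw new IllegalArgumentException("no BIT STRING");
        return MessageDigest.getInstance("SHA-1").digest(Arrays.copyOfRange(spki, bits[0] + 1, bits[0] + bits[1]));
    }
    // Prefer the certificate's own SKI extension (2.5.29.14); hash the key only when it is absent.
    static byte[] ski(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] ext = cert.getExtensionValue("2.5.29.14");   // OCTET STRING { OCTET STRING { keyId } }
        return ext != null ? content(content(ext, 0), 0) : computeSki(cert.getPublicKey());
    }
    public static void main(String[] args) throws Exception {
        PublicKey pub = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();
        System.out.println("computed SKI: " + HexFormat.of().formatHex(computeSki(pub)));
        byte[] seq = HexFormat.of().parseHex("300ca00a30088206612e74657374");       // constructed sample
        byte[] wrapped = HexFormat.of().parseHex("040e300ca00a30088206612e74657374"); // same, OCTET STRING wrapped
        System.out.println(Arrays.equals(unwrapNameConstraints(wrapped), seq) && Arrays.equals(unwrapNameConstraints(seq), seq));
    }
}
```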