Class Merlin

java.lang.Object
org.apache.wss4j.common.crypto.CryptoBase
org.apache.wss4j.common.crypto.Merlin
All Implemented Interfaces:
Crypto
Direct Known Subclasses:
MerlinAKI, MerlinDevice

public class Merlin extends CryptoBase
A Crypto implementation based on two Java KeyStore objects: a keystore, which holds this party's private keys and their certificates, and a truststore, which holds the certificates of the parties it trusts. Keeping the two separate means the store that is consulted for trust decisions never has to contain private key material.
  • Method Details

    • loadProperties

      public void loadProperties(Properties properties, ClassLoader loader, PasswordEncryptor passwordEncryptor) throws WSSecurityException, IOException
      Throws:
      WSSecurityException
      IOException
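      As an added example (not code from the WSS4J project or this page), the following loads a Merlin instance through loadProperties and then checks that what was loaded is usable. The property keys are the standard org.apache.wss4j.crypto.merlin.* configuration keys assumed from WSS4J's Merlin configuration documentation; the file names, passwords and alias are placeholders. The check that the default alias resolves to a private key entry is worth doing at startup, because a certificate-only entry under that alias only shows up later as a signing failure.

```java
import java.security.KeyStore;
import java.util.Collections;
import java.util.Properties;

import org.apache.wss4j.common.crypto.Merlin;

public class MerlinLoadExample {

    /**
     * Loads a Merlin instance from properties. The keystore holds this
     * service's private key and certificate, the truststore only the
     * certificates of the peers it accepts.
     * File names, passwords and the alias are placeholders for this example.
     */
    public static Merlin loadMerlin() throws Exception {
        Properties props = new Properties();
        props.setProperty("org.apache.wss4j.crypto.provider",
                          "org.apache.wss4j.common.crypto.Merlin");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.type", "PKCS12");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", "service.p12");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "changeit");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "service");
        props.setProperty("org.apache.wss4j.crypto.merlin.truststore.type", "PKCS12");
        props.setProperty("org.apache.wss4j.crypto.merlin.truststore.file", "trust.p12");
        props.setProperty("org.apache.wss4j.crypto.merlin.truststore.password", "changeit");

        Merlin merlin = new Merlin();
        // Third argument is the PasswordEncryptor; null because the passwords
        // above are plaintext.
        merlin.loadProperties(props, MerlinLoadExample.class.getClassLoader(), null);
        return merlin;
    }

    /**
     * Sanity check: the default identifier must name a private key entry in
     * the keystore, and a truststore must actually have been loaded.
     * Returns the default alias so callers can log it.
     */
    public static String checkStores(Merlin merlin) throws Exception {
        String alias = merlin.getDefaultX509Identifier();
        KeyStore keyStore = merlin.getKeyStore();
        if (alias == null || keyStore == null || !keyStore.isKeyEntry(alias)) {
            throw new IllegalStateException(
                "default alias '" + alias + "' is not a private key entry in the keystore");
        }
        KeyStore trustStore = merlin.getTrustStore();
        if (trustStore == null) {
            throw new IllegalStateException("no truststore configured");
        }
        for (String a : Collections.list(trustStore.aliases())) {
            if (trustStore.isKeyEntry(a)) {
                // A private key in the truststore is a configuration smell:
                // that store should only carry the certificates you trust.
                System.err.println("warning: truststore alias '" + a + "' holds a private key");
            }
        }
        return alias;
    }

    public static void main(String[] args) throws Exception {
        Merlin merlin = loadMerlin();
        System.out.println("default identifier: " + checkStores(merlin));
    }
}
```

      The same Properties object can be handed to CryptoFactory instead of calling loadProperties directly; the explicit call is used here so the PasswordEncryptor argument is visible.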
    • loadInputStream

      public static InputStream loadInputStream(ClassLoader loader, String location) throws WSSecurityException, IOException
      Load a KeyStore object as an InputStream, using the ClassLoader and location arguments
      Throws:
      WSSecurityException
      IOException
    • load

      protected KeyStore load(InputStream input, String storepass, String provider, String type) throws WSSecurityException
      Loads the keystore from an InputStream.

      Parameters:
      input - InputStream to read from
      storepass - the password protecting the store
      provider - the name of the JCE provider to use, or null/empty for the default provider
      type - the KeyStore type (for example JKS or PKCS12)
      Throws:
      WSSecurityException
    • getKeyStore

      public KeyStore getKeyStore()
      Gets the Keystore that was loaded
      Returns:
      the Keystore
    • setKeyStore

      public void setKeyStore(KeyStore keyStore)
      Set the Keystore on this Crypto instance
      Parameters:
      keyStore - the Keystore to set
    • getTrustStore

      public KeyStore getTrustStore()
      Gets the trust store that was loaded by the underlying implementation
      Returns:
      the trust store
    • setTrustStore

      public void setTrustStore(KeyStore trustStore)
      Set the trust store on this Crypto instance
      Parameters:
      trustStore - the trust store to set
    • setCRLCertStore

      public void setCRLCertStore(CertStore crlCertStore)
      Set the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
      Parameters:
      crlCertStore - the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
    • getCRLCertStore

      public CertStore getCRLCertStore()
      Get the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
      Returns:
      the CertStore from which to obtain a list of CRLs for Certificate Revocation checking.
    • getCertificateFactory

      public CertificateFactory getCertificateFactory() throws WSSecurityException
      Singleton certificate factory for this Crypto instance.

      Specified by:
      getCertificateFactory in interface Crypto
      Overrides:
      getCertificateFactory in class CryptoBase
      Returns:
      Returns a CertificateFactory to construct X509 certificates
      Throws:
      WSSecurityException
    • getDefaultX509Identifier

      public String getDefaultX509Identifier() throws WSSecurityException
      Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.
      Specified by:
      getDefaultX509Identifier in interface Crypto
      Overrides:
      getDefaultX509Identifier in class CryptoBase
      Returns:
      name of the default X509 certificate.
      Throws:
      WSSecurityException
    • getX509Certificates

      public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException
      Get an X509Certificate (chain) corresponding to the CryptoType argument. The supported types are as follows: TYPE.ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 of the (root) cert TYPE.SKI_BYTES - A certificate (chain) is located by the SKI bytes of the (root) cert TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of the (root) cert TYPE.ALIAS - A certificate (chain) is located by an alias, which for this implementation means an alias of the keystore or truststore.
      Throws:
      WSSecurityException
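      Added example, not code from the WSS4J project: one helper per supported CryptoType, showing how the lookup key for each type is built from a certificate received in a message. The SKI extraction uses XMLX509SKI.getSKIBytesFromCert from Apache Santuario, which WSS4J depends on; that choice is an assumption of this example, not something the page specifies.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.xml.security.keys.content.x509.XMLX509SKI;

public class CertLookup {

    /** Locate a chain by keystore/truststore alias. */
    public static X509Certificate[] byAlias(Crypto crypto, String alias)
            throws WSSecurityException {
        CryptoType type = new CryptoType(CryptoType.TYPE.ALIAS);
        type.setAlias(alias);
        return crypto.getX509Certificates(type);
    }

    /**
     * Locate the stored chain for a received certificate by issuer name and
     * serial number, the pair a WS-Security X509IssuerSerial reference carries.
     */
    public static X509Certificate[] byIssuerSerial(Crypto crypto, X509Certificate received)
            throws WSSecurityException {
        CryptoType type = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
        type.setIssuerSerial(received.getIssuerX500Principal().getName(),
                             received.getSerialNumber());
        return crypto.getX509Certificates(type);
    }

    /** Locate by the SHA-1 thumbprint of the DER-encoded certificate. */
    public static X509Certificate[] byThumbprint(Crypto crypto, X509Certificate received)
            throws Exception {
        byte[] thumbprint = MessageDigest.getInstance("SHA-1").digest(received.getEncoded());
        CryptoType type = new CryptoType(CryptoType.TYPE.THUMBPRINT_SHA1);
        type.setBytes(thumbprint);
        return crypto.getX509Certificates(type);
    }

    /** Locate by the Subject Key Identifier extension of the received certificate. */
    public static X509Certificate[] bySki(Crypto crypto, X509Certificate received)
            throws Exception {
        // Santuario helper: returns the SKI octets without the DER wrapping.
        byte[] ski = XMLX509SKI.getSKIBytesFromCert(received);
        CryptoType type = new CryptoType(CryptoType.TYPE.SKI_BYTES);
        type.setBytes(ski);
        return crypto.getX509Certificates(type);
    }

    /** Locate by Subject DN, in the string form X500Principal.getName() produces. */
    public static X509Certificate[] bySubjectDN(Crypto crypto, String subjectDN)
            throws WSSecurityException {
        CryptoType type = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
        type.setSubjectDN(subjectDN);
        return crypto.getX509Certificates(type);
    }

    /**
     * Merlin signals "not found" with a null or empty array rather than an
     * exception, so callers should normalise that before using the result.
     */
    public static X509Certificate[] requireFound(X509Certificate[] chain, String what) {
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate found for " + what);
        }
        return chain;
    }
}
```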
    • getX509Identifier

      public String getX509Identifier(X509Certificate cert) throws WSSecurityException
      Get the implementation-specific identifier corresponding to the cert parameter. In this case, the identifier corresponds to a KeyStore alias.
      Parameters:
      cert - The X509Certificate for which to search for an identifier
      Returns:
      the identifier corresponding to the cert parameter
      Throws:
      WSSecurityException
    • getPrivateKey

      public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler) throws WSSecurityException
      Gets the private key corresponding to the certificate.
      Parameters:
      certificate - The X509Certificate corresponding to the private key
      callbackHandler - The callbackHandler needed to get the password
      Returns:
      The private key
      Throws:
      WSSecurityException
    • getPrivateKey

      public PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler) throws WSSecurityException
      Gets the private key corresponding to the given PublicKey.
      Parameters:
      publicKey - The PublicKey corresponding to the private key
      callbackHandler - The callbackHandler needed to get the password
      Returns:
      The private key
      Throws:
      WSSecurityException
    • getPrivateKey

      public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException
      Gets the private key corresponding to the identifier.
      Parameters:
      identifier - The implementation-specific identifier corresponding to the key
      password - The password needed to get the key
      Returns:
      The private key
      Throws:
      WSSecurityException
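      Added example (not the project's own code) of resolving a private key through the CallbackHandler overload. Merlin asks the handler for the password of the identifier it derived from the certificate, which for this implementation is the keystore alias; the handler below answers only for the one alias it was built for, so a lookup for any other key fails instead of being silently unlocked. The alias and password values are placeholders.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;

public class PrivateKeyLookup {

    /**
     * Answers the WSPasswordCallback that Merlin issues while resolving a
     * private key, but only for the single alias this handler was built for.
     * Other identifiers are left unanswered, so the key lookup fails rather
     * than handing out a password for a key the caller did not intend to use.
     */
    static final class SingleAliasHandler implements CallbackHandler {
        private final String alias;
        private final String password;

        SingleAliasHandler(String alias, String password) {
            this.alias = alias;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is handled");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // KeyStore aliases are case-insensitive for JKS and PKCS12.
                if (alias.equalsIgnoreCase(pc.getIdentifier())) {
                    pc.setPassword(password);
                }
            }
        }
    }

    /** Resolve the chain for an alias, then the matching private key. */
    public static PrivateKey lookup(Merlin merlin, String alias, String keyPassword)
            throws Exception {
        CryptoType type = new CryptoType(CryptoType.TYPE.ALIAS);
        type.setAlias(alias);
        X509Certificate[] chain = merlin.getX509Certificates(type);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate for alias " + alias);
        }
        // Merlin maps chain[0] back to its alias (getX509Identifier) and asks
        // the handler for that alias's password.
        return merlin.getPrivateKey(chain[0], new SingleAliasHandler(alias, keyPassword));
    }

    /** Direct form for when the alias and its password are already in hand. */
    public static PrivateKey lookupDirect(Merlin merlin, String alias, String keyPassword)
            throws Exception {
        return merlin.getPrivateKey(alias, keyPassword);
    }
}
```

      If private key caching is enabled on the instance, the key returned here is retained in memory after the first lookup; call clearCache() after replacing the keystore so a rotated key is not served from the cache.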
    • verifyTrust

      protected void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints) throws WSSecurityException
      Evaluate whether a given certificate chain should be trusted.
      Parameters:
      certs - Certificate chain to validate
      enableRevocation - whether to enable CRL verification or not
      subjectCertConstraints - A set of constraints on the Subject DN of the certificates
      Throws:
      WSSecurityException - if the certificate chain is invalid
    • verifyTrust

      public void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints) throws WSSecurityException
      Description copied from interface: Crypto
      Evaluate whether a given certificate chain should be trusted.
      Parameters:
      certs - Certificate chain to validate
      enableRevocation - whether to enable CRL verification or not
      subjectCertConstraints - A set of constraints on the Subject DN of the certificates
      issuerCertConstraints - A set of constraints on the Issuer DN of the certificates
      Throws:
      WSSecurityException - if the certificate chain is invalid
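      Added example (not code from the WSS4J project) that wires up the full check: PKIX validation against the truststore anchors, CRL-based revocation via setCRLCertStore, and DN constraints on subject and issuer. The DN values and the CRL path are placeholders. The patterns are written against the RFC 2253 form that X500Principal.getName() returns and must cover the whole DN, since a constraint that only matches a substring of the DN will never match.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.regex.Pattern;

import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;

public class TrustCheck {

    // Whole-DN patterns (RFC 2253 order, no spaces after commas).
    // Placeholder organisation and CA names for this example.
    static final Collection<Pattern> SUBJECT_CONSTRAINTS =
        Collections.singletonList(Pattern.compile(".*,O=Example Corp,C=US"));
    static final Collection<Pattern> ISSUER_CONSTRAINTS =
        Collections.singletonList(Pattern.compile("CN=Example Issuing CA,O=Example Corp,C=US"));

    /** Load one or more CRLs from a file and hand them to Merlin for revocation checks. */
    public static void installCrls(Merlin merlin, String crlPath) throws Exception {
        CertificateFactory cf = merlin.getCertificateFactory();
        try (InputStream in = Files.newInputStream(Paths.get(crlPath))) {
            Collection<? extends CRL> crls = cf.generateCRLs(in);
            CertStore store = CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls));
            merlin.setCRLCertStore(store);
        }
    }

    /**
     * Path validation, revocation and DN constraints in one call.
     * Returns normally only if all of them pass.
     */
    public static void requireTrusted(Merlin merlin, X509Certificate[] chain)
            throws WSSecurityException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        merlin.verifyTrust(chain, true, SUBJECT_CONSTRAINTS, ISSUER_CONSTRAINTS);
    }

    /** Boolean wrapper for callers that want a decision rather than an exception. */
    public static boolean isTrusted(Merlin merlin, X509Certificate[] chain) {
        try {
            requireTrusted(merlin, chain);
            return true;
        } catch (WSSecurityException | IllegalArgumentException e) {
            return false;
        }
    }
}
```

      Turning enableRevocation on without giving Merlin a CRL source (setCRLCertStore or the x509crl.file property) does not silently skip the check: the JDK's PKIX validator fails the path because it cannot determine revocation status, which is the safe direction to fail in but is easy to mistake for a certificate problem.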
    • createPKIXParameters

      protected PKIXParameters createPKIXParameters(Set<TrustAnchor> trustAnchors, boolean enableRevocation) throws InvalidAlgorithmParameterException
      Creates the PKIXParameters used for certificate path validation from the given trust anchors, with revocation checking turned on or off according to enableRevocation. Subclasses can override this hook to adjust validation (for example to register additional CertStores or path checkers).
      Throws:
      InvalidAlgorithmParameterException
    • verifyTrust

      public void verifyTrust(PublicKey publicKey) throws WSSecurityException
      Evaluate whether a given public key should be trusted.
      Parameters:
      publicKey - The PublicKey to be evaluated
      Throws:
      WSSecurityException - if the PublicKey is invalid
    • addTrustAnchors

      protected void addTrustAnchors(Set<TrustAnchor> set, KeyStore keyStore) throws KeyStoreException, WSSecurityException
      Adds TrustAnchors found in the provided key store to the set.

      When the Trust Anchors are constructed, the value of the CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS property will be checked. If it has been set to true, then NameConstraints will be added to their Trust Anchors; if unset or set to false, the Name Constraints will be nulled out on their Trust Anchors. The default Sun PKIX Path Validator does not support Name Constraints on Trust Anchors and will throw an InvalidAlgorithmParameterException if they are provided. Other implementations may also be unsafe.

      Parameters:
      set - the set to which to add the TrustAnchors
      keyStore - the store to search for X509Certificates
      Throws:
      KeyStoreException - if a problem occurs accessing the keyStore
      WSSecurityException
    • decryptPassword

      protected String decryptPassword(String password, PasswordEncryptor passwordEncryptor)
      Decrypts a password that is stored in encrypted form, using the given PasswordEncryptor, and returns the plaintext. A password that is not in encrypted form is returned unchanged.
    • setPasswordEncryptor

      public void setPasswordEncryptor(PasswordEncryptor passwordEncryptor)
      Set the PasswordEncryptor used to decrypt encrypted keystore and private key passwords.
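      Added example, not code from the WSS4J project, showing the password-encryption hook end to end. It assumes WSS4J's JasyptPasswordEncryptor and the ENC(...) wrapper that Merlin recognises in its configuration properties; both are taken from WSS4J's configuration documentation rather than from this page. A small subclass exposes the protected decryptPassword so the behaviour can be observed directly. The master password is a placeholder and would be supplied out of band in a real deployment.

```java
import org.apache.wss4j.common.crypto.JasyptPasswordEncryptor;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;

public class EncryptedPasswordExample {

    /** Exposes the protected hook so the round trip can be observed. */
    static final class ObservableMerlin extends Merlin {
        String decrypt(String password, PasswordEncryptor encryptor) {
            return decryptPassword(password, encryptor);
        }
    }

    /**
     * Produces the value to put in the Merlin properties file for a keystore
     * or key password: the ciphertext wrapped in ENC(...). The master
     * password the encryptor is built from must not live in the same file.
     */
    public static String toPropertyValue(PasswordEncryptor encryptor, String plaintext) {
        return "ENC(" + encryptor.encrypt(plaintext) + ")";
    }

    /** Decrypts a property value through Merlin's own hook. */
    public static String fromPropertyValue(PasswordEncryptor encryptor, String value) {
        ObservableMerlin merlin = new ObservableMerlin();
        merlin.setPasswordEncryptor(encryptor);
        return merlin.decrypt(value, encryptor);
    }

    public static void main(String[] args) {
        // Master password is a placeholder; read it from the environment or a
        // secrets manager rather than from the crypto properties file.
        PasswordEncryptor encryptor = new JasyptPasswordEncryptor("master-secret");

        String wrapped = toPropertyValue(encryptor, "changeit");
        // Encrypted values are unwrapped and decrypted...
        System.out.println("ENC value decrypts to: " + fromPropertyValue(encryptor, wrapped));
        // ...while a plaintext value passes through unchanged.
        System.out.println("plain value stays: " + fromPropertyValue(encryptor, "changeit"));
    }
}
```

      Encrypting the store passwords only moves the secret: whoever can read the master password, or the JVM's memory, can still recover them. The gain is that the properties file can be checked in or shared without exposing the keystore password in the clear.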
    • clearCache

      public void clearCache()
      Clears the private keys cached by this instance. Call it after the keystore has been replaced or a key has been rotated so that a stale key is not served from the cache.
    • isEnablePrivateKeyCaching

      public boolean isEnablePrivateKeyCaching()
      Whether private keys retrieved from the keystore are cached in memory by this instance.
    • setEnablePrivateKeyCaching

      public void setEnablePrivateKeyCaching(boolean enablePrivateKeyCaching)
      Enables or disables private key caching. Caching avoids re-reading and re-decrypting the key from the keystore on every use, at the cost of keeping the decrypted private key resident in the JVM for the lifetime of the instance (or until clearCache() is called).