Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.opensaml.xml.security.x509
Class CertPathPKIXTrustEvaluator

java.lang.Object
  extended by org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator
All Implemented Interfaces:
PKIXTrustEvaluator
public class CertPathPKIXTrustEvaluator
extends java.lang.Object
implements PKIXTrustEvaluator

An implementation of PKIXTrustEvaluator that is based on the Java CertPath API.

Constructor Summary
CertPathPKIXTrustEvaluator()
          Constructor.
CertPathPKIXTrustEvaluator(PKIXValidationOptions newOptions)
          Constructor.
 
Method Summary
protected  void addCRLsToStoreMaterial(java.util.List<java.lang.Object> storeMaterial, java.util.Collection<java.security.cert.X509CRL> crls, java.util.Date now)
          Add CRL's from the specified collection to the list of certs and CRL's being collected for the CertStore.
protected  java.security.cert.CertStore buildCertStore(PKIXValidationInformation validationInfo, X509Credential untrustedCredential)
          Creates the certificate store that will be used during validation.
protected  java.security.cert.TrustAnchor buildTrustAnchor(java.security.cert.X509Certificate cert)
          Build a trust anchor from the given X509 certificate.
protected  java.lang.Integer getEffectiveVerificationDepth(PKIXValidationInformation validationInfo)
          Get the effective maximum path depth to use when constructing PKIX cert path builder parameters.
protected  java.security.cert.PKIXBuilderParameters getPKIXBuilderParameters(PKIXValidationInformation validationInfo, X509Credential untrustedCredential)
          Creates the set of PKIX builder parameters to use when building the cert path builder.
 PKIXValidationOptions getPKIXValidationOptions()
          Get the PKIXValidationOptions instance that is in use.
protected  java.util.Set<java.security.cert.TrustAnchor> getTrustAnchors(PKIXValidationInformation validationInfo)
          Creates the collection of trust anchors to use during validation.
 X500DNHandler getX500DNHandler()
          Get the handler which process X.500 distinguished names.
 void setPKIXValidationOptions(PKIXValidationOptions newOptions)
          Set the desired PKIX validation options set.
 void setX500DNHandler(X500DNHandler handler)
          Set the handler which process X.500 distinguished names.
protected  boolean storeContainsCRLs(java.security.cert.CertStore certStore)
          Determine whether there are any CRL's in the CertStore that is to be used.
 boolean validate(PKIXValidationInformation validationInfo, X509Credential untrustedCredential)
          Validate the specified credential against the specified set of trusted validation information.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator()
Constructor.

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator(PKIXValidationOptions newOptions)
Constructor.

Parameters:
newOptions - PKIX validation options
Method Detail

getPKIXValidationOptions

public PKIXValidationOptions getPKIXValidationOptions()
Get the PKIXValidationOptions instance that is in use.

Specified by:
getPKIXValidationOptions in interface PKIXTrustEvaluator
Returns:
the PKIXValidationOptions instance

setPKIXValidationOptions

public void setPKIXValidationOptions(PKIXValidationOptions newOptions)
Set the desired PKIX validation options set.

Parameters:
newOptions - the new set of options

getX500DNHandler

public X500DNHandler getX500DNHandler()
Get the handler which process X.500 distinguished names. Defaults to InternalX500DNHandler.

Returns:
returns the X500DNHandler instance

setX500DNHandler

public void setX500DNHandler(X500DNHandler handler)
Set the handler which process X.500 distinguished names. Defaults to InternalX500DNHandler.

Parameters:
handler - the new X500DNHandler instance

validate

public boolean validate(PKIXValidationInformation validationInfo,
                        X509Credential untrustedCredential)
                 throws SecurityException
Validate the specified credential against the specified set of trusted validation information.

Specified by:
validate in interface PKIXTrustEvaluator
Parameters:
validationInfo - the set of trusted validation information
untrustedCredential - the credential being evaluated
Returns:
true if the credential can be successfully evaluated, false otherwise
Throws:
SecurityException - thrown if there is an error evaluating the credential

getPKIXBuilderParameters

protected java.security.cert.PKIXBuilderParameters getPKIXBuilderParameters(PKIXValidationInformation validationInfo,
                                                                            X509Credential untrustedCredential)
                                                                     throws java.security.GeneralSecurityException
Creates the set of PKIX builder parameters to use when building the cert path builder.

Parameters:
validationInfo - PKIX validation information
untrustedCredential - credential to be validated
Returns:
PKIX builder params
Throws:
java.security.GeneralSecurityException - thrown if the parameters can not be created

storeContainsCRLs

protected boolean storeContainsCRLs(java.security.cert.CertStore certStore)
Determine whether there are any CRL's in the CertStore that is to be used.

Parameters:
certStore - the cert store that will be used for validation
Returns:
true if the store contains at least 1 CRL instance, false otherwise

getEffectiveVerificationDepth

protected java.lang.Integer getEffectiveVerificationDepth(PKIXValidationInformation validationInfo)
Get the effective maximum path depth to use when constructing PKIX cert path builder parameters.

Parameters:
validationInfo - PKIX validation information
Returns:
the effective max verification depth to use

getTrustAnchors

protected java.util.Set<java.security.cert.TrustAnchor> getTrustAnchors(PKIXValidationInformation validationInfo)
Creates the collection of trust anchors to use during validation.

Parameters:
validationInfo - PKIX validation information
Returns:
trust anchors to use during validation

buildTrustAnchor

protected java.security.cert.TrustAnchor buildTrustAnchor(java.security.cert.X509Certificate cert)
Build a trust anchor from the given X509 certificate. This could for example be extended by subclasses to add custom name constraints, if desired.

Parameters:
cert - the certificate which serves as the trust anchor
Returns:
the newly constructed TrustAnchor

buildCertStore

protected java.security.cert.CertStore buildCertStore(PKIXValidationInformation validationInfo,
                                                      X509Credential untrustedCredential)
                                               throws java.security.GeneralSecurityException
Creates the certificate store that will be used during validation.

Parameters:
validationInfo - PKIX validation information
untrustedCredential - credential to be validated
Returns:
certificate store used during validation
Throws:
java.security.GeneralSecurityException - thrown if the certificate store can not be created from the cert and CRL material

addCRLsToStoreMaterial

protected void addCRLsToStoreMaterial(java.util.List<java.lang.Object> storeMaterial,
                                      java.util.Collection<java.security.cert.X509CRL> crls,
                                      java.util.Date now)
Add CRL's from the specified collection to the list of certs and CRL's being collected for the CertStore.

Parameters:
storeMaterial - list of certs and CRL's to be updated.
crls - collection of CRL's to be processed
now - current date/time
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2006-2011 Internet2. All Rights Reserved.