Class CertPathPKIXTrustEvaluator

  • All Implemented Interfaces:
    org.opensaml.security.x509.PKIXTrustEvaluator

    public class CertPathPKIXTrustEvaluator
    extends Object
    implements org.opensaml.security.x509.PKIXTrustEvaluator
    An implementation of PKIXTrustEvaluator that is based on the Java CertPath API.
    • Field Detail

      • log

        private final org.slf4j.Logger log
        Class logger.
      • x500DNHandler

        private org.opensaml.security.x509.X500DNHandler x500DNHandler
        Responsible for parsing and serializing X.500 names to/from X500Principal instances.
      • options

        private org.opensaml.security.x509.PKIXValidationOptions options
        Options influencing processing behavior.
    • Constructor Detail

      • CertPathPKIXTrustEvaluator

        public CertPathPKIXTrustEvaluator()
        Constructor.
      • CertPathPKIXTrustEvaluator

        public CertPathPKIXTrustEvaluator​(@Nonnull @ParameterName(name="newOptions")
                                          org.opensaml.security.x509.PKIXValidationOptions newOptions)
        Constructor.
        Parameters:
        newOptions - PKIX validation options
    • Method Detail

      • getPKIXValidationOptions

        @Nonnull
        public org.opensaml.security.x509.PKIXValidationOptions getPKIXValidationOptions()
        Specified by:
        getPKIXValidationOptions in interface org.opensaml.security.x509.PKIXTrustEvaluator
      • setPKIXValidationOptions

        public void setPKIXValidationOptions​(@Nonnull
                                             org.opensaml.security.x509.PKIXValidationOptions newOptions)
        Set the PKIX validation options to use.
        Parameters:
        newOptions - the new set of options
      • getX500DNHandler

        @Nonnull
        public org.opensaml.security.x509.X500DNHandler getX500DNHandler()
        Get the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
        Returns:
        returns the X500DNHandler instance
      • setX500DNHandler

        public void setX500DNHandler​(@Nonnull
                                     org.opensaml.security.x509.X500DNHandler handler)
        Set the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
        Parameters:
        handler - the new X500DNHandler instance
      • validate

        public boolean validate​(@Nonnull
                                org.opensaml.security.x509.PKIXValidationInformation validationInfo,
                                @Nonnull
                                org.opensaml.security.x509.X509Credential untrustedCredential)
                         throws org.opensaml.security.SecurityException
        Specified by:
        validate in interface org.opensaml.security.x509.PKIXTrustEvaluator
        Throws:
        org.opensaml.security.SecurityException
      • getPKIXBuilderParameters

        protected PKIXBuilderParameters getPKIXBuilderParameters​(@Nonnull
                                                                 org.opensaml.security.x509.PKIXValidationInformation validationInfo,
                                                                 @Nonnull
                                                                 org.opensaml.security.x509.X509Credential untrustedCredential)
                                                          throws GeneralSecurityException
        Creates the set of PKIX builder parameters to use when building the cert path builder.
        Parameters:
        validationInfo - PKIX validation information
        untrustedCredential - credential to be validated
        Returns:
        PKIX builder params
        Throws:
        GeneralSecurityException - thrown if the parameters can not be created
      • storeContainsCRLs

        protected boolean storeContainsCRLs​(@Nonnull
                                            CertStore certStore)
        Determine whether there are any CRLs in the CertStore that is to be used.
        Parameters:
        certStore - the cert store that will be used for validation
        Returns:
        true iff the store contains at least 1 CRL instance
      • getEffectiveVerificationDepth

        @Nonnull
        protected Integer getEffectiveVerificationDepth​(@Nonnull
                                                        org.opensaml.security.x509.PKIXValidationInformation validationInfo)
        Get the effective maximum path depth to use when constructing PKIX cert path builder parameters.
        Parameters:
        validationInfo - PKIX validation information
        Returns:
        the effective max verification depth to use
      • getTrustAnchors

        @Nullable
        protected Set<TrustAnchor> getTrustAnchors​(@Nonnull
                                                   org.opensaml.security.x509.PKIXValidationInformation validationInfo)
        Creates the collection of trust anchors to use during validation.
        Parameters:
        validationInfo - PKIX validation information
        Returns:
        trust anchors to use during validation
      • buildTrustAnchor

        @Nonnull
        protected TrustAnchor buildTrustAnchor​(@Nonnull
                                               X509Certificate cert)
        Build a trust anchor from the given X509 certificate. This could for example be extended by subclasses to add custom name constraints, if desired.
        Parameters:
        cert - the certificate which serves as the trust anchor
        Returns:
        the newly constructed TrustAnchor
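The extension point named above, shown as an added example written for this page (it is not OpenSAML's own code): a subclass overrides buildTrustAnchor so that every anchor only vouches for names under one DNS domain, and a small main constructs the options, the validation information and the untrusted credential and calls validate. Assumed, because the page does not state them: the classes live in org.opensaml.security.x509 and org.opensaml.security.x509.impl, the options class carrying the revocation switches is CertPathPKIXValidationOptions, and the PEM file names are placeholders. The DER encoding of the NameConstraints value is done by hand so the example needs nothing beyond OpenSAML and the JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXValidationOptions;  // assumed package/name

/** Trust evaluator whose anchors only vouch for names under one DNS domain (example class). */
public final class DnsConstrainedPKIXTrustEvaluator extends CertPathPKIXTrustEvaluator {

    /** DER value of a NameConstraints extension, applied to every anchor. */
    private final byte[] nameConstraints;

    public DnsConstrainedPKIXTrustEvaluator(CertPathPKIXValidationOptions options, String permittedDnsDomain) {
        super(options);
        nameConstraints = encodePermittedDnsSubtree(permittedDnsDomain);
    }

    @Override
    protected TrustAnchor buildTrustAnchor(X509Certificate cert) {
        // TrustAnchor takes the extension value only (no OID, no criticality flag) and rejects
        // malformed bytes with IllegalArgumentException, so a bad encoding fails at construction.
        return new TrustAnchor(cert, nameConstraints);
    }

    /** NameConstraints ::= SEQUENCE { permittedSubtrees [0] SEQUENCE OF GeneralSubtree { dNSName } } */
    static byte[] encodePermittedDnsSubtree(String domain) {
        byte[] dnsName   = der((byte) 0x82, domain.getBytes(StandardCharsets.US_ASCII)); // [2] dNSName
        byte[] subtree   = der((byte) 0x30, dnsName);                                     // GeneralSubtree
        byte[] permitted = der((byte) 0xA0, subtree);                                     // [0] permittedSubtrees
        return der((byte) 0x30, permitted);                                               // NameConstraints
    }

    /** Short-form DER TLV; sufficient here because domain names stay well below 128 bytes. */
    private static byte[] der(byte tag, byte[] value) {
        if (value.length > 127) {
            throw new IllegalArgumentException("value too long for short-form DER length");
        }
        byte[] out = new byte[value.length + 2];
        out[0] = tag;
        out[1] = (byte) value.length;
        System.arraycopy(value, 0, out, 2, value.length);
        return out;
    }

    private static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** usage: DnsConstrainedPKIXTrustEvaluator leaf.pem anchor.pem [crl.pem ...]  (placeholder file names) */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: leaf.pem anchor.pem [crl.pem ...]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = readCert(cf, args[0]);
        X509Certificate anchor = readCert(cf, args[1]);
        List<X509CRL> crls = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }

        CertPathPKIXValidationOptions options = new CertPathPKIXValidationOptions();
        options.setDefaultVerificationDepth(3);
        // Fail closed: always require revocation checking, not only when a CRL happens to be supplied.
        options.setForceRevocationEnabled(true);
        options.setRevocationEnabled(true);

        // depth = null: the evaluator falls back to the options' default verification depth.
        PKIXValidationInformation info =
                new BasicPKIXValidationInformation(Collections.singleton(anchor), crls, null);

        DnsConstrainedPKIXTrustEvaluator evaluator = new DnsConstrainedPKIXTrustEvaluator(options, "example.org");
        boolean trusted = evaluator.validate(info, new BasicX509Credential(leaf));
        System.out.println(trusted ? "TRUSTED" : "UNTRUSTED");
    }
}
```

Constraints passed through TrustAnchor govern the whole path built from that anchor; RFC 5280 leaves it to the validator whether extensions inside the anchor certificate itself are honoured, so this is the reliable way to pin an anchor to a namespace. If the leaf is not issued directly by the anchor, attach the intermediates to the credential with BasicX509Credential.setEntityCertificateChain so that buildCertStore can include them.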
      • buildCertStore

        @Nonnull
        protected CertStore buildCertStore​(@Nonnull
                                           org.opensaml.security.x509.PKIXValidationInformation validationInfo,
                                           @Nonnull
                                           org.opensaml.security.x509.X509Credential untrustedCredential)
                                    throws GeneralSecurityException
        Creates the certificate store that will be used during validation.
        Parameters:
        validationInfo - PKIX validation information
        untrustedCredential - credential to be validated
        Returns:
        certificate store used during validation
        Throws:
        GeneralSecurityException - thrown if the certificate store can not be created from the cert and CRL material
      • addCRLsToStoreMaterial

        protected void addCRLsToStoreMaterial​(@Nonnull
                                              List<Object> storeMaterial,
                                              @Nonnull
                                              Collection<X509CRL> crls,
                                              @Nonnull
                                              Date now)
        Add CRLs from the specified collection to the list of certs and CRLs being collected for the CertStore.
        Parameters:
        storeMaterial - list of certs and CRLs to be updated.
        crls - collection of CRLs to be processed
        now - current date/time
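To make the division of labour among getPKIXBuilderParameters, getTrustAnchors, buildCertStore, addCRLsToStoreMaterial, storeContainsCRLs and getEffectiveVerificationDepth concrete, here is the same construction done directly against java.security.cert, as an added example written for this page rather than OpenSAML's implementation. The class name, the -i/-c argument convention and the PEM file names are made up, and the rule that skips CRLs whose nextUpdate is already past is this example's own policy, standing in for whatever the page's now parameter is used for.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Builds and runs PKIX builder parameters the way the evaluator's hooks do, without OpenSAML (example class). */
public final class RawCertPathCheck {

    static PKIXCertPathBuilderResult build(X509Certificate leaf, Collection<X509Certificate> anchorCerts,
                                           Collection<X509Certificate> intermediates, Collection<X509CRL> crls,
                                           int maxDepth) throws Exception {
        // getTrustAnchors / buildTrustAnchor: one TrustAnchor per anchor cert, no extra name constraints.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate c : anchorCerts) {
            anchors.add(new TrustAnchor(c, null));
        }

        // buildCertStore / addCRLsToStoreMaterial: leaf, intermediates, and only CRLs that are not stale.
        Date now = new Date();
        List<Object> storeMaterial = new ArrayList<>();
        storeMaterial.add(leaf);
        storeMaterial.addAll(intermediates);
        for (X509CRL crl : crls) {
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
                System.err.println("skipping stale CRL from " + crl.getIssuerX500Principal());
                continue;   // example policy: a CRL past its nextUpdate is not evidence of anything
            }
            storeMaterial.add(crl);
        }
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeMaterial));

        // getPKIXBuilderParameters: target = the untrusted cert, plus anchors, store and depth.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(store);
        params.setMaxPathLength(maxDepth);   // getEffectiveVerificationDepth; -1 would mean unlimited
        // storeContainsCRLs: with no CRL available, revocation checking fails for lack of data, so it is
        // switched on only when the store holds one. The evaluator's forceRevocationEnabled option is
        // the way to refuse this leniency and fail closed instead.
        params.setRevocationEnabled(storeContainsCRLs(store));

        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    static boolean storeContainsCRLs(CertStore store) throws CertStoreException {
        // An X509CRLSelector with no criteria matches every CRL in the store.
        return !store.getCRLs(new X509CRLSelector()).isEmpty();
    }

    /** usage: RawCertPathCheck leaf.pem anchor.pem [-i intermediate.pem]... [-c crl.pem]... */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: leaf.pem anchor.pem [-i intermediate.pem]... [-c crl.pem]...");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = readCert(cf, args[0]);
        List<X509Certificate> anchors = List.of(readCert(cf, args[1]));
        List<X509Certificate> intermediates = new ArrayList<>();
        List<X509CRL> crls = new ArrayList<>();
        for (int i = 2; i + 1 < args.length; i += 2) {
            if ("-i".equals(args[i])) {
                intermediates.add(readCert(cf, args[i + 1]));
            } else if ("-c".equals(args[i])) {
                try (InputStream in = new FileInputStream(args[i + 1])) {
                    crls.add((X509CRL) cf.generateCRL(in));
                }
            }
        }
        try {
            PKIXCertPathBuilderResult result = build(leaf, anchors, intermediates, crls, 3);
            // logCertPathDebug: the chain the builder found, leaf first, then the anchor it ended on.
            for (Certificate c : result.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
            System.out.println("anchor: " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // No acceptable path: the "not trusted" outcome, as opposed to an error in the validation setup.
            System.out.println("UNTRUSTED: " + e.getMessage());
        }
    }

    private static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}
```

Note the difference between the two failure classes: a CertPathBuilderException means no path from the leaf to an anchor satisfied the constraints, whereas other GeneralSecurityExceptions (a bad store, an unavailable algorithm) mean the check could not be carried out at all. The page's validate() signature keeps that distinction by returning a boolean and also declaring SecurityException; callers should treat the two differently rather than collapsing both into "false".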
      • logCertPathDebug

        private void logCertPathDebug​(@Nonnull
                                      PKIXCertPathBuilderResult buildResult,
                                      @Nonnull
                                      X509Certificate targetCert)
        Log information from the constructed cert path at level debug.
        Parameters:
        buildResult - the PKIX cert path builder result containing the cert path and trust anchor
        targetCert - the untrusted certificate that was being evaluated