Class BasicX509CredentialNameEvaluator

java.lang.Object
org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator
All Implemented Interfaces:
X509CredentialNameEvaluator

public class BasicX509CredentialNameEvaluator extends Object implements X509CredentialNameEvaluator
A basic implementation of X509CredentialNameEvaluator which evaluates various identifiers extracted from an X509Credential's entity certificate against a set of trusted names (typically the key names published for the peer, e.g. in SAML metadata).

Supported types of entity certificate-derived names for name checking purposes are:

  1. Subject alternative names.
  2. The first (i.e. most specific) common name (CN) from the subject distinguished name.
  3. The complete subject distinguished name.

Name checking is enabled by default for all of the supported name types. The types of subject alternative names to process are specified by using the appropriate constant values defined in X509Support. By default only the following types of subject alternative names are checked: DNS (X509Support.DNS_ALT_NAME) and URI (X509Support.URI_ALT_NAME). Other alternative name types present in the certificate (for example e-mail or IP address names) are ignored unless they are explicitly added via setSubjectAltNameTypes(Set).

The subject distinguished name from the entity certificate is compared to the trusted key names for complete DN matching purposes by parsing each trusted key name into an X500Principal as returned by the configured instance of X500DNHandler. The resulting distinguished name is then compared with the certificate subject using X500Principal.equals(Object). Note that X500Principal.equals(Object) compares canonical string forms, so differences in attribute type case, value case and whitespace are tolerated, but the order of the RDNs must match. The default X500DNHandler used is InternalX500DNHandler.
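The following is an added example, not code from the OpenSAML project or this page, showing the evaluator exercised against each of the three supported name forms, including the null/empty trusted-name case described under evaluate(X509Credential, Set). It assumes Bouncy Castle (bcprov/bcpkix) is on the classpath to build a throw-away self-signed certificate in memory; the host names, entity ID and subject DN are hypothetical, and X509Support.RFC822_ALT_NAME is assumed to follow the naming pattern of the DNS_ALT_NAME and URI_ALT_NAME constants named on this page.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Set;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;

public final class NameEvaluatorExample {

    /** Constructed test input: a short-lived self-signed certificate, not a real credential. */
    static X509Certificate selfSignedCert() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Hypothetical subject; the CN is deliberately different from the DNS SAN below,
        // so the CN check and the SAN check can be told apart.
        X500Name subject = new X500Name("CN=idp-host01.internal.example.org, O=Example Org, C=US");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 24L * 60 * 60 * 1000);

        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                subject, BigInteger.ONE, notBefore, notAfter, subject, kp.getPublic());
        // The SAN extension carries the names a relying party would actually trust.
        builder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName[] {
                new GeneralName(GeneralName.dNSName, "idp.example.org"),
                new GeneralName(GeneralName.uniformResourceIdentifier, "https://idp.example.org/idp/shibboleth"),
                new GeneralName(GeneralName.rfc822Name, "admin@example.org")
        }));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        BasicX509Credential credential = new BasicX509Credential(selfSignedCert());
        BasicX509CredentialNameEvaluator evaluator = new BasicX509CredentialNameEvaluator();

        // Defaults: SAN (DNS + URI), subject CN and complete subject DN checks are all enabled.
        System.out.println("name checking active: " + evaluator.isNameCheckingActive());

        // 1. Trusted name equal to the URI SAN (e.g. a SAML entityID): matches with default settings.
        System.out.println("URI SAN:   " + evaluator.evaluate(credential, Set.of("https://idp.example.org/idp/shibboleth")));

        // 2. The e-mail SAN is in the certificate, but rfc822Name is not a checked type by default.
        System.out.println("email SAN: " + evaluator.evaluate(credential, Set.of("admin@example.org")));

        // Opting in to rfc822Name alt names (constant name assumed, see lead-in) changes the outcome.
        evaluator.setSubjectAltNameTypes(Set.of(
                X509Support.DNS_ALT_NAME, X509Support.URI_ALT_NAME, X509Support.RFC822_ALT_NAME));
        System.out.println("email SAN, opted in: " + evaluator.evaluate(credential, Set.of("admin@example.org")));

        // 3. Complete subject DN, given as a string the configured X500DNHandler can parse.
        //    Case differs from the certificate; X500Principal.equals compares canonical forms, so it matches.
        System.out.println("subject DN: " + evaluator.evaluate(credential,
                Set.of("cn=IDP-HOST01.internal.example.org, o=Example Org, c=US")));

        // 4. A name the certificate does not carry in any checked form fails.
        System.out.println("unrelated:  " + evaluator.evaluate(credential, Set.of("https://other.example.net/idp")));

        // 5. Caveat: a null or empty trusted-name set means "nothing to check" and evaluates to true.
        //    Callers that require a name match must reject an empty set before calling evaluate().
        System.out.println("null set:   " + evaluator.evaluate(credential, null));
        System.out.println("empty set:  " + evaluator.evaluate(credential, Collections.emptySet()));

        // 6. The same holds when every check has been switched off.
        evaluator.setCheckSubjectAltNames(false);
        evaluator.setCheckSubjectDNCommonName(false);
        evaluator.setCheckSubjectDN(false);
        System.out.println("all checks off, active=" + evaluator.isNameCheckingActive()
                + ", result=" + evaluator.evaluate(credential, Set.of("https://other.example.net/idp")));
    }
}
```

Cases 5 and 6 are the ones to keep in mind when wiring this evaluator into a trust engine: an empty trusted-name set or a fully disabled evaluator does not fail the credential, it skips name checking. Whoever supplies the trusted names (metadata resolution, static configuration) must therefore guarantee a non-empty set whenever name matching is meant to be enforced.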

  • Field Details

    • log

      private final org.slf4j.Logger log
      Class logger.
    • checkSubjectAltNames

      private boolean checkSubjectAltNames
      Flag as to whether to perform name checking using credential's subject alt names.
    • checkSubjectDNCommonName

      private boolean checkSubjectDNCommonName
      Flag as to whether to perform name checking using credential's subject DN's common name (CN).
    • checkSubjectDN

      private boolean checkSubjectDN
      Flag as to whether to perform name checking using credential's subject DN.
    • subjectAltNameTypes

      private Set<Integer> subjectAltNameTypes
      The set of types of subject alternative names to process.
    • x500DNHandler

      private X500DNHandler x500DNHandler
      Responsible for parsing and serializing X.500 names to/from X500Principal instances.
  • Constructor Details

    • BasicX509CredentialNameEvaluator

      public BasicX509CredentialNameEvaluator()
      Constructor.
  • Method Details

    • isNameCheckingActive

      public boolean isNameCheckingActive()
      Gets whether any of the supported name type checking is currently enabled.
      Returns:
      true if any of the supported name type checking categories is currently enabled, false otherwise
    • getSubjectAltNameTypes

      @Nonnull @NonnullElements @NotLive @Unmodifiable public Set<Integer> getSubjectAltNameTypes()
      Get the set of types of subject alternative names to process. Name types are represented using the constant OID tag name values defined in X509Support.
      Returns:
      the immutable set of alt name identifiers
    • setSubjectAltNameTypes

      public void setSubjectAltNameTypes(@Nullable @NonnullElements Set<Integer> nameTypes)
      Set the set of types of subject alternative names to process. Name types are represented using the constant OID tag name values defined in X509Support.
      Parameters:
      nameTypes - the new set of alt name identifiers
    • checkSubjectAltNames

      public boolean checkSubjectAltNames()
      Gets whether to check the credential's entity certificate subject alt names against the trusted key name values.
      Returns:
      whether to check the credential's entity certificate subject alt names against the trusted key names
    • setCheckSubjectAltNames

      public void setCheckSubjectAltNames(boolean check)
      Sets whether to check the credential's entity certificate subject alt names against the trusted key name values.
      Parameters:
      check - whether to check the credential's entity certificate subject alt names against the trusted key names
    • checkSubjectDNCommonName

      public boolean checkSubjectDNCommonName()
      Gets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.
      Returns:
      whether to check the credential's entity certificate subject DN's CN against the trusted key names
    • setCheckSubjectDNCommonName

      public void setCheckSubjectDNCommonName(boolean check)
      Sets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.
      Parameters:
      check - whether to check the credential's entity certificate subject DN's CN against the trusted key names
    • checkSubjectDN

      public boolean checkSubjectDN()
      Gets whether to check the credential's entity certificate subject DN against the trusted key name values.
      Returns:
      whether to check the credential's entity certificate subject DN against the trusted key names
    • setCheckSubjectDN

      public void setCheckSubjectDN(boolean check)
      Sets whether to check the credential's entity certificate subject DN against the trusted key name values.
      Parameters:
      check - whether to check the credential's entity certificate subject DN against the trusted key names
    • getX500DNHandler

      @Nonnull public X500DNHandler getX500DNHandler()
Get the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
      Returns:
      returns the X500DNHandler instance
    • setX500DNHandler

      public void setX500DNHandler(@Nonnull X500DNHandler handler)
Set the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
      Parameters:
      handler - the new X500DNHandler instance
    • evaluate

      public boolean evaluate(@Nonnull X509Credential credential, @Nullable Set<String> trustedNames) throws SecurityException
      Evaluate the specified credential against the specified set of trusted names.

      The types of names supported, and the manner in which they are evaluated, is implementation-specific.

If the set of trusted names is null or empty, or if no supported name types are configured to be checked, then no name checking is performed and the evaluation is considered successful (it does not fail the credential).

      Specified by:
      evaluate in interface X509CredentialNameEvaluator
      Parameters:
      credential - the X.509 credential to evaluate
      trustedNames - trusted names against which the credential will be evaluated
      Returns:
      true if the name evaluation succeeds, false otherwise
      Throws:
      SecurityException - thrown if there is an error during name evaluation
    • processNameChecks

      protected boolean processNameChecks(@Nonnull X509Credential credential, @Nonnull Set<String> trustedNames)
      Process any name checks that are enabled.
      Parameters:
      credential - the credential for the entity to validate
      trustedNames - trusted names against which the credential will be evaluated
      Returns:
      true iff the name check succeeds
    • processSubjectDNCommonName

      protected boolean processSubjectDNCommonName(@Nonnull X509Certificate certificate, @Nonnull Set<String> trustedNames)
      Process name checking for a certificate subject DN's common name.
      Parameters:
      certificate - the certificate to process
      trustedNames - the set of trusted names
      Returns:
      true if the subject DN common name matches the set of trusted names, false otherwise
    • processSubjectDN

      protected boolean processSubjectDN(@Nonnull X509Certificate certificate, @Nonnull Set<String> trustedNames)
      Process name checking for the certificate subject DN.
      Parameters:
      certificate - the certificate to process
      trustedNames - the set of trusted names
      Returns:
      true if the subject DN matches the set of trusted names, false otherwise
    • processSubjectAltNames

      protected boolean processSubjectAltNames(@Nonnull X509Certificate certificate, @Nonnull Set<String> trustedNames)
      Process name checking for the subject alt names within the certificate.
      Parameters:
      certificate - the certificate to process
      trustedNames - the set of trusted names
      Returns:
      true if one of the subject alt names matches the set of trusted names, false otherwise