Class CertPathPKIXTrustEvaluator

java.lang.Object
org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator
All Implemented Interfaces:
PKIXTrustEvaluator

public class CertPathPKIXTrustEvaluator extends Object implements PKIXTrustEvaluator
An implementation of PKIXTrustEvaluator that is based on the Java CertPath API.
  • Field Details

    • log

      private final org.slf4j.Logger log
      Class logger.
    • x500DNHandler

      private X500DNHandler x500DNHandler
      Responsible for parsing and serializing X.500 names to/from X500Principal instances.
    • options

      private PKIXValidationOptions options
      Options influencing processing behavior.
  • Constructor Details

    • CertPathPKIXTrustEvaluator

      public CertPathPKIXTrustEvaluator()
      Constructor.
    • CertPathPKIXTrustEvaluator

      public CertPathPKIXTrustEvaluator(@Nonnull @ParameterName(name="newOptions") PKIXValidationOptions newOptions)
      Constructor.
      Parameters:
      newOptions - PKIX validation options
  • Method Details

    • getPKIXValidationOptions

      @Nonnull public PKIXValidationOptions getPKIXValidationOptions()
      Get the PKIXValidationOptions instance that is in use.
      Specified by:
      getPKIXValidationOptions in interface PKIXTrustEvaluator
      Returns:
      the PKIXValidationOptions instance
    • setPKIXValidationOptions

      public void setPKIXValidationOptions(@Nonnull PKIXValidationOptions newOptions)
      Set the desired PKIX validation options set.
      Parameters:
      newOptions - the new set of options
    • getX500DNHandler

      @Nonnull public X500DNHandler getX500DNHandler()
      Get the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
      Returns:
      the X500DNHandler instance
    • setX500DNHandler

      public void setX500DNHandler(@Nonnull X500DNHandler handler)
      Set the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.
      Parameters:
      handler - the new X500DNHandler instance
    • validate

      public boolean validate(@Nonnull PKIXValidationInformation validationInfo, @Nonnull X509Credential untrustedCredential) throws SecurityException
      Validate the specified credential against the specified set of trusted validation information.
      Specified by:
      validate in interface PKIXTrustEvaluator
      Parameters:
      validationInfo - the set of trusted validation information
      untrustedCredential - the credential being evaluated
      Returns:
      true if the credential can be successfully evaluated, false otherwise
      Throws:
      SecurityException - thrown if there is an error evaluating the credential
    • getPKIXBuilderParameters

      protected PKIXBuilderParameters getPKIXBuilderParameters(@Nonnull PKIXValidationInformation validationInfo, @Nonnull X509Credential untrustedCredential) throws GeneralSecurityException
      Creates the set of PKIX builder parameters to use when building the cert path builder.
      Parameters:
      validationInfo - PKIX validation information
      untrustedCredential - credential to be validated
      Returns:
      PKIX builder params
      Throws:
      GeneralSecurityException - thrown if the parameters cannot be created
    • storeContainsCRLs

      protected boolean storeContainsCRLs(@Nonnull CertStore certStore)
      Determine whether there are any CRLs in the CertStore that is to be used.
      Parameters:
      certStore - the cert store that will be used for validation
      Returns:
      true if and only if the store contains at least one CRL instance
    • getEffectiveVerificationDepth

      @Nonnull protected Integer getEffectiveVerificationDepth(@Nonnull PKIXValidationInformation validationInfo)
      Get the effective maximum path depth to use when constructing PKIX cert path builder parameters.
      Parameters:
      validationInfo - PKIX validation information
      Returns:
      the effective max verification depth to use
    • getTrustAnchors

      @Nullable protected Set<TrustAnchor> getTrustAnchors(@Nonnull PKIXValidationInformation validationInfo)
      Creates the collection of trust anchors to use during validation.
      Parameters:
      validationInfo - PKIX validation information
      Returns:
      trust anchors to use during validation
    • buildTrustAnchor

      @Nonnull protected TrustAnchor buildTrustAnchor(@Nonnull X509Certificate cert)
      Build a trust anchor from the given X509 certificate. This could for example be extended by subclasses to add custom name constraints, if desired.
      Parameters:
      cert - the certificate which serves as the trust anchor
      Returns:
      the newly constructed TrustAnchor
    • buildCertStore

      @Nonnull protected CertStore buildCertStore(@Nonnull PKIXValidationInformation validationInfo, @Nonnull X509Credential untrustedCredential) throws GeneralSecurityException
      Creates the certificate store that will be used during validation.
      Parameters:
      validationInfo - PKIX validation information
      untrustedCredential - credential to be validated
      Returns:
      certificate store used during validation
      Throws:
      GeneralSecurityException - thrown if the certificate store cannot be created from the cert and CRL material
    • addCRLsToStoreMaterial

      protected void addCRLsToStoreMaterial(@Nonnull List<Object> storeMaterial, @Nonnull Collection<X509CRL> crls, @Nonnull Date now)
      Add CRLs from the specified collection to the list of certs and CRLs being collected for the CertStore.
      Parameters:
      storeMaterial - list of certs and CRLs to be updated.
      crls - collection of CRLs to be processed
      now - current date/time
    • logCertPathDebug

      private void logCertPathDebug(@Nonnull PKIXCertPathBuilderResult buildResult, @Nonnull X509Certificate targetCert)
      Log information from the constructed cert path at level debug.
      Parameters:
      buildResult - the PKIX cert path builder result containing the cert path and trust anchor
      targetCert - the untrusted certificate that was being evaluated
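
The following is an added example, not code from OpenSAML, showing the JDK CertPath steps that the protected methods above correspond to (trust anchors from trusted certs, an in-memory CertStore holding the target cert, intermediates and CRLs, revocation checking enabled only when the store actually contains CRLs, and a maximum path depth). It assumes plain java.security.cert inputs rather than the OpenSAML PKIXValidationInformation and X509Credential wrappers, and it does not reproduce the PKIXValidationOptions handling; the class and method names below are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

// Added example (hypothetical class): mirrors the steps CertPathPKIXTrustEvaluator
// performs with the JDK CertPath API, using plain X509Certificate/X509CRL inputs.
public class PkixPathCheck {

    // Counterpart of getTrustAnchors + buildTrustAnchor: one anchor per trusted cert,
    // with no name constraints (a subclass of the evaluator could add them).
    static Set<TrustAnchor> trustAnchors(Collection<X509Certificate> trusted) {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate c : trusted) anchors.add(new TrustAnchor(c, null));
        return anchors;
    }

    // Counterpart of buildCertStore + addCRLsToStoreMaterial: collect the certs and
    // CRLs the builder may draw on into one in-memory CertStore.
    static CertStore certStore(Collection<X509Certificate> certs, Collection<X509CRL> crls)
            throws GeneralSecurityException {
        List<Object> material = new ArrayList<>(certs);
        material.addAll(crls);
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(material));
    }

    // Counterpart of storeContainsCRLs: a null selector returns every CRL in the store.
    static boolean storeContainsCRLs(CertStore store) throws GeneralSecurityException {
        return !store.getCRLs(null).isEmpty();
    }

    // Counterpart of getPKIXBuilderParameters + validate. The depth is passed straight to
    // setMaxPathLength here (assumption); the evaluator's own mapping may differ.
    static boolean validate(Collection<X509Certificate> trusted, Collection<X509CRL> crls,
                            X509Certificate target, Collection<X509Certificate> intermediates,
                            int maxDepth) throws GeneralSecurityException {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);                      // the path must end at this cert
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors(trusted), selector);
        List<X509Certificate> certs = new ArrayList<>(intermediates);
        certs.add(target);
        CertStore store = certStore(certs, crls);
        params.addCertStore(store);
        params.setRevocationEnabled(storeContainsCRLs(store)); // no CRLs -> no revocation check
        params.setMaxPathLength(maxDepth);
        try {
            CertPathBuilder.getInstance("PKIX").build(params); // throws if no trusted path exists
            return true;
        } catch (CertPathBuilderException e) {
            return false; // no path to an anchor, revoked cert, or path deeper than allowed
        }
    }
}
```

With no CRLs in the store, revocation checking is silently off, so a caller wanting revocation enforced must supply CRLs (or, in the real evaluator, set the corresponding PKIXValidationOptions).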