org.apache.ws.security.components.crypto.Merlin Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of wss4j Show documentation
Show all versions of wss4j Show documentation
The Apache WSS4J project provides a Java implementation of the primary security standards
for Web Services, namely the OASIS Web Services Security (WS-Security) specifications
from the OASIS Web Services Security TC.
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ws.security.components.crypto;
import org.apache.ws.security.WSSecurityException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.Vector;
/**
* JDK1.4 based implementation of Crypto (uses keystore).
*
* @author Davanum Srinivas ([email protected]).
*/
public class Merlin extends AbstractCrypto {
/**
* OID For the NameConstraints Extension to X.509
*
* http://java.sun.com/j2se/1.4.2/docs/api/
* http://www.ietf.org/rfc/rfc3280.txt (s. 4.2.1.11)
*/
public static final String NAME_CONSTRAINTS_OID = "2.5.29.30";
/**
* Constructor.
*
* @param properties
* @throws CredentialException
* @throws IOException
*/
public Merlin(Properties properties) throws CredentialException, IOException {
super(properties);
}
public Merlin(Properties properties, ClassLoader loader)
throws CredentialException, IOException {
super(properties, loader);
}
/**
* Construct an array of X509Certificate's from the byte array.
*
* @param data
* The byte array containing the X509 data
* @param reverse
* If set the first certificate in input data will the last in
* the array
* @return An array of X509 certificates, ordered according to the reverse
* flag
* @throws WSSecurityException
*/
public X509Certificate[] getX509Certificates(byte[] data, boolean reverse)
throws WSSecurityException {
InputStream in = new ByteArrayInputStream(data);
CertPath path = null;
try {
path = getCertificateFactory().generateCertPath(in);
} catch (CertificateException e) {
throw new WSSecurityException(
WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "parseError", null, e
);
}
List l = path.getCertificates();
X509Certificate[] certs = new X509Certificate[l.size()];
Iterator iterator = l.iterator();
for (int i = 0; i < l.size(); i++) {
certs[(reverse) ? (l.size() - 1 - i) : i] = (X509Certificate) iterator.next();
}
return certs;
}
/**
* get a byte array given an array of X509 certificates.
*
* @param reverse
* If set the first certificate in the array data will the last
* in the byte array
* @param certs
* The certificates to convert
* @return The byte array for the certificates ordered according to the
* reverse flag
* @throws WSSecurityException
*/
public byte[] getCertificateData(boolean reverse, X509Certificate[] certs)
throws WSSecurityException {
List list = new Vector();
for (int i = 0; i < certs.length; i++) {
if (reverse) {
list.add(0, certs[i]);
} else {
list.add(certs[i]);
}
}
try {
CertPath path = getCertificateFactory().generateCertPath(list);
return path.getEncoded();
} catch (CertificateEncodingException e) {
throw new WSSecurityException(
WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError", null, e
);
} catch (CertificateException e) {
throw new WSSecurityException(
WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "parseError", null, e
);
}
}
public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {
try {
// Generate cert path
java.util.List certList = java.util.Arrays.asList(certs);
CertPath path = this.getCertificateFactory().generateCertPath(certList);
java.util.Set set = new HashSet();
if (this.cacerts != null) {
Enumeration cacertsAliases = this.cacerts.aliases();
while (cacertsAliases.hasMoreElements()) {
String alias = (String) cacertsAliases.nextElement();
X509Certificate cert =
(X509Certificate) this.cacerts.getCertificate(alias);
TrustAnchor anchor =
new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
set.add(anchor);
}
}
// Add certificates from the keystore
Enumeration aliases = this.keystore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
X509Certificate cert =
(X509Certificate) this.keystore.getCertificate(alias);
TrustAnchor anchor =
new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
set.add(anchor);
}
PKIXParameters param = new PKIXParameters(set);
// Do not check a revocation list
param.setRevocationEnabled(false);
// Verify the trust path using the above settings
String provider =
properties.getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
CertPathValidator certPathValidator;
if (provider == null || provider.length() == 0) {
certPathValidator = CertPathValidator.getInstance("PKIX");
} else {
certPathValidator = CertPathValidator.getInstance("PKIX", provider);
}
certPathValidator.validate(path, param);
} catch (NoSuchProviderException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (NoSuchAlgorithmException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (CertificateException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (InvalidAlgorithmParameterException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (CertPathValidatorException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
} catch (KeyStoreException ex) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"certpath", new Object[] { ex.getMessage() },
(Throwable) ex);
}
return true;
}
}