org.wildfly.security.credential.Credential Maven / Gradle / Ivy
Go to download
This artifact provides a single jar that contains all classes required to use remote EJB and JMS, including
all dependencies. It is intended for use by those not using maven, maven users should just import the EJB and
JMS BOM's instead (shaded JAR's cause lots of problems with maven, as it is very easy to inadvertently end up
with different versions on classes on the class path).
/*
* JBoss, Home of Professional Open Source.
* Copyright 2015 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.wildfly.security.credential;
import static org.wildfly.security.provider.util.ProviderUtil.INSTALLED_PROVIDERS;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.function.Function;
import java.util.function.Supplier;
import org.wildfly.common.Assert;
import org.wildfly.security.evidence.AlgorithmEvidence;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.keystore.PasswordEntry;
import org.wildfly.security.x500.X500;
/**
* A credential is a piece of information that can be used to verify or produce evidence.
*/
public interface Credential extends Cloneable {
/**
* An array with no credentials.
*/
Credential[] NO_CREDENTIALS = new Credential[0];
/**
* Determine whether this credential can, generally speaking, verify the given evidence type.
*
* @param evidenceClass the evidence type (must not be {@code null})
* @param algorithmName the evidence algorithm name (may be {@code null} if the type of evidence does not support
* algorithm names)
*
* @return {@code true} if the evidence can be verified by this credential, {@code false} otherwise
*/
default boolean canVerify(Class extends Evidence> evidenceClass, String algorithmName) {
Assert.checkNotNullParam("evidenceClass", evidenceClass);
return false;
}
/**
* Determine whether this credential can verify the given evidence.
*
* @param evidence the evidence (must not be {@code null})
*
* @return {@code true} if the evidence can be verified by this credential, {@code false} otherwise
*/
default boolean canVerify(Evidence evidence) {
Assert.checkNotNullParam("evidence", evidence);
return canVerify(evidence.getClass(), evidence instanceof AlgorithmEvidence ? ((AlgorithmEvidence) evidence).getAlgorithm() : null);
}
/**
* Verify the given evidence.
*
* @param evidence the evidence to verify (must not be {@code null})
*
* @return {@code true} if the evidence is verified, {@code false} otherwise
* @deprecated use {@link #verify(Supplier, Evidence)} instead
*/
@Deprecated
default boolean verify(Evidence evidence) {
return verify(INSTALLED_PROVIDERS, evidence);
}
/**
* Verify the given evidence.
*
* @param providerSupplier the provider supplier to use for verification purposes
* @param evidence the evidence to verify (must not be {@code null})
*
* @return {@code true} if the evidence is verified, {@code false} otherwise
*/
default boolean verify(Supplier providerSupplier, Evidence evidence) {
Assert.checkNotNullParam("providerSupplier", providerSupplier);
Assert.checkNotNullParam("evidence", evidence);
return false;
}
/**
* Cast this credential type if the type, algorithm, and parameters match.
*
* @param credentialType the credential type class to check
* @param algorithmName the name of the algorithm or {@code null} if any algorithm is acceptable
* @param parameterSpec the parameter specification or {@code null} if any parameter specification is acceptable
* @param the credential type
* @return the credential cast as the target type, or {@code null} if the credential does not match the criteria
*/
default C castAs(Class credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) {
return castAndApply(credentialType, algorithmName, parameterSpec, Function.identity());
}
/**
* Cast this credential type if the type and algorithm matches.
*
* @param credentialType the credential type class to check
* @param algorithmName the name of the algorithm or {@code null} if any algorithm is acceptable
* @param the credential type
* @return the credential cast as the target type, or {@code null} if the credential does not match the criteria
*/
default C castAs(Class credentialType, String algorithmName) {
return castAndApply(credentialType, algorithmName, Function.identity());
}
/**
* Cast this credential type if the type matches.
*
* @param credentialType the credential type class to check
* @param the credential type
* @return the credential cast as the target type, or {@code null} if the credential does not match the criteria
*/
default C castAs(Class credentialType) {
return castAndApply(credentialType, Function.identity());
}
/**
* Cast this credential type and apply a function if the type matches.
*
* @param credentialType the credential type class to check
* @param algorithmName the name of the algorithm or {@code null} if any algorithm is acceptable
* @param parameterSpec the parameter specification or {@code null} if any parameter specification is acceptable
* @param function the function to apply
* @param the credential type
* @param the return type
* @return the result of the function, or {@code null} if the credential is not of the given type
*/
default R castAndApply(Class credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec, Function function) {
return matches(credentialType, algorithmName, parameterSpec) ? function.apply(credentialType.cast(this)) : null;
}
/**
* Cast this credential type and apply a function if the type matches.
*
* @param credentialType the credential type class to check
* @param algorithmName the name of the algorithm or {@code null} if any algorithm is acceptable
* @param function the function to apply
* @param the credential type
* @param the return type
* @return the result of the function, or {@code null} if the credential is not of the given type
*/
default R castAndApply(Class credentialType, String algorithmName, Function function) {
return matches(credentialType, algorithmName, null) ? function.apply(credentialType.cast(this)) : null;
}
/**
* Cast this credential type and apply a function if the type matches.
*
* @param credentialType the credential type class to check
* @param function the function to apply
* @param the credential type
* @param the return type
* @return the result of the function, or {@code null} if the credential is not of the given type
*/
default R castAndApply(Class credentialType, Function function) {
return credentialType.isInstance(this) ? function.apply(credentialType.cast(this)) : null;
}
/**
* Creates and returns a copy of this {@link Credential}.
*
* @return a copy of this {@link Credential}.
*/
Credential clone();
/**
* Determine if this credential is the same kind of credential as the given credential.
*
* @param other the other credential
* @return {@code true} if the credentials are of the same kind, {@code false} otherwise
*/
default boolean matches(Credential other) {
return other instanceof AlgorithmCredential ? matches((AlgorithmCredential) other) : other != null && getClass() == other.getClass();
}
/**
* Determine if this credential is the same kind of credential as the given credential.
*
* @param other the other credential
* @return {@code true} if the credentials are of the same kind, {@code false} otherwise
*/
default boolean matches(AlgorithmCredential other) {
return false;
}
/**
* Determine if this credential matches the given criteria.
*
* @param credentialType the credential type class to check
* @param algorithmName the name of the algorithm or {@code null} if any algorithm is acceptable
* @param parameterSpec the parameter specification or {@code null} if any parameter specification is acceptable
* @return {@code true} if the credential matches the specification, {@code false} otherwise
*/
default boolean matches(Class extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) {
return credentialType.isInstance(this) && algorithmName == null && parameterSpec == null;
}
/**
* Convert a key store entry into a credential object.
*
* @param keyStoreEntry the key store entry to convert (must not be {@code null})
* @return the corresponding credential, or {@code null} if the entry type is unrecognized
*/
static Credential fromKeyStoreEntry(KeyStore.Entry keyStoreEntry) {
Assert.checkNotNullParam("keyStoreEntry", keyStoreEntry);
if (keyStoreEntry instanceof PasswordEntry) {
return new PasswordCredential(((PasswordEntry) keyStoreEntry).getPassword());
} else if (keyStoreEntry instanceof KeyStore.PrivateKeyEntry) {
return new X509CertificateChainPrivateCredential(((KeyStore.PrivateKeyEntry) keyStoreEntry).getPrivateKey(), X500.asX509CertificateArray(((KeyStore.PrivateKeyEntry) keyStoreEntry).getCertificateChain()));
} else if (keyStoreEntry instanceof KeyStore.TrustedCertificateEntry) {
return new X509CertificateChainPublicCredential((X509Certificate) ((KeyStore.TrustedCertificateEntry) keyStoreEntry).getTrustedCertificate());
} else if (keyStoreEntry instanceof KeyStore.SecretKeyEntry) {
return new SecretKeyCredential(((KeyStore.SecretKeyEntry) keyStoreEntry).getSecretKey());
} else {
return null;
}
}
}