| Methods Summary |
|---|
| private java.security.cert.X509Certificate | getCertificateFromTrustStore(byte[] ski)
try {
Enumeration aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
Certificate cert = trustStore.getCertificate(alias);
if (cert == null || !"X.509".equals(cert.getType())) {
continue;
}
X509Certificate x509Cert = (X509Certificate) cert;
byte[] keyId = getSubjectKeyIdentifier(x509Cert);
if (keyId == null) {
// Cert does not contain a key identifier
continue;
}
if (Arrays.equals(ski, keyId)) {
return x509Cert;
}
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
return null;
|
| private java.security.cert.X509Certificate | getCertificateFromTrustStore(java.lang.String issuerName, java.math.BigInteger serialNumber)
try {
Enumeration aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
Certificate cert = trustStore.getCertificate(alias);
if (cert == null || !"X.509".equals(cert.getType())) {
continue;
}
X509Certificate x509Cert = (X509Certificate) cert;
String thisIssuerName =
RFC2253Parser.normalize(x509Cert.getIssuerDN().getName());
BigInteger thisSerialNumber = x509Cert.getSerialNumber();
if (thisIssuerName.equals(issuerName) &&
thisSerialNumber.equals(serialNumber)) {
return x509Cert;
}
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
return null;
|
| private java.security.cert.X509Certificate | getCertificateFromTrustStoreForThumbprint(byte[] ski)
try {
Enumeration aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
Certificate cert = trustStore.getCertificate(alias);
if (cert == null || !"X.509".equals(cert.getType())) {
continue;
}
X509Certificate x509Cert = (X509Certificate) cert;
byte[] keyId = getThumbprintIdentifier(x509Cert);
if (keyId == null) {
// Cert does not contain a key identifier
continue;
}
//System.out.println("Alias = " + alias + " ti=" + Base64.encode(keyId));
if (Arrays.equals(ski, keyId)) {
return x509Cert;
}
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
return null;
|
| private void | getDefaultCertificateFromTrustStore(EncryptionKeyCallback.AliasX509CertificateRequest req)
try {
Enumeration aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String currentAlias = (String) aliases.nextElement();
if (!"certificate-authority".equals(currentAlias)) {
X509Certificate thisCertificate = (X509Certificate)
trustStore.getCertificate(currentAlias);
req.setX509Certificate(thisCertificate);
return;
}
}
} catch (Exception e) {
throw new RuntimeException(e);
}
|
| private void | getDefaultPrivKeyCert(SignatureKeyCallback.DefaultPrivKeyCertRequest request)
String uniqueAlias = null;
try {
Enumeration aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
String currentAlias = (String) aliases.nextElement();
if (keyStore.isKeyEntry(currentAlias)) {
Certificate thisCertificate = keyStore.getCertificate(currentAlias);
if (thisCertificate != null) {
if (thisCertificate instanceof X509Certificate) {
if (uniqueAlias == null) {
uniqueAlias = currentAlias;
} else {
// Not unique!
uniqueAlias = null;
break;
}
}
}
}
}
if (uniqueAlias != null) {
request.setX509Certificate(
(X509Certificate) keyStore.getCertificate(uniqueAlias));
request.setPrivateKey(
(PrivateKey) keyStore.getKey(uniqueAlias, keyStorePassword.toCharArray()));
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
|
| private static java.util.Date | getFreshnessAndSkewAdjustedDate(long maxClockSkew, long timestampFreshnessLimit)
Calendar c = new GregorianCalendar();
long offset = c.get(Calendar.ZONE_OFFSET);
if (c.getTimeZone().inDaylightTime(c.getTime())) {
offset += c.getTimeZone().getDSTSavings();
}
long beforeTime = c.getTimeInMillis();
long currentTime = beforeTime - offset;
long adjustedTime = currentTime - maxClockSkew - timestampFreshnessLimit;
c.setTimeInMillis(adjustedTime);
return c.getTime();
|
| private static java.util.Date | getGMTDateWithSkewAdjusted(java.util.Calendar c, long maxClockSkew, boolean addSkew)
long offset = c.get(Calendar.ZONE_OFFSET);
if (c.getTimeZone().inDaylightTime(c.getTime())) {
offset += c.getTimeZone().getDSTSavings();
}
long beforeTime = c.getTimeInMillis();
long currentTime = beforeTime - offset;
if (addSkew)
currentTime = currentTime + maxClockSkew;
else
currentTime = currentTime - maxClockSkew;
c.setTimeInMillis(currentTime);
return c.getTime();
|
| public java.security.PrivateKey | getPrivateKey(java.security.cert.X509Certificate certificate)
try {
Enumeration aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
if (!keyStore.isKeyEntry(alias))
continue;
Certificate cert = keyStore.getCertificate(alias);
if (cert != null && cert.equals(certificate))
return (PrivateKey) keyStore.getKey(alias, keyStorePassword.toCharArray());
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
return null;
|
| public java.security.PrivateKey | getPrivateKey(byte[] ski)
try {
Enumeration aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
if (!keyStore.isKeyEntry(alias))
continue;
Certificate cert = keyStore.getCertificate(alias);
if (cert == null || !"X.509".equals(cert.getType())) {
continue;
}
X509Certificate x509Cert = (X509Certificate) cert;
byte[] keyId = getSubjectKeyIdentifier(x509Cert);
if (keyId == null) {
// Cert does not contain a key identifier
continue;
}
if (Arrays.equals(ski, keyId)) {
// Asuumed key password same as the keystore password
return (PrivateKey) keyStore.getKey(alias, keyStorePassword.toCharArray());
}
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
return null;
|
| public java.security.PrivateKey | getPrivateKey(java.lang.String issuerName, java.math.BigInteger serialNumber)
try {
Enumeration aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
if (!keyStore.isKeyEntry(alias))
continue;
Certificate cert = keyStore.getCertificate(alias);
if (cert == null || !"X.509".equals(cert.getType())) {
continue;
}
X509Certificate x509Cert = (X509Certificate) cert;
String thisIssuerName =
RFC2253Parser.normalize(x509Cert.getIssuerDN().getName());
BigInteger thisSerialNumber = x509Cert.getSerialNumber();
if (thisIssuerName.equals(issuerName) &&
thisSerialNumber.equals(serialNumber)) {
return (PrivateKey) keyStore.getKey(alias, keyStorePassword.toCharArray());
}
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
return null;
|
| public java.security.PrivateKey | getPrivateKeyForThumbprint(byte[] ski)
try {
Enumeration aliases = keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias = (String) aliases.nextElement();
if (!keyStore.isKeyEntry(alias))
continue;
Certificate cert = keyStore.getCertificate(alias);
if (cert == null || !"X.509".equals(cert.getType())) {
continue;
}
X509Certificate x509Cert = (X509Certificate) cert;
byte[] keyId = getThumbprintIdentifier(x509Cert);
if (keyId == null) {
// Cert does not contain a key identifier
continue;
}
if (Arrays.equals(ski, keyId)) {
// Asuumed key password same as the keystore password
return (PrivateKey) keyStore.getKey(alias, keyStorePassword.toCharArray());
}
}
} catch (Exception e) {
throw new IOException(e.getMessage());
}
return null;
|
| private static byte[] | getSubjectKeyIdentifier(java.security.cert.X509Certificate cert)
String SUBJECT_KEY_IDENTIFIER_OID = "2.5.29.14";
byte[] subjectKeyIdentifier =
cert.getExtensionValue(SUBJECT_KEY_IDENTIFIER_OID);
if (subjectKeyIdentifier == null)
return null;
try {
sun.security.x509.KeyIdentifier keyId = null;
sun.security.util.DerValue derVal = new sun.security.util.DerValue(
new sun.security.util.DerInputStream(subjectKeyIdentifier).getOctetString());
keyId = new sun.security.x509.KeyIdentifier(derVal.getOctetString());
return keyId.getIdentifier();
} catch (NoClassDefFoundError ncde) {
if (subjectKeyIdentifier == null)
return null;
byte[] dest = new byte[subjectKeyIdentifier.length - 4];
System.arraycopy(
subjectKeyIdentifier, 4, dest, 0, subjectKeyIdentifier.length - 4);
return dest;
} catch ( java.io.IOException ex) {
//ignore
return null;
}
|
| public static byte[] | getThumbprintIdentifier(java.security.cert.X509Certificate cert)
byte[] thumbPrintIdentifier = null;
try {
thumbPrintIdentifier = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
} catch ( NoSuchAlgorithmException ex ) {
throw new Exception("Digest algorithm SHA-1 not found");
} catch ( CertificateEncodingException ex) {
throw new Exception("Error while getting certificate's raw content");
}
return thumbPrintIdentifier;
|
| public void | handle(javax.security.auth.callback.Callback[] callbacks)
for (int i=0; i < callbacks.length; i++) {
if (callbacks[i] instanceof PasswordValidationCallback) {
PasswordValidationCallback cb = (PasswordValidationCallback) callbacks[i];
if (cb.getRequest() instanceof PasswordValidationCallback.PlainTextPasswordRequest) {
cb.setValidator(new PlainTextPasswordValidator());
} else if (cb.getRequest() instanceof PasswordValidationCallback.DigestPasswordRequest) {
PasswordValidationCallback.DigestPasswordRequest request =
(PasswordValidationCallback.DigestPasswordRequest) cb.getRequest();
String username = request.getUsername();
if ("Ron".equals(username)) {
request.setPassword("noR");
cb.setValidator(new PasswordValidationCallback.DigestPasswordValidator());
}
} else {
throw unsupported;
}
} else if (callbacks[i] instanceof TimestampValidationCallback) {
TimestampValidationCallback cb = (TimestampValidationCallback) callbacks[i];
cb.setValidator(new DefaultTimestampValidator());
} else if (callbacks[i] instanceof SignatureVerificationKeyCallback) {
SignatureVerificationKeyCallback cb = (SignatureVerificationKeyCallback)callbacks[i];
if (cb.getRequest() instanceof SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest) {
// subject keyid request
SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest request =
(SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest) cb.getRequest();
if (trustStore == null)
initTrustStore();
X509Certificate cert =
getCertificateFromTrustStore(
request.getSubjectKeyIdentifier());
request.setX509Certificate(cert);
} else if (cb.getRequest() instanceof SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest) {
// issuer serial request
SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest request =
(SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest) cb.getRequest();
if (trustStore == null)
initTrustStore();
X509Certificate cert =
getCertificateFromTrustStore(
request.getIssuerName(),
request.getSerialNumber());
request.setX509Certificate(cert);
} else if (cb.getRequest() instanceof SignatureVerificationKeyCallback.ThumbprintBasedRequest) {
SignatureVerificationKeyCallback.ThumbprintBasedRequest request =
(SignatureVerificationKeyCallback.ThumbprintBasedRequest) cb.getRequest();
if (trustStore == null)
initTrustStore();
X509Certificate cert =
getCertificateFromTrustStoreForThumbprint(
request.getThumbprintIdentifier());
request.setX509Certificate(cert);
} else {
throw unsupported;
}
} else if (callbacks[i] instanceof SignatureKeyCallback) {
SignatureKeyCallback cb = (SignatureKeyCallback)callbacks[i];
if (cb.getRequest() instanceof SignatureKeyCallback.DefaultPrivKeyCertRequest) {
// default priv key cert req
SignatureKeyCallback.DefaultPrivKeyCertRequest request =
(SignatureKeyCallback.DefaultPrivKeyCertRequest) cb.getRequest();
if (keyStore == null)
initKeyStore();
getDefaultPrivKeyCert(request);
} else if (cb.getRequest() instanceof SignatureKeyCallback.AliasPrivKeyCertRequest) {
SignatureKeyCallback.AliasPrivKeyCertRequest request =
(SignatureKeyCallback.AliasPrivKeyCertRequest) cb.getRequest();
String alias = request.getAlias();
if (keyStore == null)
initKeyStore();
try {
X509Certificate cert =
(X509Certificate) keyStore.getCertificate(alias);
request.setX509Certificate(cert);
// Assuming key passwords same as the keystore password
PrivateKey privKey =
(PrivateKey) keyStore.getKey(alias, keyStorePassword.toCharArray());
request.setPrivateKey(privKey);
} catch (Exception e) {
throw new IOException(e.getMessage());
}
} else {
throw unsupported;
}
} else if (callbacks[i] instanceof DecryptionKeyCallback) {
DecryptionKeyCallback cb = (DecryptionKeyCallback)callbacks[i];
if (cb.getRequest() instanceof DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest) {
DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest request =
(DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest) cb.getRequest();
byte[] ski = request.getSubjectKeyIdentifier();
if (keyStore == null)
initKeyStore();
PrivateKey privKey = getPrivateKey(ski);
request.setPrivateKey(privKey);
} else if (cb.getRequest() instanceof DecryptionKeyCallback.X509IssuerSerialBasedRequest) {
DecryptionKeyCallback.X509IssuerSerialBasedRequest request =
(DecryptionKeyCallback.X509IssuerSerialBasedRequest) cb.getRequest();
String issuerName = request.getIssuerName();
BigInteger serialNumber = request.getSerialNumber();
if (keyStore == null)
initKeyStore();
PrivateKey privKey = getPrivateKey(issuerName, serialNumber);
request.setPrivateKey(privKey);
} else if (cb.getRequest() instanceof DecryptionKeyCallback.X509CertificateBasedRequest) {
DecryptionKeyCallback.X509CertificateBasedRequest request =
(DecryptionKeyCallback.X509CertificateBasedRequest) cb.getRequest();
X509Certificate cert = request.getX509Certificate();
if (keyStore == null)
initKeyStore();
PrivateKey privKey = getPrivateKey(cert);
request.setPrivateKey(privKey);
} else if (cb.getRequest() instanceof DecryptionKeyCallback.AliasSymmetricKeyRequest) {
DecryptionKeyCallback.AliasSymmetricKeyRequest request =
(DecryptionKeyCallback.AliasSymmetricKeyRequest) cb.getRequest();
if (symmKeyStore == null)
initSymmKeyStore();
String alias = request.getAlias();
try {
// Assuming key password same as key store password
SecretKey symmKey =
(SecretKey) symmKeyStore.getKey(alias, symmKeyStorePassword.toCharArray());
request.setSymmetricKey(symmKey);
} catch (Exception e) {
throw new IOException(e.getMessage());
}
} else if (cb.getRequest() instanceof DecryptionKeyCallback.ThumbprintBasedRequest) {
DecryptionKeyCallback.ThumbprintBasedRequest request =
(DecryptionKeyCallback.ThumbprintBasedRequest) cb.getRequest();
byte[] ski = request.getThumbprintIdentifier();
if (keyStore == null)
initKeyStore();
PrivateKey privKey = getPrivateKeyForThumbprint(ski);
request.setPrivateKey(privKey);
} else {
throw unsupported;
}
} else if (callbacks[i] instanceof EncryptionKeyCallback) {
EncryptionKeyCallback cb = (EncryptionKeyCallback)callbacks[i];
if (cb.getRequest() instanceof EncryptionKeyCallback.AliasX509CertificateRequest) {
EncryptionKeyCallback.AliasX509CertificateRequest request =
(EncryptionKeyCallback.AliasX509CertificateRequest) cb.getRequest();
if (trustStore == null)
initTrustStore();
String alias = request.getAlias();
if ("".equals(alias) || (alias == null)) {
getDefaultCertificateFromTrustStore(request);
} else {
try {
X509Certificate cert =
(X509Certificate) trustStore.getCertificate(alias);
request.setX509Certificate(cert);
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
} else if (cb.getRequest() instanceof EncryptionKeyCallback.AliasSymmetricKeyRequest) {
EncryptionKeyCallback.AliasSymmetricKeyRequest request =
(EncryptionKeyCallback.AliasSymmetricKeyRequest) cb.getRequest();
if (symmKeyStore == null)
initSymmKeyStore();
String alias = request.getAlias();
try {
// Assuming key password same as key store password
SecretKey symmKey =
(SecretKey) symmKeyStore.getKey(alias, symmKeyStorePassword.toCharArray());
request.setSymmetricKey(symmKey);
} catch (Exception e) {
throw new IOException(e.getMessage());
}
} else {
throw unsupported;
}
} else if (callbacks[i] instanceof CertificateValidationCallback) {
CertificateValidationCallback cb = (CertificateValidationCallback)callbacks[i];
cb.setValidator(new X509CertificateValidatorImpl());
} else if (callbacks[i] instanceof DynamicPolicyCallback) {
DynamicPolicyCallback dp = (DynamicPolicyCallback)callbacks[i];
SecurityPolicy policy = dp.getSecurityPolicy();
// This simplistic callback will simply set a Dummy Assertion
// An actual implementation can locate the saml assertion and set it
if (policy instanceof AuthenticationTokenPolicy.SAMLAssertionBinding) {
AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding =
(AuthenticationTokenPolicy.SAMLAssertionBinding)
((AuthenticationTokenPolicy.SAMLAssertionBinding)policy).clone();
if ((samlBinding.getAssertion() == null) && (samlBinding.getAuthorityBinding() == null)) {
//populateAssertion(samlBinding, dp);
} else if (samlBinding.getAssertion() != null) {
//validateSAMLAssertion(samlBinding);
} else if ((samlBinding.getAuthorityBinding() != null) && (samlBinding.getAssertionId() != null)) {
//locateSAMLAssertion(samlBinding);
} else {
throw new UnsupportedCallbackException(null, "Missing information from SAML Policy");
}
} else {
throw unsupported;
}
} else {
throw unsupported;
}
}
|
| private void | initKeyStore()
try {
keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(new FileInputStream(keyStoreURL), keyStorePassword.toCharArray());
} catch (Exception e) {
throw new IOException(e.getMessage());
}
|
| private void | initSymmKeyStore()
try {
symmKeyStore = KeyStore.getInstance(symmKeyStoreType);
symmKeyStore.load(new FileInputStream(symmKeyStoreURL), symmKeyStorePassword.toCharArray());
} catch (Exception e) {
throw new IOException(e.getMessage());
}
|
| private void | initTrustStore()
try {
trustStore = KeyStore.getInstance(trustStoreType);
trustStore.load(new FileInputStream(trustStoreURL), trustStorePassword.toCharArray());
} catch (Exception e) {
throw new IOException(e.getMessage());
}
|
| public void | validateCreationTime(java.util.Date created, long maxClockSkew, long timestampFreshnessLimit)
//System.out.println("Validate Creation time called");
Date current = getFreshnessAndSkewAdjustedDate(maxClockSkew, timestampFreshnessLimit);
if (created.before(current)) {
throw new TimestampValidationCallback.TimestampValidationException(
"The creation time is older than " +
" currenttime - timestamp-freshness-limit - max-clock-skew");
}
Date currentTime =
getGMTDateWithSkewAdjusted(new GregorianCalendar(), maxClockSkew, true);
if (currentTime.before(created)) {
throw new TimestampValidationCallback.TimestampValidationException(
"The creation time is ahead of the current time.");
}
|
| public void | validateExpirationTime(java.util.Date expires, long maxClockSkew, long timestampFreshnessLimit)
//System.out.println("Validate Expiration time called");
Date currentTime =
getGMTDateWithSkewAdjusted(new GregorianCalendar(), maxClockSkew, false);
if (expires.before(currentTime)) {
throw new TimestampValidationCallback.TimestampValidationException(
"The current time is ahead of the expiration time in Timestamp");
}
|
