org.apache.ws.security.validate
Class SignatureTrustValidator

java.lang.Object
  extended by org.apache.ws.security.validate.SignatureTrustValidator
All Implemented Interfaces:
Validator
Direct Known Subclasses:
SamlAssertionValidator

public class SignatureTrustValidator
extends Object
implements Validator

This class verifies trust in a credential used to verify a signature, which is extracted from the Credential passed to the validate method.


Constructor Summary
SignatureTrustValidator()
           
 
Method Summary
protected  Crypto getCrypto(RequestData data)
           
protected  boolean isCertificateInKeyStore(Crypto crypto, X509Certificate cert)
          Check to see if the certificate argument is in the keystore.
 Credential validate(Credential credential, RequestData data)
          Validate the credential argument.
protected  void validateCertificates(X509Certificate[] certificates)
          Validate the certificates by checking the validity of each cert.
protected  boolean validatePublicKey(PublicKey publicKey, Crypto crypto)
          Validate a public key.
protected  boolean verifyTrustInCert(X509Certificate cert, Crypto crypto)
          Deprecated. 
protected  boolean verifyTrustInCert(X509Certificate cert, Crypto crypto, boolean enableRevocation)
          Evaluate whether a given certificate should be trusted.
protected  boolean verifyTrustInCerts(X509Certificate[] certificates, Crypto crypto)
          Deprecated. 
protected  boolean verifyTrustInCerts(X509Certificate[] certificates, Crypto crypto, boolean enableRevocation)
          Evaluate whether the given certificate chain should be trusted.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SignatureTrustValidator

public SignatureTrustValidator()
Method Detail

validate

public Credential validate(Credential credential,
                           RequestData data)
                    throws WSSecurityException
Validate the credential argument. It must contain a non-null X509Certificate chain or a PublicKey. A Crypto implementation is also required to be set. This implementation first attempts to verify trust on the certificate (chain). If this is not successful, then it will attempt to verify trust on the Public Key.

Specified by:
validate in interface Validator
Parameters:
credential - the Credential to be validated
data - the RequestData associated with the request
Returns:
a validated Credential
Throws:
WSSecurityException - on a failed validation

getCrypto

protected Crypto getCrypto(RequestData data)

validateCertificates

protected void validateCertificates(X509Certificate[] certificates)
                             throws WSSecurityException
Validate the certificates by checking the validity of each cert.

Throws:
WSSecurityException

verifyTrustInCert

@Deprecated
protected boolean verifyTrustInCert(X509Certificate cert,
                                               Crypto crypto)
                             throws WSSecurityException
Deprecated. 

Evaluate whether a given certificate should be trusted. Policy used in this implementation:
1. Search the keystore for the transmitted certificate.
2. Search the keystore for a connection to the transmitted certificate (that is, search for the certificate(s) of the issuer of the transmitted certificate).
3. Verify the trust path for the certificates found, because the search for the issuer might be fooled by a phony DN (String!).

Parameters:
cert - the certificate that should be validated against the keystore
crypto - A crypto instance to use for trust validation
Returns:
true if the certificate is trusted, false if not
Throws:
WSSecurityException

verifyTrustInCert

protected boolean verifyTrustInCert(X509Certificate cert,
                                    Crypto crypto,
                                    boolean enableRevocation)
                             throws WSSecurityException
Evaluate whether a given certificate should be trusted. Policy used in this implementation:
1. Search the keystore for the transmitted certificate.
2. Search the keystore for a connection to the transmitted certificate (that is, search for the certificate(s) of the issuer of the transmitted certificate).
3. Verify the trust path for the certificates found, because the search for the issuer might be fooled by a phony DN (String!).

Parameters:
cert - the certificate that should be validated against the keystore
crypto - A crypto instance to use for trust validation
enableRevocation - Whether revocation is enabled or not
Returns:
true if the certificate is trusted, false if not
Throws:
WSSecurityException
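The three-step policy above, written out against the JDK's KeyStore and PKIX APIs as an added illustration; this is not WSS4J's own implementation, and the class name TrustPolicyExample, the use of a raw KeyStore instead of a Crypto instance, and the assumption that the transmitted chain is ordered leaf first and omits the trust anchor are mine. It shows why step 3 is required: step 2 only compares DN strings, while PKIX validation checks the issuer's signature.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Added illustration of the three-step trust policy; not WSS4J's own implementation. */
public final class TrustPolicyExample {
    /** Step 1: is the transmitted certificate itself an entry in the keystore? */
    static boolean isCertificateInKeyStore(KeyStore ks, X509Certificate cert) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (cert.equals(ks.getCertificate(e.nextElement()))) {
                return true;
            }
        }
        return false;
    }

    /** Step 2: keystore certificates whose subject DN equals cert's issuer DN (a string match only). */
    static Set<TrustAnchor> findIssuerCandidates(KeyStore ks, X509Certificate cert) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }
    /** Step 3: a DN match alone proves nothing, so PKIX path validation (issuer signature, validity,
     *  optional revocation) must also succeed. chain is ordered leaf first and excludes the anchor. */
    static boolean verifyTrustInCert(KeyStore ks, X509Certificate[] chain, boolean enableRevocation) throws Exception {
        if (chain.length == 1 && isCertificateInKeyStore(ks, chain[0])) {
            return true;                                   // step 1: directly trusted
        }
        Set<TrustAnchor> anchors = findIssuerCandidates(ks, chain[chain.length - 1]);
        if (anchors.isEmpty()) {
            return false;                                  // step 2: no candidate issuer in the keystore
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(enableRevocation);     // CRL/OCSP checks only when requested
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;                                   // step 3: signature-backed trust path
        } catch (CertPathValidatorException e) {
            return false;
        }
    }
}
```

With enableRevocation set to true the JDK validator needs a CRL source (a CertStore added to the parameters) or OCSP enabled, otherwise path validation fails closed.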

isCertificateInKeyStore

protected boolean isCertificateInKeyStore(Crypto crypto,
                                          X509Certificate cert)
                                   throws WSSecurityException
Check to see if the certificate argument is in the keystore.

Parameters:
crypto - A Crypto instance to use for trust validation
cert - The certificate to check
Returns:
true if cert is in the keystore
Throws:
WSSecurityException

verifyTrustInCerts

@Deprecated
protected boolean verifyTrustInCerts(X509Certificate[] certificates,
                                                Crypto crypto)
                              throws WSSecurityException
Deprecated. 

Evaluate whether the given certificate chain should be trusted.

Parameters:
certificates - the certificate chain that should be validated against the keystore
crypto - A Crypto instance to use for trust validation
Returns:
true if the certificate chain is trusted, false if not
Throws:
WSSecurityException

verifyTrustInCerts

protected boolean verifyTrustInCerts(X509Certificate[] certificates,
                                     Crypto crypto,
                                     boolean enableRevocation)
                              throws WSSecurityException
Evaluate whether the given certificate chain should be trusted.

Parameters:
certificates - the certificate chain that should be validated against the keystore
crypto - A Crypto instance to use for trust validation
enableRevocation - Whether revocation is enabled or not
Returns:
true if the certificate chain is trusted, false if not
Throws:
WSSecurityException

validatePublicKey

protected boolean validatePublicKey(PublicKey publicKey,
                                    Crypto crypto)
                             throws WSSecurityException
Validate a public key.

Throws:
WSSecurityException


Copyright © 2004-2013 The Apache Software Foundation. All Rights Reserved.