org.opensaml.xml.security.x509
Class BasicX509CredentialNameEvaluator

java.lang.Object
  extended by org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator
All Implemented Interfaces:
X509CredentialNameEvaluator

public class BasicX509CredentialNameEvaluator
extends Object
implements X509CredentialNameEvaluator

A basic implementation of X509CredentialNameEvaluator which evaluates various identifiers extracted from an X509Credential's entity certificate against a set of trusted names.

Supported types of entity certificate-derived names for name checking purposes are:

  1. Subject alternative names.
  2. The first (i.e. most specific) common name (CN) from the subject distinguished name.
  3. The complete subject distinguished name.

Name checking is enabled by default for all of the supported name types. The types of subject alternative names to process are specified by using the appropriate constant values defined in X509Util. By default the following types of subject alternative names are checked: DNS (X509Util.DNS_ALT_NAME) and URI (X509Util.URI_ALT_NAME).

The subject distinguished name from the entity certificate is compared to the trusted key names for complete DN matching purposes by parsing each trusted key name into an X500Principal as returned by the configured instance of X500DNHandler. The resulting distinguished name is then compared with the certificate subject using X500Principal.equals(Object). The default X500DNHandler used is InternalX500DNHandler.
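An added usage example (not OpenSAML's own code) that wires together the three name checks described above: it keeps the subject alt name and complete subject DN checks, drops the bare CN check, restricts alt name types to DNS, and refuses an empty trusted set because evaluate() treats that as success. The certificate path and trusted names are placeholders, and BasicX509Credential is assumed to be the xmltooling implementation of X509Credential.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator;
import org.opensaml.xml.security.x509.X509Util;

/** Added example, not OpenSAML code. Certificate path and trusted names are placeholders. */
public class NameEvaluatorExample {
    /** Evaluator that accepts a DNS alt name or an exact subject DN, but not a bare CN. */
    static BasicX509CredentialNameEvaluator buildEvaluator() {
        BasicX509CredentialNameEvaluator evaluator = new BasicX509CredentialNameEvaluator();
        // The first CN is the loosest of the three identifiers; with a DNS name or
        // a complete DN in the trusted set it adds nothing, so it is switched off.
        evaluator.setCheckSubjectDNCommonName(false);
        // The default alt-name types are DNS and URI; keep only DNS here.
        Set<Integer> altNameTypes = evaluator.getSubjectAltNameTypes(); // modifiable set
        altNameTypes.clear();
        altNameTypes.add(X509Util.DNS_ALT_NAME);
        return evaluator;
    }

    static X509Certificate loadCertificate(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** evaluate() treats a null or empty trusted set as success, so reject that case explicitly. */
    static boolean isTrusted(X509Certificate cert, Set<String> trustedNames) throws SecurityException {
        if (trustedNames == null || trustedNames.isEmpty()) {
            throw new IllegalArgumentException("trusted name set must not be empty");
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(cert);
        return buildEvaluator().evaluate(credential, trustedNames);
    }

    public static void main(String[] args) throws Exception {
        Set<String> trustedNames = new HashSet<String>(); // constructed placeholder values
        trustedNames.add("idp.example.org");                      // matched against DNS alt names
        trustedNames.add("CN=idp.example.org, O=Example, C=US"); // parsed into an X500Principal for full-DN match
        System.out.println("trusted: " + isTrusted(loadCertificate(args[0]), trustedNames));
    }
}
```

The DN-form trusted name must parse through the configured X500DNHandler into an X500Principal; a string that is not a valid DN will not match the complete subject DN check.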


Constructor Summary
BasicX509CredentialNameEvaluator()
          Constructor.
 
Method Summary
 boolean checkSubjectAltNames()
          Gets whether to check the credential's entity certificate subject alt names against the trusted key name values.
 boolean checkSubjectDN()
          Gets whether to check the credential's entity certificate subject DN against the trusted key name values.
 boolean checkSubjectDNCommonName()
          Gets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.
 boolean evaluate(X509Credential credential, Set<String> trustedNames)
          Evaluate the specified credential against the specified set of trusted names.
 Set<Integer> getSubjectAltNameTypes()
          The set of types of subject alternative names to process.
 X500DNHandler getX500DNHandler()
          Get the handler which processes X.500 distinguished names.
 boolean isNameCheckingActive()
          Gets whether any of the supported name type checking is currently enabled.
protected  boolean processNameChecks(X509Credential credential, Set<String> trustedNames)
          Process any name checks that are enabled.
protected  boolean processSubjectAltNames(X509Certificate certificate, Set<String> trustedNames)
          Process name checking for the subject alt names within the certificate.
protected  boolean processSubjectDN(X509Certificate certificate, Set<String> trustedNames)
          Process name checking for the certificate subject DN.
protected  boolean processSubjectDNCommonName(X509Certificate certificate, Set<String> trustedNames)
          Process name checking for a certificate subject DN's common name.
 void setCheckSubjectAltNames(boolean check)
          Sets whether to check the credential's entity certificate subject alt names against the trusted key name values.
 void setCheckSubjectDN(boolean check)
          Sets whether to check the credential's entity certificate subject DN against the trusted key name values.
 void setCheckSubjectDNCommonName(boolean check)
          Sets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.
 void setX500DNHandler(X500DNHandler handler)
          Set the handler which processes X.500 distinguished names.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

BasicX509CredentialNameEvaluator

public BasicX509CredentialNameEvaluator()
Constructor.

Method Detail

isNameCheckingActive

public boolean isNameCheckingActive()
Gets whether any of the supported name type checking is currently enabled.

Returns:
true if any of the supported name type checking categories is currently enabled, false otherwise

getSubjectAltNameTypes

public Set<Integer> getSubjectAltNameTypes()
The set of types of subject alternative names to process. Name types are represented using the constant OID tag name values defined in X509Util.

Returns:
the modifiable set of alt name identifiers

checkSubjectAltNames

public boolean checkSubjectAltNames()
Gets whether to check the credential's entity certificate subject alt names against the trusted key name values.

Returns:
whether to check the credential's entity certificate subject alt names against the trusted key names

setCheckSubjectAltNames

public void setCheckSubjectAltNames(boolean check)
Sets whether to check the credential's entity certificate subject alt names against the trusted key name values.

Parameters:
check - whether to check the credential's entity certificate subject alt names against the trusted key names

checkSubjectDNCommonName

public boolean checkSubjectDNCommonName()
Gets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.

Returns:
whether to check the credential's entity certificate subject DN's CN against the trusted key names

setCheckSubjectDNCommonName

public void setCheckSubjectDNCommonName(boolean check)
Sets whether to check the credential's entity certificate subject DN's common name (CN) against the trusted key name values.

Parameters:
check - whether to check the credential's entity certificate subject DN's CN against the trusted key names

checkSubjectDN

public boolean checkSubjectDN()
Gets whether to check the credential's entity certificate subject DN against the trusted key name values.

Returns:
whether to check the credential's entity certificate subject DN against the trusted key names

setCheckSubjectDN

public void setCheckSubjectDN(boolean check)
Sets whether to check the credential's entity certificate subject DN against the trusted key name values.

Parameters:
check - whether to check the credential's entity certificate subject DN against the trusted key names

getX500DNHandler

public X500DNHandler getX500DNHandler()
Get the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.

Returns:
the X500DNHandler instance

setX500DNHandler

public void setX500DNHandler(X500DNHandler handler)
Set the handler which processes X.500 distinguished names. Defaults to InternalX500DNHandler.

Parameters:
handler - the new X500DNHandler instance

evaluate

public boolean evaluate(X509Credential credential,
                        Set<String> trustedNames)
                 throws SecurityException
Evaluate the specified credential against the specified set of trusted names.

The types of names supported, and the manner in which they are evaluated, is implementation-specific.

If the set of trusted names is null or empty, or if no supported name types are configured to be checked, then the evaluation is considered successful.

Specified by:
evaluate in interface X509CredentialNameEvaluator
Parameters:
credential - the X.509 credential to evaluate
trustedNames - trusted names against which the credential will be evaluated
Returns:
true if the name evaluation succeeds, false otherwise
Throws:
SecurityException - thrown if there is an error during name evaluation

processNameChecks

protected boolean processNameChecks(X509Credential credential,
                                    Set<String> trustedNames)
Process any name checks that are enabled.

Parameters:
credential - the credential for the entity to validate
trustedNames - trusted names against which the credential will be evaluated
Returns:
true if the name check succeeds, false otherwise

processSubjectDNCommonName

protected boolean processSubjectDNCommonName(X509Certificate certificate,
                                             Set<String> trustedNames)
Process name checking for a certificate subject DN's common name.

Parameters:
certificate - the certificate to process
trustedNames - the set of trusted names
Returns:
true if the subject DN common name matches the set of trusted names, false otherwise

processSubjectDN

protected boolean processSubjectDN(X509Certificate certificate,
                                   Set<String> trustedNames)
Process name checking for the certificate subject DN.

Parameters:
certificate - the certificate to process
trustedNames - the set of trusted names
Returns:
true if the subject DN matches the set of trusted names, false otherwise

processSubjectAltNames

protected boolean processSubjectAltNames(X509Certificate certificate,
                                         Set<String> trustedNames)
Process name checking for the subject alt names within the certificate.

Parameters:
certificate - the certificate to process
trustedNames - the set of trusted names
Returns:
true if one of the subject alt names matches the set of trusted names, false otherwise


Copyright © 2006-2011 Internet2. All Rights Reserved.