Class KeyStoreCrypto

java.lang.Object
org.apache.wss4j.common.crypto.CryptoBase
org.frankframework.soap.KeyStoreCrypto
All Implemented Interfaces:
org.apache.wss4j.common.crypto.Crypto

public class KeyStoreCrypto extends org.apache.wss4j.common.crypto.CryptoBase
A WSS4J Crypto implementation based on a Java KeyStore.
WSS4J does not come with a way to use an existing Java KeyStore directly. There is a property-based WSS4J Merlin implementation, but that does not suit the configuration-based approach used in the Frank!Framework. This class lets the keystore element be used to provide a certificate. NOTE: when no TrustStore is provided, the JVM default (CACERTS) is used. The KeyStore is used for signing and encrypting SOAP messages; the TrustStore is used to validate the CA chains. The default should suffice, but it is configurable for those who have their own Certificate Authority.
Author:
Niels Meijer
  • Field Details

    • keystore

      protected KeyStore keystore
    • truststore

      protected KeyStore truststore
  • Constructor Details

    • KeyStoreCrypto

      public KeyStoreCrypto(KeyStore keystore)
    • KeyStoreCrypto

      public KeyStoreCrypto(KeyStore keystore, KeyStore truststore)
  • Method Details

    • getCertificateFactory

      public CertificateFactory getCertificateFactory() throws org.apache.wss4j.common.ext.WSSecurityException
      Singleton certificate factory for this Crypto instance.

      Specified by:
      getCertificateFactory in interface org.apache.wss4j.common.crypto.Crypto
      Overrides:
      getCertificateFactory in class org.apache.wss4j.common.crypto.CryptoBase
      Returns:
      a CertificateFactory to construct X509 certificates
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
    • getDefaultX509Identifier

      public String getDefaultX509Identifier() throws org.apache.wss4j.common.ext.WSSecurityException
      Retrieves the identifier name of the default certificate. This should be the certificate that is used for signature and encryption. This identifier corresponds to the certificate that should be used whenever KeyInfo is not present in a signed or an encrypted message. May return null. The identifier is implementation specific, e.g. it could be the KeyStore alias.
      Specified by:
      getDefaultX509Identifier in interface org.apache.wss4j.common.crypto.Crypto
      Overrides:
      getDefaultX509Identifier in class org.apache.wss4j.common.crypto.CryptoBase
      Returns:
      name of the default X509 certificate.
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
    • getX509Certificates

      public X509Certificate[] getX509Certificates(org.apache.wss4j.common.crypto.CryptoType cryptoType) throws org.apache.wss4j.common.ext.WSSecurityException
      Get an X509Certificate (chain) corresponding to the CryptoType argument. The supported types are as follows:
      TYPE.ISSUER_SERIAL - A certificate (chain) is located by the issuer name and serial number
      TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 thumbprint of the (root) cert
      TYPE.SKI_BYTES - A certificate (chain) is located by the SKI bytes of the (root) cert
      TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of the (root) cert
      TYPE.ALIAS - A certificate (chain) is located by an alias, which for this implementation means an alias of the keystore or truststore.
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
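The following is an added usage example, not code from the Frank!Framework or WSS4J. It constructs a KeyStoreCrypto with both constructors' inputs and exercises the lookups documented above: the default identifier, a chain lookup by TYPE.ALIAS, TYPE.ISSUER_SERIAL and TYPE.SUBJECT_DN, the reverse certificate-to-alias mapping, and the private key retrieval. The keystore and truststore paths, their passwords and the assumption that the key entry password equals the store password are all placeholders; CryptoType and its setter methods come from WSS4J's org.apache.wss4j.common.crypto package.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.apache.wss4j.common.crypto.CryptoType;
import org.frankframework.soap.KeyStoreCrypto;

public class KeyStoreCryptoLookupExample {

    // Assumed locations and passwords (placeholders, not Frank!Framework defaults).
    private static final Path KEYSTORE_PATH = Path.of("/path/to/signing-keystore.p12");
    private static final Path TRUSTSTORE_PATH = Path.of("/path/to/truststore.jks");
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Loads a KeyStore from disk with the plain JDK API. */
    static KeyStore loadKeyStore(Path path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keystore = loadKeyStore(KEYSTORE_PATH, "PKCS12", KEYSTORE_PASSWORD);
        KeyStore truststore = loadKeyStore(TRUSTSTORE_PATH, "JKS", TRUSTSTORE_PASSWORD);

        // Two-argument constructor: our own trust anchors. The one-argument form
        // KeyStoreCrypto(keystore) falls back to the JVM's cacerts, as documented above.
        KeyStoreCrypto crypto = new KeyStoreCrypto(keystore, truststore);

        // The default identifier is the alias WSS4J uses when a message carries no KeyInfo.
        String defaultAlias = crypto.getDefaultX509Identifier();
        if (defaultAlias == null) {
            throw new IllegalStateException("keystore has no default certificate to sign with");
        }

        // TYPE.ALIAS: look the chain up by keystore/truststore alias.
        CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
        byAlias.setAlias(defaultAlias);
        X509Certificate[] chain = crypto.getX509Certificates(byAlias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate under alias " + defaultAlias);
        }
        X509Certificate leaf = chain[0];

        // TYPE.ISSUER_SERIAL: the form a received Signature's KeyInfo commonly uses to name the signer.
        CryptoType byIssuerSerial = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
        byIssuerSerial.setIssuerSerial(leaf.getIssuerX500Principal().getName(), leaf.getSerialNumber());
        X509Certificate[] viaIssuerSerial = crypto.getX509Certificates(byIssuerSerial);

        // TYPE.SUBJECT_DN: lookup by the certificate's subject name.
        // (TYPE.SKI_BYTES and TYPE.THUMBPRINT_SHA1 take raw bytes via setBytes instead.)
        CryptoType bySubject = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
        bySubject.setSubjectDN(leaf.getSubjectX500Principal().getName());
        X509Certificate[] viaSubject = crypto.getX509Certificates(bySubject);

        // Reverse mapping (certificate -> alias), then the private key used for signing
        // or decrypting. Assumption: the key entry password equals the store password.
        String alias = crypto.getX509Identifier(leaf);
        PrivateKey signingKey = crypto.getPrivateKey(alias, new String(KEYSTORE_PASSWORD));

        System.out.println("signer alias: " + alias + ", chain length: " + chain.length
                + ", key algorithm: " + signingKey.getAlgorithm());
        System.out.println("issuer/serial lookup hit: " + (viaIssuerSerial != null)
                + ", subject DN lookup hit: " + (viaSubject != null));
    }
}
```

Both lookups by ISSUER_SERIAL and SUBJECT_DN are how an incoming message's KeyInfo typically references a signer, so they resolve against the truststore as well as the keystore; a null result means the referenced certificate is unknown to either store and the message should be rejected rather than processed.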
    • getX509Identifier

      public String getX509Identifier(X509Certificate cert) throws org.apache.wss4j.common.ext.WSSecurityException
      Get the implementation-specific identifier corresponding to the cert parameter. In this case, the identifier corresponds to a KeyStore alias.
      Parameters:
      cert - The X509Certificate for which to search for an identifier
      Returns:
      the identifier corresponding to the cert parameter
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
    • getPrivateKey

      public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler) throws org.apache.wss4j.common.ext.WSSecurityException
      Gets the private key corresponding to the certificate.
      Parameters:
      certificate - The X509Certificate corresponding to the private key
      callbackHandler - The callbackHandler needed to get the password
      Returns:
      The private key
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
    • getPrivateKey

      public PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler) throws org.apache.wss4j.common.ext.WSSecurityException
      Gets the private key corresponding to the given PublicKey.
      Parameters:
      publicKey - The PublicKey corresponding to the private key
      callbackHandler - The callbackHandler needed to get the password
      Returns:
      The private key
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
    • getPrivateKey

      public PrivateKey getPrivateKey(String identifier, String password) throws org.apache.wss4j.common.ext.WSSecurityException
      Gets the private key corresponding to the identifier.
      Parameters:
      identifier - The implementation-specific identifier corresponding to the key
      password - The password needed to get the key
      Returns:
      The private key
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
    • verifyTrust

      public void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints) throws org.apache.wss4j.common.ext.WSSecurityException
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException
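An added example (not Frank!Framework or WSS4J code) showing how a consumer would use the two verifyTrust overloads above to decide whether to accept a signer: the four-argument form builds a PKIX path against the truststore's anchors, optionally checks revocation, and applies subject and issuer DN constraints; the single-argument form covers messages that carry only a public key. The keystore and truststore paths and passwords, the peer chain file, and the two DN patterns are placeholders; the CRLDP and OCSP properties are JDK (Sun provider) settings, not something KeyStoreCrypto sets for you.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.frankframework.soap.KeyStoreCrypto;

public class KeyStoreCryptoTrustExample {

    // Assumed DN constraints (placeholders): only accept leaf certificates issued by our own
    // issuing CA to subjects in our organisation. WSS4J matches these against the X.500 name
    // of the certificate, so anchor them on the attributes you actually rely on.
    private static final List<Pattern> SUBJECT_CONSTRAINTS = List.of(Pattern.compile(".*O=Example Org.*"));
    private static final List<Pattern> ISSUER_CONSTRAINTS = List.of(Pattern.compile("CN=Example Issuing CA.*"));

    /** Parses a PEM bundle (leaf first) with the factory the Crypto instance exposes. */
    static X509Certificate[] readPemChain(KeyStoreCrypto crypto, Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            Collection<? extends Certificate> certs = crypto.getCertificateFactory().generateCertificates(in);
            return certs.stream().map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
        }
    }

    /**
     * Full chain validation: path building against the truststore anchors, optional revocation
     * checking, and DN constraints. Any failure surfaces as a WSSecurityException, which is
     * turned into a reject decision rather than propagated.
     */
    static boolean isTrustedChain(KeyStoreCrypto crypto, X509Certificate[] chain, boolean checkRevocation) {
        if (chain == null || chain.length == 0) {
            return false;
        }
        try {
            crypto.verifyTrust(chain, checkRevocation, SUBJECT_CONSTRAINTS, ISSUER_CONSTRAINTS);
            return true;
        } catch (WSSecurityException e) {
            System.err.println("rejected signer " + chain[0].getSubjectX500Principal() + ": " + e.getMessage());
            return false;
        }
    }

    /** Bare-key variant for messages that reference a key by value rather than by certificate. */
    static boolean isTrustedKey(KeyStoreCrypto crypto, PublicKey key) {
        try {
            crypto.verifyTrust(key);
            return true;
        } catch (WSSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore keystore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Path.of("/path/to/signing-keystore.p12"))) {
            keystore.load(in, "changeit".toCharArray());
        }
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Path.of("/path/to/truststore.jks"))) {
            truststore.load(in, "changeit".toCharArray());
        }
        KeyStoreCrypto crypto = new KeyStoreCrypto(keystore, truststore);

        // enableRevocation=true only asks the PKIX validator to check revocation; with the
        // default Sun provider, CRL distribution points and OCSP stay off unless enabled here.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");

        X509Certificate[] peerChain = readPemChain(crypto, Path.of("/path/to/peer-chain.pem"));
        boolean trusted = isTrustedChain(crypto, peerChain, true);
        System.out.println("peer chain trusted: " + trusted);
        if (trusted) {
            System.out.println("peer key trusted: " + isTrustedKey(crypto, peerChain[0].getPublicKey()));
        }
    }
}
```

Passing an empty constraint collection disables that check, so a deployment that relies on the default CACERTS truststore should at least constrain the issuer: without it, any certificate chaining to any public CA in the JVM's default store would be accepted as a valid signer.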
    • verifyTrust

      public void verifyTrust(PublicKey publicKey) throws org.apache.wss4j.common.ext.WSSecurityException
      Evaluate whether a given public key should be trusted.
      Parameters:
      publicKey - The PublicKey to be evaluated
      Throws:
      org.apache.wss4j.common.ext.WSSecurityException - if the PublicKey is invalid
    • addTrustAnchors

      protected void addTrustAnchors(Set<TrustAnchor> set, KeyStore keyStore) throws KeyStoreException
      Adds TrustAnchors found in the provided key store to the set.

      When the Trust Anchors are constructed, the value of the CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS property will be checked. If it has been set to true, then NameConstraints will be added to their Trust Anchors; if unset or set to false, the Name Constraints will be nulled out on their Trust Anchors. The default Sun PKIX Path Validator does not support Name Constraints on Trust Anchors and will throw an InvalidAlgorithmParameterException if they are provided. Other implementations may also be unsafe.
      Parameters:
      set - the set to which to add the TrustAnchors
      keyStore - the store to search for X509Certificates
      Throws:
      KeyStoreException