Java Code Examples for org.opensaml.xml.security.x509.X509Credential#getEntityCertificate()

Example 1
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0
/**
 * Evaluate the presenter entity ID as derived from the cert subject DN.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
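/**
 * Evaluate the presenter entity ID as derived from the cert subject DN.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine, or null when the
 *         credential carries no entity certificate, no subject name could be derived from it, or the
 *         trust engine rejected the derived presenter
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectDN(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter as cert subject DN");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    if (certificate == null) {
        // No certificate means no subject DN to derive from; report "not evaluated" instead of risking an NPE
        // inside getSubjectName(), which is defined elsewhere in this class.
        log.debug("Request credential contained no entity certificate, unable to derive subject DN");
        return null;
    }

    String candidatePresenter = getSubjectName(certificate);
    if (candidatePresenter == null) {
        return null;
    }

    if (evaluate(requestCredential, candidatePresenter, messageContext)) {
        log.info("Authentication succeeded for presenter entity ID derived from subject DN {}",
                candidatePresenter);
        return candidatePresenter;
    }
    return null;
}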
 
Example 2
Source File: ExplicitX509CertificateTrustEvaluator.java    From lams with GNU General Public License v2.0
/**
 * Evaluate trust.
 * 
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredential basis for trust
 * @return true if trust can be established, false otherwise
 */
/**
 * Evaluate trust by comparing the entity certificate of the untrusted credential against the entity
 * certificate of the trusted credential.
 * 
 * @param untrustedCredential the untrusted X509Credential to evaluate
 * @param trustedCredential basis for trust
 * @return true if trust can be established, false otherwise (including when either credential carries no
 *         entity certificate)
 */
public boolean validate(X509Credential untrustedCredential, X509Credential trustedCredential) {

    X509Certificate candidate = untrustedCredential.getEntityCertificate();
    X509Certificate anchor = trustedCredential.getEntityCertificate();

    if (candidate == null) {
        log.debug("Untrusted credential contained no entity certificate, unable to evaluate");
        return false;
    }
    if (anchor == null) {
        log.debug("Trusted credential contained no entity certificate, unable to evaluate");
        return false;
    }

    // The certificate-level overload performs the actual comparison.
    boolean trusted = validate(candidate, anchor);
    if (trusted) {
        log.debug("Successfully validated untrusted credential against trusted certificate");
    } else {
        log.debug("Failed to validate untrusted credential against trusted certificate");
    }
    return trusted;
}
 
Example 3
Source File: EvaluableX509SubjectNameCredentialCriteria.java    From lams with GNU General Public License v2.0
/**
 * {@inheritDoc}
 * 
 * Evaluates whether the target credential's entity certificate carries the configured subject name.
 * 
 * @param target the credential to evaluate
 * @return null if the target is null; Boolean.FALSE if it is not an X509Credential or holds no entity
 *         certificate; otherwise whether the certificate's subject X500Principal equals the criteria's
 *         subject name
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject name criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    // Compare as X500Principal objects rather than as DN strings.
    boolean matches = entityCert.getSubjectX500Principal().equals(subjectName);
    return Boolean.valueOf(matches);
}
 
Example 4
Source File: EvaluableX509IssuerSerialCredentialCriteria.java    From lams with GNU General Public License v2.0
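/**
 * {@inheritDoc}
 * 
 * Evaluates whether the target credential's entity certificate has the configured issuer name and serial
 * number. Both must match: a serial number is only unique within a single issuer.
 * 
 * @param target the credential to evaluate
 * @return null if the target is null; Boolean.FALSE if it is not an X509Credential, holds no entity
 *         certificate, or its issuer does not match; otherwise whether the certificate's serial number
 *         equals the criteria's serial number
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy issuer name and serial number criteria");
        return Boolean.FALSE;
    }
    X509Credential x509Cred = (X509Credential) target;

    X509Certificate entityCert = x509Cred.getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    // Return the shared Boolean constant here, consistent with the other negative outcomes above,
    // instead of autoboxing a primitive false.
    if (!entityCert.getIssuerX500Principal().equals(issuer)) {
        return Boolean.FALSE;
    }
    return Boolean.valueOf(entityCert.getSerialNumber().equals(serialNumber));
}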
 
Example 5
Source File: EvaluableX509CertSelectorCredentialCriteria.java    From lams with GNU General Public License v2.0
/**
 * {@inheritDoc}
 * 
 * Evaluates the target credential's entity certificate against the configured X509CertSelector.
 * 
 * @param target the credential to evaluate
 * @return null if the target is null; Boolean.FALSE if it is not an X509Credential or holds no entity
 *         certificate; otherwise the result of matching the certificate against the selector
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, can not evaluate X509CertSelector criteria");
        return Boolean.FALSE;
    }

    // The selector encapsulates whichever certificate attributes were configured on it.
    boolean matched = certSelector.match(entityCert);
    return Boolean.valueOf(matched);
}
 
Example 6
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0
/**
 * Evaluate the presenter entity ID as derived from the cert subject common name (CN).
 * 
 * Only the first CN value from the subject DN is evaluated.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
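/**
 * Evaluate the presenter entity ID as derived from the cert subject common name (CN).
 * 
 * Only the first CN value from the subject DN is evaluated.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine, or null when the
 *         credential carries no entity certificate, no CN could be derived from it, or the trust engine
 *         rejected the derived presenter
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectCommonName(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter as cert CN");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    if (certificate == null) {
        // No certificate means no CN to derive from; report "not evaluated" instead of risking an NPE
        // inside getCommonName(), which is defined elsewhere in this class.
        log.debug("Request credential contained no entity certificate, unable to derive CN");
        return null;
    }

    String candidatePresenter = getCommonName(certificate);
    if (candidatePresenter == null) {
        return null;
    }

    if (evaluate(requestCredential, candidatePresenter, messageContext)) {
        log.info("Authentication succeeded for presenter entity ID derived from CN {}", candidatePresenter);
        return candidatePresenter;
    }
    return null;
}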
 
Example 7
Source File: ClientCertAuthRule.java    From lams with GNU General Public License v2.0
/**
 * Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated
 * in {@link CertificateNameOptions#getSubjectAltNames()}.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine
 * @throws SecurityPolicyException thrown if there is error during processing
 */
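/**
 * Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated
 * in {@link CertificateNameOptions#getSubjectAltNames()}.
 * 
 * Alt name types are tried in the order configured; within a type, names are tried in the order returned by
 * {@code getAltNames}. The first name accepted by the trust engine wins.
 * 
 * @param requestCredential the X509Credential derived from the request
 * @param messageContext the message context being evaluated
 * @return a presenter entity ID which was successfully evaluated by the trust engine, or null when the
 *         credential carries no entity certificate or no alt name was accepted
 * @throws SecurityPolicyException thrown if there is error during processing
 */
protected String evaluateSubjectAltNames(X509Credential requestCredential, MessageContext messageContext)
        throws SecurityPolicyException {

    log.debug("Evaluating client cert by deriving presenter from subject alt names");
    X509Certificate certificate = requestCredential.getEntityCertificate();
    if (certificate == null) {
        // No certificate means no alt names to derive from; report "not evaluated" instead of risking an
        // NPE inside getAltNames(), which is defined elsewhere in this class.
        log.debug("Request credential contained no entity certificate, unable to derive subject alt names");
        return null;
    }

    for (Integer altNameType : certNameOptions.getSubjectAltNames()) {
        log.debug("Evaluating alt names of type: {}", altNameType);
        List<String> altNames = getAltNames(certificate, altNameType);
        if (altNames == null) {
            // Treat a missing list the same as an empty one: no names of this type to evaluate.
            continue;
        }
        for (String altName : altNames) {
            if (evaluate(requestCredential, altName, messageContext)) {
                log.info("Authentication succeeded for presenter entity ID derived from subject alt name {}",
                        altName);
                return altName;
            }
        }
    }
    return null;
}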
 
Example 8
Source File: EvaluableX509SubjectKeyIdentifierCredentialCriteria.java    From lams with GNU General Public License v2.0
/**
 * {@inheritDoc}
 * 
 * Evaluates whether the target credential's entity certificate carries the configured subject key
 * identifier (SKI). A certificate without an SKI extension yields an indeterminate (null) result rather
 * than a negative one, since the criteria cannot be applied to it at all.
 * 
 * @param target the credential to evaluate
 * @return null if the target is null or the certificate has no SKI extension; Boolean.FALSE if the target
 *         is not an X509Credential or holds no entity certificate; otherwise whether the certificate's SKI
 *         bytes equal the criteria's SKI
 */
public Boolean evaluate(Credential target) {
    if (target == null) {
        log.error("Credential target was null");
        return null;
    }
    if (!(target instanceof X509Credential)) {
        log.info("Credential is not an X509Credential, does not satisfy subject key identifier criteria");
        return Boolean.FALSE;
    }

    X509Certificate entityCert = ((X509Credential) target).getEntityCertificate();
    if (entityCert == null) {
        log.info("X509Credential did not contain an entity certificate, does not satisfy criteria");
        return Boolean.FALSE;
    }

    byte[] certSKI = X509Util.getSubjectKeyIdentifier(entityCert);
    boolean hasSKI = certSKI != null && certSKI.length > 0;
    if (!hasSKI) {
        log.info("Could not evaluate criteria, certificate contained no subject key identifier extension");
        return null;
    }

    // Byte-for-byte comparison of the two identifiers; the SKI is a public certificate attribute,
    // not a secret, so an ordinary equality check is appropriate here.
    return Boolean.valueOf(Arrays.equals(ski, certSKI));
}