org.springframework.security.saml.trust

Class CertPathPKIXTrustEvaluator

java.lang.Object

org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator

org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator

All Implemented Interfaces:

org.opensaml.xml.security.x509.PKIXTrustEvaluator

public class CertPathPKIXTrustEvaluator
extends org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator

PKIX trust evaluator based on Java CertPath API. Class first constructs PKIXBuilderParameters using call to getPKIXBuilderParameters. Parameters consult the options property for defaults of isForceRevocationEnabled, forcedRevocation, policyMappingInhibited, anyPolicyInhibited and initialPolicies settings. System then constructs CertPathBuilder with PKIX algorithm and selected securityProvider and builds the certificate path. If path building succeeds system also optionally verifies the resulting certificate chain using CertPathValidator. In earlier Java versions the builder implementation doesn't support e.g. OCSP checking. Running a separate path validation makes it possible to use these features..

Constructor Summary

Constructors

Constructor and Description
CertPathPKIXTrustEvaluator()
CertPathPKIXTrustEvaluator(org.opensaml.xml.security.x509.PKIXValidationOptions newOptions)

Method Summary

Modifier and Type	Method and Description
void	setSecurityProvider(String provider) Sets security provider used to instantiate CertPathBuilder and CertPathValidator instances from the CertPathBuilder and CertPathValidator factories.
void	setValidateCertPath(boolean validateCertPath) Flag indicating whether to execute additional certificate path validation using the java.security.cert.CertPathValidator factory.
boolean	validate(org.opensaml.xml.security.x509.PKIXValidationInformation validationInfo, org.opensaml.xml.security.x509.X509Credential untrustedCredential)

Methods inherited from class org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator

addCRLsToStoreMaterial, buildCertStore, buildTrustAnchor, getEffectiveVerificationDepth, getPKIXBuilderParameters, getPKIXValidationOptions, getTrustAnchors, getX500DNHandler, setPKIXValidationOptions, setX500DNHandler, storeContainsCRLs

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator()

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator(org.opensaml.xml.security.x509.PKIXValidationOptions newOptions)

Method Detail

validate

public boolean validate(org.opensaml.xml.security.x509.PKIXValidationInformation validationInfo,
                        org.opensaml.xml.security.x509.X509Credential untrustedCredential)
                 throws org.opensaml.xml.security.SecurityException

Specified by:

validate in interface org.opensaml.xml.security.x509.PKIXTrustEvaluator

Overrides:

validate in class org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator

Throws:

org.opensaml.xml.security.SecurityException

setSecurityProvider

public void setSecurityProvider(String provider)

Sets security provider used to instantiate CertPathBuilder and CertPathValidator instances from the CertPathBuilder and CertPathValidator factories. When no value is specified system will use the default security provider. Default value is null.

Parameters:

provider - name of the security provider (e.g. BC for BouncyCastle)

setValidateCertPath

public void setValidateCertPath(boolean validateCertPath)

Flag indicating whether to execute additional certificate path validation using the java.security.cert.CertPathValidator factory. The CertPathBuilder typically performs most PKIX verifications already, but in some cases (e.g. for OCSP support and CRLDP support in certain Java versions) it is necessary to run additional checkins in the validator. Default value is false.

Parameters:

validateCertPath - flag indicating usage of the CertPathValidator.