com.entrust.toolkit.credentials

Class GenericTokenReader.IdentityInfo

java.lang.Object

com.entrust.toolkit.credentials.GenericTokenReader.IdentityInfo

Enclosing class:

GenericTokenReader

public static class GenericTokenReader.IdentityInfo
extends java.lang.Object

IdentityInfo is a bean object that provides metadata to GenericTokenReader. It encapsulates parameters that GenericTokenReader will use to determine what is being searched for on the PKCS#11 device.

Encapsulated info are:

• subjectName of the certificate of interest being searched for
• CA certificate chain - these are anchor certificates for validating the certificate of interest, can by supplied in 3 ways: as a CA chain, or as a customized CertVerifier or as subjectNames of CA certificates to be found on the token
• GenericCertificateFilter, GenericIdentityFilter, TokenIdentityFilter - are filters used to control behavior of GenericTokenReader

Code Usage:

Set end-user-certificate and CA chain

IdentityInfo identityInfo = new IdentityInfo(subjectName);
identityInfo.setCertChain(new X509Certificate[] {rootCaCert, intermediateCert, caCert});


Set end-user-certificate and custom CertVerifier

IdentityInfo identityInfo = new IdentityInfo(subjectName);
identityInfo.setCertVerifier(certVerifier);


Set end-user-certificate and CA chain which are all found on the token

IdentityInfo identityInfo = new IdentityInfo(subjectName);
identityInfo.setRootCaCertSubjectName(rootCaCertSubjectName);
identityInfo.setCaCertSubjectName(caCertSubjectName);


Set end-user-certificate, CA chain and LDAP to invoke revocation checking

IdentityInfo identityInfo = new IdentityInfo(subjectName);
identityInfo.setCertChain(new X509Certificate[] {rootCaCert, intermediateCert, caCert});
identityInfo.setLdapIp(1.2.3.4);
identityInfo.setLdapPort(389);
identityInfo.setConnectionTimeout(30000);
identityInfo.setSoConnectionTimeout(30000);
identityInfo.setSearchTimeout(60000);


Set end-user-certificate, CA chain and overriding filter

IdentityInfo identityInfo = new IdentityInfo(subjectName);
identityInfo.setCertChain(new X509Certificate[] {rootCaCert, intermediateCert, caCert});
identityInfo.setGenericCertificateFilter(filter);


Since:

9.0

Constructor Summary

Constructors

Constructor and Description
IdentityInfo(Name subjectName) Creates a new IdentityInfo object with the given subject name of the certificate to find on the token
IdentityInfo(java.lang.String subjectName) Creates a new IdentityInfo object with the given subject name of the certificate to find on the token

Method Summary

Modifier and Type	Method and Description
Name	getCaCertSubjectName() Retrieve the CaCertSubjectName, if was set
X509Certificate[]	getCertChain() Retrieve the Certificate Chain
CertVerifier	getCertVerifier() Retrieve the CertVerifier used to validate the certificate chain
int	getConnectionTimeout() Retrieve the Directory connection timeout for the ldap
GenericCertificateFilter	getGenericCertificateFilter() Retrieve the current GenericCertificateFilter
GenericIdentityFilter	getGenericIdentityFilter() Retrieve the current GenericIdentityFilter
java.lang.String	getLdapIp() Retrieve Ldap Ip used by CertVerifier to validate the certificate chain
int	getLdapPort() Retrieve the Ldap Port used by CertVerifier to validate the certificate chain
Name	getRootCaCertSubjectName() Retrieve the RootCaCertSubjectName, if was set
int	getSearchTimeout() Retrieve the search timeout for the ldap
int	getSoConnectionTimeout() Retrieve the Directory socket connection timeout.
Name	getSubjectName() Retrieve the SubjectName
TokenIdentityFilter	getTokenIdentityFilter() Retrieve the current TokenIdentityFilter
void	setCaCertSubjectName(Name caCertSubjectName) Sets the caCert SubjectName to found on the token
void	setCaCertSubjectName(java.lang.String caCertSubjectName) Sets the caCert SubjectName to be found on the token
void	setCertChain(X509Certificate[] certChain) Set the certificate authority chain belonging to the certificate of interest on the PKCS#11 device.
void	setCertVerifier(CertVerifier certVerifier) Set a CertVerifier if any customization is required around this (optional)
void	setConnectionTimeout(int connectionTimeout) Sets the Directory connection timeout for the ldap in CertVerifier.
void	setGenericCertificateFilter(GenericCertificateFilter genericCertificateFilter) Allows you to override InternalGenericTokenReader.DefaultCertificateFilter which is applied to the selected identity to filter its certificates.
void	setGenericIdentityFilter(GenericIdentityFilter genericIdentityFilter) Allows you to override InternalGenericTokenReader.DefaultIdentityFilter which determines how an identity is selected on the token.
void	setLdapIp(java.lang.String ldapIp) Set the Ldap Ip to use in CertVerifier to validate the certificate chain (optional)
void	setLdapPort(int ldapPort) Set the Ldap Port to use in CertVerifier to validate the certificate chain (optional)
void	setRootCaCertSubjectName(Name rootCaCertSubjectName) Sets the rootCaCert SubjectName to be found on the token
void	setRootCaCertSubjectName(java.lang.String rootCACertSubjectName) Sets the rootCaCert SubjectName to be found on the token
void	setSearchTimeout(int searchTimeout) Sets the timeout when searching the Directory.
void	setSoConnectionTimeout(int soConnectionTimeout) Sets the Directory connection timeout used by the underlying socket implementation for the ldap in CertVerifier.
void	setTokenIdentityFilter(TokenIdentityFilter tokenIdentityFilter) Allows you to override the default InternalGenericTokenReader.DefaultTokenIdentityFilter which determines how an identity is defined.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IdentityInfo

public IdentityInfo(Name subjectName)

Creates a new IdentityInfo object with the given subject name of the certificate to find on the token

Parameters:

subjectName -

IdentityInfo

public IdentityInfo(java.lang.String subjectName)

Creates a new IdentityInfo object with the given subject name of the certificate to find on the token

Parameters:

subjectName -

Method Detail

getSubjectName

public Name getSubjectName()

Retrieve the SubjectName

Returns:

Name

setCaCertSubjectName

public void setCaCertSubjectName(Name caCertSubjectName)

Sets the caCert SubjectName to found on the token

Parameters:

caCertSubjectName -

setCaCertSubjectName

public void setCaCertSubjectName(java.lang.String caCertSubjectName)

Sets the caCert SubjectName to be found on the token

Parameters:

caCertSubjectName -

getCaCertSubjectName

public Name getCaCertSubjectName()

Retrieve the CaCertSubjectName, if was set

Returns:

Name

setRootCaCertSubjectName

public void setRootCaCertSubjectName(Name rootCaCertSubjectName)

Sets the rootCaCert SubjectName to be found on the token

Parameters:

rootCaCertSubjectName -

setRootCaCertSubjectName

public void setRootCaCertSubjectName(java.lang.String rootCACertSubjectName)

Sets the rootCaCert SubjectName to be found on the token

Parameters:

rootCACertSubjectName -

getRootCaCertSubjectName

public Name getRootCaCertSubjectName()

Retrieve the RootCaCertSubjectName, if was set

Returns:

Name

getCertChain

public X509Certificate[] getCertChain()

Retrieve the Certificate Chain

Returns:

X509Certificate[]

setCertChain

public void setCertChain(X509Certificate[] certChain)

Set the certificate authority chain belonging to the certificate of interest on the PKCS#11 device. The certificate authority chain should be ordered: root, intermediate, and ca certificate. Set the trusted certificate chain required for certificate validation.

getLdapIp

public java.lang.String getLdapIp()

Retrieve Ldap Ip used by CertVerifier to validate the certificate chain

setLdapIp

public void setLdapIp(java.lang.String ldapIp)

Set the Ldap Ip to use in CertVerifier to validate the certificate chain (optional)

getLdapPort

public int getLdapPort()

Retrieve the Ldap Port used by CertVerifier to validate the certificate chain

setLdapPort

public void setLdapPort(int ldapPort)

Set the Ldap Port to use in CertVerifier to validate the certificate chain (optional)

getConnectionTimeout

public int getConnectionTimeout()

Retrieve the Directory connection timeout for the ldap

Returns:

connectionTimeout

setConnectionTimeout

public void setConnectionTimeout(int connectionTimeout)

Sets the Directory connection timeout for the ldap in CertVerifier. Only applicable if setLapIp is used. The Directory connection timeout indicates the maximum amount of time that will be spent attempting to establish a connection to the Directory. If exceeded, an exception is thrown indicating the timeout occurred.

Parameters:

connectionTimeout - connection process timeout in milliseconds; by default it is 0 which means no limit

getSoConnectionTimeout

public int getSoConnectionTimeout()

Retrieve the Directory socket connection timeout.

Returns:

soConnectionTimeout

setSoConnectionTimeout

public void setSoConnectionTimeout(int soConnectionTimeout)

Sets the Directory connection timeout used by the underlying socket implementation for the ldap in CertVerifier. Only applicable if setLapIp is used. The Directory connection timeout indicates the maximum amount of time that will be spent attempting to establish a socket connection to the Directory. If exceeded, an exception is thrown indicating the timeout occurred.

Parameters:

soConnectionTimeout - connection process timeout in milliseconds; by default it is 0 which means no limit

getSearchTimeout

public int getSearchTimeout()

Retrieve the search timeout for the ldap

Returns:

searchTimeout

setSearchTimeout

public void setSearchTimeout(int searchTimeout)

Sets the timeout when searching the Directory. Only applicable if setLapIp is used. This method uses the JNDI setting "com.sun.jndi.ldap.read.timeout"to specify the read timeout for an LDAP operation. If the search takes longer than the timeout it aborts the read attempt and a NamingException is thrown.

Parameters:

searchTimeout - the search timeout in milliseconds; by default it is 0 which means no search time out

getCertVerifier

public CertVerifier getCertVerifier()

Retrieve the CertVerifier used to validate the certificate chain

setCertVerifier

public void setCertVerifier(CertVerifier certVerifier)

Set a CertVerifier if any customization is required around this (optional)

getGenericCertificateFilter

public GenericCertificateFilter getGenericCertificateFilter()

Retrieve the current GenericCertificateFilter

Returns:

GenericCertificateFilter

setGenericCertificateFilter

public void setGenericCertificateFilter(GenericCertificateFilter genericCertificateFilter)

Allows you to override InternalGenericTokenReader.DefaultCertificateFilter which is applied to the selected identity to filter its certificates. The default filter only allows valid certificates based on today's date As example, certificates that are expired or are as of yet not valid are filtered out.

Parameters:

genericCertificateFilter -

getGenericIdentityFilter

public GenericIdentityFilter getGenericIdentityFilter()

Retrieve the current GenericIdentityFilter

Returns:

GenericIdentityFilter

setGenericIdentityFilter

public void setGenericIdentityFilter(GenericIdentityFilter genericIdentityFilter)

Allows you to override InternalGenericTokenReader.DefaultIdentityFilter which determines how an identity is selected on the token. Default is based on the literal subjectName

Parameters:

genericIdentityFilter -

getTokenIdentityFilter

public TokenIdentityFilter getTokenIdentityFilter()

Retrieve the current TokenIdentityFilter

Returns:

TokenIdentityFilter

setTokenIdentityFilter

public void setTokenIdentityFilter(TokenIdentityFilter tokenIdentityFilter)

Allows you to override the default InternalGenericTokenReader.DefaultTokenIdentityFilter which determines how an identity is defined. Default is based on a subjectName+issuerName.

Parameters:

tokenIdentityFilter -