iaik.ixsil.keyinfo.x509

Class KeyProviderImplX509Data

java.lang.Object

iaik.ixsil.keyinfo.x509.KeyProviderImplX509Data

All Implemented Interfaces:

KeyProviderInterface

public class KeyProviderImplX509Data
extends java.lang.Object
implements KeyProviderInterface

This class implements the KeyProviderInterface for X509Data key information hints.

Signature generation

The application can compose an arbitrary list of X509Data key information hints according to the XML Signature specification. The methods insertX509DataAt(iaik.ixsil.keyinfo.x509.X509Data, int), getX509DataAt(int) and removeX509DataAt(int) can be used for this purpose.

Signature validation

The trust management system used by this implementation to find out if a certificate is trusted, can be either set explicitely by the application using method setTrustManager(iaik.ixsil.keyinfo.x509.X509TrustManagerInterface). If no trust management system has been set, an instance of the default trust management system specified by the IXSIL keymananger property KeyProviderImplX509Data.X509TrustManagerDefaultImplementingClass will be created at first invocation of method getVerifierKey().

The X509Data key information hints will be processed according to the following algorithm to find out a trusted certificate and further to get the verification key for the signature:

1. All X509 certificate revocation lists are collected, and the trust management system is notified of all these lists.
2. All X509 certificates are collected and put into the trust management system for further use, regardless of their occurence in various X509Data XML elements.
3. These X509 certificates are processed in order of their occurence. Each certificate is checked if it is an end entity certificate. If yes, the trust status is queried from the trust management system. If the end entity certificate is trusted, its public key will be used as the verification key. If no trusted end entity certificate can be found, the next following will be performed.
4. All other certificate hints (IssuerSerial, SubjectKeyIdentifier, SubjectName) are processed in order of ther occurence. Each hint is used to ask the trust management system for a fitting certificate. If such a certificate can beprovided by the trust management system (it must be only a single certificate in case of a SubjectName hint), and if the certificate is again an end entity certificate, this certificate is presented to the trust management system to ask for its trust status. If the certificate is trusted, its public key will be used as the verification key.
5. If this step has been reached, no verification key has been found for the given key information, and the process will terminate with an exception.

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	JCA_CERTTYPE_X509_ The name to generate a certificate factory for X509 certificates in the Java Cryptography Architecture.
protected org.w3c.dom.Document	signatureDOMDoc_ Reference to the Signature DOM document.
protected X509TrustManagerInterface	trustManager_ The implementation of the trust management system interface X509TrustManagerInterface.
protected java.util.Vector	x509Data_ Contains the result of parsing all specified X509Data DOM elements.

Constructor Summary

Constructors

Constructor and Description
KeyProviderImplX509Data() This constructor will be used by IXSIL in the verification use case.
KeyProviderImplX509Data(org.w3c.dom.Document signatureDOMDoc) This constructor can be used by the application in the signature creation use case in order to create a new key provider for X509Data key information hints.

Method Summary

Methods

Modifier and Type	Method and Description
protected org.w3c.dom.Element	createX509CertificateDOMElem(java.security.cert.X509Certificate x509Certificate) Creates a X509Certificate DOM element from a corresponding object.
protected org.w3c.dom.Element	createX509CRLDOMElem(java.security.cert.X509CRL x509CRL) Creates a X509CRL DOM element from a corresponding object.
protected org.w3c.dom.Element	createX509IssuerSerialDOMElem(X509IssuerSerial x509IssuerSerial) Creates a X509IssuerSerial DOM element from a corresponding object.
protected org.w3c.dom.Element	createX509SKIDOMElem(X509SKI x509SKI) Creates a X509SKI DOM element from a corresponding object.
protected org.w3c.dom.Element	createX509SubjectNameDOMElem(X509SubjectName x509SubjectName) Creates a X509SubjectName DOM element from a corresponding object.
org.w3c.dom.Element[]	getKeyInfoSubelements() Produces an array of X509Data DOM elements representing the key information hints specified by the application by means of the method insertX509DataAt(iaik.ixsil.keyinfo.x509.X509Data, int).
java.security.Key	getVerifierKey() Gets the verification key by evaluating the parsed key information which has either been generated at execution of method setKeyInfoSubelements(org.w3c.dom.Element[]) or explicitely set by the application.
X509Data	getX509DataAt(int position) Gets the X509Data key information hint at the specified position from the list of hints which have been inserted so far.
int	getX509DataNumber() Gets the number of X509Data key information hints inserted so far.
X509Data	insertX509DataAt(X509Data data, int position) Inserts a X509Data key information hint at the specified position.
boolean	isEndEntityCertificate(java.security.cert.X509Certificate candidate, java.security.cert.X509Certificate[] context) Checks if a specified certificate is an end entity (EE) certificate.
protected java.security.cert.X509Certificate	parseX509Certificate(org.w3c.dom.Element x509CertificateDOMElem) Parses a X509Certificate DOM element.
protected java.security.cert.X509CRL	parseX509CRL(org.w3c.dom.Element x509CRLDOMElem) Parses a X509CRL DOM element.
protected X509IssuerSerial	parseX509IssuerSerial(org.w3c.dom.Element x509IssuerSerialDOMElem) Parses a X509IssuerSerial DOM element.
protected X509SKI	parseX509SKI(org.w3c.dom.Element x509SKIDOMElem) Parses a X509SKI DOM element.
protected X509SubjectName	parseX509SubjectName(org.w3c.dom.Element x509SubjectNameDOMElem) Parses a X509SubjectName DOM element.
X509Data	removeX509DataAt(int position) Removes the X509Data key information hint at the specified position from the list of hints which have been inserted so far.
void	setKeyInfoSubelements(org.w3c.dom.Element[] x509DataElements) Parses all specified X509Data DOM elements and produces an internal memory representation.
void	setTrustManager(X509TrustManagerInterface trustManager) This method can be used by the application in the verification use case to explicitely set the trust management system which should be used to evaluate the X509 related key information in the signature.
void	setURIResolverParameters(URIResolverParameters params) Sets the parameters to be used by the key provider when resolving URIs.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

JCA_CERTTYPE_X509_

protected static final java.lang.String JCA_CERTTYPE_X509_

The name to generate a certificate factory for X509 certificates in the Java Cryptography Architecture.

See Also:

Constant Field Values

x509Data_

protected java.util.Vector x509Data_

Contains the result of parsing all specified X509Data DOM elements. All elements of the vector are of type X509Data.

signatureDOMDoc_

protected org.w3c.dom.Document signatureDOMDoc_

Reference to the Signature DOM document. Used in method getKeyInfoSubelements().

trustManager_

protected X509TrustManagerInterface trustManager_

The implementation of the trust management system interface X509TrustManagerInterface.

Constructor Detail

KeyProviderImplX509Data

public KeyProviderImplX509Data()

This constructor will be used by IXSIL in the verification use case.

KeyProviderImplX509Data

public KeyProviderImplX509Data(org.w3c.dom.Document signatureDOMDoc)

This constructor can be used by the application in the signature creation use case in order to create a new key provider for X509Data key information hints.

Parameters:

signatureDOMDoc - A reference to the DOM document representing the XML Signature. Used in method getKeyInfoSubelements() to create DOM nodes.

Method Detail

setTrustManager

public void setTrustManager(X509TrustManagerInterface trustManager)

This method can be used by the application in the verification use case to explicitely set the trust management system which should be used to evaluate the X509 related key information in the signature.

Parameters:

trustManager - the trust management system which should back this key provider. Must not be null.

setKeyInfoSubelements

public void setKeyInfoSubelements(org.w3c.dom.Element[] x509DataElements)
                           throws KeyProviderException

Parses all specified X509Data DOM elements and produces an internal memory representation.

Specified by:

setKeyInfoSubelements in interface KeyProviderInterface

Parameters:

x509DataElements - The array of X509Data DOM Elements to be parsed. Must not be null, but may be an empty array.

Throws:

KeyProviderException - if parsing the specified DOM elements fails for any reason.

getKeyInfoSubelements

public org.w3c.dom.Element[] getKeyInfoSubelements()
                                            throws KeyProviderException

Produces an array of X509Data DOM elements representing the key information hints specified by the application by means of the method insertX509DataAt(iaik.ixsil.keyinfo.x509.X509Data, int).

Specified by:

getKeyInfoSubelements in interface KeyProviderInterface

Returns:

an array of X509Data elements or null, if no key information hints have been specified.

Throws:

KeyProviderException - if the wrong constructor has been used, and therefore no DOM Document has been specified for creation of DOM Nodes.

getVerifierKey

public java.security.Key getVerifierKey()
                                 throws KeyProviderException

Gets the verification key by evaluating the parsed key information which has either been generated at execution of method setKeyInfoSubelements(org.w3c.dom.Element[]) or explicitely set by the application.

Specified by:

getVerifierKey in interface KeyProviderInterface

Returns:

the key to be used for verifying the XML signature.

Throws:

KeyProviderException - if no trust manager has been set explicitely, and the default trust manager cannot be instantiated; or if the trust manager reports an error if one of its methods is invoked, or if no trusted verification key can be found.

insertX509DataAt

public X509Data insertX509DataAt(X509Data data,
                        int position)
                          throws KeyProviderException

Inserts a X509Data key information hint at the specified position.

Parameters:

data - The X509Data key information hint to be inserted. Must not be null, and must consist of at least one certificate hint.

position - The position where to insert the key information in the list with the hints which have been inserted so far. Must not be less than 0 and must not be greater than the number of hints inserted so far.

Returns:

the inserted key information hint or null if the specified position is invalid.

Throws:

KeyProviderException - if there are no certificate hints in the X509Data object.

getX509DataAt

public X509Data getX509DataAt(int position)

Gets the X509Data key information hint at the specified position from the list of hints which have been inserted so far.

Parameters:

position - The position of the key information hint to get. Must not be less than 0 and must not be greater than or equal the number of hints inserted so far.

Returns:

the X509Data key information hint at the specified position or null if the specified position is invalid.

removeX509DataAt

public X509Data removeX509DataAt(int position)

Removes the X509Data key information hint at the specified position from the list of hints which have been inserted so far.

Parameters:

position - The position of the key information hint to get. Must not be less than 0 and must not be greater than or equal the number of hints inserted so far.

Returns:

the X509Data key information hint which has been removed or null if the specified position is invalid.

getX509DataNumber

public int getX509DataNumber()

Gets the number of X509Data key information hints inserted so far.

Returns:

the number of X509Data key information hints inserted so far.

setURIResolverParameters

public void setURIResolverParameters(URIResolverParameters params)

Sets the parameters to be used by the key provider when resolving URIs.

Specified by:

setURIResolverParameters in interface KeyProviderInterface

Parameters:

params - The parameters to be set. May be null to indicate a restore of the default values.

parseX509CRL

protected java.security.cert.X509CRL parseX509CRL(org.w3c.dom.Element x509CRLDOMElem)
                                           throws KeyProviderException

Parses a X509CRL DOM element.

Parameters:

x509CRLDOMElem - The DOM element to be parsed.

Returns:

a X509CRL object generated from the parsed information.

Throws:

KeyProviderException - if parsing the X509CRL DOM element fails.

parseX509Certificate

protected java.security.cert.X509Certificate parseX509Certificate(org.w3c.dom.Element x509CertificateDOMElem)
                                                           throws KeyProviderException

Parses a X509Certificate DOM element.

Parameters:

x509CertificateDOMElem - The DOM element to be parsed.

Returns:

a X509Certificate object generated from the parsed information.

Throws:

KeyProviderException - if parsing the X509Certificate DOM element fails.

parseX509IssuerSerial

protected X509IssuerSerial parseX509IssuerSerial(org.w3c.dom.Element x509IssuerSerialDOMElem)
                                          throws KeyProviderException

Parses a X509IssuerSerial DOM element.

Parameters:

x509IssuerSerialDOMElem - The DOM element to be parsed.

Returns:

a X509IssuerSerial object generated from the parsed information.

Throws:

KeyProviderException - if parsing the X509IssuerSerial DOM element fails.

parseX509SKI

protected X509SKI parseX509SKI(org.w3c.dom.Element x509SKIDOMElem)
                        throws KeyProviderException

Parses a X509SKI DOM element.

Parameters:

x509SKIDOMElem - The DOM element to be parsed.

Returns:

a X509SKI object generated from the parsed information.

Throws:

KeyProviderException - if parsing the X509SKI DOM element fails.

parseX509SubjectName

protected X509SubjectName parseX509SubjectName(org.w3c.dom.Element x509SubjectNameDOMElem)
                                        throws KeyProviderException

Parses a X509SubjectName DOM element.

Parameters:

x509SubjectNameDOMElem - The DOM element to be parsed.

Returns:

a X509SubjectName object generated from the parsed information.

Throws:

KeyProviderException - if parsing the X509SubjectName DOM element fails.

createX509CRLDOMElem

protected org.w3c.dom.Element createX509CRLDOMElem(java.security.cert.X509CRL x509CRL)

Creates a X509CRL DOM element from a corresponding object.

Parameters:

x509CRL - The X509CRL object used to create the corresponding DOM element.

Returns:

the X509CRL DOM element representing the specified X509CRL object.

createX509CertificateDOMElem

protected org.w3c.dom.Element createX509CertificateDOMElem(java.security.cert.X509Certificate x509Certificate)

Creates a X509Certificate DOM element from a corresponding object.

Parameters:

x509Certificate - The X509Certificate object used to create the corresponding DOM element.

Returns:

the X509Certificate DOM element representing the specified X509Certificate object.

createX509SKIDOMElem

protected org.w3c.dom.Element createX509SKIDOMElem(X509SKI x509SKI)

Creates a X509SKI DOM element from a corresponding object.

Parameters:

x509SKI - The X509SKI object used to create the corresponding DOM element.

Returns:

the X509SKI DOM element representing the specified X509SKI object.

createX509IssuerSerialDOMElem

protected org.w3c.dom.Element createX509IssuerSerialDOMElem(X509IssuerSerial x509IssuerSerial)

Creates a X509IssuerSerial DOM element from a corresponding object.

Parameters:

x509IssuerSerial - The X509IssuerSerial object used to create the corresponding DOM element.

Returns:

the X509IssuerSerial DOM element representing the specified X509IssuerSerial object.

createX509SubjectNameDOMElem

protected org.w3c.dom.Element createX509SubjectNameDOMElem(X509SubjectName x509SubjectName)

Creates a X509SubjectName DOM element from a corresponding object.

Parameters:

x509SubjectName - The X509SubjectName object used to create the corresponding DOM element.

Returns:

the X509SubjectName DOM element representing the specified X509SubjectName object.

isEndEntityCertificate

public boolean isEndEntityCertificate(java.security.cert.X509Certificate candidate,
                             java.security.cert.X509Certificate[] context)
                               throws KeyProviderException

Checks if a specified certificate is an end entity (EE) certificate. This is done by calling the X509Certificate.isCertIssuingCaCert(iaik.x509.X509Certificate, boolean) method which determines if the certificate is a CA certificate. If it is not a CA certificate, then it must be an End-Entity certificate.

Parameters:

candidate - The certificate to be checked.

context - A bunch of certificates that should be used to find out if a certificate is the issuer of another certificate (no longer used).

Returns:

true if the candidate certificate is an end entity certificate.

Throws:

KeyProviderException - if the check fails for any reason.