
1   /*
2    * Licensed to the University Corporation for Advanced Internet Development, 
3    * Inc. (UCAID) under one or more contributor license agreements.  See the 
4    * NOTICE file distributed with this work for additional information regarding
5    * copyright ownership. The UCAID licenses this file to You under the Apache 
6    * License, Version 2.0 (the "License"); you may not use this file except in 
7    * compliance with the License.  You may obtain a copy of the License at
8    *
9    *    http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  
18  package edu.internet2.middleware.shibboleth.common.config.security;
19  
20  import java.security.PrivateKey;
21  import java.security.cert.X509CRL;
22  import java.security.cert.X509Certificate;
23  import java.util.ArrayList;
24  import java.util.List;
25  
26  import org.opensaml.xml.security.SecurityException;
27  import org.opensaml.xml.security.SecurityHelper;
28  import org.opensaml.xml.security.x509.BasicX509Credential;
29  import org.opensaml.xml.security.x509.X509Credential;
30  import org.slf4j.Logger;
31  import org.slf4j.LoggerFactory;
32  
33  /**
34   * Factory bean for building {@link X509Credential}s.
35   */
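/**
 * Factory bean for building {@link X509Credential}s.
 *
 * <p>Each call to {@link #createInstance()} assembles a fresh {@link BasicX509Credential} from the
 * configured private key, end-entity certificate, certificate list and CRLs. An end-entity
 * certificate is mandatory: it is either set explicitly or taken to be the first element of the
 * certificate list; when neither is available the factory fails rather than producing a credential
 * with no public key. When both a private key and an end-entity certificate are configured, the
 * factory refuses to produce a credential whose private key does not correspond to the
 * certificate's public key.</p>
 */
public class X509CredentialFactoryBean extends AbstractCredentialFactoryBean {
    
    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(X509CredentialFactoryBean.class);

    /** Private key represented by this credential; null for a public-key-only credential. */
    private PrivateKey privateKey;
    
    /** The end-entity certificate; when null, the first entry of {@link #certificates} is used. */
    private X509Certificate entityCertificate;

    /** Certificates (the entity certificate chain) represented by this credential. */
    private List<X509Certificate> certificates;

    /** CRLs represented by this credential. */
    private List<X509CRL> x509crls;

    /**
     * {@inheritDoc}
     *
     * @throws SecurityException if no end-entity certificate can be determined, if the configured
     *             private key does not match the end-entity certificate's public key, or if that
     *             comparison cannot be carried out
     */
    protected Object createInstance() throws Exception {
        BasicX509Credential credential = new BasicX509Credential();
        
        credential.setUsageType(getUsageType());
        credential.setEntityId(getEntityID());
        
        if (getKeyNames() != null) {
            credential.getKeyNames().addAll(getKeyNames());
        }
        
        // Resolved up front so that a missing certificate fails with a clear error instead of a
        // NullPointerException when the public key is read from it below.
        X509Certificate endEntityCert = resolveEntityCertificate();
        credential.setEntityCertificate(endEntityCert);
        
        if (certificates != null && !certificates.isEmpty()) {
            if (!certificates.contains(endEntityCert)) {
                // Not fatal, but a chain that omits the end-entity certificate is almost certainly a
                // configuration error: consumers walking the chain will not see the entity cert.
                log.warn("Configured end-entity certificate is not contained in the configured certificate list");
            }
            // Defensive copy so later mutation of the configured list does not leak into the credential.
            credential.setEntityCertificateChain(new ArrayList<X509Certificate>(certificates));
        }
        
        if (x509crls != null) {
            credential.setCRLs(new ArrayList<X509CRL>(x509crls));
        }
        
        credential.setPrivateKey(privateKey);
        // TODO may adjust BasicX509Credential to make this unnecessary
        credential.setPublicKey(endEntityCert.getPublicKey());
        
        checkKeyPair(credential);
        
        return credential;
    }

    /**
     * Determines the end-entity certificate for the credential: the explicitly configured one if
     * present, otherwise the first certificate of the configured list.
     *
     * @return the end-entity certificate, never null
     * @throws SecurityException if neither an entity certificate nor a non-empty certificate list
     *             has been configured
     */
    private X509Certificate resolveEntityCertificate() throws SecurityException {
        if (entityCertificate != null) {
            return entityCertificate;
        }
        if (certificates != null && !certificates.isEmpty()) {
            return certificates.get(0);
        }
        log.error("No end-entity certificate configured for credential");
        throw new SecurityException("Credential requires an end-entity certificate or a non-empty certificate list");
    }

    /**
     * Sanity-checks that the credential's public and private keys form a key pair. A credential
     * without a private key (public-key-only) is accepted without checking.
     *
     * <p>A failure of the comparison itself is treated as a failure of the check (fail closed), and
     * the underlying exception is kept as the cause rather than being reduced to a log line.</p>
     *
     * @param credential the credential whose keys are to be compared
     * @throws SecurityException if the keys do not match, or if the comparison could not be performed
     */
    private void checkKeyPair(BasicX509Credential credential) throws SecurityException {
        if (credential.getPublicKey() == null || credential.getPrivateKey() == null) {
            return;
        }
        boolean matched;
        try {
            matched = SecurityHelper.matchKeyPair(credential.getPublicKey(), credential.getPrivateKey());
        } catch (SecurityException e) {
            log.error("Could not perform sanity check against credential public and private key: {}",
                    e.getMessage());
            throw new SecurityException("Unable to verify that credential public and private key match", e);
        }
        if (!matched) {
            log.error("Mismatch detected between credential's public and private key");
            throw new SecurityException("Mismatch between credential public and private key");
        }
    }
    
    /**
     * {@inheritDoc}
     *
     * <p>Returns the raw {@code Class} the superclass contract declares; the produced objects are
     * {@link X509Credential} instances.</p>
     */
    public Class getObjectType() {
        return X509Credential.class;
    }

    /**
     * Gets the end-entity certificate represented by this credential.
     * 
     * @return entity certificate represented by this credential, or null if none was set explicitly
     */
    public X509Certificate getEntityCertificate() {
        return entityCertificate;
    }
    
    /**
     * Gets the certificates represented by this credential.
     * 
     * @return certificates represented by this credential, or null if none were set
     */
    public List<X509Certificate> getCertificates() {
        return certificates;
    }
    
    /**
     * Gets the CRLs represented by this credential.
     * 
     * @return CRLs represented by this credential, or null if none were set
     */
    public List<X509CRL> getCrls() {
        return x509crls;
    }

    /**
     * Gets the private key represented by this credential.
     * 
     * @return private key represented by this credential, or null for a public-key-only credential
     */
    public PrivateKey getPrivateKey() {
        return privateKey;
    }

    /**
     * Sets the end-entity certificate represented by this credential.
     * 
     * @param newCert the new entity certificate represented by this credential
     */
    public void setEntityCertificate(X509Certificate newCert) {
        entityCertificate = newCert;
    }
    
    /**
     * Sets the certificates represented by this credential. When no explicit entity certificate is
     * configured, the first element of this list is used as the end-entity certificate.
     * 
     * @param certs certificates represented by this credential
     */
    public void setCertificates(List<X509Certificate> certs) {
        certificates = certs;
    }

    /**
     * Sets the CRLs represented by this credential.
     * 
     * @param crls CRLs represented by this credential
     */
    public void setCrls(List<X509CRL> crls) {
        this.x509crls = crls;
    }

    /**
     * Sets the private key represented by this credential.
     * 
     * @param key private key represented by this credential
     */
    public void setPrivateKey(PrivateKey key) {
        privateKey = key;
    }
    
}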