/*
 * Licensed to the University Corporation for Advanced Internet Development,
 * Inc. (UCAID) under one or more contributor license agreements.  See the
 * NOTICE file distributed with this work for additional information regarding
 * copyright ownership. The UCAID licenses this file to You under the Apache
 * License, Version 2.0 (the "License"); you may not use this file except in
 * compliance with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package edu.internet2.middleware.shibboleth.common.binding.security;

import java.util.Set;

import org.opensaml.common.binding.security.SAMLMDClientCertAuthRule;
import org.opensaml.ws.security.provider.CertificateNameOptions;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.security.x509.X500DNHandler;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.security.x509.X509Util;

/**
 * Shibboleth flavour of {@link SAMLMDClientCertAuthRule}.
 *
 * <p>The rule itself is unchanged; this subclass only adds a convenience constructor that
 * pre-configures the certificate name options the way the Shibboleth 1.3 IdP did, so that
 * the subject DN (RFC 2253 form), the subject common name and the DNS / URI subject
 * alternative names of the presented client certificate are all candidates for matching
 * against the issuer's metadata.
 */
public class ShibbolethClientCertAuthRule extends SAMLMDClientCertAuthRule {

    /**
     * Creates a rule with caller-supplied name derivation options.
     *
     * @param engine trust engine used to evaluate the request's X509Credential
     * @param nameOptions options controlling which names are derived from the X.509 certificate
     */
    public ShibbolethClientCertAuthRule(final TrustEngine<X509Credential> engine,
            final CertificateNameOptions nameOptions) {
        super(engine, nameOptions);
    }

    /**
     * Creates a rule whose name derivation options default to the Shibboleth 1.3 IdP behaviour.
     *
     * <p>A fresh {@link CertificateNameOptions} is handed to the superclass and then adjusted
     * in place through {@link #getCertificateNameOptions()}.
     *
     * @param engine trust engine used to evaluate the request's X509Credential
     */
    public ShibbolethClientCertAuthRule(final TrustEngine<X509Credential> engine) {
        super(engine, new CertificateNameOptions());

        // Mutate the instance the superclass now holds, not the temporary passed above.
        applyShibboleth13Defaults(getCertificateNameOptions());
    }

    /**
     * Configures {@code options} to mirror the Shibboleth 1.3 IdP: RFC 2253 subject DN,
     * subject DN and CN evaluation enabled, and DNS / URI alternative names considered.
     *
     * NOTE(review): relies on getSubjectAltNames() exposing a live, mutable set — confirm
     * against CertificateNameOptions, otherwise the two alt-name types are silently dropped.
     *
     * @param options the name options to adjust in place
     */
    private static void applyShibboleth13Defaults(final CertificateNameOptions options) {
        options.setX500SubjectDNFormat(X500DNHandler.FORMAT_RFC2253);
        options.setEvaluateSubjectDN(true);
        options.setEvaluateSubjectCommonName(true);

        final Set<Integer> altNames = options.getSubjectAltNames();
        altNames.add(X509Util.DNS_ALT_NAME);
        altNames.add(X509Util.URI_ALT_NAME);
    }

}