
1   /*
2    * Licensed to the University Corporation for Advanced Internet Development, 
3    * Inc. (UCAID) under one or more contributor license agreements.  See the 
4    * NOTICE file distributed with this work for additional information regarding
5    * copyright ownership. The UCAID licenses this file to You under the Apache 
6    * License, Version 2.0 (the "License"); you may not use this file except in 
7    * compliance with the License.  You may obtain a copy of the License at
8    *
9    *    http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  
18  package edu.internet2.middleware.shibboleth.common.binding.security;
19  
20  import java.util.Set;
21  
22  import org.opensaml.common.binding.security.SAMLMDClientCertAuthRule;
23  import org.opensaml.ws.security.provider.CertificateNameOptions;
24  import org.opensaml.xml.security.trust.TrustEngine;
25  import org.opensaml.xml.security.x509.X500DNHandler;
26  import org.opensaml.xml.security.x509.X509Credential;
27  import org.opensaml.xml.security.x509.X509Util;
28  
29  /**
30   * Specialization of {@link SAMLMDClientCertAuthRule} which may include Shibboleth-specific
31   * method overrides for client certificate authentication processing.
32   */
public class ShibbolethClientCertAuthRule extends SAMLMDClientCertAuthRule {

    /**
     * Builds a rule using caller-supplied certificate name derivation options.
     *
     * @param engine trust engine that evaluates the request's {@link X509Credential}
     * @param nameOptions controls which names are derived from the X.509 certificate
     */
    public ShibbolethClientCertAuthRule(TrustEngine<X509Credential> engine, CertificateNameOptions nameOptions) {
        super(engine, nameOptions);
    }

    /**
     * Builds a rule whose name derivation options mirror the Shibboleth 1.3 identity
     * provider: the subject DN (RFC 2253 form), the subject CN, and DNS and URI
     * subject alternative names are all evaluated.
     *
     * <p>NOTE(review): every enabled name source is one more certificate name the
     * parent rule may compare against the peer's identifier; presumably the trust
     * engine, not the name match, is what establishes that the presented certificate
     * is trusted - confirm against {@link SAMLMDClientCertAuthRule}.</p>
     *
     * @param engine trust engine that evaluates the request's {@link X509Credential}
     */
    public ShibbolethClientCertAuthRule(TrustEngine<X509Credential> engine) {
        this(engine, new CertificateNameOptions());
        applyShibboleth13Defaults(getCertificateNameOptions());
    }

    /**
     * Configures the given options in place to match the Shibboleth 1.3 IdP behavior.
     * Assumes {@code options.getSubjectAltNames()} returns a live, modifiable set backed
     * by the options object - TODO confirm in CertificateNameOptions.
     *
     * @param options the option holder to configure
     */
    private static void applyShibboleth13Defaults(CertificateNameOptions options) {
        options.setX500SubjectDNFormat(X500DNHandler.FORMAT_RFC2253);
        options.setEvaluateSubjectDN(true);
        options.setEvaluateSubjectCommonName(true);
        Set<Integer> altNames = options.getSubjectAltNames();
        altNames.add(X509Util.DNS_ALT_NAME);
        altNames.add(X509Util.URI_ALT_NAME);
    }

}