iaik.xml.crypto.utils

Class IndependentKeySelectorImpl

java.lang.Object

javax.xml.crypto.KeySelector

iaik.xml.crypto.utils.IndependentKeySelectorImpl

public class IndependentKeySelectorImpl
extends KeySelector

This KeySelector in contrast to KeySelectorImpl tries to prevent dependencies against the IAIK Libraries. It is experimental. A KeySelector implementation that tries to get a public or secret key from the given KeyInfo.

It supports the dereferencing of RetrievalMethods and decryption of EncryptedKeys.

If a public key is required (e.g. for signature validation or for encryption) this KeySelector first tries to find a KeyValue element in the given KeyInfo. Then examines X509Data elements for a appropriate public key and finally looks for raw certificates referenced by a RetrievalMethod.

If a secret key is required this KeySelector looks for EncryptedKeys inside the given KeyInfo and tries to decrypt them. AgreementMethods are not directly supported, however the method select(javax.xml.crypto.enc.keyinfo.AgreementMethod, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext) may be overwritten to add support for key agreement.

The selection of private keys is obviously not supported as private keys should not be present in the KeyInfo in any case.

If this KeySelector is unable to get the requested key from the given KeyInfo select(iaik.xml.crypto.utils.IndependentKeySelectorImpl.KeyInfoHints, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext) is called. Overwrite this method to support the retrieval of keys from external sources using the IndependentKeySelectorImpl.KeyInfoHints collected from the given KeyInfo.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	IndependentKeySelectorImpl.KeyInfoHints This class collects all information found in the KeyInfo.
static class	IndependentKeySelectorImpl.KeySelectorResultImpl An implementation of the KeySelectorResult that carries the selected key.
static class	IndependentKeySelectorImpl.X509KeySelectorResultImpl An implementation of the KeySelectorResult that carries the selected key and certification and revocation information found in the KeyInfo corresponding to the selected key.

Nested classes/interfaces inherited from class javax.xml.crypto.KeySelector

KeySelector.Purpose

Field Summary

Fields

Modifier and Type	Field and Description
protected String	failReason_ The reason why selecting a key failed.

Constructor Summary

Constructors

Constructor and Description
IndependentKeySelectorImpl() Creates a new instance of this KeySelectorImpl.

Method Summary

Modifier and Type	Method and Description
static X509Certificate[]	convertCertificateChain(Certificate[] acertificate)
String	getFailReason() Returns the reason why selecting a key has failed.
protected static boolean	matchIssuerDN(X509Certificate cert, X509IssuerSerial issuerSerial) Evaluates if the issuer DN matches the certificate's issuer DN.
protected boolean	matchIssuerSN(X509Certificate cert, X509IssuerSerial issuerSerial)
protected static boolean	matchSubjectDN(X509Certificate cert, String x509SubjectName) Evaluates if x509SubjectName does match SubjectDN of KeyInfo X509Certificate.
protected IndependentKeySelectorImpl.KeyInfoHints	newKeyInfoHints(KeyInfo keyInfo, XMLCryptoContext context) This method returns IndependentKeySelectorImpl.KeyInfoHints which collects the following bits of information from KeyInfo.
protected KeySelectorResult	select(AgreementMethod agreementMethod, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a key using the given AgreementMethod.
protected KeySelectorResult	select(EncryptedKey encryptedKey, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a secret key from the given EncryptedKey.
protected KeySelectorResult	select(IndependentKeySelectorImpl.KeyInfoHints hints, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a key when the key is not in the key info.
protected KeySelectorResult	select(IndependentKeySelectorImpl.KeyInfoHints hints, KeySelectorResult[] results) Returns the first result, however if necessary this method can be overidden so that in the case of multiple KeySelectorResults a selection can be done.
KeySelectorResult	select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Attempts to find a key that satisfies the specified constraints from the information provided in the keyInfo.
protected KeySelectorResult	select(KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Override this method if your application does not take advantage of KeyInfo.
protected KeySelectorResult	select(KeyValue keyValue, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects the public key form the given KeyValue.
protected KeySelectorResult	select(X509Certificate cert, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects the public key from the given X509 certificate and returns an IndependentKeySelectorImpl.X509KeySelectorResultImpl bearing the selected key and the given X509 certificate.
protected KeySelectorResult	select(X509Data x509Data, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a key using the given list of X509Data elements.

Methods inherited from class javax.xml.crypto.KeySelector

singletonKeySelector

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

failReason_

protected String failReason_

The reason why selecting a key failed.

Constructor Detail

IndependentKeySelectorImpl

public IndependentKeySelectorImpl()

Creates a new instance of this KeySelectorImpl.

Method Detail

select

public final KeySelectorResult select(KeyInfo keyInfo,
                                      KeySelector.Purpose purpose,
                                      AlgorithmMethod method,
                                      XMLCryptoContext context)
                               throws KeySelectorException

Attempts to find a key that satisfies the specified constraints from the information provided in the keyInfo.

Specified by:

select in class KeySelector

Parameters:

keyInfo - a KeyInfo (may be null)

purpose - the key's purpose KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT, or KeySelector.Purpose.DECRYPT)

method - the algorithm method that this key is to be used for. Only keys that are compatible with the algorithm and meet the constraints of the specified algorithm should be returned.

context - an XMLCryptoContext that may contain useful information for finding an appropriate key. If this key selector supports resolving RetrievalMethod types, the context's baseURI and dereferencer parameters (if specified) should be used by the selector to resolve and dereference the URI.

Returns:

the result of the key selector

Throws:

KeySelectorException - if an exceptional condition occurs while attempting to find a key. Note that an inability to find a key is not considered an exception (null should be returned in that case). However, an error condition (ex: network communications failure) that prevented the KeySelector from finding a potential key should be considered an exception.

See Also:

KeySelector.select(javax.xml.crypto.dsig.keyinfo.KeyInfo, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext)

newKeyInfoHints

protected IndependentKeySelectorImpl.KeyInfoHints newKeyInfoHints(KeyInfo keyInfo,
                                                                  XMLCryptoContext context)
                                                           throws KeySelectorException

This method returns IndependentKeySelectorImpl.KeyInfoHints which collects the following bits of information from KeyInfo.

• <element ref="ds:KeyName"/>
• <element ref="ds:KeyValue"/>
• <element ref="ds:RetrievalMethod"/>
• <element ref="ds:X509Data"/>
• <element name='EncryptedKey' type='xenc:EncryptedKeyType'/>
• <element name="AgreementMethod" type="xenc:AgreementMethodType"/>

Override this method to return an extended Implementation of IndependentKeySelectorImpl.KeyInfoHints if you need to resolve other KeyInfo information, like

• <element ref="ds:PGPData"/>
• <element ref="ds:SPKIData"/>
• <element ref="ds:MgmtData"/>
• <any processContents="lax" namespace="##other"/> (Other)

Parameters:

keyInfo -

context -

Returns:

the KeyInfoHints.

Throws:

KeySelectorException

select

protected KeySelectorResult select(IndependentKeySelectorImpl.KeyInfoHints hints,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a key when the key is not in the key info.

Overwrite this method to return a key using the hints given in the key info.

Parameters:

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method

context - the context

Returns:

null

Throws:

KeySelectorException

select

protected KeySelectorResult select(EncryptedKey encryptedKey,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a secret key from the given EncryptedKey.

This method tries to decrypt the given EncryptedKey.

Parameters:

encryptedKey - the encrypted key element

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

a secret key

Throws:

KeySelectorException - if an exception occurs during decryption of the encrypted key

select

protected KeySelectorResult select(AgreementMethod agreementMethod,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a key using the given AgreementMethod.

Overwrite this method to return a key in case an AgreementMethod is given.

Parameters:

agreementMethod - the agreement method

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

null

Throws:

KeySelectorException - if an exception occurs during key agreement

select

protected KeySelectorResult select(X509Data x509Data,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a key using the given list of X509Data elements. This method only returns a key within the KeySelectorResult if a X509Certificate element is included in the KeyInfo.
If other X509Data, such as X509IssuerSerial or X509SubjectName, is included, the method checks if this data matches the corresponding data of the X509Certificate. If, for example, the KeyInfo includes a X509Certificate and a X509SubjectName, but the X509SubjectName does not match the SubjectDN (RFC2253 representation) of the certificate, the method will not return a key.

Parameters:

x509Data - a list of X509DataImpls

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

the key selected from the given X509Data, if at least one X509Certificate is included in the KeyInfo and the data of one certificate matches other X509Data (e.g. X509SubjectName, if present. The method does not retrun a key if no X509Certificate is included, even if othe X509Data is present.

Throws:

KeySelectorException - if exception occurs during key selection

convertCertificateChain

public static X509Certificate[] convertCertificateChain(Certificate[] acertificate)
                                                 throws KeySelectorException

Throws:

KeySelectorException

matchIssuerSN

protected boolean matchIssuerSN(X509Certificate cert,
                                X509IssuerSerial issuerSerial)

matchSubjectDN

protected static boolean matchSubjectDN(X509Certificate cert,
                                        String x509SubjectName)

Evaluates if x509SubjectName does match SubjectDN of KeyInfo X509Certificate.

Parameters:

cert -

x509SubjectName -

Returns:

true if x509SubjectName matches SubjectDN of cert.

matchIssuerDN

protected static boolean matchIssuerDN(X509Certificate cert,
                                       X509IssuerSerial issuerSerial)
                                throws KeySelectorException

Evaluates if the issuer DN matches the certificate's issuer DN.

Parameters:

cert - the certificate

issuerSerial -

Returns:

true iff the names match.

Throws:

KeySelectorException

select

protected KeySelectorResult select(KeyValue keyValue,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects the public key form the given KeyValue.

Parameters:

keyValue - the KeyValue element to get the public key from

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

a IndependentKeySelectorImpl bearing the public key from the given KeyValue, or null if the key value is not appropriate for the given method

Throws:

KeySelectorException

select

protected KeySelectorResult select(X509Certificate cert,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects the public key from the given X509 certificate and returns an IndependentKeySelectorImpl.X509KeySelectorResultImpl bearing the selected key and the given X509 certificate.

Overwrite this method if special key treatment is necessary.

Parameters:

cert - the X509 certificate to get the public key from

purpose - the purpose (one of KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT)

method - the algorithm method to get the key for

context - the context

Returns:

a IndependentKeySelectorImpl.X509KeySelectorResultImplbearing the public key from the given certificate and the certificate itself, if the key algorithm is appropriate for the given algorithm method and the purpose is verify or encrypt, otherwise null

Throws:

KeySelectorException - if obtaining the key from the given certificate fails

select

protected KeySelectorResult select(IndependentKeySelectorImpl.KeyInfoHints hints,
                                   KeySelectorResult[] results)

Returns the first result, however if necessary this method can be overidden so that in the case of multiple KeySelectorResults a selection can be done.

Parameters:

hints - the hints to determine the results

results - the potential results

Returns:

the actual result (defaults to results[0])

select

protected KeySelectorResult select(KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Override this method if your application does not take advantage of KeyInfo. It will be called if no KeyInfo is used or did not yield a Result.

Parameters:

purpose - the purpose (one of KeySelector.Purpose.SIGN, KeySelector.Purpose.DECRYPT) KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT)

method - the algorithm method to get the key for

context - the context

Returns:

a KeySelectorResult bearing the private or public key.

Throws:

KeySelectorException - if obtaining the key fails

getFailReason

public String getFailReason()

Returns the reason why selecting a key has failed.

Returns:

The reason why selecting a key has failed.