iaik.xml.crypto.utils

Class KeySelectorImpl

java.lang.Object

javax.xml.crypto.KeySelector

iaik.xml.crypto.utils.KeySelectorImpl

public class KeySelectorImpl
extends KeySelector

A KeySelector implementation that tries to get a public or secret key from the given KeyInfo.

It supports the dereferencing of RetrievalMethods and decryption of EncryptedKeys.

If a public key is required (e.g. for signature validation or for encryption) this KeySelector first tries to find a KeyValue element in the given KeyInfo. Then examines X509Data elements for a appropriate public key and finally looks for raw certificates referenced by a RetrievalMethod.

If a secret key is required this KeySelector looks for EncryptedKeys inside the given KeyInfo and tries to decrypt them. AgreementMethods are not directly supported, however the method select(javax.xml.crypto.enc.keyinfo.AgreementMethod, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext) may be overwritten to add support for key agreement.

The selection of private keys is obviously not supported as private keys should not be present in the KeyInfo in any case.

If this KeySelector is unable to get the requested key from the given KeyInfo select(iaik.xml.crypto.utils.KeySelectorImpl.KeyInfoHints, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext) is called. Overwrite this method to support the retrieval of keys from external sources using the KeySelectorImpl.KeyInfoHints collected from the given KeyInfo.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	KeySelectorImpl.KeyInfoHints This class collects all information found in the KeyInfo.
static class	KeySelectorImpl.KeySelectorResultImpl An implementation of the KeySelectorResult that carries the selected key.
static class	KeySelectorImpl.X509KeySelectorResultImpl An implementation of the KeySelectorResult that carries the selected key and certification and revocation information found in the KeyInfo corresponding to the selected key.

Nested classes/interfaces inherited from class javax.xml.crypto.KeySelector

KeySelector.Purpose

Field Summary

Fields

Modifier and Type	Field and Description
protected String	failReason_ The reason why selecting a key failed.

Constructor Summary

Constructors

Constructor and Description
KeySelectorImpl() Creates a new instance of this KeySelectorImpl.

Method Summary

Modifier and Type	Method and Description
String	getFailReason() Returns the reason why selecting a key has failed.
protected KeyFactory	getKeyFactoryInstance(AlgorithmMethod method, XSecProvider.Purpose purpose) Uses the XSECT delegation mechanism to create an instance of a KeyFactory.
protected static String	getSubjectDN(X509Certificate cert) Get the SubjectDN from the X509Certificate cert.
protected XSecProvider.Purpose	keySelectorPurpose2DelegationPurpose(KeySelector.Purpose purpose) Maps a Purpose on a XSecProvider.Purpose.KeyFactoryPurpose .
protected boolean	matchIssuerDN(X509Certificate cert, X509IssuerSerial issuerSerial) Evaluates if the issuer DN matches the certificate's issuer DN.
protected boolean	matchIssuerSN(X509Certificate cert, X509IssuerSerial issuerSerial) Match the X509Certificate cert IssuerSN against X509IssuerSerial issuerSerial.
protected static boolean	matchSubjectDN(X509Certificate cert, String x509SubjectName) Evaluates if x509SubjectName does match SubjectDN of KeyInfo X509Certificate.
protected KeySelectorImpl.KeyInfoHints	newKeyInfoHints(KeyInfo keyInfo, XMLCryptoContext context) This method returns KeySelectorImpl.KeyInfoHints which collects the following bits of information from KeyInfo.
protected KeySelectorResult	select(AgreementMethod agreementMethod, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a key using the given AgreementMethod.
protected KeySelectorResult	select(EncryptedKey encryptedKey, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a secret key from the given EncryptedKey.
KeySelectorResult	select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Attempts to find a key that satisfies the specified constraints from the information provided in the keyInfo.
protected KeySelectorResult	select(KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Override this method if your application does not take advantage of KeyInfo.
protected KeySelectorResult	select(KeySelectorImpl.KeyInfoHints hints, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a key when the key is not in the key info.
protected KeySelectorResult	select(KeySelectorImpl.KeyInfoHints hints, KeySelectorResult[] results) Returns the first result, however if necessary this method can be overidden so that in the case of multiple KeySelectorResults a selection can be done.
protected KeySelectorResult	select(KeyValue keyValue, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects the public key form the given KeyValue.
protected KeySelectorResult	select(X509Certificate cert, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects the public key from the given X509 certificate and returns an KeySelectorImpl.X509KeySelectorResultImpl bearing the selected key and the given X509 certificate.
protected KeySelectorResult	select(X509Data x509Data, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) Selects a key using the given list of X509Data elements.

Methods inherited from class javax.xml.crypto.KeySelector

singletonKeySelector

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

failReason_

protected String failReason_

The reason why selecting a key failed.

Constructor Detail

KeySelectorImpl

public KeySelectorImpl()

Creates a new instance of this KeySelectorImpl.

Method Detail

select

public final KeySelectorResult select(KeyInfo keyInfo,
                                      KeySelector.Purpose purpose,
                                      AlgorithmMethod method,
                                      XMLCryptoContext context)
                               throws KeySelectorException

Attempts to find a key that satisfies the specified constraints from the information provided in the keyInfo.

Specified by:

select in class KeySelector

Parameters:

keyInfo - a KeyInfo (may be null)

purpose - the key's purpose KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT, or KeySelector.Purpose.DECRYPT)

method - the algorithm method that this key is to be used for. Only keys that are compatible with the algorithm and meet the constraints of the specified algorithm should be returned.

context - an XMLCryptoContext that may contain useful information for finding an appropriate key. If this key selector supports resolving RetrievalMethod types, the context's baseURI and dereferencer parameters (if specified) should be used by the selector to resolve and dereference the URI.

Returns:

the result of the key selector

Throws:

KeySelectorException - if an exceptional condition occurs while attempting to find a key. Note that an inability to find a key is not considered an exception (null should be returned in that case). However, an error condition (ex: network communications failure) that prevented the KeySelector from finding a potential key should be considered an exception.

See Also:

KeySelector.select(javax.xml.crypto.dsig.keyinfo.KeyInfo, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext)

keySelectorPurpose2DelegationPurpose

protected XSecProvider.Purpose keySelectorPurpose2DelegationPurpose(KeySelector.Purpose purpose)
                                                             throws KeySelectorException

Maps a Purpose on a XSecProvider.Purpose.KeyFactoryPurpose .

Parameters:

purpose - for which the key is to be selected.

Returns:

the purpose used in the delegation mechanism.

Throws:

KeySelectorException - if the purpose is null or a purpose of a newer API not mapped.

newKeyInfoHints

protected KeySelectorImpl.KeyInfoHints newKeyInfoHints(KeyInfo keyInfo,
                                                       XMLCryptoContext context)
                                                throws KeySelectorException

This method returns KeySelectorImpl.KeyInfoHints which collects the following bits of information from KeyInfo.

• <element ref="ds:KeyName"/>
• <element ref="ds:KeyValue"/>
• <element ref="ds:RetrievalMethod"/>
• <element ref="ds:X509Data"/>
• <element name='EncryptedKey' type='xenc:EncryptedKeyType'/>
• <element name="AgreementMethod" type="xenc:AgreementMethodType"/>

Override this method to return an extended Implementation of KeySelectorImpl.KeyInfoHints if you need to resolve other KeyInfo information, like

• <element ref="ds:PGPData"/>
• <element ref="ds:SPKIData"/>
• <element ref="ds:MgmtData"/>
• <any processContents="lax" namespace="##other"/> (Other)

Parameters:

keyInfo -

context -

Returns:

the KeyInfoHints.

Throws:

KeySelectorException

select

protected KeySelectorResult select(KeySelectorImpl.KeyInfoHints hints,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a key when the key is not in the key info.

Overwrite this method to return a key using the hints given in the key info.

Parameters:

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method

context - the context

Returns:

null

Throws:

KeySelectorException

select

protected KeySelectorResult select(EncryptedKey encryptedKey,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a secret key from the given EncryptedKey.

This method tries to decrypt the given EncryptedKey.

Parameters:

encryptedKey - the encrypted key element

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

a secret key

Throws:

KeySelectorException - if an exception occurs during decryption of the encrypted key

select

protected KeySelectorResult select(AgreementMethod agreementMethod,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a key using the given AgreementMethod.

Overwrite this method to return a key in case an AgreementMethod is given.

Parameters:

agreementMethod - the agreement method

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

null

Throws:

KeySelectorException - if an exception occurs during key agreement

select

protected KeySelectorResult select(X509Data x509Data,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects a key using the given list of X509Data elements. This method only returns a key within the KeySelectorResult if a X509Certificate element is included in the KeyInfo.
If other X509Data, such as X509IssuerSerial or X509SubjectName, is included, the method checks if this data matches the corresponding data of the X509Certificate. If, for example, the KeyInfo includes a X509Certificate and a X509SubjectName, but the X509SubjectName does not match the SubjectDN (RFC2253 representation) of the certificate, the method will not return a key.

Parameters:

x509Data - a list of X509DataImpls

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

the key selected from the given X509Data, if at least one X509Certificate is included in the KeyInfo and the data of one certificate matches other X509Data (e.g. X509SubjectName, if present. The method does not retrun a key if no X509Certificate is included, even if othe X509Data is present.

Throws:

KeySelectorException - if exception occurs during key selection

matchIssuerSN

protected boolean matchIssuerSN(X509Certificate cert,
                                X509IssuerSerial issuerSerial)

Match the X509Certificate cert IssuerSN against X509IssuerSerial issuerSerial.

Returns:

true iff matches.

getSubjectDN

protected static String getSubjectDN(X509Certificate cert)
                              throws RFC2253NameParserException

Get the SubjectDN from the X509Certificate cert.

Parameters:

cert - the certificate.

Returns:

the String representation of the SubjectDN.

Throws:

RFC2253NameParserException

matchSubjectDN

protected static boolean matchSubjectDN(X509Certificate cert,
                                        String x509SubjectName)
                                 throws RFC2253NameParserException

Evaluates if x509SubjectName does match SubjectDN of KeyInfo X509Certificate.

Parameters:

cert -

x509SubjectName -

Returns:

true if x509SubjectName matches SubjectDN of cert

Throws:

RFC2253NameParserException

matchIssuerDN

protected boolean matchIssuerDN(X509Certificate cert,
                                X509IssuerSerial issuerSerial)
                         throws RFC2253NameParserException

Evaluates if the issuer DN matches the certificate's issuer DN.

Parameters:

cert -

issuerSerial -

Returns:

true iff the names match.

Throws:

RFC2253NameParserException

select

protected KeySelectorResult select(KeyValue keyValue,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects the public key form the given KeyValue.

Parameters:

keyValue - the KeyValue element to get the public key from

purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.

method - the algorithm method to get the key for

context - the context

Returns:

a KeySelectorImpl bearing the public key from the given KeyValue, or null if the key value is not appropriate for the given method

Throws:

KeySelectorException

select

protected KeySelectorResult select(X509Certificate cert,
                                   KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Selects the public key from the given X509 certificate and returns an KeySelectorImpl.X509KeySelectorResultImpl bearing the selected key and the given X509 certificate.

Overwrite this method if special key treatment is necessary.

Parameters:

cert - the X509 certificate to get the public key from

purpose - the purpose (one of KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT)

method - the algorithm method to get the key for

context - the context

Returns:

a KeySelectorImpl.X509KeySelectorResultImplbearing the public key from the given certificate and the certificate itself, if the key algorithm is appropriate for the given algorithm method and the purpose is verify or encrypt, otherwise null

Throws:

KeySelectorException - if obtaining the key from the given certificate fails

select

protected KeySelectorResult select(KeySelectorImpl.KeyInfoHints hints,
                                   KeySelectorResult[] results)

Returns the first result, however if necessary this method can be overidden so that in the case of multiple KeySelectorResults a selection can be done.

Parameters:

hints - the hints to determine the results

results - the potential results

Returns:

the actual result (defaults to results[0])

select

protected KeySelectorResult select(KeySelector.Purpose purpose,
                                   AlgorithmMethod method,
                                   XMLCryptoContext context)
                            throws KeySelectorException

Override this method if your application does not take advantage of KeyInfo. It will be called if no KeyInfo is used or did not yield a Result.

Parameters:

purpose - the purpose (one of KeySelector.Purpose.SIGN, KeySelector.Purpose.DECRYPT) KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT)

method - the algorithm method to get the key for

context - the context

Returns:

a KeySelectorResult bearing the private or public key.

Throws:

KeySelectorException - if obtaining the key fails

getFailReason

public String getFailReason()

Returns the reason why selecting a key has failed.

Returns:

The reason why selecting a key has failed.

getKeyFactoryInstance

protected KeyFactory getKeyFactoryInstance(AlgorithmMethod method,
                                           XSecProvider.Purpose purpose)
                                    throws NoSuchAlgorithmException

Uses the XSECT delegation mechanism to create an instance of a KeyFactory.

Parameters:

method - The AlgorithmMethod to create the factory for.

purpose - A XSecProvider.Purpose.

Returns:

An instance of a KeyFactory. Maybe null.

Throws:

NoSuchAlgorithmException