public class KeySelectorImpl extends KeySelector

KeySelector implementation that tries to get a public or secret key from the given KeyInfo. It supports the dereferencing of RetrievalMethods and the decryption of EncryptedKeys.

If a public key is required (e.g. for signature validation or for encryption), this KeySelector first tries to find a KeyValue element in the given KeyInfo. It then examines X509Data elements for an appropriate public key and finally looks for raw certificates referenced by a RetrievalMethod.

If a secret key is required, this KeySelector looks for EncryptedKeys inside the given KeyInfo and tries to decrypt them.

AgreementMethods are not directly supported; however, the method select(javax.xml.crypto.enc.keyinfo.AgreementMethod, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext) may be overridden to add support for key agreement.

The selection of private keys is not supported, as private keys should never be present in a KeyInfo.

If this KeySelector is unable to get the requested key from the given KeyInfo, select(iaik.xml.crypto.utils.KeySelectorImpl.KeyInfoHints, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext) is called. Override this method to support the retrieval of keys from external sources using the KeySelectorImpl.KeyInfoHints collected from the given KeyInfo.
Modifier and Type | Class and Description
---|---
static class | KeySelectorImpl.KeyInfoHints: This class collects all information found in the KeyInfo.
static class | KeySelectorImpl.KeySelectorResultImpl: An implementation of the KeySelectorResult that carries the selected key.
static class | KeySelectorImpl.X509KeySelectorResultImpl: An implementation of the KeySelectorResult that carries the selected key and the certification and revocation information found in the KeyInfo corresponding to the selected key.

Nested classes/interfaces inherited from class javax.xml.crypto.KeySelector: KeySelector.Purpose
Modifier and Type | Field and Description
---|---
protected String | failReason_: The reason why selecting a key failed.

Constructor and Description
---
KeySelectorImpl(): Creates a new instance of this KeySelectorImpl.
Modifier and Type | Method and Description
---|---
String | getFailReason(): Returns the reason why selecting a key has failed.
protected KeyFactory | getKeyFactoryInstance(AlgorithmMethod method, XSecProvider.Purpose purpose): Uses the XSECT delegation mechanism to create an instance of a KeyFactory.
protected static String | getSubjectDN(X509Certificate cert): Gets the SubjectDN from the X509Certificate cert.
protected XSecProvider.Purpose | keySelectorPurpose2DelegationPurpose(KeySelector.Purpose purpose): Maps a Purpose on a XSecProvider.Purpose.KeyFactoryPurpose.
protected boolean | matchIssuerDN(X509Certificate cert, X509IssuerSerial issuerSerial): Evaluates if the issuer DN matches the certificate's issuer DN.
protected boolean | matchIssuerSN(X509Certificate cert, X509IssuerSerial issuerSerial): Matches the IssuerSN of the X509Certificate cert against the X509IssuerSerial issuerSerial.
protected static boolean | matchSubjectDN(X509Certificate cert, String x509SubjectName): Evaluates if x509SubjectName matches the SubjectDN of the KeyInfo X509Certificate.
protected KeySelectorImpl.KeyInfoHints | newKeyInfoHints(KeyInfo keyInfo, XMLCryptoContext context): Returns KeySelectorImpl.KeyInfoHints, which collects information from the KeyInfo.
protected KeySelectorResult | select(AgreementMethod agreementMethod, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Selects a key using the given AgreementMethod.
protected KeySelectorResult | select(EncryptedKey encryptedKey, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Selects a secret key from the given EncryptedKey.
KeySelectorResult | select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Attempts to find a key that satisfies the specified constraints from the information provided in the keyInfo.
protected KeySelectorResult | select(KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Override this method if your application does not take advantage of KeyInfo.
protected KeySelectorResult | select(KeySelectorImpl.KeyInfoHints hints, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Selects a key when the key is not in the key info.
protected KeySelectorResult | select(KeySelectorImpl.KeyInfoHints hints, KeySelectorResult[] results): Returns the first result; if necessary, this method can be overridden so that a selection can be made among multiple KeySelectorResults.
protected KeySelectorResult | select(KeyValue keyValue, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Selects the public key from the given KeyValue.
protected KeySelectorResult | select(X509Certificate cert, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Selects the public key from the given X509 certificate and returns a KeySelectorImpl.X509KeySelectorResultImpl bearing the selected key and the given X509 certificate.
protected KeySelectorResult | select(X509Data x509Data, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context): Selects a key using the given list of X509Data elements.
Methods inherited from class javax.xml.crypto.KeySelector: singletonKeySelector

Field Detail

protected String failReason_

The reason why selecting a key failed.

Constructor Detail

public KeySelectorImpl()

Creates a new instance of this KeySelectorImpl.

Method Detail
public final KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Attempts to find a key that satisfies the specified constraints from the information provided in the keyInfo.

Specified by: select in class KeySelector

Parameters:
keyInfo - a KeyInfo (may be null)
purpose - the key's purpose (KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT, or KeySelector.Purpose.DECRYPT)
method - the algorithm method that this key is to be used for. Only keys that are compatible with the algorithm and meet the constraints of the specified algorithm should be returned.
context - an XMLCryptoContext that may contain useful information for finding an appropriate key. If this key selector supports resolving RetrievalMethod types, the context's baseURI and dereferencer parameters (if specified) should be used by the selector to resolve and dereference the URI.

Throws:
KeySelectorException - if an exceptional condition occurs while attempting to find a key. Note that an inability to find a key is not considered an exception (null should be returned in that case). However, an error condition (ex: network communications failure) that prevented the KeySelector from finding a potential key should be considered an exception.

See Also: KeySelector.select(javax.xml.crypto.dsig.keyinfo.KeyInfo, javax.xml.crypto.KeySelector.Purpose, javax.xml.crypto.AlgorithmMethod, javax.xml.crypto.XMLCryptoContext)
protected XSecProvider.Purpose keySelectorPurpose2DelegationPurpose(KeySelector.Purpose purpose) throws KeySelectorException

Maps a Purpose on a XSecProvider.Purpose.KeyFactoryPurpose.

Parameters:
purpose - the purpose for which the key is to be selected.

Throws:
KeySelectorException - if the purpose is null or a purpose of a newer API that is not mapped.

protected KeySelectorImpl.KeyInfoHints newKeyInfoHints(KeyInfo keyInfo, XMLCryptoContext context) throws KeySelectorException

This method returns KeySelectorImpl.KeyInfoHints, which collects the following bits of information from the KeyInfo. KeySelectorImpl.KeyInfoHints if you need to resolve other KeyInfo information, like

Parameters:
keyInfo -
context -

Throws:
KeySelectorException
protected KeySelectorResult select(KeySelectorImpl.KeyInfoHints hints, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Selects a key when the key is not in the key info. Override this method to return a key using the hints collected from the key info.

Parameters:
hints - the KeySelectorImpl.KeyInfoHints collected from the given KeyInfo
purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.
method - the algorithm method
context - the context

Returns: null

Throws:
KeySelectorException
protected KeySelectorResult select(EncryptedKey encryptedKey, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Selects a secret key from the given EncryptedKey. This method tries to decrypt the given EncryptedKey.

Parameters:
encryptedKey - the encrypted key element
purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.
method - the algorithm method to get the key for
context - the context

Throws:
KeySelectorException - if an exception occurs during decryption of the encrypted key

protected KeySelectorResult select(AgreementMethod agreementMethod, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Selects a key using the given AgreementMethod. Override this method to return a key in case an AgreementMethod is given.

Parameters:
agreementMethod - the agreement method
purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.
method - the algorithm method to get the key for
context - the context

Returns: null

Throws:
KeySelectorException - if an exception occurs during key agreement

protected KeySelectorResult select(X509Data x509Data, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Selects a key using the given list of X509Data elements. This method only returns a key within the KeySelectorResult if an X509Certificate element is included in the KeyInfo. If other X509Data, such as X509IssuerSerial or X509SubjectName, is included, the method checks whether this data matches the corresponding data of the X509Certificate. If, for example, the KeyInfo includes an X509Certificate and an X509SubjectName, but the X509SubjectName does not match the SubjectDN (RFC 2253 representation) of the certificate, the method will not return a key.

Parameters:
x509Data - a list of X509DataImpls
purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.
method - the algorithm method to get the key for
context - the context

Returns: a key only if an X509Certificate is included in the KeyInfo and the data of one certificate matches the other X509Data (e.g. X509SubjectName), if present. The method does not return a key if no X509Certificate is included, even if other X509Data is present.

Throws:
KeySelectorException - if an exception occurs during key selection

protected boolean matchIssuerSN(X509Certificate cert, X509IssuerSerial issuerSerial)

Matches the IssuerSN of the X509Certificate cert against the X509IssuerSerial issuerSerial.

protected static String getSubjectDN(X509Certificate cert) throws RFC2253NameParserException

Gets the SubjectDN from the X509Certificate cert.

Parameters:
cert - the certificate.

Returns: String representation of the SubjectDN.

Throws:
RFC2253NameParserException
protected static boolean matchSubjectDN(X509Certificate cert, String x509SubjectName) throws RFC2253NameParserException

Evaluates if x509SubjectName matches the SubjectDN of the KeyInfo X509Certificate.

Parameters:
cert -
x509SubjectName -

Throws:
RFC2253NameParserException
protected boolean matchIssuerDN(X509Certificate cert, X509IssuerSerial issuerSerial) throws RFC2253NameParserException

Evaluates if the issuer DN matches the certificate's issuer DN.

Parameters:
cert -
issuerSerial -

Throws:
RFC2253NameParserException
protected KeySelectorResult select(KeyValue keyValue, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Selects the public key from the given KeyValue.

Parameters:
keyValue - the KeyValue element to get the public key from
purpose - one of KeySelector.Purpose.SIGN, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT or KeySelector.Purpose.DECRYPT.
method - the algorithm method to get the key for
context - the context

Returns: a KeySelectorResult bearing the public key from the given KeyValue, or null if the key value is not appropriate for the given method

Throws:
KeySelectorException
protected KeySelectorResult select(X509Certificate cert, KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Selects the public key from the given X509 certificate and returns a KeySelectorImpl.X509KeySelectorResultImpl bearing the selected key and the given X509 certificate. Override this method if special key treatment is necessary.

Parameters:
cert - the X509 certificate to get the public key from
purpose - the purpose (one of KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT)
method - the algorithm method to get the key for
context - the context

Returns: a KeySelectorImpl.X509KeySelectorResultImpl bearing the public key from the given certificate and the certificate itself, if the key algorithm is appropriate for the given algorithm method and the purpose is verify or encrypt; otherwise null

Throws:
KeySelectorException - if obtaining the key from the given certificate fails

protected KeySelectorResult select(KeySelectorImpl.KeyInfoHints hints, KeySelectorResult[] results)

Returns the first result; if necessary, this method can be overridden so that a selection can be made among multiple KeySelectorResults.

Parameters:
hints - the hints to determine the results
results - the potential results

protected KeySelectorResult select(KeySelector.Purpose purpose, AlgorithmMethod method, XMLCryptoContext context) throws KeySelectorException

Override this method if your application does not take advantage of KeyInfo. It will be called if no KeyInfo is used or the KeyInfo did not yield a result.

Parameters:
purpose - the purpose (one of KeySelector.Purpose.SIGN, KeySelector.Purpose.DECRYPT, KeySelector.Purpose.VERIFY, KeySelector.Purpose.ENCRYPT)
method - the algorithm method to get the key for
context - the context

Returns: a KeySelectorResult bearing the private or public key.

Throws:
KeySelectorException - if obtaining the key fails

public String getFailReason()

Returns the reason why selecting a key has failed.
protected KeyFactory getKeyFactoryInstance(AlgorithmMethod method, XSecProvider.Purpose purpose) throws NoSuchAlgorithmException

Uses the XSECT delegation mechanism to create an instance of a KeyFactory.

Parameters:
method - The AlgorithmMethod to create the factory for.
purpose - A XSecProvider.Purpose.

Returns: a KeyFactory, or null.

Throws:
NoSuchAlgorithmException
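The class description and the details of select(KeySelectorImpl.KeyInfoHints, KeySelector.Purpose, AlgorithmMethod, XMLCryptoContext) and select(KeySelectorImpl.KeyInfoHints, KeySelectorResult[]) above describe the two hooks an application is expected to override. The subclass below is an added example, not code from XSECT or IAIK; it assumes only what this page states (the two protected select overloads, the protected failReason_ field, the KeyInfoHints nested class) plus the standard JSR 105 types. The context property name pinnedKeyId, the PinnedKeySelector class itself and the keyFitsAlgorithm helper are hypothetical application conventions. The defensive point it shows: when the KeyInfo did not yield a key, the fallback serves only keys the application already holds and selects them by an identifier the application put into the context, so nothing the document's author wrote into KeyInfo can introduce a new key; and when the KeyInfo yields several candidates, it reports the ambiguity through getFailReason() instead of silently taking the first one as the default implementation does.

```java
import java.security.Key;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;

import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;

import iaik.xml.crypto.utils.KeySelectorImpl;

/**
 * Example subclass (hypothetical, not part of XSECT). Public keys for VERIFY and ENCRYPT
 * come from an application-controlled key store rather than from the KeyInfo, and a
 * KeyInfo that yields several candidate keys is rejected instead of using the first one.
 */
public class PinnedKeySelector extends KeySelectorImpl {

    /** Hypothetical context property under which the application names the expected key. */
    public static final String KEY_ID_PROPERTY = "pinnedKeyId";

    /** Key id -> public key, filled by the application, never from the document. */
    private final Map<String, PublicKey> trustedKeys = new HashMap<String, PublicKey>();

    public PinnedKeySelector(Map<String, PublicKey> keys) {
        trustedKeys.putAll(keys);
    }

    /**
     * Called by KeySelectorImpl only when the KeyInfo did not yield a key. The hints are
     * deliberately not consulted: the key id is taken from the context the application set up.
     */
    @Override
    protected KeySelectorResult select(KeySelectorImpl.KeyInfoHints hints, KeySelector.Purpose purpose,
                                       AlgorithmMethod method, XMLCryptoContext context)
            throws KeySelectorException {
        if (purpose != KeySelector.Purpose.VERIFY && purpose != KeySelector.Purpose.ENCRYPT) {
            // Private and secret keys are not served here. Returning null is the documented
            // "no key found" signal; KeySelectorException is reserved for real errors.
            failReason_ = "pinned key store serves public keys only (purpose " + purpose + ")";
            return null;
        }
        Object keyId = context.getProperty(KEY_ID_PROPERTY);
        if (keyId == null) {
            failReason_ = "context property " + KEY_ID_PROPERTY + " not set";
            return null;
        }
        final PublicKey key = trustedKeys.get(keyId.toString());
        if (key == null) {
            failReason_ = "no pinned key with id " + keyId;
            return null;
        }
        if (!keyFitsAlgorithm(key, method.getAlgorithm())) {
            failReason_ = key.getAlgorithm() + " key does not fit algorithm " + method.getAlgorithm();
            return null;
        }
        return new KeySelectorResult() {
            public Key getKey() { return key; }
        };
    }

    /** Refuse to guess when the KeyInfo produced more than one candidate (the default takes the first). */
    @Override
    protected KeySelectorResult select(KeySelectorImpl.KeyInfoHints hints, KeySelectorResult[] results) {
        if (results == null || results.length == 0) {
            return null;
        }
        if (results.length > 1) {
            failReason_ = "KeyInfo yielded " + results.length + " candidate keys; refusing to choose";
            return null;
        }
        return results[0];
    }

    /**
     * Coarse compatibility check between the JCA key algorithm and the XML Signature /
     * XML Encryption algorithm URI, e.g. an RSA key for ...#rsa-sha256 or ...#rsa-oaep-mgf1p.
     */
    static boolean keyFitsAlgorithm(PublicKey key, String algorithmUri) {
        if (algorithmUri == null) {
            return false;
        }
        String uri = algorithmUri.toLowerCase();
        String jca = key.getAlgorithm().toUpperCase();
        if ("RSA".equals(jca)) {
            return uri.contains("#rsa-");
        }
        if ("EC".equals(jca) || "ECDSA".equals(jca)) {
            return uri.contains("#ecdsa-");
        }
        if ("DSA".equals(jca)) {
            return uri.contains("#dsa-");
        }
        return false;
    }
}
```

To use it for signature validation, construct a javax.xml.crypto.dsig.dom.DOMValidateContext with the selector and the Signature element, call setProperty(PinnedKeySelector.KEY_ID_PROPERTY, "<your key id>") on the context before XMLSignature.validate(context), and register the XSECT provider as IAIK documents. When validation fails because no key was selected, getFailReason() tells you which of the checks above rejected it, which is what you want in a log line rather than a bare "no key found".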
© 2002-2005 IAIK, © 2004, 2006 - 2019 Stiftung SIC