Class TruststoreHelper


  • public class TruststoreHelper
    extends java.lang.Object
    Helper class containing parsing methods for managing trust in MessageSecurityProviders, providing a common way to handle trust stores across providers such as SimpleMessageSecurityProvider and PKCS11MessageSecurityProvider.
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  TruststoreHelper.ExtendedKeyUsageChecker
      Special class for handling certificate validation of chains that contain a critical extended key usage.
    • Constructor Summary

      Constructors 
      Constructor Description
      TruststoreHelper(java.util.Properties config, java.security.KeyStore trustStore, java.lang.String settingPrefix)
      Constructor of TruststoreHelper parsing settings.
    • Method Summary

      Modifier and Type Method Description
      protected boolean checkCertificateMatchFromTruststore(java.security.cert.X509Certificate certificate)
      Method to check that the given certificate exists in the related trust store.
      protected org.bouncycastle.asn1.ASN1ObjectIdentifier getMatchSubjectField(java.lang.String trustStoreMatchFieldName, java.lang.String settingPrefix)
      Help method to fetch configured match subject field from configuration.
      protected java.lang.String getMatchSubjectValue(java.util.Properties config, java.lang.String settingPrefix)
      Help method to fetch configured match subject value from configuration.
      protected java.lang.String getTrustStoreType(java.util.Properties config, java.lang.String settingPrefix)
      Help method to parse truststore type used.
      boolean isTrusted(ContextMessageSecurityProvider.Context context, java.security.cert.X509Certificate signCertificate)
      Method in charge of validating that a certificate is trusted by the message security provider.
      protected boolean matchCertificateField(java.security.cert.X509Certificate certificate)
      Help method to check if a certificate contains a specific field value.
      protected boolean useSubjectMatch(java.util.Properties config, java.lang.String settingPrefix)
      Help method to parse whether truststore subject match should be used.
      protected boolean validateCertificateChain(java.security.cert.X509Certificate certificate)
      Help method to validate the certificate chain related to
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • TRUSTKEYSTORE_TYPE_ENDENTITY

        public static java.lang.String TRUSTKEYSTORE_TYPE_ENDENTITY
      • TRUSTKEYSTORE_TYPE_CA

        public static java.lang.String TRUSTKEYSTORE_TYPE_CA
      • SETTING_TRUSTKEYSTORE_TYPE

        public static final java.lang.String SETTING_TRUSTKEYSTORE_TYPE
        Setting defining the type of trust store used; can be either CA or ENDENTITY depending on the trust policy used. If CA, the trust store should contain the issuer of a received signing certificate (from other parties), and if ENDENTITY, it should contain the actual trusted signing certificates.
        If CA is used, the settings simplesecurityprovider.trustkeystore.matchdnfield and simplesecurityprovider.trustkeystore.matchdnvalue should be set to authorize who can send messages. Default value: ENDENTITY
        See Also:
        Constant Field Values
      • DEFAULT_TRUSTKEYSTORE_TYPE

        public static final java.lang.String DEFAULT_TRUSTKEYSTORE_TYPE
      • SETTING_TRUSTKEYSTORE_PATH

        public static final java.lang.String SETTING_TRUSTKEYSTORE_PATH
        Setting indicating the path to the trust JKS key store (required)
        See Also:
        Constant Field Values
      • SETTING_TRUSTKEYSTORE_PASSWORD

        public static final java.lang.String SETTING_TRUSTKEYSTORE_PASSWORD
        Setting indicating the password to the trust JKS key store (required)
        See Also:
        Constant Field Values
      • SETTING_TRUSTKEYSTORE_MATCHSUBJECT

        public static final java.lang.String SETTING_TRUSTKEYSTORE_MATCHSUBJECT
        Setting used if truststore type is CA; indicates that a subject DN check should be added to authorize the sender. If the setting below is false, all messages signed with a certificate issued by any CA trusted by the configuration will be accepted. Default: true
        See Also:
        Constant Field Values
      • DEFAULT_TRUSTKEYSTORE_MATCHSUBJECT

        public static final java.lang.String DEFAULT_TRUSTKEYSTORE_MATCHSUBJECT
        See Also:
        Constant Field Values
      • SETTING_TRUSTKEYSTORE_MATCHDNFIELD

        public static final java.lang.String SETTING_TRUSTKEYSTORE_MATCHDNFIELD
        Setting indicating which field in the client certificate subject DN should be matched, for example "OU", "O" or "CN". Required if truststore type is CA and matchsubject is true.
        See Also:
        Constant Field Values
      • SETTING_TRUSTKEYSTORE_MATCHDNVALUE

        public static final java.lang.String SETTING_TRUSTKEYSTORE_MATCHDNVALUE
        Setting indicating the value that should be matched (case-sensitive) in the subject DN. For example, if set to "frontend" and matchdnfield is "OU", only systems that have a trusted client certificate with a subject DN containing "OU=frontend" will be accepted. Required if truststore type is CA and matchsubject is true.
        See Also:
        Constant Field Values
    • Constructor Detail

      • TruststoreHelper

        public TruststoreHelper(java.util.Properties config,
                                java.security.KeyStore trustStore,
                                java.lang.String settingPrefix)
                         throws MessageProcessingException
        Constructor of TruststoreHelper parsing settings.
        Parameters:
        config - the message security provider settings.
        trustStore - related truststore keystore.
        settingPrefix - prefix setting used by related provider.
        Throws:
        MessageProcessingException - if misconfiguration is found.
    • Method Detail

      • isTrusted

        public boolean isTrusted(ContextMessageSecurityProvider.Context context,
                                 java.security.cert.X509Certificate signCertificate)
                          throws java.lang.IllegalArgumentException,
                                 MessageProcessingException
        Method in charge of validating that a certificate is trusted by the message security provider.
        Parameters:
        context - is currently ignored.
        signCertificate - the certificate used to sign the message.
        Returns:
        true if the sign certificate is valid and authorized to sign messages.
        Throws:
        java.lang.IllegalArgumentException - if arguments were invalid.
        MessageProcessingException - if internal error occurred validating the certificate.
      • getTrustStoreType

        protected java.lang.String getTrustStoreType(java.util.Properties config,
                                                     java.lang.String settingPrefix)
                                              throws MessageProcessingException
        Help method to parse truststore type used.
        Parameters:
        config - the message security provider configuration
        settingPrefix - prefix setting used by related provider.
        Returns:
        one of the accepted types, CA or ENDENTITY
        Throws:
        MessageProcessingException - if invalid type configuration was found.
      • useSubjectMatch

        protected boolean useSubjectMatch(java.util.Properties config,
                                          java.lang.String settingPrefix)
                                   throws MessageProcessingException
        Help method to parse whether truststore subject match should be used.
        Parameters:
        config - the message security provider configuration
        settingPrefix - prefix setting used by related provider.
        Returns:
        true if subject match should be used.
        Throws:
        MessageProcessingException - if invalid type configuration was found.
      • getMatchSubjectField

        protected org.bouncycastle.asn1.ASN1ObjectIdentifier getMatchSubjectField(java.lang.String trustStoreMatchFieldName,
                                                                                  java.lang.String settingPrefix)
                                                                           throws MessageProcessingException
        Help method to fetch configured match subject field from configuration.
        Parameters:
        trustStoreMatchFieldName - the configured subject dn name value.
        settingPrefix - prefix setting used by related provider.
        Returns:
        the configured dn value to use when matching subject.
        Throws:
        MessageProcessingException - if the setting wasn't set or had an invalid value.
      • getMatchSubjectValue

        protected java.lang.String getMatchSubjectValue(java.util.Properties config,
                                                        java.lang.String settingPrefix)
                                                 throws MessageProcessingException
        Help method to fetch configured match subject value from configuration.
        Parameters:
        config - the message security provider configuration
        settingPrefix - prefix setting used by related provider.
        Returns:
        the configured dn value to use when matching subject.
        Throws:
        MessageProcessingException - if the setting wasn't set or had an invalid value.
      • validateCertificateChain

        protected boolean validateCertificateChain(java.security.cert.X509Certificate certificate)
        Help method to validate the certificate chain related to
        Parameters:
        certificate - the certificate to validate against the trust store.
        Returns:
        true if chain validates successfully.
      • matchCertificateField

        protected boolean matchCertificateField(java.security.cert.X509Certificate certificate)
        Help method to check if a certificate contains a specific field value.
        Parameters:
        certificate - the certificate to match against configuration.
        Returns:
        true if fields match
      • checkCertificateMatchFromTruststore

        protected boolean checkCertificateMatchFromTruststore(java.security.cert.X509Certificate certificate)
                                                       throws MessageProcessingException
        Method to check that the given certificate exists in the related trust store. Used if truststore mode is ENDENTITY.
        Parameters:
        certificate - the certificate to lookup.
        Returns:
        true if the certificate exists in trust store.
        Throws:
        MessageProcessingException - if problems detected checking the trust store.
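
The trust decision described by the trust store settings and by isTrusted above (ENDENTITY versus CA, with optional subject DN matching) can be sketched with standard JDK APIs. This is an added example, not the project's own implementation: the class TrustPolicySketch, its method names and the sample DNs are assumptions for illustration, and the subject check here compares parsed RDN values exactly instead of searching the DN string.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.List;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Added sketch: hypothetical class and method names, not the library's code.
public class TrustPolicySketch {
    // ENDENTITY mode: the signing certificate itself must be an entry in the trust store.
    static boolean inTrustStore(KeyStore trustStore, X509Certificate cert) throws Exception {
        return trustStore.getCertificateAlias(cert) != null;
    }

    // CA mode, step 1: the certificate must chain to a CA held in the trust store.
    static boolean chainsToTrustedCa(KeyStore trustStore, X509Certificate cert) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(List.of(cert));
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: offline sketch; enable revocation in production
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false; // expired, wrong issuer, bad signature, ...
        }
    }

    // CA mode, step 2: compare one parsed RDN, case-sensitively, never the DN as a substring.
    static boolean subjectMatches(X500Principal subject, String field, String value) throws Exception {
        for (Rdn rdn : new LdapName(subject.getName()).getRdns()) {
            Attribute attr = rdn.toAttributes().get(field); // attribute type lookup ignores case
            if (attr != null && attr.contains(value)) return true; // value compared with equals()
        }
        return false;
    }
    static boolean isTrusted(KeyStore ts, X509Certificate cert, String type, boolean matchSubject,
                             String field, String value) throws Exception {
        if ("ENDENTITY".equals(type)) return inTrustStore(ts, cert);
        if (!"CA".equals(type)) throw new IllegalArgumentException("unknown trust store type: " + type);
        return chainsToTrustedCa(ts, cert)
            && (!matchSubject || subjectMatches(cert.getSubjectX500Principal(), field, value));
    }
    public static void main(String[] args) throws Exception {
        // Constructed subject DNs for illustration.
        System.out.println(subjectMatches(new X500Principal("CN=app1,OU=frontend,O=Example"), "OU", "frontend"));
        System.out.println(subjectMatches(new X500Principal("CN=app2,OU=frontend-test,O=Example"), "OU", "frontend"));
        System.out.println(subjectMatches(new X500Principal("CN=app3,OU=Frontend,O=Example"), "OU", "frontend"));
    }
}
```

The second and third constructed DNs show the cases an exact, case-sensitive RDN comparison rejects: a longer OU value that merely starts with the configured value, and a value differing only in case.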