issrg.security
Class DefaultVerifier

java.lang.Object
  extended by issrg.security.DefaultVerifier
All Implemented Interfaces:
Verifier
Direct Known Subclasses:
DefaultSecurity, SamlPKCHandler

public class DefaultVerifier
extends java.lang.Object
implements Verifier

This is the default implementation of a Verifier. It can validate signatures on the given objects. This component doesn't require any user interaction and can be used in interface-less applications (e.g. servers).

This default security supports:

Author:
A.Otenko

Constructor Summary
DefaultVerifier()
          This constructor initialises the DefaultVerifier.
 
Method Summary
 PKCRepository getPKCRepository()
          Gets the repository that will be used to retrieve user's signature verification Public Key Certificates.
 java.security.cert.X509Certificate[] getRootCAs()
          This method returns the array of PKCs of multiple roots of trust.
 java.security.cert.X509Certificate[] getVerificationCertificates(TokenLocator signerName)
          Retrieves the valid certificates of the signer.
 void setPKCRepository(PKCRepository repository)
          Sets the repository that will be used to retrieve user's signature verification Public Key Certificates.
 void setRootCA(byte[] pkc)
          Sets the root CA by specifying its PKC.
 void setRootCA(java.security.cert.X509Certificate pkc)
          Sets the root CA by specifying its PKC.
 void setRootCAs(byte[][] pkcs)
          This method lets you specify multiple Root CAs.
 void setRootCAs(java.security.cert.X509Certificate[] pkcs)
          This method sets multiple roots of trust by providing their X.509 PKCs.
 boolean verify(byte[] data, byte[] signature, java.lang.String algorithmID, java.security.cert.X509Certificate[] certs)
          This method verifies a signature on the data.
 boolean verifyByRoot(byte[] data, byte[] signature, java.lang.String algorithmID)
          This method checks if the given data was signed by any of the Root CAs.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DefaultVerifier

public DefaultVerifier()
                throws SecurityException
This constructor initialises the DefaultVerifier.

Throws:
SecurityException - if no CertificateFactory for "X.509" certificates was found in this instance of the JVM
Method Detail

setRootCA

public void setRootCA(byte[] pkc)
               throws SecurityException
Sets the root CA by specifying its PKC.

Parameters:
pkc - is the BER encoded X.509 PKC of the root CA
Throws:
SecurityException

setRootCA

public void setRootCA(java.security.cert.X509Certificate pkc)
Sets the root CA by specifying its PKC.

Parameters:
pkc - is the X.509 PKC of the root CA

setRootCAs

public void setRootCAs(java.security.cert.X509Certificate[] pkcs)
This method sets multiple roots of trust by providing their X.509 PKCs.

Parameters:
pkcs - the Public Key Certificates of the CAs

getRootCAs

public java.security.cert.X509Certificate[] getRootCAs()
This method returns the array of PKCs of multiple roots of trust.

Specified by:
getRootCAs in interface Verifier
Returns:
array of X509Certificate, which can be empty or null, if no roots of trust have been specified

setRootCAs

public void setRootCAs(byte[][] pkcs)
                throws SecurityException
This method lets you specify multiple Root CAs. If any of them is a malformed PKC, a SecurityException is thrown.

Parameters:
pkcs - an array of BER-encoded X.509 PKCs
Throws:
SecurityException

setPKCRepository

public void setPKCRepository(PKCRepository repository)
Sets the repository that will be used to retrieve user's signature verification Public Key Certificates.

Parameters:
repository - the PKCRepository that can return the PKCs for a given principal

getPKCRepository

public PKCRepository getPKCRepository()
Gets the repository that will be used to retrieve user's signature verification Public Key Certificates.

Specified by:
getPKCRepository in interface Verifier

getVerificationCertificates

public java.security.cert.X509Certificate[] getVerificationCertificates(TokenLocator signerName)
                                                                 throws SecurityException
Retrieves the valid certificates of the signer. For this purpose it contacts the PKCRepository and retrieves all user certificates from the specified entry. The signatures on those certificates are then verified: each one must be signed directly by one of the Root CAs. Malformed user certificates are discarded.

Certification path validation will be added later.

Specified by:
getVerificationCertificates in interface Verifier
Parameters:
signerName - is the name of the signer's LDAP entry
Returns:
all valid certificates located in that LDAP entry; never null, but can be an empty array
Throws:
SecurityException - if there were errors during processing the request

verify

public boolean verify(byte[] data,
                      byte[] signature,
                      java.lang.String algorithmID,
                      java.security.cert.X509Certificate[] certs)
               throws SecurityException
This method verifies a signature on the data. It assumes that all X.509 certificates in the array are still valid and non-revoked, which holds if they have been retrieved using the getVerificationCertificates method. For this reason it uses only the first certificate in the array, which should be the signature verification certificate of the signer.

Specified by:
verify in interface Verifier
Parameters:
data - is the to-be-signed array
signature - is the signature of that array
certs - is the array of X.509 PKCs, but only the first one is used in this implementation
Returns:
true, if the signature validates; false otherwise
Throws:
SecurityException - if there were errors during processing the request
SecurityException - if a definite decision cannot be derived

verifyByRoot

public boolean verifyByRoot(byte[] data,
                            byte[] signature,
                            java.lang.String algorithmID)
This method checks if the given data was signed by any of the Root CAs.

Parameters:
data - the to-be-signed byte array
signature - the matching signature
algorithmID - the signature algorithm identifier
Returns:
true, if the signature can be verified using one of the PKCs of the roots of trust; false otherwise (e.g. no Root CAs have been configured, or there was a problem during signature verification)
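The trust model documented above for getVerificationCertificates, verify and verifyByRoot, written out in plain JCA as an added illustration; this is not the issrg.security code, and the class and method names below are hypothetical. Candidate PKCs are kept only if they parse and are signed directly by a configured root (no certification path building, no revocation check, exactly as the page states), and signature verification then uses only the first certificate. Whether "valid" also covers the certificate's validity period is an assumption made here via checkValidity(); the page does not say.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper mirroring the documented DefaultVerifier behaviour.
public class RootSignedVerifier {
    private final CertificateFactory cf = CertificateFactory.getInstance("X.509");
    private final List<X509Certificate> roots = new ArrayList<>();

    public RootSignedVerifier(X509Certificate[] rootCAs) throws CertificateException {
        for (X509Certificate r : rootCAs) roots.add(r);          // roots of trust, as setRootCAs
    }

    // As getVerificationCertificates: keep PKCs that parse and are issued directly by a root.
    public X509Certificate[] filterRootSigned(byte[][] encodedCandidates) {
        List<X509Certificate> valid = new ArrayList<>();
        for (byte[] der : encodedCandidates) {
            X509Certificate cert;
            try {
                cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
            } catch (CertificateException e) {
                continue;                                        // malformed user PKC: discarded
            }
            for (X509Certificate root : roots) {
                try {
                    cert.verify(root.getPublicKey());            // direct root signature only; no chain
                    cert.checkValidity();                        // assumption: "valid" includes the period
                    valid.add(cert);
                    break;
                } catch (GeneralSecurityException notThisRoot) { /* try the next root */ }
            }
        }
        return valid.toArray(new X509Certificate[0]);
    }

    // As verify: only certs[0] is used; validity and non-revocation are assumed, not checked.
    public boolean verify(byte[] data, byte[] sig, String algorithmID, X509Certificate[] certs)
            throws GeneralSecurityException {
        if (certs == null || certs.length == 0) return false;
        Signature s = Signature.getInstance(algorithmID);
        s.initVerify(certs[0].getPublicKey());
        s.update(data);
        return s.verify(sig);
    }

    // As verifyByRoot: true if any root key verifies the signature; any failure yields false.
    public boolean verifyByRoot(byte[] data, byte[] sig, String algorithmID) {
        for (X509Certificate root : roots) {
            try { if (verify(data, sig, algorithmID, new X509Certificate[]{root})) return true; }
            catch (GeneralSecurityException problem) { /* treated as "does not verify" */ }
        }
        return false;
    }
}
```

Because only the first certificate is consulted and nothing here checks revocation, the caller must obtain the array from the root-filtering step rather than from an untrusted source.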