/**
* Try to get certificate locally. First try using the supplied CryptoType. If this does not work,
* and if the supplied CryptoType is a ALIAS, then try again with SUBJECT_DN in case the supplied
* Alias is actually a Certificate's Subject DN
*
* @param cryptoType
* @return if found certificate otherwise null returned
*/
private X509Certificate[] getCertificateLocaly(CryptoType cryptoType) {
// This only applies if we've configured a local Crypto instance...
if (fallbackCrypto == null) {
return null;
}
// First try using the supplied CryptoType instance
X509Certificate[] localCerts = null;
try {
localCerts = fallbackCrypto.getX509Certificates(cryptoType);
} catch (Exception e) {
LOG.info(
"Certificate is not found in local keystore using desired CryptoType: "
+ cryptoType.getType().name());
}
if (localCerts == null && cryptoType.getType() == CryptoType.TYPE.ALIAS) {
// If none found then try using either the Subject DN. This is because an
// Encryption username in CXF is configured as an Alias in WSS4J, but may in fact
// be a Subject DN
CryptoType newCryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
newCryptoType.setSubjectDN(cryptoType.getAlias());
try {
localCerts = fallbackCrypto.getX509Certificates(newCryptoType);
} catch (Exception e) {
LOG.info(
"Certificate is not found in local keystore and will be requested from "
+ "XKMS (first trying the cache): "
+ cryptoType.getAlias());
}
}
return localCerts;
}
private X509Certificate[] getX509(CryptoType cryptoType) {
// Try to get X509 certificate from local keystore if it is configured
if (allowX509FromJKS && fallbackCrypto != null) {
X509Certificate[] localCerts = getCertificateLocaly(cryptoType);
if (localCerts != null && localCerts.length > 0) {
return localCerts;
}
}
CryptoType.TYPE type = cryptoType.getType();
if (type == TYPE.SUBJECT_DN) {
return getX509FromXKMSByID(Applications.PKIX, cryptoType.getSubjectDN());
} else if (type == TYPE.ENDPOINT) {
return getX509FromXKMSByEndpoint(cryptoType.getEndpoint());
} else if (type == TYPE.ALIAS) {
Applications appId = null;
boolean isServiceName = isServiceName(cryptoType);
if (!isServiceName) {
appId = Applications.PKIX;
} else {
appId = Applications.SERVICE_NAME;
}
return getX509FromXKMSByID(appId, cryptoType.getAlias());
} else if (type == TYPE.ISSUER_SERIAL) {
return getX509FromXKMSByIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
}
throw new IllegalArgumentException("Unsupported type " + type);
}
@Override
public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException {
if (LOG.isLoggable(Level.INFO)) {
LOG.info(
String.format(
"XKMS Runtime: getting public certificate for alias: %s; issuer: %s; subjectDN: %s",
cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
}
X509Certificate[] certs = getX509(cryptoType);
if (certs == null) {
LOG.warning(
String.format(
"Cannot find certificate for alias: %s, issuer: %s; subjectDN: %s",
cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
}
return certs;
}
/**
* Service Aliases contain namespace
*
* @param cryptoType
* @return
*/
private boolean isServiceName(CryptoType cryptoType) {
return cryptoType.getAlias().contains("{");
}