public class X509KeySelector
extends javax.xml.crypto.KeySelector
KeySelector that returns PublicKeys of trusted X509Certificates stored in a KeyStore.

This KeySelector uses the specified KeyStore to find a trusted X509Certificate that matches information specified in the KeyInfo passed to the select(KeyInfo, KeySelector.Purpose, AlgorithmMethod, XMLCryptoContext) method. The public key of the first match is returned. If nothing matches, null is returned. See the select method for more information.

Because a key is only ever returned for a certificate that is already present in the KeyStore, the KeyInfo serves purely as a lookup hint: a certificate embedded in the signature itself is never trusted on its own. This is the property a signature validator needs so that a signer cannot vouch for its own key by shipping it inside the KeyInfo.

NOTE: This X509KeySelector requires J2SE 1.4 because it uses the java.security.cert.X509CertSelector and javax.security.auth.x500.X500Principal classes to parse X.500 DNs and match on certificate attributes.
| Constructor and Description |
|---|
| X509KeySelector(java.security.KeyStore keyStore) Creates an X509KeySelector. |
| Modifier and Type | Method and Description |
|---|---|
| javax.xml.crypto.KeySelectorResult | select(javax.xml.crypto.dsig.keyinfo.KeyInfo keyInfo, javax.xml.crypto.KeySelector.Purpose purpose, javax.xml.crypto.AlgorithmMethod method, javax.xml.crypto.XMLCryptoContext context) Finds a key from the keystore satisfying the specified constraints. |
public X509KeySelector(java.security.KeyStore keyStore)
throws java.security.KeyStoreException
Creates an X509KeySelector.
Parameters:
keyStore - the keystore
Throws:
java.security.KeyStoreException - if the keystore has not been initialized
java.lang.NullPointerException - if keyStore is null

public javax.xml.crypto.KeySelectorResult select(javax.xml.crypto.dsig.keyinfo.KeyInfo keyInfo,
javax.xml.crypto.KeySelector.Purpose purpose,
javax.xml.crypto.AlgorithmMethod method,
javax.xml.crypto.XMLCryptoContext context)
throws javax.xml.crypto.KeySelectorException
Finds a key from the keystore satisfying the specified constraints.
This method compares data contained in KeyInfo entries with information stored in the KeyStore. The implementation iterates over the KeyInfo types and returns the first PublicKey of an X509Certificate in the keystore that is compatible with the specified AlgorithmMethod, according to the following rules for each KeyInfo type:

- X509Data X509Certificate: if it contains a KeyUsage extension that asserts the digitalSignature bit and matches an X509Certificate in the KeyStore.
- X509Data X509IssuerSerial: if the serial number and issuer DN match an X509Certificate in the KeyStore.
- X509Data X509SubjectName: if the subject DN matches an X509Certificate in the KeyStore.
- X509Data X509SKI: if the subject key identifier matches an X509Certificate in the KeyStore.
- KeyName: if the KeyName matches an alias in the KeyStore.
- RetrievalMethod: supports rawX509Certificate and X509Data types. If rawX509Certificate type, it must match an X509Certificate in the KeyStore.

In every case the KeyInfo only identifies which KeyStore entry to use; the key that is returned is always the public key of the certificate held in the KeyStore, never a key carried in the KeyInfo.
Specified by:
select in class javax.xml.crypto.KeySelector
Parameters:
keyInfo - a KeyInfo (may be null)
purpose - the key's purpose
method - the algorithm method that this key is to be used for. Only keys that are compatible with the algorithm and meet the constraints of the specified algorithm should be returned.
context - an XMLCryptoContext that may contain additional useful information for finding an appropriate key
Throws:
javax.xml.crypto.KeySelectorException - if an exceptional condition occurs while attempting to find a key. Note that an inability to find a key is not considered an exception (null should be returned in that case). However, an error condition (ex: network communications failure) that prevented the KeySelector from finding a potential key should be considered an exception.
java.lang.ClassCastException - if the data type of method is not supported by this key selector
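As an added example, not part of this Javadoc or of the sample's own code, the following validator wires X509KeySelector into a DOMValidateContext so that a signature is accepted only if its KeyInfo resolves to a certificate in the trust store. It assumes X509KeySelector is compiled into the same package, uses the JDK's DOM XMLSignatureFactory, and takes a PKCS12 trust store path, its password and a signed document path as placeholder command-line arguments; the org.jcp.xml.dsig.secureValidation property and the disallow-doctype-decl parser feature are JDK/Xerces-specific settings.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Validates an XML signature with X509KeySelector backed by a trust store.
 * Assumes X509KeySelector (the class documented above) is in this package.
 */
public class TrustStoreValidator {

    /** Returns true only if the signature verifies under a key taken from
     *  a certificate in trustStore; any other outcome is a failure. */
    public static boolean validate(KeyStore trustStore, Document doc) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            // Refuse documents with zero or several Signature elements rather
            // than picking one: wrapping attacks rely on the validator and the
            // consumer disagreeing about which signature counts.
            throw new IllegalStateException(
                "expected exactly one ds:Signature, found " + nl.getLength());
        }

        KeySelector selector = new X509KeySelector(trustStore);
        DOMValidateContext ctx = new DOMValidateContext(selector, nl.item(0));
        // JDK secure-validation mode: rejects XSLT transforms, weak
        // algorithms and other known-dangerous signature features.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        boolean coreValid;
        try {
            coreValid = sig.validate(ctx);
        } catch (XMLSignatureException e) {
            // The JDK DOM implementation throws here (among other cases) when
            // the KeySelector returns a null key, i.e. nothing in the KeyInfo
            // matched a certificate in the trust store. A certificate that is
            // merely embedded in the KeyInfo never satisfies the selector.
            System.err.println("no trusted key for this signature: " + e.getMessage());
            return false;
        }
        if (!coreValid) {
            // Separate a bad SignatureValue from a tampered Reference for diagnostics.
            System.err.println("SignatureValue valid: " + sig.getSignatureValue().validate(ctx));
            List<?> refs = sig.getSignedInfo().getReferences();
            for (Object o : refs) {
                Reference r = (Reference) o;
                System.err.println("Reference " + r.getURI() + " valid: " + r.validate(ctx));
            }
        }
        return coreValid;
    }

    /** Hardened parser: namespace-aware (required by XML-DSig), no DTDs. */
    static Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(in);
    }

    /** Usage: TrustStoreValidator <truststore.p12> <password> <signed.xml>
     *  (all three arguments are placeholders supplied by the caller). */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Document doc;
        try (InputStream in = new FileInputStream(args[2])) {
            doc = parse(in);
        }
        System.out.println(validate(ks, doc) ? "VALID" : "INVALID");
    }
}
```

The trust store should contain only the certificates whose signatures you intend to accept; since select returns the public key of the first KeyStore certificate that matches, every entry in that store is effectively an accepted signer.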