public class KeyStoreCallbackHandler extends CryptographyCallbackHandler implements org.springframework.beans.factory.InitializingBean

Callback handler that uses Java Security KeyStores to handle cryptographic callbacks. Allows for specific key stores to be set for various cryptographic operations.

This handler requires one or more key stores to be set. You can configure them in your application context by using a KeyStoreFactoryBean. The exact stores to be set depend on the cryptographic operations that are to be performed by this handler. The table underneath shows the key store to be used for each operation:
| Cryptographic operation | Key store used |
|---|---|
| Certificate validation | first keyStore, then trustStore |
| Decryption based on private key | keyStore |
| Decryption based on symmetric key | symmetricStore |
| Encryption based on certificate | trustStore |
| Encryption based on symmetric key | symmetricStore |
| Signing | keyStore |
| Signature verification | trustStore |
If the symmetricStore is not set, it will default to the keyStore. If the key or trust store is not set, this handler will use the standard Java mechanism to load or create it. See loadDefaultKeyStore() and loadDefaultTrustStore().

If you want to use the KeyStoreCallbackHandler to validate incoming certificates or signatures, you would use a trust store, like so:
```xml
<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    <property name="trustStore" ref="trustStore"/>
</bean>

<bean id="trustStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:truststore.jks"/>
    <property name="password" value="changeit"/>
</bean>
```
If you want to use it to decrypt incoming certificates or sign outgoing messages, you would use a key store, like so:
```xml
<bean id="keyStoreHandler" class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
    <property name="keyStore" ref="keyStore"/>
    <property name="privateKeyPassword" value="changeit"/>
</bean>

<bean id="keyStore" class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
    <property name="location" value="classpath:keystore.jks"/>
    <property name="password" value="changeit"/>
</bean>
```
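The same wiring expressed in Java configuration, as an added example that is not part of Spring-WS or this page: it sets both stores from the table above, switches on the revocation checking that the handler leaves off by default, and subclasses the handler to tighten the PKIXBuilderParameters it builds for certificate validation. The configuration class name, the subclass, the store file names and the passwords are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.soap.security.support.KeyStoreFactoryBean;
import org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler;

@Configuration
public class WsSecurityKeyStoreConfig { // hypothetical name

    // Trust store: certificate validation (after the key store), signature
    // verification and certificate-based encryption, per the operation table.
    @Bean
    public KeyStoreFactoryBean trustStore() {
        KeyStoreFactoryBean factory = new KeyStoreFactoryBean();
        factory.setLocation(new ClassPathResource("truststore.jks")); // assumed path
        factory.setPassword("changeit");                              // assumed password
        return factory;
    }

    // Key store: signing and private-key decryption. It also serves as the
    // symmetric store, because symmetricStore is deliberately left unset.
    @Bean
    public KeyStoreFactoryBean keyStore() {
        KeyStoreFactoryBean factory = new KeyStoreFactoryBean();
        factory.setLocation(new ClassPathResource("keystore.jks")); // assumed path
        factory.setPassword("changeit");                            // assumed password
        return factory;
    }

    @Bean
    public KeyStoreCallbackHandler keyStoreHandler(@Qualifier("trustStore") KeyStore trustStore,
                                                   @Qualifier("keyStore") KeyStore keyStore) {
        KeyStoreCallbackHandler handler = new StrictKeyStoreCallbackHandler();
        handler.setTrustStore(trustStore);
        handler.setKeyStore(keyStore);
        handler.setPrivateKeyPassword("changeit"); // assumed password
        // Revocation checking defaults to false; enable it so a revoked signer
        // certificate fails validation instead of being accepted.
        handler.setRevocationEnabled(true);
        return handler; // afterPropertiesSet() is invoked by the container
    }

    /** Hypothetical subclass that narrows the PKIX parameters the handler builds. */
    static class StrictKeyStoreCallbackHandler extends KeyStoreCallbackHandler {
        @Override
        protected PKIXBuilderParameters createBuilderParameters(KeyStore trustStore,
                X509CertSelector certSelector) throws GeneralSecurityException {
            PKIXBuilderParameters params = super.createBuilderParameters(trustStore, certSelector);
            // Allow at most two non-self-issued intermediate certificates in a
            // chain (the JDK default is 5), limiting what a signer can present.
            params.setMaxPathLength(2);
            return params;
        }
    }
}
```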
This handler supports CertificateValidationCallbacks, DecryptionKeyCallbacks, EncryptionKeyCallbacks, SignatureKeyCallbacks, and SignatureVerificationKeyCallbacks. It throws an UnsupportedCallbackException for others.

See Also: KeyStore, KeyStoreFactoryBean, CertificateValidationCallback, DecryptionKeyCallback, EncryptionKeyCallback, SignatureKeyCallback, SignatureVerificationKeyCallback, The standard Java trust store mechanism

Field Summary: logger

| Constructor and Description |
|---|
| KeyStoreCallbackHandler() |
| Modifier and Type | Method and Description |
|---|---|
| void | afterPropertiesSet() |
| protected PKIXBuilderParameters | createBuilderParameters(KeyStore trustStore, X509CertSelector certSelector) Creates a PKIXBuilderParameters instance with the given parameters. |
| protected X509Certificate | getCertificate(PublicKey pk) |
| protected X509Certificate | getCertificate(String alias) |
| protected X509Certificate | getCertificateFromTrustStore(byte[] subjectKeyIdentifier) |
| protected X509Certificate | getCertificateFromTrustStore(PublicKey pk) |
| protected X509Certificate | getCertificateFromTrustStore(String alias) |
| protected X509Certificate | getCertificateFromTrustStore(String issuerName, BigInteger serialNumber) |
| protected PrivateKey | getPrivateKey(byte[] keyIdentifier) |
| protected PrivateKey | getPrivateKey(PublicKey publicKey) |
| protected PrivateKey | getPrivateKey(String alias) |
| protected PrivateKey | getPrivateKey(String issuerName, BigInteger serialNumber) |
| protected PrivateKey | getPrivateKey(X509Certificate certificate) |
| protected byte[] | getSubjectKeyIdentifier(X509Certificate cert) |
| protected SecretKey | getSymmetricKey(String alias) |
| protected void | handleAliasPrivKeyCertRequest(com.sun.xml.wss.impl.callback.SignatureKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureKeyCallback.AliasPrivKeyCertRequest request) Template method that handles SignatureKeyCallbacks with AliasPrivKeyCertRequests. |
| protected void | handleAliasSymmetricKeyRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.AliasSymmetricKeyRequest request) Template method that handles DecryptionKeyCallbacks with AliasSymmetricKeyRequests. |
| protected void | handleAliasSymmetricKeyRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.AliasSymmetricKeyRequest request) Template method that handles EncryptionKeyCallbacks with AliasSymmetricKeyRequests. |
| protected void | handleAliasX509CertificateRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.AliasX509CertificateRequest request) Template method that handles EncryptionKeyCallbacks with AliasX509CertificateRequests. |
| protected void | handleCertificateValidationCallback(com.sun.xml.wss.impl.callback.CertificateValidationCallback callback) Template method that handles CertificateValidationCallbacks. |
| protected void | handleDefaultPrivKeyCertRequest(com.sun.xml.wss.impl.callback.SignatureKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureKeyCallback.DefaultPrivKeyCertRequest request) Template method that handles SignatureKeyCallbacks with DefaultPrivKeyCertRequests. |
| protected void | handleDefaultX509CertificateRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.DefaultX509CertificateRequest request) Template method that handles EncryptionKeyCallbacks with DefaultX509CertificateRequests. |
| protected void | handlePublicKeyBasedPrivKeyCertRequest(com.sun.xml.wss.impl.callback.SignatureKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureKeyCallback.PublicKeyBasedPrivKeyCertRequest request) Template method that handles SignatureKeyCallbacks with PublicKeyBasedPrivKeyCertRequests. |
| protected void | handlePublicKeyBasedPrivKeyRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.PublicKeyBasedPrivKeyRequest request) Template method that handles DecryptionKeyCallbacks with PublicKeyBasedPrivKeyRequests. |
| protected void | handlePublicKeyBasedRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.PublicKeyBasedRequest request) Template method that handles EncryptionKeyCallbacks with PublicKeyBasedRequests. |
| protected void | handlePublicKeyBasedRequest(com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback.PublicKeyBasedRequest request) Template method that handles SignatureVerificationKeyCallbacks with PublicKeyBasedRequests. |
| protected void | handleX509CertificateBasedRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.X509CertificateBasedRequest request) Template method that handles DecryptionKeyCallbacks with X509CertificateBasedRequests. |
| protected void | handleX509IssuerSerialBasedRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.X509IssuerSerialBasedRequest request) Template method that handles DecryptionKeyCallbacks with X509IssuerSerialBasedRequests. |
| protected void | handleX509IssuerSerialBasedRequest(com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest request) Template method that handles SignatureVerificationKeyCallbacks with X509IssuerSerialBasedRequests. |
| protected void | handleX509SubjectKeyIdentifierBasedRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest request) Template method that handles DecryptionKeyCallbacks with X509SubjectKeyIdentifierBasedRequests. |
| protected void | handleX509SubjectKeyIdentifierBasedRequest(com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest request) Template method that handles SignatureVerificationKeyCallbacks with X509SubjectKeyIdentifierBasedRequests. |
| protected void | loadDefaultKeyStore() Loads the key store indicated by system properties. |
| protected void | loadDefaultTrustStore() Loads a default trust store. |
| void | setDefaultAlias(String defaultAlias) Sets the key store alias for the default certificate and private key. |
| void | setKeyStore(KeyStore keyStore) Sets the default key store. |
| void | setPrivateKeyPassword(String privateKeyPassword) Sets the password used to retrieve private keys from the keystore. |
| void | setRevocationEnabled(boolean revocationEnabled) Determines if certificate revocation checking is enabled or not. |
| void | setSymmetricKeyPassword(String symmetricKeyPassword) Sets the password used to retrieve keys from the symmetric keystore. |
| void | setSymmetricStore(KeyStore symmetricStore) Sets the key store used for encryption and decryption using symmetric keys. |
| void | setTrustStore(KeyStore trustStore) Sets the key store used for signature verifications and encryptions. |
Methods inherited from class CryptographyCallbackHandler: handleDecryptionKeyCallback, handleEncryptionKeyCallback, handleInternal, handlePrivateKeyRequest, handlePrivKeyCertRequest, handleSignatureKeyCallback, handleSignatureVerificationKeyCallback, handleSymmetricKeyRequest, handleSymmetricKeyRequest, handleX509CertificateRequest, handleX509CertificateRequest

Other inherited methods: handle

Method Detail

public void setDefaultAlias(String defaultAlias)
Sets the key store alias for the default certificate and private key.

public void setKeyStore(KeyStore keyStore)
Sets the default key store.
See Also: KeyStoreFactoryBean, loadDefaultTrustStore()

public void setPrivateKeyPassword(String privateKeyPassword)
Sets the password used to retrieve private keys from the keystore.

public void setSymmetricKeyPassword(String symmetricKeyPassword)
Sets the password used to retrieve keys from the symmetric keystore.
See Also: setPrivateKeyPassword(String)

public void setSymmetricStore(KeyStore symmetricStore)
Sets the key store used for encryption and decryption using symmetric keys. If this property is not set, it defaults to the keyStore property.

public void setTrustStore(KeyStore trustStore)
Sets the key store used for signature verifications and encryptions.
See Also: KeyStoreFactoryBean, loadDefaultTrustStore()

public void setRevocationEnabled(boolean revocationEnabled)
Determines if certificate revocation checking is enabled or not. Default is false.

public void afterPropertiesSet() throws Exception
Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws: Exception

protected final void handleAliasPrivKeyCertRequest(com.sun.xml.wss.impl.callback.SignatureKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureKeyCallback.AliasPrivKeyCertRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles SignatureKeyCallbacks with AliasPrivKeyCertRequests. Called from handlePrivKeyCertRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleAliasPrivKeyCertRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleAliasSymmetricKeyRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.AliasSymmetricKeyRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles DecryptionKeyCallbacks with AliasSymmetricKeyRequests. Called from handleSymmetricKeyRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleAliasSymmetricKeyRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleAliasSymmetricKeyRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.AliasSymmetricKeyRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles EncryptionKeyCallbacks with AliasSymmetricKeyRequests. Called from handleSymmetricKeyRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleAliasSymmetricKeyRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleAliasX509CertificateRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.AliasX509CertificateRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles EncryptionKeyCallbacks with AliasX509CertificateRequests. Called from handleX509CertificateRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleAliasX509CertificateRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleCertificateValidationCallback(com.sun.xml.wss.impl.callback.CertificateValidationCallback callback)
Description copied from class: CryptographyCallbackHandler
Template method that handles CertificateValidationCallbacks. Called from handleInternal(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleCertificateValidationCallback in class CryptographyCallbackHandler

protected final void handleDefaultPrivKeyCertRequest(com.sun.xml.wss.impl.callback.SignatureKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureKeyCallback.DefaultPrivKeyCertRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles SignatureKeyCallbacks with DefaultPrivKeyCertRequests. Called from handlePrivKeyCertRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleDefaultPrivKeyCertRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleDefaultX509CertificateRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.DefaultX509CertificateRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles EncryptionKeyCallbacks with DefaultX509CertificateRequests. Called from handleX509CertificateRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleDefaultX509CertificateRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handlePublicKeyBasedPrivKeyCertRequest(com.sun.xml.wss.impl.callback.SignatureKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureKeyCallback.PublicKeyBasedPrivKeyCertRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles SignatureKeyCallbacks with PublicKeyBasedPrivKeyCertRequests. Called from handlePrivKeyCertRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handlePublicKeyBasedPrivKeyCertRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handlePublicKeyBasedPrivKeyRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.PublicKeyBasedPrivKeyRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles DecryptionKeyCallbacks with PublicKeyBasedPrivKeyRequests. Called from handlePrivateKeyRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handlePublicKeyBasedPrivKeyRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handlePublicKeyBasedRequest(com.sun.xml.wss.impl.callback.EncryptionKeyCallback callback, com.sun.xml.wss.impl.callback.EncryptionKeyCallback.PublicKeyBasedRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles EncryptionKeyCallbacks with PublicKeyBasedRequests. Called from handleX509CertificateRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handlePublicKeyBasedRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handlePublicKeyBasedRequest(com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback.PublicKeyBasedRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles SignatureVerificationKeyCallbacks with PublicKeyBasedRequests. Called from handlePrivKeyCertRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handlePublicKeyBasedRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleX509CertificateBasedRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.X509CertificateBasedRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles DecryptionKeyCallbacks with X509CertificateBasedRequests. Called from handlePrivateKeyRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleX509CertificateBasedRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleX509IssuerSerialBasedRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.X509IssuerSerialBasedRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles DecryptionKeyCallbacks with X509IssuerSerialBasedRequests. Called from handlePrivateKeyRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleX509IssuerSerialBasedRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleX509IssuerSerialBasedRequest(com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback.X509IssuerSerialBasedRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles SignatureVerificationKeyCallbacks with X509IssuerSerialBasedRequests. Called from handlePrivKeyCertRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleX509IssuerSerialBasedRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleX509SubjectKeyIdentifierBasedRequest(com.sun.xml.wss.impl.callback.DecryptionKeyCallback callback, com.sun.xml.wss.impl.callback.DecryptionKeyCallback.X509SubjectKeyIdentifierBasedRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles DecryptionKeyCallbacks with X509SubjectKeyIdentifierBasedRequests. Called from handlePrivateKeyRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleX509SubjectKeyIdentifierBasedRequest in class CryptographyCallbackHandler
Throws: IOException

protected final void handleX509SubjectKeyIdentifierBasedRequest(com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback callback, com.sun.xml.wss.impl.callback.SignatureVerificationKeyCallback.X509SubjectKeyIdentifierBasedRequest request) throws IOException
Description copied from class: CryptographyCallbackHandler
Template method that handles SignatureVerificationKeyCallbacks with X509SubjectKeyIdentifierBasedRequests. Called from handlePrivKeyCertRequest(). Default implementation throws an UnsupportedCallbackException.
Overrides: handleX509SubjectKeyIdentifierBasedRequest in class CryptographyCallbackHandler
Throws: IOException

protected X509Certificate getCertificate(String alias) throws IOException
Throws: IOException

protected X509Certificate getCertificate(PublicKey pk) throws IOException
Throws: IOException

protected X509Certificate getCertificateFromTrustStore(String alias) throws IOException
Throws: IOException

protected X509Certificate getCertificateFromTrustStore(byte[] subjectKeyIdentifier) throws IOException
Throws: IOException

protected X509Certificate getCertificateFromTrustStore(PublicKey pk) throws IOException
Throws: IOException

protected X509Certificate getCertificateFromTrustStore(String issuerName, BigInteger serialNumber) throws IOException
Throws: IOException

protected PrivateKey getPrivateKey(String alias) throws IOException
Throws: IOException

protected PrivateKey getPrivateKey(PublicKey publicKey) throws IOException
Throws: IOException

protected PrivateKey getPrivateKey(X509Certificate certificate) throws IOException
Throws: IOException

protected PrivateKey getPrivateKey(byte[] keyIdentifier) throws IOException
Throws: IOException

protected PrivateKey getPrivateKey(String issuerName, BigInteger serialNumber) throws IOException
Throws: IOException

protected final byte[] getSubjectKeyIdentifier(X509Certificate cert)

protected SecretKey getSymmetricKey(String alias) throws IOException
Throws: IOException

protected void loadDefaultKeyStore()
Loads the key store indicated by system properties. Uses KeyStoreUtils.loadDefaultKeyStore().

protected void loadDefaultTrustStore()
Loads a default trust store. Uses KeyStoreUtils.loadDefaultTrustStore().

protected PKIXBuilderParameters createBuilderParameters(KeyStore trustStore, X509CertSelector certSelector) throws GeneralSecurityException
Creates a PKIXBuilderParameters instance with the given parameters. Default implementation simply instantiates one, without setting additional parameters.
Parameters: trustStore - the trust store to use; certSelector - the certificate selector to use
Throws: GeneralSecurityException - in case of errors
See Also: setRevocationEnabled(boolean)