Package org.eclipse.jetty.util.security
Class CertificateValidator
java.lang.Object
org.eclipse.jetty.util.security.CertificateValidator
Convenience class to handle validation of certificates, aliases and keystores.

Allows specifying a Certificate Revocation List (CRL), as well as enabling
CRL Distribution Points Protocol (CRLDP) certificate extension support,
and also enabling On-Line Certificate Status Protocol (OCSP) support.

IMPORTANT: at least one of the above mechanisms *MUST* be configured and
operational, otherwise certificate validation *WILL FAIL* unconditionally.
Field Summary

Modifier and Type                    Field               Description
private static AtomicLong            __aliasCount
private Collection<? extends CRL>    _crls
private boolean                      _enableCRLDP        CRL Distribution Points (CRLDP) support
private boolean                      _enableOCSP         On-Line Certificate Status Protocol (OCSP) support
private int                          _maxCertPathLength  Maximum certification path length (n - number of intermediate certs, -1 for unlimited)
private String                       _ocspResponderURL   Location of OCSP Responder
private KeyStore                     _trustStore
private static final Logger          LOG
Constructor Summary

CertificateValidator(KeyStore trustStore, Collection<? extends CRL> crls)
    creates an instance of the certificate validator
Method Summary

Collection<? extends CRL> getCrls()
int getMaxCertPathLength()
String getOcspResponderURL()
KeyStore getTrustStore()
boolean isEnableCRLDP()
boolean isEnableOCSP()
void setEnableCRLDP(boolean enableCRLDP)
    Enables CRL Distribution Points support
void setEnableOCSP(boolean enableOCSP)
    Enables On-Line Certificate Status Protocol support
void setMaxCertPathLength(int maxCertPathLength)
void setOcspResponderURL(String ocspResponderURL)
    Set the location of the OCSP Responder.
void validate(Certificate[] certChain)
void validate(KeyStore keyStore)
    validates all aliases inside of a given keystore
String validate(KeyStore keyStore, String keyAlias)
    validates a specific alias inside of the keystore being passed in
void validate(KeyStore keyStore, Certificate cert)
    validates a specific certificate inside of the keystore being passed in
Field Details

LOG
private static final Logger LOG

__aliasCount
private static AtomicLong __aliasCount

_trustStore
private KeyStore _trustStore

_crls
private Collection<? extends CRL> _crls

_maxCertPathLength
private int _maxCertPathLength
    Maximum certification path length (n - number of intermediate certs, -1 for unlimited)

_enableCRLDP
private boolean _enableCRLDP
    CRL Distribution Points (CRLDP) support

_enableOCSP
private boolean _enableOCSP
    On-Line Certificate Status Protocol (OCSP) support

_ocspResponderURL
private String _ocspResponderURL
    Location of OCSP Responder
Constructor Details

CertificateValidator
public CertificateValidator(KeyStore trustStore, Collection<? extends CRL> crls)
    creates an instance of the certificate validator
    Parameters:
        trustStore - the truststore to use
        crls - the Certificate Revocation List to use
Method Details

validate
public void validate(KeyStore keyStore) throws CertificateException
    validates all aliases inside of a given keystore
    Parameters:
        keyStore - the keystore to validate
    Throws:
        CertificateException - if keystore error and unable to validate

validate
public String validate(KeyStore keyStore, String keyAlias) throws CertificateException
    validates a specific alias inside of the keystore being passed in
    Parameters:
        keyStore - the keystore to validate
        keyAlias - the key alias in the keystore to validate with
    Returns:
        the keyAlias if valid
    Throws:
        CertificateException - if keystore error and unable to validate

validate
public void validate(KeyStore keyStore, Certificate cert) throws CertificateException
    validates a specific certificate inside of the keystore being passed in
    Parameters:
        keyStore - the keystore to validate against
        cert - the certificate to validate
    Throws:
        CertificateException - if keystore error and unable to validate

validate
public void validate(Certificate[] certChain) throws CertificateException
    Throws:
        CertificateException

getTrustStore
public KeyStore getTrustStore()

getCrls
public Collection<? extends CRL> getCrls()

getMaxCertPathLength
public int getMaxCertPathLength()
    Returns:
        Maximum number of intermediate certificates in the certification path (-1 for unlimited)

setMaxCertPathLength
public void setMaxCertPathLength(int maxCertPathLength)
    Parameters:
        maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)

isEnableCRLDP
public boolean isEnableCRLDP()
    Returns:
        true if CRL Distribution Points support is enabled

setEnableCRLDP
public void setEnableCRLDP(boolean enableCRLDP)
    Enables CRL Distribution Points support
    Parameters:
        enableCRLDP - true - turn on, false - turn off

isEnableOCSP
public boolean isEnableOCSP()
    Returns:
        true if On-Line Certificate Status Protocol support is enabled

setEnableOCSP
public void setEnableOCSP(boolean enableOCSP)
    Enables On-Line Certificate Status Protocol support
    Parameters:
        enableOCSP - true - turn on, false - turn off

getOcspResponderURL
public String getOcspResponderURL()
    Returns:
        Location of the OCSP Responder

setOcspResponderURL
public void setOcspResponderURL(String ocspResponderURL)
    Set the location of the OCSP Responder.
    Parameters:
        ocspResponderURL - location of the OCSP Responder
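Usage example, added here and not part of Jetty or of the class documentation above: it loads a trust store and a PEM-encoded chain, builds a CertificateValidator with a static CRL when one is supplied, and otherwise enables CRLDP and OCSP so that the IMPORTANT rule from the class description (at least one revocation mechanism configured) is always met. The class name ChainValidationExample, the command-line argument layout, the MAX_INTERMEDIATES policy value and the commented-out responder URL are all assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;

import org.eclipse.jetty.util.security.CertificateValidator;

/**
 * Added example (not Jetty code): validates a certificate chain against a
 * trust store with revocation checking enabled.
 *
 * Assumed command-line inputs (layout chosen for this example):
 *   args[0]  trust store file (JKS or PKCS12) holding the trusted CA certificates
 *   args[1]  trust store password
 *   args[2]  PEM file containing the chain, leaf certificate first
 *   args[3]  optional CRL file; when absent, CRLDP and OCSP are enabled
 *            so that at least one revocation mechanism is configured
 */
public class ChainValidationExample
{
    // Example policy value: allow at most three intermediate CAs between the
    // leaf and a trust anchor (-1 would mean unlimited, see setMaxCertPathLength).
    private static final int MAX_INTERMEDIATES = 3;

    public static boolean isChainTrusted(KeyStore trustStore,
                                         Collection<? extends CRL> crls,
                                         Certificate[] chain)
    {
        CertificateValidator validator = new CertificateValidator(trustStore, crls);
        validator.setMaxCertPathLength(MAX_INTERMEDIATES);

        if (crls == null || crls.isEmpty())
        {
            // No static CRL supplied: let PKIX fetch revocation data from the
            // certificates' CRL distribution points and OCSP responders instead.
            validator.setEnableCRLDP(true);
            validator.setEnableOCSP(true);
            // To pin a responder instead of relying on the certificate's own
            // pointer, set it explicitly (hypothetical URL):
            // validator.setOcspResponderURL("http://ocsp.example.test");
        }

        try
        {
            validator.validate(chain);
            return true;
        }
        catch (CertificateException e)
        {
            // Untrusted issuer, expired, revoked, or revocation status that could
            // not be determined all land here; the message carries the PKIX reason.
            System.err.println("chain rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception
    {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0]))
        {
            trustStore.load(in, args[1].toCharArray());
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        Certificate[] chain;
        try (InputStream in = new FileInputStream(args[2]))
        {
            // generateCertificates() preserves file order, so the end-entity
            // certificate must be the first entry in the PEM file.
            chain = cf.generateCertificates(in).toArray(new Certificate[0]);
        }

        Collection<? extends CRL> crls = null;
        if (args.length > 3)
        {
            try (InputStream in = new FileInputStream(args[3]))
            {
                crls = cf.generateCRLs(in);
            }
        }

        System.out.println(isChainTrusted(trustStore, crls, chain)
            ? "chain is valid and not revoked"
            : "chain is NOT acceptable");
    }
}
```

The fallback branch is the part worth keeping in mind: if the validator is constructed with a null or empty CRL collection and neither setEnableCRLDP(true) nor setEnableOCSP(true) is called, validate() throws a CertificateException even for a well-formed chain that chains to the trust store, because revocation checking is on unconditionally and no source of revocation status exists. Treating that exception as "revoked" rather than "misconfigured" hides the configuration error, so the rejection reason should be logged, as above, rather than swallowed. Note also that CRLDP and OCSP lookups require outbound network access from the validating host at validation time; in an isolated environment a static CRL passed to the constructor is the mechanism that keeps validation working.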