Class CertificateValidator

java.lang.Object
org.eclipse.jetty.util.security.CertificateValidator

public class CertificateValidator extends Object
Convenience class to handle validation of certificates, aliases and keystores. Allows specifying Certificate Revocation Lists (CRLs), as well as enabling support for the CRL Distribution Points (CRLDP) certificate extension and for the On-Line Certificate Status Protocol (OCSP). IMPORTANT: revocation checking is always performed, so at least one of the above mechanisms *MUST* be configured and operational; otherwise certificate validation *WILL FAIL* unconditionally, even for a chain that correctly terminates at a trust anchor in the truststore.
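The following is an added usage example (not code from the Jetty project or this page) showing the end-to-end flow the class description, the constructor and the validate(KeyStore, String) method describe: load a truststore and a keystore, load a CRL from disk with the standard JCA CertificateFactory, build the validator, enable CRLDP and OCSP as additional revocation sources, cap the path length, and validate a single key alias. The file names, passwords, the alias "server" and the responder URL are placeholders (assumptions), not values from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;

import org.eclipse.jetty.util.security.CertificateValidator;

/**
 * Added example (not Jetty code): validate one key entry against a truststore
 * with revocation checking fed by a local CRL file plus CRLDP/OCSP fallbacks.
 * All paths, passwords and the alias are placeholders.
 */
public class ValidateServerKeyExample
{
    public static void main(String[] args) throws Exception
    {
        // Trust anchors, and the keystore holding the entry to check (placeholder paths).
        KeyStore trustStore = loadKeyStore("truststore.p12", "changeit".toCharArray());
        KeyStore keyStore = loadKeyStore("keystore.p12", "changeit".toCharArray());

        // A CRL published by the issuing CA, PEM or DER; generateCRLs accepts both.
        // Passing no CRLs AND leaving CRLDP/OCSP disabled makes every validation fail.
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream("issuing-ca.crl"))
        {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }

        CertificateValidator validator = new CertificateValidator(trustStore, crls);

        // Expected PKI shape is root -> one intermediate -> end entity, so allow
        // exactly one intermediate; longer chains are rejected rather than trusted.
        validator.setMaxCertPathLength(1);

        // Let the PKIX engine fetch revocation data for certificates the local
        // CRL does not cover: CRLDP from the cert's extension, OCSP from its AIA.
        validator.setEnableCRLDP(true);
        validator.setEnableOCSP(true);
        // Optional override of the responder named in the certificate (placeholder URL).
        validator.setOcspResponderURL("http://ocsp.example.test");

        try
        {
            // "server" is a placeholder alias; the validated alias is returned on success.
            String alias = validator.validate(keyStore, "server");
            System.out.println("alias '" + alias + "' chains to a trust anchor and is not revoked");
        }
        catch (CertificateException e)
        {
            // Any failure lands here: unknown issuer, expired or revoked certificate,
            // path too long, or no reachable revocation source at all.
            System.err.println("validation failed: " + e.getMessage());
            System.exit(1);
        }
    }

    private static KeyStore loadKeyStore(String path, char[] password) throws Exception
    {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path))
        {
            ks.load(in, password);
        }
        return ks;
    }
}
```

Two points worth checking before relying on this in production. First, a validator built with no CRLs and with both setEnableCRLDP and setEnableOCSP left at false throws CertificateException for every input, as the class description warns, so a "passing" test against such a validator proves nothing. Second, treat the CRLDP and OCSP switches as process-wide rather than per-validator settings, because the JDK exposes them as JVM properties rather than per-call parameters; enable them deliberately rather than toggling them from several places.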
  • Field Details

    • LOG

      private static final Logger LOG
    • __aliasCount

      private static AtomicLong __aliasCount
    • _trustStore

      private KeyStore _trustStore
    • _crls

      private Collection<? extends CRL> _crls
    • _maxCertPathLength

      private int _maxCertPathLength
      Maximum certification path length: the number of intermediate certificates permitted between the end-entity certificate and a trust anchor (-1 for unlimited)
    • _enableCRLDP

      private boolean _enableCRLDP
      CRL Distribution Points (CRLDP) support
    • _enableOCSP

      private boolean _enableOCSP
      On-Line Certificate Status Protocol (OCSP) support
    • _ocspResponderURL

      private String _ocspResponderURL
      Location of OCSP Responder
  • Constructor Details

    • CertificateValidator

      public CertificateValidator(KeyStore trustStore, Collection<? extends CRL> crls)
      Creates an instance of the certificate validator.
      Parameters:
      trustStore - the truststore holding the trust anchors to validate against
      crls - the Certificate Revocation Lists to check against; revocation data can alternatively be obtained via CRLDP or OCSP (see the corresponding setters)
  • Method Details

    • validate

      public void validate(KeyStore keyStore) throws CertificateException
      Validates every alias inside the given keystore.
      Parameters:
      keyStore - the keystore to validate
      Throws:
      CertificateException - if the keystore cannot be read or any alias fails validation
    • validate

      public String validate(KeyStore keyStore, String keyAlias) throws CertificateException
      Validates a specific alias inside the keystore being passed in.
      Parameters:
      keyStore - the keystore to validate
      keyAlias - the alias of the entry in the keystore to validate
      Returns:
      the keyAlias if valid
      Throws:
      CertificateException - if the keystore cannot be read or the entry fails validation
    • validate

      public void validate(KeyStore keyStore, Certificate cert) throws CertificateException
      Validates a specific certificate against the keystore being passed in.
      Parameters:
      keyStore - the keystore to validate against
      cert - the certificate to validate
      Throws:
      CertificateException - if the keystore cannot be read or the certificate fails validation
    • validate

      public void validate(Certificate[] certChain) throws CertificateException
      Validates the given certificate chain against the configured truststore, applying the maximum path length and the configured revocation checks.
      Throws:
      CertificateException - if the chain does not terminate at a trust anchor, exceeds the maximum path length, contains a revoked certificate, or no revocation source is available
    • getTrustStore

      public KeyStore getTrustStore()
    • getCrls

      public Collection<? extends CRL> getCrls()
    • getMaxCertPathLength

      public int getMaxCertPathLength()
      Returns:
      Maximum number of intermediate certificates in the certification path (-1 for unlimited)
    • setMaxCertPathLength

      public void setMaxCertPathLength(int maxCertPathLength)
      Parameters:
      maxCertPathLength - maximum number of intermediate certificates in the certification path (-1 for unlimited)
    • isEnableCRLDP

      public boolean isEnableCRLDP()
      Returns:
      true if CRL Distribution Points support is enabled
    • setEnableCRLDP

      public void setEnableCRLDP(boolean enableCRLDP)
      Enables or disables CRL Distribution Points support.
      Parameters:
      enableCRLDP - true to turn CRLDP support on, false to turn it off
    • isEnableOCSP

      public boolean isEnableOCSP()
      Returns:
      true if On-Line Certificate Status Protocol support is enabled
    • setEnableOCSP

      public void setEnableOCSP(boolean enableOCSP)
      Enables or disables On-Line Certificate Status Protocol support.
      Parameters:
      enableOCSP - true to turn OCSP support on, false to turn it off
    • getOcspResponderURL

      public String getOcspResponderURL()
      Returns:
      Location of the OCSP Responder
    • setOcspResponderURL

      public void setOcspResponderURL(String ocspResponderURL)
      Set the location of the OCSP Responder.
      Parameters:
      ocspResponderURL - location of the OCSP Responder