java.lang.Object
  org.openpermis.cert.ChainCertificateVerifier
public class ChainCertificateVerifier
This certificate verifier supports multiple trusted issuers ("trust anchors") and certificate
chains.
This verifier maintains a set of trusted root issuer certificates and a maximum chain length.
When verifying a certificate, this class looks for a certificate chain to one of the trusted
root certificates by asking the specified CertificateRepository for any required intermediate
certificates.
A CertificateRepository may for example return certificates from an LDAP directory or a file
directory.
This class supports certificate chains of length greater than one.
A chain depth of one means that the trusted root directly signed the certificate to be
verified (only one signature involved).
CAUTION: Be extremely careful when using a chain length greater than one! A length
of two, for example, means that you implicitly trust all entities that have been signed by
the trusted roots. This is normally not the case in reality (trust is not transitive!).
If a specific crypto provider should be used for JCE functions, use the method
setProvider(String) to specify it.
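The search described above (walk up from the certificate, follow at most maxChainLength signatures, stop at a trust anchor, track visited certificates to detect loops), sketched with the standard java.security.cert API. This is an added example, not OpenPERMIS source: the class name BoundedChainSearch, the in-memory pool standing in for a CertificateRepository, the PEM file arguments, and the validity and basicConstraints checks are assumptions.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

// Added sketch, not OpenPERMIS source: depth-bounded chain search with loop detection.
public class BoundedChainSearch {
    private final Map<X500Principal, X509Certificate> anchors = new HashMap<>();
    private final List<X509Certificate> pool;   // stands in for a CertificateRepository
    private final int maxChainLength;
    BoundedChainSearch(List<X509Certificate> roots, List<X509Certificate> pool, int maxChainLength) {
        if (maxChainLength < 1) throw new IllegalArgumentException("maxChainLength must be >= 1");
        for (X509Certificate r : roots) anchors.put(r.getSubjectX500Principal(), r);
        this.pool = pool; this.maxChainLength = maxChainLength;
    }
    // Returns the chain (certificate first, trust anchor last) or throws if none fits the limit.
    List<X509Certificate> verify(X509Certificate cert) throws CertificateException {
        List<X509Certificate> chain = new ArrayList<>();
        if (search(chain, maxChainLength, new HashSet<>(), cert)) return chain;
        throw new CertificateException("no chain to a trust anchor within " + maxChainLength + " signature(s)");
    }
    private boolean search(List<X509Certificate> chain, int remaining, Set<X509Certificate> visited, X509Certificate cert) {
        if (remaining < 1 || !visited.add(cert)) return false;   // limit reached, or loop detected
        chain.add(cert);
        X509Certificate anchor = anchors.get(cert.getIssuerX500Principal());
        if (anchor != null && signedBy(cert, anchor)) { chain.add(anchor); return true; }
        // Assumed extra check: only CA certificates (basicConstraints) may act as intermediates.
        for (X509Certificate ca : pool)
            if (ca.getBasicConstraints() >= 0 && ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())
                    && signedBy(cert, ca) && search(chain, remaining - 1, visited, ca)) return true;
        chain.remove(chain.size() - 1);   // backtrack: this branch reached no anchor
        visited.remove(cert);
        return false;
    }
    // True if cert is inside its validity period and its signature verifies under the issuer's key.
    private static boolean signedBy(X509Certificate cert, X509Certificate issuer) {
        try { cert.checkValidity(); cert.verify(issuer.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
    private static List<X509Certificate> load(String pemFile) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemFile)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) out.add((X509Certificate) c);
        }
        return out;
    }
    public static void main(String[] a) throws Exception {   // args: roots.pem pool.pem cert.pem maxChainLength
        new BoundedChainSearch(load(a[0]), load(a[1]), Integer.parseInt(a[3])).verify(load(a[2]).get(0))
                .forEach(c -> System.out.println(c.getSubjectX500Principal()));
    }
}
```

With a limit of 1 the loop over the pool can never succeed, so only certificates signed directly by a trust anchor verify; with a limit of 2, every pool certificate that passes the intermediate check extends trust to whatever it has signed, which is the situation the CAUTION paragraph describes.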
Field Summary | |
---|---|
private CertificateRepository | certificateRepository: The certificate repository to ask for intermediate certificates if necessary. |
private int | maxChainLength: The maximum length of a certificate chain. |
(package private) String | provider: The crypto provider or null if none is specified. |
private Map<Principal,X509Certificate> | trustAnchorCertsBySubject: The set of trusted issuers (trust anchors, root certificates). |
Constructor Summary | |
---|---|
ChainCertificateVerifier(Set<X509Certificate> trustedRoots) | Creates a certificate verifier using the trusted roots, allowing only chains of length one and therefore needing no certificate repository to get intermediate certificates from. |
ChainCertificateVerifier(Set<X509Certificate> trustedRoots, CertificateRepository certificateRepository, int maxChainLength) | Creates a certificate verifier using the trusted roots and a certificate repository that can be asked for intermediate certificates if required, restricting the maximum chain depth to the indicated value. |
ChainCertificateVerifier(Set<X509Certificate> trustedRoots, Set<X509Certificate> intermediateCerts, int maxChainLength) | This is a convenience constructor doing the same as ChainCertificateVerifier(Set, CertificateRepository, int) but using the specified set of intermediate certificates as in-memory certificate repository. |
Method Summary | |
---|---|
private void | computeChainInternal(List<X509Certificate> resultChain, int remainingChainLength, Set<Certificate> visitedCerts, Certificate certToVerify): Internal method that is called recursively to go up the certificate chain. |
void | setProvider(String provider): Sets a specific crypto provider. |
void | verifyCertificate(Certificate certificate): Verifies the specified certificate and returns without exception if the certificate could successfully be verified. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
private final Map<Principal,X509Certificate> trustAnchorCertsBySubject
private final CertificateRepository certificateRepository
private final int maxChainLength
String provider
Constructor Detail |
---|
public ChainCertificateVerifier(Set<X509Certificate> trustedRoots, CertificateRepository certificateRepository, int maxChainLength)
Parameters:
trustedRoots - A set of trusted root certificates. The subjects of the specified
certificates must be trusted and their public keys in the certificates must be
authentic. This parameter must not be null.
certificateRepository - The certificate repository is used to ask for
intermediate certificates needed to build a certificate chain. Using null as
value tells the class not to use a certificate repository.
maxChainLength - The maximum allowed chain length. The value must be one or greater.
public ChainCertificateVerifier(Set<X509Certificate> trustedRoots)
Parameters:
trustedRoots - A set of trusted root certificates. The subjects of the specified
certificates must be trusted and their public keys in the certificates must be
authentic. This parameter must not be null.
public ChainCertificateVerifier(Set<X509Certificate> trustedRoots, Set<X509Certificate> intermediateCerts, int maxChainLength) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
This is a convenience constructor doing the same as
ChainCertificateVerifier(Set, CertificateRepository, int) but using the
specified set of intermediate certificates as in-memory certificate repository.
It uses the trusted roots and restricts the maximum chain depth to the indicated value.
A chain depth of one means that the trusted root directly signed the certificate to be
verified (only one signature involved).
CAUTION: Be extremely careful when using a chain length greater than one! A length
of two, for example, means that you implicitly trust all entities that have been signed by
the trusted roots. This is normally not the case in reality (trust is not transitive!).
Parameters:
trustedRoots - A set of trusted root certificates. The subjects of the specified
certificates must be trusted and their public keys in the certificates must be
authentic. This parameter must not be null.
intermediateCerts - A set of certificates that may serve as intermediate certificates
in certificate chains. Must not be null.
maxChainLength - The maximum allowed chain length. The value must be one or greater.
Throws:
NoSuchAlgorithmException - Thrown if no collection based CertStore
implementation is available from the underlying crypto provider.
InvalidAlgorithmParameterException - Thrown if the parameters passed to the
collection based CertStore are invalid.
Method Detail |
---|
public void verifyCertificate(Certificate certificate) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Specified by:
verifyCertificate in interface CertificateVerifier
Parameters:
certificate - The certificate to be verified. Must not be null.
Throws:
CertificateException - Thrown on certificate encoding errors.
NoSuchAlgorithmException - Thrown on unsupported signature algorithms.
InvalidKeyException - Thrown on incorrect keys.
NoSuchProviderException - Thrown on incorrect crypto provider usage.
SignatureException - Thrown on incorrect signatures.
public void setProvider(String provider)
null is set explicitly with this method), the default crypto provider is used.
Parameters:
provider - The name of the crypto provider to use or null.
private void computeChainInternal(List<X509Certificate> resultChain, int remainingChainLength, Set<Certificate> visitedCerts, Certificate certToVerify) throws InvalidKeyException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException
Parameters:
resultChain - The result chain that is built during the search.
remainingChainLength - The remaining maximum allowed chain length in this step.
visitedCerts - Internally keeps track of visited certificates in order to detect loops.
certToVerify - The certificate to verify in this step.
Throws:
SignatureException
NoSuchProviderException
NoSuchAlgorithmException
CertificateException
InvalidKeyException
PERMIS Role Based Access Control 0.4.0 (Build 15)
2009/05/20 08:14:59
Copyright (c) 2002-2007 Ergon Informatik AG