|
![]() |
||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Objectorg.openpermis.cert.verify.ChainCertificateVerifier
public class ChainCertificateVerifier
This certificate verifier supports mutiple trusted issuers ("trusted anchors") and certificate
chains.
This verifier maintains a set of trusted root issuer certificates and a maximum chain length.
When verifying a certificate, this class looks for a certificate chain to one of the trusted
root certificates by asking the specified CertificateRepository
for any required
intermediate certificates.
A CertificateRepository
may for example return certificates from an LDAP directory or a
file directory.
This class supports certificate chains greater than one.
A chain depth of one means that the trusted root directly signed the certificate to be
verifer (only one signature involved).
CAUTION: Be extremely careful when using a chain length greater than one! A length
if two, for example, means that you implicitly trust all entities that have been signed by
the trusted roots. This is normally not the case in reality (trust is not transitive!).
If a specific crypto provider should be used when using JCE functions, you can use method
setProvider(String)
to specify it.
Constructor Summary | |
---|---|
ChainCertificateVerifier(Set<X509Certificate> trustedRoots)
Creates a certificate verifier using the trusted roots, allowing only chains of length one and therefore needs no certificate repository to get intermediate certificates from. |
|
ChainCertificateVerifier(Set<X509Certificate> trustedRoots,
CertificateRepository certificateRepository,
int maxChainLength)
Creates a certificate verifier using the trusted roots and a certificate repository that can be asked for intermediate certificates if required and restricting the maximum chain depth to the indicated value. |
|
ChainCertificateVerifier(Set<X509Certificate> trustedRoots,
Set<X509Certificate> intermediateCerts,
int maxChainLength)
This is a convenience constructor doing the same as ChainCertificateVerifier(Set, CertificateRepository, int) but using the
specified set of intermediate certificates as in-memory certificate repository. |
Method Summary | |
---|---|
void |
setProvider(String provider)
Allows to set a specific crypto provider. |
void |
verifyCertificate(Certificate certificate)
Verifies the specified certificate and returns without exception if the certificate could successfully be verified. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public ChainCertificateVerifier(Set<X509Certificate> trustedRoots, CertificateRepository certificateRepository, int maxChainLength)
trustedRoots
- A set of trusted root certificates. The subjects of the specified
certificates must be trusted and their public keys in the certificates must be
authentic. This parameter must not be null
.certificateRepository
- The certificate repository is used to ask for
intermediate certificates needed to build a certificate chain. Using null
as
value tells the class not to use a certificate repository.maxChainLength
- The maximum allowed chain length. The value must be one or greater.public ChainCertificateVerifier(Set<X509Certificate> trustedRoots)
trustedRoots
- A set of trusted root certificates. The subjects of the specified
certificates must be trusted and their public keys in the certificates must be
authentic. This parameter must not be null
.public ChainCertificateVerifier(Set<X509Certificate> trustedRoots, Set<X509Certificate> intermediateCerts, int maxChainLength) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
ChainCertificateVerifier(Set, CertificateRepository, int)
but using the
specified set of intermediate certificates as in-memory certificate repository.
It the trusted roots and restricts the maximum chain depth to the indicated value.
A chain depth of one means that the trusted root directly signed the certificate to be
verifer (only one signature involved).
CAUTION: Be extremely careful when using a chain length greater than one! A length
if two, for example, means that you implicitly trust all entities that have been signed by
the trusted roots. This is normally not the case in reality (trust is not transitive!).
trustedRoots
- A set of trusted root certificates. The subjects of the specified
certificates must be trusted and their public keys in the certificates must be
authentic. This parameter must not be null
.intermediateCerts
- A set of certificates that may serve as intermediate certificates
in certifiate chains. Must not be null.maxChainLength
- The maximum allowed chain length. The value must be one or greater.
NoSuchAlgorithmException
- Thrown if no collection based CertStore
implementation is availabel from the underlying crypto provider.
InvalidAlgorithmParameterException
- Thrown if the parameters passed to the
collection based CertStore
are invalid.Method Detail |
---|
public void verifyCertificate(Certificate certificate) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
verifyCertificate
in interface CertificateVerifier
certificate
- The certificate to be verified. Must not be null
.
CertificateException
- Thrown on certificate encoding errors.
NoSuchAlgorithmException
- Thrown on unsupported signature algorithms.
InvalidKeyException
- Thrown on incorrect keys.
NoSuchProviderException
- Thrown on incorrect crypto provider usage.
SignatureException
- Thrown on incorrect signatures.public void setProvider(String provider)
null
is set
explicitly with this method), the default crypto provider is used.
provider
- The name of the crypto provider to use or null
.
|
![]() |
||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
OpenPermis Role Based Access Control 0.9.0 (Build 16)
2009/08/13 07:16:59
Copyright (c) 2002-2007 Ergon Informatik AG