Message Security Layer (MSL)
java.lang.Object
    com.netflix.msl.entityauth.X509Store
public class X509Store
An X.509 certificate store.
This class provides a clearing house of X.509 certificate validation. It contains individual trusted certificates, trusted certificate chains, and may support CRLs in the future. It provides X.509 certificate signature verification, certificate chaining, validity (time) checks, and trust store management functionality.
Field Summary

| Modifier and Type | Field and Description |
|---|---|
| private Map<X500Principal,List<X509Certificate>> | store: Map of certificate subject names onto X.509 certificates. |
Constructor Summary

| Constructor and Description |
|---|
| X509Store() |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| void | addTrusted(InputStream input): Add one or more trusted certificates (in DER format, binary or Base64-encoded) to this X509Store. |
| void | addTrusted(List<X509Certificate> chain): Add a chain of trusted certificates to this X509Store. |
| void | addTrusted(X509Certificate cert): Add a trusted certificate (in DER format, binary or Base64-encoded) to this X509Store. |
| private X509Certificate | getIssuer(X509Certificate cert): Return the issuing certificate for the provided certificate. |
| private List<X509Certificate> | getIssuerChain(X509Certificate cert): Returns the chain of issuer certificates for the provided certificate. |
| boolean | isAccepted(X509Certificate cert): Return true if the provided certificate is valid and accepted by a trusted certificate in this store. |
| private boolean | isPermittedByIssuer(X509Certificate cert): Verifies that the provided certificate is allowed to be a CA certificate based on the issuer chain's path lengths. |
| private static boolean | isSelfSigned(X509Certificate cert): Return true if the certificate is self-signed. |
| private boolean | isVerified(X509Certificate cert) |
Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

private final Map<X500Principal,List<X509Certificate>> store
Constructor Detail

public X509Store()

Method Detail
private X509Certificate getIssuer(X509Certificate cert)

Return the issuing certificate for the provided certificate. The certificate will only be returned if the provided certificate signature is verified by the issuing certificate.

Parameters:
cert - the certificate.
Returns:
the issuing certificate, or null if not found.

private List<X509Certificate> getIssuerChain(X509Certificate cert) throws CertificateException
Returns the chain of issuer certificates for the provided certificate. The chain is ordered with the root certificate in the first position, and that first certificate will be self-signed.

Parameters:
cert - the certificate.
Throws:
CertificateException - if an issuer certificate cannot be found.

private static boolean isSelfSigned(X509Certificate cert)
Return true if the certificate is self-signed.

Parameters:
cert - the certificate.
private boolean isVerified(X509Certificate cert)

Parameters:
cert - the certificate.
private boolean isPermittedByIssuer(X509Certificate cert) throws CertificateException

Verifies that the provided certificate is allowed to be a CA certificate based on the issuer chain's path lengths.

Parameters:
cert - the certificate.
Throws:
CertificateException - if an issuer certificate cannot be found.

public void addTrusted(InputStream input) throws CertificateExpiredException, CertificateNotYetValidException, CertificateException, IOException, InvalidKeyException, SignatureException, NoSuchAlgorithmException, NoSuchProviderException
Add one or more trusted certificates (in DER format, binary or Base64-encoded) to this X509Store.

This method calls addTrusted(X509Certificate) on each certificate found. If an exception is thrown, any certificates parsed prior to the error will still be in the trust store.

Parameters:
input - the input stream.
Throws:
IOException - if there is an error reading the input stream.
CertificateExpiredException - if the certificate is expired.
CertificateNotYetValidException - if the certificate is not yet valid.
CertificateException - if a certificate is not a CA certificate, a certificate is not self-signed and not trusted by an existing trusted certificate, a certificate is not permitted as a subordinate certificate, a certificate is malformed, or there is no X.509 certificate factory.
SignatureException - if the certificate signature cannot be or fails to verify for any reason including a malformed certificate.
NoSuchAlgorithmException - if the signature algorithm is unsupported.
InvalidKeyException - if a certificate public key is invalid.
NoSuchProviderException - if there is no X.509 certificate provider.

public void addTrusted(List<X509Certificate> chain) throws CertificateExpiredException, CertificateNotYetValidException, CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Add a chain of trusted certificates to this X509Store.

The first certificate in the chain must be self-signed, and all certificates must be CA certificates. The list must be ordered with the root certificate in the first position and the leaf certificate in the last position.

Parameters:
chain - the ordered chain of certificates.
Throws:
NoSuchAlgorithmException - if the signature algorithm is unsupported.
InvalidKeyException - if a certificate's public key is invalid.
NoSuchProviderException - if there is no signature provider.
SignatureException - if a certificate signature verification fails.
CertificateExpiredException - if the certificate is expired.
CertificateNotYetValidException - if the certificate is not yet valid.
CertificateException - if a certificate is malformed or the first certificate is not a self-signed certificate.

public void addTrusted(X509Certificate cert) throws CertificateExpiredException, CertificateNotYetValidException, CertificateException, SignatureException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException
Add a trusted certificate (in DER format, binary or Base64-encoded) to this X509Store.

This method verifies the certificate. That has the effect of requiring the CA root certificate to be added before any subordinate CA certificates.

To add a certificate chain, use addTrusted(List) instead.

Parameters:
cert - the X.509 certificate to add.
Throws:
CertificateExpiredException - if the certificate is expired.
CertificateNotYetValidException - if the certificate is not yet valid.
CertificateException - if the certificate is not a CA certificate, the certificate is not self-signed and not trusted by an existing trusted certificate, the certificate is not permitted as a subordinate certificate, or the certificate is malformed.
SignatureException - if the certificate signature cannot be or fails to verify for any reason including a malformed certificate.
NoSuchAlgorithmException - if the signature algorithm is unsupported.
InvalidKeyException - if a certificate public key is invalid.
NoSuchProviderException - if there is no X.509 certificate provider.

public boolean isAccepted(X509Certificate cert) throws CertificateExpiredException, CertificateNotYetValidException
Return true if the provided certificate is valid and accepted by a trusted certificate in this store.

Parameters:
cert - the certificate.
Throws:
CertificateExpiredException - if the certificate is expired.
CertificateNotYetValidException - if the certificate is not yet valid.
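The following is an added illustration, not the MSL project's X509Store source: a minimal trust store written against the standard JCA X509Certificate API that follows the rules this page documents for addTrusted(X509Certificate), isPermittedByIssuer and isAccepted (issuer lookup by subject name with signature verification, root added before subordinates, and a basic-constraints path length check). The class name TrustStoreExample and all method bodies are assumptions made for this example.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/** Illustrative trust store; an assumption for this example, not the MSL X509Store implementation. */
public class TrustStoreExample {
    // Subject name -> trusted certificates with that subject (the store field described on this page).
    private final Map<X500Principal, List<X509Certificate>> store = new HashMap<>();

    private static boolean isSelfSigned(X509Certificate c) { return c.getSubjectX500Principal().equals(c.getIssuerX500Principal()); }

    /** Issuer lookup by subject name; a candidate counts only if it actually verifies cert's signature. */
    private X509Certificate getIssuer(X509Certificate cert) {
        for (X509Certificate issuer : store.getOrDefault(cert.getIssuerX500Principal(), Collections.emptyList())) {
            try { cert.verify(issuer.getPublicKey()); return issuer; }
            catch (GeneralSecurityException e) { /* wrong key or bad signature: try the next candidate */ }
        }
        return null;
    }
    /** Trusted issuers of cert ordered root first; empty when cert is itself self-signed. */
    private List<X509Certificate> getIssuerChain(X509Certificate cert) throws CertificateException {
        LinkedList<X509Certificate> chain = new LinkedList<>();
        for (X509Certificate c = cert; !isSelfSigned(c); chain.addFirst(c)) {
            c = getIssuer(c);
            if (c == null) throw new CertificateException("no trusted issuer for " + cert.getSubjectX500Principal());
        }
        return chain;
    }
    /** Path length check: each ancestor's pathLenConstraint must cover the CAs below it plus cert itself. */
    private boolean isPermittedByIssuer(X509Certificate cert) throws CertificateException {
        List<X509Certificate> chain = getIssuerChain(cert);
        for (int i = 0; i < chain.size(); i++)
            if (chain.get(i).getBasicConstraints() < chain.size() - i) return false;  // -1 means not a CA
        return true;
    }
    /** Root must be added before its subordinates: a non-root is rejected until its issuer is trusted. */
    public void addTrusted(X509Certificate cert) throws GeneralSecurityException {
        cert.checkValidity();                                      // expired or not yet valid
        if (cert.getBasicConstraints() < 0) throw new CertificateException("not a CA certificate");
        if (isSelfSigned(cert)) cert.verify(cert.getPublicKey());  // self-signature must verify
        else if (getIssuer(cert) == null) throw new CertificateException("not trusted by an existing certificate");
        if (!isPermittedByIssuer(cert)) throw new CertificateException("not permitted as a subordinate CA");
        store.computeIfAbsent(cert.getSubjectX500Principal(), k -> new ArrayList<>()).add(cert);
    }
    /** True when cert is within its validity period and signed by a certificate in the store. */
    public boolean isAccepted(X509Certificate cert) throws CertificateException {
        cert.checkValidity();
        return getIssuer(cert) != null;
    }
}
```

Note that getIssuer only searches certificates already in the store, which is exactly why adding a subordinate CA before its root fails with CertificateException, as the page states for addTrusted(X509Certificate).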