org.xdi.oxauth.cert.validation.PathCertificateVerifier の継承関係図

org.xdi.oxauth.cert.validation.PathCertificateVerifier 連携図

公開メンバ関数
	PathCertificateVerifier (boolean verifySelfSignedCert)

ValidationStatus	validate (X509Certificate certificate, List< X509Certificate > issuers, Date validationDate)

PKIXCertPathBuilderResult	verifyCertificate (X509Certificate certificate, List< X509Certificate > additionalCerts)

void	destroy ()

静的公開メンバ関数
static boolean	isSelfSigned (X509Certificate certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException

非公開メンバ関数
PKIXCertPathBuilderResult	verifyCertificate (X509Certificate certificate, Set< X509Certificate > trustedRootCerts, Set< X509Certificate > intermediateCerts) throws GeneralSecurityException

非公開変数類
boolean	verifySelfSignedCertificate

静的非公開変数類
static final Logger	log = LoggerFactory.getLogger(PathCertificateVerifier.class)

詳解

Chain certificate verifier

著者: Yuriy Movchan

バージョン: March 11, 2016

構築子と解体子

◆ PathCertificateVerifier()

org.xdi.oxauth.cert.validation.PathCertificateVerifier.PathCertificateVerifier ( boolean verifySelfSignedCert )

inline

                                                                      {
                 SecurityProviderUtility.installBCProvider(true);
 
                 this.verifySelfSignedCertificate = verifySelfSignedCert;
         }

関数詳解

◆ destroy()

void org.xdi.oxauth.cert.validation.PathCertificateVerifier.destroy ( )

inline

org.xdi.oxauth.cert.validation.CertificateVerifierを実装しています。

192 {

193 }

◆ isSelfSigned()

static boolean org.xdi.oxauth.cert.validation.PathCertificateVerifier.isSelfSigned ( X509Certificate certificate ) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException

inlinestatic

                                                                                                                                                        {
                 try {
                         // Try to verify certificate signature with its own public key
                         PublicKey key = certificate.getPublicKey();
                         certificate.verify(key);
 
                         return true;
                 } catch (SignatureException ex) {
                         // Not self-signed
                         return false;
                 } catch (InvalidKeyException ex) {
                         // Not self-signed
                         return false;
                 }
         }

◆ validate()

ValidationStatus org.xdi.oxauth.cert.validation.PathCertificateVerifier.validate	(	X509Certificate	certificate,
		List< X509Certificate >	issuers,
		Date	validationDate
	)

inline

org.xdi.oxauth.cert.validation.CertificateVerifierを実装しています。

                                                                                                                           {
                 X509Certificate issuer = issuers.get(0);
                 ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.CHAIN, CertificateValidity.UNKNOWN);
 
                 try {
                         ArrayList<X509Certificate> chains = new ArrayList<X509Certificate>();
                         chains.add(certificate);
                         chains.addAll(issuers);
 
                         Principal subjectX500Principal = certificate.getSubjectX500Principal();
 
                         PKIXCertPathBuilderResult certPathResult = verifyCertificate(certificate, chains);
                         if (certPathResult == null) {
                                 log.warn("Chain status is not valid for '" + subjectX500Principal + "'");
                                 status.setValidity(CertificateValidity.INVALID);
                                 return status;
                         }
 
                         log.debug("Chain status is valid for '" + subjectX500Principal + "'");
                         status.setValidity(CertificateValidity.VALID);
                 } catch (Exception ex) {
                         log.error("OCSP exception: ", ex);
                 }
 
                 return status;
         }

◆ verifyCertificate() [1/2]

PKIXCertPathBuilderResult org.xdi.oxauth.cert.validation.PathCertificateVerifier.verifyCertificate	(	X509Certificate	certificate,
		List< X509Certificate >	additionalCerts
	)

inline

                                                                                                                                {
                 try {
                         // Check for self-signed certificate
                         if (!verifySelfSignedCertificate && isSelfSigned(certificate)) {
                                 log.error("The certificate is self-signed!");
 
                                 return null;
                         }
 
                         // Prepare a set of trusted root CA certificates and a set of
                         // intermediate certificates
                         Set<X509Certificate> trustedRootCerts = new HashSet<X509Certificate>();
                         Set<X509Certificate> intermediateCerts = new HashSet<X509Certificate>();
                         for (X509Certificate additionalCert : additionalCerts) {
                                 if (isSelfSigned(additionalCert)) {
                                         trustedRootCerts.add(additionalCert);
                                 } else {
                                         intermediateCerts.add(additionalCert);
                                 }
                         }
 
                         // Attempt to build the certification chain and verify it
                         PKIXCertPathBuilderResult certPathBuilderResult = verifyCertificate(certificate, trustedRootCerts, intermediateCerts);
 
                         // Check that first certificate is an EE certificate
                         CertPath certPath = certPathBuilderResult.getCertPath();
                         List<? extends Certificate> certList = certPath.getCertificates();
                         X509Certificate cert = (X509Certificate) certList.get(0);
                         if (cert.getBasicConstraints() != -1) {
                                 log.error("Target certificate is not an EE certificate!");
 
                                 return null;
                         }
 
                         // The chain is verified. Return it as a result
                         return certPathBuilderResult;
                 } catch (CertPathBuilderException ex) {
                         log.error("Failed to build certificate path", ex);
                 } catch (GeneralSecurityException ex) {
                         log.error("Failed to build certificate path", ex);
                 }
 
                 return null;
         }

◆ verifyCertificate() [2/2]

PKIXCertPathBuilderResult org.xdi.oxauth.cert.validation.PathCertificateVerifier.verifyCertificate	(	X509Certificate	certificate,
		Set< X509Certificate >	trustedRootCerts,
		Set< X509Certificate >	intermediateCerts
	)		throws GeneralSecurityException

inlineprivate

Attempts to build a certification chain for given certificate to verify it. Relies on a set of root CA certificates (trust anchors) and a set of intermediate certificates (to be used as part of the chain).

                                                         {
 
                 // Create the selector that specifies the starting certificate
                 X509CertSelector selector = new X509CertSelector();
                 selector.setBasicConstraints(-2);
                 selector.setCertificate(certificate);
 
                 // Create the trust anchors (set of root CA certificates)
                 Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
                 for (X509Certificate trustedRootCert : trustedRootCerts) {
                         trustAnchors.add(new TrustAnchor(trustedRootCert, null));
                 }
 
                 // Configure the PKIX certificate builder algorithm parameters
                 PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
 
                 // Turn off default revocation-checking mechanism
                 pkixParams.setRevocationEnabled(false);
 
                 // Specify a list of intermediate certificates
                 CertStore intermediateCertStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts));
                 pkixParams.addCertStore(intermediateCertStore);
 
                 // Build and verify the certification chain
                 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
                 PKIXCertPathBuilderResult certPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);
 
                 // Additional check to Verify cert path
                 CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
                 PKIXCertPathValidatorResult certPathValidationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(certPathBuilderResult.getCertPath(), pkixParams);
 
                 return certPathBuilderResult;
         }

メンバ詳解

◆ log

final Logger org.xdi.oxauth.cert.validation.PathCertificateVerifier.log = LoggerFactory.getLogger(PathCertificateVerifier.class)

staticprivate

◆ verifySelfSignedCertificate

boolean org.xdi.oxauth.cert.validation.PathCertificateVerifier.verifySelfSignedCertificate

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/gluu/src/oxAuth/Server/src/main/java/org/xdi/oxauth/cert/validation/PathCertificateVerifier.java

公開メンバ関数

静的公開メンバ関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ PathCertificateVerifier()

関数詳解

◆ destroy()

◆ isSelfSigned()

◆ validate()

◆ verifyCertificate() [1/2]

◆ verifyCertificate() [2/2]

メンバ詳解

◆ log

◆ verifySelfSignedCertificate