org.keycloak.authentication.authenticators.x509.CertificateValidator 連携図

クラス
class	BouncyCastleOCSPChecker

class	CertificateValidatorBuilder

class	CRLFileLoader

class	CRLLoaderImpl

class	CRLLoaderProxy

enum	KeyUsageBits

class	LdapContext

class	OCSPChecker

公開メンバ関数
	CertificateValidator ()

CertificateValidator	validateKeyUsage () throws GeneralSecurityException

CertificateValidator	validateExtendedKeyUsage () throws GeneralSecurityException

CertificateValidator	checkRevocationStatus () throws GeneralSecurityException

限定公開メンバ関数
	CertificateValidator (X509Certificate[] certChain, int keyUsageBits, List< String > extendedKeyUsage, boolean cRLCheckingEnabled, boolean cRLDPCheckingEnabled, CRLLoaderImpl crlLoader, boolean oCSPCheckingEnabled, OCSPChecker ocspChecker)

変数
X509Certificate []	_certChain

int	_keyUsageBits

List< String >	_extendedKeyUsage

boolean	_crlCheckingEnabled

boolean	_crldpEnabled

CRLLoaderImpl	_crlLoader

boolean	_ocspEnabled

OCSPChecker	ocspChecker

非公開メンバ関数
void	checkRevocationUsingOCSP (X509Certificate[] certs) throws GeneralSecurityException

静的非公開メンバ関数
static void	validateKeyUsage (X509Certificate[] certs, int expected) throws GeneralSecurityException

static void	validateExtendedKeyUsage (X509Certificate[] certs, List< String > expectedEKU) throws GeneralSecurityException

static void	checkRevocationStatusUsingCRL (X509Certificate[] certs, CRLLoaderImpl crLoader) throws GeneralSecurityException

static List< String >	getCRLDistributionPoints (X509Certificate cert)

static void	checkRevocationStatusUsingCRLDistributionPoints (X509Certificate[] certs) throws GeneralSecurityException

静的非公開変数類
static final ServicesLogger	logger = ServicesLogger.LOGGER

詳解

著者: Peter Nalyvayko

バージョン

Revision: 1

日付: 7/30/2016

構築子と解体子

◆ CertificateValidator() [1/2]

org.keycloak.authentication.authenticators.x509.CertificateValidator.CertificateValidator ( )

inline

                                   {
 
     }

◆ CertificateValidator() [2/2]

org.keycloak.authentication.authenticators.x509.CertificateValidator.CertificateValidator	(	X509Certificate []	certChain,
		int	keyUsageBits,
		List< String >	extendedKeyUsage,
		boolean	cRLCheckingEnabled,
		boolean	cRLDPCheckingEnabled,
		CRLLoaderImpl	crlLoader,
		boolean	oCSPCheckingEnabled,
		OCSPChecker	ocspChecker
	)

inlineprotected

                                                             {
         _certChain = certChain;
         _keyUsageBits = keyUsageBits;
         _extendedKeyUsage = extendedKeyUsage;
         _crlCheckingEnabled = cRLCheckingEnabled;
         _crldpEnabled = cRLDPCheckingEnabled;
         _crlLoader = crlLoader;
         _ocspEnabled = oCSPCheckingEnabled;
         this.ocspChecker = ocspChecker;
 
         if (ocspChecker == null)
             throw new IllegalArgumentException("ocspChecker");
     }

関数詳解

◆ checkRevocationStatus()

CertificateValidator org.keycloak.authentication.authenticators.x509.CertificateValidator.checkRevocationStatus ( ) throws GeneralSecurityException

inline

                                                                                         {
         if (!(_crlCheckingEnabled || _ocspEnabled)) {
             return this;
         }
         if (_crlCheckingEnabled) {
             if (!_crldpEnabled) {
                 checkRevocationStatusUsingCRL(_certChain, _crlLoader /*"crl.pem"*/);
             } else {
                 checkRevocationStatusUsingCRLDistributionPoints(_certChain);
             }
         }
         if (_ocspEnabled) {
             checkRevocationUsingOCSP(_certChain);
         }
         return this;
     }

◆ checkRevocationStatusUsingCRL()

static void org.keycloak.authentication.authenticators.x509.CertificateValidator.checkRevocationStatusUsingCRL	(	X509Certificate []	certs,
		CRLLoaderImpl	crLoader
	)		throws GeneralSecurityException

inlinestaticprivate

                                                                                                                                        {
         Collection<X509CRL> crlColl = crLoader.getX509CRLs();
         if (crlColl != null && crlColl.size() > 0) {
             for (X509CRL it : crlColl) {
                 if (it.isRevoked(certs[0])) {
                     String message = String.format("Certificate has been revoked, certificate's subject: %s", certs[0].getSubjectDN().getName());
                     logger.debug(message);
                     throw new GeneralSecurityException(message);
                 }
             }
         }
     }

◆ checkRevocationStatusUsingCRLDistributionPoints()

static void org.keycloak.authentication.authenticators.x509.CertificateValidator.checkRevocationStatusUsingCRLDistributionPoints ( X509Certificate [] certs ) throws GeneralSecurityException

inlinestaticprivate

                                                                                                                                  {
 
         List<String> distributionPoints = getCRLDistributionPoints(certs[0]);
         if (distributionPoints == null || distributionPoints.size() == 0) {
             throw new GeneralSecurityException("Could not find any CRL distribution points in the certificate, unable to check the certificate revocation status using CRL/DP.");
         }
         for (String dp : distributionPoints) {
             logger.tracef("CRL Distribution point: \"%s\"", dp);
             checkRevocationStatusUsingCRL(certs, new CRLFileLoader(dp));
         }
     }

◆ checkRevocationUsingOCSP()

void org.keycloak.authentication.authenticators.x509.CertificateValidator.checkRevocationUsingOCSP ( X509Certificate [] certs ) throws GeneralSecurityException

inlineprivate

                                                                                                    {
 
         if (certs.length < 2) {
             // OCSP requires a responder certificate to verify OCSP
             // signed response.
             String message = "OCSP requires a responder certificate. OCSP cannot be used to verify the revocation status of self-signed certificates.";
             throw new GeneralSecurityException(message);
         }
 
         for (X509Certificate cert : certs) {
             logger.debugf("Certificate: %s", cert.getSubjectDN().getName());
         }
 
         OCSPUtils.OCSPRevocationStatus rs = ocspChecker.check(certs[0], certs[1]);
 
         if (rs == null) {
             throw new GeneralSecurityException("Unable to check client revocation status using OCSP");
         }
 
         if (rs.getRevocationStatus() == OCSPUtils.RevocationStatus.UNKNOWN) {
             throw new GeneralSecurityException("Unable to determine certificate's revocation status.");
         }
         else if (rs.getRevocationStatus() == OCSPUtils.RevocationStatus.REVOKED) {
 
             StringBuilder sb = new StringBuilder();
             sb.append("Certificate's been revoked.");
             sb.append("\n");
             sb.append(rs.getRevocationReason().toString());
             sb.append("\n");
             sb.append(String.format("Revoked on: %s",rs.getRevocationTime().toString()));
 
             throw new GeneralSecurityException(sb.toString());
         }
     }

◆ getCRLDistributionPoints()

static List<String> org.keycloak.authentication.authenticators.x509.CertificateValidator.getCRLDistributionPoints ( X509Certificate cert )

inlinestaticprivate

                                                                                {
         try {
             return CRLUtils.getCRLDistributionPoints(cert);
         }
         catch(IOException e) {
             logger.error(e.getMessage());
         }
         return new ArrayList<>();
     }

◆ validateExtendedKeyUsage() [1/2]

static void org.keycloak.authentication.authenticators.x509.CertificateValidator.validateExtendedKeyUsage	(	X509Certificate []	certs,
		List< String >	expectedEKU
	)		throws GeneralSecurityException

inlinestaticprivate

                                                                                                                                     {
         if (expectedEKU == null || expectedEKU.size() == 0) {
             logger.debug("Extended Key Usage validation is not enabled.");
             return;
         }
         List<String> extendedKeyUsage = certs[0].getExtendedKeyUsage();
         if (extendedKeyUsage == null) {
             String message = "Extended key usage extension is expected, but unavailable";
             throw new GeneralSecurityException(message);
         }
 
         boolean isCritical = false;
         Set critSet = certs[0].getCriticalExtensionOIDs();
         if (critSet != null) {
             isCritical = critSet.contains("2.5.29.37");
         }
 
         List<String> ekuList = new LinkedList<>();
         extendedKeyUsage.forEach(s -> ekuList.add(s.toLowerCase()));
 
         for (String eku : expectedEKU) {
             if (!ekuList.contains(eku.toLowerCase())) {
                 String message = String.format("Extended Key Usage \'%s\' is missing.", eku);
                 if (isCritical) {
                     throw new GeneralSecurityException(message);
                 }
                 logger.warn(message);
             }
         }
     }

◆ validateExtendedKeyUsage() [2/2]

CertificateValidator org.keycloak.authentication.authenticators.x509.CertificateValidator.validateExtendedKeyUsage ( ) throws GeneralSecurityException

inline

                                                                                            {
         validateExtendedKeyUsage(_certChain, _extendedKeyUsage);
         return this;
     }

◆ validateKeyUsage() [1/2]

static void org.keycloak.authentication.authenticators.x509.CertificateValidator.validateKeyUsage	(	X509Certificate []	certs,
		int	expected
	)		throws GeneralSecurityException

inlinestaticprivate

                                                                                                                 {
         boolean[] keyUsageBits = certs[0].getKeyUsage();
         if (keyUsageBits == null) {
             if (expected != 0) {
                 String message = "Key usage extension is expected, but unavailable.";
                 throw new GeneralSecurityException(message);
             }
             return;
         }
 
         boolean isCritical = false;
         Set critSet = certs[0].getCriticalExtensionOIDs();
         if (critSet != null) {
             isCritical = critSet.contains("2.5.29.15");
         }
 
         int n = expected;
 
         StringBuilder sb = new StringBuilder();
         for (int i = 0; i < keyUsageBits.length; i++, n >>= 1) {
             boolean value = keyUsageBits[i];
             if ((n & 1) == 1 && !value) {
                 String message = String.format("Key Usage bit \'%s\' is not set.", CertificateValidator.KeyUsageBits.fromValue(i).getName());
                 if (sb.length() > 0) sb.append("\n");
                 sb.append(message);
 
                 logger.warn(message);
             }
         }
         if (sb.length() > 0) {
             if (isCritical) {
                 throw new GeneralSecurityException(sb.toString());
             }
         }
     }

◆ validateKeyUsage() [2/2]

CertificateValidator org.keycloak.authentication.authenticators.x509.CertificateValidator.validateKeyUsage ( ) throws GeneralSecurityException

inline

                                                                                    {
         validateKeyUsage(_certChain, _keyUsageBits);
         return this;
     }

メンバ詳解

◆ _certChain

X509Certificate [] org.keycloak.authentication.authenticators.x509.CertificateValidator._certChain

package

◆ _crlCheckingEnabled

boolean org.keycloak.authentication.authenticators.x509.CertificateValidator._crlCheckingEnabled

package

◆ _crldpEnabled

boolean org.keycloak.authentication.authenticators.x509.CertificateValidator._crldpEnabled

package

◆ _crlLoader

CRLLoaderImpl org.keycloak.authentication.authenticators.x509.CertificateValidator._crlLoader

package

◆ _extendedKeyUsage

List<String> org.keycloak.authentication.authenticators.x509.CertificateValidator._extendedKeyUsage

package

◆ _keyUsageBits

int org.keycloak.authentication.authenticators.x509.CertificateValidator._keyUsageBits

package

◆ _ocspEnabled

boolean org.keycloak.authentication.authenticators.x509.CertificateValidator._ocspEnabled

package

◆ logger

final ServicesLogger org.keycloak.authentication.authenticators.x509.CertificateValidator.logger = ServicesLogger.LOGGER

staticprivate

◆ ocspChecker

OCSPChecker org.keycloak.authentication.authenticators.x509.CertificateValidator.ocspChecker

package

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/authentication/authenticators/x509/CertificateValidator.java

クラス

公開メンバ関数

限定公開メンバ関数

変数

非公開メンバ関数

静的非公開メンバ関数

静的非公開変数類

詳解

構築子と解体子

◆ CertificateValidator() [1/2]

◆ CertificateValidator() [2/2]

関数詳解

◆ checkRevocationStatus()

◆ checkRevocationStatusUsingCRL()

◆ checkRevocationStatusUsingCRLDistributionPoints()

◆ checkRevocationUsingOCSP()

◆ getCRLDistributionPoints()

◆ validateExtendedKeyUsage() [1/2]

◆ validateExtendedKeyUsage() [2/2]

◆ validateKeyUsage() [1/2]

◆ validateKeyUsage() [2/2]

メンバ詳解

◆ _certChain

◆ _crlCheckingEnabled

◆ _crldpEnabled

◆ _crlLoader

◆ _extendedKeyUsage

◆ _keyUsageBits

◆ _ocspEnabled

◆ logger

◆ ocspChecker