Class SpiffeTrustManager

All Implemented Interfaces:
    TrustManager, X509TrustManager

Provides methods to validate X.509 certificate chains using trusted certificates provided by a BundleSource maintained via the Workload API, and to verify the peer's SPIFFE ID against a Set of accepted SPIFFE IDs provided by a Supplier.
Constructor Summary

Constructor | Description
SpiffeTrustManager(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource) | Constructor.
SpiffeTrustManager(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource, @NonNull SpiffeIdVerifier spiffeIdVerifier) | Constructor.
SpiffeTrustManager(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource, @NonNull Supplier<Set<io.spiffe.spiffeid.SpiffeId>> acceptedSpiffeIdsSupplier) | Constructor.
Method Summary

Modifier and Type | Method | Description
void | checkClientTrusted(@NonNull X509Certificate[] chain, String authType) | Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for Client SSL authentication based on the authentication type.
void | checkClientTrusted(@NonNull X509Certificate[] chain, String authType, Socket socket) |
void | checkClientTrusted(@NonNull X509Certificate[] chain, String authType, SSLEngine sslEngine) |
void | checkServerTrusted(@NonNull X509Certificate[] chain, String authType) | Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for Server SSL authentication based on the authentication type.
void | checkServerTrusted(@NonNull X509Certificate[] chain, String authType, Socket socket) |
void | checkServerTrusted(@NonNull X509Certificate[] chain, String authType, SSLEngine sslEngine) |
Constructor Details

SpiffeTrustManager

    public SpiffeTrustManager(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource, @NonNull Supplier<Set<io.spiffe.spiffeid.SpiffeId>> acceptedSpiffeIdsSupplier)

    Constructor. Creates a SpiffeTrustManager with an X.509 bundle source used to provide the trusted bundles, and a Supplier of a Set of accepted SpiffeId to be used during peer SVID validation.

    Parameters:
        x509BundleSource - an implementation of a BundleSource
        acceptedSpiffeIdsSupplier - a Supplier of a Set of accepted SPIFFE IDs.

SpiffeTrustManager

    public SpiffeTrustManager(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource, @NonNull SpiffeIdVerifier spiffeIdVerifier)

    Constructor. Creates a SpiffeTrustManager with an X.509 bundle source used to provide the trusted bundles, and a SpiffeIdVerifier which will be called to determine if a SpiffeId should be accepted during peer SVID validation.

    Parameters:
        x509BundleSource - an implementation of a BundleSource
        spiffeIdVerifier - a SpiffeIdVerifier that will be called to determine if a peer's SPIFFE ID is acceptable

SpiffeTrustManager

    public SpiffeTrustManager(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource)

    Constructor. Creates a SpiffeTrustManager with an X.509 bundle source used to provide the trusted bundles, and a flag to indicate that any SPIFFE ID will be accepted. Any SPIFFE ID will be accepted during peer SVID validation.

    Parameters:
        x509BundleSource - an implementation of a BundleSource
Method Details

checkClientTrusted

    public void checkClientTrusted(@NonNull X509Certificate[] chain, String authType) throws CertificateException

    Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for Client SSL authentication based on the authentication type. Throws a CertificateException if the chain cannot be chained to a trusted bundle, or if the SPIFFE ID in the chain is not in the Set of accepted SPIFFE IDs.

    Parameters:
        chain - the peer certificate chain
        authType - not used
    Throws:
        CertificateException - when the chain or the SPIFFE ID presented are not trusted.

checkServerTrusted

    public void checkServerTrusted(@NonNull X509Certificate[] chain, String authType) throws CertificateException

    Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for Server SSL authentication based on the authentication type. Throws a CertificateException if the chain cannot be chained to a trusted bundle, or if the SPIFFE ID in the chain is not in the Set of accepted SPIFFE IDs.

    Parameters:
        chain - the peer certificate chain
        authType - not used
    Throws:
        CertificateException - when the chain or the SPIFFE ID presented are not trusted.

getAcceptedIssuers
checkClientTrusted

    public void checkClientTrusted(@NonNull X509Certificate[] chain, String authType, Socket socket) throws CertificateException

    Specified by:
        checkClientTrusted in class X509ExtendedTrustManager
    Throws:
        CertificateException

checkServerTrusted

    public void checkServerTrusted(@NonNull X509Certificate[] chain, String authType, Socket socket) throws CertificateException

    Specified by:
        checkServerTrusted in class X509ExtendedTrustManager
    Throws:
        CertificateException

checkClientTrusted

    public void checkClientTrusted(@NonNull X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException

    Specified by:
        checkClientTrusted in class X509ExtendedTrustManager
    Throws:
        CertificateException

checkServerTrusted

    public void checkServerTrusted(@NonNull X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException

    Specified by:
        checkServerTrusted in class X509ExtendedTrustManager
    Throws:
        CertificateException
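As an added usage example (not part of this reference page), the three constructors wired into an SSLContext so that a peer must both chain to a Workload API bundle and present an accepted SPIFFE ID. It assumes SpiffeTrustManager, SpiffeIdVerifier and SpiffeVerificationException live in io.spiffe.provider and that io.spiffe.workloadapi.X509Source implements BundleSource<X509Bundle>; the spiffe://example.org IDs are constructed sample values.

```java
import io.spiffe.provider.SpiffeIdVerifier;
import io.spiffe.provider.SpiffeTrustManager;
import io.spiffe.provider.SpiffeVerificationException;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.workloadapi.X509Source;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

public class SpiffeTrustManagerExample {

    public static void main(String[] args) throws Exception {
        // Assumption: X509Source implements BundleSource<X509Bundle>, connects to the Workload API
        // at SPIFFE_ENDPOINT_SOCKET and keeps the trust bundles current as they rotate.
        X509Source x509Source = X509Source.newSource();

        // Option 1: a Supplier of the exact SPIFFE IDs this workload accepts from peers.
        // The supplier is consulted at validation time, so the set can change without
        // rebuilding the trust manager or the SSLContext.
        Supplier<Set<SpiffeId>> acceptedIds = () -> Set.of(
                SpiffeId.parse("spiffe://example.org/backend"),
                SpiffeId.parse("spiffe://example.org/reporting"));
        SpiffeTrustManager allowListed = new SpiffeTrustManager(x509Source, acceptedIds);

        // Option 2: a SpiffeIdVerifier for policy that is not a fixed list. It runs only after the
        // chain has already been validated against the bundle, and receives that verified chain.
        SpiffeIdVerifier sameTrustDomainOnly = (SpiffeId id, X509Certificate[] chain) -> {
            if (!id.toString().startsWith("spiffe://example.org/")) {
                throw new SpiffeVerificationException("peer " + id + " is outside the allowed trust domain");
            }
        };
        SpiffeTrustManager policyChecked = new SpiffeTrustManager(x509Source, sameTrustDomainOnly);

        // Option 3: the one-argument constructor accepts any SPIFFE ID that chains to a trusted
        // bundle; it only authenticates the trust domain, so authorization must happen elsewhere.
        SpiffeTrustManager anyId = new SpiffeTrustManager(x509Source);

        // Install the allow-listed manager; the workload's own SVID key manager is out of scope here.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { allowListed }, null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Note that authType is ignored by checkClientTrusted and checkServerTrusted, so the SPIFFE ID check is the only peer-identity policy applied beyond chain validation.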