Package org.apache.synapse.transport.certificatevalidation

Class CertificateVerificationManager

java.lang.Object

org.apache.synapse.transport.certificatevalidation.CertificateVerificationManager

public class CertificateVerificationManager
extends Object

Manager class responsible for verifying certificates. This class will use the available verifiers according to a predefined policy.

Constructor Summary

Constructors

Constructor	Description
CertificateVerificationManager(Integer cacheAllocatedSize, Integer cacheDelayMins)
CertificateVerificationManager(Integer cacheAllocatedSize, Integer cacheDelayMins, boolean isFullCertChainValidationEnabled, boolean isCertExpiryValidationEnabled)

Method Summary

Modifier and Type	Method	Description
X509Certificate	getPeerCertificate(X509Certificate[] convertedCertificates)
X509Certificate	getVerifiedIssuerCertOfPeerCert(X509Certificate peerCert, CertCache certCache)
boolean	isExpired(X509Certificate[] certificates)	Checks whether a provided certificate is expired or not at the time it is validated.
boolean	isPeerCertVerified(X509Certificate peerCert, X509Certificate issuerCert)
void	verifyCertificateValidity(Certificate[] peerCertificates)	This method verifies the given certificate chain or given peer certificate for revocation based on the requirement of full certificate chain validation.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

CertificateVerificationManager

public CertificateVerificationManager(Integer cacheAllocatedSize,
 Integer cacheDelayMins)

CertificateVerificationManager

public CertificateVerificationManager(Integer cacheAllocatedSize,
 Integer cacheDelayMins,
 boolean isFullCertChainValidationEnabled,
 boolean isCertExpiryValidationEnabled)

Method Details

verifyCertificateValidity

public void verifyCertificateValidity(Certificate[] peerCertificates)
                               throws CertificateVerificationException

This method verifies the given certificate chain or given peer certificate for revocation based on the requirement of full certificate chain validation. If full chain validation is enabled (default), the full certificate chain will be validated before checking the chain for revocation. If full chain validation is disabled, this method expects a single peer certificate, and it is validated with the immediate issuer certificate in the truststore (The truststore must contain the immediate issuer of the peer certificate). In both cases, OCSP and CRL verifiers are used for revocation verification. It first tries to verify using OCSP since OCSP verification is faster. If that fails it tries to do the verification using CRL.

Parameters:

peerCertificates - java.security.cert.Certificate[] array of peer certificate chain from peer/client.

Throws:

CertificateVerificationException

isExpired

public boolean isExpired(X509Certificate[] certificates)

Checks whether a provided certificate is expired or not at the time it is validated.

Parameters:

certificates - certificates to be validated for expiry

Returns:

true if one of the certs are expired, false otherwise

getPeerCertificate

public X509Certificate getPeerCertificate(X509Certificate[] convertedCertificates)
                                   throws CertificateVerificationException

Throws:

CertificateVerificationException

getVerifiedIssuerCertOfPeerCert

public X509Certificate getVerifiedIssuerCertOfPeerCert(X509Certificate peerCert,
 CertCache certCache)
                                                throws CertificateVerificationException

Throws:

CertificateVerificationException

isPeerCertVerified

public boolean isPeerCertVerified(X509Certificate peerCert,
 X509Certificate issuerCert)