public class CertificateValidationUtil extends Object
| Constructor and Description |
|---|
| CertificateValidationUtil() |
| Modifier and Type | Method and Description |
|---|---|
| static String | getSubjectAltNameUri(X509Certificate certificate) |
| static void | validateApplicationCertificateUsage(X509Certificate certificate) |
| static void | validateApplicationUri(X509Certificate certificate, String applicationUri) Validate that the application URI matches the SubjectAltName URI in the given certificate. |
| static void | validateCertificateValidity(X509Certificate certificate) |
| static void | validateHostnameOrIpAddress(X509Certificate certificate, String... hostnames) Validate that one of hostnames matches a SubjectAltName DNSName or IPAddress entry in the certificate. |
| static boolean | validateSubjectAltNameField(X509Certificate certificate, int field, Predicate<Object> fieldValidator) |
| static void | verifyTrustChain(List<X509Certificate> certificateChain, Collection<X509Certificate> trustedCertificates, Collection<X509CRL> trustedCrls, Collection<X509Certificate> issuerCertificates, Collection<X509CRL> issuerCrls) Verify that a chain of trust can be established for a certificate or chain of certificates. |
| static void | verifyTrustChain(List<X509Certificate> certificateChain, Set<X509Certificate> trustedCertificates, Set<X509Certificate> issuerCertificates) Verify that a chain of trust can be established for a certificate or chain of certificates. |
public static void verifyTrustChain(List<X509Certificate> certificateChain, Set<X509Certificate> trustedCertificates, Set<X509Certificate> issuerCertificates) throws UaException

Verify that a chain of trust can be established for a certificate or chain of certificates.

The chain must begin with the end-entity certificate at index 0 followed by the remaining certificates in the chain, if any, in the correct order.

If the end-entity certificate is present in the trustedCertificates set then trust is immediately verified. Otherwise, an attempt to build a path to a trusted anchor is made using the provided issuerCertificates as the anchors.

This overload takes no CRLs, so revocation of certificates on the path is not checked; prefer the five-argument overload whenever CRLs are available.

Parameters:
certificateChain - the certificate chain to verify.
trustedCertificates - the set of known-trusted certificates.
issuerCertificates - the set of CA certificates to use as trust anchors.

Throws:
UaException - if a chain of trust could not be established.

public static void verifyTrustChain(List<X509Certificate> certificateChain, Collection<X509Certificate> trustedCertificates, Collection<X509CRL> trustedCrls, Collection<X509Certificate> issuerCertificates, Collection<X509CRL> issuerCrls) throws UaException

Verify that a chain of trust can be established for a certificate or chain of certificates.

The chain must begin with the end-entity certificate at index 0 followed by the remaining certificates in the chain, if any, in the correct order.

If the end-entity certificate is present in trustedCertificates then trust is immediately verified. Otherwise, an attempt to build a path to a trust anchor is made using the root CAs in trustedCertificates and the root CAs in issuerCertificates as the trust anchors.

Once a valid certificate path has been established, at least one component of that path must be present in trustedCertificates. Certificates supplied only in issuerCertificates serve to complete the path; on their own they never confer trust.

Parameters:
certificateChain - the certificate chain to verify.
trustedCertificates - a collection of known-trusted certificates and CAs. Root CAs are used as Trust Anchors.
trustedCrls - a collection of X509CRLs for CAs in trustedCertificates, if any.
issuerCertificates - a collection of intermediate and root CA certificates used for the purpose of path validation, but that aren't trusted issuers. Root CAs are used as Trust Anchors.
issuerCrls - a collection of X509CRLs for CAs in issuerCertificates, if any.

Throws:
UaException - if a chain of trust could not be established.

public static void validateCertificateValidity(X509Certificate certificate) throws UaException

Validate that the current time falls within the certificate's validity period (notBefore to notAfter).

Parameters:
certificate - the certificate to validate.

Throws:
UaException - if the certificate is not yet valid or has expired.

public static void validateHostnameOrIpAddress(X509Certificate certificate, String... hostnames) throws UaException

Validate that one of hostnames matches a SubjectAltName DNSName or IPAddress entry in the certificate.

Parameters:
certificate - the certificate to validate against.
hostnames - the hostnames to look for.

Throws:
UaException - if there is no matching DNSName or IPAddress entry.

public static void validateApplicationUri(X509Certificate certificate, String applicationUri) throws UaException

Validate that the application URI matches the SubjectAltName URI in the given certificate.

Parameters:
certificate - the certificate to validate against.
applicationUri - the URI to validate.

Throws:
UaException - if the certificate is invalid, does not contain a URI, or contains a URI that does not match.

public static void validateApplicationCertificateUsage(X509Certificate certificate) throws UaException

Validate that the certificate's key usage extensions permit its use as an OPC UA application instance certificate.

Parameters:
certificate - the certificate to validate.

Throws:
UaException - if the certificate's key usage does not permit that use.

public static boolean validateSubjectAltNameField(X509Certificate certificate, int field, Predicate<Object> fieldValidator) throws UaException

Return true if the certificate has a SubjectAltName entry of the given GeneralName type whose value satisfies fieldValidator. The field is the integer tag used by X509Certificate.getSubjectAlternativeNames() (for example 2 = dNSName, 6 = uniformResourceIdentifier, 7 = iPAddress), and the value passed to the predicate is the entry's value as returned by that method (a String or a byte[]).

Parameters:
certificate - the certificate whose SubjectAltName entries are examined.
field - the GeneralName type of the entries to test.
fieldValidator - the predicate applied to each entry's value.

Throws:
UaException

public static String getSubjectAltNameUri(X509Certificate certificate) throws UaException

Return the URI (uniformResourceIdentifier) entry from the certificate's SubjectAltName extension.

Parameters:
certificate - the certificate to read the SubjectAltName URI from.

Throws:
UaException
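The following is an added example, not code from Eclipse Milo or from this page; it assumes the class lives at org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtil with UaException in org.eclipse.milo.opcua.stack.core, and that BouncyCastle's bcpkix is on the classpath to mint certificates in memory. The class TrustChainDemo, the constants APP_URI, HOSTNAME and CA_NAME, and every name and key are constructed for the demonstration. It exercises the three trust outcomes of the five-argument verifyTrustChain (root known only as an issuer is rejected, root in trustedCertificates is accepted, a pinned end-entity is accepted without path building) and then binds the certificate to an ApplicationUri and hostname, since a trusted certificate is not yet an authenticated identity.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtil;

/** Added example (not Milo's own code): runs CertificateValidationUtil against a constructed CA and leaf. */
public class TrustChainDemo {

    // Constructed identities for the demo, not a real deployment.
    static final String APP_URI = "urn:example:opcua:client";
    static final String HOSTNAME = "client.example.test";
    static final X500Name CA_NAME = new X500Name("CN=Demo Root CA");
    static long serial = 1;

    @FunctionalInterface
    interface Check { void run() throws UaException; }

    public static void main(String[] args) throws Exception {
        KeyPair caKeys = rsa();
        X509Certificate ca = selfSignedCa(caKeys);
        X509Certificate leaf = appCert(rsa().getPublic(), caKeys, APP_URI, HOSTNAME);
        List<X509Certificate> chain = Arrays.asList(leaf, ca);   // end-entity at index 0
        List<X509Certificate> noCerts = Collections.emptyList();
        List<X509CRL> noCrls = Collections.emptyList();

        // Root known only as an issuer: a path builds, but nothing on it is in trustedCertificates.
        expectRejected("root known only as issuer", () -> CertificateValidationUtil.verifyTrustChain(
            chain, noCerts, noCrls, Collections.singletonList(ca), noCrls));
        // Root in trustedCertificates: the path's anchor is trusted, so the leaf is accepted.
        CertificateValidationUtil.verifyTrustChain(chain, Collections.singletonList(ca), noCrls, noCerts, noCrls);
        // Leaf pinned directly in trustedCertificates: accepted without any path building.
        CertificateValidationUtil.verifyTrustChain(
            Collections.singletonList(leaf), Collections.singletonList(leaf), noCrls, noCerts, noCrls);

        // Trust is not identity: also bind the certificate to the claimed ApplicationUri and hostname.
        CertificateValidationUtil.validateCertificateValidity(leaf);
        CertificateValidationUtil.validateApplicationCertificateUsage(leaf);
        CertificateValidationUtil.validateApplicationUri(leaf, APP_URI);
        CertificateValidationUtil.validateHostnameOrIpAddress(leaf, "other.example.test", HOSTNAME);
        expectRejected("ApplicationUri mismatch", () ->
            CertificateValidationUtil.validateApplicationUri(leaf, "urn:example:opcua:impostor"));
        expectRejected("hostname mismatch", () ->
            CertificateValidationUtil.validateHostnameOrIpAddress(leaf, "impostor.example.test"));

        // Custom SAN policy: tag 2 is dNSName, as in X509Certificate.getSubjectAlternativeNames().
        boolean inZone = CertificateValidationUtil.validateSubjectAltNameField(
            leaf, 2, v -> v instanceof String && ((String) v).endsWith(".example.test"));
        System.out.println("dNSName within example.test: " + inZone);
        System.out.println("SAN URI: " + CertificateValidationUtil.getSubjectAltNameUri(leaf));
    }

    static void expectRejected(String what, Check check) {
        try {
            check.run();
            throw new AssertionError(what + " was accepted");
        } catch (UaException e) {
            System.out.println(what + " rejected: " + e.getMessage());
        }
    }

    static KeyPair rsa() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    static X509Certificate selfSignedCa(KeyPair keys) throws Exception {
        return sign(builder(CA_NAME, keys.getPublic())
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
            .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)), keys);
    }

    static X509Certificate appCert(PublicKey key, KeyPair caKeys, String appUri, String host) throws Exception {
        return sign(builder(new X500Name("CN=Demo OPC UA Client"), key)
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
            // Key usages OPC UA Part 6 asks of an application instance certificate.
            .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature
                | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment))
            .addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(
                new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth }))
            // The ApplicationUri lives in the SAN URI entry, the hostname in a dNSName entry.
            .addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName[] {
                new GeneralName(GeneralName.uniformResourceIdentifier, appUri),
                new GeneralName(GeneralName.dNSName, host) })), caKeys);
    }

    // Every certificate here is issued under CA_NAME and valid from yesterday for one year.
    static X509v3CertificateBuilder builder(X500Name subject, PublicKey key) {
        long now = System.currentTimeMillis();
        return new JcaX509v3CertificateBuilder(CA_NAME, BigInteger.valueOf(serial++),
            new Date(now - 86_400_000L), new Date(now + 365L * 86_400_000L), subject, key);
    }

    static X509Certificate sign(X509v3CertificateBuilder b, KeyPair signer) throws Exception {
        return new JcaX509CertificateConverter().getCertificate(
            b.build(new JcaContentSignerBuilder("SHA256withRSA").build(signer.getPrivate())));
    }
}
```

In a real deployment the trusted and issuer collections come from the application's certificate store directories and the CRL collections from the CRLs published for those CAs; passing empty CRL collections, as this demo does, means no revocation information is consulted. The first verifyTrustChain call is the one worth remembering: a CA placed only in issuerCertificates lets the path validator finish its work but, by the contract documented above, still leaves the end-entity untrusted.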
Copyright © 2020. All rights reserved.