Package org.forgerock.secrets
Class SecretsTrustManager
- java.lang.Object
 - javax.net.ssl.X509ExtendedTrustManager
  - org.forgerock.secrets.SecretsTrustManager
- All Implemented Interfaces:
 TrustManager, X509TrustManager

public class SecretsTrustManager extends X509ExtendedTrustManager

Provides an implementation of a standard Java TLS X509ExtendedTrustManager that retrieves trusted certificates from the Secrets API. This allows trusted certificates to be managed using any backend that the Secrets API supports.
Field Summary
- static Option<Boolean> ENABLE_REVOCATION_CHECKING
 Whether the trust manager should perform revocation checking or not.
- static Option<EnumSet<PKIXRevocationChecker.Option>> REVOCATION_OPTIONS
 The options to pass to the revocation checker, if revocation checking is enabled.
- static Option<String> TRUST_MANAGER_ALGORITHM
 Algorithm to use for looking up the underlying X509ExtendedTrustManager.
Method Summary
All Methods, Instance Methods, Concrete Methods
- void checkClientTrusted(X509Certificate[] chain, String authType)
- void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- void checkServerTrusted(X509Certificate[] chain, String authType)
- void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- X509Certificate[] getAcceptedIssuers()
Field Detail
- ENABLE_REVOCATION_CHECKING
 public static final Option<Boolean> ENABLE_REVOCATION_CHECKING
 Whether the trust manager should perform revocation checking or not. Defaults to true.
- TRUST_MANAGER_ALGORITHM
 public static final Option<String> TRUST_MANAGER_ALGORITHM
 Algorithm to use for looking up the underlying X509ExtendedTrustManager. Defaults to PKIX.
- REVOCATION_OPTIONS
 public static final Option<EnumSet<PKIXRevocationChecker.Option>> REVOCATION_OPTIONS
 The options to pass to the revocation checker, if revocation checking is enabled. Defaults to SOFT_FAIL, which means that any failure to check the revocation status of a certificate (for example, an unreachable CRL distribution point or OCSP responder) is treated as if the certificate were not revoked. This is usually the only feasible option for public certificates, as public CA revocation checking is unreliable and/or misconfigured in many cases.
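As an added illustration (not part of this Javadoc and not the Secrets API's own implementation), the following Java helper shows the JDK PKIX machinery that the two revocation options above correspond to: a boolean switch for revocation checking and an EnumSet of PKIXRevocationChecker options, with the page's SOFT_FAIL default beside the strict alternative. The class name, parameter names and the caller-supplied KeyStore of trusted certificates are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical helper: builds a PKIX X509ExtendedTrustManager with explicit revocation policy.
public final class PkixTrustManagerBuilder {

    // Same meaning as the page's REVOCATION_OPTIONS default: a failed lookup does not reject the chain.
    public static final EnumSet<PKIXRevocationChecker.Option> SOFT_FAIL =
            EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL);

    // Strict alternative: an unreachable CRL/OCSP source fails validation (suitable for private PKI).
    public static final EnumSet<PKIXRevocationChecker.Option> HARD_FAIL =
            EnumSet.noneOf(PKIXRevocationChecker.Option.class);

    // trustStore: loaded KeyStore of CA certificates (assumed); enableRevocation and
    // revocationOptions are the counterparts of ENABLE_REVOCATION_CHECKING and REVOCATION_OPTIONS.
    public static X509ExtendedTrustManager build(KeyStore trustStore, boolean enableRevocation,
            EnumSet<PKIXRevocationChecker.Option> revocationOptions) throws Exception {
        // Trust anchors come from the key store; an empty selector accepts any end-entity certificate.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        if (enableRevocation) {
            // A PKIXRevocationChecker added here is used irrespective of the RevocationEnabled flag.
            PKIXRevocationChecker checker =
                    (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            checker.setOptions(revocationOptions);
            params.addCertPathChecker(checker);
        } else {
            params.setRevocationEnabled(false); // no CRL or OCSP lookups at all
        }
        // "PKIX" is the algorithm name the page gives as the TRUST_MANAGER_ALGORITHM default.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX TrustManagerFactory produced no X509ExtendedTrustManager");
    }
}
```

Calling build(store, true, PkixTrustManagerBuilder.SOFT_FAIL) reproduces the page's defaults; passing HARD_FAIL makes revocation lookup failures surface as a CertificateException from checkServerTrusted/checkClientTrusted.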
Method Detail
- checkClientTrusted
 public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
 Specified by: checkClientTrusted in class X509ExtendedTrustManager
 Throws: CertificateException
- checkServerTrusted
 public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
 Specified by: checkServerTrusted in class X509ExtendedTrustManager
 Throws: CertificateException
- checkClientTrusted
 public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
 Specified by: checkClientTrusted in class X509ExtendedTrustManager
 Throws: CertificateException
- checkServerTrusted
 public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
 Specified by: checkServerTrusted in class X509ExtendedTrustManager
 Throws: CertificateException
- checkClientTrusted
 public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
 Throws: CertificateException
- checkServerTrusted
 public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
 Throws: CertificateException
- getAcceptedIssuers
 public X509Certificate[] getAcceptedIssuers()