Package org.forgerock.secrets
Class SecretsTrustManager
java.lang.Object
javax.net.ssl.X509ExtendedTrustManager
org.forgerock.secrets.SecretsTrustManager
All Implemented Interfaces: TrustManager, X509TrustManager
Provides an implementation of a standard Java TLS X509ExtendedTrustManager that will retrieve trusted certificates from the Secrets API. This allows trusted certificates to be managed using any backend that the Secrets API supports.
Field Summary
Fields (Modifier and Type, Field: Description)
- ENABLE_REVOCATION_CHECKING: Whether the trust manager should perform revocation checking or not.
- static final Option<EnumSet<PKIXRevocationChecker.Option>> REVOCATION_OPTIONS: The options to pass to the revocation checker, if revocation checking is enabled.
- TRUST_MANAGER_ALGORITHM: Algorithm to use for looking up the underlying X509ExtendedTrustManager.
Method Summary
Methods (Modifier and Type, Method)
- void checkClientTrusted(X509Certificate[] chain, String authType)
- void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- void checkServerTrusted(X509Certificate[] chain, String authType)
- void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
Field Details
ENABLE_REVOCATION_CHECKING
Whether the trust manager should perform revocation checking or not. Defaults to true.
TRUST_MANAGER_ALGORITHM
Algorithm to use for looking up the underlying X509ExtendedTrustManager. Defaults to PKIX.
REVOCATION_OPTIONS
The options to pass to the revocation checker, if revocation checking is enabled. Defaults to SOFT_FAIL, which means that if the revocation status of a certificate cannot be checked, the certificate is assumed not to be revoked. This is usually the only feasible option for public certificates, as public CA revocation checking is unreliable and/or misconfigured in a lot of cases.
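The three fields above correspond to standard JDK PKIX settings. The following is an added example built only on JDK classes, not ForgeRock's code; how SecretsTrustManager applies these options internally is not shown on this page, and the class name RevocationTrustManagers and the use of the JVM's cacerts file as trust anchors are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical helper class for illustration (not part of org.forgerock.secrets).
public final class RevocationTrustManagers {
    // softFail=true matches the SOFT_FAIL default described above;
    // softFail=false rejects the chain when OCSP/CRL status cannot be obtained.
    static X509ExtendedTrustManager build(KeyStore anchors, boolean softFail) throws Exception {
        PKIXRevocationChecker checker = (PKIXRevocationChecker)
                CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(softFail
                ? EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL)
                : EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, new X509CertSelector());
        params.setRevocationEnabled(true);   // revocation checking on
        params.addCertPathChecker(checker);  // with the options chosen above

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509ExtendedTrustManager");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: trust anchors come from the JVM's default cacerts (Java 9+ API).
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore anchors = KeyStore.getInstance(cacerts, (char[]) null);
        X509ExtendedTrustManager tm = build(anchors, true);
        System.out.println("Trust anchors loaded: " + tm.getAcceptedIssuers().length);
    }
}
```

With SOFT_FAIL, a revoked certificate is still accepted whenever the OCSP or CRL endpoint cannot be reached, so passing an empty option set (hard fail) is worth evaluating for private CAs whose responders you operate.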
Method Details
checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
- Specified by: checkClientTrusted in class X509ExtendedTrustManager
- Throws: CertificateException
checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
- Specified by: checkServerTrusted in class X509ExtendedTrustManager
- Throws: CertificateException
checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
- Specified by: checkClientTrusted in class X509ExtendedTrustManager
- Throws: CertificateException
checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
- Specified by: checkServerTrusted in class X509ExtendedTrustManager
- Throws: CertificateException
checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
- Throws: CertificateException
checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
- Throws: CertificateException
getAcceptedIssuers