org.opends.server.util
Class ExpirationCheckTrustManager

java.lang.Object
  extended by org.opends.server.util.ExpirationCheckTrustManager
All Implemented Interfaces:
javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager

@PublicAPI(stability=UNCOMMITTED,
           mayInstantiate=true,
           mayExtend=false,
           mayInvoke=true)
public final class ExpirationCheckTrustManager
extends java.lang.Object
implements javax.net.ssl.X509TrustManager

This class implements an X.509 trust manager that will be used to wrap an existing trust manager and makes it possible to reject a presented certificate if that certificate is outside the validity window.


Constructor Summary
ExpirationCheckTrustManager(javax.net.ssl.X509TrustManager trustManager)
          Creates a new instance of this trust manager that will wrap the provided trust manager.
 
Method Summary
 void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
          Determines whether to trust the peer based on the provided certificate chain.
 void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
          Determines whether to trust the peer based on the provided certificate chain.
 java.security.cert.X509Certificate[] getAcceptedIssuers()
          Retrieves the set of CA certificates which are trusted for authenticating peers.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ExpirationCheckTrustManager

public ExpirationCheckTrustManager(javax.net.ssl.X509TrustManager trustManager)
Creates a new instance of this trust manager that will wrap the provided trust manager.

Parameters:
trustManager - The trust manager to be wrapped by this trust manager.
Method Detail

checkClientTrusted

public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
                        throws java.security.cert.CertificateException
Determines whether to trust the peer based on the provided certificate chain. In this case, the peer will only be trusted if all certificates in the chain are within the validity window and the parent trust manager also accepts the certificate.

Specified by:
checkClientTrusted in interface javax.net.ssl.X509TrustManager
Parameters:
chain - The peer certificate chain.
authType - The authentication type based on the client certificate.
Throws:
java.security.cert.CertificateException - If the client certificate chain is not trusted.

checkServerTrusted

public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
                        throws java.security.cert.CertificateException
Determines whether to trust the peer based on the provided certificate chain. In this case, the peer will only be trusted if all certificates in the chain are within the validity window and the parent trust manager also accepts the certificate.

Specified by:
checkServerTrusted in interface javax.net.ssl.X509TrustManager
Parameters:
chain - The peer certificate chain.
authType - The key exchange algorithm used.
Throws:
java.security.cert.CertificateException - If the server certificate chain is not trusted.

getAcceptedIssuers

public java.security.cert.X509Certificate[] getAcceptedIssuers()
Retrieves the set of CA certificates which are trusted for authenticating peers. This will be taken from the parent trust manager.

Specified by:
getAcceptedIssuers in interface javax.net.ssl.X509TrustManager
Returns:
A non-null (possibly empty) array of acceptable CA issuer certificates.
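The following is an added usage example, not part of the OpenDS Javadoc or code base. It shows how a caller would wrap the JVM's default trust manager in an ExpirationCheckTrustManager and install the result in an SSLContext, and it spells out the check the wrapper performs: java.security.cert.X509Certificate.checkValidity() throws CertificateExpiredException or CertificateNotYetValidException (both subclasses of CertificateException) when the current time is outside the certificate's notBefore/notAfter window. The class name ExpirationCheckExample and the helper names are assumptions; the example assumes the OpenDS classes are on the classpath and that the default cacerts trust store is the parent trust manager to be wrapped.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.opends.server.util.ExpirationCheckTrustManager;

/**
 * Illustrative wiring of ExpirationCheckTrustManager (example code, not OpenDS code).
 * Assumes the OpenDS classes are on the classpath and that the JVM's default
 * trust store is the "parent" trust manager that gets wrapped.
 */
public final class ExpirationCheckExample {

  /** Locates the X509TrustManager that the default JSSE provider builds from the default trust store. */
  static X509TrustManager defaultTrustManager() throws Exception {
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null); // a null KeyStore selects the JVM default trust store (cacerts)
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        return (X509TrustManager) tm;
      }
    }
    throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
  }

  /** Wraps the parent so that every presented chain is also checked against its validity window. */
  static SSLContext buildContext() throws Exception {
    X509TrustManager parent = defaultTrustManager();
    X509TrustManager checked = new ExpirationCheckTrustManager(parent);

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] { checked }, null); // no client key material, default SecureRandom
    return ctx;
  }

  /**
   * The per-certificate test the wrapper applies, written out for reference.
   * checkValidity() throws CertificateExpiredException or CertificateNotYetValidException
   * when "now" lies outside the certificate's notBefore..notAfter window.
   * Returns the certificates that fail, so a caller can log which link in the chain is bad.
   */
  static List<X509Certificate> outsideValidityWindow(X509Certificate[] chain) {
    List<X509Certificate> bad = new ArrayList<>();
    for (X509Certificate cert : chain) {
      try {
        cert.checkValidity();
      } catch (CertificateException e) {
        bad.add(cert);
      }
    }
    return bad;
  }

  public static void main(String[] args) throws Exception {
    X509TrustManager checked = new ExpirationCheckTrustManager(defaultTrustManager());

    // getAcceptedIssuers() is delegated to the parent, so wrapping does not change the CA set.
    X509Certificate[] issuers = checked.getAcceptedIssuers();
    System.out.println("trusted issuers reported by parent: " + issuers.length);

    // Report any trust anchor that is itself outside its validity window.
    for (X509Certificate ca : outsideValidityWindow(issuers)) {
      System.out.println("trust anchor outside validity window: "
          + ca.getSubjectX500Principal() + " notAfter=" + ca.getNotAfter());
    }

    SSLContext ctx = buildContext();
    System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
  }
}
```

Once the context is built, sockets created from ctx.getSocketFactory() route every server chain through checkServerTrusted of the wrapper, which rejects the connection with a CertificateException when any certificate in the chain is expired or not yet valid, before consulting the parent. The wrapper is most useful around a custom or permissive parent trust manager; the JDK's standard PKIX trust manager already rejects out-of-window certificates during path validation, so in that case the wrapper is an additional, explicit layer rather than the only check.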