OcspCertificateValidator (nifi-web-security 0.0.1-incubating API)

java.lang.Object
- org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator

public class OcspCertificateValidator
extends Object

Field Summary

Fields
Modifier and Type	Field and Description
`private com.sun.jersey.api.client.Client`	`client`
`private static int`	`CONNECT_TIMEOUT`
`private static String`	`CONTENT_TYPE_HEADER`
`private static String`	`HTTPS`
`private static org.slf4j.Logger`	`logger`
`private static String`	`OCSP_REQUEST_CONTENT_TYPE`
`private com.google.common.cache.LoadingCache<OcspRequest,OcspStatus>`	`ocspCache`
`private static int`	`READ_TIMEOUT`
`private Map<String,X509Certificate>`	`trustedCAs`
`private URI`	`validationAuthorityURI`

Constructor Summary

Constructors
Constructor and Description

OcspCertificateValidator(NiFiProperties properties)

Constructors
Constructor and Description
`OcspCertificateValidator(NiFiProperties properties)`

Method Summary

Methods
Modifier and Type	Method and Description
`private X509Certificate`	`getIssuerCertificate(X509Certificate[] certificates)` Gets the issuer certificate.
`private X509Certificate`	`getOcspCertificate(NiFiProperties properties)` Loads the ocsp certificate if specified.
`private OcspStatus`	`getOcspStatus(OcspRequest ocspStatusKey)` Gets the OCSP status for the specified subject and issuer certificates.
`private X509Certificate`	`getSubjectCertificate(X509Certificate[] certificates)` Gets the subject certificate.
`private Map<String,X509Certificate>`	`getTrustedCAs(NiFiProperties properties)` Loads the trusted certificate authorities according to the specified properties.
`private X509Certificate`	`getTrustedResponderCertificate(X509Certificate responderCertificate, X509Certificate issuerCertificate)` Gets the trusted responder certificate.
`void`	`validate(javax.servlet.http.HttpServletRequest request)` Validates the specified certificate using OCSP if configured.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - logger
```
private static final org.slf4j.Logger logger
```
  - HTTPS
```
private static final String HTTPS
```
    See Also:
    Constant Field Values
  - CONTENT_TYPE_HEADER
```
private static final String CONTENT_TYPE_HEADER
```
    See Also:
    Constant Field Values
  - OCSP_REQUEST_CONTENT_TYPE
```
private static final String OCSP_REQUEST_CONTENT_TYPE
```
    See Also:
    Constant Field Values
  - CONNECT_TIMEOUT
```
private static final int CONNECT_TIMEOUT
```
    See Also:
    Constant Field Values
  - READ_TIMEOUT
```
private static final int READ_TIMEOUT
```
    See Also:
    Constant Field Values
  - validationAuthorityURI
```
private URI validationAuthorityURI
```
  - client
```
private com.sun.jersey.api.client.Client client
```
  - trustedCAs
```
private Map<String,X509Certificate> trustedCAs
```
  - ocspCache
```
private com.google.common.cache.LoadingCache<OcspRequest,OcspStatus> ocspCache
```
- Constructor Detail
  - OcspCertificateValidator
```
public OcspCertificateValidator(NiFiProperties properties)
```
- Method Detail
  - getOcspCertificate
```
private X509Certificate getOcspCertificate(NiFiProperties properties)
```
    Loads the ocsp certificate if specified. Null otherwise.
    
    Parameters:
    properties -
    
    Returns:
  - getTrustedCAs
```
private Map<String,X509Certificate> getTrustedCAs(NiFiProperties properties)
```
    Loads the trusted certificate authorities according to the specified properties.
    
    Parameters:
    properties -
    
    Returns:
  - validate
```
public void validate(javax.servlet.http.HttpServletRequest request)
              throws CertificateStatusException
```
    Validates the specified certificate using OCSP if configured.
    
    Parameters:
    request -
    
    Throws:
    
    CertificateStatusException
  - getSubjectCertificate
```
private X509Certificate getSubjectCertificate(X509Certificate[] certificates)
```
    Gets the subject certificate.
    
    Parameters:
    certificates -
    
    Returns:
  - getIssuerCertificate
```
private X509Certificate getIssuerCertificate(X509Certificate[] certificates)
```
    Gets the issuer certificate.
    
    Parameters:
    certificates -
    
    Returns:
  - getOcspStatus
```
private OcspStatus getOcspStatus(OcspRequest ocspStatusKey)
```
    Gets the OCSP status for the specified subject and issuer certificates.
    
    Parameters:
    subjectCertificate -
    issuerCertificate -
    
    Returns:
  - getTrustedResponderCertificate
```
private X509Certificate getTrustedResponderCertificate(X509Certificate responderCertificate,
                                             X509Certificate issuerCertificate)
```
    Gets the trusted responder certificate. The response contains the responder certificate, however we cannot blindly trust it. Instead, we use a configured trusted CA. If the responder certificate is a trusted CA, then we can use it. If the responder certificate is not directly trusted, we still may be able to trust it if it was issued by the same CA that issued the subject certificate. Other various checks may be required (this portion is currently not implemented).
    
    Parameters:
    responderCertificate -
    issuerCertificate -
    
    Returns:

Class OcspCertificateValidator

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

logger

HTTPS

CONTENT_TYPE_HEADER

OCSP_REQUEST_CONTENT_TYPE

CONNECT_TIMEOUT

READ_TIMEOUT

validationAuthorityURI

client

trustedCAs

ocspCache

Constructor Detail

OcspCertificateValidator

Method Detail

getOcspCertificate

getTrustedCAs

validate

getSubjectCertificate

getIssuerCertificate

getOcspStatus

getTrustedResponderCertificate