org.apache.nifi.web.security.x509.ocsp

Class OcspCertificateValidator

java.lang.Object

org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator

public class OcspCertificateValidator
extends Object

Field Summary

Fields

Modifier and Type	Field and Description
private javax.ws.rs.client.Client	client
private static int	CONNECT_TIMEOUT
private static String	HTTPS
private static org.slf4j.Logger	logger
private static String	OCSP_REQUEST_CONTENT_TYPE
private com.github.benmanes.caffeine.cache.LoadingCache<OcspRequest,OcspStatus>	ocspCache
private static int	READ_TIMEOUT
private Map<String,X509Certificate>	trustedCAs
private URI	validationAuthorityURI

Constructor Summary

Constructors

Constructor and Description
OcspCertificateValidator(NiFiProperties properties)

Method Summary

Modifier and Type	Method and Description
private javax.ws.rs.core.Response	getClientResponse(org.bouncycastle.cert.ocsp.OCSPReq ocspRequest)
private X509Certificate	getIssuerCertificate(X509Certificate[] certificates) Gets the issuer certificate.
private X509Certificate	getOcspCertificate(NiFiProperties properties) Loads the ocsp certificate if specified.
private OcspStatus	getOcspStatus(OcspRequest ocspStatusKey) Gets the OCSP status for the specified subject and issuer certificates.
private X509Certificate	getSubjectCertificate(X509Certificate[] certificates) Gets the subject certificate.
private Map<String,X509Certificate>	getTrustedCAs(NiFiProperties properties) Loads the trusted certificate authorities according to the specified properties.
private X509Certificate	getTrustedResponderCertificate(org.bouncycastle.cert.X509CertificateHolder responderCertificateHolder, X509Certificate issuerCertificate) Gets the trusted responder certificate.
void	validate(X509Certificate[] certificates) Validates the specified certificate using OCSP if configured.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

HTTPS

private static final String HTTPS

See Also:

Constant Field Values

OCSP_REQUEST_CONTENT_TYPE

private static final String OCSP_REQUEST_CONTENT_TYPE

See Also:

Constant Field Values

CONNECT_TIMEOUT

private static final int CONNECT_TIMEOUT

See Also:

Constant Field Values

READ_TIMEOUT

private static final int READ_TIMEOUT

See Also:

Constant Field Values

validationAuthorityURI

private URI validationAuthorityURI

client

private javax.ws.rs.client.Client client

trustedCAs

private Map<String,X509Certificate> trustedCAs

ocspCache

private com.github.benmanes.caffeine.cache.LoadingCache<OcspRequest,OcspStatus> ocspCache

Constructor Detail

OcspCertificateValidator

public OcspCertificateValidator(NiFiProperties properties)

Method Detail

getOcspCertificate

private X509Certificate getOcspCertificate(NiFiProperties properties)

Loads the ocsp certificate if specified. Null otherwise.

Parameters:

properties - nifi properties

Returns:

certificate

getTrustedCAs

private Map<String,X509Certificate> getTrustedCAs(NiFiProperties properties)

Loads the trusted certificate authorities according to the specified properties.

Parameters:

properties - properties

Returns:

map of certificate authorities

validate

public void validate(X509Certificate[] certificates)
              throws CertificateStatusException

Validates the specified certificate using OCSP if configured.

Parameters:

certificates - the client certificates

Throws:

CertificateStatusException - ex

getSubjectCertificate

private X509Certificate getSubjectCertificate(X509Certificate[] certificates)

Gets the subject certificate.

Parameters:

certificates - certs

Returns:

subject cert

getIssuerCertificate

private X509Certificate getIssuerCertificate(X509Certificate[] certificates)

Gets the issuer certificate.

Parameters:

certificates - certs

Returns:

issuer cert

getOcspStatus

private OcspStatus getOcspStatus(OcspRequest ocspStatusKey)

Gets the OCSP status for the specified subject and issuer certificates.

Parameters:

ocspStatusKey - status key

Returns:

ocsp status

getClientResponse

private javax.ws.rs.core.Response getClientResponse(org.bouncycastle.cert.ocsp.OCSPReq ocspRequest)
                                             throws IOException

Throws:

IOException

getTrustedResponderCertificate

private X509Certificate getTrustedResponderCertificate(org.bouncycastle.cert.X509CertificateHolder responderCertificateHolder,
                                                       X509Certificate issuerCertificate)
                                                throws CertificateException

Gets the trusted responder certificate. The response contains the responder certificate, however we cannot blindly trust it. Instead, we use a configured trusted CA. If the responder certificate is a trusted CA, then we can use it. If the responder certificate is not directly trusted, we still may be able to trust it if it was issued by the same CA that issued the subject certificate. Other various checks may be required (this portion is currently not implemented).

Parameters:

responderCertificateHolder - cert

issuerCertificate - cert

Returns:

cert

Throws:

CertificateException