Package org.keycloak.utils
Class OCSPProvider
java.lang.Object
  org.keycloak.utils.OCSPProvider

public abstract class OCSPProvider extends Object
- Since: 10/29/2016
- Version: $Revision: 1 $
- Author: Peter Nalyvayko

Nested Class Summary
Nested Classes (Modifier and Type, Class, Description):
- static interface OCSPProvider.OCSPRevocationStatus
- static class OCSPProvider.RevocationStatus

Field Summary
Fields (Modifier and Type, Field, Description):
- protected static int OCSP_CONNECT_TIMEOUT
- protected static int TIME_SKEW

Constructor Summary
Constructors (Constructor, Description):
- OCSPProvider()

Method Summary
Methods (Modifier and Type, Method, Description):
- OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate)
  Requests certificate revocation status using OCSP.
- OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, URI responderURI, X509Certificate responderCert, Date date)
  Requests certificate revocation status using OCSP.
- OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, Date date, X509Certificate responderCert)
  Requests certificate revocation status using OCSP.
- protected abstract OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, List<URI> responderURIs, X509Certificate responderCert, Date date)
  Requests certificate revocation status using OCSP.
- protected byte[] getEncodedOCSPResponse(KeycloakSession session, byte[] encodedOCSPReq, URI responderUri)
- protected abstract List<String> getResponderURIs(X509Certificate cert)
  Extracts OCSP responder URI from X509 AIA v3 extension, if available.
- protected static OCSPProvider.OCSPRevocationStatus unknownStatus()

Field Detail

OCSP_CONNECT_TIMEOUT
protected static int OCSP_CONNECT_TIMEOUT

TIME_SKEW
protected static final int TIME_SKEW
- See Also: Constant Field Values

Method Detail

check
public OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, URI responderURI, X509Certificate responderCert, Date date) throws CertPathValidatorException
Requests certificate revocation status using OCSP.
- Parameters:
  session - Keycloak session
  cert - the certificate to be checked
  issuerCertificate - The issuer certificate
  responderURI - an address of OCSP responder. Overrides any OCSP responder URIs stored in certificate's AIA extension
  date -
  responderCert - a certificate that OCSP responder uses to sign OCSP responses
- Returns: revocation status
- Throws: CertPathValidatorException

check
public OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, Date date, X509Certificate responderCert) throws CertPathValidatorException
Requests certificate revocation status using OCSP. The OCSP responder URI is obtained from the certificate's AIA extension.
- Parameters:
  session - Keycloak session
  cert - the certificate to be checked
  issuerCertificate - The issuer certificate
  date -
- Returns: revocation status
- Throws: CertPathValidatorException

getEncodedOCSPResponse
protected byte[] getEncodedOCSPResponse(KeycloakSession session, byte[] encodedOCSPReq, URI responderUri) throws IOException
- Throws: IOException

check
public OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate) throws CertPathValidatorException
Requests certificate revocation status using OCSP. The OCSP responder URI is obtained from the certificate's AIA extension.
- Parameters:
  session - Keycloak session
  cert - the certificate to be checked
  issuerCertificate - The issuer certificate
- Returns: revocation status
- Throws: CertPathValidatorException

check
protected abstract OCSPProvider.OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, List<URI> responderURIs, X509Certificate responderCert, Date date) throws CertPathValidatorException
Requests certificate revocation status using OCSP.
- Parameters:
  session - Keycloak session
  cert - the certificate to be checked
  issuerCertificate - the issuer certificate
  responderURIs - the OCSP responder URIs
  responderCert - the OCSP responder certificate
  date - if null, the current time is used.
- Returns: a revocation status
- Throws: CertPathValidatorException

unknownStatus
protected static OCSPProvider.OCSPRevocationStatus unknownStatus()
getResponderURIs
protected abstract List<String> getResponderURIs(X509Certificate cert) throws CertificateEncodingException
Extracts OCSP responder URI from X509 AIA v3 extension, if available. There can be multiple responder URIs encoded in the certificate.
- Parameters:
  cert -
- Returns: a list of available responder URIs.
- Throws: CertificateEncodingException
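
To illustrate what getResponderURIs is documented to return, the following added example (not Keycloak's implementation, which this page does not show) walks the DER-encoded Authority Information Access value with only the JDK, keeps the id-ad-ocsp entries and skips other access methods such as caIssuers. The class name AiaOcspUris, its helpers and the example.test URIs are assumptions; the AIA bytes built in main are constructed, and only definite-length DER with at most two length bytes is handled.

```java
import static java.nio.charset.StandardCharsets.US_ASCII;
import java.io.ByteArrayOutputStream;
import java.util.*;

public class AiaOcspUris {   // added example with a hypothetical class name, not Keycloak code
    static final byte[] AD_OCSP = {0x2B, 6, 1, 5, 5, 7, 0x30, 1};       // id-ad-ocsp 1.3.6.1.5.5.7.48.1
    static final byte[] AD_CA_ISSUERS = {0x2B, 6, 1, 5, 5, 7, 0x30, 2}; // id-ad-caIssuers (sample only)
    private byte[] der; private int pos, tag;

    // Reads one TLV header inside [pos, limit), checks the tag (-1 = any), returns the content end.
    private int next(int limit, int want) {
        if (limit - pos < 2) throw new IllegalArgumentException("truncated DER at offset " + pos);
        tag = der[pos++] & 0xFF;
        int len = der[pos++] & 0xFF;
        if (len > 0x7F) {                          // long form: low 7 bits count the length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 2 || limit - pos < n) throw new IllegalArgumentException("bad DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (der[pos++] & 0xFF);
        }
        if (len > limit - pos || (want >= 0 && tag != want)) throw new IllegalArgumentException("malformed AIA");
        return pos + len;
    }

    // extValue is what cert.getExtensionValue("1.3.6.1.5.5.7.1.1") returns; null means no AIA.
    static List<String> ocspUris(byte[] extValue) {
        List<String> uris = new ArrayList<>();
        if (extValue == null) return uris;
        AiaOcspUris p = new AiaOcspUris(); p.der = extValue;
        int seq = p.next(p.next(extValue.length, 0x04), 0x30);  // OCTET STRING wrapping the SEQUENCE
        while (p.pos < seq) {
            int ad = p.next(seq, 0x30);                         // AccessDescription
            int oidEnd = p.next(ad, 0x06);                      // accessMethod OID
            boolean ocsp = Arrays.equals(Arrays.copyOfRange(p.der, p.pos, oidEnd), AD_OCSP);
            p.pos = oidEnd;
            int uriEnd = p.next(ad, -1);                        // accessLocation; 0x86 = [6] URI
            if (ocsp && p.tag == 0x86) uris.add(new String(p.der, p.pos, uriEnd - p.pos, US_ASCII));
            p.pos = ad;                                         // skip to the next entry
        }
        return uris;
    }
    static byte[] tlv(int tag, byte[]... parts) {               // sample builder, content under 128 bytes
        ByteArrayOutputStream body = new ByteArrayOutputStream(), out = new ByteArrayOutputStream();
        for (byte[] part : parts) body.writeBytes(part);
        out.write(tag); out.write(body.size()); out.writeBytes(body.toByteArray());
        return out.toByteArray();
    }
    public static void main(String[] args) {                    // constructed AIA value, not a real cert
        byte[] ca = tlv(0x30, tlv(0x06, AD_CA_ISSUERS), tlv(0x86, "http://ca.example.test/ca.crt".getBytes(US_ASCII)));
        byte[] ocsp = tlv(0x30, tlv(0x06, AD_OCSP), tlv(0x86, "http://ocsp.example.test".getBytes(US_ASCII)));
        System.out.println(ocspUris(tlv(0x04, tlv(0x30, ca, ocsp))));
    }
}
```

These URIs come from the certificate being checked, so a caller that validates certificates from unknown parties should contact them only once the certificate chains to a trusted issuer, or supply a fixed responder through the check overload that takes responderURI.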