Package org.keycloak.utils

Class OCSPProvider

java.lang.Object

org.keycloak.utils.OCSPProvider

public abstract class OCSPProvider
extends Object

Since:

10/29/2016

Version:

$Revision: 1 $

Author:

Peter Nalyvayko

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	OCSPProvider.OCSPRevocationStatus
static enum	OCSPProvider.RevocationStatus

Field Summary

Fields

Modifier and Type	Field	Description
protected static int	OCSP_CONNECT_TIMEOUT
protected static final int	TIME_SKEW

Constructor Summary

Constructors

Constructor	Description
OCSPProvider()

Method Summary

Modifier and Type	Method	Description
OCSPProvider.OCSPRevocationStatus	check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate)	Requests certificate revocation status using OCSP.
OCSPProvider.OCSPRevocationStatus	check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, URI responderURI, X509Certificate responderCert, Date date)	Requests certificate revocation status using OCSP.
OCSPProvider.OCSPRevocationStatus	check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, Date date, X509Certificate responderCert)	Requests certificate revocation status using OCSP.
protected abstract OCSPProvider.OCSPRevocationStatus	check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, List<URI> responderURIs, X509Certificate responderCert, Date date)	Requests certificate revocation status using OCSP.
protected byte[]	getEncodedOCSPResponse(KeycloakSession session, byte[] encodedOCSPReq, URI responderUri)
protected abstract List<String>	getResponderURIs(X509Certificate cert)	Extracts OCSP responder URI from X509 AIA v3 extension, if available.
protected static OCSPProvider.OCSPRevocationStatus	unknownStatus()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

OCSP_CONNECT_TIMEOUT

protected static int OCSP_CONNECT_TIMEOUT

TIME_SKEW

protected static final int TIME_SKEW

See Also:

• Constant Field Values

Constructor Details

OCSPProvider

public OCSPProvider()

Method Details

check

public OCSPProvider.OCSPRevocationStatus check(KeycloakSession session,
 X509Certificate cert,
 X509Certificate issuerCertificate,
 URI responderURI,
 X509Certificate responderCert,
 Date date)
                                        throws CertPathValidatorException

Requests certificate revocation status using OCSP.

Parameters:

session - Keycloak session

cert - the certificate to be checked

issuerCertificate - The issuer certificate

responderURI - an address of OCSP responder. Overrides any OCSP responder URIs stored in certificate's AIA extension

date -

responderCert - a certificate that OCSP responder uses to sign OCSP responses

Returns:

revocation status

Throws:

CertPathValidatorException

check

public OCSPProvider.OCSPRevocationStatus check(KeycloakSession session,
 X509Certificate cert,
 X509Certificate issuerCertificate,
 Date date,
 X509Certificate responderCert)
                                        throws CertPathValidatorException

Requests certificate revocation status using OCSP. The OCSP responder URI is obtained from the certificate's AIA extension.

Parameters:

session - Keycloak session

cert - the certificate to be checked

issuerCertificate - The issuer certificate

date -

Returns:

revocation status

Throws:

CertPathValidatorException

getEncodedOCSPResponse

protected byte[] getEncodedOCSPResponse(KeycloakSession session,
 byte[] encodedOCSPReq,
 URI responderUri)
                                 throws IOException

Throws:

IOException

check

public OCSPProvider.OCSPRevocationStatus check(KeycloakSession session,
 X509Certificate cert,
 X509Certificate issuerCertificate)
                                        throws CertPathValidatorException

Requests certificate revocation status using OCSP. The OCSP responder URI is obtained from the certificate's AIA extension.

Parameters:

session - Keycloak session

cert - the certificate to be checked

issuerCertificate - The issuer certificate

Returns:

revocation status

Throws:

CertPathValidatorException

check

protected abstract OCSPProvider.OCSPRevocationStatus check(KeycloakSession session,
 X509Certificate cert,
 X509Certificate issuerCertificate,
 List<URI> responderURIs,
 X509Certificate responderCert,
 Date date)
                                                    throws CertPathValidatorException

Requests certificate revocation status using OCSP.

Parameters:

session - Keycloak session

cert - the certificate to be checked

issuerCertificate - the issuer certificate

responderURIs - the OCSP responder URIs

responderCert - the OCSP responder certificate

date - if null, the current time is used.

Returns:

a revocation status

Throws:

CertPathValidatorException

unknownStatus

protected static OCSPProvider.OCSPRevocationStatus unknownStatus()

getResponderURIs

protected abstract List<String> getResponderURIs(X509Certificate cert)
                                          throws CertificateEncodingException

Extracts OCSP responder URI from X509 AIA v3 extension, if available. There can be multiple responder URIs encoded in the certificate.

Parameters:

cert -

Returns:

a list of available responder URIs.

Throws:

CertificateEncodingException