Class TopologyRegistryTrustManager

  • All Implemented Interfaces:
    java.io.Serializable, javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager

    @ThreadSafety(level=COMPLETELY_THREADSAFE)
    public final class TopologyRegistryTrustManager
    extends java.lang.Object
    implements javax.net.ssl.X509TrustManager, java.io.Serializable
    This class provides an implementation of an X.509 trust manager that can be used to trust certificates listed in the topology registry of a Ping Identity Directory Server instance. It will read the topology registry from the server's configuration file rather than communicating with it over LDAP, so it is only available for use when run from LDAP tools provided with the Ping Identity Directory Server.
    NOTE: This class, and other classes within the com.unboundid.ldap.sdk.unboundidds package structure, are only supported for use against Ping Identity, UnboundID, and Nokia/Alcatel-Lucent 8661 server products. These classes provide support for proprietary functionality or for external specifications that are not considered stable or mature enough to be guaranteed to work in an interoperable way with other types of LDAP servers.
    See Also:
    Serialized Form
    • Method Summary

      Modifier and Type Method Description
      void checkClientTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType)
      Checks to determine whether the provided client certificate chain should be trusted.
      void checkServerTrusted​(java.security.cert.X509Certificate[] chain, java.lang.String authType)
      Checks to determine whether the provided server certificate chain should be trusted.
      java.security.cert.X509Certificate[] getAcceptedIssuers()
      Retrieves the accepted issuer certificates for this trust manager.
      long getCacheDurationMillis()
      Retrieves the maximum length of time in milliseconds that cached topology registry information should be considered valid.
      java.io.File getConfigurationFile()
      Retrieves the server configuration file from which the topology registry certificates will be read.
      boolean ignoreIssuerCertificateValidityWindow()
      Indicates whether to ignore the validity window for issuer certificates when determining whether to trust a certificate chain.
      boolean ignorePeerCertificateValidityWindow()
      Indicates whether to ignore the validity window for the peer certificate when determining whether to trust a certificate chain.
      boolean requirePeerCertificateInTopologyRegistry()
      Indicates whether to require the peer certificate itself to be included in the topology registry for a certificate chain to be trusted.
      java.lang.String toString()
      Retrieves a string representation of this topology registry trust manager instance.
      void toString​(java.lang.StringBuilder buffer)
      Appends a string representation of this topology registry trust manager instance to the given buffer.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
    • Constructor Detail

      • TopologyRegistryTrustManager

        public TopologyRegistryTrustManager​(@NotNull
                                            java.io.File configurationFile,
                                            long cacheDurationMillis)
        Creates a new instance of this trust manager with the provided settings.
        Parameters:
        configurationFile - The configuration file for the Ping Identity Directory Server instance that holds the topology registry data. It must not be null.
        cacheDurationMillis - The maximum length of time in milliseconds that previously loaded certificates may be cached. If this is less than or equal to zero, then certificates will not be cached.
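As an added example (not code from the page or from the UnboundID LDAP SDK itself), the following shows how this trust manager is typically wired into an LDAP connection: the instance is built from the server's configuration file with a five-minute cache, checked for successful initialization, and then used as the only trust manager for an SSLUtil so that no fallback to the JVM's default trust store occurs. The configuration file path, host name, and port are assumptions; as the class description notes, the file must be readable locally, so this is expected to run on the server host alongside the Ping Identity Directory Server tools.

```java
import java.io.File;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.RootDSE;
import com.unboundid.ldap.sdk.unboundidds.TopologyRegistryTrustManager;
import com.unboundid.util.ssl.SSLUtil;

public class TopologyRegistryTlsExample
{
  // Hypothetical values; substitute the real config file and server address.
  private static final File CONFIG_FILE =
       new File("/opt/ds/config/config.ldif");
  private static final String HOST = "ds1.example.com";
  private static final int PORT = 636;

  // Keep the parsed topology registry for five minutes so repeated
  // connections do not re-read the configuration file every time.
  // A value <= 0 would disable caching entirely.
  private static final long CACHE_MILLIS = 300_000L;

  public static void main(final String[] args) throws Exception
  {
    final TopologyRegistryTrustManager trustManager =
         new TopologyRegistryTrustManager(CONFIG_FILE, CACHE_MILLIS);

    // getAcceptedIssuers() returns an empty array if the registry could not
    // be loaded.  Fail closed here instead of attempting a connection that
    // checkServerTrusted can only reject.
    final X509Certificate[] registryCerts = trustManager.getAcceptedIssuers();
    if (registryCerts.length == 0)
    {
      throw new IllegalStateException(
           "No certificates loaded from the topology registry in " +
                CONFIG_FILE);
    }
    for (final X509Certificate cert : registryCerts)
    {
      System.out.println("Registry certificate: " +
           cert.getSubjectX500Principal());
    }

    // Hand SSLUtil only this trust manager.  A server presenting a chain
    // that is not in the registry (even one signed by a public CA) is
    // rejected, which is the intended behaviour for intra-topology TLS.
    final SSLUtil sslUtil = new SSLUtil(trustManager);
    final SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();

    try (LDAPConnection conn = new LDAPConnection(socketFactory, HOST, PORT))
    {
      final RootDSE rootDSE = conn.getRootDSE();
      System.out.println("TLS connection established; vendor: " +
           ((rootDSE == null) ? "unknown" : rootDSE.getVendorName()));
    }
    catch (final LDAPException e)
    {
      // A CertificateException thrown by checkServerTrusted during the
      // handshake surfaces here as an LDAPException.
      System.err.println("TLS connection rejected: " + e.getMessage());
      throw e;
    }
  }
}
```

Because the trust decision is made purely from the registry, the instance's requirePeerCertificateInTopologyRegistry(), ignorePeerCertificateValidityWindow() and ignoreIssuerCertificateValidityWindow() values determine how strict the match is; a practitioner should log toString() once at startup so the effective settings are visible in the tool's output.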
    • Method Detail

      • getConfigurationFile

        @NotNull
        public java.io.File getConfigurationFile()
        Retrieves the server configuration file from which the topology registry certificates will be read.
        Returns:
        The server configuration file from which the topology registry certificates will be read.
      • getCacheDurationMillis

        public long getCacheDurationMillis()
        Retrieves the maximum length of time in milliseconds that cached topology registry information should be considered valid.
        Returns:
        The maximum length of time in milliseconds that cached topology registry information should be considered valid, or zero if topology registry information should not be cached.
      • requirePeerCertificateInTopologyRegistry

        public boolean requirePeerCertificateInTopologyRegistry()
        Indicates whether to require the peer certificate itself to be included in the topology registry for a certificate chain to be trusted.
        Returns:
        true if a certificate chain may only be trusted if the topology registry includes the peer certificate itself, or false if a certificate chain may be trusted if the topology registry contains the peer certificate or any of its issuers.
      • ignorePeerCertificateValidityWindow

        public boolean ignorePeerCertificateValidityWindow()
        Indicates whether to ignore the validity window for the peer certificate when determining whether to trust a certificate chain.
        Returns:
        true if a certificate chain may be considered trusted even if the current time is outside the peer certificate's validity window, or false if a certificate chain may only be considered trusted if the current time is between the notBefore and notAfter timestamps for the peer certificate.
      • ignoreIssuerCertificateValidityWindow

        public boolean ignoreIssuerCertificateValidityWindow()
        Indicates whether to ignore the validity window for issuer certificates when determining whether to trust a certificate chain.
        Returns:
true if a certificate chain may be considered trusted even if the current time is outside any issuer certificate's validity window, or false if a certificate chain may only be considered trusted if the current time is between the notBefore and notAfter timestamps for all issuer certificates.
      • checkClientTrusted

        public void checkClientTrusted​(@NotNull
                                       java.security.cert.X509Certificate[] chain,
                                       @NotNull
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Checks to determine whether the provided client certificate chain should be trusted.
        Specified by:
        checkClientTrusted in interface javax.net.ssl.X509TrustManager
        Parameters:
        chain - The client certificate chain for which to make the determination.
        authType - The authentication type based on the client certificate.
        Throws:
        java.security.cert.CertificateException - If the provided client certificate chain should not be trusted.
      • checkServerTrusted

        public void checkServerTrusted​(@NotNull
                                       java.security.cert.X509Certificate[] chain,
                                       @NotNull
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Checks to determine whether the provided server certificate chain should be trusted.
        Specified by:
        checkServerTrusted in interface javax.net.ssl.X509TrustManager
        Parameters:
        chain - The server certificate chain for which to make the determination.
        authType - The key exchange algorithm used.
        Throws:
        java.security.cert.CertificateException - If the provided server certificate chain should not be trusted.
      • getAcceptedIssuers

        @NotNull
        public java.security.cert.X509Certificate[] getAcceptedIssuers()
        Retrieves the accepted issuer certificates for this trust manager.
        Specified by:
        getAcceptedIssuers in interface javax.net.ssl.X509TrustManager
        Returns:
The accepted issuer certificates for this trust manager, or an empty array if a problem was encountered while initializing this trust manager (for example, if the configuration file could not be read).
      • toString

        @NotNull
        public java.lang.String toString()
        Retrieves a string representation of this topology registry trust manager instance.
        Overrides:
        toString in class java.lang.Object
        Returns:
        A string representation of this topology registry trust manager instance.
      • toString

        public void toString​(@NotNull
                             java.lang.StringBuilder buffer)
        Appends a string representation of this topology registry trust manager instance to the given buffer.
        Parameters:
        buffer - The buffer to which the string representation should be appended.