Package io.netty.handler.ssl.ocsp

Class OcspServerCertificateValidator

java.lang.Object

io.netty.channel.ChannelHandlerAdapter

io.netty.channel.ChannelInboundHandlerAdapter

io.netty.handler.ssl.ocsp.OcspServerCertificateValidator

All Implemented Interfaces:

ChannelHandler, ChannelInboundHandler

public class OcspServerCertificateValidator
extends ChannelInboundHandlerAdapter

OcspServerCertificateValidator validates incoming server's certificate using OCSP. Once TLS handshake is completed, SslHandshakeCompletionEvent.SUCCESS is fired, validator will perform certificate validation using OCSP over HTTP/1.1 with the server's certificate issuer OCSP responder.

Nested Class Summary

Nested classes/interfaces inherited from interface io.netty.channel.ChannelHandler

ChannelHandler.Sharable

Field Summary

Fields

Modifier and Type	Field	Description
static AttributeKey<java.lang.Boolean>	OCSP_PIPELINE_ATTRIBUTE	An attribute used to mark all channels created by the OcspServerCertificateValidator.

Constructor Summary

Constructors

Constructor	Description
OcspServerCertificateValidator()	Create a new OcspServerCertificateValidator instance without nonce validation on OCSP response, using default IoTransport.DEFAULT instance, default DnsNameResolver implementation and with closeAndThrowIfNotValid set to true
OcspServerCertificateValidator(boolean validateNonce)	Create a new OcspServerCertificateValidator instance with default IoTransport.DEFAULT instance and default DnsNameResolver implementation and closeAndThrowIfNotValid set to true.
OcspServerCertificateValidator(boolean closeAndThrowIfNotValid, boolean validateNonce, IoTransport ioTransport, DnsNameResolver dnsNameResolver)	Create a new IoTransport instance
OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport)	Create a new OcspServerCertificateValidator instance
OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport, DnsNameResolver dnsNameResolver)	Create a new IoTransport instance with closeAndThrowIfNotValid set to true

Method Summary

Modifier and Type	Method	Description
protected static DnsNameResolver	createDefaultResolver(IoTransport ioTransport)
void	exceptionCaught(ChannelHandlerContext ctx, java.lang.Throwable cause)	Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline.
void	userEventTriggered(ChannelHandlerContext ctx, java.lang.Object evt)	Calls ChannelHandlerContext.fireUserEventTriggered(Object) to forward to the next ChannelInboundHandler in the ChannelPipeline.

Methods inherited from class io.netty.channel.ChannelInboundHandlerAdapter

channelActive, channelInactive, channelRead, channelReadComplete, channelRegistered, channelUnregistered, channelWritabilityChanged

Methods inherited from class io.netty.channel.ChannelHandlerAdapter

ensureNotSharable, handlerAdded, handlerRemoved, isSharable

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.netty.channel.ChannelHandler

handlerAdded, handlerRemoved

Field Detail

OCSP_PIPELINE_ATTRIBUTE

public static final AttributeKey<java.lang.Boolean> OCSP_PIPELINE_ATTRIBUTE

An attribute used to mark all channels created by the OcspServerCertificateValidator.

Constructor Detail

OcspServerCertificateValidator

public OcspServerCertificateValidator()

Create a new OcspServerCertificateValidator instance without nonce validation on OCSP response, using default IoTransport.DEFAULT instance, default DnsNameResolver implementation and with closeAndThrowIfNotValid set to true

OcspServerCertificateValidator

public OcspServerCertificateValidator(boolean validateNonce)

Create a new OcspServerCertificateValidator instance with default IoTransport.DEFAULT instance and default DnsNameResolver implementation and closeAndThrowIfNotValid set to true.

Parameters:

validateNonce - Set to true if we should force nonce validation on OCSP response else set to false

OcspServerCertificateValidator

public OcspServerCertificateValidator(boolean validateNonce,
                                      IoTransport ioTransport)

Create a new OcspServerCertificateValidator instance

Parameters:

validateNonce - Set to true if we should force nonce validation on OCSP response else set to false

ioTransport - IoTransport to use

OcspServerCertificateValidator

public OcspServerCertificateValidator(boolean validateNonce,
                                      IoTransport ioTransport,
                                      DnsNameResolver dnsNameResolver)

Create a new IoTransport instance with closeAndThrowIfNotValid set to true

Parameters:

validateNonce - Set to true if we should force nonce validation on OCSP response else set to false

ioTransport - IoTransport to use

dnsNameResolver - DnsNameResolver implementation to use

OcspServerCertificateValidator

public OcspServerCertificateValidator(boolean closeAndThrowIfNotValid,
                                      boolean validateNonce,
                                      IoTransport ioTransport,
                                      DnsNameResolver dnsNameResolver)

Create a new IoTransport instance

Parameters:

closeAndThrowIfNotValid - If set to true then we will close the channel and throw an exception when certificate is not OcspResponse.Status.VALID. If set to false then we will simply pass the OcspValidationEvent to the next handler in pipeline and let it decide what to do.

validateNonce - Set to true if we should force nonce validation on OCSP response else set to false

ioTransport - IoTransport to use

dnsNameResolver - DnsNameResolver implementation to use

Method Detail

createDefaultResolver

protected static DnsNameResolver createDefaultResolver(IoTransport ioTransport)

userEventTriggered

public void userEventTriggered(ChannelHandlerContext ctx,
                               java.lang.Object evt)
                        throws java.lang.Exception

Description copied from class: ChannelInboundHandlerAdapter

Calls ChannelHandlerContext.fireUserEventTriggered(Object) to forward to the next ChannelInboundHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

userEventTriggered in interface ChannelInboundHandler

Overrides:

userEventTriggered in class ChannelInboundHandlerAdapter

Throws:

java.lang.Exception

exceptionCaught

public void exceptionCaught(ChannelHandlerContext ctx,
                            java.lang.Throwable cause)

Description copied from class: ChannelInboundHandlerAdapter

Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.

Specified by:

exceptionCaught in interface ChannelHandler

Specified by:

exceptionCaught in interface ChannelInboundHandler

Overrides:

exceptionCaught in class ChannelInboundHandlerAdapter