Package io.netty.handler.ssl.ocsp
Class OcspServerCertificateValidator

java.lang.Object
    io.netty.channel.ChannelHandlerAdapter
        io.netty.channel.ChannelInboundHandlerAdapter
            io.netty.handler.ssl.ocsp.OcspServerCertificateValidator

All Implemented Interfaces:
    ChannelHandler, ChannelInboundHandler

OcspServerCertificateValidator validates the incoming server's certificate using OCSP. Once the TLS handshake has completed and SslHandshakeCompletionEvent.SUCCESS is fired, the validator performs certificate validation using OCSP over HTTP/1.1 against the OCSP responder of the server's certificate issuer.
Nested Class Summary

Nested classes/interfaces inherited from interface io.netty.channel.ChannelHandler
    ChannelHandler.Sharable
Field Summary

Fields
    Modifier and Type                   Field                       Description
    private final boolean               closeAndThrowIfNotValid
    private final DnsNameResolver       dnsNameResolver
    private final IoTransport           ioTransport
    static final AttributeKey<Boolean>  OCSP_PIPELINE_ATTRIBUTE     An attribute used to mark all channels created by the OcspServerCertificateValidator.
    private final boolean               validateNonce
Constructor Summary

Constructors
    OcspServerCertificateValidator()
        Create a new OcspServerCertificateValidator instance without nonce validation on the OCSP response, using the default IoTransport.DEFAULT instance, the default DnsNameResolver implementation and with closeAndThrowIfNotValid set to true.

    OcspServerCertificateValidator(boolean validateNonce)
        Create a new OcspServerCertificateValidator instance with the default IoTransport.DEFAULT instance, the default DnsNameResolver implementation and closeAndThrowIfNotValid set to true.

    OcspServerCertificateValidator(boolean closeAndThrowIfNotValid, boolean validateNonce, IoTransport ioTransport, DnsNameResolver dnsNameResolver)
        Create a new OcspServerCertificateValidator instance.

    OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport)
        Create a new OcspServerCertificateValidator instance.

    OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport, DnsNameResolver dnsNameResolver)
Method Summary

    Modifier and Type                 Method                                                       Description
    protected static DnsNameResolver  createDefaultResolver(IoTransport ioTransport)
    void                              exceptionCaught(ChannelHandlerContext ctx, Throwable cause)  Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline.
    void                              userEventTriggered(ChannelHandlerContext ctx, Object evt)    Calls ChannelHandlerContext.fireUserEventTriggered(Object) to forward to the next ChannelInboundHandler in the ChannelPipeline.

Methods inherited from class io.netty.channel.ChannelInboundHandlerAdapter
    channelActive, channelInactive, channelRead, channelReadComplete, channelRegistered, channelUnregistered, channelWritabilityChanged

Methods inherited from class io.netty.channel.ChannelHandlerAdapter
    ensureNotSharable, handlerAdded, handlerRemoved, isSharable

Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.netty.channel.ChannelHandler
    handlerAdded, handlerRemoved
Field Details

OCSP_PIPELINE_ATTRIBUTE
    static final AttributeKey<Boolean> OCSP_PIPELINE_ATTRIBUTE
    An attribute used to mark all channels created by the OcspServerCertificateValidator.

closeAndThrowIfNotValid
    private final boolean closeAndThrowIfNotValid

validateNonce
    private final boolean validateNonce

ioTransport
    private final IoTransport ioTransport

dnsNameResolver
    private final DnsNameResolver dnsNameResolver
Constructor Details

OcspServerCertificateValidator
    public OcspServerCertificateValidator()
    Create a new OcspServerCertificateValidator instance without nonce validation on the OCSP response, using the default IoTransport.DEFAULT instance, the default DnsNameResolver implementation and with closeAndThrowIfNotValid set to true.

OcspServerCertificateValidator
    public OcspServerCertificateValidator(boolean validateNonce)
    Create a new OcspServerCertificateValidator instance with the default IoTransport.DEFAULT instance, the default DnsNameResolver implementation and closeAndThrowIfNotValid set to true.
    Parameters:
        validateNonce - Set to true if we should force nonce validation on the OCSP response, else set to false.

OcspServerCertificateValidator
    public OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport)
    Create a new OcspServerCertificateValidator instance.
    Parameters:
        validateNonce - Set to true if we should force nonce validation on the OCSP response, else set to false.
        ioTransport - IoTransport to use

OcspServerCertificateValidator
    public OcspServerCertificateValidator(boolean validateNonce, IoTransport ioTransport, DnsNameResolver dnsNameResolver)
    Parameters:
        validateNonce - Set to true if we should force nonce validation on the OCSP response, else set to false.
        ioTransport - IoTransport to use
        dnsNameResolver - DnsNameResolver implementation to use

OcspServerCertificateValidator
    public OcspServerCertificateValidator(boolean closeAndThrowIfNotValid, boolean validateNonce, IoTransport ioTransport, DnsNameResolver dnsNameResolver)
    Create a new OcspServerCertificateValidator instance.
    Parameters:
        closeAndThrowIfNotValid - If set to true then we will close the channel and throw an exception when the certificate is not OcspResponse.Status.VALID. If set to false then we will simply pass the OcspValidationEvent to the next handler in the pipeline and let it decide what to do.
        validateNonce - Set to true if we should force nonce validation on the OCSP response, else set to false.
        ioTransport - IoTransport to use
        dnsNameResolver - DnsNameResolver implementation to use
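A client pipeline that places the validator after SslHandler, runs it with closeAndThrowIfNotValid set to false and nonce validation on, and leaves the decision on the OcspValidationEvent to the next handler, as an added example that is not part of the Netty documentation or code base. The DnsNameResolverBuilder usage, the accessors OcspValidationEvent.response() and OcspResponse.status(), and the import paths for IoTransport, OcspResponse and OcspValidationEvent are assumptions not given on this page.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioDatagramChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.ocsp.IoTransport;
import io.netty.handler.ssl.ocsp.OcspResponse;
import io.netty.handler.ssl.ocsp.OcspServerCertificateValidator;
import io.netty.handler.ssl.ocsp.OcspValidationEvent;
import io.netty.resolver.dns.DnsNameResolver;
import io.netty.resolver.dns.DnsNameResolverBuilder;

public final class OcspClientPipeline {
    private OcspClientPipeline() { }

    /** Installs SslHandler, the OCSP validator and a policy handler; call from ChannelInitializer.initChannel. */
    public static void install(SocketChannel ch, SslContext sslContext, String host, int port) {
        // Resolver for the OCSP responder's host name (assumed builder API, not from the page).
        DnsNameResolver resolver = new DnsNameResolverBuilder(ch.eventLoop())
                .channelType(NioDatagramChannel.class)
                .build();
        // The validator must follow SslHandler: it starts the OCSP query when
        // SslHandshakeCompletionEvent.SUCCESS reaches it.
        ch.pipeline().addLast("ssl", sslContext.newHandler(ch.alloc(), host, port));
        // closeAndThrowIfNotValid=false: forward the OcspValidationEvent instead of closing here.
        // validateNonce=true: the responder must echo our nonce, so a stale "good" response
        // cannot be replayed for a certificate that has since been revoked.
        ch.pipeline().addLast("ocsp", new OcspServerCertificateValidator(
                false, true, IoTransport.DEFAULT, resolver));
        ch.pipeline().addLast("ocsp-policy", new OcspPolicyHandler());
    }

    /** Receives the OcspValidationEvent the validator passes on and fails closed on anything but VALID. */
    static final class OcspPolicyHandler extends ChannelInboundHandlerAdapter {
        @Override
        public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
            if (evt instanceof OcspValidationEvent) {
                // Assumption: OcspValidationEvent.response() and OcspResponse.status() exist.
                OcspResponse.Status status = ((OcspValidationEvent) evt).response().status();
                if (status != OcspResponse.Status.VALID) {
                    ctx.close(); // REVOKED or UNKNOWN: do not let application data flow
                    return;
                }
            }
            ctx.fireUserEventTriggered(evt);
        }
    }
}
```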
Method Details

createDefaultResolver
    protected static DnsNameResolver createDefaultResolver(IoTransport ioTransport)

userEventTriggered
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception
    Description copied from class: ChannelInboundHandlerAdapter
    Calls ChannelHandlerContext.fireUserEventTriggered(Object) to forward to the next ChannelInboundHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.
    Specified by:
        userEventTriggered in interface ChannelInboundHandler
    Overrides:
        userEventTriggered in class ChannelInboundHandlerAdapter
    Throws:
        Exception

exceptionCaught
    public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause)
    Description copied from class: ChannelInboundHandlerAdapter
    Calls ChannelHandlerContext.fireExceptionCaught(Throwable) to forward to the next ChannelHandler in the ChannelPipeline. Sub-classes may override this method to change behavior.
    Specified by:
        exceptionCaught in interface ChannelHandler
    Specified by:
        exceptionCaught in interface ChannelInboundHandler
    Overrides:
        exceptionCaught in class ChannelInboundHandlerAdapter