Class TrustStore


  • public class TrustStore
    extends CertificateStore
    A wrapper class for a store of certificates, its metadata (password, location) and the related functionality used to verify credentials: a trust store. The trust store should contain only certificates of the "most-trusted" Certificate Authorities (it should not contain intermediates). These certificates are referred to as "Trust Anchors".
    Author:
    Guus der Kinderen, guus.der.kinderen@gmail.com
    • Method Detail

      • installCertificate

        public void installCertificate(String alias,
                                       String pemRepresentation)
                                throws CertificateStoreConfigException
        Imports one certificate as a trust anchor into this store. Note that this method explicitly allows invalid certificates to be added: the certificate itself is not validated. As this store is intended to contain certificates of "most-trusted" / root Certificate Authorities only, this method fails when the PEM representation contains more than one certificate.
        Parameters:
        alias - the name (key) under which the certificate is to be stored in the store (cannot be null or empty).
        pemRepresentation - The PEM representation of the certificate to add (cannot be null or empty).
        Throws:
        CertificateStoreConfigException - if the PEM representation does not contain exactly one certificate
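        The "exactly one certificate" rule above is what keeps a bundle of intermediates (or a whole CA chain) from silently becoming trust anchors. The following is an added example that is not part of Openfire's TrustStore; it shows how such a guard can be written on top of a plain java.security.KeyStore, using CertificateFactory to count the PEM blocks and a trusted-certificate entry (no private key) for the anchor. The class name TrustAnchorImporter and the use of CertificateException in place of the project's CertificateStoreConfigException are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

/**
 * Illustrative guard for importing a single trust anchor into a KeyStore.
 * This is example code, not Openfire's implementation.
 */
public final class TrustAnchorImporter {

    private TrustAnchorImporter() {
    }

    /**
     * Parses the PEM text, insists that it holds exactly one certificate and stores
     * it under the alias as a trusted-certificate entry. The certificate itself is
     * deliberately not validated, matching the documented behaviour of
     * TrustStore.installCertificate.
     *
     * @return the certificate that was stored
     * @throws CertificateException if the input is not exactly one X.509 certificate
     *                              (the project uses CertificateStoreConfigException here)
     */
    public static X509Certificate installTrustAnchor(KeyStore store, String alias, String pemRepresentation)
            throws CertificateException, KeyStoreException {
        if (alias == null || alias.trim().isEmpty()) {
            throw new IllegalArgumentException("alias cannot be null or empty");
        }
        if (pemRepresentation == null || pemRepresentation.trim().isEmpty()) {
            throw new IllegalArgumentException("pemRepresentation cannot be null or empty");
        }

        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        // generateCertificates() consumes every PEM block in the input, so the size of the
        // result tells us whether the caller handed us a single anchor or a bundle.
        Collection<? extends Certificate> parsed = factory.generateCertificates(
            new ByteArrayInputStream(pemRepresentation.getBytes(StandardCharsets.US_ASCII)));
        if (parsed.size() != 1) {
            throw new CertificateException(
                "expected exactly one certificate in the PEM input, found " + parsed.size());
        }

        Certificate only = parsed.iterator().next();
        if (!(only instanceof X509Certificate)) {
            throw new CertificateException("the certificate is not an X.509 certificate");
        }
        X509Certificate anchor = (X509Certificate) only;

        // A trusted-certificate entry carries no private key, which is all a trust store
        // should ever hold. An existing entry under the same alias is replaced.
        store.setCertificateEntry(alias, anchor);
        return anchor;
    }
}
```

        Because the parse happens before the store is touched, a rejected bundle leaves the trust store unchanged; the caller is expected to persist the KeyStore afterwards with the store's own password and location.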
      • isTrusted

        public boolean isTrusted(Certificate[] chain)
        Decides whether or not to trust the supplied certificate chain. For certain failures (revocation and the like) an exception SHOULD be generated, but this is currently not done.
        Parameters:
        chain - an array of X509Certificate where the first one is the endEntityCertificate.
        Returns:
        true if the content of this trust store allows the chain to be trusted, otherwise false.
      • getEndEntityCertificate

        public X509Certificate getEndEntityCertificate(Certificate[] chain)
        Decides whether or not to trust the supplied certificate chain, returning the end-entity certificate where the chain is trusted and null otherwise. A self-signed certificate will, for example, return null. For certain failures (revocation and the like) an exception SHOULD be generated, but this is currently not done.
        Parameters:
        chain - an array of X509Certificate where the first one is the endEntityCertificate.
        Returns:
        trusted end-entity certificate, or null.
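        The two methods above, isTrusted and getEndEntityCertificate, describe the same decision: build a path from the peer's chain to one of the store's trust anchors and report the leaf if that succeeds. The following is an added example that is not part of Openfire's TrustStore; it shows that decision expressed with the JDK's PKIX CertPathValidator over a plain java.security.KeyStore whose trusted-certificate entries act as the anchors. It assumes the KeyStore has already been loaded by the caller; the class name ChainTrustCheck is an assumption of this example. Revocation checking is switched off to mirror the documented behaviour ("we currently do not"), which is precisely the gap the Javadoc flags.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative chain-trust decision against the trusted-certificate entries of a KeyStore.
 * This is example code, not Openfire's implementation.
 */
public final class ChainTrustCheck {

    private ChainTrustCheck() {
    }

    /** Mirrors isTrusted: the chain is trusted exactly when a trusted end entity is found. */
    public static boolean isTrusted(KeyStore trustStore, Certificate[] chain) {
        return getEndEntityCertificate(trustStore, chain) != null;
    }

    /**
     * Mirrors getEndEntityCertificate: returns the first certificate of the chain if the
     * chain validates up to one of the store's trust anchors, and null otherwise.
     * The first element of the chain is expected to be the end-entity certificate.
     */
    public static X509Certificate getEndEntityCertificate(KeyStore trustStore, Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return null;
        }
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            if (!(c instanceof X509Certificate)) {
                return null; // only X.509 chains are understood
            }
            path.add((X509Certificate) c);
        }
        X509Certificate leaf = path.get(0);

        try {
            // PKIXParameters(KeyStore) turns every trusted-certificate entry into a TrustAnchor.
            PKIXParameters params = new PKIXParameters(trustStore);
            // Documented behaviour: revocation (CRL/OCSP) is not consulted by this check.
            params.setRevocationEnabled(false);

            // If the peer sent a root that is one of our anchors, drop it from the path:
            // trust must come from our store, never from a certificate the peer supplied.
            X509Certificate last = path.get(path.size() - 1);
            for (TrustAnchor anchor : params.getTrustAnchors()) {
                if (last.equals(anchor.getTrustedCert())) {
                    path.remove(path.size() - 1);
                    break;
                }
            }
            if (path.isEmpty()) {
                // The "chain" was nothing but one of our own anchors; a self-signed
                // anchor is not an end entity, so there is nothing to return.
                return null;
            }

            // Validity period, signatures, basic constraints and name chaining are all
            // checked by the PKIX validator; a self-signed leaf that is not an anchor
            // fails here because no anchor issued it.
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return leaf;
        } catch (CertPathValidatorException e) {
            return null; // no anchor vouches for the chain, or a certificate in it is unacceptable
        } catch (GeneralSecurityException e) {
            return null; // e.g. the store holds no trusted-certificate entries at all
        }
    }
}
```

        A caller that needs to know why a chain was rejected can inspect the CertPathValidatorException (its reason and index) before discarding it; returning plain null, as the documented methods do, hides that detail, which is why the Javadoc notes that some failures should eventually surface as exceptions.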