Class CertificateVerifier


  • public abstract class CertificateVerifier
    extends java.lang.Object
    Is called during the handshake and hooked into OpenSSL via SSL_CTX_set_cert_verify_callback. IMPORTANT: Implementations of this class should be static, because the instance is stored as a global reference via JNI. If you implement it as an inner or anonymous class and also depend on the finalizer of the enclosing class to free up the SSLContext, that finalizer will never run: the object is never garbage collected, due to the hard reference to the enclosing class. This will most likely result in a memory leak.
    • Field Detail

      • X509_V_OK

        public static final int X509_V_OK
      • X509_V_ERR_UNSPECIFIED

        public static final int X509_V_ERR_UNSPECIFIED
      • X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

        public static final int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
      • X509_V_ERR_UNABLE_TO_GET_CRL

        public static final int X509_V_ERR_UNABLE_TO_GET_CRL
      • X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE

        public static final int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
      • X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE

        public static final int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
      • X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY

        public static final int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
      • X509_V_ERR_CERT_SIGNATURE_FAILURE

        public static final int X509_V_ERR_CERT_SIGNATURE_FAILURE
      • X509_V_ERR_CRL_SIGNATURE_FAILURE

        public static final int X509_V_ERR_CRL_SIGNATURE_FAILURE
      • X509_V_ERR_CERT_NOT_YET_VALID

        public static final int X509_V_ERR_CERT_NOT_YET_VALID
      • X509_V_ERR_CERT_HAS_EXPIRED

        public static final int X509_V_ERR_CERT_HAS_EXPIRED
      • X509_V_ERR_CRL_NOT_YET_VALID

        public static final int X509_V_ERR_CRL_NOT_YET_VALID
      • X509_V_ERR_CRL_HAS_EXPIRED

        public static final int X509_V_ERR_CRL_HAS_EXPIRED
      • X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD

        public static final int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
      • X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD

        public static final int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
      • X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD

        public static final int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
      • X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD

        public static final int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
      • X509_V_ERR_OUT_OF_MEM

        public static final int X509_V_ERR_OUT_OF_MEM
      • X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

        public static final int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
      • X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

        public static final int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
      • X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

        public static final int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
      • X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

        public static final int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
      • X509_V_ERR_CERT_CHAIN_TOO_LONG

        public static final int X509_V_ERR_CERT_CHAIN_TOO_LONG
      • X509_V_ERR_CERT_REVOKED

        public static final int X509_V_ERR_CERT_REVOKED
      • X509_V_ERR_INVALID_CA

        public static final int X509_V_ERR_INVALID_CA
      • X509_V_ERR_PATH_LENGTH_EXCEEDED

        public static final int X509_V_ERR_PATH_LENGTH_EXCEEDED
      • X509_V_ERR_INVALID_PURPOSE

        public static final int X509_V_ERR_INVALID_PURPOSE
      • X509_V_ERR_CERT_UNTRUSTED

        public static final int X509_V_ERR_CERT_UNTRUSTED
      • X509_V_ERR_CERT_REJECTED

        public static final int X509_V_ERR_CERT_REJECTED
      • X509_V_ERR_SUBJECT_ISSUER_MISMATCH

        public static final int X509_V_ERR_SUBJECT_ISSUER_MISMATCH
      • X509_V_ERR_AKID_SKID_MISMATCH

        public static final int X509_V_ERR_AKID_SKID_MISMATCH
      • X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH

        public static final int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
      • X509_V_ERR_KEYUSAGE_NO_CERTSIGN

        public static final int X509_V_ERR_KEYUSAGE_NO_CERTSIGN
      • X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER

        public static final int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
      • X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION

        public static final int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
      • X509_V_ERR_KEYUSAGE_NO_CRL_SIGN

        public static final int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
      • X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION

        public static final int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
      • X509_V_ERR_INVALID_NON_CA

        public static final int X509_V_ERR_INVALID_NON_CA
      • X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED

        public static final int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
      • X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE

        public static final int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
      • X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED

        public static final int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
      • X509_V_ERR_INVALID_EXTENSION

        public static final int X509_V_ERR_INVALID_EXTENSION
      • X509_V_ERR_INVALID_POLICY_EXTENSION

        public static final int X509_V_ERR_INVALID_POLICY_EXTENSION
      • X509_V_ERR_NO_EXPLICIT_POLICY

        public static final int X509_V_ERR_NO_EXPLICIT_POLICY
      • X509_V_ERR_DIFFERENT_CRL_SCOPE

        public static final int X509_V_ERR_DIFFERENT_CRL_SCOPE
      • X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE

        public static final int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
      • X509_V_ERR_UNNESTED_RESOURCE

        public static final int X509_V_ERR_UNNESTED_RESOURCE
      • X509_V_ERR_PERMITTED_VIOLATION

        public static final int X509_V_ERR_PERMITTED_VIOLATION
      • X509_V_ERR_EXCLUDED_VIOLATION

        public static final int X509_V_ERR_EXCLUDED_VIOLATION
      • X509_V_ERR_SUBTREE_MINMAX

        public static final int X509_V_ERR_SUBTREE_MINMAX
      • X509_V_ERR_APPLICATION_VERIFICATION

        public static final int X509_V_ERR_APPLICATION_VERIFICATION
      • X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE

        public static final int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
      • X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX

        public static final int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
      • X509_V_ERR_UNSUPPORTED_NAME_SYNTAX

        public static final int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
      • X509_V_ERR_CRL_PATH_VALIDATION_ERROR

        public static final int X509_V_ERR_CRL_PATH_VALIDATION_ERROR
      • X509_V_ERR_PATH_LOOP

        public static final int X509_V_ERR_PATH_LOOP
      • X509_V_ERR_SUITE_B_INVALID_VERSION

        public static final int X509_V_ERR_SUITE_B_INVALID_VERSION
      • X509_V_ERR_SUITE_B_INVALID_ALGORITHM

        public static final int X509_V_ERR_SUITE_B_INVALID_ALGORITHM
      • X509_V_ERR_SUITE_B_INVALID_CURVE

        public static final int X509_V_ERR_SUITE_B_INVALID_CURVE
      • X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM

        public static final int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
      • X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED

        public static final int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
      • X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256

        public static final int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
      • X509_V_ERR_HOSTNAME_MISMATCH

        public static final int X509_V_ERR_HOSTNAME_MISMATCH
      • X509_V_ERR_EMAIL_MISMATCH

        public static final int X509_V_ERR_EMAIL_MISMATCH
      • X509_V_ERR_IP_ADDRESS_MISMATCH

        public static final int X509_V_ERR_IP_ADDRESS_MISMATCH
      • X509_V_ERR_DANE_NO_MATCH

        public static final int X509_V_ERR_DANE_NO_MATCH
      • ERRORS

        private static final java.util.Set<java.lang.Integer> ERRORS
    • Constructor Detail

      • CertificateVerifier

        public CertificateVerifier()
    • Method Detail

      • isValid

        public static boolean isValid​(int errorCode)
        Returns true if the given errorCode is valid, false otherwise.
      • verify

        public abstract int verify​(long ssl,
                                   byte[][] x509,
                                   java.lang.String authAlgorithm)
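        Verifies the passed-in certificate chain and returns the result as a verification code (the method returns an int, not a boolean): X509_V_OK if the chain could be verified and so the handshake should be successful, otherwise one of the X509_V_ERR_* constants declared on this class.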
        Parameters:
        ssl - the SSL instance
        x509 - the X509 certificate chain
        authAlgorithm - the auth algorithm
        Returns:
        X509_V_OK if the chain was verified successfully, otherwise one of the X509_V_ERR_* codes