  /**
   * Looks up a certificate in the local XKMS client cache.
   *
   * @param key cache key (a Subject DN or an issuer/serial key, as stored by this class)
   * @return a single-element array holding the cached certificate, or {@code null} when there is
   *     no cache, no entry for {@code key}, or the entry carries no certificate
   */
  private X509Certificate[] checkX509Cache(String key) {
    if (xkmsClientCache == null) {
      return null;
    }
    XKMSCacheToken token = xkmsClientCache.get(key);
    if (token == null) {
      return null;
    }
    X509Certificate cached = token.getX509Certificate();
    return cached == null ? null : new X509Certificate[] {cached};
  }
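  /**
   * Verifies that the first certificate of {@code certs} is trusted, consulting the local XKMS
   * client cache before calling the XKMS service.
   *
   * <p>The cache is probed by Subject DN and then by issuer/serial. A cache hit is accepted only
   * when the cached entry holds the very certificate that was presented: a Subject DN is not a
   * unique identifier, so a name collision must not short-circuit validation of a different
   * certificate.
   *
   * <p>NOTE(review): {@code enableRevocation}, {@code subjectCertConstraints} and
   * {@code issuerCertConstraints} are accepted for interface compatibility but are not applied
   * here; revocation and name constraints appear to be delegated to the XKMS service. Confirm
   * this matches the callers' expectations before relying on those parameters.
   *
   * @param certs certificate chain; only {@code certs[0]} is validated
   * @param enableRevocation not applied by this implementation
   * @param subjectCertConstraints not applied by this implementation
   * @param issuerCertConstraints not applied by this implementation
   * @throws WSSecurityException if no certificate is supplied or the XKMS service rejects it
   */
  @Override
  public void verifyTrust(
      X509Certificate[] certs,
      boolean enableRevocation,
      Collection<Pattern> subjectCertConstraints,
      Collection<Pattern> issuerCertConstraints)
      throws WSSecurityException {
    // Reject null / empty / null-element input up front so certs[0] can be indexed safely below
    // (the original logged certs[0] for a non-null but empty array, an ArrayIndexOutOfBounds).
    if (certs == null || certs.length == 0 || certs[0] == null) {
      throw new CryptoProviderException("The given certificate is not valid");
    }
    X509Certificate cert = certs[0];
    LOG.fine(String.format("Verifying certificate id: %s", cert.getSubjectDN()));

    // Try the local cache first: by Subject DN, then by IssuerSerial.
    XKMSCacheToken cachedToken = null;
    if (xkmsClientCache != null) {
      cachedToken = xkmsClientCache.get(cert.getSubjectX500Principal().getName());
      if (cachedToken == null) {
        cachedToken =
            xkmsClientCache.get(
                getKeyForIssuerSerial(
                    cert.getIssuerX500Principal().getName(), cert.getSerialNumber()));
      }
      // Trust the cache only when it holds exactly this certificate; Certificate.equals compares
      // the DER encoding, so a different certificate with the same Subject DN does not match.
      if (cachedToken != null
          && cachedToken.isXkmsValidated()
          && cert.equals(cachedToken.getX509Certificate())) {
        LOG.fine("Certificate has already been validated by the XKMS service");
        return;
      }
    }

    if (!xkmsInvoker.validateCertificate(cert)) {
      throw new CryptoProviderException("The given certificate is not valid");
    }

    // Mark the existing token as validated, but only if it is the token for this certificate;
    // a colliding entry for another certificate must not inherit this validation result.
    if (cachedToken != null && cert.equals(cachedToken.getX509Certificate())) {
      cachedToken.setXkmsValidated(true);
    }

    // Store (or overwrite) the cache entries for this certificate as validated.
    storeCertificateInCache(cert, null, true);
  }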
 /**
  * Caches a certificate under up to three keys: the caller-supplied key (if any), the
  * issuer/serial key and the Subject DN. Does nothing when there is no certificate or no cache.
  *
  * <p>NOTE(review): the Subject DN key is not unique across certificates, so an entry found by
  * that key alone may belong to a different certificate than the one a caller holds; callers
  * should compare the cached certificate against the presented one before trusting the entry.
  *
  * @param certificate certificate to cache; {@code null} is ignored
  * @param key optional custom key; {@code null} means no custom key
  * @param validated whether the entry is marked as validated by the XKMS service
  */
 private void storeCertificateInCache(X509Certificate certificate, String key, boolean validated) {
   if (certificate == null || xkmsClientCache == null) {
     return;
   }
   XKMSCacheToken token = new XKMSCacheToken(certificate);
   token.setXkmsValidated(validated);

   if (key != null) {
     xkmsClientCache.put(key, token);
   }
   // Same token under the issuer/serial and Subject DN keys, skipping whichever equals the
   // custom key (put order: custom key, issuer/serial, Subject DN).
   String byIssuerSerial =
       getKeyForIssuerSerial(
           certificate.getIssuerX500Principal().getName(), certificate.getSerialNumber());
   String bySubjectDN = certificate.getSubjectX500Principal().getName();
   for (String alias : new String[] {byIssuerSerial, bySubjectDN}) {
     if (!alias.equals(key)) {
       xkmsClientCache.put(alias, token);
     }
   }
 }