/**
 * Looks up {@code key} in the local XKMS client cache and wraps the cached
 * certificate in a single-element array.
 *
 * @param key cache key (a DN string or an issuer/serial key, as used by the callers)
 * @return a one-element array holding the cached certificate, or {@code null} when
 *         there is no cache, no entry for {@code key}, or the entry carries no certificate
 */
private X509Certificate[] checkX509Cache(String key) {
    if (xkmsClientCache == null) {
        return null;
    }
    XKMSCacheToken token = xkmsClientCache.get(key);
    if (token == null) {
        return null;
    }
    X509Certificate cached = token.getX509Certificate();
    return cached == null ? null : new X509Certificate[] {cached};
}
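/**
 * Verifies that the leaf certificate of {@code certs} is trusted, consulting the local
 * XKMS client cache first and otherwise asking the XKMS service through {@code xkmsInvoker}.
 *
 * <p>Only {@code certs[0]} is examined; the remainder of the chain is not inspected here.
 * {@code enableRevocation}, {@code subjectCertConstraints} and {@code issuerCertConstraints}
 * are accepted for interface compatibility but are not applied by this implementation, so
 * callers that depend on subject/issuer DN constraints must enforce them elsewhere.
 *
 * <p>A cache hit short-circuits the XKMS call only when the cached token is marked as
 * validated and its certificate (if it carries one) is the very certificate being checked:
 * the cache is keyed by DN strings, so a different certificate with the same Subject DN
 * must not inherit a previous validation result.
 *
 * @param certs the certificate chain; the leaf certificate must be at index 0
 * @param enableRevocation not used by this implementation
 * @param subjectCertConstraints not used by this implementation
 * @param issuerCertConstraints not used by this implementation
 * @throws CryptoProviderException if {@code certs} is null or empty, its leaf is null,
 *         or the XKMS service does not validate the leaf
 * @throws WSSecurityException declared by the interface; not thrown directly by this body
 */
@Override
public void verifyTrust(
        X509Certificate[] certs, boolean enableRevocation,
        Collection<Pattern> subjectCertConstraints, Collection<Pattern> issuerCertConstraints)
        throws WSSecurityException {
    // Resolve the leaf up front: an empty array or a null leaf used to surface as an
    // ArrayIndexOutOfBoundsException / NullPointerException from the log statement
    // instead of the CryptoProviderException this method promises.
    X509Certificate leaf = (certs != null && certs.length > 0) ? certs[0] : null;
    if (leaf == null) {
        throw new CryptoProviderException("The given certificate is not valid");
    }

    String subjectDn = leaf.getSubjectX500Principal().getName();
    LOG.fine(String.format("Verifying certificate id: %s", subjectDn));

    XKMSCacheToken cachedToken = null;
    if (xkmsClientCache != null) {
        // Try by Subject DN first, then by Issuer DN + serial number.
        cachedToken = xkmsClientCache.get(subjectDn);
        if (cachedToken == null) {
            String issuerSerialKey = getKeyForIssuerSerial(
                    leaf.getIssuerX500Principal().getName(), leaf.getSerialNumber());
            cachedToken = xkmsClientCache.get(issuerSerialKey);
        }
        if (cachedToken != null && cachedToken.isXkmsValidated()
                && sameCertificate(cachedToken, leaf)) {
            LOG.fine("Certificate has already been validated by the XKMS service");
            return;
        }
    }

    if (!xkmsInvoker.validateCertificate(leaf)) {
        throw new CryptoProviderException("The given certificate is not valid");
    }

    // Mark the existing token as validated only if it refers to this certificate;
    // a token for a different certificate under the same key keeps its own state.
    if (cachedToken != null && sameCertificate(cachedToken, leaf)) {
        cachedToken.setXkmsValidated(true);
    }
    // Store the leaf as a validated certificate.
    storeCertificateInCache(leaf, null, true);
}

/**
 * Returns {@code true} when {@code token} carries no certificate or carries exactly
 * {@code leaf} (X509Certificate equality compares the encoded form).
 */
private static boolean sameCertificate(XKMSCacheToken token, X509Certificate leaf) {
    X509Certificate cached = token.getX509Certificate();
    return cached == null || cached.equals(leaf);
}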