Certificate validator

Rule engine for creation of certificate validator.

License

License

GroupId

GroupId

no.difi.commons
ArtifactId

ArtifactId

commons-certvalidator
Last Version

Last Version

2.2.1
Release Date

Release Date

Type

Type

jar
Description

Description

Certificate validator
Rule engine for creation of certificate validator.
Project URL

Project URL

https://github.com/difi/certvalidator
Project Organization

Project Organization

Norwegian Agency for Public Management and eGovernment (Difi)
Source Code Management

Source Code Management

https://github.com/difi/certvalidator

Download commons-certvalidator

How to add to project

<!-- https://jarcasting.com/artifacts/no.difi.commons/commons-certvalidator/ -->
<dependency>
    <groupId>no.difi.commons</groupId>
    <artifactId>commons-certvalidator</artifactId>
    <version>2.2.1</version>
</dependency>
// https://jarcasting.com/artifacts/no.difi.commons/commons-certvalidator/
implementation 'no.difi.commons:commons-certvalidator:2.2.1'
// https://jarcasting.com/artifacts/no.difi.commons/commons-certvalidator/
implementation ("no.difi.commons:commons-certvalidator:2.2.1")
'no.difi.commons:commons-certvalidator:jar:2.2.1'
<dependency org="no.difi.commons" name="commons-certvalidator" rev="2.2.1">
  <artifact name="commons-certvalidator" type="jar" />
</dependency>
@Grapes(
@Grab(group='no.difi.commons', module='commons-certvalidator', version='2.2.1')
)
libraryDependencies += "no.difi.commons" % "commons-certvalidator" % "2.2.1"
[no.difi.commons/commons-certvalidator "2.2.1"]

Dependencies

compile (3)

Group / Artifact Type Version
org.bouncycastle : bcpkix-jdk15on jar 1.58
com.google.guava : guava jar 26.0-jre
net.klakegg.pkix : pkix-ocsp jar 0.9.1

provided (1)

Group / Artifact Type Version
org.kohsuke.metainf-services : metainf-services jar 1.8

test (3)

Group / Artifact Type Version
org.testng : testng jar 6.14.3
org.mockito : mockito-core jar 2.21.0
joda-time : joda-time jar 2.10.5

Project Modules

There are no modules declared in this project.

Certificate validator for X.509 certificates

Build Status CodeCov Maven Central

This validator is not a single validator, it is set of rules to build the certificate validator (using X.509 certificates) fitting the needs of your business case.

A lot of sensible defaults is used to make it easy to get started using this library. Use a proper IDE to customize to your needs.

Getting started

Include dependency in your pom.xml:

<dependency>
    <groupId>no.difi.commons</groupId>
    <artifactId>commons-certvalidator</artifactId>
    <version>2.1.1</version>
</dependency>

Create your own validator(s):

// Generic validator
Validator validator = ValidatorBuilder.newInstance()
    .addRule(new ExpirationRule())
    .addRule(new SigningRule())
    .addRule(new CRLRule())
    .addRule(new OCSPRule())
    .build();

// Accept only non-expired self-signed certificates
Validator validator = ValidatorBuilder.newInstance()
    .addRule(new ExpirationRule())
    .addRule(SigningRule.SelfSignedOnly())
    .build();

// Is the certificate expiring in less than 7 days?
Validator validator = ValidatorBuilder.newInstance()
    .addRule(new ExpirationSoonRule(7 * 24 * 60 * 60 * 1000))
    .build();
    
// Validate your certificate (throws exception on error)
validator.validate(...);

// Validate your certificate (returns boolean)
validator.isValid(...);

Please note the Validator accepts InputStream, byte[] and X509Certificate as input for validation.

Validators may not only be used to judge a given certificate when in situation to trust or not to trust a certificate. A validator instance may be used to implement logic helping users to handle certificates in a better manner (ie. give a warning before certificate expires).

Available building blocks

  • ChainRule - Validates chain of trust of certificate given access to root certificates and intermediate certificates.
  • CriticalExtensionRule - Validates required or recognized extensions.
  • CRLRule - Use information regarding Certificate Revocation List (CRL) in certificate to validate certificate.
  • DummyRule - Very simple implementation potentially interesting to use in testing.
  • ExpirationSoonRule
  • ExpirationRule
  • OCSPRule - Use information regarding Online Certificate Status Protocol (OCSP) in certificate to validate certificate.
  • PrincipalNameRule
  • SigningRule

Structure

  • Junction - Combine multiple validators into one validator using 'and', 'or' and 'xor'.

Extras

  • NorwegianOrganizationNumberRule (extends PrincipalNameRule) - Implements logic to fetch a norwegian organization number from a certificate given standardization is used.

Exceptions

  • CertificateValidatorException - This is thrown if anything around validation of certificate results in problems.
  • FailedValidationException (extends CertificateValidatorException) - This is thrown when certificate is validated to not be valid.
  • CertificateBucketException (extends CertificateValidatorException) - This is thrown when there are problems regarding certificate buckets.

Creating new rules

All new validation rules must implement the very simple ValidatorRule interface to be included in a chain of rules.

no.difi.commons

Digitaliseringsdirektoratet (Digdir)

Versions

Version
2.2.1
2.2.0
2.1.1
2.1.0
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0