validateCertificateChain() — netty Function Reference

Architecture documentation for the validateCertificateChain() function in OcspClient.java from the netty codebase.

Dependency Diagram

graph TD
  50598886_9268_4a91_78f1_ceeb719d9600["validateCertificateChain()"]
  b3812cec_6383_4848_72ed_d7aa9ab08546["OcspClient"]
  50598886_9268_4a91_78f1_ceeb719d9600 -->|defined in| b3812cec_6383_4848_72ed_d7aa9ab08546
  af12db0d_0585_7f39_ea00_ea888c0f0445["validateSignature()"]
  af12db0d_0585_7f39_ea00_ea888c0f0445 -->|calls| 50598886_9268_4a91_78f1_ceeb719d9600
  style 50598886_9268_4a91_78f1_ceeb719d9600 fill:#6366f1,stroke:#818cf8,color:#fff

Source Code

handler-ssl-ocsp/src/main/java/io/netty/handler/ssl/ocsp/OcspClient.java lines 320–359

    private static void validateCertificateChain(X509CertificateHolder responderCert,
                                                   X509CertificateHolder[] allCerts,
                                                   X509Certificate issuerCertificate) throws OCSPException {
        try {
            // Convert BouncyCastle certificate holders to Java X509Certificates
            List<X509Certificate> certList = new ArrayList<>(allCerts.length);
            for (X509CertificateHolder certHolder : allCerts) {
                certList.add(new JcaX509CertificateConverter().getCertificate(certHolder));
            }

            // Create a CertStore with all the certificates from the OCSP response
            CertStore certStore = CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(certList));

            // Set up the target certificate selector for the responder certificate
            X509CertSelector targetConstraints = new X509CertSelector();
            targetConstraints.setCertificate(new JcaX509CertificateConverter().getCertificate(responderCert));

            // Set up trust anchor with the issuer certificate
            TrustAnchor trustAnchor = new TrustAnchor(issuerCertificate, null);

            // Build PKIX parameters
            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
                    Collections.singleton(trustAnchor), targetConstraints);
            pkixParams.addCertStore(certStore);
            pkixParams.setRevocationEnabled(false); // Don't check revocation when validating OCSP response

            // Build and validate the certificate path
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            builder.build(pkixParams);

            // If we reach here, the chain is valid
        } catch (CertPathBuilderException e) {
            throw new OCSPException("OCSP responder certificate is not trusted by issuer: " + e.getMessage(), e);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            throw new OCSPException("Error setting up certificate path validation", e);
        } catch (CertificateException e) {
            throw new OCSPException("Error converting certificates for path validation", e);
        }
    }

Frequently Asked Questions

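What does validateCertificateChain() do?

validateCertificateChain() is a private static method in the netty codebase, defined in handler-ssl-ocsp/src/main/java/io/netty/handler/ssl/ocsp/OcspClient.java. It converts the certificates carried in the OCSP response to X509Certificate objects, then uses a PKIX CertPathBuilder to build a path from the responder certificate to the issuer certificate, which is the only trust anchor. Revocation checking is disabled for this path build, and any failure is rethrown as an OCSPException.

Where is validateCertificateChain() defined?

validateCertificateChain() is defined in handler-ssl-ocsp/src/main/java/io/netty/handler/ssl/ocsp/OcspClient.java at line 320.

What calls validateCertificateChain()?

validateCertificateChain() is called by one function: validateSignature().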
