java.lang.Object
  eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
    eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
      eu.emi.security.authn.x509.impl.DirectoryCertChainValidator

public class DirectoryCertChainValidator
extends PlainCRLValidator
The certificate validator which uses a flexible set of certificate and CRL locations. Both CA certificates and CRLs can be provided as a list of locations. Each element in the list is either a URL to a concrete file (note that this may be a remote file) or a local path. In the latter case it is possible to use wildcards in the path.
It is possible to configure this validator to refresh both the CRL and the CA certificate locations at a regular interval.
Note: be very careful when using remote CA certificate locations. If such a remote location is compromised, or its DNS name is spoofed, then your system is also compromised.
It is possible to configure this validator to use files encoded in DER or PEM format, but all the files must use a single encoding.
The CRLs (Certificate Revocation Lists, if their handling is turned on) can also be obtained from the CA certificate extension that defines the CRL URL, if they are not provided explicitly.
See Also:
X509CertChainValidator
Field Summary

Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
  crlStoreImpl, revocationParameters, timer

Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
  disposed, listeners, observers, validator
Constructor Summary

DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache)
  Constructs a new validator instance with default additional settings (see ValidatorParamsExt.ValidatorParamsExt()).

DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache, ValidatorParamsExt params)
  Constructs a new validator instance.

DirectoryCertChainValidator(String trustedLocation, String crlLocation, String diskCache)
  Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, connection timeout is 15s, proxies are supported, encoding is PEM and no initial update listener is registered.
Method Summary

void dispose()
  Disposes resources used by this Validator, like threads.

List<String> getTruststorePaths()
  Returns the current truststore locations.

long getTruststoreUpdateInterval()
  Returns the interval between subsequent checks of the truststore files.

void setTruststorePaths(List<String> trustedLocations)
  Sets new trusted locations.

void setTruststoreUpdateInterval(long updateInterval)
  Sets a new interval between subsequent checks of the truststore files.

Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
  createCRLStore, getCrls, getCRLUpdateInterval, getRevocationParameters, setCrls, setCRLUpdateInterval

Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
  addUpdateListener, addValidationListener, getProxySupport, getRevocationCheckingMode, getTrustedIssuers, init, notifyListeners, processErrorList, removeUpdateListener, removeValidationListener, validate, validate

Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache, ValidatorParamsExt params) throws KeyStoreException, IOException

Constructs a new validator instance.
Parameters:
trustedLocations - trusted certificate locations, either as local wildcard paths or URLs
encoding - whether the certificates in the store are stored as PEM or DER files. Note that the whole store must be consistent.
truststoreUpdateInterval - truststore update interval in milliseconds. Use a value <= 0 to disable automatic updates.
connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means an infinite timeout.
diskCache - directory path where the remote CA certificates shall be cached after downloading. Can be null if the cache shall not be used.
params - common validator settings (revocation, initial listeners, proxy support, ...)
Throws:
IOException
KeyStoreException
public DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache) throws KeyStoreException, IOException

Constructs a new validator instance with default additional settings (see ValidatorParamsExt.ValidatorParamsExt()).
Parameters:
trustedLocations - trusted certificate locations, either as local wildcard paths or URLs
encoding - whether the certificates in the store are stored as PEM or DER files. Note that the whole store must be consistent.
truststoreUpdateInterval - truststore update interval in milliseconds. Use a value <= 0 to disable automatic updates.
connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means an infinite timeout.
diskCache - directory path where the remote CA certificates shall be cached after downloading. Can be null if the cache shall not be used.
Throws:
IOException
KeyStoreException
public DirectoryCertChainValidator(String trustedLocation, String crlLocation, String diskCache) throws KeyStoreException, IOException

Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, connection timeout is 15s, proxies are supported, encoding is PEM and no initial update listener is registered.
Revocation settings are as follows: OCSP is enabled with default settings and is used first. If the OCSP check is not successful, then CRLs are checked, if they are present.
Parameters:
trustedLocation - trusted certificates location, either as a local wildcard path or a URL
crlLocation - location of CRLs, either as a local wildcard path or a URL
diskCache - directory path where the remote CA certificates shall be cached after downloading. Can be null if the cache shall not be used.
Throws:
IOException
KeyStoreException
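A worked example of the class in use, added here and not part of the library's documentation: it builds the validator with the five-argument constructor from a local, wildcard PEM truststore (no remote CA locations, so the DNS-spoofing caveat in the class description does not apply), validates a chain loaded from a file, reports the errors, and disposes the refresh thread. CertificateUtils.loadCertificateChain, ValidationResult and ValidationError are assumed to be the library's loading and result types; the truststore path is a placeholder.

```java
import java.io.FileInputStream;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

import eu.emi.security.authn.x509.ValidationError;      // assumed result types
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;

public class ValidateWithLocalTruststore {
    public static void main(String[] args) throws Exception {
        // Local wildcard path only (placeholder directory): trust anchors come from
        // disk, so a compromised web host or spoofed DNS name cannot inject one.
        List<String> trustedLocations = Arrays.asList("/path/to/trust-anchors/*.pem");

        DirectoryCertChainValidator validator = new DirectoryCertChainValidator(
                trustedLocations,
                CertificateUtils.Encoding.PEM, // whole store must use one encoding
                60L * 60L * 1000L,             // re-read the truststore every hour (ms)
                15000,                         // 15 s timeout; only used for remote CAs
                null);                         // no disk cache: nothing remote to cache
        try {
            X509Certificate[] chain;
            try (FileInputStream in = new FileInputStream(args[0])) {
                // End-entity certificate first, as the validator expects the chain.
                chain = CertificateUtils.loadCertificateChain(in, CertificateUtils.Encoding.PEM);
            }
            ValidationResult result = validator.validate(chain);
            if (result.isValid()) {
                System.out.println("Valid chain for " + chain[0].getSubjectX500Principal());
            } else {
                // Each error names the failing check (unknown issuer, expired, revoked, ...).
                for (ValidationError err : result.getErrors())
                    System.out.println("Validation error: " + err.getMessage());
            }
        } finally {
            validator.dispose(); // stop the truststore refresh thread
        }
    }
}
```

Run it with the path of a PEM file holding the chain to check; with a non-positive update interval the truststore is read once and never refreshed.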
Method Detail

public long getTruststoreUpdateInterval()
Returns the interval between subsequent checks of the truststore files.

public void setTruststoreUpdateInterval(long updateInterval)
Sets a new interval between subsequent checks of the truststore files.
Parameters:
updateInterval - the new interval to be set in milliseconds

public List<String> getTruststorePaths()
Returns the current truststore locations.

public void setTruststorePaths(List<String> trustedLocations)
Sets new trusted locations.

public void dispose()
Disposes resources used by this Validator, like threads.
Specified by:
dispose in interface X509CertChainValidatorExt
Overrides:
dispose in class PlainCRLValidator