eu.emi.security.authn.x509.impl
Class DirectoryCertChainValidator

java.lang.Object
  extended by eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
      extended by eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
          extended by eu.emi.security.authn.x509.impl.DirectoryCertChainValidator
All Implemented Interfaces:
X509CertChainValidator, X509CertChainValidatorExt

public class DirectoryCertChainValidator
extends PlainCRLValidator

The certificate validator which uses a flexible set of certificate and CRL locations. Both CA certificates and CRLs can be provided as a list of locations. Each element in the list is either a URL to a concrete file (note that this may be a remote file) or a local path. In the latter case it is possible to use wildcards in the path.

It is possible to configure this validator to refresh both CRL and CA certificate locations on a regular interval.

Note: be very careful when using remote CA certificate locations. If such a remote location is compromised, or its DNS name is spoofed, then your system is also compromised.

It is possible to configure this validator to use files encoded in DER or PEM format, but all the files must use a single encoding.

If CRL (Certificate Revocation List) handling is turned on and no CRL locations are provided explicitly, the CRLs can also be obtained from the CA certificate extension that defines the CRL URL.

Author:
K. Benedyczak
See Also:
X509CertChainValidator

Field Summary
 
Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
crlStoreImpl, revocationParameters, timer
 
Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
disposed, listeners, observers, validator
 
Constructor Summary
DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache)
          Constructs a new validator instance with default additional settings (see ValidatorParamsExt.ValidatorParamsExt()).
DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache, ValidatorParamsExt params)
          Constructs a new validator instance.
DirectoryCertChainValidator(String trustedLocation, String crlLocation, String diskCache)
          Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, connection timeout is 15s, proxies are supported, encoding is PEM and no initial update listener is registered.
 
Method Summary
 void dispose()
          Disposes resources used by this Validator, like threads.
 List<String> getTruststorePaths()
          Returns the current truststore locations.
 long getTruststoreUpdateInterval()
          Returns the interval between subsequent checks of the truststore files.
 void setTruststorePaths(List<String> trustedLocations)
          Sets new trusted locations.
 void setTruststoreUpdateInterval(long updateInterval)
          Sets a new interval between subsequent checks of the truststore files.
 
Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
createCRLStore, getCrls, getCRLUpdateInterval, getRevocationParameters, setCrls, setCRLUpdateInterval
 
Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
addUpdateListener, addValidationListener, getProxySupport, getRevocationCheckingMode, getTrustedIssuers, init, notifyListeners, processErrorList, removeUpdateListener, removeValidationListener, validate, validate
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DirectoryCertChainValidator

public DirectoryCertChainValidator(List<String> trustedLocations,
                                   CertificateUtils.Encoding encoding,
                                   long truststoreUpdateInterval,
                                   int connectionTimeoutCA,
                                   String diskCache,
                                   ValidatorParamsExt params)
                            throws KeyStoreException,
                                   IOException
Constructs a new validator instance. CRLs (Certificate Revocation Lists) are taken from the trusted CAs certificate extension and downloaded, unless CRL checking is disabled. Additional CRLs may be provided manually.

Parameters:
trustedLocations - trusted certificate locations, either as local wildcard paths or URLs
encoding - whether certificates in the store are stored as PEM or DER files. Note that the whole store must use the same encoding.
truststoreUpdateInterval - truststore update interval in milliseconds. Use a value <= 0 to disable automatic updates.
connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means an infinite timeout.
diskCache - directory path where the remote CA certificates shall be cached after downloading. Can be null if no cache shall be used.
params - common validator settings (revocation, initial listeners, proxy support, ...)
Throws:
IOException
KeyStoreException

DirectoryCertChainValidator

public DirectoryCertChainValidator(List<String> trustedLocations,
                                   CertificateUtils.Encoding encoding,
                                   long truststoreUpdateInterval,
                                   int connectionTimeoutCA,
                                   String diskCache)
                            throws KeyStoreException,
                                   IOException
Constructs a new validator instance with default additional settings (see ValidatorParamsExt.ValidatorParamsExt()).

Parameters:
trustedLocations - trusted certificate locations, either as local wildcard paths or URLs
encoding - whether certificates in the store are stored as PEM or DER files. Note that the whole store must use the same encoding.
truststoreUpdateInterval - truststore update interval in milliseconds. Use a value <= 0 to disable automatic updates.
connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means an infinite timeout.
diskCache - directory path where the remote CA certificates shall be cached after downloading. Can be null if no cache shall be used.
Throws:
IOException
KeyStoreException

DirectoryCertChainValidator

public DirectoryCertChainValidator(String trustedLocation,
                                   String crlLocation,
                                   String diskCache)
                            throws KeyStoreException,
                                   IOException
Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, connection timeout is 15s, proxies are supported, encoding is PEM and no initial update listener is registered.

Revocation settings are as follows: OCSP is enabled with default settings and is used first. If the OCSP check is not successful, then CRLs are checked if they are present.

Parameters:
trustedLocation - trusted certificate location, either as a local wildcard path or a URL
crlLocation - location of CRLs, either as a local wildcard path or a URL
diskCache - directory path where the remote CA certificates shall be cached after downloading. Can be null if no cache shall be used.
Throws:
IOException
KeyStoreException
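The following is an added usage example, not part of the canl-java documentation or code base. It builds the validator with the five-argument constructor described above using a local wildcard path for the trust anchors (avoiding the remote-location risk noted in the class description), registers a StoreUpdateListener so that failed truststore or CRL refreshes are not lost silently, registers a ValidationErrorListener to log each error, validates a PEM-encoded chain read from a file, and disposes the validator. The paths, the class name DirectoryValidatorExample and the helper validateChainFile are assumptions for this example; the library types and methods used (CertificateUtils.loadCertificateChain, ValidationResult, ValidationError, the listener interfaces and the methods listed on this page) are the library's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationErrorListener;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;

public class DirectoryValidatorExample {

    // Hypothetical locations: a local wildcard path for the CA certificates
    // (remote URLs are also accepted, but see the warning in the class
    // description) and a local directory caching any downloaded certificates.
    private static final List<String> TRUSTED_LOCATIONS =
            Arrays.asList("/etc/grid-security/certificates/*.pem");
    private static final String DISK_CACHE = "/var/cache/canl-ca"; // may be null
    private static final long ONE_HOUR_MS = 60L * 60 * 1000;
    private static final int CA_CONNECT_TIMEOUT_MS = 15_000;

    /** Validates the PEM chain in chainPemPath against the local trust store. */
    public static boolean validateChainFile(String chainPemPath) throws Exception {
        // The whole store must use one encoding; this store is PEM only.
        DirectoryCertChainValidator validator = new DirectoryCertChainValidator(
                TRUSTED_LOCATIONS, CertificateUtils.Encoding.PEM,
                ONE_HOUR_MS, CA_CONNECT_TIMEOUT_MS, DISK_CACHE);
        try {
            // Surface every refresh problem: a silently failing refresh means
            // stale CRLs and possibly stale trust anchors.
            validator.addUpdateListener(new StoreUpdateListener() {
                @Override
                public void loadingNotification(String location, String type,
                        StoreUpdateListener.Severity level, Exception cause) {
                    if (level != StoreUpdateListener.Severity.NOTIFICATION) {
                        System.err.println(level + " while loading " + type
                                + " from " + location
                                + (cause != null ? ": " + cause.getMessage() : ""));
                    }
                }
            });

            // Log each validation error; returning false keeps the error in
            // the result (returning true would tell the validator to ignore it).
            validator.addValidationListener(new ValidationErrorListener() {
                @Override
                public boolean onValidationError(ValidationError error) {
                    System.err.println("certificate #" + error.getPosition() + " "
                            + error.getErrorCode() + ": " + error.getMessage());
                    return false;
                }
            });

            System.out.println("Trust anchors loaded from: "
                    + validator.getTruststorePaths());

            X509Certificate[] chain;
            try (InputStream in = new FileInputStream(chainPemPath)) {
                chain = CertificateUtils.loadCertificateChain(
                        in, CertificateUtils.Encoding.PEM);
            }
            ValidationResult result = validator.validate(chain);
            if (!result.isValid()) {
                System.err.println(result.getErrors().size()
                        + " validation error(s) for " + chainPemPath);
            }
            return result.isValid();
        } finally {
            // Stops the refresh timer thread; the validator is unusable afterwards.
            validator.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical default path; pass the chain file as the first argument.
        String chainFile = args.length > 0 ? args[0] : "/path/to/chain.pem";
        System.out.println(validateChainFile(chainFile)
                ? "chain accepted" : "chain rejected");
    }
}
```

Creating a validator is comparatively expensive (it parses every trust anchor and starts a refresh timer), so in a real service one instance is kept for the lifetime of the process and dispose() is called only at shutdown, rather than per validation as in this single-shot example.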

Method Detail

getTruststoreUpdateInterval

public long getTruststoreUpdateInterval()
Returns the interval between subsequent checks of the truststore files.

Returns:
the current refresh interval in milliseconds

setTruststoreUpdateInterval

public void setTruststoreUpdateInterval(long updateInterval)
Sets a new interval between subsequent checks of the truststore files.

Parameters:
updateInterval - the new interval to be set in milliseconds

getTruststorePaths

public List<String> getTruststorePaths()
Returns the current truststore locations.

Returns:
the current list of truststore locations (local wildcard paths or URLs)

setTruststorePaths

public void setTruststorePaths(List<String> trustedLocations)
Sets new trusted locations. See constructor argument description for details.


dispose

public void dispose()
Disposes resources used by this Validator, like threads. After calling this method the validator can not be used anymore.

Specified by:
dispose in interface X509CertChainValidatorExt
Overrides:
dispose in class PlainCRLValidator


Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.