Package eu.emi.security.authn.x509.helpers.pkipath

Class AbstractValidator

java.lang.Object
eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
All Implemented Interfaces:
X509CertChainValidator, X509CertChainValidatorExt
Direct Known Subclasses:
OpensslCertChainValidator, PlainCRLValidator
public abstract class AbstractValidator extends Object implements X509CertChainValidatorExt
Base implementation of X509CertChainValidator. It is configured with CertStore providing CRLs and TrustAnchorStore providing trusted CAs. The implementation validates certificates using the BCCertPathValidator.

This class is thread safe and its extensions should also guarantee this.

Author:
K. Benedyczak

  • Field Details

  • Constructor Details

    • AbstractValidator

      public AbstractValidator(Collection<? extends StoreUpdateListener> initialListeners)
      Default constructor is available, the subclass must initialize the parent with the init() method. Note that it is strongly suggested to call the init() method from the child class constructor.

      This is not a cleanest design possible but it is required as arguments to the init() method require some code to be created in subclasses. Therefore we have a trade off: a bit unclean design inside the library and a clean external API without factory methods.

      Parameters:
      initialListeners - initial listeners

  • Method Details

    • init

      protected void init(TrustAnchorStore caStore, AbstractCRLStoreSPI crlStore, ProxySupport proxySupport, RevocationParameters revocationCheckingMode)
      Use this method to initialize the parent from the extension class, if not using the non-default constructor.
      Parameters:
      caStore - CA store
      crlStore - CRL store
      proxySupport - proxy support
      revocationCheckingMode - revocation checking mode

    • validate

      public ValidationResult validate(CertPath certPath)
      Performs validation of a provided certificate path.
      Specified by:
      validate in interface X509CertChainValidator
      Parameters:
      certPath - to be validated
      Returns:
      result of validation

    • validate

      public ValidationResult validate(X509Certificate[] certChain)
      Performs validation of a provided certificate chain.
      Specified by:
      validate in interface X509CertChainValidator
      Parameters:
      certChain - to be validated
      Returns:
      result of validation

    • validate

      protected ValidationResult validate(X509Certificate[] certChain, Set<TrustAnchor> anchors)

    • processErrorList

      protected void processErrorList(List<ValidationError> errors)

    • getTrustedIssuers

      public X509Certificate[] getTrustedIssuers()
      Returns a list of trusted issuers of certificates.
      Specified by:
      getTrustedIssuers in interface X509CertChainValidator
      Returns:
      array containing trusted issuers' certificates

    • notifyListeners

      protected boolean notifyListeners(ValidationError error)
      Notifies all registered listeners.
      Parameters:
      error - validation error
      Returns:
      true if the error should be ignored false otherwise.

    • addValidationListener

      public void addValidationListener(ValidationErrorListener listener)
      Registers a listener which can react to errors found during certificate validation. It is useful in two cases: (rarely) if you want to change the default logic of the validator and if you will use the validator indirectly (e.g. to validate SSL socket connections) and want to get the original ValidationError, not the exception.
      Specified by:
      addValidationListener in interface X509CertChainValidator
      Parameters:
      listener - to be registered

    • removeValidationListener

      public void removeValidationListener(ValidationErrorListener listener)
      Unregisters a previously registered validation listener. If the listener was not registered then the method does nothing.
      Specified by:
      removeValidationListener in interface X509CertChainValidator
      Parameters:
      listener - to be unregistered

    • getProxySupport

      public ProxySupport getProxySupport()
      Returns whether this validator supports proxy certificates.
      Specified by:
      getProxySupport in interface X509CertChainValidatorExt
      Returns:
      proxy certificates support mode

    • getRevocationCheckingMode

      public RevocationParameters getRevocationCheckingMode()
      Gets the current revocation checking mode.
      Specified by:
      getRevocationCheckingMode in interface X509CertChainValidatorExt
      Returns:
      the current mode

    • dispose

      public void dispose()
      Disposes resources used by this Validator, like threads. After calling this method the validator can not be used anymore.
      Specified by:
      dispose in interface X509CertChainValidatorExt

    • isDisposed

      protected boolean isDisposed()

    • addUpdateListener

      public void addUpdateListener(StoreUpdateListener listener)
      Registers a listener which can react to errors found during refreshing of the trust material: trusted CAs or CRLs. This method is useful only if the implementation supports updating of CAs or CRLs, otherwise the listener will not be invoked.
      Specified by:
      addUpdateListener in interface X509CertChainValidator
      Parameters:
      listener - to be registered

    • removeUpdateListener

      public void removeUpdateListener(StoreUpdateListener listener)
      Unregisters a previously registered CA or CRL update listener. If the listener was not registered then the method does nothing.
      Specified by:
      removeUpdateListener in interface X509CertChainValidator
      Parameters:
      listener - to be unregistered