Class LazyOpensslTrustAnchorStoreImpl
java.lang.Object
eu.emi.security.authn.x509.helpers.trust.AbstractTrustAnchorStore
eu.emi.security.authn.x509.helpers.trust.LazyOpensslTrustAnchorStoreImpl
- All Implemented Interfaces:
OpensslTrustAnchorStore,TrustAnchorStore
public class LazyOpensslTrustAnchorStoreImpl
extends AbstractTrustAnchorStore
implements OpensslTrustAnchorStore
Implementation of the truststore which uses CA certificates from a single directory
in OpenSSL format. Each certificate should be stored in a file named HASH.NUM,
where HASH is an 8 digit hex number. The NUM must be a number, starting from 0.
The hash can be either of openssl pre 1.0.0 version
(with 8 least significant digits of the MD5 hash of the certificate subject in DER format)
or in openssl 1.0.0 and above format (SHA1 hash of specially normalized DN). The class is configured
to use one or another, never both.
This class (contrary to the OpensslTrustAnchorStoreImpl) doesn't extend DirectoryTrustAnchorStore
and therefore certificates (and all corresponding files) are not loaded at startup and kept in memory.
The files are loaded on-demand and are only cached in memory for no longer then the updateInterval is.
- Author:
- K. Benedyczak
-
Field Summary
FieldsModifier and TypeFieldDescriptionprotected CachedElement<Set<TrustAnchorExt>>protected Map<X500Principal,CachedElement<Set<TrustAnchorExt>>> static final StringFields inherited from class eu.emi.security.authn.x509.helpers.trust.AbstractTrustAnchorStore
observersFields inherited from interface eu.emi.security.authn.x509.helpers.trust.OpensslTrustAnchorStore
CERT_WILDCARD -
Constructor Summary
ConstructorsConstructorDescriptionLazyOpensslTrustAnchorStoreImpl(String basePath, long updateInterval, ObserversHandler observers, boolean openssl1Mode) -
Method Summary
Modifier and TypeMethodDescriptionvoiddispose()getTrustAnchorsFor(X509Certificate[] certChain) Algorithm is as follows: for each certificate subject in chain, and for the issuer of the last certificate in chain, it is tried to load a trust anchor defined for such subject.protected voidtryLoadCert(File file, Set<TrustAnchorExt> set) protected X509CertificatetryLoadCertInternal(File file) Methods inherited from class eu.emi.security.authn.x509.helpers.trust.AbstractTrustAnchorStore
checkValidity, getUpdateInterval, setUpdateIntervalMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface eu.emi.security.authn.x509.helpers.trust.TrustAnchorStore
getUpdateInterval, setUpdateInterval
-
Field Details
-
CERTS_REGEXP
- See Also:
-
cachedAnchors
-
cachedAnchorsPerIssuer
-
-
Constructor Details
-
LazyOpensslTrustAnchorStoreImpl
public LazyOpensslTrustAnchorStoreImpl(String basePath, long updateInterval, ObserversHandler observers, boolean openssl1Mode)
-
-
Method Details
-
tryLoadCertInternal
-
tryLoadCert
-
getPmaNsStore
- Specified by:
getPmaNsStorein interfaceOpensslTrustAnchorStore
-
getGlobusNsStore
- Specified by:
getGlobusNsStorein interfaceOpensslTrustAnchorStore
-
getTrustAnchors
- Specified by:
getTrustAnchorsin interfaceTrustAnchorStore
-
getTrustedCertificates
- Specified by:
getTrustedCertificatesin interfaceTrustAnchorStore
-
dispose
public void dispose()- Specified by:
disposein interfaceTrustAnchorStore
-
getTrustAnchorsFor
Algorithm is as follows: for each certificate subject in chain, and for the issuer of the last certificate in chain, it is tried to load a trust anchor defined for such subject. If successful then also it is tried recursively to load all parent trust anchors for the loaded one.- Parameters:
certChain- certificate chain- Returns:
- set of trust anchors for a given certificate chain
-