Class DirectoryCertChainValidator

All Implemented Interfaces:
X509CertChainValidator, X509CertChainValidatorExt

public class DirectoryCertChainValidator extends PlainCRLValidator
The certificate validator which uses a flexible set of certificate and CRL locations. Both CA certificates and CRLs can be provided as a list of locations. Each element in the list is either a URL to a concrete file (note that this may be a remote file) or a local path. In the latter case it is possible to use wildcards in the path.

It is possible to configure this validator to refresh both CRL and CA certificate locations on a regular interval.

Note: be very careful when using remote CA certificate locations. If such a remote location is compromised, or its DNS name is spoofed, then your system is also compromised: whoever controls the download controls which CAs you trust. Prefer local paths where possible.

It is possible to configure this validator to use files encoded in DER or PEM format, but all the files must use a single encoding.

If CRL handling is turned on and CRLs are not provided explicitly, they can also be obtained from the CA certificate extension that defines the CRL URL (the CRL Distribution Points extension).

Author:
K. Benedyczak
  • Constructor Details

    • DirectoryCertChainValidator

      public DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache, ValidatorParamsExt params) throws KeyStoreException, IOException
      Constructs a new validator instance. CRLs (Certificate Revocation Lists) are taken from the CRL URL extension of the trusted CA certificates and downloaded, unless CRL checking is disabled. Additional CRLs may be provided explicitly through params.
      Parameters:
      trustedLocations - trusted certificates locations, either as local wildcard paths or URLs
      encoding - Whether certificates in the store are stored as PEM or DER files. Note that the whole store must be consistent.
      truststoreUpdateInterval - truststore update interval in milliseconds. Use a <= 0 value to disable automatic updates.
      connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means no timeout, which lets a stalled remote connection wait indefinitely; use a finite value in production.
      diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
      params - common validator settings (revocation, initial listeners, proxy support, ...)
      Throws:
      IOException - IO exception
      KeyStoreException - key store exception
    • DirectoryCertChainValidator

      public DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache) throws KeyStoreException, IOException
      Constructs a new validator instance with default additional settings (see ValidatorParamsExt()).
      Parameters:
      trustedLocations - trusted certificates locations, either as local wildcard paths or URLs
      encoding - Whether certificates in the store are stored as PEM or DER files. Note that the whole store must be consistent.
      truststoreUpdateInterval - truststore update interval in milliseconds. Use a <= 0 value to disable automatic updates.
      connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means no timeout, which lets a stalled remote connection wait indefinitely; use a finite value in production.
      diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
      Throws:
      IOException - IO exception
      KeyStoreException - key store exception
    • DirectoryCertChainValidator

      public DirectoryCertChainValidator(String trustedLocation, String crlLocation, String diskCache) throws KeyStoreException, IOException
      Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, connection timeout is 15s, proxies are supported, encoding is PEM and no initial update listener is registered.

      Revocation settings are as follows: OCSP is enabled with default settings and is used first. If the OCSP check is not successful, then CRLs are checked if they are present.

      Parameters:
      trustedLocation - trusted certificates location, either as local wildcard path or URL
      crlLocation - location of CRLs, either as local wildcard path or URL.
      diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
      Throws:
      IOException - IO exception
      KeyStoreException - key store exception
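      The following is an added example, not code from the library's Javadoc or from canl itself, showing how the full constructor above is typically wired: local wildcard locations for CA certificates and CRLs (a deliberate choice given the warning about remote locations), a finite connection timeout, explicit revocation settings, a StoreUpdateListener so that failed truststore or CRL loads are reported rather than silently ignored, and dispose() in a finally block. The file paths are constructed placeholders. Types not described on this page (RevocationParametersExt, CRLParameters, OCSPParametes, CrlCheckingMode, RevocationCheckingOrder, ProxySupport, StoreUpdateListener, ValidationResult, ValidationError, CertificateUtils.loadCertificateChain) and their package names are assumed from the canl-java API as I recall it; check them against the version you build with.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.ProxySupport;
import eu.emi.security.authn.x509.RevocationCheckingOrder;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.impl.CRLParameters;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;
import eu.emi.security.authn.x509.impl.OCSPParametes;
import eu.emi.security.authn.x509.impl.RevocationParametersExt;
import eu.emi.security.authn.x509.impl.ValidatorParamsExt;

/** Added example (not part of canl): building and using a DirectoryCertChainValidator. */
public final class TrustStoreExample {

    // Constructed placeholder paths. Local wildcard paths are used on purpose:
    // a remote CA location that is compromised or DNS-spoofed compromises the whole system.
    private static final List<String> CA_LOCATIONS =
            Collections.singletonList("/etc/pki/trust-anchors/*.pem");
    private static final List<String> CRL_LOCATIONS =
            Collections.singletonList("/etc/pki/crls/*.pem");

    private static final long ONE_HOUR_MS = 60L * 60 * 1000;
    private static final int CONNECT_TIMEOUT_MS = 15_000;  // finite: 0 would wait forever

    public static DirectoryCertChainValidator newValidator() throws KeyStoreException, IOException {
        // Listener signature assumed from the canl StoreUpdateListener interface.
        // Without it a missing or unreadable CA file just shrinks the trust set silently.
        StoreUpdateListener listener = new StoreUpdateListener() {
            @Override
            public void loadingNotification(String location, String type,
                                            Severity level, Exception cause) {
                if (level == Severity.ERROR) {
                    System.err.println("truststore load failure (" + type + ") at " + location
                            + (cause != null ? ": " + cause.getMessage() : ""));
                }
            }
        };

        // Explicit CRL locations refreshed hourly, no disk cache for CRLs (null).
        CRLParameters crlParams = new CRLParameters(CRL_LOCATIONS, ONE_HOUR_MS,
                CONNECT_TIMEOUT_MS, null);
        // OCSP with default settings first, CRLs as fallback; CRLs used if present and valid.
        RevocationParametersExt revocation = new RevocationParametersExt(
                CrlCheckingMode.IF_VALID, crlParams, new OCSPParametes(),
                RevocationCheckingOrder.OCSP_CRL);
        // Proxy certificates denied unless the deployment actually needs them.
        ValidatorParamsExt params = new ValidatorParamsExt(revocation, ProxySupport.DENY,
                Collections.singletonList(listener));

        // Whole store is PEM; diskCache is null because no remote CA locations are used.
        return new DirectoryCertChainValidator(CA_LOCATIONS, CertificateUtils.Encoding.PEM,
                ONE_HOUR_MS, CONNECT_TIMEOUT_MS, null, params);
    }

    /** Validates a chain and reports every error the validator collected. */
    public static boolean isTrusted(DirectoryCertChainValidator validator, X509Certificate[] chain) {
        ValidationResult result = validator.validate(chain);
        if (!result.isValid()) {
            for (ValidationError e : result.getErrors()) {
                System.err.println("chain rejected: " + e.getMessage());
            }
        }
        return result.isValid();
    }

    public static void main(String[] args) throws Exception {
        DirectoryCertChainValidator validator = newValidator();
        try (FileInputStream in = new FileInputStream(args[0])) {
            // args[0]: PEM file holding the end-entity certificate followed by intermediates.
            X509Certificate[] chain =
                    CertificateUtils.loadCertificateChain(in, CertificateUtils.Encoding.PEM);
            System.out.println(isTrusted(validator, chain) ? "VALID" : "INVALID");
        } finally {
            validator.dispose();  // stops the refresh thread; the validator is unusable afterwards
        }
    }
}
```

      Keep one validator per trust configuration and reuse it: each instance owns a refresh thread and, with the 3-argument constructor, an hourly truststore and CRL reload, so constructing one per validation both leaks threads and defeats the cache.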
  • Method Details

    • getTruststoreUpdateInterval

      public long getTruststoreUpdateInterval()
      Returns the interval between subsequent checks of the truststore files.
      Returns:
      the current refresh interval in milliseconds
    • setTruststoreUpdateInterval

      public void setTruststoreUpdateInterval(long updateInterval)
      Sets a new interval between subsequent checks of the truststore files.
      Parameters:
      updateInterval - the new interval to be set in milliseconds
    • getTruststorePaths

      public List<String> getTruststorePaths()
      Returns the current truststore locations.
      Returns:
      the list of trusted certificate locations (local wildcard paths or URLs)
    • setTruststorePaths

      public void setTruststorePaths(List<String> trustedLocations)
      Sets new trusted locations. See constructor argument description for details.
      Parameters:
      trustedLocations - trusted certificate locations
    • dispose

      public void dispose()
      Disposes resources used by this Validator, like threads. After calling this method the validator cannot be used anymore.
      Specified by:
      dispose in interface X509CertChainValidatorExt
      Overrides:
      dispose in class PlainCRLValidator