Class DirectoryCertChainValidator

  • All Implemented Interfaces:
    X509CertChainValidator, X509CertChainValidatorExt

    public class DirectoryCertChainValidator
    extends PlainCRLValidator
    The certificate validator which uses a flexible set of certificate and CRL locations. Both CA certificates and CRLs can be provided as a list of locations. Each element in the list is either a URL to a concrete file (note that this might be a remote file) or a local path. In the latter case it is possible to use wildcards in the path.

    It is possible to configure this validator to refresh both CRL and CA certificate locations on a regular interval.

    Note: be very careful when using remote CA certificate locations. If such a remote location is compromised or its DNS name is spoofed, then your system is also compromised.

    It is possible to configure this validator to use files encoded in DER or PEM format, but all the files must use a single encoding.

    If CRL handling is turned on and CRLs are not provided explicitly, the CRLs (Certificate Revocation Lists) can also be obtained from the CA certificate extension that defines the CRL URL.

    Author:
    K. Benedyczak
    See Also:
    X509CertChainValidator
    • Constructor Detail

      • DirectoryCertChainValidator

        public DirectoryCertChainValidator​(java.util.List<java.lang.String> trustedLocations,
                                           CertificateUtils.Encoding encoding,
                                           long truststoreUpdateInterval,
                                           int connectionTimeoutCA,
                                           java.lang.String diskCache,
                                           ValidatorParamsExt params)
                                    throws java.security.KeyStoreException,
                                           java.io.IOException
        Constructs a new validator instance. Unless CRL checking is disabled, CRLs (Certificate Revocation Lists) are taken from the CRL URL extension of the trusted CA certificates and downloaded. Additional CRLs may be provided manually.
        Parameters:
        trustedLocations - trusted certificate locations, either as local wildcard paths or URLs
        encoding - whether certificates in the store are stored as PEM or DER files. Note that the whole store must use one encoding.
        truststoreUpdateInterval - truststore update interval in milliseconds. Use a <= 0 value to disable automatic updates.
        connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means infinite timeout.
        diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
        params - common validator settings (revocation, initial listeners, proxy support, ...)
        Throws:
        java.io.IOException - IO exception
        java.security.KeyStoreException - key store exception
      • DirectoryCertChainValidator

        public DirectoryCertChainValidator​(java.util.List<java.lang.String> trustedLocations,
                                           CertificateUtils.Encoding encoding,
                                           long truststoreUpdateInterval,
                                           int connectionTimeoutCA,
                                           java.lang.String diskCache)
                                    throws java.security.KeyStoreException,
                                           java.io.IOException
        Constructs a new validator instance with default additional settings (see ValidatorParamsExt()).
        Parameters:
        trustedLocations - trusted certificate locations, either as local wildcard paths or URLs
        encoding - whether certificates in the store are stored as PEM or DER files. Note that the whole store must use one encoding.
        truststoreUpdateInterval - truststore update interval in milliseconds. Use a <= 0 value to disable automatic updates.
        connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means infinite timeout.
        diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
        Throws:
        java.io.IOException - IO exception
        java.security.KeyStoreException - key store exception
      • DirectoryCertChainValidator

        public DirectoryCertChainValidator​(java.lang.String trustedLocation,
                                           java.lang.String crlLocation,
                                           java.lang.String diskCache)
                                    throws java.security.KeyStoreException,
                                           java.io.IOException
        Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, the connection timeout is 15 s, proxies are supported, encoding is PEM and no initial update listener is registered.

        Revocation settings are as follows: OCSP is enabled with default settings and is used first. If the OCSP check is not successful, then CRLs are checked if present.

        Parameters:
        trustedLocation - trusted certificate location, either as a local wildcard path or a URL
        crlLocation - location of CRLs, either as local wildcard path or URL.
        diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
        Throws:
        java.io.IOException - IO exception
        java.security.KeyStoreException - key store exception
    • Method Detail

      • getTruststoreUpdateInterval

        public long getTruststoreUpdateInterval()
        Returns the interval between subsequent checks of the truststore files.
        Returns:
        the current refresh interval in milliseconds
      • setTruststoreUpdateInterval

        public void setTruststoreUpdateInterval​(long updateInterval)
        Sets a new interval between subsequent checks of the truststore files.
        Parameters:
        updateInterval - the new interval to be set in milliseconds
      • getTruststorePaths

        public java.util.List<java.lang.String> getTruststorePaths()
        Returns the current truststore locations.
        Returns:
        the truststore locations
      • setTruststorePaths

        public void setTruststorePaths​(java.util.List<java.lang.String> trustedLocations)
        Sets new trusted locations. See constructor argument description for details.
        Parameters:
        trustedLocations - trusted certificate locations
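The following is an added example, not code from the canl project or from this page. It builds a DirectoryCertChainValidator with the five-argument constructor documented above, using only local wildcard paths (refusing remote locations up front, as the note about compromised or DNS-spoofed remote CA locations advises), and then validates a certificate chain read from a PEM file. The sample paths are constructed. Assumed beyond this page: CertificateUtils.loadCertificateChain(InputStream, Encoding), validate(X509Certificate[]) returning a ValidationResult with isValid() and getErrors(), ValidationError.getMessage(), and dispose() on the validator.

```java
// Added example (not from the canl project or this page): local-only trust
// store built with DirectoryCertChainValidator, then a chain validation.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding;
import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;

public class LocalTrustStoreExample {

    // Constructed sample location: a local wildcard path, no http(s) URL.
    static final List<String> TRUSTED_LOCATIONS = Arrays.asList(
            "/etc/grid-security/certificates/*.pem");

    // Hourly refresh of the truststore files; 0 or less would disable it.
    static final long REFRESH_MS = 3_600_000L;

    // 15 s connection timeout for any remote download (0 would mean infinite).
    static final int CONNECT_TIMEOUT_MS = 15_000;

    /** Refuse any trust anchor location that is not a local path: a compromised
     *  or DNS-spoofed remote location compromises the whole trust store. */
    static void requireLocalOnly(List<String> locations) {
        for (String loc : locations) {
            String l = loc.toLowerCase();
            if (l.startsWith("http://") || l.startsWith("https://") || l.startsWith("ftp://")) {
                throw new IllegalArgumentException("remote trust anchor location refused: " + loc);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        requireLocalOnly(TRUSTED_LOCATIONS);

        // Five-argument constructor from the page. Encoding.PEM must match every
        // file in the store; diskCache is null because nothing remote is fetched.
        // Revocation settings are the ValidatorParamsExt() defaults, so CRLs come
        // from the CRL URL extension of the trusted CA certificates.
        DirectoryCertChainValidator validator = new DirectoryCertChainValidator(
                TRUSTED_LOCATIONS, Encoding.PEM, REFRESH_MS, CONNECT_TIMEOUT_MS, null);

        String chainFile = args.length > 0 ? args[0] : "chain.pem"; // constructed default
        try (InputStream in = new FileInputStream(chainFile)) {
            // Assumed helper from CertificateUtils: reads an EE-first PEM chain.
            X509Certificate[] chain = CertificateUtils.loadCertificateChain(in, Encoding.PEM);

            ValidationResult result = validator.validate(chain);
            if (result.isValid()) {
                System.out.println("chain is valid: " + chain[0].getSubjectX500Principal());
            } else {
                // Each error carries a message; log all of them, not just the first.
                for (ValidationError err : result.getErrors()) {
                    System.out.println("validation error: " + err.getMessage());
                }
            }
        } finally {
            // Stops the background truststore refresh started by the constructor.
            validator.dispose();
        }
    }
}
```

If the trusted locations change at runtime, setTruststorePaths(List) replaces them and setTruststoreUpdateInterval(long) adjusts the refresh period; the same local-only check should be applied to any new list before it is passed in.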