Package eu.emi.security.authn.x509.impl

Class OpensslCertChainValidator

  • All Implemented Interfaces:
    X509CertChainValidator, X509CertChainValidatorExt
    public class OpensslCertChainValidator
extends AbstractValidator
    The certificate validator which uses OpenSSL directory as a truststore. The validator can work in two modes: the default lazy mode when the truststore contents is loaded on-demand and in a classic mode, when the whole truststore is loaded to the memory at startup. The latter mode can be useful for server-side as allows to get an information about truststore problems (as expired certificates or invalid files) at startup. Also the performance characteristic is better: validation can be faster and operation time more stable. Unfortunately both advantages are at the cost of a longer initialization time and bigger memory footprint. Therefore the lazy mode is strongly suggested for client tools, where this is a concern.
    Author:
    K. Benedyczak

    • Field Detail

      • timer

        protected static final java.util.Timer timer

    • Constructor Detail

      • OpensslCertChainValidator

        public OpensslCertChainValidator​(java.lang.String directory,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval,
                                 ValidatorParams params)
        Constructs a new validator instance. This version is equivalent to the OpensslCertChainValidator(String, boolean, NamespaceCheckingMode, long, ValidatorParams, boolean) with the legacy (pre 1.0) format of the truststore and the lazy mode turned on.
        Parameters:
        directory - path where trusted certificates are stored.
        namespaceMode - specifies how certificate namespaces should be handled
        updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load. Use a <= 0 value to disable automatic updates.
        params - common validator settings (revocation, initial listeners, proxy support, ...)

      • OpensslCertChainValidator

        public OpensslCertChainValidator​(java.lang.String directory,
                                 boolean openssl1Mode,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval,
                                 ValidatorParams params)
        Constructs a new validator instance. This validator will work in the lazy mode. See OpensslCertChainValidator(String, boolean, NamespaceCheckingMode, long, ValidatorParams, boolean) for details.
        Parameters:
        directory - path where trusted certificates are stored.
        openssl1Mode - if true then truststore is with hashes in openssl 1+ format. Otherwise the openssl 0.x format is used.
        namespaceMode - specifies how certificate namespaces should be handled
        updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load. Use a <= 0 value to disable automatic updates.
        params - common validator settings (revocation, initial listeners, proxy support, ...)

      • OpensslCertChainValidator

        public OpensslCertChainValidator​(java.lang.String directory,
                                 boolean openssl1Mode,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval,
                                 ValidatorParams params,
                                 boolean lazyMode)
        Constructs a new validator instance.
        Parameters:
        directory - path where trusted certificates are stored.
        openssl1Mode - if true then truststore is with hashes in openssl 1+ format. Otherwise the openssl 0.x format is used.
        namespaceMode - specifies how certificate namespaces should be handled
        updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load. Use a <= 0 value to disable automatic updates.
        params - common validator settings (revocation, initial listeners, proxy support, ...)
        lazyMode - if true then certificates, CRLs and namespace definitions are loaded on-demand (with in-memory caching). If false then the whole truststore contents is loaded at startup and kept in memory.
        Since:
        2.0.0

      • OpensslCertChainValidator

        public OpensslCertChainValidator​(java.lang.String directory,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval)
        Constructs a new validator instance with default additional settings (see ValidatorParams()). The legacy, pre openssl 1.0 format of the truststore is used as well as the lazy loading mode.
        Parameters:
        directory - path where trusted certificates are stored.
        namespaceMode - specifies how certificate namespaces should be handled
        updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load.

      • OpensslCertChainValidator

        public OpensslCertChainValidator​(java.lang.String directory)
        Constructs a new validator instance using the default settings: CRLs are used if present, proxy certificates are supported and directory is rescanned every 10mins. EuGridPMA namespaces are checked in the first place, if not found then Globus EACLs are tried. Lack of namespaces is ignored. The legacy, pre openssl 1.0 format of the truststore is used as well as the lazy loading mode.
        Parameters:
        directory - path where trusted certificates are stored.

    • Method Detail

      • getTruststorePath

        public java.lang.String getTruststorePath()
        Returns the trusted certificates directory path
        Returns:
        the path

      • getNamespaceCheckingMode

        public NamespaceCheckingMode getNamespaceCheckingMode()
        Returns the namespace checking mode.
        Returns:
        the namespace mode

      • getUpdateInterval

        public long getUpdateInterval()
        Returns the interval between subsequent checks of the trusted certificates directory. Note that files are actually reread only if their modification time has changed.
        Returns:
        the current refresh interval in milliseconds

      • setUpdateInterval

        public void setUpdateInterval​(long updateInterval)
        Sets a new interval between subsequent checks of the trusted certificates directory. Note that files are actually reread only if their modification time has changed.
        Parameters:
        updateInterval - the new interval to be set in milliseconds