eu.emi.security.authn.x509.helpers.pkipath

Class AbstractValidator

java.lang.Object

eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator

All Implemented Interfaces:

X509CertChainValidator, X509CertChainValidatorExt

Direct Known Subclasses:

OpensslCertChainValidator, PlainCRLValidator

public abstract class AbstractValidator
extends Object
implements X509CertChainValidatorExt

Base implementation of X509CertChainValidator. It is configured with CertStore providing CRLs and TrustAnchorStore providing trusted CAs. The implementation validates certificates using the BCCertPathValidator.

This class is thread safe and its extensions should also guarantee this.

Author:

K. Benedyczak

Field Summary

Fields

Modifier and Type	Field and Description
protected boolean	disposed
protected Set<ValidationErrorListener>	listeners
protected ObserversHandler	observers
protected BCCertPathValidator	validator

Constructor Summary

Constructors

Constructor and Description
AbstractValidator(Collection<? extends StoreUpdateListener> initialListeners) Default constructor is available, the subclass must initialize the parent with the init() method.

Method Summary

Modifier and Type	Method and Description
void	addUpdateListener(StoreUpdateListener listener) Registers a listener which can react to errors found during refreshing of the trust material: trusted CAs or CRLs.
void	addValidationListener(ValidationErrorListener listener) Registers a listener which can react to errors found during certificate validation.
void	dispose() Disposes resources used by this Validator, like threads.
ProxySupport	getProxySupport() Returns whether this validator supports proxy certificates.
RevocationParameters	getRevocationCheckingMode() Gets the current revocation checking mode.
X509Certificate[]	getTrustedIssuers() Returns a list of trusted issuers of certificates.
protected void	init(TrustAnchorStore caStore, AbstractCRLStoreSPI crlStore, ProxySupport proxySupport, RevocationParameters revocationCheckingMode) Use this method to initialize the parent from the extension class, if not using the non-default constructor.
protected boolean	isDisposed()
protected boolean	notifyListeners(ValidationError error) Notifies all registered listeners.
protected void	processErrorList(List<ValidationError> errors)
void	removeUpdateListener(StoreUpdateListener listener) Unregisters a previously registered CA or CRL update listener.
void	removeValidationListener(ValidationErrorListener listener) Unregisters a previously registered validation listener.
ValidationResult	validate(CertPath certPath) Performs validation of a provided certificate path.
ValidationResult	validate(X509Certificate[] certChain) Performs validation of a provided certificate chain.
protected ValidationResult	validate(X509Certificate[] certChain, Set<TrustAnchor> anchors)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

listeners

protected Set<ValidationErrorListener> listeners

observers

protected final ObserversHandler observers

validator

protected BCCertPathValidator validator

disposed

protected boolean disposed

Constructor Detail

AbstractValidator

public AbstractValidator(Collection<? extends StoreUpdateListener> initialListeners)

Default constructor is available, the subclass must initialize the parent with the init() method. Note that it is strongly suggested to call the init() method from the child class constructor.

This is not a cleanest design possible but it is required as arguments to the init() method require some code to be created in subclasses. Therefore we have a trade off: a bit unclean design inside the library and a clean external API without factory methods.

Parameters:

initialListeners - initial listeners

Method Detail

init

protected void init(TrustAnchorStore caStore,
                    AbstractCRLStoreSPI crlStore,
                    ProxySupport proxySupport,
                    RevocationParameters revocationCheckingMode)

Use this method to initialize the parent from the extension class, if not using the non-default constructor.

Parameters:

caStore - CA store

crlStore - CRL store

proxySupport - proxy support

revocationCheckingMode - revocation checking mode

validate

public ValidationResult validate(CertPath certPath)

Performs validation of a provided certificate path.

Specified by:

validate in interface X509CertChainValidator

Parameters:

certPath - to be validated

Returns:

result of validation

validate

public ValidationResult validate(X509Certificate[] certChain)

Performs validation of a provided certificate chain.

Specified by:

validate in interface X509CertChainValidator

Parameters:

certChain - to be validated

Returns:

result of validation

validate

protected ValidationResult validate(X509Certificate[] certChain,
                                    Set<TrustAnchor> anchors)

processErrorList

protected void processErrorList(List<ValidationError> errors)

getTrustedIssuers

public X509Certificate[] getTrustedIssuers()

Returns a list of trusted issuers of certificates.

Specified by:

getTrustedIssuers in interface X509CertChainValidator

Returns:

array containing trusted issuers' certificates

notifyListeners

protected boolean notifyListeners(ValidationError error)

Notifies all registered listeners.

Parameters:

error - validation error

Returns:

true if the error should be ignored false otherwise.

addValidationListener

public void addValidationListener(ValidationErrorListener listener)

Registers a listener which can react to errors found during certificate validation. It is useful in two cases: (rarely) if you want to change the default logic of the validator and if you will use the validator indirectly (e.g. to validate SSL socket connections) and want to get the original ValidationError, not the exception.

Specified by:

addValidationListener in interface X509CertChainValidator

Parameters:

listener - to be registered

removeValidationListener

public void removeValidationListener(ValidationErrorListener listener)

Unregisters a previously registered validation listener. If the listener was not registered then the method does nothing.

Specified by:

removeValidationListener in interface X509CertChainValidator

Parameters:

listener - to be unregistered

getProxySupport

public ProxySupport getProxySupport()

Returns whether this validator supports proxy certificates.

Specified by:

getProxySupport in interface X509CertChainValidatorExt

Returns:

proxy certificates support mode

getRevocationCheckingMode

public RevocationParameters getRevocationCheckingMode()

Gets the current revocation checking mode.

Specified by:

getRevocationCheckingMode in interface X509CertChainValidatorExt

Returns:

the current mode

dispose

public void dispose()

Disposes resources used by this Validator, like threads. After calling this method the validator can not be used anymore.

Specified by:

dispose in interface X509CertChainValidatorExt

isDisposed

protected boolean isDisposed()

addUpdateListener

public void addUpdateListener(StoreUpdateListener listener)

Registers a listener which can react to errors found during refreshing of the trust material: trusted CAs or CRLs. This method is useful only if the implementation supports updating of CAs or CRLs, otherwise the listener will not be invoked.

Specified by:

addUpdateListener in interface X509CertChainValidator

Parameters:

listener - to be registered

removeUpdateListener

public void removeUpdateListener(StoreUpdateListener listener)

Unregisters a previously registered CA or CRL update listener. If the listener was not registered then the method does nothing.

Specified by:

removeUpdateListener in interface X509CertChainValidator

Parameters:

listener - to be unregistered