DirectoryCertChainValidator (canl 2.5.0 API)

java.lang.Object
- eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
- - eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
  - - eu.emi.security.authn.x509.impl.DirectoryCertChainValidator

All Implemented Interfaces:

X509CertChainValidator, X509CertChainValidatorExt
```
public class DirectoryCertChainValidator
extends PlainCRLValidator
```
The certificate validator which uses a flexible set of certificates and CRL locations. Both CA certificates or CRLs can be provided as a list of locations. Each element in the list is either a URL to a concrete file (note that this might be remote file) or a local path. In the latter case it is possible to use wildcards in path locations.
It is possible to configure this validator to refresh both CRL and CA certificate locations on a regular interval.
Note: be very careful when using remote CA certificate locations. If such a remote location is compromised or DNS address is spooffed then your system is also compromised.
It is possible to configure this validator to use files encoded in DER or PEM format, but all the files must use a single encoding.
The CRLs (Certificate Revocation Lists, if their handling is turned on) can be obtained also from the CA certificate extension defining CRL URL if are not provided explicitly.

Author:

K. Benedyczak

See Also:

X509CertChainValidator

Field Summary
- Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
  crlStoreImpl, revocationParameters, timer
- Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
  disposed, listeners, observers, validator

Constructor Summary

Constructors
Constructor and Description
`DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache)` Constructs a new validator instance with default additional settings (see `ValidatorParamsExt.ValidatorParamsExt()`).
`DirectoryCertChainValidator(List<String> trustedLocations, CertificateUtils.Encoding encoding, long truststoreUpdateInterval, int connectionTimeoutCA, String diskCache, ValidatorParamsExt params)` Constructs a new validator instance.
`DirectoryCertChainValidator(String trustedLocation, String crlLocation, String diskCache)` Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, connection timeout is 15s, proxies are supported, encoding is PEM and no initial update listener is registered.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`dispose()` Disposes resources used by this Validator, like threads.
`List<String>`	`getTruststorePaths()` Returns the current truststore locations
`long`	`getTruststoreUpdateInterval()` Returns the interval between subsequent checks of the truststore files.
`void`	`setTruststorePaths(List<String> trustedLocations)` Sets new trusted locations.
`void`	`setTruststoreUpdateInterval(long updateInterval)` Sets a new interval between subsequent checks of the truststore files.

Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator
createCRLStore, getCrls, getCRLUpdateInterval, getRevocationParameters, setCrls, setCRLUpdateInterval

Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator
addUpdateListener, addValidationListener, getProxySupport, getRevocationCheckingMode, getTrustedIssuers, init, isDisposed, notifyListeners, processErrorList, removeUpdateListener, removeValidationListener, validate, validate, validate

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - DirectoryCertChainValidator
```
public DirectoryCertChainValidator(List<String> trustedLocations,
                                   CertificateUtils.Encoding encoding,
                                   long truststoreUpdateInterval,
                                   int connectionTimeoutCA,
                                   String diskCache,
                                   ValidatorParamsExt params)
                            throws KeyStoreException,
                                   IOException
```
    Constructs a new validator instance. CRLs (Certificate Revocation Lists) are taken from the trusted CAs certificate extension and downloaded, unless CRL checking is disabled. Additional CRLs may be provided manually.
    
    Parameters:
    
    trustedLocations - trusted certificates locations, either as local wildcard paths or URLs
    
    encoding - Whether certificates in the store are stored as PEM or DER files. Note that the whole store must be consistent.
    
    truststoreUpdateInterval - truststore update interval in milliseconds. Use a <= 0 value to disable automatic updates.
    
    connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means infinite timeout.
    
    diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
    
    params - common validator settings (revocation, initial listeners, proxy support, ...)
    
    Throws:
    
    IOException - IO exception
    
    KeyStoreException - key store exception
  - DirectoryCertChainValidator
```
public DirectoryCertChainValidator(List<String> trustedLocations,
                                   CertificateUtils.Encoding encoding,
                                   long truststoreUpdateInterval,
                                   int connectionTimeoutCA,
                                   String diskCache)
                            throws KeyStoreException,
                                   IOException
```
    Constructs a new validator instance with default additional settings (see ValidatorParamsExt.ValidatorParamsExt()).
    
    Parameters:
    
    trustedLocations - trusted certificates locations, either as local wildcard paths or URLs
    
    encoding - Whether certificates in the store are stored as PEM or DER files. Note that the whole store must be consistent.
    
    truststoreUpdateInterval - truststore update interval in milliseconds. Use a <= 0 value to disable automatic updates.
    
    connectionTimeoutCA - connection timeout in ms for downloading remote CA certificates, >= 0. 0 means infinite timeout.
    
    diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
    
    Throws:
    
    IOException - IO exception
    
    KeyStoreException - key store exception
  - DirectoryCertChainValidator
```
public DirectoryCertChainValidator(String trustedLocation,
                                   String crlLocation,
                                   String diskCache)
                            throws KeyStoreException,
                                   IOException
```
    Constructs a new validator instance with simplified parameters: only one location for certificates, truststore and CRLs are refreshed every hour, connection timeout is 15s, proxies are supported, encoding is PEM and no initial update listener is registered.
    Revocation settings are as follows: OCSP is enable with default settings and is used first. If OSCP check is not successful then CRLs are checked if are present.
    
    Parameters:
    
    trustedLocation - trusted certificates location, either as local wildcard path or URL
    
    crlLocation - location of CRLs, either as local wildcard path or URL.
    
    diskCache - directory path, where the remote CA certificates shall be cached after downloading. Can be null if cache shall not be used.
    
    Throws:
    
    IOException - IO exception
    
    KeyStoreException - key store exception
- Method Detail
  - getTruststoreUpdateInterval
```
public long getTruststoreUpdateInterval()
```
    Returns the interval between subsequent checks of the truststore files.
    
    Returns:
    
    the current refresh interval in milliseconds
  - setTruststoreUpdateInterval
```
public void setTruststoreUpdateInterval(long updateInterval)
```
    Sets a new interval between subsequent checks of the truststore files.
    
    Parameters:
    
    updateInterval - the new interval to be set in milliseconds
  - getTruststorePaths
```
public List<String> getTruststorePaths()
```
    Returns the current truststore locations
    
    Returns:
    
    the path
  - setTruststorePaths
```
public void setTruststorePaths(List<String> trustedLocations)
```
    Sets new trusted locations. See constructor argument description for details.
    
    Parameters:
    
    trustedLocations - trusted certificate locations
  - dispose
```
public void dispose()
```
    Disposes resources used by this Validator, like threads. After calling this method the validator can not be used anymore.
    
    Specified by:
    
    dispose in interface X509CertChainValidatorExt
    
    Overrides:
    
    dispose in class PlainCRLValidator

Class DirectoryCertChainValidator

Field Summary

Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator

Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator

Constructor Summary

Method Summary

Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator

Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator

Methods inherited from class java.lang.Object

Constructor Detail

DirectoryCertChainValidator

DirectoryCertChainValidator

DirectoryCertChainValidator

Method Detail

getTruststoreUpdateInterval

setTruststoreUpdateInterval

getTruststorePaths

setTruststorePaths

dispose