eu.emi.security.authn.x509.impl

Class OpensslCertChainValidator

java.lang.Object

eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator

eu.emi.security.authn.x509.impl.OpensslCertChainValidator

All Implemented Interfaces:

X509CertChainValidator, X509CertChainValidatorExt

public class OpensslCertChainValidator
extends AbstractValidator

The certificate validator which uses OpenSSL directory as a truststore. The validator can work in two modes: the default lazy mode when the truststore contents is loaded on-demand and in a classic mode, when the whole truststore is loaded to the memory at startup. The latter mode can be useful for server-side as allows to get an information about truststore problems (as expired certificates or invalid files) at startup. Also the performance characteristic is better: validation can be faster and operation time more stable. Unfortunately both advantages are at the cost of a longer initialization time and bigger memory footprint. Therefore the lazy mode is strongly suggested for client tools, where this is a concern.

Author:

K. Benedyczak

Field Summary

Fields

Modifier and Type	Field and Description
protected static Timer	timer

Fields inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator

disposed, listeners, observers, validator

Constructor Summary

Constructors

Constructor and Description
OpensslCertChainValidator(String directory) Constructs a new validator instance using the default settings: CRLs are used if present, proxy certificates are supported and directory is rescanned every 10mins.
OpensslCertChainValidator(String directory, boolean openssl1Mode, NamespaceCheckingMode namespaceMode, long updateInterval, ValidatorParams params) Constructs a new validator instance.
OpensslCertChainValidator(String directory, boolean openssl1Mode, NamespaceCheckingMode namespaceMode, long updateInterval, ValidatorParams params, boolean lazyMode) Constructs a new validator instance.
OpensslCertChainValidator(String directory, NamespaceCheckingMode namespaceMode, long updateInterval) Constructs a new validator instance with default additional settings (see ValidatorParams.ValidatorParams()).
OpensslCertChainValidator(String directory, NamespaceCheckingMode namespaceMode, long updateInterval, ValidatorParams params) Constructs a new validator instance.

Method Summary

Modifier and Type	Method and Description
void	dispose() Disposes resources used by this Validator, like threads.
NamespaceCheckingMode	getNamespaceCheckingMode() Returns the namespace checking mode.
String	getTruststorePath() Returns the trusted certificates directory path
long	getUpdateInterval() Returns the interval between subsequent checks of the trusted certificates directory.
void	setUpdateInterval(long updateInterval) Sets a new interval between subsequent checks of the trusted certificates directory.
ValidationResult	validate(X509Certificate[] certChain) Performs validation of a provided certificate chain.

Methods inherited from class eu.emi.security.authn.x509.helpers.pkipath.AbstractValidator

addUpdateListener, addValidationListener, getProxySupport, getRevocationCheckingMode, getTrustedIssuers, init, isDisposed, notifyListeners, processErrorList, removeUpdateListener, removeValidationListener, validate, validate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

timer

protected static final Timer timer

Constructor Detail

OpensslCertChainValidator

public OpensslCertChainValidator(String directory,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval,
                                 ValidatorParams params)

Constructs a new validator instance. This version is equivalent to the OpensslCertChainValidator(String, boolean, NamespaceCheckingMode, long, ValidatorParams, boolean) with the legacy (pre 1.0) format of the truststore and the lazy mode turned on.

Parameters:

directory - path where trusted certificates are stored.

namespaceMode - specifies how certificate namespaces should be handled

updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load. Use a <= 0 value to disable automatic updates.

params - common validator settings (revocation, initial listeners, proxy support, ...)

OpensslCertChainValidator

public OpensslCertChainValidator(String directory,
                                 boolean openssl1Mode,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval,
                                 ValidatorParams params)

Constructs a new validator instance. This validator will work in the lazy mode. See OpensslCertChainValidator(String, boolean, NamespaceCheckingMode, long, ValidatorParams, boolean) for details.

Parameters:

directory - path where trusted certificates are stored.

openssl1Mode - if true then truststore is with hashes in openssl 1+ format. Otherwise the openssl 0.x format is used.

namespaceMode - specifies how certificate namespaces should be handled

updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load. Use a <= 0 value to disable automatic updates.

params - common validator settings (revocation, initial listeners, proxy support, ...)

OpensslCertChainValidator

public OpensslCertChainValidator(String directory,
                                 boolean openssl1Mode,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval,
                                 ValidatorParams params,
                                 boolean lazyMode)

Constructs a new validator instance.

Parameters:

directory - path where trusted certificates are stored.

openssl1Mode - if true then truststore is with hashes in openssl 1+ format. Otherwise the openssl 0.x format is used.

namespaceMode - specifies how certificate namespaces should be handled

updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load. Use a <= 0 value to disable automatic updates.

params - common validator settings (revocation, initial listeners, proxy support, ...)

lazyMode - if true then certificates, CRLs and namespace definitions are loaded on-demand (with in-memory caching). If false then the whole truststore contents is loaded at startup and kept in memory.

Since:

2.0.0

OpensslCertChainValidator

public OpensslCertChainValidator(String directory,
                                 NamespaceCheckingMode namespaceMode,
                                 long updateInterval)

Constructs a new validator instance with default additional settings (see ValidatorParams.ValidatorParams()). The legacy, pre openssl 1.0 format of the truststore is used as well as the lazy loading mode.

Parameters:

directory - path where trusted certificates are stored.

namespaceMode - specifies how certificate namespaces should be handled

updateInterval - specifies in miliseconds how often the directory should be checked for updates. The files are reloaded only if their modification timestamp was changed since last load.

OpensslCertChainValidator

public OpensslCertChainValidator(String directory)

Constructs a new validator instance using the default settings: CRLs are used if present, proxy certificates are supported and directory is rescanned every 10mins. EuGridPMA namespaces are checked in the first place, if not found then Globus EACLs are tried. Lack of namespaces is ignored. The legacy, pre openssl 1.0 format of the truststore is used as well as the lazy loading mode.

Parameters:

directory - path where trusted certificates are stored.

Method Detail

getTruststorePath

public String getTruststorePath()

Returns the trusted certificates directory path

Returns:

the path

getNamespaceCheckingMode

public NamespaceCheckingMode getNamespaceCheckingMode()

Returns the namespace checking mode.

Returns:

the namespace mode

getUpdateInterval

public long getUpdateInterval()

Returns the interval between subsequent checks of the trusted certificates directory. Note that files are actually reread only if their modification time has changed.

Returns:

the current refresh interval in milliseconds

setUpdateInterval

public void setUpdateInterval(long updateInterval)

Sets a new interval between subsequent checks of the trusted certificates directory. Note that files are actually reread only if their modification time has changed.

Parameters:

updateInterval - the new interval to be set in milliseconds

dispose

public void dispose()

Description copied from class: AbstractValidator

Disposes resources used by this Validator, like threads. After calling this method the validator can not be used anymore.

Specified by:

dispose in interface X509CertChainValidatorExt

Overrides:

dispose in class AbstractValidator

validate

public ValidationResult validate(X509Certificate[] certChain)

Performs validation of a provided certificate chain.

Specified by:

validate in interface X509CertChainValidator

Overrides:

validate in class AbstractValidator

Parameters:

certChain - to be validated

Returns:

result of validation