org.glite.security.trustmanager
Class OpensslTrustmanager

java.lang.Object
  extended by org.glite.security.trustmanager.OpensslTrustmanager
All Implemented Interfaces:
javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager

public class OpensslTrustmanager
extends java.lang.Object
implements javax.net.ssl.X509TrustManager

Author:
Joni Hahkala

Constructor Summary
OpensslTrustmanager(java.lang.String dir, boolean crlRequired)
           
 
Method Summary
 void checkClientTrusted(java.security.cert.X509Certificate[] arg0, java.lang.String arg1)
           
 void checkServerTrusted(java.security.cert.X509Certificate[] arg0, java.lang.String arg1)
           
 void checkUpdate()
          Checks whether the trust anchors need updating and, if so, updates them.
 java.security.cert.X509Certificate[] getAcceptedIssuers()
           
static java.lang.String getOpenSSLCAHash(java.security.cert.X509Certificate cert)
          Generates the hex hash of the DN used by OpenSSL to name the CA certificate files.
static java.lang.String getOpenSSLCAHash(org.bouncycastle.asn1.x509.X509Name subject)
          Generates the hex hash of the DN used by OpenSSL to name the CA certificate files.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

OpensslTrustmanager

public OpensslTrustmanager(java.lang.String dir,
                           boolean crlRequired)
                    throws java.io.IOException,
                           java.security.cert.CertificateException,
                           java.text.ParseException,
                           java.security.NoSuchProviderException
Parameters:
dir - The trust anchor directory (often /etc/grid-security/certificates)
crlRequired - Whether the CRLs are required. If they are and the CRL is absent or expired, all certs from that CA are rejected.
Throws:
java.io.IOException - in case of a read error while reading the CA certs, CRLs or namespace files.
java.security.cert.CertificateException - in case there are problems handling the CA certs.
java.text.ParseException - in case there are problems parsing the namespace files.
java.security.NoSuchProviderException - in case the Bouncycastle provider is not found and initialization fails.
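The following is an added example, not code from the gLite trustmanager project, showing how the constructor above is typically used: the trust manager is built with crlRequired=true and handed to a JSSE SSLContext, and checkUpdate() is scheduled so that CRLs published after start-up are picked up. The directory path is the conventional one named in the constructor docs; the class name GridSslContextFactory, the hourly refresh interval and the logging are assumptions made for the illustration.

```java
// Added example (not part of the gLite trustmanager project): wiring
// OpensslTrustmanager into an SSLContext and refreshing its trust anchors.
import java.security.GeneralSecurityException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import org.glite.security.trustmanager.OpensslTrustmanager;

public class GridSslContextFactory {

    /**
     * Builds an SSLContext whose peer-certificate validation is delegated to
     * the given OpensslTrustmanager. The caller constructs it with
     * crlRequired=true so that a CA whose CRL is missing or expired has all of
     * its certificates rejected: connections fail closed instead of silently
     * skipping revocation checks.
     */
    public static SSLContext buildContext(OpensslTrustmanager tm)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key managers (client use without a client certificate) and the
        // platform default SecureRandom.
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /**
     * Periodically calls checkUpdate() so that new CA files and CRLs in the
     * trust directory are picked up. The hourly interval is an assumption, not
     * a project recommendation. Every Throwable is caught because an exception
     * escaping a scheduled task silently cancels all further runs.
     */
    public static ScheduledExecutorService scheduleRefresh(final OpensslTrustmanager tm) {
        ScheduledExecutorService exec = Executors.newSingleThreadScheduledExecutor();
        exec.scheduleAtFixedRate(new Runnable() {
            public void run() {
                try {
                    tm.checkUpdate();
                } catch (Throwable t) {
                    // Stale CRLs are a security event worth surfacing to operators.
                    System.err.println("trust anchor refresh failed: " + t);
                }
            }
        }, 1, 1, TimeUnit.HOURS);
        return exec;
    }

    public static void main(String[] args) throws Exception {
        String dir = args.length > 0 ? args[0] : "/etc/grid-security/certificates";
        // crlRequired=true: reject every certificate of a CA whose CRL is absent or expired.
        OpensslTrustmanager tm = new OpensslTrustmanager(dir, true);
        SSLSocketFactory factory = buildContext(tm).getSocketFactory();
        ScheduledExecutorService refresher = scheduleRefresh(tm);
        // factory.createSocket(host, port) now validates server chains against
        // the CA certificates and CRLs found in dir.
        refresher.shutdown();
    }
}
```

With crlRequired=true, an operator who forgets to fetch CRLs for one CA will see connections to that CA's servers fail rather than succeed without revocation checking, which is the behaviour the constructor documentation describes and the safer default for a grid service.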
Method Detail

checkClientTrusted

public void checkClientTrusted(java.security.cert.X509Certificate[] arg0,
                               java.lang.String arg1)
                        throws java.security.cert.CertificateException
Specified by:
checkClientTrusted in interface javax.net.ssl.X509TrustManager
Throws:
java.security.cert.CertificateException

checkServerTrusted

public void checkServerTrusted(java.security.cert.X509Certificate[] arg0,
                               java.lang.String arg1)
                        throws java.security.cert.CertificateException
Specified by:
checkServerTrusted in interface javax.net.ssl.X509TrustManager
Throws:
java.security.cert.CertificateException

getAcceptedIssuers

public java.security.cert.X509Certificate[] getAcceptedIssuers()
Specified by:
getAcceptedIssuers in interface javax.net.ssl.X509TrustManager

getOpenSSLCAHash

public static java.lang.String getOpenSSLCAHash(org.bouncycastle.asn1.x509.X509Name subject)
Generates the hex hash of the DN used by OpenSSL to name the CA certificate files. The hash is actually the hex of the 8 least significant bytes of an MD5 digest of the ASN.1 encoded DN.

Parameters:
subject - the DN to hash.
Returns:
the 8 character string of the hexadecimal hash.

checkUpdate

public void checkUpdate()
                 throws java.io.IOException,
                        java.security.cert.CertificateException,
                        java.text.ParseException
Checks whether the trust anchors need updating and, if so, updates them.

Throws:
java.io.IOException - thrown in case reading a file fails.
java.security.cert.CertificateException - thrown if there are problems with the certificates.
java.text.ParseException - thrown in case there are problems parsing the certificates, CRLs or namespaces.

getOpenSSLCAHash

public static java.lang.String getOpenSSLCAHash(java.security.cert.X509Certificate cert)
Generates the hex hash of the DN used by OpenSSL to name the CA certificate files. The hash is actually the hex of the 8 least significant bytes of an MD5 digest of the ASN.1 encoded DN.

Parameters:
cert - the certificate from which the subject DN is taken and hashed.
Returns:
the 8 character string of the hexadecimal hash.
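The following is an added example, not code from the gLite trustmanager project, covering both getOpenSSLCAHash overloads above and the crlRequired parameter of the constructor. It computes the OpenSSL subject hash independently (MD5 over the DER-encoded subject name, first four digest bytes read as a little-endian integer, printed as eight hex digits, which is OpenSSL's old-style X509_NAME_hash) and then audits a trust directory: for each accepted CA it reports whether the `<hash>.0` certificate file and `<hash>.r0` CRL file exist, so an operator can see which CAs would be rejected wholesale once crlRequired=true is enabled. The `.0`/`.r0` names follow OpenSSL's c_rehash convention; the class name TrustDirAudit, the method names and the report format are assumptions.

```java
// Added example (not part of the gLite trustmanager project): reference
// computation of the OpenSSL CA file hash plus an audit of a trust directory.
import java.io.File;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.glite.security.trustmanager.OpensslTrustmanager;

public class TrustDirAudit {

    /**
     * OpenSSL's old-style subject hash: MD5 over the DER-encoded subject name,
     * the first four digest bytes read as a little-endian 32-bit integer and
     * printed as eight lower-case hex digits. This is the computation the
     * getOpenSSLCAHash documentation describes; audit() cross-checks the two
     * rather than assuming they always agree.
     */
    public static String opensslSubjectHash(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] der = cert.getSubjectX500Principal().getEncoded();
        byte[] md = MessageDigest.getInstance("MD5").digest(der);
        long h = (md[0] & 0xFFL)
               | ((md[1] & 0xFFL) << 8)
               | ((md[2] & 0xFFL) << 16)
               | ((md[3] & 0xFFL) << 24);
        return String.format("%08x", h);
    }

    /**
     * One report line per accepted CA: the hash, whether <hash>.0 and <hash>.r0
     * exist in dir, whether the library hash matches the reference one, and the
     * subject DN. Built with crlRequired=false so that CAs lacking a CRL are
     * still loaded and therefore show up in the report.
     */
    public static List<String> audit(String dir) throws Exception {
        OpensslTrustmanager tm = new OpensslTrustmanager(dir, false);
        List<String> report = new ArrayList<String>();
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            String hash = OpensslTrustmanager.getOpenSSLCAHash(ca);
            boolean certFile = new File(dir, hash + ".0").isFile();
            boolean crlFile = new File(dir, hash + ".r0").isFile();
            boolean agree = hash.equals(opensslSubjectHash(ca));
            report.add(String.format("%s cert=%b crl=%b hashMatch=%b %s",
                    hash, certFile, crlFile, agree,
                    ca.getSubjectX500Principal().getName()));
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        String dir = args.length > 0 ? args[0] : "/etc/grid-security/certificates";
        for (String line : audit(dir)) {
            System.out.println(line);
        }
    }
}
```

Two caveats when reading the report. First, MD5 here is only a file-naming convention, not a trust decision: if two subject DNs collide, OpenSSL simply uses the `.1`, `.2`, ... suffixes, so a CA reported with `cert=false` may still be present under a higher suffix. Second, a line with `crl=false` identifies exactly the CA whose certificates would all be rejected under crlRequired=true, which is the condition to fix (by fetching the CRL) before switching the flag on in production.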