org.glite.security.trustmanager
Class OpensslCertPathValidator

java.lang.Object
  org.glite.security.trustmanager.OpensslCertPathValidator

public class OpensslCertPathValidator
OpensslCertPathValidator validates certificate paths. A certificate path is an array of certificates where the first certificate is signed by the public key of the second, the second certificate is signed by the public key of the third, and so on. The certificate path may or may not contain a certificate authority (CA) certificate as its last element. If the path ends in a CA certificate, the CA certificate is ignored. To validate the last non-CA certificate, the trust anchors given in the constructor are searched, and if a CA that issued the certificate is found, the non-CA certificate is checked against that CA certificate. The last non-CA certificate is also checked against the optional certificate revocation lists (CRLs) given in the setCRLs method. If all the certificates in the array are valid and there is a CA that signed the last non-CA certificate, the path is valid. The certificates have to be arranged in the correct order: index 0 is the actual end certificate, followed by 0 or more intermediate certificates. The last item in the array can be the end certificate if it is signed by a CA, an intermediate certificate that is signed by a CA, or a CA certificate, which is ignored so that the previous certificate is used as the last of the array. Notice: a certificate path consisting of only a CA certificate is considered an invalid certificate path. The certificates are also checked for:
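The ordering and trust-anchor rules in the description above, modelled as an added example that is not part of the gLite trustmanager code. Certificates are plain records and the "signature" is an HMAC keyed with the issuer's pubkey string, a constructed stand-in for X.509 signing so the script runs offline; what it demonstrates is the index-0-is-end-certificate ordering, the ignored trailing CA certificate, the invalid CA-only path, anchor lookup by issuer, the CRL check applied only to the last non-CA certificate, and the crlRequired behaviour. All names, keys and sample certificates are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ToyCert:
    subject: str
    issuer: str
    pubkey: str        # constructed: a key id that doubles as the HMAC secret (not real X.509)
    serial: int
    not_before: int    # toy time units, not real dates
    not_after: int
    signature: str = ""


def _tbs(cert: ToyCert) -> bytes:
    """The to-be-signed bytes: every field except the signature itself."""
    return (f"{cert.subject}|{cert.issuer}|{cert.pubkey}|{cert.serial}|"
            f"{cert.not_before}|{cert.not_after}").encode()


def toy_sign(cert: ToyCert, signer_key: str) -> ToyCert:
    """Attach a toy signature made with the signer's key (stand-in for a CA signing a cert)."""
    sig = hmac.new(signer_key.encode(), _tbs(cert), hashlib.sha256).hexdigest()
    return replace(cert, signature=sig)


def verify_signature(sub: ToyCert, signer: ToyCert) -> bool:
    """Models checkSignature: does sub's signature verify under the signer's key?"""
    expected = hmac.new(signer.pubkey.encode(), _tbs(sub), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sub.signature)


def is_self_signed(cert: ToyCert) -> bool:
    return cert.subject == cert.issuer and verify_signature(cert, cert)


def validate_path(inpath: List[ToyCert], anchors: Dict[str, ToyCert],
                  crls: Dict[str, Set[int]], now: int,
                  crl_required: bool = False) -> Tuple[bool, str, List[str]]:
    """Apply the class-comment rules to an ordered path (index 0 = end certificate).

    anchors: trusted CA certs keyed by subject; crls: revoked serials keyed by CA subject.
    Returns (ok, reason, subjects of the validated chain including the anchor).
    """
    path = list(inpath)
    # A trailing CA certificate is ignored; the certificate before it becomes the last one.
    if path and is_self_signed(path[-1]):
        path = path[:-1]
    # A path consisting only of a CA certificate is invalid.
    if not path:
        return False, "path contains only a CA certificate", []
    # Every certificate must be valid now (models checkValidity).
    for cert in path:
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject} is not valid at time {now}", []
    # Each certificate must be issued and signed by the next one (models checkCertificatePair).
    for sub, signer in zip(path, path[1:]):
        if sub.issuer != signer.subject:
            return False, f"{sub.subject} is not issued by {signer.subject}", []
        if not verify_signature(sub, signer):
            return False, f"signature on {sub.subject} does not verify under {signer.subject}", []
    # The last non-CA certificate must be issued by a trust anchor (models findAddParent).
    last = path[-1]
    anchor = anchors.get(last.issuer)
    if anchor is None or not verify_signature(last, anchor):
        return False, f"no trust anchor issued {last.subject}", []
    # Only the last non-CA certificate is checked against that CA's CRL (models checkAnchorAndCert).
    revoked = crls.get(anchor.subject)
    if revoked is None:
        if crl_required:
            return False, f"no CRL available for CA {anchor.subject}", []
    elif last.serial in revoked:
        return False, f"{last.subject} (serial {last.serial}) is revoked by {anchor.subject}", []
    return True, "ok", [c.subject for c in path] + [anchor.subject]


def build_fixtures():
    """Constructed sample PKI: a root anchor, an intermediate, a good end cert and a revoked one."""
    root = toy_sign(ToyCert("CN=Toy Root CA", "CN=Toy Root CA", "root-key", 1, 0, 1000), "root-key")
    inter = toy_sign(ToyCert("CN=Toy Intermediate CA", "CN=Toy Root CA", "int-key", 2, 0, 1000), "root-key")
    alice = toy_sign(ToyCert("CN=alice", "CN=Toy Intermediate CA", "alice-key", 3, 0, 1000), "int-key")
    bob = toy_sign(ToyCert("CN=bob", "CN=Toy Root CA", "bob-key", 4, 0, 1000), "root-key")
    anchors = {root.subject: root}
    crls = {root.subject: {4}}   # the root CA has revoked bob's serial
    return {"root": root, "inter": inter, "alice": alice, "bob": bob}, anchors, crls


if __name__ == "__main__":
    certs, anchors, crls = build_fixtures()
    cases = {
        "alice via intermediate": [certs["alice"], certs["inter"]],
        "same path with trailing CA": [certs["alice"], certs["inter"], certs["root"]],
        "CA certificate only": [certs["root"]],
        "wrong order": [certs["inter"], certs["alice"]],
        "revoked end certificate": [certs["bob"]],
        "alice without the intermediate": [certs["alice"]],
    }
    for name, path in cases.items():
        print(name, "->", validate_path(path, anchors, crls, now=100))
```

Note that the revocation check is deliberately applied to the last non-CA certificate only, exactly as the description states; a validator that also needs revocation status for the end certificate behind an intermediate would have to consult the intermediate's CRL as well.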
Constructor Summary

OpensslCertPathValidator(java.lang.String trustPath, boolean crlRequired)
    Creates a new instance of MyCertPathValidator
Method Summary

java.util.Vector<java.security.cert.X509Certificate> buildPath(java.security.cert.X509Certificate[] inpath)
    Constructs the CA path of the given cert chain.

void check(java.security.cert.X509Certificate[] inpath)
    Checks that a certificate path is valid.

CertPathValidatorState checkAnchorAndCert(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate caCert, CertPathValidatorState state, boolean firstAnchor)
    Does the same checks as checkCertificatePair and in addition checks that the sub is not listed in the possible CRL issued by the CA represented by the anchor.

CertPathValidatorState checkCertificatePair(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, CertPathValidatorState state)
    Checks that the sub certificate is signed and issued by signer.

void checkDNRestriction(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, int proxyType)
    Checks that the subject DN starts with the DN parts of the signer.

void checkSignature(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer)
    Checks that the sub certificate is signed by the signer.

void checkUpdate()
    Checks whether any trust anchor information has been updated on disk and reloads it if it has.

void checkValidity(java.security.cert.X509Certificate cert)
    Checks that the certificate is valid now and throws the corresponding exception in case it isn't.

boolean findAddParent(java.util.Vector<java.security.cert.X509Certificate> inpath)
    Searches for a parent CA from trustAnchors and adds the cert to the cert chain.

java.security.cert.X509Certificate[] getCACerts()
    Returns an array of accepted CA certificates.
Methods inherited from class java.lang.Object
    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public OpensslCertPathValidator(java.lang.String trustPath, boolean crlRequired) throws java.security.cert.CertificateException, java.security.NoSuchProviderException, java.io.IOException, java.text.ParseException
    Creates a new instance of MyCertPathValidator.
    Parameters:
        trustPath - A vector of TrustAnchors (Certificate Authority certificates with additional info and wrapping) that are considered trusted.
        crlRequired - true if CRLs are required for each CA for them to be used in the certificate path checking.
    Throws:
        java.security.cert.CertificateException - in case CA certificate loading fails.
        java.security.NoSuchProviderException - in case the bouncycastle provider is not found.
        java.io.IOException - in case CA, CRL or namespace file reading fails.
        java.text.ParseException - in case the reading of namespace files fails.

Method Detail
public boolean findAddParent(java.util.Vector<java.security.cert.X509Certificate> inpath)
    Searches for a parent CA from trustAnchors and adds the cert to the cert chain.
    Parameters:
        inpath - The input path.

public java.util.Vector<java.security.cert.X509Certificate> buildPath(java.security.cert.X509Certificate[] inpath) throws java.security.cert.CertPathValidatorException, java.security.cert.CertificateException
    Constructs the CA path of the given cert chain.
    Parameters:
        inpath - The certificate chain to start with.
    Throws:
        java.security.cert.CertPathValidatorException - Thrown in case the certificate chain building fails, for example if there is no valid trust anchor for the chain.
        java.security.cert.CertificateException - In case certificate handling fails, e.g. in case of corrupted certs.

public void check(java.security.cert.X509Certificate[] inpath) throws java.security.cert.CertPathValidatorException, java.security.cert.CertificateException
    Checks that a certificate path is valid.
    Parameters:
        inpath - The certificate path to check.
    Throws:
        java.security.cert.CertPathValidatorException - Thrown if there was a problem linking two certificates.
        java.security.cert.CertificateException - Thrown if there was a problem with a single certificate.

public void checkValidity(java.security.cert.X509Certificate cert) throws java.security.cert.CertificateExpiredException, java.security.cert.CertificateNotYetValidException
    Checks that the certificate is valid now and throws the corresponding exception in case it isn't.
    Parameters:
        cert - The certificate to check.
    Throws:
        java.security.cert.CertificateExpiredException
        java.security.cert.CertificateNotYetValidException

public void checkSignature(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer) throws java.security.cert.CertPathValidatorException, java.security.cert.CertificateException
    Checks that the sub certificate is signed by the signer.
    Parameters:
        sub - The sub certificate, the certificate appearing before signer in the certificate path array.
        signer - The signer certificate, the certificate appearing after the sub in the certificate path array.
    Throws:
        java.security.cert.CertPathValidatorException - Thrown if the signature checking fails.
        java.security.cert.CertificateException - Thrown if a problem occurs when accessing either certificate.

public CertPathValidatorState checkCertificatePair(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, CertPathValidatorState state) throws java.security.cert.CertPathValidatorException, java.security.cert.CertificateException
    Checks that the sub certificate is signed and issued by signer.
    Parameters:
        sub - the sub certificate.
        signer - the signer certificate. The certificate for the issuer of the sub certificate.
        state - the state for this certificate pair checking from the previous round.
    Throws:
        java.security.cert.CertPathValidatorException - Thrown if the signature in sub is invalid or the certificate is not issued by signer.
        java.security.cert.CertificateException - Thrown if there is a problem accessing data from either of the certificates.

public CertPathValidatorState checkAnchorAndCert(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate caCert, CertPathValidatorState state, boolean firstAnchor) throws java.security.cert.CertPathValidatorException, java.security.cert.CertificateException, java.security.cert.CRLException
    Does the same checks as checkCertificatePair and in addition checks that the sub is not listed in the possible CRL issued by the CA represented by the anchor.
    Parameters:
        sub - The sub certificate to check.
        caCert - The CA cert to check against.
        state - The state from the possible previous steps.
        firstAnchor - The flag for the first anchor in the chain. The anchor must be found, otherwise checking fails.
    Throws:
        java.security.cert.CertPathValidatorException - Thrown if the sub certificate is not issued by the anchor, is revoked, or the signature in sub is invalid.
        java.security.cert.CertificateException - Thrown if there is a problem accessing the data from the certificate or the trust anchor.
        java.security.cert.CRLException - In case the CRL parsing or usage fails.

public java.security.cert.X509Certificate[] getCACerts()
    Returns an array of accepted CA certificates.

public void checkDNRestriction(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, int proxyType) throws java.security.cert.CertificateException
    Checks that the subject DN starts with the DN parts of the signer.
    Parameters:
        sub - The certificate to check.
        signer - The signer cert to take the DN from for the checking.
        proxyType - The type of this proxy.
    Throws:
        java.security.cert.CertificateException - Thrown in case there are problems in handling the certificates.
    See Also:
        ProxyCertificateInfo

public void checkUpdate() throws java.io.IOException, java.security.cert.CertificateException, java.text.ParseException
    Checks whether any trust anchor information has been updated on disk and reloads it if it has.
    Throws:
        java.io.IOException - In case there is an unrecoverable trust info reading failure during update.
        java.security.cert.CertificateException - In case there is an unrecoverable certificate parsing or handling problem during update.
        java.text.ParseException - In case there is an unrecoverable CRL or namespace parsing error during update.