eu.emi.security.authn.x509.helpers.crl

Class PlainCRLStoreSpi

java.lang.Object

java.security.cert.CertStoreSpi

eu.emi.security.authn.x509.helpers.crl.AbstractCRLStoreSPI

eu.emi.security.authn.x509.helpers.crl.PlainCRLStoreSpi

Direct Known Subclasses:

OpensslCRLStoreSpi

public class PlainCRLStoreSpi
extends AbstractCRLStoreSPI

Handles an in-memory CRL store.

CRLs may be provided as URLs or local files. If the CRL is provided as a local file (i.e. is not an absolute URL) then it can contain wildcard characters ('*', '?'). In case of wildcard locations, the actual file list is regenerated on each update.

All CRLs are loaded and parsed to establish CA->CRL mapping. This mapping is updated after the updateInterval time is passed.

Faulty CRL locations together with the respective errors can be obtained by using a listener.

It is possible to pass more then one location of CRLs of the same CA.

The class is implemented in an asynchronous mode: CRLs are resolved on regular intervals (or only once on startup). The CRL searching is independent of the updates. It can block to download, read and subsequently parse a CRL if it is not present in the in-memory cache.

CRLs downloaded from a remote URL (http or ftp) can be cached on a local disk. If the update task can not download the CRL which was previously cached on disk, then the version from disk is returned.

This class is thread safe.

Nested Class Summary

Nested Classes

Modifier and Type

Class and Description

private static class

PlainCRLStoreSpi.CRLAsyncUpdateTask This class follows a quite advanced but important pattern: - it is static so there is no hidden reference from it to the wrapping class - instead it has a weak reference to the wrapping object - when the weak reference is nullified, it means that the wrapping object was discarded by the GC and is no more usable: in this case the update task is automatically stopped.

Field Summary

Fields

Modifier and Type	Field and Description
private java.util.Map<javax.security.auth.x500.X500Principal,java.util.Set<java.net.URL>>	ca2location
private java.lang.Object	intervalLock
private java.util.Map<java.net.URL,java.lang.ref.SoftReference<java.security.cert.X509CRL>>	loadedCRLs
private java.util.Timer	timer
private PlainStoreUtils	utils

Fields inherited from class eu.emi.security.authn.x509.helpers.crl.AbstractCRLStoreSPI

factory, observers, params, updateInterval

Constructor Summary

Constructors

Constructor and Description
PlainCRLStoreSpi(CRLParameters params, java.util.Timer t, ObserversHandler observers) Creates a new CRL store.

Method Summary

Modifier and Type	Method and Description
protected void	addCRL(java.security.cert.X509CRL crl, java.net.URL location)
void	dispose() After calling this method no notification will be produced and subsequent updates won't be scheduled.
protected java.util.Collection<java.security.cert.X509CRL>	getCRLForIssuer(javax.security.auth.x500.X500Principal issuer)
protected java.util.Collection<java.security.cert.X509CRL>	getCRLWithMatcher(java.security.cert.CRLSelector selectorRaw)
java.util.List<java.lang.String>	getLocations()
private java.security.cert.X509CRL	getOrLoadCRL(java.net.URL location)
long	getUpdateInterval()
protected java.security.cert.X509CRL	loadCRL(java.net.URL url)
private java.security.cert.X509CRL	loadCrlWrapper(java.io.InputStream is) Wrapper as BC provider in some cases returns null instead of exception when there are problems.
protected java.security.cert.X509CRL	reloadCRL(java.net.URL location)
private void	reloadCRLs(java.util.Collection<java.net.URL> locations) For all URLs tries to load a CRL
private void	removeStaleIssuerMapping() Removes those mappings which are for the not known locations.
private void	scheduleUpdate()
void	setUpdateInterval(long newInterval)
void	start() Initiates the store operation (the initial update and subsequent refreshes)
private void	update() 1.

Methods inherited from class eu.emi.security.authn.x509.helpers.crl.AbstractCRLStoreSPI

engineGetCertificates, engineGetCRLs, notifyObservers

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

utils

private final PlainStoreUtils utils

timer

private java.util.Timer timer

intervalLock

private java.lang.Object intervalLock

ca2location

private java.util.Map<javax.security.auth.x500.X500Principal,java.util.Set<java.net.URL>> ca2location

loadedCRLs

private java.util.Map<java.net.URL,java.lang.ref.SoftReference<java.security.cert.X509CRL>> loadedCRLs

Constructor Detail

PlainCRLStoreSpi

public PlainCRLStoreSpi(CRLParameters params,
                        java.util.Timer t,
                        ObserversHandler observers)
                 throws java.security.InvalidAlgorithmParameterException

Creates a new CRL store. The store will be empty until the start() method is called.

Parameters:

params - CRL parameters

t - timer

observers - observers handler

Throws:

java.security.InvalidAlgorithmParameterException - invalid algorithm parameter exception

Method Detail

start

public void start()

Initiates the store operation (the initial update and subsequent refreshes)

loadCRL

protected java.security.cert.X509CRL loadCRL(java.net.URL url)
                                      throws java.io.IOException,
                                             java.security.cert.CRLException,
                                             java.net.URISyntaxException

Throws:

java.io.IOException

java.security.cert.CRLException

java.net.URISyntaxException

loadCrlWrapper

private java.security.cert.X509CRL loadCrlWrapper(java.io.InputStream is)
                                           throws java.io.IOException,
                                                  java.security.cert.CRLException

Wrapper as BC provider in some cases returns null instead of exception when there are problems.

Parameters:

is - input stream

Returns:

generated CRL

Throws:

java.io.IOException - IO exception

java.security.cert.CRLException - CRL exception

getLocations

public java.util.List<java.lang.String> getLocations()

setUpdateInterval

public void setUpdateInterval(long newInterval)

Specified by:

setUpdateInterval in class AbstractCRLStoreSPI

getUpdateInterval

public long getUpdateInterval()

removeStaleIssuerMapping

private void removeStaleIssuerMapping()

Removes those mappings which are for the not known locations. Happens when a file was removed from a wildcard listing.

reloadCRLs

private void reloadCRLs(java.util.Collection<java.net.URL> locations)

For all URLs tries to load a CRL

reloadCRL

protected java.security.cert.X509CRL reloadCRL(java.net.URL location)

addCRL

protected void addCRL(java.security.cert.X509CRL crl,
                      java.net.URL location)

update

private void update()

1. work only if updateNeeded() 2. for all wildcards refresh file lists 3. remove the locations not valid anymore 4. for all location URLs try to get the CRL 5. update timestamp 6. schedule the next update if enabled

scheduleUpdate

private void scheduleUpdate()

getOrLoadCRL

private java.security.cert.X509CRL getOrLoadCRL(java.net.URL location)

getCRLForIssuer

protected java.util.Collection<java.security.cert.X509CRL> getCRLForIssuer(javax.security.auth.x500.X500Principal issuer)

Specified by:

getCRLForIssuer in class AbstractCRLStoreSPI

getCRLWithMatcher

protected java.util.Collection<java.security.cert.X509CRL> getCRLWithMatcher(java.security.cert.CRLSelector selectorRaw)

Specified by:

getCRLWithMatcher in class AbstractCRLStoreSPI

dispose

public void dispose()

After calling this method no notification will be produced and subsequent updates won't be scheduled. However one next update may be run.

Specified by:

dispose in class AbstractCRLStoreSPI