eu.emi.security.authn.x509.helpers.trust

Class LazyOpensslTrustAnchorStoreImpl

java.lang.Object

eu.emi.security.authn.x509.helpers.trust.AbstractTrustAnchorStore

eu.emi.security.authn.x509.helpers.trust.LazyOpensslTrustAnchorStoreImpl

All Implemented Interfaces:

OpensslTrustAnchorStore, TrustAnchorStore

public class LazyOpensslTrustAnchorStoreImpl
extends AbstractTrustAnchorStore
implements OpensslTrustAnchorStore

Implementation of the truststore which uses CA certificates from a single directory in OpenSSL format. Each certificate should be stored in a file named HASH.NUM, where HASH is an 8 digit hex number. The NUM must be a number, starting from 0. The hash can be either of openssl pre 1.0.0 version (with 8 least significant digits of the MD5 hash of the certificate subject in DER format) or in openssl 1.0.0 and above format (SHA1 hash of specially normalized DN). The class is configured to use one or another, never both.

This class (contrary to the OpensslTrustAnchorStoreImpl) doesn't extend DirectoryTrustAnchorStore and therefore certificates (and all corresponding files) are not loaded at startup and kept in memory. The files are loaded on-demand and are only cached in memory for no longer then the updateInterval is.

Field Summary

Fields

Modifier and Type	Field and Description
private java.io.File	baseDirectory
protected CachedElement<java.util.Set<TrustAnchorExt>>	cachedAnchors
protected java.util.Map<javax.security.auth.x500.X500Principal,CachedElement<java.util.Set<TrustAnchorExt>>>	cachedAnchorsPerIssuer
static java.lang.String	CERTS_REGEXP
private NamespacesStore	globusNsStore
private boolean	openssl1Mode
private NamespacesStore	pmaNsStore

Fields inherited from class eu.emi.security.authn.x509.helpers.trust.AbstractTrustAnchorStore

observers

Fields inherited from interface eu.emi.security.authn.x509.helpers.trust.OpensslTrustAnchorStore

CERT_WILDCARD

Constructor Summary

Constructors

Constructor and Description
LazyOpensslTrustAnchorStoreImpl(java.lang.String basePath, long updateInterval, ObserversHandler observers, boolean openssl1Mode)

Method Summary

Modifier and Type	Method and Description
void	dispose()
NamespacesStore	getGlobusNsStore()
NamespacesStore	getPmaNsStore()
java.util.Set<java.security.cert.TrustAnchor>	getTrustAnchors()
java.util.Set<java.security.cert.TrustAnchor>	getTrustAnchorsFor(java.security.cert.X509Certificate[] certChain) Algorithm is as follows: for each certificate subject in chain, and for the issuer of the last certificate in chain, it is tried to load a trust anchor defined for such subject.
java.security.cert.X509Certificate[]	getTrustedCertificates()
private java.util.Set<TrustAnchorExt>	loadTrustAnchors()
protected void	tryLoadCert(java.io.File file, java.util.Set<TrustAnchorExt> set)
protected java.security.cert.X509Certificate	tryLoadCertInternal(java.io.File file)
private void	tryLoadTAFor(javax.security.auth.x500.X500Principal issuer, java.util.Set<TrustAnchorExt> ret)

Methods inherited from class eu.emi.security.authn.x509.helpers.trust.AbstractTrustAnchorStore

checkValidity, getUpdateInterval, setUpdateInterval

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface eu.emi.security.authn.x509.helpers.trust.TrustAnchorStore

getUpdateInterval, setUpdateInterval

Field Detail

CERTS_REGEXP

public static final java.lang.String CERTS_REGEXP

See Also:

Constant Field Values

cachedAnchors

protected CachedElement<java.util.Set<TrustAnchorExt>> cachedAnchors

cachedAnchorsPerIssuer

protected java.util.Map<javax.security.auth.x500.X500Principal,CachedElement<java.util.Set<TrustAnchorExt>>> cachedAnchorsPerIssuer

openssl1Mode

private boolean openssl1Mode

pmaNsStore

private NamespacesStore pmaNsStore

globusNsStore

private NamespacesStore globusNsStore

baseDirectory

private java.io.File baseDirectory

Constructor Detail

LazyOpensslTrustAnchorStoreImpl

public LazyOpensslTrustAnchorStoreImpl(java.lang.String basePath,
                                       long updateInterval,
                                       ObserversHandler observers,
                                       boolean openssl1Mode)

Method Detail

tryLoadCertInternal

protected java.security.cert.X509Certificate tryLoadCertInternal(java.io.File file)

tryLoadCert

protected void tryLoadCert(java.io.File file,
                           java.util.Set<TrustAnchorExt> set)

getPmaNsStore

public NamespacesStore getPmaNsStore()

Specified by:

getPmaNsStore in interface OpensslTrustAnchorStore

getGlobusNsStore

public NamespacesStore getGlobusNsStore()

Specified by:

getGlobusNsStore in interface OpensslTrustAnchorStore

loadTrustAnchors

private java.util.Set<TrustAnchorExt> loadTrustAnchors()

getTrustAnchors

public java.util.Set<java.security.cert.TrustAnchor> getTrustAnchors()

Specified by:

getTrustAnchors in interface TrustAnchorStore

getTrustedCertificates

public java.security.cert.X509Certificate[] getTrustedCertificates()

Specified by:

getTrustedCertificates in interface TrustAnchorStore

dispose

public void dispose()

Specified by:

dispose in interface TrustAnchorStore

getTrustAnchorsFor

public java.util.Set<java.security.cert.TrustAnchor> getTrustAnchorsFor(java.security.cert.X509Certificate[] certChain)

Algorithm is as follows: for each certificate subject in chain, and for the issuer of the last certificate in chain, it is tried to load a trust anchor defined for such subject. If successful then also it is tried recursively to load all parent trust anchors for the loaded one.

Parameters:

certChain - certificate chain

Returns:

set of trust anchors for a given certificate chain

tryLoadTAFor

private void tryLoadTAFor(javax.security.auth.x500.X500Principal issuer,
                          java.util.Set<TrustAnchorExt> ret)