Class Summary

  BasicTrustEngine             A simple TrustEngine that does basic cert-path processing.
  CertChecker                  Abstract callback for checking each certificate in a cert path.
  OptimisticCRLChecker         A CertChecker that does simple processing of X.509 Certificate
                               Revocation Lists (CRLs).
  SSLServerSocketFactory       A concrete factory for SSLServerSocket implementations.
  SSLSocketFactory             A concrete factory for SSLSocket implementations.
  TrustEngine                  An abstraction of trust for X.509 certificate paths.

Exception Summary

  CertPathValidationException  Signals that a cert path was deemed invalid.
Provides configurable SSLSocket and SSLServerSocket factories. The two main classes are com.dstc.security.ssl.SSLSocketFactory and com.dstc.security.ssl.SSLServerSocketFactory, which are concrete implementations of the corresponding abstract classes in the javax.net.ssl package.
SSL clients, and SSL servers that request a client certificate (setNeedClientAuth(true)), need to validate X.509 certificate paths: the client validates the server's path on every connection, and a server that asks for client authentication validates the client's path. The validation logic is encapsulated in the TrustEngine abstract class, and one implementation is provided: BasicTrustEngine. Both SSLSocketFactory and SSLServerSocketFactory can accept a TrustEngine instance.
BasicTrustEngine accepts an optional callback that can be used to perform additional checks on each certificate in the path. The callback is defined by the CertChecker abstract class, and one implementation is provided: OptimisticCRLChecker.
For simple SSL clients, these customizations may be unnecessary, and a suitable factory can be obtained from the javax.net.ssl.SSLSocketFactory.getDefault() static method, which, when this implementation is configured as the default provider, essentially creates an instance via the no-argument constructor SSLSocketFactory.SSLSocketFactory().
On the other end of the scale, an SSL client that wants to perform CRL checking might do:

    import java.util.Collection;
    import com.dstc.security.ssl.OptimisticCRLChecker;
    import com.dstc.security.ssl.TrustEngine;
    import com.dstc.security.ssl.BasicTrustEngine;
    import com.dstc.security.ssl.SSLSocketFactory;

    Collection crls = ...;         // (OptimisticCRLChecker.getCRLs can load CRLs from an InputStream)
    Collection trustedCerts = ...; // (BasicTrustEngine.getCertificates can load certificates
                                   //  from an InputStream or from a KeyStore)
    TrustEngine trustEngine = new BasicTrustEngine(trustedCerts, new OptimisticCRLChecker(crls));
    return SSLSocketFactory.getInstance(null, null, null, trustEngine, null);

(A good SSL client should generally give an explicit value for the fifth parameter to getInstance, the list of cipher suites to enable, rather than relying on the default list chosen by SSLSocketFactory, as the example above does by passing null. An explicit list makes the set of enabled suites a deliberate choice of the application rather than of the library.)
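The following is an added example, not code from the JCSI package or its documentation. It fills in the two collections that the CRL-checking client above leaves as "..." using only standard JDK APIs (KeyStore and CertificateFactory), rejects a CRL that is stale or not signed by a trust anchor before handing it to OptimisticCRLChecker, and passes an explicit cipher-suite list as the note above recommends. Two things are assumed because the page does not state them: that the fifth parameter of getInstance is a String[] of standard suite names, and that the first three parameters may be null for a client that presents no certificate of its own.

```java
// Added example, not part of the JCSI package. Assumptions (not stated on the page):
// the fifth getInstance parameter is a String[] of standard suite names, and the
// first three may be null for a client that presents no certificate of its own.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;

import com.dstc.security.ssl.BasicTrustEngine;
import com.dstc.security.ssl.OptimisticCRLChecker;
import com.dstc.security.ssl.SSLSocketFactory;
import com.dstc.security.ssl.TrustEngine;

public class CrlCheckingClientFactory {

    // Trust anchors are taken from a JKS truststore. Only certificate entries count,
    // so a key entry in the same file is never promoted to an anchor by accident.
    static Collection loadTrustAnchors(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        Collection anchors = new ArrayList();
        for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
            String alias = (String) e.nextElement();
            if (ks.isCertificateEntry(alias)) anchors.add(ks.getCertificate(alias));
        }
        if (anchors.isEmpty()) throw new IllegalStateException("no trust anchors in " + path);
        return anchors;
    }

    // CRLs (DER or PEM) are parsed with the JDK CertificateFactory. A CRL whose
    // nextUpdate has passed, or whose signature does not verify against an anchor,
    // is rejected here rather than passed on: a stale or forged CRL would otherwise
    // hide revocations from whatever policy the checker applies.
    static Collection loadCrls(String[] paths, Collection anchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection crls = new ArrayList();
        Date now = new Date();
        for (int i = 0; i < paths.length; i++) {
            InputStream in = new FileInputStream(paths[i]);
            try {
                for (Iterator it = cf.generateCRLs(in).iterator(); it.hasNext();) {
                    X509CRL crl = (X509CRL) it.next();
                    if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
                        throw new IllegalStateException("stale CRL from " + crl.getIssuerDN());
                    }
                    verifySignedByAnchor(crl, anchors);
                    crls.add(crl);
                }
            } finally { in.close(); }
        }
        return crls;
    }

    // Only CRLs issued directly by a trust anchor are accepted here. A CRL from an
    // intermediate CA would need that CA's certificate resolved from the path first.
    static void verifySignedByAnchor(X509CRL crl, Collection anchors) throws Exception {
        for (Iterator it = anchors.iterator(); it.hasNext();) {
            X509Certificate anchor = (X509Certificate) it.next();
            if (anchor.getSubjectDN().equals(crl.getIssuerDN())) {
                crl.verify(anchor.getPublicKey());  // throws on a bad signature
                return;
            }
        }
        throw new IllegalStateException("CRL issuer is not a trust anchor: " + crl.getIssuerDN());
    }

    public static SSLSocketFactory create(String truststore, char[] password, String[] crlFiles)
            throws Exception {
        Collection anchors = loadTrustAnchors(truststore, password);
        Collection crls = loadCrls(crlFiles, anchors);
        TrustEngine trustEngine = new BasicTrustEngine(anchors, new OptimisticCRLChecker(crls));

        // Explicit suite list (assumed String[] of standard suite names) so the enabled
        // suites are the application's choice, not the factory's default. The first three
        // arguments are assumed to accept null for a client without its own key material.
        String[] suites = { "TLS_RSA_WITH_AES_128_CBC_SHA" };
        return SSLSocketFactory.getInstance(null, null, null, trustEngine, suites);
    }
}
```

The freshness and signature checks on each CRL are the caller's responsibility regardless of the checker's policy: a CRL that has passed its nextUpdate, or that was not signed by a CA the client trusts, carries no useful revocation information, and passing it through silently weakens the check the client set out to perform.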