com.dstc.security.ssl
Class BasicTrustEngine

java.lang.Object
  |
  +--com.dstc.security.ssl.TrustEngine
        |
        +--com.dstc.security.ssl.BasicTrustEngine

public class BasicTrustEngine
extends TrustEngine

A simple TrustEngine that does basic cert-path processing. It has an optional certificate-checking callback that can be used, for instance, to implement X.509 CRLs or (potentially) OCSP.

See Also:
OptimisticCRLChecker

Constructor Summary
BasicTrustEngine(Collection trustedCerts)
          Create a BasicTrustEngine with a collection of trusted certificates.
BasicTrustEngine(Collection trustedCerts, CertChecker checker)
          Create a BasicTrustEngine with a collection of trusted certificates and a certificate-checking callback.
BasicTrustEngine(X509Certificate[] trustedCerts)
          Create a BasicTrustEngine with an array of trusted certificates.
BasicTrustEngine(X509Certificate[] trustedCerts, CertChecker checker)
          Create a BasicTrustEngine with an array of trusted certificates and a certificate-checking callback.
 
Method Summary
static Collection getCertificates(InputStream in)
          Convenience method to get all X.509 certificates from an InputStream.
static Collection getCertificates(KeyStore certStore)
          Convenience method to get all the X.509 certificates from a KeyStore, using KeyStore.getCertificate(String).
static BasicTrustEngine getDefault()
          Attempts to create a default TrustEngine.
 Iterator getTrustedCerts()
          Get the list of trusted certificates used by this TrustEngine.
 void validateCertPath(X509Certificate[] path)
          Validate a candidate certificate path against this TrustEngine.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

BasicTrustEngine

public BasicTrustEngine(Collection trustedCerts)
Create a BasicTrustEngine with a collection of trusted certificates. The optional callback is not used.
Parameters:
trustedCerts - a collection of trusted certificates.

BasicTrustEngine

public BasicTrustEngine(Collection trustedCerts,
                        CertChecker checker)
Create a BasicTrustEngine with a collection of trusted certificates and a certificate-checking callback.
Parameters:
trustedCerts - a collection of trusted certificates.
checker - a certificate-checking callback, or null.

BasicTrustEngine

public BasicTrustEngine(X509Certificate[] trustedCerts)
Create a BasicTrustEngine with an array of trusted certificates. The optional callback is not used.
Parameters:
trustedCerts - an array of trusted certificates.

BasicTrustEngine

public BasicTrustEngine(X509Certificate[] trustedCerts,
                        CertChecker checker)
Create a BasicTrustEngine with an array of trusted certificates and a certificate-checking callback.
Parameters:
trustedCerts - an array of trusted certificates.
checker - a certificate-checking callback, or null.

Method Detail

getDefault

public static BasicTrustEngine getDefault()
                                   throws KeyStoreException,
                                          IOException,
                                          NoSuchAlgorithmException,
                                          CertificateException
Attempts to create a default TrustEngine. This method looks for a jre/lib/security/cacerts file, treats the file as a KeyStore of the default type, uses getCertificates(KeyStore) to read the X.509 certificates from the store, and constructs a BasicTrustEngine using the resulting certificates.

Returns:
a BasicTrustEngine using the X.509 certificates from the "cacerts" KeyStore
Throws:
KeyStoreException - if the default keystore type is not available (!)
IOException - if the jre/lib/security/cacerts file could not be opened or read
NoSuchAlgorithmException - if the algorithm to check the integrity of the keystore cannot be found
CertificateException - if any of the certificates in the keystore could not be loaded
See Also:
KeyStore
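
The lookup described above, re-created with standard JDK classes only, as an added example (not the DSTC implementation). The names DefaultAnchors, cacertsFile, loadStore and x509Certificates are hypothetical, and the example assumes java.home points at the JRE directory. It also shows a detail the description leaves implicit: KeyStore.load skips the integrity check when no password is given.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

// Added illustration; class and method names are hypothetical.
public class DefaultAnchors {

    // Assumption: java.home is the JRE directory, giving jre/lib/security/cacerts.
    static File cacertsFile() {
        return new File(new File(System.getProperty("java.home"), "lib/security"), "cacerts");
    }

    // Load the file as a KeyStore of the default type. With a null password
    // the store is loaded without any integrity check, so a tampered trust
    // store would be accepted silently; supply the store password to verify it.
    static KeyStore loadStore(File f, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(f)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Collect every X.509 certificate reachable through KeyStore.getCertificate(String).
    // For a key entry this call returns the first certificate of its chain, so a
    // store that also holds private keys contributes those certificates as well.
    static List<X509Certificate> x509Certificates(KeyStore ks) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {   // skips null and non-X.509 entries
                out.add((X509Certificate) c);
            }
        }
        return Collections.unmodifiableList(out);
    }

    public static void main(String[] args) throws Exception {
        char[] password = args.length > 0 ? args[0].toCharArray() : null;
        List<X509Certificate> anchors = x509Certificates(loadStore(cacertsFile(), password));
        System.out.println(anchors.size() + " X.509 certificates; "
                + (password == null ? "no password, integrity not checked" : "password supplied"));
        for (X509Certificate c : anchors) {
            System.out.println(c.getSubjectX500Principal().getName() + " expires " + c.getNotAfter());
        }
    }
}
```

Run it with the store password as the first argument to have the keystore verified on load; the printed list is the set of certificates a trust engine built this way would treat as trusted.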

getCertificates

public static Collection getCertificates(KeyStore certStore)
                                  throws KeyStoreException
Convenience method to get all the X.509 certificates from a KeyStore, using KeyStore.getCertificate(String).

Parameters:
certStore - the KeyStore from which to extract certificates
Returns:
a Collection containing all X.509 certificates that were read from the KeyStore
Throws:
KeyStoreException - if the keystore has not been initialized

getCertificates

public static Collection getCertificates(InputStream in)
                                  throws CertificateException,
                                         IOException
Convenience method to get all X.509 certificates from an InputStream. The stream is assumed to be in a format suitable for CertificateFactory.generateCertificate(InputStream).

This method reads the input stream up to end-of-file.

Parameters:
in - the InputStream from which the certificate or certificates will be read
Returns:
a Collection containing all X.509 certificates that were read from the stream
Throws:
CertificateException - if an X.509 CertificateFactory could not be instantiated, or on certificate parsing errors
IOException - on errors reading the input stream
See Also:
CertificateFactory.generateCertificate(InputStream)

getTrustedCerts

public Iterator getTrustedCerts()
Description copied from class: TrustEngine
Get the list of trusted certificates used by this TrustEngine.
Overrides:
getTrustedCerts in class TrustEngine
Tags copied from class: TrustEngine
Returns:
an Iterator for the list of X509Certificate instances. The Iterator should not allow modification.

validateCertPath

public void validateCertPath(X509Certificate[] path)
                      throws CertificateException,
                             CertPathValidationException
Description copied from class: TrustEngine
Validate a candidate certificate path against this TrustEngine. Returns void for success, throws exceptions for failure.

This method may be invoked concurrently from multiple threads, so its implementation should be multithread-safe; this is straightforward if it maintains no state, i.e. has no mutable instance variables (or mutable objects reached from those instance variables).

Overrides:
validateCertPath in class TrustEngine
Tags copied from class: TrustEngine
Parameters:
path - the candidate certificate path to check. path[0] should contain the subject's certificate; any subsequent entries should be CA certificates in the normal order.
Throws:
CertificateException - if some certificate in the path is deemed unsuitable
CertPathValidationException - if validation of the certificate path failed