Package com.dstc.security.ssl

Provides configurable SSLSocket and SSLServerSocket factories.


Class Summary
BasicTrustEngine - A simple TrustEngine that does basic cert-path processing.
CertChecker - Abstract callback for checking each certificate in a cert path.
OptimisticCRLChecker - A CertChecker that does simple processing of X.509 Certificate Revocation Lists (CRLs).
SSLServerSocketFactory - A concrete factory for SSLServerSocket implementations.
SSLSocketFactory - A concrete factory for SSLSocket implementations.
TrustEngine - An abstraction of trust for X.509 certificate paths.
 

Exception Summary
CertPathValidationException - Signals that a cert path was deemed invalid.
 

Package com.dstc.security.ssl Description

Provides configurable SSLSocket and SSLServerSocket factories. The two main classes are com.dstc.security.ssl.SSLSocketFactory and com.dstc.security.ssl.SSLServerSocketFactory, which are concrete implementations of the corresponding abstract classes in the javax.net.ssl package.

SSL clients, and SSL servers with setNeedClientAuth(true), need to validate X.509 certificate paths. The validation logic is encapsulated in the TrustEngine abstract class, and one implementation is provided: BasicTrustEngine. Both SSLSocketFactory and SSLServerSocketFactory can accept a TrustEngine instance.

BasicTrustEngine accepts an optional callback that can be used to perform additional checks on each certificate. The callback is defined by the CertChecker abstract class, and one implementation is provided: OptimisticCRLChecker.

For simple SSL clients, these customizations may be unnecessary, and a suitable factory can be obtained simply from the static method javax.net.ssl.SSLSocketFactory.getDefault(), which essentially creates an instance with the SSLSocketFactory.SSLSocketFactory() constructor.

At the other end of the scale, an SSL client that wants to perform CRL checking might do the following:

import java.util.Collection;

import com.dstc.security.ssl.OptimisticCRLChecker;
import com.dstc.security.ssl.TrustEngine;
import com.dstc.security.ssl.BasicTrustEngine;
import com.dstc.security.ssl.SSLSocketFactory;

Collection crls = ...;
// (OptimisticCRLChecker.getCRLs can load CRLs from an InputStream)

Collection trustedCerts = ...;
// (BasicTrustEngine.getCertificates can load certificates
//  from an InputStream or from a KeyStore)

TrustEngine trustEngine =
    new BasicTrustEngine(trustedCerts, new OptimisticCRLChecker(crls));

return SSLSocketFactory.getInstance(null, null, null, trustEngine, null);

(A good SSL client should generally specify an explicit setting for the fifth parameter to getInstance, the default list of cipher suites, rather than relying, as the example above does, on the default list chosen by SSLSocketFactory.)
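
The same discipline of choosing cipher suites explicitly, shown as an added example with the standard javax.net.ssl API rather than this package's own code (the page does not show what form the fifth parameter of getInstance takes, so it is not used here). The ALLOWED list and the class name are assumptions for illustration; the selection fails closed instead of falling back to provider defaults.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class ExplicitCipherSuites {
    // Assumed allow-list for illustration; set it from your own policy.
    static final List<String> ALLOWED = Arrays.asList(
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    // Keep the allow-listed suites the provider supports, in policy order.
    static String[] select(List<String> allowed, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> chosen = new ArrayList<>();
        for (String suite : allowed) {
            if (available.contains(suite)) chosen.add(suite);
        }
        if (chosen.isEmpty()) {
            // Fail closed: never fall back silently to the provider defaults.
            throw new IllegalStateException("no allow-listed cipher suite is supported");
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] suites = select(ALLOWED, ctx.getSupportedSSLParameters().getCipherSuites());

        // Show which provider defaults the explicit list leaves out.
        for (String d : ctx.getDefaultSSLParameters().getCipherSuites()) {
            if (!ALLOWED.contains(d)) System.out.println("dropped default: " + d);
        }

        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(suites);
        // Apply with sslSocket.setSSLParameters(params) before the handshake starts.
        System.out.println("enabled: " + String.join(", ", params.getCipherSuites()));
    }
}
```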