ehsbe CommonsTM
Version 1.1.0rc3

com.ehsbe.commons.util
Class LocalTrustManager

java.lang.Object
  extended by com.ehsbe.commons.util.LocalTrustManager
All Implemented Interfaces:
TrustManager, X509TrustManager

public class LocalTrustManager
extends Object
implements X509TrustManager

A non-default TrustManager which validates client and server certificates against its own list of certificates (TrustAnchors).

It also validates forward with the shortest possible path, i.e. if a certificate in the chain to check matches a trusted certificate, only the path from the beginning of the chain up to the matching certificate gets validated.

To prevent manipulation of this TrustManager, "foreign" packages should not be allowed to add or remove certificates. It is therefore recommended to override addCerts(Collection) and removeCerts(Collection) so that they only call their super method, and to make them final.

It handles X.509 certificates only.
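As an added example (not code from ehsbe Commons), a hypothetical subclass that follows the recommendation above: it loads its trust anchors from a CA bundle once, overrides addCerts/removeCerts as final methods that only delegate to super, and exposes a helper that wires the manager into an SSLContext. SealedTrustManager, anchorFor and contextFor are assumed names; declaring the class itself final is one step beyond what the description recommends.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import com.ehsbe.commons.util.LocalTrustManager;

/**
 * Hypothetical hardened subclass: anchors are fixed at construction time and
 * the add/remove hooks are final, so no subclass can swap them out. The class
 * is final as well, which keeps foreign packages from subclassing it at all.
 */
public final class SealedTrustManager extends LocalTrustManager {

    public SealedTrustManager(String caCertBundlePath)
            throws IOException, CertificateException {
        super(caCertBundlePath);          // PEM bundle entries become TrustAnchors
    }

    @Override
    protected final void addCerts(Collection<Certificate> certs) {
        super.addCerts(certs);            // delegate only; cannot be overridden
    }

    @Override
    protected final void removeCerts(Collection<Certificate> certs) {
        super.removeCerts(certs);         // delegate only; cannot be overridden
    }

    /** Validates the chain and returns the anchor that closed it, or null when
     *  checkTrusted() reports none (empty list or a null last element). */
    public Certificate anchorFor(X509Certificate[] chain) throws CertificateException {
        ArrayList<Certificate> path = checkTrusted(chain);
        return path.isEmpty() ? null : path.get(path.size() - 1);
    }

    /** Builds an SSLContext that trusts only the anchors from the bundle. */
    public static SSLContext contextFor(String caCertBundlePath)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new SealedTrustManager(caCertBundlePath) }, null);
        return ctx;
    }
}
```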

Version:
$Revision: 463 $
Author:
Jens Elkner
See Also:
CertPathValidator, CertPathBuilder, InvalidCertHandler, JxInvalidCertHandler

Constructor Summary
LocalTrustManager()
          Create a new TrustManager with an empty list of trusted certificates.
LocalTrustManager(InvalidCertHandler handler)
          Create a new TrustManager with an empty list of trusted certificates.
LocalTrustManager(String caCertBundlePath)
          Create a new TrustManager and add all X.509 certificates from the given CA cert bundle to the internal certificate list.
LocalTrustManager(String caCertBundlePath, InvalidCertHandler handler)
          Create a new TrustManager and add all X.509 certificates from the given CA cert bundle to the internal certificate list.
 
Method Summary
protected  void addCertBundle(String caCertBundlePath)
          Add all X.509 certificates from the given CA cert bundle to the internal certificate list.
protected  void addCerts(Collection<Certificate> certs)
          Add the given certificates to the internal certificate list.
protected  void addOtherCerts(Collection<Certificate> certs)
          Add the given certificates to the internal other certificate list.
 void checkClientTrusted(X509Certificate[] chain, String authType)
          
 void checkServerTrusted(X509Certificate[] chain, String authType)
          
 ArrayList<Certificate> checkTrusted(X509Certificate[] chain)
          Same as check*Trusted(...), but returns the chain which has been validated, with the certificate of the trusted anchor for this chain at the end of the list (which might be null if an unexpected error occurred).
 X509Certificate[] getAcceptedIssuers()
          
static X509TrustManager getInstance()
          Get the JVM singleton instance, which handles local certs.
 X509Certificate[] getOtherCerts()
          Get the internal list of other certificates.
protected  void removeCerts(Collection<Certificate> certs)
          Remove the given certificates from the internal TrustAnchor certificate list.
protected  void removeOtherCerts(Collection<Certificate> certs)
          Remove the given certificates from the internal other certificate list.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

LocalTrustManager

public LocalTrustManager()
Create a new TrustManager with an empty list of trusted certificates.


LocalTrustManager

public LocalTrustManager(InvalidCertHandler handler)
Create a new TrustManager with an empty list of trusted certificates.

Parameters:
handler - handler to use if validation of a certificate path fails.
See Also:
addCertBundle(String)

LocalTrustManager

public LocalTrustManager(String caCertBundlePath)
                  throws IOException,
                         CertificateException
Create a new TrustManager and add all X.509 certificates from the given CA cert bundle to the internal certificate list.

Parameters:
caCertBundlePath - the resource path name of the CA certificate bundle to load. All non-X.509 certificates are ignored.
Throws:
IOException - if the resource cannot be found or a read error occurs while reading the resource stream.
CertificateException - if no Provider can be found which supports X.509 certificates.
See Also:
addCertBundle(String)

LocalTrustManager

public LocalTrustManager(String caCertBundlePath,
                         InvalidCertHandler handler)
                  throws IOException,
                         CertificateException
Create a new TrustManager and add all X.509 certificates from the given CA cert bundle to the internal certificate list.

Parameters:
caCertBundlePath - the resource path name of the CA certificate bundle to load. All non-X.509 certificates are ignored.
handler - handler to use if validation of a certificate path fails.
Throws:
IOException - if the resource cannot be found or a read error occurs while reading the resource stream.
CertificateException - if no Provider can be found which supports X.509 certificates.
See Also:
addCertBundle(String)

Method Detail

getInstance

public static X509TrustManager getInstance()
Get the JVM singleton instance, which handles local certs. By default it contains no certificates and thus treats every certificate to be checked as invalid (unknown issuer/certificate).

Returns:
always the same instance.

addCertBundle

protected void addCertBundle(String caCertBundlePath)
                      throws IOException,
                             CertificateException
Add all X.509 certificates from the given CA cert bundle to the internal certificate list. Certificates will be used as TrustAnchors.

The bundle is expected to be a concatenation of Base64-encoded DER (aka PEM encoded) X.509 certificates, i.e. each certificate is enclosed between a "-----BEGIN CERTIFICATE-----" and a "-----END CERTIFICATE-----" line. See also openssl x509 -in file -inform PEM -text. The file itself is US-ASCII formatted.

Parameters:
caCertBundlePath - the resource path name of the CA certificate bundle to load. All non-X.509 certificates are ignored.
Throws:
IOException - if the resource cannot be found or a read error occurs while reading the resource stream.
CertificateException - if no Provider can be found which supports X.509 certificates.
See Also:
addCerts(Collection), CertificateFactory.generateCertificate(InputStream)

addCerts

protected void addCerts(Collection<Certificate> certs)
Add the given certificates to the internal certificate list. Certificates will be used as TrustAnchors.

Parameters:
certs - a list of X.509 certificates to add. Every certificate added to this instance gets removed from this list, so on return it contains only the certificates that were not accepted.
See Also:
removeCerts(Collection)

addOtherCerts

protected void addOtherCerts(Collection<Certificate> certs)
Add the given certificates to the internal other certificate list. These certificates are NOT used as TrustAnchors, but as helpers to establish a cert path.

Parameters:
certs - a list of X.509 certificates to add. Every certificate added to this instance gets removed from this list, so on return it contains only the certificates that were not accepted.
See Also:
removeOtherCerts(Collection)

removeCerts

protected void removeCerts(Collection<Certificate> certs)
Remove the given certificates from the internal TrustAnchor certificate list.

Parameters:
certs - X.509 certificates to remove. Every certificate removed from this instance gets removed from this list, so on return it contains only the certificates that could not be removed (i.e. which were not in the internal list).
See Also:
addCerts(Collection), addCertBundle(String)

removeOtherCerts

protected void removeOtherCerts(Collection<Certificate> certs)
Remove the given certificates from the internal other certificate list.

Parameters:
certs - X.509 certificates to remove. Every certificate removed from this instance gets removed from this list, so on return it contains only the certificates that could not be removed (i.e. which were not in the internal list).
See Also:
addOtherCerts(Collection)

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Specified by:
checkClientTrusted in interface X509TrustManager
Throws:
CertificateException

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Specified by:
checkServerTrusted in interface X509TrustManager
Throws:
CertificateException

checkTrusted

public ArrayList<Certificate> checkTrusted(X509Certificate[] chain)
                                    throws CertificateException
Same as check*Trusted(...), but returns the chain which has been validated, with the certificate of the trusted anchor for this chain at the end of the list (which might be null if an unexpected error occurred).

Parameters:
chain - chain of certificates to validate
Returns:
a possibly empty list.
Throws:
CertificateException

getAcceptedIssuers

public X509Certificate[] getAcceptedIssuers()

Specified by:
getAcceptedIssuers in interface X509TrustManager

getOtherCerts

public X509Certificate[] getOtherCerts()
Get the internal list of other certificates.

Returns:
a possibly empty list


Copyright ©2005-2009 EHSBE, Walther-Rathenau-Str. 58, 39104 Magdeburg, Sachsen-Anhalt, Germany. All Rights Reserved.