org.jsslutils.sslcontext

Class PKIXSSLContextFactory

java.lang.Object

org.jsslutils.sslcontext.DefaultSSLContextFactory

org.jsslutils.sslcontext.X509SSLContextFactory

org.jsslutils.sslcontext.PKIXSSLContextFactory

All Implemented Interfaces:

SSLContextFactory

public class PKIXSSLContextFactory
extends X509SSLContextFactory

This class is a factory that provides methods for creating an SSLContext configured with the settings set in this factory: using the PKIX algorithm for both the key manager and the trust manager. These managers are created from the KeyStores passed to the constructor. This implementation build a trust store that supports revocation and CRLs, see the CRL-related methods. The "org.jsslutils.prop.crlReloadInterval" system property may be used to configure the reload interval for CRLs (when re-loaded automatically), in seconds (0 won't reload them).

Author:

Bruno Harbulot

Nested Class Summary

Nested classes/interfaces inherited from interface org.jsslutils.sslcontext.SSLContextFactory

SSLContextFactory.SSLContextFactoryException

Field Summary

Fields

Modifier and Type	Field and Description
static String	CRL_RELOAD_INTERVAL_PROP
protected Set<CRL>	crlCollection
protected boolean	enableRevocation

Fields inherited from class org.jsslutils.sslcontext.X509SSLContextFactory

KEY_PASSWORD_PROP, KEYSTORE_FILE_PROP, KEYSTORE_PASSWORD_PROP, KEYSTORE_PROVIDER_ARGFILE_PROP, KEYSTORE_PROVIDER_ARGTEXT_PROP, KEYSTORE_PROVIDER_CLASS_PROP, KEYSTORE_PROVIDER_PROP, KEYSTORE_TYPE_PROP, TRUSTSTORE_FILE_PROP, TRUSTSTORE_PASSWORD_PROP, TRUSTSTORE_PROVIDER_ARGFILE_PROP, TRUSTSTORE_PROVIDER_ARGTEXT_PROP, TRUSTSTORE_PROVIDER_CLASS_PROP, TRUSTSTORE_PROVIDER_PROP, TRUSTSTORE_TYPE_PROP

Fields inherited from class org.jsslutils.sslcontext.DefaultSSLContextFactory

CONTEXT_PROTOCOL_NAME_PROP, CONTEXT_PROVIDER_NAME_PROP, SECURERANDOM_ALGORITHM_PROP, SECURERANDOM_PROVIDER_NAME_PROP

Constructor Summary

Constructors

Constructor and Description
PKIXSSLContextFactory()
PKIXSSLContextFactory(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.
PKIXSSLContextFactory(KeyStore keyStore, char[] keyPassword, KeyStore trustStore, boolean enableRevocation) Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.
PKIXSSLContextFactory(KeyStore keyStore, String keyPassword, KeyStore trustStore) Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.
PKIXSSLContextFactory(KeyStore keyStore, String keyPassword, KeyStore trustStore, boolean enableRevocation) Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.

Method Summary

Modifier and Type	Method and Description
void	addCrl(CRL crl) Adds a CRL to the collection used by getCrlCollection() (and thus the trust manager by default).
void	addCrl(InputStream crlInputStream) Adds a CRL from an InputStream to the collection used by getCrlCollection() (and thus the trust manager by default).
void	addCrl(String crlUrl) Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default).
void	addCrl(String crlUrl, long reloadInterval) Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default); this CRL will be reloaded periodically.
void	addCrlCollection(Collection<? extends CRL> crlCollection) Adds CRLs to the collection used by getCrlCollection() (and thus the trust manager by default).
Callable<X509CRL>	addReloadableCrl(String crlUrl) Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default).
protected CertStore	getCertStore() Returns the CertStore added to the PKIXParameters in getPKIXParameters().
Collection<? extends CRL>	getCrlCollection() Returns the Collection of X509CRLs used to initialise the CollectionCertStoreParameters used in getCertStore().
protected PKIXParameters	getPKIXParameters() Returns the PKIXParameters used for initialising the ManagerFactoryParameters in getTrustParams().
protected TrustManager[]	getRawTrustManagers() Builds TrustManagers from the trust store provided in the constructor, using a PKIX TrustManagerFactory.
protected ManagerFactoryParameters	getTrustParams() Returns the ManagerFactoryParameters used for initialising the TrustManagerFactory in getTrustManagers().
CRL	loadCrl(InputStream crlInputStream) Builds a CRL object from an InputStream.
CRL	loadCrl(String crlUrl) Builds a CRL object from a URL.

Methods inherited from class org.jsslutils.sslcontext.X509SSLContextFactory

configure, getKeyManagers, getKeyStore, getRawKeyManagers, getTrustManagers, getTrustStore, setKeyManagerWrapper, setKeyPassword, setKeyPasswordCallbackHandler, setKeyStore, setKeyStorePasswordCallbackHandler, setTrustManagerWrapper, setTrustStore, setTrustStorePasswordCallbackHandler

Methods inherited from class org.jsslutils.sslcontext.DefaultSSLContextFactory

buildSSLContext, buildSSLContext, clone, getContextProtocol, getContextProvider, getDefaultSecureRandomAlgorithm, getSecureRandom, getSecureRandomProvider, setSecureRandom

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CRL_RELOAD_INTERVAL_PROP

public static final String CRL_RELOAD_INTERVAL_PROP

See Also:

Constant Field Values

enableRevocation

protected boolean enableRevocation

crlCollection

protected Set<CRL> crlCollection

Constructor Detail

PKIXSSLContextFactory

public PKIXSSLContextFactory()

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             char[] keyPassword,
                             KeyStore trustStore,
                             boolean enableRevocation)

Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.

Parameters:

keyStore - KeyStore that contains the key.

keyPassword - password to the key.

trustStore - KeyStore that contains the trusted X.509 certificates.

enableRevocation - sets whether certificate revocation should be enabled.

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             String keyPassword,
                             KeyStore trustStore,
                             boolean enableRevocation)

Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.

Parameters:

keyStore - KeyStore that contains the key.

keyPassword - password to the key.

trustStore - KeyStore that contains the trusted X.509 certificates.

enableRevocation - sets whether certificate revocation should be enabled.

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             char[] keyPassword,
                             KeyStore trustStore)

Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory. Certificate revocation is enabled by default.

Parameters:

keyStore - KeyStore that contains the key.

keyPassword - password to the key.

trustStore - KeyStore that contains the trusted X.509 certificates.

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             String keyPassword,
                             KeyStore trustStore)

Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory. Certificate revocation is enabled by default.

Parameters:

keyStore - KeyStore that contains the key.

keyPassword - password to the key.

trustStore - KeyStore that contains the trusted X.509 certificates.

Method Detail

getRawTrustManagers

protected TrustManager[] getRawTrustManagers()
                                      throws SSLContextFactory.SSLContextFactoryException

Builds TrustManagers from the trust store provided in the constructor, using a PKIX TrustManagerFactory. The TrustManagerFactory parameters used are those provided by getTrustParams().

Overrides:

getRawTrustManagers in class X509SSLContextFactory

Returns:

PKIX-based trust managers corresponding to the trust store.

Throws:

SSLContextFactory.SSLContextFactoryException

getTrustParams

protected ManagerFactoryParameters getTrustParams()
                                           throws SSLContextFactory.SSLContextFactoryException

Returns the ManagerFactoryParameters used for initialising the TrustManagerFactory in getTrustManagers(). You can override it, but the default behaviour is to build a CertPathTrustManagerParameters from the PKIXParameters returned by getPKIXParameters().

Returns:

ManagerFactoryParameters used by getTrustManagers().

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

getPKIXParameters

protected PKIXParameters getPKIXParameters()
                                    throws SSLContextFactory.SSLContextFactoryException

Returns the PKIXParameters used for initialising the ManagerFactoryParameters in getTrustParams(). You can override it, but the default behaviour is to build a PKIXBuilderParameters from the trustStore, enable the revocation according to enableRevocation and adds the CertStore provided by getCertStore().

Returns:

PKIXParameters used by getTrustParams()

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

getCertStore

protected CertStore getCertStore()
                          throws SSLContextFactory.SSLContextFactoryException

Returns the CertStore added to the PKIXParameters in getPKIXParameters(). You can override it, but the default behaviour is to build a CertStore using the Collection of X509CRL obtained from getCrlCollection(). Typical extensions would probably consist of using an LDAP-based CertStore.

Returns:

CertStore used by getPKIXParameters().

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

getCrlCollection

public Collection<? extends CRL> getCrlCollection()
                                           throws SSLContextFactory.SSLContextFactoryException

Returns the Collection of X509CRLs used to initialise the CollectionCertStoreParameters used in getCertStore().

Returns:

Collection of X509CRL ultimately checked by the trust manager.

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

addCrlCollection

public void addCrlCollection(Collection<? extends CRL> crlCollection)
                      throws SSLContextFactory.SSLContextFactoryException

Adds CRLs to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:

crlCollection - collection of CRLs to add.

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

addCrl

public void addCrl(CRL crl)
            throws SSLContextFactory.SSLContextFactoryException

Adds a CRL to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:

crl - CRL to add.

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

addCrl

public void addCrl(InputStream crlInputStream)
            throws SSLContextFactory.SSLContextFactoryException

Adds a CRL from an InputStream to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:

crlInputStream - InputStream containing the CRL to read (this is not closed by this method).

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

addCrl

public void addCrl(String crlUrl)
            throws SSLContextFactory.SSLContextFactoryException,
                   MalformedURLException,
                   IOException

Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:

crlUrl - URL of the CRL to fetch.

Throws:

SSLContextFactoryException

IOException

MalformedURLException

SSLContextFactory.SSLContextFactoryException

addCrl

public void addCrl(String crlUrl,
                   long reloadInterval)
            throws SSLContextFactory.SSLContextFactoryException,
                   MalformedURLException,
                   IOException

Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default); this CRL will be reloaded periodically.

Parameters:

crlUrl - URL of the CRL to fetch.

reloadInterval - number of seconds between reloads.

Throws:

SSLContextFactoryException

MalformedURLException

IOException

SSLContextFactory.SSLContextFactoryException

addReloadableCrl

public Callable<X509CRL> addReloadableCrl(String crlUrl)
                                   throws SSLContextFactory.SSLContextFactoryException,
                                          MalformedURLException,
                                          IOException

Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default). This CRL will be reloaded by the Callable returned; this callable is not scheduled in an executor at this stage (up to the user of this method).

Parameters:

crlUrl - URL of the CRL to fetch.

Returns:

Callable that reloads the CRL (call() will return the new CRL).

Throws:

SSLContextFactoryException

MalformedURLException

IOException

SSLContextFactory.SSLContextFactoryException

loadCrl

public CRL loadCrl(InputStream crlInputStream)
            throws SSLContextFactory.SSLContextFactoryException

Builds a CRL object from an InputStream.

Parameters:

crlInputStream - InputStream containing the CRL to read (this is not closed by this method).

Returns:

X509CRL built from the representation obtained from this InputStream.

Throws:

SSLContextFactoryException

SSLContextFactory.SSLContextFactoryException

loadCrl

public CRL loadCrl(String crlUrl)
            throws SSLContextFactory.SSLContextFactoryException,
                   IOException,
                   MalformedURLException

Builds a CRL object from a URL.

Parameters:

crlUrl - URL of the CRL to fetch.

Returns:

X509CRL built from the representation obtained from this URL.

Throws:

SSLContextFactoryException

IOException

MalformedURLException

SSLContextFactory.SSLContextFactoryException