org.openpermis.cert
Class ChainCertificateVerifier

java.lang.Object
  extended by org.openpermis.cert.ChainCertificateVerifier
All Implemented Interfaces:
CertificateVerifier

public class ChainCertificateVerifier
extends Object
implements CertificateVerifier

This certificate verifier supports multiple trusted issuers ("trust anchors") and certificate chains. It maintains a set of trusted root issuer certificates and a maximum chain length. When verifying a certificate, it looks for a certificate chain from that certificate to one of the trusted roots, asking the specified CertificateRepository for any intermediate certificates it needs. A CertificateRepository may, for example, return certificates from an LDAP directory or from a directory in the file system.

Chains longer than one are supported. A chain length of one means that a trusted root directly signed the certificate to be verified (only one signature is involved); a length of two allows one intermediate certificate between the root and the certificate, and so on.

CAUTION: Be extremely careful when using a chain length greater than one! A length of two, for example, means that you implicitly trust every entity whose certificate was signed by one of the trusted roots to act as an issuer. This is normally not the case in reality (trust is not transitive!). Configure the smallest maximum chain length that your PKI actually requires. Note that what is described here is the construction of a chain of valid signatures to a trusted root; checks of the validity period, basic constraints or revocation status are not part of this description and should not be assumed without consulting the implementation.

If a specific crypto provider should be used for the JCE operations, specify it with setProvider(String).

Since:
0.3.0
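Typical use of this class, as an added example that is not part of the PERMIS sources: it loads one root certificate, the certificate to verify and any intermediates from DER or PEM files named on the command line, builds the verifier with the in-memory convenience constructor, and reports whether a chain to the root could be established. The class name VerifyWithChain, the file paths, the verify.provider system property and the Java 7+ syntax are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import org.openpermis.cert.ChainCertificateVerifier;

/** Added example: verify a certificate against one trusted root with an in-memory set of intermediates. */
public class VerifyWithChain {

    /** Reads one X.509 certificate (DER or PEM) from a file; the path is whatever the caller supplies. */
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: VerifyWithChain <root.crt> <cert-to-verify.crt> [intermediate.crt ...]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // The root's subject must be trusted and its public key authentic (see the constructor documentation);
        // obtain it out of band, never from the same channel as the certificate being verified.
        Set<X509Certificate> trustedRoots = new HashSet<>();
        trustedRoots.add(load(cf, args[0]));
        X509Certificate target = load(cf, args[1]);

        Set<X509Certificate> intermediates = new HashSet<>();
        for (int i = 2; i < args.length; i++) {
            intermediates.add(load(cf, args[i]));
        }

        // Keep the chain bound as tight as the supplied intermediates allow. With no intermediates only a
        // certificate signed directly by the root (chain length one) is accepted.
        int maxChainLength = intermediates.size() + 1;
        ChainCertificateVerifier verifier = intermediates.isEmpty()
                ? new ChainCertificateVerifier(trustedRoots)
                : new ChainCertificateVerifier(trustedRoots, intermediates, maxChainLength);

        // Optional: route the JCE operations through a named provider (property name is an assumption of this
        // example). Without this call the default provider is used.
        String providerName = System.getProperty("verify.provider");
        if (providerName != null) {
            verifier.setProvider(providerName);
        }

        try {
            verifier.verifyCertificate(target);
            System.out.println("OK: " + target.getSubjectX500Principal()
                    + " chains to trusted root " + trustedRoots.iterator().next().getSubjectX500Principal()
                    + " (max chain length " + maxChainLength + ")");
        } catch (SignatureException e) {
            // A signature in the chain did not verify: reject the certificate.
            System.err.println("REJECTED: " + e.getMessage());
            System.exit(1);
        } catch (GeneralSecurityException e) {
            // Any other failure (no usable chain, encoding, algorithm or provider problem) is a rejection too,
            // never a pass: verifyCertificate only returns normally on success.
            System.err.println("REJECTED: " + e);
            System.exit(1);
        }
    }
}
```

The exit code distinguishes usage errors (2) from verification failures (1) so the program can be used from scripts; a verifier that succeeds only by returning normally must be wrapped so that every exception path ends in a rejection.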

Field Summary
private  CertificateRepository certificateRepository
          The certificate repository to ask for intermediate certificates if necessary.
private  int maxChainLength
          The maximum length of a certificate chain.
(package private)  String provider
          The crypto provider, or null if none is specified.
private  Map<Principal,X509Certificate> trustAnchorCertsBySubject
          The set of trusted issuers (trust anchors, root certificates).
 
Constructor Summary
ChainCertificateVerifier(Set<X509Certificate> trustedRoots)
          Creates a certificate verifier using the trusted roots that allows only chains of length one and therefore needs no certificate repository to obtain intermediate certificates from.
ChainCertificateVerifier(Set<X509Certificate> trustedRoots, CertificateRepository certificateRepository, int maxChainLength)
          Creates a certificate verifier using the trusted roots and a certificate repository that can be asked for intermediate certificates if required, restricting the maximum chain length to the indicated value.
ChainCertificateVerifier(Set<X509Certificate> trustedRoots, Set<X509Certificate> intermediateCerts, int maxChainLength)
          This is a convenience constructor doing the same as ChainCertificateVerifier(Set, CertificateRepository, int) but using the specified set of intermediate certificates as an in-memory certificate repository.
 
Method Summary
private  void computeChainInternal(List<X509Certificate> resultChain, int remainingChainLength, Set<Certificate> visitedCerts, Certificate certToVerify)
          Internal method that is called recursively to walk up the certificate chain.
 void setProvider(String provider)
          Sets a specific crypto provider.
 void verifyCertificate(Certificate certificate)
          Verifies the specified certificate and returns normally if the certificate could successfully be verified.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

trustAnchorCertsBySubject

private final Map<Principal,X509Certificate> trustAnchorCertsBySubject
The set of trusted issuers (trust anchors, root certificates), keyed by subject name so that the anchor for a given issuer name can be found efficiently.


certificateRepository

private final CertificateRepository certificateRepository
The certificate repository to ask for intermediate certificates if necessary.


maxChainLength

private final int maxChainLength
The maximum length of a certificate chain.


provider

String provider
The crypto provider, or null if none is specified.

Constructor Detail

ChainCertificateVerifier

public ChainCertificateVerifier(Set<X509Certificate> trustedRoots,
                                CertificateRepository certificateRepository,
                                int maxChainLength)
Creates a certificate verifier using the trusted roots and a certificate repository that can be asked for intermediate certificates if required, restricting the maximum chain length to the indicated value. A chain length of one means that a trusted root directly signed the certificate to be verified (only one signature is involved). CAUTION: Be extremely careful when using a chain length greater than one! A length of two, for example, means that you implicitly trust every entity whose certificate was signed by one of the trusted roots to act as an issuer. This is normally not the case in reality (trust is not transitive!).

Parameters:
trustedRoots - A set of trusted root certificates. The subjects of the specified certificates must be trusted and their public keys in the certificates must be authentic. This parameter must not be null.
certificateRepository - The certificate repository is used to ask for intermediate certificates needed to build a certificate chain. Using null as value tells the class not to use a certificate repository.
maxChainLength - The maximum allowed chain length. The value must be one or greater.
Since:
0.3.0

ChainCertificateVerifier

public ChainCertificateVerifier(Set<X509Certificate> trustedRoots)
Creates a certificate verifier using the trusted roots that allows only chains of length one and therefore needs no certificate repository to obtain intermediate certificates from.

Parameters:
trustedRoots - A set of trusted root certificates. The subjects of the specified certificates must be trusted and their public keys in the certificates must be authentic. This parameter must not be null.
Since:
0.3.0

ChainCertificateVerifier

public ChainCertificateVerifier(Set<X509Certificate> trustedRoots,
                                Set<X509Certificate> intermediateCerts,
                                int maxChainLength)
                         throws InvalidAlgorithmParameterException,
                                NoSuchAlgorithmException
This is a convenience constructor doing the same as ChainCertificateVerifier(Set, CertificateRepository, int) but using the specified set of intermediate certificates as an in-memory certificate repository. It uses the trusted roots and restricts the maximum chain length to the indicated value. A chain length of one means that a trusted root directly signed the certificate to be verified (only one signature is involved). CAUTION: Be extremely careful when using a chain length greater than one! A length of two, for example, means that you implicitly trust every entity whose certificate was signed by one of the trusted roots to act as an issuer. This is normally not the case in reality (trust is not transitive!).

Parameters:
trustedRoots - A set of trusted root certificates. The subjects of the specified certificates must be trusted and their public keys in the certificates must be authentic. This parameter must not be null.
intermediateCerts - A set of certificates that may serve as intermediate certificates in certificate chains. Must not be null.
maxChainLength - The maximum allowed chain length. The value must be one or greater.
Throws:
NoSuchAlgorithmException - Thrown if no collection-based CertStore implementation is available from the underlying crypto provider.
InvalidAlgorithmParameterException - Thrown if the parameters passed to the collection-based CertStore are invalid.
Since:
0.3.0
Method Detail

verifyCertificate

public void verifyCertificate(Certificate certificate)
                       throws CertificateException,
                              NoSuchAlgorithmException,
                              InvalidKeyException,
                              NoSuchProviderException,
                              SignatureException
Verifies the specified certificate and returns normally if the certificate could successfully be verified; otherwise one of the listed exceptions is thrown. Verification succeeds if a chain of valid signatures from the certificate to one of the trusted roots can be built within the configured maximum chain length.

Specified by:
verifyCertificate in interface CertificateVerifier
Parameters:
certificate - The certificate to be verified. Must not be null.
Throws:
CertificateException - Thrown on certificate encoding errors.
NoSuchAlgorithmException - Thrown on unsupported signature algorithms.
InvalidKeyException - Thrown on incorrect keys.
NoSuchProviderException - Thrown on incorrect crypto provider usage.
SignatureException - Thrown on incorrect signatures.
Since:
0.3.0

setProvider

public void setProvider(String provider)
Sets a specific crypto provider to be used for the JCE operations. If none is set (or null is set explicitly with this method), the default crypto provider is used.

Parameters:
provider - The name of the crypto provider to use or null.

computeChainInternal

private void computeChainInternal(List<X509Certificate> resultChain,
                                  int remainingChainLength,
                                  Set<Certificate> visitedCerts,
                                  Certificate certToVerify)
                           throws InvalidKeyException,
                                  CertificateException,
                                  NoSuchAlgorithmException,
                                  NoSuchProviderException,
                                  SignatureException
Internal method that is called recursively to go up the certificate chain.

Parameters:
resultChain - The result chain that is built during the search.
remainingChainLength - The remaining maximum allowed chain length in this step.
visitedCerts - Keeps track of the certificates already visited in order to detect loops in the issuer graph.
certToVerify - The certificate to verify in this step.
Throws:
SignatureException
NoSuchProviderException
NoSuchAlgorithmException
CertificateException
InvalidKeyException
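The recursion described for computeChainInternal, as an added sketch written for this page rather than the PERMIS implementation (whose source is not shown here): a stand-alone class that rebuilds a chain from a certificate up to a trust anchor, using a subject-name lookup callback in place of CertificateRepository, a remaining-length counter, and a visited set for loop detection. The IssuerLookup interface, the ChainBuilderSketch name and the basicConstraints check marked in the code are assumptions of this example, not documented behaviour of ChainCertificateVerifier.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/** Added example: chain building as described for computeChainInternal; not the PERMIS code itself. */
public final class ChainBuilderSketch {

    /** Stand-in for CertificateRepository (assumed shape): candidate issuer certificates with a given subject. */
    public interface IssuerLookup {
        Collection<X509Certificate> findBySubject(X500Principal subject);
    }

    private final Map<X500Principal, X509Certificate> anchorsBySubject = new HashMap<>();
    private final IssuerLookup repository;   // null: no repository, so only chains of length one can succeed
    private final int maxChainLength;
    private final String provider;           // JCE provider name, or null for the default provider

    public ChainBuilderSketch(Set<X509Certificate> trustedRoots, IssuerLookup repository,
                              int maxChainLength, String provider) {
        if (maxChainLength < 1) {
            throw new IllegalArgumentException("maxChainLength must be one or greater");
        }
        for (X509Certificate root : trustedRoots) {
            anchorsBySubject.put(root.getSubjectX500Principal(), root);   // keyed by subject, like the page's map
        }
        this.repository = repository;
        this.maxChainLength = maxChainLength;
        this.provider = provider;
    }

    /** Returns the chain from cert up to and including the trust anchor, or throws if none can be built. */
    public List<X509Certificate> buildChain(X509Certificate cert) throws GeneralSecurityException {
        List<X509Certificate> chain = new ArrayList<>();
        if (!walk(chain, maxChainLength, new HashSet<X509Certificate>(), cert)) {
            throw new SignatureException("no chain of at most " + maxChainLength + " signature(s) from "
                    + cert.getSubjectX500Principal() + " to a trusted root");
        }
        return chain;
    }

    /** One step up the chain; remaining is the number of signatures still allowed, including this one. */
    private boolean walk(List<X509Certificate> chain, int remaining,
                         Set<X509Certificate> visited, X509Certificate cert) throws GeneralSecurityException {
        if (remaining == 0 || !visited.add(cert)) {
            return false;   // length budget exhausted, or the issuer graph loops back on itself
        }
        chain.add(cert);
        X500Principal issuer = cert.getIssuerX500Principal();

        // Case 1: a trust anchor carrying the issuer's name signed this certificate (one signature).
        X509Certificate anchor = anchorsBySubject.get(issuer);
        if (anchor != null && signedBy(cert, anchor)) {
            chain.add(anchor);
            return true;
        }

        // Case 2: ask the repository for intermediates named like the issuer and recurse with one signature less.
        if (repository != null) {
            for (X509Certificate candidate : repository.findBySubject(issuer)) {
                if (!signedBy(cert, candidate)) {
                    continue;   // same name, wrong key: not the real issuer
                }
                // Assumption of this sketch, not documented for ChainCertificateVerifier: only certificates with
                // a CA basic constraint may act as intermediates. Without such a check, every certificate a root
                // ever signed becomes an issuer, which is the "trust is not transitive" problem the class warns about.
                if (candidate.getBasicConstraints() < 0) {
                    continue;
                }
                if (walk(chain, remaining - 1, visited, candidate)) {
                    return true;
                }
            }
        }
        chain.remove(chain.size() - 1);   // backtrack: this certificate leads nowhere
        return false;
    }

    /** True if issuer's public key verifies cert's signature; other JCE errors propagate to the caller. */
    private boolean signedBy(X509Certificate cert, X509Certificate issuer) throws GeneralSecurityException {
        try {
            if (provider == null) {
                cert.verify(issuer.getPublicKey());
            } else {
                cert.verify(issuer.getPublicKey(), provider);
            }
            return true;
        } catch (SignatureException | InvalidKeyException e) {
            return false;
        }
    }
}
```

With maxChainLength set to one, the repository is consulted but every recursive call enters with remaining equal to zero and fails immediately, so only certificates signed directly by an anchor are accepted, matching the single-argument constructor. A repository backed by LDAP or a file directory maps onto IssuerLookup as a search by subject name; the in-memory convenience constructor corresponds to a lookup that filters the intermediate set by subject.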


PERMIS Role Based Access Control 0.4.0 (Build 15)
2009/05/20 08:14:59
Copyright (c) 2002-2007 Ergon Informatik AG