/*
* Copyright 1999-2010 University of Chicago
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in
* compliance with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is
* distributed on an "AS IS" BASIS,WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied.
*
* See the License for the specific language governing permissions and limitations under the License.
*/
package org.globus.gsi.stores;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CRL;
import java.security.cert.CRLSelector;
import java.security.cert.CertSelector;
import java.security.cert.CertStoreException;
import java.security.cert.CertStoreParameters;
import java.security.cert.CertStoreSpi;
import java.security.cert.Certificate;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Vector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
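/**
 * A {@link CertStoreSpi} that serves trust anchors and CRLs loaded from
 * resources.
 * <p>
 * Trust anchors come from a {@link ResourceCACertStore} and CRLs from a
 * {@link ResourceCRLStore}; both are populated once, in the constructor, from
 * the location patterns carried by {@link ResourceCertStoreParameters}. Only
 * X.509 selectors are accepted. Every query builds and returns a fresh
 * collection, so callers can never reach (or modify) the store's internal
 * trust material, and the result is never {@code null}.
 */
public class ResourceCertStore extends CertStoreSpi {

    private static final Log logger =
            LogFactory.getLog(ResourceCertStore.class.getCanonicalName());

    private final ResourceCACertStore caDelegate = new ResourceCACertStore();
    private final ResourceCRLStore crlDelegate = new ResourceCRLStore();

    /**
     * The sole constructor.
     *
     * @param params the initialization parameters; must be a non-null
     *               {@link ResourceCertStoreParameters}
     * @throws InvalidAlgorithmParameterException if {@code params} is
     *         {@code null} or is not a {@code ResourceCertStoreParameters}
     * @throws ResourceStoreException if the certificates or CRLs cannot be
     *         loaded from the configured locations
     */
    public ResourceCertStore(CertStoreParameters params)
            throws InvalidAlgorithmParameterException, ResourceStoreException {
        super(params);
        // instanceof is false for null, so this single test also rejects a
        // null parameter object, as before.
        if (!(params instanceof ResourceCertStoreParameters)) {
            throw new InvalidAlgorithmParameterException(
                    "ResourceCertStore requires non-null ResourceCertStoreParameters, got "
                            + (params == null ? "null" : params.getClass().getName()));
        }
        ResourceCertStoreParameters storeParams = (ResourceCertStoreParameters) params;
        crlDelegate.loadWrappers(storeParams.getCrlLocationPattern());
        caDelegate.loadWrappers(storeParams.getCertLocationPattern());
    }

    /**
     * Returns the trusted certificates that match {@code selector}.
     * <p>
     * The trusted certificate of every loaded {@link TrustAnchor} is tested
     * against the selector. The returned collection is a new, caller-owned
     * list; it is empty (never {@code null}) when nothing is loaded or nothing
     * matches.
     *
     * @param selector an {@link X509CertSelector}, or {@code null} to return
     *                 every trusted certificate
     * @return a new collection of the matching certificates, never {@code null}
     * @throws IllegalArgumentException if {@code selector} is non-null but not
     *         an {@code X509CertSelector}
     * @throws CertStoreException declared by the SPI contract
     */
    public Collection<? extends Certificate> engineGetCertificates(CertSelector selector)
            throws CertStoreException {
        logger.debug("selecting Certificates");
        if (selector != null && !(selector instanceof X509CertSelector)) {
            throw new IllegalArgumentException(
                    "Only X509CertSelector is supported, got " + selector.getClass().getName());
        }
        List<X509Certificate> matches = new ArrayList<X509Certificate>();
        if (caDelegate.getCollection() == null) {
            // The SPI contract promises a non-null result even when the
            // delegate has nothing loaded.
            return matches;
        }
        for (TrustAnchor trustAnchor : caDelegate.getCollection()) {
            X509Certificate cert = trustAnchor.getTrustedCert();
            // A TrustAnchor built from a name and public key carries no
            // certificate; never hand a null element to the caller.
            if (cert == null) {
                continue;
            }
            if (selector == null || selector.match(cert)) {
                matches.add(cert);
            }
        }
        return matches;
    }

    /**
     * Returns the CRLs that match {@code selector}.
     * <p>
     * Each loaded {@link X509CRL} is tested against the selector. The returned
     * collection is always a new, caller-owned list, so the store's internal
     * CRL collection is never exposed; it is empty (never {@code null}) when
     * nothing is loaded or nothing matches.
     *
     * @param selector an {@link X509CRLSelector}, or {@code null} to return
     *                 every loaded CRL
     * @return a new collection of the matching CRLs, never {@code null}
     * @throws IllegalArgumentException if {@code selector} is non-null but not
     *         an {@code X509CRLSelector}
     * @throws CertStoreException declared by the SPI contract
     */
    public Collection<? extends CRL> engineGetCRLs(CRLSelector selector)
            throws CertStoreException {
        logger.debug("selecting CRLs");
        if (selector != null && !(selector instanceof X509CRLSelector)) {
            throw new IllegalArgumentException(
                    "Only X509CRLSelector is supported, got " + selector.getClass().getName());
        }
        List<X509CRL> matches = new ArrayList<X509CRL>();
        if (crlDelegate.getCollection() == null) {
            return matches;
        }
        // Copy even for a null selector: returning the delegate's own
        // collection would let a caller mutate the loaded CRL set.
        for (X509CRL crl : crlDelegate.getCollection()) {
            if (selector == null || selector.match(crl)) {
                matches.add(crl);
            }
        }
        return matches;
    }
}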