/*
* Copyright (c) 2011-2012 ICM Uniwersytet Warszawski All rights reserved.
* See LICENCE file for licensing information.
*/
package eu.emi.security.authn.x509.impl;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.helpers.pkipath.PlainCRLValidator;
import eu.emi.security.authn.x509.helpers.trust.JDKInMemoryTrustAnchorStore;
/**
* The certificate validator which uses Java {@link KeyStore} as a truststore. This
* class is similar to {@link KeystoreCertChainValidator} but uses a keystore which
* was already loaded. Automatic refreshing of the truststore is not supported.
* <p>
* The CRLs (Certificate Revocation Lists, if their handling is turned on) can be obtained
* from two sources: CA certificate extension defining CRL URL and additional list
* of URLs manually set by the class user. As an additional feature one may
* provide simple paths to local files, using wildcards. All files matching a
* wildcard are used.
* <p>
* This class is thread-safe.
*
* @author K. Benedyczak
* @see X509CertChainValidator
* @see KeystoreCertChainValidator
*/
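public class InMemoryKeystoreCertChainValidator extends PlainCRLValidator
{
    /**
     * Trust anchors backed by the caller-supplied {@link KeyStore}. Replaced as a
     * whole by {@link #setTruststore(KeyStore)}; all access goes through the
     * synchronized accessors below.
     */
    protected JDKInMemoryTrustAnchorStore store;

    /**
     * Constructs a new validator instance. CRLs (Certificate Revocation Lists)
     * are taken from the trusted CAs certificate extension and downloaded,
     * unless CRL checking is disabled. Additional CRLs may be provided explicitly
     * using the constructor argument. Such additional CRLs are preferred to the
     * ones defined by the CA extensions.
     *
     * @param keystore truststore to use; it must already be loaded (no password is
     *        taken here)
     * @param params common validator settings (revocation, initial listeners, proxy support, ...)
     * @throws IOException if the truststore can not be read
     * @throws KeyStoreException if the truststore contents can not be processed
     */
    public InMemoryKeystoreCertChainValidator(KeyStore keystore,
            ValidatorParamsExt params)
            throws IOException, KeyStoreException
    {
        super(params.getRevocationSettings(), params.getInitialListeners());
        store = new JDKInMemoryTrustAnchorStore(keystore);
        // crlStoreImpl is inherited from PlainCRLValidator (presumably created by the
        // super constructor from the revocation settings; not visible in this file).
        // It is the CRL source that revocation checking relies on.
        init(store, crlStoreImpl, params.isAllowProxy(), params.getRevocationSettings());
    }

    /**
     * Constructs a new validator instance with default additional settings
     * (see {@link ValidatorParamsExt#ValidatorParamsExt()}).
     *
     * @param keystore truststore to use; it must already be loaded
     * @throws IOException if the truststore can not be read
     * @throws KeyStoreException if the truststore contents can not be processed
     */
    public InMemoryKeystoreCertChainValidator(KeyStore keystore)
            throws IOException, KeyStoreException
    {
        this(keystore, new ValidatorParamsExt());
    }

    /**
     * Returns the current trust store. Note that modifying this keystore
     * won't have any impact on the validation.
     *
     * @return the KeyStore used as a trust store
     */
    public synchronized KeyStore getTruststore()
    {
        // NOTE(review): whether JDKInMemoryTrustAnchorStore snapshots the keystore or
        // keeps a live reference is not visible here; confirm before relying on the
        // "no impact on validation" statement above.
        return store.getKeyStore();
    }

    /**
     * Changes the current trust store. The new trust anchors are installed with the
     * same CRL store, proxy support and revocation checking mode that were in effect
     * before the call.
     *
     * @param ks key store, already loaded
     * @throws KeyStoreException if the key store contents can not be processed
     */
    public synchronized void setTruststore(KeyStore ks) throws KeyStoreException
    {
        store = new JDKInMemoryTrustAnchorStore(ks);
        // Re-initialise with the same CRL store the constructor wired in, so that
        // swapping the trust anchors does not also discard the CRL source used for
        // revocation checking. Proxy support and revocation mode are carried over
        // from the current configuration.
        init(store, crlStoreImpl, getProxySupport(), getRevocationCheckingMode());
    }
}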