Examples.java

/*
 * Copyright (c) 2011 ICM Uniwersytet Warszawski All rights reserved.
 * See LICENCE file for licensing information.
 */
package eu.emi.security.authn.x509;

import java.io.InputStream;
import java.net.ServerSocket;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.net.ssl.SSLServerSocketFactory;
import javax.security.auth.x500.X500Principal;

import eu.emi.security.authn.x509.impl.CRLParameters;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding;
import eu.emi.security.authn.x509.impl.KeystoreCertChainValidator;
import eu.emi.security.authn.x509.impl.KeystoreCredential;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;
import eu.emi.security.authn.x509.impl.RevocationParametersExt;
import eu.emi.security.authn.x509.impl.SocketFactoryCreator;
import eu.emi.security.authn.x509.impl.ValidatorParams;
import eu.emi.security.authn.x509.impl.ValidatorParamsExt;
import eu.emi.security.authn.x509.impl.X500NameUtils;

/**
 * Contains example code which is used in documentation - mostly to check its syntax.
 * @author K. Benedyczak
 */
@SuppressWarnings("unused")
public class Examples
{
//!!!formating is intended!!!!
	
	public void example1() throws Exception
	{
		
/*
 * Validates toBeChecked chain using Openssl style truststore, from
 * the /etc/grid-security/certificates directory. Both kinds of 
 * namespaces are checked and forced if are present. Truststore is 
 * reread every minute. The additional settings are not defined and
 * so defaults are used: CRLs are forced if are present. Proxy 
 * certificates are supported. No listeners are registered to 
 * be notified about trusted CA certificates, CRLs or namespace 
 * definitions reloading.
 */
X509Certificate[] toBeChecked = null;
X509CertChainValidator vff = new OpensslCertChainValidator(
	"/etc/grid-security/certificates", 
	NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS, 60000);

ValidationResult result = vff.validate(toBeChecked);
if (result.isValid()) {
	//...
} else {
	List<ValidationError> errors = result.getErrors();
	//...
}
	
	}
	
	public void example2() throws Exception
	{
/*
 * A more complicated example. SSL sockets will be created with the
 * certificate validator from this library. It is configured to 
 * trust all issuers from the provided JKS truststore.
 * Additionally two CRL sources are registered: one remote and 
 * one local, using wildcard. CRLs are reloaded every hour and 
 * remote CRLs are cached in /tmp/crls (useful if subsequent 
 * download fails). Listener is registered which logs successful 
 * and erroneous updates of the trust material.
 * Finally a local credential from another JKS file is loaded, 
 * to be used as local side server's certificate and private key. 
 */
char [] keystorePassword = "somePasswd".toCharArray(), 
	ksPasswd = "passwd2".toCharArray(), 
	keyPasswd = "passwd3".toCharArray();
String serverKeyAlias = "someAlias";
List<String> crlSources = new ArrayList<String>();
Collections.addAll(crlSources, "http://some.crl.distr.point1/crl.pem", 
	"/etc/crls/*.crl");
StoreUpdateListener listener = new StoreUpdateListener() {
	public void loadingNotification(String location, String type, 
			Severity level,	Exception cause)
	{
		if (level != Severity.NOTIFICATION) {
			//log problem with loading 'type' data 
			//from 'location', details are usually in 
			//cause.
		} else {
			//log successful (re)loading
		}
	}
};
CRLParameters crlParams = new CRLParameters(crlSources, 3600000, 
	15000, "/tmp/crls");
OCSPParametes ocspParams = new OCSPParametes(OCSPCheckingMode.IF_AVAILABLE);
ValidatorParamsExt commonParams = new ValidatorParamsExt(
	new RevocationParametersExt(CrlCheckingMode.REQUIRE, 
		crlParams, ocspParams),
	ProxySupport.ALLOW, Collections.singletonList(listener));

KeystoreCertChainValidator v = new KeystoreCertChainValidator(
	"/my/truststore.jks", keystorePassword, "JKS", 1000, 
	commonParams);

X509Credential c = new KeystoreCredential("/my/keystore.jks", 
	ksPasswd, keyPasswd, serverKeyAlias, "JKS");
SSLServerSocketFactory sslSsf = SocketFactoryCreator.getServerSocketFactory(c, v);
		
ServerSocket sslSS = sslSsf.createServerSocket();

	}
	
	
	public void example3() throws Exception
	{
		InputStream inputStream = null;
		
X509Certificate someCertificate = CertificateUtils.loadCertificate(
	inputStream, Encoding.PEM);
X500Principal dn1 = someCertificate.getSubjectX500Principal();
String dn2 = "CN=Bob,O=Example,C=EX";
//correctly compares binary DN with a string one
boolean equal = X500NameUtils.equal(dn1, dn2); 

	}

}