nl.nikhef.slcshttps.trust
Class TrustCert

java.lang.Object
  nl.nikhef.slcshttps.trust.TrustCert

public class TrustCert

This class contains all fields and methods to check the validity of a certificate chain for use as a trusted server certificate, including storing for reuse.

See Also:
  TrustManagerImpl
Nested Class Summary

protected class TrustCert.Status
    Nested class, contains the status fields relevant for an alias: whether the alias was added for a (in)valid name and/or (in)valid date; the certchain is not relevant for a certain alias, since it's the same for all aliases.
Field Summary

protected String chainError
    String describing the error causing the chain validation to fail.
protected int chainErrorIdx
    Index of the certificate causing the chain validation to fail.
protected Date chainFirstDate
    Date representation of the latest notBefore.
protected int chainFirstIdx
    Index of the certificate with the latest notBefore, or -1 for unset.
protected long chainFirstMSec
    msec representation of the latest notBefore.
protected Date chainLastDate
    Date representation of the earliest notAfter.
protected int chainLastIdx
    Index of the certificate with the earliest notAfter, or -1 for unset.
protected long chainLastMSec
    msec representation of the earliest notAfter.
(package private) static HostnameChecker hostnameChecker
    Contains a HostnameChecker used for checking the hostnames.
protected Hashtable<String,TrustCert.Status> knownAliases
    Contains a list of already seen and accepted aliases (hostname:portnumber) for this certificate chain, with their status at the time they were accepted.
protected TrustCert.Status status
    Current status of the certificate (chain).
private X509Certificate x509Cert
    Holds the actual X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]).
private X509Certificate[] x509Chain
    The certificate chain for the X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]).
Constructor Summary

private TrustCert()
    Constructs a default TrustCert.
public TrustCert(X509Certificate[] certChain)
    Constructs a TrustCert from an X509Certificate chain.
Method Summary

void addAlias(String alias)
    Adds the given alias to the list of aliases for this TrustCert.
boolean checkChain()
    Method to check whether the certificate chain is valid, that is in particular whether the whole chain can be followed back to a trusted root certificate.
boolean checkHostname(String hostName)
    Method to check whether the server certificate is valid for the given hostName.
boolean checkValidity()
    Method to check whether the certificate chain is valid, that is when the current time ≥ the latest not-before in the chain and ≤ the earliest not-after in the chain.
boolean equals(TrustCert other)
    Equals method, comparing two TrustCerts, which are considered equal when their server certificate (first in chain) is equal.
boolean equals(X509Certificate other)
    Equals method, comparing the server certificate (first in chain) against an X509Certificate.
protected String getAliasErrors(String alias)
    Creates a String describing all the errors for the given alias, using its stored Status.
protected String[] getErrors(String host)
    Creates a String array, one for each error for the current connection, using the data in the status field.
protected String[] getOldErrors()
    Creates a String array, one for each known alias, each containing a list of all the errors for that alias.
TrustCert.Status getStatus(String alias)
    Method to get the status of a known alias.
void removeAlias(String alias)
    Removes the given alias from the list of aliases for this TrustCert.
private void setCertChain(X509Certificate[] certChain)
    Sets the certificate chain for this TrustCert.
protected void setExtremes()
    Finds the latest not-before time and the earliest not-after time for the certificate chain, thus finding the smallest interval for which the whole chain is valid.
Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

static HostnameChecker hostnameChecker
    Contains a HostnameChecker used for checking the hostnames. We can use the same one for all checking, hence it's initialized at class initialization, which improves performance.

private X509Certificate x509Cert
    Holds the actual X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]). Note that it is equal to the 0th element of x509Chain.

private X509Certificate[] x509Chain
    The certificate chain for the X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]). Note that x509Chain[0] is equal to x509Cert.

protected Hashtable<String,TrustCert.Status> knownAliases
    Contains a list of already seen and accepted aliases (hostname:portnumber) for this certificate chain, with their status at the time they were accepted.

protected TrustCert.Status status
    Current status of the certificate (chain).

protected int chainFirstIdx
    Index of the certificate with the latest notBefore, or -1 for unset.

protected Date chainFirstDate
    Date representation of the latest notBefore.

protected long chainFirstMSec
    msec representation of the latest notBefore.

protected int chainLastIdx
    Index of the certificate with the earliest notAfter, or -1 for unset.

protected Date chainLastDate
    Date representation of the earliest notAfter.

protected long chainLastMSec
    msec representation of the earliest notAfter.

protected int chainErrorIdx
    Index of the certificate causing the chain validation to fail. For a CertPathValidatorException which doesn't point to a specific certificate, it sets it to -1; we hence use -2 for unset.

protected String chainError
    String describing the error causing the chain validation to fail.
Constructor Detail

private TrustCert()
    Constructs a default TrustCert. Its certificate chain can be set using setCertChain(X509Certificate[]).
    See Also:
        TrustCert(X509Certificate[])

public TrustCert(X509Certificate[] certChain)
    Constructs a TrustCert from an X509Certificate chain.
    Parameters:
        certChain - X509Certificate[] chain for this TrustCert
Method Detail

private void setCertChain(X509Certificate[] certChain)
    Sets the certificate chain for this TrustCert.
    Parameters:
        certChain - X509Certificate[] chain for this TrustCert
    See Also:
        TrustCert(X509Certificate[])

public boolean equals(TrustCert other)
    Equals method, comparing two TrustCerts, which are considered equal when their server certificate (first in chain) is equal.
    Parameters:
        other - Other TrustCert to compare against.
    Returns:
        true when the first X509Certificate in each chain is equal.
    See Also:
        equals(X509Certificate)

public boolean equals(X509Certificate other)
    Equals method, comparing the server certificate (first in chain) against an X509Certificate.
    Parameters:
        other - X509Certificate to compare the server certificate (1st in chain) against.
    Returns:
        true when the server certificate is equal to the given X509Certificate.
    See Also:
        equals(TrustCert)

public boolean checkValidity() throws CertificateException
    Method to check whether the certificate chain is valid, that is when the current time ≥ the latest not-before in the chain and ≤ the earliest not-after in the chain. The result is stored in the status field for later usage.
    Throws:
        CertificateException - if the certchain is not (yet) known.
    See Also:
        getStatus(String)

public boolean checkHostname(String hostName) throws CertificateException
    Method to check whether the server certificate is valid for the given hostName. The result is stored in the status field for later usage.
    Parameters:
        hostName - hostname to check the server certificate against.
    Throws:
        CertificateException - in case of error (not when the certificate is invalid for the hostname).
    See Also:
        HostnameChecker, getStatus(String)

public boolean checkChain() throws CertificateException
    Method to check whether the certificate chain is valid, that is in particular whether the whole chain can be followed back to a trusted root certificate. Validity in time is checked separately by checkValidity().
    Note that if for some reason there is no time at which the entire certificate chain was, is or will be valid, we still will get an error here. The chainError field will contain a (descriptive) error message or be null if the chain validated.
    Throws:
        CertificateException - in case of error (not when the certificate is invalid for the hostname).
    See Also:
        CertChainChecker

public TrustCert.Status getStatus(String alias)
    Method to get the status of a known alias.
    Parameters:
        alias - String representing the alias for which to get the Status (alias is hostname:portnumber).

public void addAlias(String alias)
    Adds the given alias to the list of aliases for this TrustCert.
    Parameters:
        alias - String representing the alias to add (alias is hostname:portnumber).
    See Also:
        removeAlias(String)

public void removeAlias(String alias)
    Removes the given alias from the list of aliases for this TrustCert.
    Parameters:
        alias - String representing the alias to remove (alias is hostname:portnumber).
    See Also:
        removeAlias(String)

protected void setExtremes() throws CertificateException
    Finds the latest not-before time and the earliest not-after time for the certificate chain, thus finding the smallest interval for which the whole chain is valid. The results are stored for the former in the fields chainFirstIdx, chainFirstDate and chainFirstMSec, and for the latter in the fields chainLastIdx, chainLastDate and chainLastMSec. Both the Date and msec representations are stored for performance.
    Throws:
        CertificateException - when the server certificate or chain is not (yet) set.
    See Also:
        checkValidity()
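As an added example (not code from the TrustCert class or the nl.nikhef.slcshttps project), the following stand-alone Java program implements the interval computation that setExtremes() and checkValidity() describe: the latest notBefore and the earliest notAfter over the chain, each with the index of the certificate it came from (-1 for unset), and the test that a given time lies inside that interval. It also reports the never-valid case that checkChain() mentions, where the latest notBefore lies after the earliest notAfter. The class and method names (ChainValidityExample, findExtremes, isValidAt, describe) and the sample validity dates are assumptions constructed for this example; the overload taking an X509Certificate[] shows how the same logic is fed from a real chain.

```java
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.TimeZone;

// Added example, not part of TrustCert: latest notBefore / earliest notAfter
// over a chain, as setExtremes() and checkValidity() are documented to do.
public class ChainValidityExample {

    /** Result holder; an index of -1 means "unset", as in TrustCert. */
    static final class Extremes {
        int firstIdx = -1;  // index of the cert with the latest notBefore
        long firstMSec;     // that notBefore in msec since the epoch
        int lastIdx = -1;   // index of the cert with the earliest notAfter
        long lastMSec;      // that notAfter in msec since the epoch
    }

    /** Latest notBefore and earliest notAfter over parallel arrays of dates. */
    static Extremes findExtremes(Date[] notBefore, Date[] notAfter) {
        if (notBefore == null || notAfter == null || notBefore.length == 0
                || notBefore.length != notAfter.length) {
            throw new IllegalArgumentException("certificate chain not (yet) set");
        }
        Extremes e = new Extremes();
        for (int i = 0; i < notBefore.length; i++) {
            long nb = notBefore[i].getTime();
            long na = notAfter[i].getTime();
            if (e.firstIdx < 0 || nb > e.firstMSec) { e.firstIdx = i; e.firstMSec = nb; }
            if (e.lastIdx < 0 || na < e.lastMSec) { e.lastIdx = i; e.lastMSec = na; }
        }
        return e;
    }

    /** Same computation fed directly from a real X509Certificate[] chain. */
    static Extremes findExtremes(X509Certificate[] chain) {
        Date[] nb = new Date[chain.length];
        Date[] na = new Date[chain.length];
        for (int i = 0; i < chain.length; i++) {
            nb[i] = chain[i].getNotBefore();
            na[i] = chain[i].getNotAfter();
        }
        return findExtremes(nb, na);
    }

    /** checkValidity() rule: now >= latest notBefore and now <= earliest notAfter. */
    static boolean isValidAt(Extremes e, long nowMSec) {
        return nowMSec >= e.firstMSec && nowMSec <= e.lastMSec;
    }

    /** Descriptive reason in the spirit of chainError, or null when valid. */
    static String describe(Extremes e, long nowMSec) {
        if (e.firstMSec > e.lastMSec) {
            return "chain is never valid: cert " + e.firstIdx
                 + " starts after cert " + e.lastIdx + " expires";
        }
        if (nowMSec < e.firstMSec) return "cert " + e.firstIdx + " is not yet valid";
        if (nowMSec > e.lastMSec) return "cert " + e.lastIdx + " has expired";
        return null;
    }

    /** Helper to build UTC dates for the constructed sample input. */
    private static Date utc(int year, int month, int day) {
        GregorianCalendar c = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
        c.clear();
        c.set(year, month - 1, day);
        return c.getTime();
    }

    public static void main(String[] args) {
        // Constructed sample chain in TrustCert order: [server, intermediate, root].
        Date[] notBefore = { utc(2024, 3, 1), utc(2020, 1, 1), utc(2015, 1, 1) };
        Date[] notAfter  = { utc(2025, 3, 1), utc(2030, 1, 1), utc(2035, 1, 1) };
        Extremes e = findExtremes(notBefore, notAfter);
        System.out.println("latest notBefore from cert " + e.firstIdx + ": " + new Date(e.firstMSec));
        System.out.println("earliest notAfter from cert " + e.lastIdx + ": " + new Date(e.lastMSec));

        // Constructed check times in place of System.currentTimeMillis().
        for (Date now : new Date[] { utc(2024, 6, 1), utc(2023, 6, 1), utc(2026, 6, 1) }) {
            long t = now.getTime();
            System.out.println(now + " -> valid=" + isValidAt(e, t) + " " + describe(e, t));
        }

        // A chain whose intermediate expired before the server cert starts is never valid.
        Extremes never = findExtremes(new Date[] { utc(2024, 3, 1), utc(2020, 1, 1) },
                                      new Date[] { utc(2025, 3, 1), utc(2023, 1, 1) });
        System.out.println("never-valid chain: " + describe(never, utc(2024, 6, 1).getTime()));
    }
}
```

For the constructed chain the server certificate (index 0) bounds the interval on both sides, 2024-06-01 is inside it, 2023-06-01 is before its notBefore and 2026-06-01 is after its notAfter; the two-certificate chain at the end has no time at which both certificates are valid, which is exactly the situation the checkChain() note says still produces an error.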
protected String getAliasErrors(String alias)
    Creates a String describing all the errors for the given alias, using its stored Status.
    Parameters:
        alias - String containing the alias (hostname:portnumber).

protected String[] getOldErrors()
    Creates a String array, one for each known alias, each containing a list of all the errors for that alias.
    See Also:
        getAliasErrors(String), getErrors(String)

protected String[] getErrors(String host)
    Creates a String array, one for each error for the current connection, using the data in the status field.
    Parameters:
        host - String with the hostname, only used in the error message.
    See Also:
        getOldErrors()
nl.nikhef.slcshttps - Mischa Sallé - msalle(AT)nikhef.nl