Package nl.nikhef.slcshttps.trust

This package provides classes to interactively let the user accept or refuse invalid server certificates in a way similar to the behaviour of modern web browsers.

Interface Summary
HttxURLConnection.HttxClientCommunicator - Interface for HttxURLConnection communication about client certificate expiration.
TrustManagerImpl.TrustCommunicator - Interface for TrustManagerImpl communication with the user.
 

Class Summary
CertChainChecker - Static class to validate an X509Certificate chain.
HostnameChecker - Class to check whether a certain certificate is valid for a certain hostname, using either the TLS or the LDAP scheme.
HttxURLConnection - This class extends HttpsURLConnection so that it can use a TrustManager that not only checks the certificate chain but also the hostname against the server certificate.
HttxURLConnection.StdioComm - This implementation uses only stdio/stderr for I/O.
TrustCert - This class contains all fields and methods to check the validity of a certificate chain for use as a trusted server certificate, including storing it for reuse.
TrustManagerImpl - This class implements an X509TrustManager which asks the user for confirmation when something is wrong and in this process also checks whether the hostname is valid for the certificate chain.
TrustManagerImpl.StdioComm - This implementation uses only stdio/stderr for I/O.
 

Package nl.nikhef.slcshttps.trust Description

This package provides classes to interactively let the user accept or refuse invalid server certificates in a way similar to the behaviour of modern web browsers. Customizing the checking of server certificates is normally done in Java by implementing both a HostnameVerifier and an X509TrustManager. The HostnameVerifier is responsible for matching the hostname of the server against the server certificate, while the TrustManager does the various checks on the validity of the certificate chain. A HostnameVerifier implementation cannot do both, since its verify() method is only called when the hostname does not match. On the other hand, an (X509)TrustManager implementation does not get the hostname of the server. Since we want the user to get only one prompt upon error, we extend HttpsURLConnection into HttxURLConnection, which sets static hostname and port fields inside the TrustManagerImpl class. Note that this means HttxURLConnection is not thread-safe, but thread safety is hard to achieve in any case, since the set of already accepted certificates should be global across threads. All checks are now done using only the TrustManager, which internally uses HostnameChecker and CertChainChecker for this.
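The description above passes the hostname through static fields because a plain X509TrustManager never sees it. The following is an added example (written for this page, not code from the nl.nikhef.slcshttps.trust package) of the same one-prompt design using only standard javax.net.ssl APIs: since Java 7, X509ExtendedTrustManager receives the SSLSocket or SSLEngine, so the peer host can be read from the handshake session instead. The class name PromptingTrustManager, the Prompt interface and the stdio() method are assumptions of this example, standing in for the package's TrustCommunicator and StdioComm classes.

```java
// Added example, not code from nl.nikhef.slcshttps.trust: one trust manager that checks the
// chain with the JDK's default PKIX manager, matches the host against SAN dNSName entries,
// and asks the user at most once when either check fails. Prompt/stdio() are hypothetical
// stand-ins for the package's TrustCommunicator and StdioComm classes.
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public final class PromptingTrustManager extends X509ExtendedTrustManager {
    /** Hypothetical user-facing hook: return true to accept the certificate anyway. */
    public interface Prompt { boolean accept(String host, X509Certificate leaf, String reason); }

    // Accepted host|certificate pairs; static because, as the package description notes,
    // the set of already accepted certificates should be global across threads.
    private static final Set<String> ACCEPTED = Collections.synchronizedSet(new HashSet<>());

    private final X509TrustManager pkix;   // JDK default chain validation
    private final Prompt prompt;

    public PromptingTrustManager(Prompt prompt) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);         // null = the JVM's default trust store (cacerts)
        this.pkix = (X509TrustManager) Arrays.stream(tmf.getTrustManagers())
                .filter(tm -> tm instanceof X509TrustManager).findFirst()
                .orElseThrow(() -> new GeneralSecurityException("no X509TrustManager available"));
        this.prompt = prompt;
    }

    // The Java 7+ X509ExtendedTrustManager entry points receive the socket or engine, so the
    // peer host can be read from the handshake instead of from static hostname/port fields.
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        SSLSession s = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        check(chain, authType, s == null ? null : s.getPeerHost());
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        check(chain, authType, engine.getPeerHost());
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain, authType, null);      // legacy entry point: host unknown, so it cannot match
    }

    /** Chain check first, then hostname check; the user is consulted at most once per connection. */
    private void check(X509Certificate[] chain, String authType, String host) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        X509Certificate leaf = chain[0];
        String key = host + "|" + Base64.getEncoder().encodeToString(leaf.getEncoded());
        if (ACCEPTED.contains(key)) return;  // this exact certificate was already accepted for this host
        String reason = null;
        try {
            pkix.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            reason = "chain not trusted: " + e.getMessage();
        }
        if (reason == null && (host == null || !hostMatches(leaf, host))) {
            reason = "certificate is not valid for host " + host;
        }
        if (reason == null) return;
        if (!prompt.accept(host, leaf, reason)) throw new CertificateException(reason);
        ACCEPTED.add(key);
    }

    /** Matches host against SAN dNSName entries: exact, or a single left-most "*." label; no CN fallback. */
    static boolean hostMatches(X509Certificate cert, String host) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue;   // GeneralName type 2 = dNSName
            String pattern = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (pattern.equals(h)) return true;
            int dot = h.indexOf('.');                                // "*.example.org" matches "www.example.org"
            if (pattern.startsWith("*.") && pattern.indexOf('*', 1) < 0
                    && dot > 0 && h.substring(dot).equals(pattern.substring(1))) return true;
        }
        return false;
    }

    /** Stdio prompt in the spirit of the package's StdioComm classes (hypothetical). */
    public static Prompt stdio() {
        return (host, leaf, reason) -> {
            System.err.println("WARNING for " + host + ": " + reason);
            System.err.println("  subject: " + leaf.getSubjectX500Principal() + ", expires " + leaf.getNotAfter());
            System.err.print("Accept this certificate anyway? [y/N] ");
            return new Scanner(System.in).nextLine().trim().equalsIgnoreCase("y");
        };
    }

    // Client certificates are not this class's job: refuse rather than silently accept.
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("server certificates only"); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { throw new CertificateException("server certificates only"); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { throw new CertificateException("server certificates only"); }
    @Override public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
}
```

To use it with HttpsURLConnection, initialise an SSLContext with `new TrustManager[] { new PromptingTrustManager(PromptingTrustManager.stdio()) }` and install `ctx.getSocketFactory()` on the connection. Two design points matter: acceptance is remembered per (host, exact certificate) rather than per host, so a different certificate presented later for the same host prompts again; and HttpsURLConnection still runs its own hostname comparison after the handshake and calls the connection's HostnameVerifier on a mismatch, so a HostnameVerifier that consults the same accepted set is needed to keep the user at a single prompt, as the package description requires.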

Since:
0.1
See Also:
nl.nikhef.slcshttps, http://www.nikhef.nl/pub/projects/grid/slcshttps/


nl.nikhef.slcshttps Mischa Sallé - msalle(AT)nikhef.nl