nl.nikhef.slcshttps.trust
Class TrustCert

java.lang.Object
  extended by nl.nikhef.slcshttps.trust.TrustCert

public class TrustCert
extends Object

This class contains all fields and methods to check the validity of a certificate chain for use as a trusted server certificate, including storing for reuse.

Version:
0.1
Author:
Mischa Sallé
See Also:
TrustManagerImpl

Nested Class Summary
protected  class TrustCert.Status
          Nested class, contains the status fields relevant for an alias: whether the alias was added for an (in)valid name and/or an (in)valid date; the certchain is not relevant for a specific alias, since it is the same for all aliases.
 
Field Summary
protected  String chainError
          String describing the error causing the chain validation to fail.
protected  int chainErrorIdx
          Index of certificate causing the chain validation to fail.
protected  Date chainFirstDate
          Date representation of the latest notBefore.
protected  int chainFirstIdx
          Index of the certificate with the latest notBefore or -1 for unset.
protected  long chainFirstMSec
          msec representation of the latest notBefore.
protected  Date chainLastDate
          Date representation of the earliest notAfter.
protected  int chainLastIdx
          Index of the certificate with the earliest notAfter or -1 for unset.
protected  long chainLastMSec
          msec representation of the earliest notAfter.
(package private) static HostnameChecker hostnameChecker
          Contains a HostnameChecker used for checking the hostnames.
protected  Hashtable<String,TrustCert.Status> knownAliases
          Contains a list of already seen and accepted aliases (hostname:portnumber) for this certificate chain, with their status at the time they were accepted.
protected  TrustCert.Status status
          Current status of the certificate(chain).
private  X509Certificate x509Cert
          Holds the actual X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]).
private  X509Certificate[] x509Chain
          The certificate chain for the X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]).
 
Constructor Summary
private TrustCert()
          Constructs a default TrustCert.
  TrustCert(X509Certificate[] certChain)
          Constructs a TrustCert from an X509Certificate chain.
 
Method Summary
 void addAlias(String alias)
          Adds the given alias to the list of aliases for this TrustCert.
 boolean checkChain()
          Method to check whether the certificate chain is valid, that is in particular if the whole chain can be followed back to a trusted root certificate.
 boolean checkHostname(String hostName)
          Method to check whether the server certificate is valid for given hostName.
 boolean checkValidity()
          Method to check whether the certificate chain is valid, that is when the current time ≥ the latest not-before in the chain and ≤ the earliest not-after in the chain.
 boolean equals(TrustCert other)
          Equals method, comparing two TrustCerts, which are considered equal when their server certificate (first in chain) is equal.
 boolean equals(X509Certificate other)
          Equals method, comparing the server certificate (first in chain) against an X509Certificate.
protected  String getAliasErrors(String alias)
          Creates a String describing all the errors for given alias, using its stored Status.
protected  String[] getErrors(String host)
          Creates a String array, one for each error for the current connection, using the data in the status field.
protected  String[] getOldErrors()
          Creates a String array, one for each known alias, each containing a list of all the errors for that alias.
 TrustCert.Status getStatus(String alias)
          Method to get the status of a known alias.
 void removeAlias(String alias)
          Removes the given alias from the list of aliases for this TrustCert.
private  void setCertChain(X509Certificate[] certChain)
          Sets the certificate chain for this TrustCert.
protected  void setExtremes()
          Finds the latest not-before time and the earliest not-after time for the certificate chain, thus finding the smallest interval for which the whole chain is valid.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

hostnameChecker

static HostnameChecker hostnameChecker
Contains a HostnameChecker used for checking the hostnames. We can use the same for all checking, hence it's initialized at class initialization, which improves performance.


x509Cert

private X509Certificate x509Cert
Holds the actual X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]). Note that it is equal to the 0th element of x509Chain.


x509Chain

private X509Certificate[] x509Chain
The certificate chain for the X509Certificate, either set using constructor TrustCert(X509Certificate[]) or using setCertChain(X509Certificate[]). Note that x509Chain[0] is equal to x509Cert.


knownAliases

protected Hashtable<String,TrustCert.Status> knownAliases
Contains a list of already seen and accepted aliases (hostname:portnumber) for this certificate chain, with their status at the time they were accepted.


status

protected TrustCert.Status status
Current status of the certificate(chain).


chainFirstIdx

protected int chainFirstIdx
Index of the certificate with the latest notBefore or -1 for unset.


chainFirstDate

protected Date chainFirstDate
Date representation of the latest notBefore.


chainFirstMSec

protected long chainFirstMSec
msec representation of the latest notBefore.


chainLastIdx

protected int chainLastIdx
Index of the certificate with the earliest notAfter or -1 for unset.


chainLastDate

protected Date chainLastDate
Date representation of the earliest notAfter.


chainLastMSec

protected long chainLastMSec
msec representation of the earliest notAfter.


chainErrorIdx

protected int chainErrorIdx
Index of the certificate causing the chain validation to fail. Note that a caught CertPathValidatorException which does not point to a specific certificate reports index -1, so -2 is used here for unset.


chainError

protected String chainError
String describing the error causing the chain validation to fail.

Constructor Detail

TrustCert

private TrustCert()
Constructs a default TrustCert. Its certificate chain can be set using setCertChain(X509Certificate[]).

See Also:
TrustCert(X509Certificate[]).

TrustCert

public TrustCert(X509Certificate[] certChain)
Constructs a TrustCert from an X509Certificate chain.

Parameters:
certChain - X509Certificate[] chain for this TrustCert
Method Detail

setCertChain

private void setCertChain(X509Certificate[] certChain)
Sets the certificate chain for this TrustCert.

Parameters:
certChain - X509Certificate[] chain for this TrustCert
See Also:
TrustCert(X509Certificate[]).

equals

public boolean equals(TrustCert other)
Equals method, comparing two TrustCerts, which are considered equal when their server certificate (first in chain) is equal.

Parameters:
other - Other TrustCert to compare against.
Returns:
boolean indicating whether the first X509Certificate in each chain is equal.
See Also:
equals(X509Certificate)

equals

public boolean equals(X509Certificate other)
Equals method, comparing the server certificate (first in chain) against an X509Certificate.

Parameters:
other - X509Certificate to compare the server certificate (1st in chain) against.
Returns:
boolean indicating whether the server certificate is equal to given X509Certificate.
See Also:
equals(TrustCert)

checkValidity

public boolean checkValidity()
                      throws CertificateException
Method to check whether the certificate chain is valid, that is when the current time ≥ the latest not-before in the chain and ≤ the earliest not-after in the chain. The result is stored in the status field for later usage.

Returns:
boolean indicating whether it is currently valid.
Throws:
CertificateException - if the certchain is not (yet) known.
See Also:
getStatus(String)

checkHostname

public boolean checkHostname(String hostName)
                      throws CertificateException
Method to check whether the server certificate is valid for given hostName. The result is stored in the status field for later usage.

Parameters:
hostName - hostname to check the server certificate against.
Returns:
boolean indicating whether it is valid for given hostname.
Throws:
CertificateException - in case of error (not when certificate is invalid for hostname).
See Also:
HostnameChecker, getStatus(String)

checkChain

public boolean checkChain()
                   throws CertificateException
Method to check whether the certificate chain is valid, that is in particular whether the whole chain can be followed back to a trusted root certificate. It validates the chain at the earliest not-after date of the chain, so that time-validity errors, which checkValidity() covers, do not cause a failure here. Note that if for some reason there is no time at which the entire certificate chain was, is or will be valid, an error is still reported here. The chainError field will contain a (descriptive) error message, or be null if the chain validated.

Returns:
boolean indicating whether it is valid.
Throws:
CertificateException - in case of error (not when certificate is invalid for hostname).
See Also:
CertChainChecker

getStatus

public TrustCert.Status getStatus(String alias)
Method to get the status of a known alias.

Parameters:
alias - String representing the alias for which to get the Status (alias is hostname:portnumber).
Returns:
Status as it was when the certificate/alias was last seen.

addAlias

public void addAlias(String alias)
Adds the given alias to the list of aliases for this TrustCert.

Parameters:
alias - String representing the alias to add (alias is hostname:portnumber).
See Also:
removeAlias(String)

removeAlias

public void removeAlias(String alias)
Removes the given alias from the list of aliases for this TrustCert.

Parameters:
alias - String representing the alias to remove (alias is hostname:portnumber).
See Also:
addAlias(String)

setExtremes

protected void setExtremes()
                    throws CertificateException
Finds the latest not-before time and the earliest not-after time for the certificate chain, thus finding the smallest interval for which the whole chain is valid. It sets the outcome for the former in the fields chainFirstIdx, chainFirstDate and chainFirstMSec and for the latter in the fields chainLastIdx, chainLastDate and chainLastMSec. Both the date and msec representation are stored for performance.

Throws:
CertificateException - when the server certificate or chain is not (yet) set.
See Also:
checkValidity()
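
The interval search that setExtremes() describes, the checkValidity() rule (now ≥ latest notBefore and ≤ earliest notAfter) and the empty-window case checkChain() warns about, as an added Java example that is not part of the slcshttps code; the class and method names ChainInterval, fromDates, fromChain, isEmpty and validAt are assumed here, and the chain dates are constructed.

```java
import java.security.cert.X509Certificate;
import java.util.Date;

/** Added example (not the project's code): the validity window of a whole certificate chain. */
public class ChainInterval {
    /** Index of the cert giving the latest notBefore / earliest notAfter; -1 means unset, as on the page. */
    public int firstIdx = -1, lastIdx = -1;
    public long firstMSec, lastMSec;

    /** Mirrors setExtremes(): one pass over the chain, keeping the tightest bound on each side. */
    static ChainInterval fromDates(Date[] notBefore, Date[] notAfter) {
        ChainInterval iv = new ChainInterval();
        for (int i = 0; i < notBefore.length; i++) {
            long nb = notBefore[i].getTime(), na = notAfter[i].getTime();
            if (iv.firstIdx < 0 || nb > iv.firstMSec) { iv.firstIdx = i; iv.firstMSec = nb; }
            if (iv.lastIdx < 0 || na < iv.lastMSec) { iv.lastIdx = i; iv.lastMSec = na; }
        }
        return iv;
    }

    /** Same computation over a real chain; getNotBefore/getNotAfter are standard X509Certificate methods. */
    static ChainInterval fromChain(X509Certificate[] chain) {
        Date[] nb = new Date[chain.length], na = new Date[chain.length];
        for (int i = 0; i < chain.length; i++) { nb[i] = chain[i].getNotBefore(); na[i] = chain[i].getNotAfter(); }
        return fromDates(nb, na);
    }

    /** The edge case checkChain() mentions: no instant at which every certificate in the chain is valid. */
    boolean isEmpty() { return firstIdx < 0 || firstMSec > lastMSec; }

    /** The checkValidity() rule, evaluated at an arbitrary instant instead of "now". */
    boolean validAt(long msec) { return !isEmpty() && msec >= firstMSec && msec <= lastMSec; }

    public static void main(String[] args) {
        long day = 86_400_000L, t0 = 1_600_000_000_000L;   // constructed reference instant
        // constructed 3-element chain: server cert (0), intermediate (1), root (2)
        Date[] nb = { new Date(t0 - 10 * day), new Date(t0 - 400 * day), new Date(t0 - 3000 * day) };
        Date[] na = { new Date(t0 + 80 * day), new Date(t0 + 30 * day),  new Date(t0 + 5000 * day) };
        ChainInterval iv = ChainInterval.fromDates(nb, na);
        System.out.println("latest notBefore from cert " + iv.firstIdx + ", earliest notAfter from cert " + iv.lastIdx);
        System.out.println("whole chain valid at t0? " + iv.validAt(t0));
        // the intermediate expires before the server cert, so the chain as a whole expires with it
        System.out.println("whole chain valid 31 days later? " + iv.validAt(t0 + 31 * day));
        // constructed disjoint chain: the intermediate expired before the server cert became valid
        Date[] nb2 = { new Date(t0), new Date(t0 - 400 * day) };
        Date[] na2 = { new Date(t0 + 80 * day), new Date(t0 - day) };
        System.out.println("disjoint chain has empty window? " + ChainInterval.fromDates(nb2, na2).isEmpty());
    }
}
```

Because the window is the intersection of all certificates' validity periods, the chain expires with whichever certificate expires first, not with the server certificate alone.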

getAliasErrors

protected String getAliasErrors(String alias)
Creates a String describing all the errors for given alias, using its stored Status.

Parameters:
alias - String containing the alias (hostname:portnumber).
Returns:
String describing all the errors with the certificate chain for given alias.

getOldErrors

protected String[] getOldErrors()
Creates a String array, one for each known alias, each containing a list of all the errors for that alias.

Returns:
String[] one element per alias, each with an error list.
See Also:
getAliasErrors(String), getErrors(String)

getErrors

protected String[] getErrors(String host)
Creates a String array, one for each error for the current connection, using the data in the status field.

Parameters:
host - String with the hostname, only used in the error message.
Returns:
String[] one element per error.
See Also:
getOldErrors()


nl.nikhef.slcshttps Mischa Sallé - msalle(AT)nikhef.nl