Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

de.fhg.igd.semoa.net
Class SSLTrustManager

java.lang.Object
  extended byde.fhg.igd.semoa.net.SSLTrustManager
All Implemented Interfaces:
TrustManager, X509TrustManager
public class SSLTrustManager
extends Object
implements X509TrustManager

SSLTrustManager implements the X509TrustManager class from java ssl package. This is unavoidable in order to redirect the certificate verification by the KeyMaster class. Keep in mind, that logging to System.out or System.err is not possible within callback methods, because data would be transfered over SSL stream!

Version:
"$Id: SSLTrustManager.java 1913 2007-08-08 02:41:53Z jpeters $"
Author:
Stivens Milic, Jan Peters

Field Summary
private  Set acceptedSubjects_
          A certificate, which has successfully been verified, will be accepted by checkClientTrusted resp.
static String AUTH_TYPE
          The variable AUTH_TYPE determine authentication type used in SSL process.
protected  int flag_
          The flag identifying the type of trust checks which are made when checkClientTrusted or checkClientTrusted is called.
private  String id_
          The id used to identify error messages.
static int ISSUER_TRUST_CHECK
          When checkClientTrusted or checkServerTrusted is called, the given certificate chain is verified and the root CA certificate is validated against the trusted certificates of the KeyMaster.
private  KeyMaster keymaster_
          The KeyMaster.
private  long lastFetch_
          The time at which the key master reference was fetched last.
private  Object lock_
          A private lock object to synchronize on.
private static Logger log_
          The Logger instance for this class
static int NO_TRUST_CHECK
          No trust check is done at all, when checkClientTrusted or checkServerTrusted is called.
static int SUBJECT_TRUST_CHECK
          In addition to the checks made when flag_ is ISSUER_TRUST_CHECK, the subject DN of the given certificate is compared against a given set of acceptedSubjects_.
 
Constructor Summary
SSLTrustManager()
          Default constructor.
SSLTrustManager(String id, int flag)
          Constructor to create a class instance initiated with the given logging identifier and trust management flag.
SSLTrustManager(String id, Principal[] acceptedSubjects)
          Constructor to create a class instance initiated with the given loggin identifier and set of subjects to accept during trust checks.
 
Method Summary
 void checkClientTrusted(X509Certificate[] chain, String authType)
          This Method implements checkClientTrusted() method from X509TrustManager.
 void checkServerTrusted(X509Certificate[] chain, String authType)
          This Method implements checkServerTrusted() method from X509TrustManager.
protected  void checkTrusted(X509Certificate[] chain, String authType)
          This Method implements checkServerTrusted() method from X509TrustManager.
 X509Certificate[] getAcceptedIssuers()
          Returns a chain of trusted X509Certificates from the Keymaster.
 Principal[] getAcceptedSubjects()
          Returns trusted certificate subjects DN as restriction in addition to the accepted issuers list.
private  KeyMaster getKeyMaster()
          Returns a reference to the key master.
 int getTrustManagementType()
          Returns the type of trust manangement checks made.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

log_

private static Logger log_
The Logger instance for this class

NO_TRUST_CHECK

public static final int NO_TRUST_CHECK
No trust check is done at all, when checkClientTrusted or checkServerTrusted is called. Neither the given certificate chain is verified.

See Also:
Constant Field Values

ISSUER_TRUST_CHECK

public static final int ISSUER_TRUST_CHECK
When checkClientTrusted or checkServerTrusted is called, the given certificate chain is verified and the root CA certificate is validated against the trusted certificates of the KeyMaster.

See Also:
Constant Field Values

SUBJECT_TRUST_CHECK

public static final int SUBJECT_TRUST_CHECK
In addition to the checks made when flag_ is ISSUER_TRUST_CHECK, the subject DN of the given certificate is compared against a given set of acceptedSubjects_.

See Also:
Constant Field Values

AUTH_TYPE

public static final String AUTH_TYPE
The variable AUTH_TYPE determine authentication type used in SSL process. This authentication type is determined by the actual certificate used.

See Also:
Constant Field Values

lock_

private Object lock_
A private lock object to synchronize on.

keymaster_

private KeyMaster keymaster_
The KeyMaster.

acceptedSubjects_

private Set acceptedSubjects_
A certificate, which has successfully been verified, will be accepted by checkClientTrusted resp. checkClientTrusted, iff this set is null, or the corresponding subject DN is element of this set.

lastFetch_

private long lastFetch_
The time at which the key master reference was fetched last.

id_

private String id_
The id used to identify error messages.

flag_

protected int flag_
The flag identifying the type of trust checks which are made when checkClientTrusted or checkClientTrusted is called.

Constructor Detail

SSLTrustManager

public SSLTrustManager()
Default constructor. The default setting SSLMasterImpl.DEFAULT_ID and ISSUER_TRUST_CHECK are used for the created class instance.

SSLTrustManager

public SSLTrustManager(String id,
                       int flag)
Constructor to create a class instance initiated with the given logging identifier and trust management flag. The following flags are allowed: NO_TRUST_CHECK, ISSUER_TRUST_CHECK.

Parameters:
id - logging identifier.
flag - trust management flag.

SSLTrustManager

public SSLTrustManager(String id,
                       Principal[] acceptedSubjects)
Constructor to create a class instance initiated with the given loggin identifier and set of subjects to accept during trust checks. The internal trust management flag is automatically set to SUBJECT_TRUST_CHECK.

Parameters:
id - logging indentifier.
acceptedSubjects - the subject DNs to accept during trust checks.
Method Detail

getKeyMaster

private KeyMaster getKeyMaster()
Returns a reference to the key master. This is a convenience method which only re-fetches the key master if it changed since the last fetch (which is not likely to happen anyway).

Returns:
The reference to the KeyMaster.

getTrustManagementType

public int getTrustManagementType()
Returns the type of trust manangement checks made.

Returns:
the type of trust manangement checks made.

getAcceptedSubjects

public Principal[] getAcceptedSubjects()
Returns trusted certificate subjects DN as restriction in addition to the accepted issuers list.

Returns:
The trusted subjects, or null, if there is no restriction according to the certificates subject DN.

getAcceptedIssuers

public X509Certificate[] getAcceptedIssuers()
Returns a chain of trusted X509Certificates from the Keymaster. It implements getAcceptedIssuers() from X509TrustManager.

Specified by:
getAcceptedIssuers in interface X509TrustManager
Returns:
Trusted certificates chain of X509Certificate.

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException
This Method implements checkClientTrusted() method from X509TrustManager. To verify the client certificate chain the checkServerTrusted method is called.

Specified by:
checkClientTrusted in interface X509TrustManager
Parameters:
chain - X509Certificate chain to be verified.
authType - authorisation type
Throws:
CertificateException - if the certificate chain is not trusted by this TrustManager

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException
This Method implements checkServerTrusted() method from X509TrustManager. To verify the server certificate chain the KeyMaster is used.

Specified by:
checkServerTrusted in interface X509TrustManager
Parameters:
chain - X509Certificate chain to be verified.
Throws:
CertificateException - if the certificate chain is not trusted by this TrustManager

checkTrusted

protected void checkTrusted(X509Certificate[] chain,
                            String authType)
                     throws CertificateException
This Method implements checkServerTrusted() method from X509TrustManager. To verify the server certificate chain and validate root CA issuer the KeyMaster is used.

Parameters:
chain - X509Certificate chain to be verified.
Throws:
CertificateException - if the certificate chain is not trusted by this TrustManager
Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © Fraunhofer Gesellschaft. All Rights Reserved.