Certificates and CRLs
* from a repository.
*
* This class uses a provider-based architecture, as described in the
* Java Cryptography Architecture.
* To create a CertStore, call one of the static
* getInstance methods, passing in the type of
* CertStore desired, any applicable initialization parameters
* and optionally the name of the provider desired.
*
* Once the CertStore has been created, it can be used to
* retrieve Certificates and CRLs by calling its
* {@link #getCertificates(CertSelector selector) getCertificates} and
* {@link #getCRLs(CRLSelector selector) getCRLs} methods.
*
* Unlike a {@link java.security.KeyStore KeyStore}, which provides access
* to a cache of private keys and trusted certificates, a
* CertStore is designed to provide access to a potentially
* vast repository of untrusted certificates and CRLs. For example, an LDAP
* implementation of CertStore provides access to certificates
* and CRLs stored in one or more directories using the LDAP protocol and the
* schema as defined in the RFC service attribute. See Appendix A in the
*
* Java Certification Path API Programmer's Guide for more information about
* standard CertStore types.
*
* Concurrent Access *
* All public methods of CertStore objects must be thread-safe.
* That is, multiple threads may concurrently invoke these methods on a
* single CertStore object (or more than one) with no
* ill effects. This allows a CertPathBuilder to search for a
* CRL while simultaneously searching for further certificates, for instance.
*
* The static methods of this class are also guaranteed to be thread-safe. * Multiple threads may concurrently invoke the static methods defined in * this class with no ill effects. * * @version 1.13 06/28/04 * @since 1.4 * @author Sean Mullan, Steve Hanna */ public class CertStore { /* * Constant to lookup in the Security properties file to determine * the default certstore type. In the Security properties file, the * default certstore type is given as: *
* certstore.type=LDAP
*
*/
private static final String CERTSTORE_TYPE = "certstore.type";
private CertStoreSpi storeSpi;
private Provider provider;
private String type;
private CertStoreParameters params;
/**
* Creates a CertStore object of the given type, and
* encapsulates the given provider implementation (SPI object) in it.
*
* @param storeSpi the provider implementation
* @param provider the provider
* @param type the type
* @param params the initialization parameters (may be null)
*/
protected CertStore(CertStoreSpi storeSpi, Provider provider,
String type, CertStoreParameters params) {
this.storeSpi = storeSpi;
this.provider = provider;
this.type = type;
if (params != null)
this.params = (CertStoreParameters) params.clone();
}
/**
* Returns a Collection of Certificates that
* match the specified selector. If no Certificates
* match the selector, an empty Collection will be returned.
*
* For some CertStore types, the resulting
* Collection may not contain all of the
* Certificates that match the selector. For instance,
* an LDAP CertStore may not search all entries in the
* directory. Instead, it may just search entries that are likely to
* contain the Certificates it is looking for.
*
* Some CertStore implementations (especially LDAP
* CertStores) may throw a CertStoreException
* unless a non-null CertSelector is provided that
* includes specific criteria that can be used to find the certificates.
* Issuer and/or subject names are especially useful criteria.
*
* @param selector A CertSelector used to select which
* Certificates should be returned. Specify null
* to return all Certificates (if supported).
* @return A Collection of Certificates that
* match the specified selector (never null)
* @throws CertStoreException if an exception occurs
*/
public final Collection getCertificates
(CertSelector selector) throws CertStoreException {
return storeSpi.engineGetCertificates(selector);
}
/**
* Returns a Collection of CRLs that
* match the specified selector. If no CRLs
* match the selector, an empty Collection will be returned.
*
* For some CertStore types, the resulting
* Collection may not contain all of the
* CRLs that match the selector. For instance,
* an LDAP CertStore may not search all entries in the
* directory. Instead, it may just search entries that are likely to
* contain the CRLs it is looking for.
*
* Some CertStore implementations (especially LDAP
* CertStores) may throw a CertStoreException
* unless a non-null CRLSelector is provided that
* includes specific criteria that can be used to find the CRLs.
* Issuer names and/or the certificate to be checked are especially useful.
*
* @param selector A CRLSelector used to select which
* CRLs should be returned. Specify null
* to return all CRLs (if supported).
* @return A Collection of CRLs that
* match the specified selector (never null)
* @throws CertStoreException if an exception occurs
*/
public final Collection getCRLs(CRLSelector selector)
throws CertStoreException {
return storeSpi.engineGetCRLs(selector);
}
/**
* Returns a CertStore object that implements the specified
* CertStore type and is initialized with the specified
* parameters.
*
*
If the default provider package provides an implementation
* of the specified CertStore type, an instance of
* CertStore containing that implementation is returned.
* If the requested type is not available in the default package, other
* packages are searched.
*
*
The CertStore that is returned is initialized with the
* specified CertStoreParameters. The type of parameters
* needed may vary between different types of CertStores.
* Note that the specified CertStoreParameters object is
* cloned.
*
* @param type the name of the requested CertStore type
* @param params the initialization parameters (may be null)
* @return a CertStore object that implements the specified
* CertStore type
* @throws NoSuchAlgorithmException if the requested type is not
* available in the default provider package or any of the other provider
* packages that were searched
* @throws InvalidAlgorithmParameterException if the specified
* initialization parameters are inappropriate for this
* CertStore
*/
public static CertStore getInstance(String type, CertStoreParameters params)
throws InvalidAlgorithmParameterException,
NoSuchAlgorithmException {
try {
Instance instance = GetInstance.getInstance("CertStore",
CertStoreSpi.class, type, params);
return new CertStore((CertStoreSpi)instance.impl,
instance.provider, type, params);
} catch (NoSuchAlgorithmException e) {
return handleException(e);
}
}
private static CertStore handleException(NoSuchAlgorithmException e)
throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
Throwable cause = e.getCause();
if (cause instanceof InvalidAlgorithmParameterException) {
throw (InvalidAlgorithmParameterException)cause;
}
throw e;
}
/**
* Returns a CertStore object that implements the specified
* CertStore type, as supplied by the specified provider
* and initialized with the specified parameters.
*
*
The CertStore that is returned is initialized with the
* specified CertStoreParameters. The type of parameters
* needed may vary between different types of CertStores.
* Note that the specified CertStoreParameters object is
* cloned.
*
* @param type the requested CertStore type
* @param params the initialization parameters (may be null)
* @param provider the name of the provider
* @return a CertStore object that implements the
* specified type, as supplied by the specified provider
* @throws NoSuchAlgorithmException if the requested type is not
* available from the specified provider
* @throws InvalidAlgorithmParameterException if the specified
* initialization parameters are inappropriate for this
* CertStore
* @throws NoSuchProviderException if the provider has not been configured
* @exception IllegalArgumentException if the provider is
* null
*/
public static CertStore getInstance(String type,
CertStoreParameters params, String provider)
throws InvalidAlgorithmParameterException,
NoSuchAlgorithmException, NoSuchProviderException {
try {
Instance instance = GetInstance.getInstance("CertStore",
CertStoreSpi.class, type, params, provider);
return new CertStore((CertStoreSpi)instance.impl,
instance.provider, type, params);
} catch (NoSuchAlgorithmException e) {
return handleException(e);
}
}
/**
* Returns a CertStore object that implements the specified
* CertStore type, as supplied by the specified provider and
* initialized with the specified parameters.
* Note: the provider doesn't have to be registered.
*
*
The CertStore that is returned is initialized with the
* specified CertStoreParameters. The type of parameters
* needed may vary between different types of CertStores.
* Note that the specified CertStoreParameters object is
* cloned.
*
* @param type the requested CertStore type
* @param params the initialization parameters (may be null)
* @param provider the provider
* @return a CertStore object that implements the
* specified type, as supplied by the specified provider
* @exception NoSuchAlgorithmException if the requested type is not
* available from the specified provider
* @throws InvalidAlgorithmParameterException if the specified
* initialization parameters are inappropriate for this
* CertStore
* @exception IllegalArgumentException if the provider is
* null
*/
public static CertStore getInstance(String type, CertStoreParameters params,
Provider provider) throws NoSuchAlgorithmException,
InvalidAlgorithmParameterException {
try {
Instance instance = GetInstance.getInstance("CertStore",
CertStoreSpi.class, type, params, provider);
return new CertStore((CertStoreSpi)instance.impl,
instance.provider, type, params);
} catch (NoSuchAlgorithmException e) {
return handleException(e);
}
}
/**
* Returns the parameters used to initialize this CertStore.
* Note that the CertStoreParameters object is cloned before
* it is returned.
*
* @return the parameters used to initialize this CertStore
* (may be null)
*/
public final CertStoreParameters getCertStoreParameters() {
return (params == null ? null : (CertStoreParameters) params.clone());
}
/**
* Returns the type of this CertStore.
*
* @return the type of this CertStore
*/
public final String getType() {
return this.type;
}
/**
* Returns the provider of this CertStore.
*
* @return the provider of this CertStore
*/
public final Provider getProvider() {
return this.provider;
}
/**
* Returns the default CertStore type as specified in the
* Java security properties file, or the string "LDAP" if no
* such property exists. The Java security properties file is located in
* the file named <JAVA_HOME>/lib/security/java.security, where
* <JAVA_HOME> refers to the directory where the JDK was installed.
*
*
The default CertStore type can be used by applications
* that do not want to use a hard-coded type when calling one of the
* getInstance methods, and want to provide a default
* CertStore type in case a user does not specify its own.
*
*
The default CertStore type can be changed by setting
* the value of the "certstore.type" security property (in the Java
* security properties file) to the desired type.
*
* @return the default CertStore type as specified in the
* Java security properties file, or the string "LDAP"
* if no such property exists.
*/
public final static String getDefaultType() {
String cstype;
cstype = (String)AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
return Security.getProperty(CERTSTORE_TYPE);
}
});
if (cstype == null) {
cstype = "LDAP";
}
return cstype;
}
}