Class PlainCRLStoreSpi

  • Direct Known Subclasses:
    OpensslCRLStoreSpi

    public class PlainCRLStoreSpi
    extends AbstractCRLStoreSPI
    Handles an in-memory CRL store.

    CRLs may be provided as URLs or local files. If the CRL is provided as a local file (i.e. is not an absolute URL) then it can contain wildcard characters ('*', '?'). In case of wildcard locations, the actual file list is regenerated on each update.

    All CRLs are loaded and parsed to establish CA->CRL mapping. This mapping is updated after the updateInterval time is passed.

    Faulty CRL locations together with the respective errors can be obtained by using a listener.

    It is possible to pass more then one location of CRLs of the same CA.

    The class is implemented in an asynchronous mode: CRLs are resolved on regular intervals (or only once on startup). The CRL searching is independent of the updates. It can block to download, read and subsequently parse a CRL if it is not present in the in-memory cache.

    CRLs downloaded from a remote URL (http or ftp) can be cached on a local disk. If the update task can not download the CRL which was previously cached on disk, then the version from disk is returned.

    This class is thread safe.

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      private static class  PlainCRLStoreSpi.CRLAsyncUpdateTask
      This class follows a quite advanced but important pattern: - it is static so there is no hidden reference from it to the wrapping class - instead it has a weak reference to the wrapping object - when the weak reference is nullified, it means that the wrapping object was discarded by the GC and is no more usable: in this case the update task is automatically stopped.
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected void addCRL​(java.security.cert.X509CRL crl, java.net.URL location)  
      void dispose()
      After calling this method no notification will be produced and subsequent updates won't be scheduled.
      protected java.util.Collection<java.security.cert.X509CRL> getCRLForIssuer​(javax.security.auth.x500.X500Principal issuer)  
      protected java.util.Collection<java.security.cert.X509CRL> getCRLWithMatcher​(java.security.cert.CRLSelector selectorRaw)  
      java.util.List<java.lang.String> getLocations()  
      private java.security.cert.X509CRL getOrLoadCRL​(java.net.URL location)  
      long getUpdateInterval()  
      protected java.security.cert.X509CRL loadCRL​(java.net.URL url)  
      private java.security.cert.X509CRL loadCrlWrapper​(java.io.InputStream is)
      Wrapper as BC provider in some cases returns null instead of exception when there are problems.
      protected java.security.cert.X509CRL reloadCRL​(java.net.URL location)  
      private void reloadCRLs​(java.util.Collection<java.net.URL> locations)
      For all URLs tries to load a CRL
      private void removeStaleIssuerMapping()
      Removes those mappings which are for the not known locations.
      private void scheduleUpdate()  
      void setUpdateInterval​(long newInterval)  
      void start()
      Initiates the store operation (the initial update and subsequent refreshes)
      private void update()
      1.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • timer

        private java.util.Timer timer
      • intervalLock

        private java.lang.Object intervalLock
      • ca2location

        private java.util.Map<javax.security.auth.x500.X500Principal,​java.util.Set<java.net.URL>> ca2location
      • loadedCRLs

        private java.util.Map<java.net.URL,​java.lang.ref.SoftReference<java.security.cert.X509CRL>> loadedCRLs
    • Constructor Detail

      • PlainCRLStoreSpi

        public PlainCRLStoreSpi​(CRLParameters params,
                                java.util.Timer t,
                                ObserversHandler observers)
                         throws java.security.InvalidAlgorithmParameterException
        Creates a new CRL store. The store will be empty until the start() method is called.
        Parameters:
        params - CRL parameters
        t - timer
        observers - observers handler
        Throws:
        java.security.InvalidAlgorithmParameterException - invalid algorithm parameter exception
    • Method Detail

      • start

        public void start()
        Initiates the store operation (the initial update and subsequent refreshes)
      • loadCRL

        protected java.security.cert.X509CRL loadCRL​(java.net.URL url)
                                              throws java.io.IOException,
                                                     java.security.cert.CRLException,
                                                     java.net.URISyntaxException
        Throws:
        java.io.IOException
        java.security.cert.CRLException
        java.net.URISyntaxException
      • loadCrlWrapper

        private java.security.cert.X509CRL loadCrlWrapper​(java.io.InputStream is)
                                                   throws java.io.IOException,
                                                          java.security.cert.CRLException
        Wrapper as BC provider in some cases returns null instead of exception when there are problems.
        Parameters:
        is - input stream
        Returns:
        generated CRL
        Throws:
        java.io.IOException - IO exception
        java.security.cert.CRLException - CRL exception
      • getLocations

        public java.util.List<java.lang.String> getLocations()
      • getUpdateInterval

        public long getUpdateInterval()
      • removeStaleIssuerMapping

        private void removeStaleIssuerMapping()
        Removes those mappings which are for the not known locations. Happens when a file was removed from a wildcard listing.
      • reloadCRLs

        private void reloadCRLs​(java.util.Collection<java.net.URL> locations)
        For all URLs tries to load a CRL
      • reloadCRL

        protected java.security.cert.X509CRL reloadCRL​(java.net.URL location)
      • addCRL

        protected void addCRL​(java.security.cert.X509CRL crl,
                              java.net.URL location)
      • update

        private void update()
        1. work only if updateNeeded() 2. for all wildcards refresh file lists 3. remove the locations not valid anymore 4. for all location URLs try to get the CRL 5. update timestamp 6. schedule the next update if enabled
      • scheduleUpdate

        private void scheduleUpdate()
      • getOrLoadCRL

        private java.security.cert.X509CRL getOrLoadCRL​(java.net.URL location)
      • getCRLForIssuer

        protected java.util.Collection<java.security.cert.X509CRL> getCRLForIssuer​(javax.security.auth.x500.X500Principal issuer)
        Specified by:
        getCRLForIssuer in class AbstractCRLStoreSPI
      • getCRLWithMatcher

        protected java.util.Collection<java.security.cert.X509CRL> getCRLWithMatcher​(java.security.cert.CRLSelector selectorRaw)
        Specified by:
        getCRLWithMatcher in class AbstractCRLStoreSPI
      • dispose

        public void dispose()
        After calling this method no notification will be produced and subsequent updates won't be scheduled. However one next update may be run.
        Specified by:
        dispose in class AbstractCRLStoreSPI