/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* A <code>CertStore</code> that retrieves <code>Certificates</code> or
* <code>CRL</code>s from a URI, for example, as specified in an X.509
* AuthorityInformationAccess or CRLDistributionPoint extension.
* <p>
* For CRLs, this implementation retrieves a single DER encoded CRL per URI.
* For Certificates, this implementation retrieves a single DER encoded CRL or
* a collection of Certificates encoded as a PKCS#7 "certs-only" CMS message.
* <p>
* This <code>CertStore</code> also implements Certificate/CRL caching.
* Currently, the cache is shared between all applications in the VM and uses a
* hardcoded policy. The cache has a maximum size of 185 entries, which are held
* by SoftReferences. A request will be satisfied from the cache if we last
* checked for an update within CHECK_INTERVAL (last 30 seconds). Otherwise,
* we open an URLConnection to download the Certificate(s)/CRL using an
* If-Modified-Since request (HTTP) if possible. Note that both positive and
* negative responses are cached, i.e. if we are unable to open the connection
* or the Certificate(s)/CRL cannot be parsed, we remember this result and
* additional calls during the CHECK_INTERVAL period do not try to open another
* connection.
* <p>
* The URICertStore is not currently a standard CertStore type. We should
* consider adding a standard "URI" CertStore type.
*
* @author Andreas Sterbenz
* @author Sean Mullan
* @since 7.0
*/
// interval between checks for update of cached Certificates/CRLs
// (30 seconds)
// size of the cache (see Cache class for sizing recommendations)
// X.509 certificate factory instance
// cached Collection of X509Certificates (may be empty, never null)
// cached X509CRL (may be null)
// time we last checked for an update
private long lastChecked;
// time server returned as last modified time stamp
// or 0 if not available
private long lastModified;
// the URI of this CertStore
// true if URI is ldap
private boolean ldap = false;
/**
* Holder class to lazily load LDAPCertStoreHelper if present.
*/
private static class LDAP {
"sun.security.provider.certpath.ldap.LDAPCertStoreHelper";
new PrivilegedAction<CertStoreHelper>() {
public CertStoreHelper run() {
try {
return (CertStoreHelper)c.newInstance();
} catch (ClassNotFoundException cnf) {
return null;
} catch (InstantiationException e) {
throw new AssertionError(e);
} catch (IllegalAccessException e) {
throw new AssertionError(e);
}
}});
return helper;
}
}
// Default maximum connect timeout in milliseconds (15 seconds)
// allowed when downloading CRLs
/**
* Integer value indicating the connect timeout, in seconds, to be
* used for the CRL download. A timeout of zero is interpreted as
* an infinite timeout.
*/
/**
* Initialize the timeout length by getting the CRL timeout
* system property. If the property has not been set, or if its
* value is negative, set the timeout length to the default.
*/
private static int initializeTimeout() {
new GetIntegerAction("com.sun.security.crl.timeout"));
return DEFAULT_CRL_CONNECT_TIMEOUT;
}
// Convert to milliseconds, as the system property will be
// specified in seconds
return tmp * 1000;
}
/**
* Creates a URICertStore.
*
* @param parameters specifying the URI
*/
super(params);
if (!(params instanceof URICertStoreParameters)) {
throw new InvalidAlgorithmParameterException
("params must be instanceof URICertStoreParameters");
}
// if ldap URI, use an LDAPCertStore to fetch certs and CRLs
throw new NoSuchAlgorithmException("LDAP not present");
ldap = true;
// strip off leading '/'
}
}
try {
} catch (CertificateException e) {
throw new RuntimeException();
}
}
/**
* Returns a URI CertStore. This method consults a cache of
* CertStores (shared per JVM) using the URI as a key.
*/
}
} else {
}
}
return ucs;
}
/**
* Creates a CertStore from information included in the AccessDescription
* object of a certificate's Authority Information Access Extension.
*/
return null;
}
return null;
}
try {
return URICertStore.getInstance
}
return null;
}
}
/**
* Returns a <code>Collection</code> of <code>X509Certificate</code>s that
* match the specified selector. If no <code>X509Certificate</code>s
* match the selector, an empty <code>Collection</code> will be returned.
*
* @param selector a <code>CertSelector</code> used to select which
* <code>X509Certificate</code>s should be returned. Specify
* <code>null</code> to return all <code>X509Certificate</code>s.
* @return a <code>Collection</code> of <code>X509Certificate</code>s that
* match the specified selector
* @throws CertStoreException if an exception occurs
*/
// if ldap URI we wrap the CertSelector in an LDAPCertSelector to
// avoid LDAP DN matching issues (see LDAPCertSelector for more info)
if (ldap) {
try {
} catch (IOException ioe) {
throw new CertStoreException(ioe);
}
// Fetch the certificates via LDAP. LDAPCertStore has its own
// caching mechanism, see the class description for more info.
return (Collection<X509Certificate>)
}
// Return the Certificates for this entry. It returns the cached value
// if it is still current and fetches the Certificates otherwise.
// For the caching details, see the top of this class.
}
}
lastChecked = time;
try {
if (lastModified != 0) {
}
long oldLastModified = lastModified;
if (oldLastModified != 0) {
if (oldLastModified == lastModified) {
}
} else if (connection instanceof HttpURLConnection) {
// some proxy servers omit last modified
if (hconn.getResponseCode()
}
}
}
}
}
} catch (IOException e) {
e.printStackTrace();
}
} catch (CertificateException e) {
e.printStackTrace();
}
} finally {
try {
} catch (IOException e) {
// ignore
}
}
}
// exception, forget previous values
lastModified = 0;
return certs;
}
/**
* Iterates over the specified Collection of X509Certificates and
* returns only those that match the criteria specified in the
* CertSelector.
*/
// if selector not specified, all certs match
return certs;
}
}
}
return matchedCerts;
}
/**
* Returns a <code>Collection</code> of <code>X509CRL</code>s that
* match the specified selector. If no <code>X509CRL</code>s
* match the selector, an empty <code>Collection</code> will be returned.
*
* @param selector A <code>CRLSelector</code> used to select which
* <code>X509CRL</code>s should be returned. Specify <code>null</code>
* to return all <code>X509CRL</code>s.
* @return A <code>Collection</code> of <code>X509CRL</code>s that
* match the specified selector
* @throws CertStoreException if an exception occurs
*/
throws CertStoreException {
// if ldap URI we wrap the CRLSelector in an LDAPCRLSelector to
// avoid LDAP DN matching issues (see LDAPCRLSelector for more info)
if (ldap) {
try {
} catch (IOException ioe) {
throw new CertStoreException(ioe);
}
// Fetch the CRLs via LDAP. LDAPCertStore has its own
// caching mechanism, see the class description for more info.
}
// Return the CRLs for this entry. It returns the cached value
// if it is still current and fetches the CRLs otherwise.
// For the caching details, see the top of this class.
}
}
lastChecked = time;
try {
if (lastModified != 0) {
}
long oldLastModified = lastModified;
if (oldLastModified != 0) {
if (oldLastModified == lastModified) {
}
} else if (connection instanceof HttpURLConnection) {
// some proxy servers omit last modified
if (hconn.getResponseCode()
}
}
}
}
}
} catch (IOException e) {
e.printStackTrace();
}
} catch (CRLException e) {
e.printStackTrace();
}
} finally {
try {
} catch (IOException e) {
// ignore
}
}
}
// exception, forget previous values
lastModified = 0;
}
/**
* Checks if the specified X509CRL matches the criteria specified in the
* CRLSelector.
*/
} else {
}
}
/**
* CertStoreParameters for the URICertStore.
*/
}
if (!(obj instanceof URICertStoreParameters)) {
return false;
}
}
public int hashCode() {
if (hashCode == 0) {
int result = 17;
}
return hashCode;
}
try {
return super.clone();
} catch (CloneNotSupportedException e) {
/* Cannot happen */
throw new InternalError(e.toString());
}
}
}
/**
* This class allows the URICertStore to be accessed as a CertStore.
*/
}
}
}