org.bouncycastle.x509.util
Class LDAPStoreHelper

java.lang.Object
  extended by org.bouncycastle.x509.util.LDAPStoreHelper

public class LDAPStoreHelper
extends java.lang.Object

This is a general purpose implementation to get X.509 certificates, CRLs, attribute certificates and cross certificates from an LDAP location.

At first a search is performed in the ldap*AttributeNames of the X509LDAPCertStoreParameters using the subject information (for all kinds of certificates) or the issuer information (for CRLs), respectively, provided an X509CertStoreSelector or X509AttributeCertificate carrying those details is given.

For the used schemes see:
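Added usage example (not from the Bouncy Castle documentation or source) for the legacy org.bouncycastle.x509 API this page documents: it drives the subject search through getUserCertificates and the issuer search through getCertificateRevocationLists, then accepts only certificates that verify against a caller-supplied trust anchor, since the directory is merely a retrieval channel and its contents are not authenticated. The LDAP URL and base DN are placeholder values, and the X509LDAPCertStoreParameters.Builder usage is assumed from the org.bouncycastle.jce package rather than taken from this page.

```java
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.jce.X509LDAPCertStoreParameters;
import org.bouncycastle.x509.X509CRLStoreSelector;
import org.bouncycastle.x509.X509CertStoreSelector;
import org.bouncycastle.x509.util.LDAPStoreHelper;

public class LdapUserCertLookup {

    // Placeholder directory location (assumption, not a value from the documentation).
    static final String LDAP_URL = "ldap://ldap.example.test:389";
    static final String BASE_DN = "o=Example";

    /**
     * Fetches end-entity certificates for the subject and keeps only those that are
     * signed by the trusted CA, currently valid, and not listed on a CRL that itself
     * verifies against the CA key. Anything the directory returns is untrusted input.
     */
    public static List<X509Certificate> trustedUserCerts(X500Principal subject,
                                                         X509Certificate trustedCa) throws Exception {
        X509LDAPCertStoreParameters params =
                new X509LDAPCertStoreParameters.Builder(LDAP_URL, BASE_DN).build();
        LDAPStoreHelper helper = new LDAPStoreHelper(params);

        // The subject is what the helper matches against the ldap*AttributeNames.
        X509CertStoreSelector certSel = new X509CertStoreSelector();
        certSel.setSubject(subject);
        Collection<?> candidates = helper.getUserCertificates(certSel);

        // CRLs are located by issuer; keep only CRLs actually signed by our CA.
        X509CRLStoreSelector crlSel = new X509CRLStoreSelector();
        crlSel.addIssuer(trustedCa.getSubjectX500Principal());
        List<X509CRL> crls = new ArrayList<>();
        for (Object o : helper.getCertificateRevocationLists(crlSel)) {
            X509CRL crl = (X509CRL) o;
            try { crl.verify(trustedCa.getPublicKey()); crls.add(crl); }
            catch (Exception e) { /* not signed by the trusted CA: discard */ }
        }

        List<X509Certificate> accepted = new ArrayList<>();
        for (Object o : candidates) {
            X509Certificate cert = (X509Certificate) o;
            try {
                cert.verify(trustedCa.getPublicKey()); // signature chains to the anchor
                cert.checkValidity();                  // inside notBefore/notAfter
            } catch (Exception e) { continue; }        // unverifiable: discard
            boolean revoked = false;
            for (X509CRL crl : crls) if (crl.isRevoked(cert)) revoked = true;
            if (!revoked) accepted.add(cert);
        }
        return accepted;
    }
}
```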


Field Summary
private  java.util.Map cacheMap
           
private static int cacheSize
           
private static java.lang.String LDAP_PROVIDER
          Initial Context Factory.
private static long lifeTime
           
private  X509LDAPCertStoreParameters params
           
private static java.lang.String REFERRALS_IGNORE
          Processing of referrals.
private static java.lang.String SEARCH_SECURITY_LEVEL
          Security level to be used for LDAP connections.
private static java.lang.String URL_CONTEXT_PREFIX
          Package Prefix for loading URL context factories.
 
Constructor Summary
LDAPStoreHelper(X509LDAPCertStoreParameters params)
           
 
Method Summary
private  void addToCache(java.lang.String searchCriteria, java.util.List list)
           
private  java.util.List attrCertSubjectSerialSearch(X509AttributeCertStoreSelector xselector, java.lang.String[] attrs, java.lang.String[] attrNames, java.lang.String[] subjectAttributeNames)
          Can use the entityName of the holder of the attribute certificate, the serialNumber of the attribute certificate and the serialNumber of the associated certificate of the given X509AttributeCertSelector.
private  java.util.List certSubjectSerialSearch(X509CertStoreSelector xselector, java.lang.String[] attrs, java.lang.String[] attrNames, java.lang.String[] subjectAttributeNames)
          Can use the subject and serial number, or the subject and serialNumber of the certificate to check, of the given X509CertStoreSelector.
private  javax.naming.directory.DirContext connectLDAP()
           
private  java.util.Set createAttributeCertificates(java.util.List list, X509AttributeCertStoreSelector xselector)
           
private  java.util.Set createCerts(java.util.List list, X509CertStoreSelector xselector)
           
private  java.util.Set createCRLs(java.util.List list, X509CRLStoreSelector xselector)
           
private  java.util.Set createCrossCertificatePairs(java.util.List list, X509CertPairStoreSelector xselector)
           
private  java.util.List cRLIssuerSearch(X509CRLStoreSelector xselector, java.lang.String[] attrs, java.lang.String[] attrNames, java.lang.String[] issuerAttributeNames)
          Can use the issuer of the given X509CRLStoreSelector.
private  java.util.List crossCertificatePairSubjectSearch(X509CertPairStoreSelector xselector, java.lang.String[] attrs, java.lang.String[] attrNames, java.lang.String[] subjectAttributeNames)
          Can use the subject of the forward certificate of the set certificate pair or the subject of the forward X509CertStoreSelector of the given selector.
 java.util.Collection getAACertificates(X509AttributeCertStoreSelector selector)
          Returns attribute certificates for an attribute authority. The aAcertificate holds the privileges of an attribute authority.
 java.util.Collection getAttributeAuthorityRevocationLists(X509CRLStoreSelector selector)
          Returns the revocation list for revoked attribute certificates for an attribute authority. The attributeAuthorityList holds a list of AA certificates that have been revoked.
 java.util.Collection getAttributeCertificateAttributes(X509AttributeCertStoreSelector selector)
          Returns an attribute certificate for a user.
 java.util.Collection getAttributeCertificateRevocationLists(X509CRLStoreSelector selector)
          Returns the revocation list for revoked attribute certificates.
 java.util.Collection getAttributeDescriptorCertificates(X509AttributeCertStoreSelector selector)
          Returns an attribute certificate for an authority. The attributeDescriptorCertificate is self signed by a source of authority and holds a description of the privilege and its delegation rules.
 java.util.Collection getAuthorityRevocationLists(X509CRLStoreSelector selector)
          Returns the CRLs for issued certificates for other CAs matching the given selector.
 java.util.Collection getCACertificates(X509CertStoreSelector selector)
          Returns CA certificates.
private  javax.security.auth.x500.X500Principal getCertificateIssuer(java.security.cert.X509Certificate cert)
           
 java.util.Collection getCertificateRevocationLists(X509CRLStoreSelector selector)
          Returns the certificate revocation lists for revoked certificates.
 java.util.Collection getCrossCertificatePairs(X509CertPairStoreSelector selector)
          Returns cross certificate pairs.
 java.util.Collection getDeltaCertificateRevocationLists(X509CRLStoreSelector selector)
          Returns the delta revocation list for revoked certificates.
private  java.util.List getFromCache(java.lang.String searchCriteria)
           
private  java.lang.String getSubjectAsString(X509CertStoreSelector xselector)
           
 java.util.Collection getUserCertificates(X509CertStoreSelector selector)
          Returns end certificates.
private  java.lang.String parseDN(java.lang.String subject, java.lang.String dNAttributeName)
           
private  java.util.List search(java.lang.String[] attributeNames, java.lang.String attributeValue, java.lang.String[] attrs)
          Returns a List of encodings of the certificates, attribute certificates, CRL or certificate pairs.
private  java.lang.String[] splitString(java.lang.String str)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

params

private X509LDAPCertStoreParameters params

LDAP_PROVIDER

private static java.lang.String LDAP_PROVIDER
Initial Context Factory.


REFERRALS_IGNORE

private static java.lang.String REFERRALS_IGNORE
Processing of referrals.


SEARCH_SECURITY_LEVEL

private static final java.lang.String SEARCH_SECURITY_LEVEL
Security level to be used for LDAP connections.

See Also:
Constant Field Values

URL_CONTEXT_PREFIX

private static final java.lang.String URL_CONTEXT_PREFIX
Package Prefix for loading URL context factories.

See Also:
Constant Field Values

cacheMap

private java.util.Map cacheMap

cacheSize

private static int cacheSize

lifeTime

private static long lifeTime

Constructor Detail

LDAPStoreHelper

public LDAPStoreHelper(X509LDAPCertStoreParameters params)

Method Detail

connectLDAP

private javax.naming.directory.DirContext connectLDAP()
                                               throws javax.naming.NamingException
Throws:
javax.naming.NamingException

parseDN

private java.lang.String parseDN(java.lang.String subject,
                                 java.lang.String dNAttributeName)

createCerts

private java.util.Set createCerts(java.util.List list,
                                  X509CertStoreSelector xselector)
                           throws StoreException
Throws:
StoreException

certSubjectSerialSearch

private java.util.List certSubjectSerialSearch(X509CertStoreSelector xselector,
                                               java.lang.String[] attrs,
                                               java.lang.String[] attrNames,
                                               java.lang.String[] subjectAttributeNames)
                                        throws StoreException
Can use the subject and serial number, or the subject and serialNumber of the certificate to check, of the given X509CertStoreSelector. If a certificate for checking is given, it takes precedence.

Parameters:
xselector - The selector with the search criteria.
attrs - Attributes which contain the certificates in the LDAP directory.
attrNames - Attribute names in the LDAP directory which correspond to the subjectAttributeNames.
subjectAttributeNames - Subject attribute names (like "CN", "O", "OU") to use to search in the LDAP directory
Returns:
A list of found DER encoded certificates.
Throws:
StoreException - if an error occurs while searching.

crossCertificatePairSubjectSearch

private java.util.List crossCertificatePairSubjectSearch(X509CertPairStoreSelector xselector,
                                                         java.lang.String[] attrs,
                                                         java.lang.String[] attrNames,
                                                         java.lang.String[] subjectAttributeNames)
                                                  throws StoreException
Can use the subject of the forward certificate of the set certificate pair or the subject of the forward X509CertStoreSelector of the given selector.

Parameters:
xselector - The selector with the search criteria.
attrs - Attributes which contain the certificate pairs in the LDAP directory.
attrNames - Attribute names in the LDAP directory which correspond to the subjectAttributeNames.
subjectAttributeNames - Subject attribute names (like "CN", "O", "OU") to use to search in the LDAP directory
Returns:
A list of found DER encoded certificate pairs.
Throws:
StoreException - if an error occurs while searching.

attrCertSubjectSerialSearch

private java.util.List attrCertSubjectSerialSearch(X509AttributeCertStoreSelector xselector,
                                                   java.lang.String[] attrs,
                                                   java.lang.String[] attrNames,
                                                   java.lang.String[] subjectAttributeNames)
                                            throws StoreException
Can use the entityName of the holder of the attribute certificate, the serialNumber of the attribute certificate and the serialNumber of the associated certificate of the given X509AttributeCertSelector.

Parameters:
xselector - The selector with the search criteria.
attrs - Attributes which contain the attribute certificates in the LDAP directory.
attrNames - Attribute names in the LDAP directory which correspond to the subjectAttributeNames.
subjectAttributeNames - Subject attribute names (like "CN", "O", "OU") to use to search in the LDAP directory
Returns:
A list of found DER encoded attribute certificates.
Throws:
StoreException - if an error occurs while searching.

cRLIssuerSearch

private java.util.List cRLIssuerSearch(X509CRLStoreSelector xselector,
                                       java.lang.String[] attrs,
                                       java.lang.String[] attrNames,
                                       java.lang.String[] issuerAttributeNames)
                                throws StoreException
Can use the issuer of the given X509CRLStoreSelector.

Parameters:
xselector - The selector with the search criteria.
attrs - Attributes which contain the CRLs in the LDAP directory.
attrNames - Attribute names in the LDAP directory which correspond to the issuerAttributeNames.
issuerAttributeNames - Issuer attribute names (like "CN", "O", "OU") to use to search in the LDAP directory
Returns:
A list of found DER encoded CRLs.
Throws:
StoreException - if an error occurs while searching.

search

private java.util.List search(java.lang.String[] attributeNames,
                              java.lang.String attributeValue,
                              java.lang.String[] attrs)
                       throws StoreException
Returns a List of encodings of the certificates, attribute certificates, CRL or certificate pairs.

Parameters:
attributeNames - The attribute names to look for in the LDAP.
attributeValue - The value the attribute name must have.
attrs - The attributes in the LDAP which hold the certificate, attribute certificate, certificate pair or CRL in a found entry.
Returns:
A List of byte arrays with the encodings.
Throws:
StoreException - if an error occurs getting the results from the LDAP directory.

createCRLs

private java.util.Set createCRLs(java.util.List list,
                                 X509CRLStoreSelector xselector)
                          throws StoreException
Throws:
StoreException

createCrossCertificatePairs

private java.util.Set createCrossCertificatePairs(java.util.List list,
                                                  X509CertPairStoreSelector xselector)
                                           throws StoreException
Throws:
StoreException

createAttributeCertificates

private java.util.Set createAttributeCertificates(java.util.List list,
                                                  X509AttributeCertStoreSelector xselector)
                                           throws StoreException
Throws:
StoreException

getAuthorityRevocationLists

public java.util.Collection getAuthorityRevocationLists(X509CRLStoreSelector selector)
                                                 throws StoreException
Returns the CRLs for issued certificates for other CAs matching the given selector.
The authorityRevocationList attribute includes revocation information regarding certificates issued to other CAs.

Parameters:
selector - The CRL selector to use to find the CRLs.
Returns:
A possibly empty collection with CRLs.
Throws:
StoreException

getAttributeCertificateRevocationLists

public java.util.Collection getAttributeCertificateRevocationLists(X509CRLStoreSelector selector)
                                                            throws StoreException
Returns the revocation list for revoked attribute certificates.

The attributeCertificateRevocationList holds a list of attribute certificates that have been revoked.

Parameters:
selector - The CRL selector to use to find the CRLs.
Returns:
A possibly empty collection with CRLs.
Throws:
StoreException

getAttributeAuthorityRevocationLists

public java.util.Collection getAttributeAuthorityRevocationLists(X509CRLStoreSelector selector)
                                                          throws StoreException
Returns the revocation list for revoked attribute certificates for an attribute authority.

The attributeAuthorityList holds a list of AA certificates that have been revoked.

Parameters:
selector - The CRL selector to use to find the CRLs.
Returns:
A possibly empty collection with CRLs.
Throws:
StoreException

getCrossCertificatePairs

public java.util.Collection getCrossCertificatePairs(X509CertPairStoreSelector selector)
                                              throws StoreException
Returns cross certificate pairs.

Parameters:
selector - The selector to use to find the cross certificates.
Returns:
A possibly empty collection with X509CertificatePairs.
Throws:
StoreException

getUserCertificates

public java.util.Collection getUserCertificates(X509CertStoreSelector selector)
                                         throws StoreException
Returns end certificates.

The attributeDescriptorCertificate is self signed by a source of authority and holds a description of the privilege and its delegation rules.

Parameters:
selector - The selector to find the certificates.
Returns:
A possibly empty collection with certificates.
Throws:
StoreException

getAACertificates

public java.util.Collection getAACertificates(X509AttributeCertStoreSelector selector)
                                       throws StoreException
Returns attribute certificates for an attribute authority.

The aAcertificate holds the privileges of an attribute authority.

Parameters:
selector - The selector to find the attribute certificates.
Returns:
A possibly empty collection with attribute certificates.
Throws:
StoreException

getAttributeDescriptorCertificates

public java.util.Collection getAttributeDescriptorCertificates(X509AttributeCertStoreSelector selector)
                                                        throws StoreException
Returns an attribute certificate for an authority.

The attributeDescriptorCertificate is self signed by a source of authority and holds a description of the privilege and its delegation rules.

Parameters:
selector - The selector to find the attribute certificates.
Returns:
A possibly empty collection with attribute certificates.
Throws:
StoreException

getCACertificates

public java.util.Collection getCACertificates(X509CertStoreSelector selector)
                                       throws StoreException
Returns CA certificates.

The cACertificate attribute of a CA's directory entry shall be used to store self-issued certificates (if any) and certificates issued to this CA by CAs in the same realm as this CA.

Parameters:
selector - The selector to find the certificates.
Returns:
A possibly empty collection with certificates.
Throws:
StoreException

getDeltaCertificateRevocationLists

public java.util.Collection getDeltaCertificateRevocationLists(X509CRLStoreSelector selector)
                                                        throws StoreException
Returns the delta revocation list for revoked certificates.

Parameters:
selector - The CRL selector to use to find the CRLs.
Returns:
A possibly empty collection with CRLs.
Throws:
StoreException

getAttributeCertificateAttributes

public java.util.Collection getAttributeCertificateAttributes(X509AttributeCertStoreSelector selector)
                                                       throws StoreException
Returns an attribute certificate for a user.

The attributeCertificateAttribute holds the privileges of a user.

Parameters:
selector - The selector to find the attribute certificates.
Returns:
A possibly empty collection with attribute certificates.
Throws:
StoreException

getCertificateRevocationLists

public java.util.Collection getCertificateRevocationLists(X509CRLStoreSelector selector)
                                                   throws StoreException
Returns the certificate revocation lists for revoked certificates.

Parameters:
selector - The CRL selector to use to find the CRLs.
Returns:
A possibly empty collection with CRLs.
Throws:
StoreException

addToCache

private void addToCache(java.lang.String searchCriteria,
                        java.util.List list)

getFromCache

private java.util.List getFromCache(java.lang.String searchCriteria)

splitString

private java.lang.String[] splitString(java.lang.String str)

getSubjectAsString

private java.lang.String getSubjectAsString(X509CertStoreSelector xselector)

getCertificateIssuer

private javax.security.auth.x500.X500Principal getCertificateIssuer(java.security.cert.X509Certificate cert)