JCA and JSSE Java API proposal

What is missing for sure:

  • ProxyCerts support (including creation)
  • Utility methods. I suppose it is nice to include methods to e.g. compare two DNs etc.

What I don't like:

  • static creators are not OO
  • a lot of objects/interafces is hanging around. It's the price for using JCA/JSSE and I think in Java case we should pay it.
  • point (b) below, NOTE one.

a) Representation of material being the fundamental input for certificate validation - the trusted CAs
interface: TrustAnchorFactory
 -> Set<TrustAnchor> getTrustAnchors()
 
implementations:
 -> KeyStoreTAF
 -> OpensslDirectoryTAF

Creation via constructors.

b) CRLs and OCSP and other not natively included in Java certificate chain tests are to be handled by PKIXCertPathChecker extensions:
 -> OCSPCertPathChecker
 -> CRLCertPathChecker (likely more for different crl sources)
 
Creation via constructors.

NOTE: this overlaps with the functionality of classes from sun.security.provider.certpath package what is obviously bad. 
But this approach allows us to configure validation is a reasonable manner.
NOTE: it it is really needed we can add callback mechanism (extend PKIXCertPathChecker with callback registration and 
use the extended class as a base for real checkers).

c) Utility to create PKIXParameters which holds all settings related to cert chain verification.

class: PKIXParametersFactory
 -> static PKIXParameters create(TrustAnchorFactory, PKIXCertPathChcecker...)
 -> other methods might be added here to simplify the typical UNICORE/gLite/ARC settings, i.e.:
    static PKIXParameters createDefault4OpenSSL(String directory, ...)
  
d) Utility to create TrustManager

class: TrustManagerCreator
 -> static TrustManager create(PKIXParameters)
 -> static TrustManager[] createArray(PKIXParameters)
 
d') Utility to create credentials

interface: Credential
 -> KeyStore getAsKeyStore()
 -> KeyManager getAsKeymanager()
 
implementations:
 ->KeystoreCredential (dummy)
 ->PEMFileCredential (may be in different versions)

e) SSL connection verification

interface ConnectionVerificator
 -> void verifyConnection(SSLSocket, SSLContext) throws ...

implementations:
 -> CertHostnameVerificator 

f) Utility to create SocketFactory and ServerSocketFactory

class SocketFactoryCreator
 -> static ServerSocketFactory createSSF(KeyManager, TrustManager)
 -> static ServerSocketFactory createSSF(KeyManager, PKIXParameters)
 -> static SocketFactory createSF(KeyManager, TrustManager)
 -> static SocketFactory createSF(KeyManager, PKIXParameters)
 -> static SocketFactory createSF(KeyManager, TrustManager, ConnectionVerificator...)
 -> static SocketFactory createSF(KeyManager, PKIXParameters, ConnectionVerificator...)

impl. note: returned SocketFactory can use decorator pattern to add ConnectionVerificators to the socket created by the internal/standard SocketFactory.

NOTE: maybe better left decoration for users and only provide verificator? Might be better for users. 



================== EXAMPLE =====================

   //common code, an explicit version. Might be one line when using default settings.
   OpenSSLDirectoryTAF taf = new OpenSSLDirectoryTAF(/*params*/);
   CRLCertPathChecker crlChecker = new CRLCertPathChecker(/*params*/);
   PKIXParameters params = PKIXParametersFactory.create(taf, crlChecker);
      
   //for verification
   CertPathValidator validator = CertPathValidator.getInstance("PKIX");
   validator.validate(toBeChecked, params);
   
   //ssl connection creation
   KeyManager ks = new PEMFileCredential().getAsKeyManager();
   SSLServerSocketFactory sslSsf = SocketFactoryCreator.createSSF(ks, params);      

-- KrzysztofBenedyczak - 19-Oct-2010

Edit | Attach | Watch | Print version | History: r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r1 - 2010-10-19 - unknown
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EMI All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback