Customization of SOSI CRL mechanism
This document describes a possible customization of the CRL check in the SOSI library.
Consider the following scenario, which has these properties:
- SOSI requests are received on Runtime nodes under high load
- It is not desirable to spend bandwidth, CPU and memory on downloading, parsing and caching the CRL on every Runtime node
- The Batch node receives no SOSI runtime requests and can process lengthy asynchronous tasks driven by an internal timer mechanism
Batch node
On the Batch node the CRL is downloaded, parsed and stored in a database. Implement a custom ObjectCache like the following; the SOSI library hands the downloaded and validated CRL to setCachedObject, which is where the database is updated:
import java.io.ByteArrayInputStream;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.util.Set;
import javax.sql.DataSource;
// ObjectCache and CRL are SOSI Seal library types (the original omits their imports)

public class DBSavingCRLCache implements ObjectCache {

    // Static: SOSIFactory instantiates this class by name through its no-arg
    // constructor, so nothing can be handed in via constructor arguments.
    private static CRL crl;
    private static String name;
    // Assumption: the application sets the DataSource before constructing the factory
    private static DataSource dataSource;

    public DBSavingCRLCache() {
        super();
    }

    public static void setDataSource(DataSource ds) {
        dataSource = ds;
    }

    public String getNameOfCachedObject() {
        return name;
    }

    public Serializable getCachedObject() {
        return crl;
    }

    public void setCachedObject(Serializable object, String name) {
        DBSavingCRLCache.crl = (CRL) object;
        DBSavingCRLCache.name = name;
        saveToDB();
    }

    private void saveToDB() {
        // Table and column names (REVOKED_SERIALS.REVOKEDSERIAL) are assumptions. Serials are
        // stored as hex strings and must be encoded the same way on the Runtime node.
        try (Connection con = dataSource.getConnection()) {
            // Delete and re-insert inside one transaction, so Runtime nodes never
            // observe an empty or half-written table.
            con.setAutoCommit(false);
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509CRL x509Crl = (X509CRL) cf.generateCRL(
                        new ByteArrayInputStream(crl.getEncoded()));
                try (PreparedStatement del = con.prepareStatement("DELETE FROM REVOKED_SERIALS")) {
                    del.executeUpdate();
                }
                // getRevokedCertificates() returns null, not an empty set, when nothing is revoked
                Set<? extends X509CRLEntry> revokedSerials = x509Crl.getRevokedCertificates();
                if (revokedSerials != null) {
                    try (PreparedStatement ins = con.prepareStatement(
                            "INSERT INTO REVOKED_SERIALS (REVOKEDSERIAL) VALUES (?)")) {
                        for (X509CRLEntry crlEntry : revokedSerials) {
                            BigInteger revokedCertificateSerialNumber = crlEntry.getSerialNumber();
                            ins.setString(1, revokedCertificateSerialNumber.toString(16));
                            ins.addBatch();
                        }
                        ins.executeBatch();
                    }
                }
                // Also worth recording x509Crl.getNextUpdate(), so Runtime nodes can detect a stale list
                con.commit();
            } catch (Exception e) {
                con.rollback();   // keep the previous, complete list
                throw e;
            }
        } catch (Exception e) {
            // ALERT! Runtime nodes keep answering from the previous list until the next successful refresh
        }
    }
}
Construct SOSIFactory using customized ObjectCache
Properties properties = new Properties();
properties.put(SOSIFactory.PROPERTYNAME_CRL_CACHE_IMPLEMENTATION,
"xx.yy.DBSavingCRLCache");
properties.setProperty("sosi:federation", "SOSI_TEST");
// possibly specify other properties here....
CredentialVault credentialVault = <construct or resolve credentialvault here>;
SOSIFactory factory = new SOSIFactory(credentialVault, properties);
This causes the CRL to be downloaded and validated by the SOSI library and then passed to setCachedObject, which stores the revoked serials in the database (saveToDB).
On each CRL timer event, issue:
try {
factory.getFederation().getCertificationAuthority().refreshCRL();
} catch (PKIException pki){
// ALERT!
}
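As an added example (not part of the original document or of the SOSI library), the timer mechanism for the Batch node written with java.util.concurrent, calling the refreshCRL() method shown above. The class name CrlRefreshScheduler, the alert hook and the refresh interval are assumptions; the import paths dk.sosi.seal.SOSIFactory and dk.sosi.seal.pki.PKIException follow the package layout of the fully qualified dk.sosi.seal.pki.CertificateStatusChecker used on this page. Two details matter in practice: a task that throws out of a ScheduledExecutorService is silently cancelled for all future runs, so every exception is caught inside the task, and the time of the last successful refresh is recorded so monitoring can tell a list that has stopped updating from one that is merely unchanged.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

import dk.sosi.seal.SOSIFactory;
import dk.sosi.seal.pki.PKIException;

/** Periodically refreshes the CRL on the Batch node and reports failures (example code). */
public final class CrlRefreshScheduler {

    private final SOSIFactory factory;
    private final Consumer<String> alert;   // hook into the alerting system (assumption)
    private final ScheduledExecutorService executor =
            Executors.newSingleThreadScheduledExecutor(r -> {
                Thread t = new Thread(r, "crl-refresh");
                t.setDaemon(true);
                return t;
            });
    private volatile Instant lastSuccess = Instant.EPOCH;

    public CrlRefreshScheduler(SOSIFactory factory, Consumer<String> alert) {
        this.factory = factory;
        this.alert = alert;
    }

    /** Runs one refresh and returns true on success. Never throws, so the schedule stays alive. */
    public boolean refreshOnce() {
        try {
            factory.getFederation().getCertificationAuthority().refreshCRL();
            lastSuccess = Instant.now();
            return true;
        } catch (PKIException pki) {
            alert.accept("CRL refresh failed: " + pki.getMessage());   // ALERT!
            return false;
        } catch (RuntimeException e) {
            // An uncaught exception would cancel the ScheduledExecutorService task permanently
            alert.accept("CRL refresh crashed: " + e);
            return false;
        }
    }

    /** Starts refreshing at the given interval; choose it well inside the CA's CRL update period. */
    public void start(Duration interval) {
        executor.scheduleWithFixedDelay(this::refreshOnce, 0, interval.toMillis(), TimeUnit.MILLISECONDS);
    }

    /** True when no refresh has succeeded within maxAge: the list served to Runtime nodes may be stale. */
    public boolean isStale(Duration maxAge) {
        return Instant.now().isAfter(lastSuccess.plus(maxAge));
    }

    public void stop() {
        executor.shutdownNow();
    }
}
```

Usage on the Batch node, after the factory from the previous step has been constructed: new CrlRefreshScheduler(factory, msg -> log.error(msg)).start(Duration.ofMinutes(15)), and expose isStale() to the health check so a Batch node that has silently stopped refreshing is noticed before the Runtime nodes start accepting revoked certificates.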
Runtime node
On the Runtime node the CertificateStatusChecker is customized so that revocation status is answered from the database instead of from a locally cached CRL. Note that the Runtime node thereby trusts the database contents in place of a CRL signed by the CA: the revoked-serial table must be writable by the Batch node only, and the lookup must fail closed when the database cannot be queried.
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
// CertificationAuthority and PKIException are SOSI Seal library types, like the interface below

public class DBCertificateStatusChecker implements dk.sosi.seal.pki.CertificateStatusChecker {

    private CertificationAuthority certificationAuthority;
    // Static for the same reason as in the cache: the class is instantiated by name through its
    // no-arg constructor. Assumption: the application sets it before constructing the factory.
    private static DataSource dataSource;

    public DBCertificateStatusChecker() {
        super();
    }

    public static void setDataSource(DataSource ds) {
        dataSource = ds;
    }

    public void setCertificationAuthority(CertificationAuthority certificationAuthority) {
        this.certificationAuthority = certificationAuthority;
    }

    public boolean isRevoked(X509Certificate certificate) throws PKIException {
        // Assert that the certificate is issued under this CA
        checkIssuer(certificate);
        // DB status check: SELECT ... WHERE REVOKEDSERIAL = serial. The serial is bound as a
        // parameter (never concatenated into the SQL) and hex-encoded exactly as the Batch node
        // stored it. Table and column names are assumptions.
        try (Connection con = dataSource.getConnection();
             PreparedStatement st = con.prepareStatement(
                     "SELECT 1 FROM REVOKED_SERIALS WHERE REVOKEDSERIAL = ?")) {
            st.setString(1, certificate.getSerialNumber().toString(16));
            try (ResultSet rs = st.executeQuery()) {
                return rs.next();
            }
        } catch (SQLException e) {
            // Fail closed: an unanswerable lookup must not be reported as "not revoked"
            throw new PKIException("Revocation status lookup failed: " + e.getMessage());
        }
    }

    private void checkIssuer(X509Certificate certificate) throws PKIException {
        if (!certificationAuthority.isIssuerOf(certificate)) {
            throw new PKIException("Passed certificate cannot be verified, "
                    + "since it is not issued by the configured ca");
        }
    }

    public void refreshCRL() throws PKIException {
        // Never called on a Runtime node: only the Batch node refreshes the list
    }
}
Construct SOSIFactory using customized CertificateStatusChecker
Properties properties = new Properties();
properties.put(SOSIFactory.PROPERTYNAME_SOSI_CERTIFICATE_STATUS_CHECKER,
"xx.yy.DBCertificateStatusChecker");
properties.setProperty("sosi:federation", "SOSI_TEST");
// possibly specify other properties here....
CredentialVault credentialVault = <construct or resolve credentialvault here>;
SOSIFactory factory = new SOSIFactory(credentialVault, properties);