GTS Client API Examples
Overview
A certificate authority (CA) maintains a certificate revocation list (CRL): a signed list of the certificates it has revoked or that are otherwise no longer valid. Whenever the CA adds or removes an entry, the new CRL must be published to the services that trust the CA. When the GAARDS UI is used to revoke a host certificate, GAARDS sends an updateHostCertificateRecord request to Dorian (the CA). Dorian updates the status of the host certificate, generates a new CRL, and sends that CRL to the GTS server for distribution. If the CA is not Dorian, the CA itself must provide its CRL to the GTS server for publication.
Updating a CA's CRL to GTS Example
Below is a programmatic way to publish a CRL to the GTS server. Note: the CRL must be signed by the CA's key, and the client verifies that signature against the CA's certificate before publishing. This prevents an unauthorized party from altering or substituting the CRL.
Some of the required packages:
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import org.cagrid.gaards.gts.client.GTSAdminClient;   // GTS administrative client
import org.cagrid.gaards.pki.CertUtil;
Code Sample:
String gtsURI = "https://<gts server>/wsrf/services/cagrid/GTS";
String trustedAuthorityName = "<trusted authority name>";
try {
    // Load the Trusted Authority's (CA's) certificate; its public key is used to verify the CRL signature
    InputStream inStream = new FileInputStream("fileName-of-cert");
    X509Certificate cert;
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        cert = (X509Certificate) cf.generateCertificate(inStream);
    } finally {
        inStream.close();
    }

    GTSAdminClient gtsadminclient = new GTSAdminClient(gtsURI, null);

    // Load the CRL issued by that CA
    X509CRL crl = CertUtil.loadCRL(new File("fileName-of-crl"));

    // Verify the CRL signature before publishing; a CRL that does not verify must not be sent to GTS
    try {
        crl.verify(cert.getPublicKey());
    } catch (Exception crle) {
        System.err.println("Error verifying CRL, the CRL must be issued and signed by the same key as the Trusted Authority's Certificate");
        throw crle;   // abort: do not publish an unverified CRL
    }

    // Wrap the PEM-encoded CRL in the GTS bean and publish it for the named Trusted Authority
    gov.nih.nci.cagrid.gts.bean.X509CRL x509 = new gov.nih.nci.cagrid.gts.bean.X509CRL();
    x509.setCrlEncodedString(CertUtil.writeCRL(crl));
    gtsadminclient.updateCRL(trustedAuthorityName, x509);
} catch (Exception e) {
    e.printStackTrace();
}
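The checks a publisher should make on a CRL before handing it to updateCRL, shown as an added example that is not caGrid code. It uses Python with the cryptography library instead of the Java calls above (CertUtil.loadCRL, crl.verify, CertUtil.writeCRL) so that it runs offline: a throwaway CA and CRL are generated in-process rather than read from files, and the CA name, serial numbers and lifetimes are constructed values. Beyond the signature check the Java sample performs, it also confirms the CRL's issuer matches the CA certificate and that the CRL is not past its nextUpdate, and shows the failure cases a publisher would want to catch.

```python
# Added example (not caGrid code): pre-publication checks on a CRL, using the
# Python "cryptography" library. The CA, certificate and CRL are constructed here
# so the example runs offline; in practice they come from the Trusted Authority.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def utc_now(offset_days=0):
    """Aware UTC 'now', optionally shifted by a number of days (used to simulate a stale CRL)."""
    return datetime.now(timezone.utc) + timedelta(days=offset_days)


def make_ca(common_name="Example Dorian CA"):
    """Constructed test CA: an RSA key and a self-signed certificate standing in for
    the Trusted Authority's certificate ("fileName-of-cert" in the Java sample)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = utc_now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(signing_key, issuer_cert, revoked_serials, now, lifetime=timedelta(days=7)):
    """Build a CRL that names issuer_cert's subject as issuer and is signed with signing_key.
    Normally signing_key is the CA's key; signing with any other key must fail verification."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now)
        .next_update(now + lifetime)
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256())


def _next_update(crl):
    """nextUpdate as an aware UTC datetime, across cryptography versions."""
    if hasattr(type(crl), "next_update_utc"):   # cryptography >= 42 exposes an aware property
        return crl.next_update_utc
    naive = crl.next_update                      # older releases return naive UTC
    return naive.replace(tzinfo=timezone.utc) if naive is not None else None


def verify_crl(crl, ca_cert, now):
    """Checks to run before publishing: the CRL's issuer is the CA, its signature verifies
    with the CA's public key (the same check as crl.verify(cert.getPublicKey()) in Java),
    and it is not past its nextUpdate. Returns (ok, reason)."""
    if crl.issuer != ca_cert.subject:
        return False, "issuer mismatch"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "bad signature"
    next_update = _next_update(crl)
    if next_update is not None and now > next_update:
        return False, "stale"
    return True, "ok"


def is_revoked(crl, serial):
    """True if the certificate with this serial number is listed in the CRL."""
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


def crl_to_pem(crl):
    """PEM text of the CRL, the form CertUtil.writeCRL produces for setCrlEncodedString."""
    return crl.public_bytes(serialization.Encoding.PEM).decode("ascii")


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    now = utc_now()
    crl = make_crl(ca_key, ca_cert, [1234], now)   # constructed revoked serial
    print("verify:", verify_crl(crl, ca_cert, now), "serial 1234 revoked:", is_revoked(crl, 1234))
    print(crl_to_pem(crl).splitlines()[0])
```

Only a CRL for which verify_crl returns (True, "ok") should be passed on to updateCRL; the issuer and nextUpdate checks catch a CRL that was signed correctly but belongs to another CA or has been served long after it expired, which a bare signature check would accept.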