Package org.globus.gsi.trustmanager

Class X509ProxyCertPathValidator

  • public class X509ProxyCertPathValidator
extends java.security.cert.CertPathValidatorSpi
    Implementation of the CertPathValidatorSpi and the logic for X.509 Proxy Path Validation.
    Since:
    1.0
    Version:
    ${version}

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      private void checkCertificate​(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType)  
      private void checkExtension​(org.bouncycastle.asn1.ASN1ObjectIdentifier oid, org.bouncycastle.asn1.x509.X509Extension proxyExtension, org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage)  
      protected void checkKeyUsage​(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer)  
      private void checkProxyConstraints​(java.security.cert.CertPath certPath, java.security.cert.X509Certificate cert, org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert, GSIConstants.CertificateType certType, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int i)  
      protected void checkProxyConstraints​(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, java.security.cert.X509Certificate checkedProxy)  
      protected void checkRestrictedProxy​(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, java.security.cert.CertPath certPath, int index)  
      void clear()
      Dispose of the current validation state.
      java.security.cert.CertPathValidatorResult engineValidate​(java.security.cert.CertPath certPath, java.security.cert.CertPathParameters params)
      Validates the specified certification path using the specified algorithm parameter set.
      protected java.util.List<CertificateChecker> getCertificateCheckers()  
      private GSIConstants.CertificateType getCertificateType​(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert)  
      java.security.cert.X509Certificate getIdentityCertificate()  
      private org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure​(java.security.cert.X509Certificate issuerCert)  
      boolean isLimited()  
      boolean isRejectLimitedProxy()  
      protected void parseParameters​(java.security.cert.CertPathParameters params)  
      void setIdentityCert​(java.security.cert.X509Certificate identityCert)  
      void setLimited​(boolean limited)  
      protected java.security.cert.CertPathValidatorResult validate​(java.security.cert.CertPath certPath)
      Validates the certificate path and does the following for each certificate in the chain: method checkCertificate() In addition: a) Validates if the issuer type of each certificate is correct b) CA path constraints c) Proxy path constraints
      private void validateCACert​(java.security.cert.X509Certificate cert, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int proxyDepth, int i, boolean certIsProxy)  
      private int validateCert​(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth, int i, boolean certIsProxy)  
      private void validateEECCert​(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert)  
      private int validateGsi2ProxyCert​(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, int proxyDepth)  
      private int validateGsiProxyCert​(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth)  

      • Methods inherited from class java.security.cert.CertPathValidatorSpi

        engineGetRevocationChecker

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • BASIC_CONSTRAINT_OID

        public static final java.lang.String BASIC_CONSTRAINT_OID
        See Also:
        Constant Field Values

      • keyStore

        protected java.security.KeyStore keyStore

      • certStore

        protected java.security.cert.CertStore certStore

      • identityCert

        private java.security.cert.X509Certificate identityCert

      • limited

        private boolean limited

      • rejectLimitedProxy

        private boolean rejectLimitedProxy

      • policyHandlers

        private java.util.Map<java.lang.String,​ProxyPolicyHandler> policyHandlers

    • Constructor Detail

      • X509ProxyCertPathValidator

        public X509ProxyCertPathValidator()

    • Method Detail

      • engineValidate

        public java.security.cert.CertPathValidatorResult engineValidate​(java.security.cert.CertPath certPath,
                                                                 java.security.cert.CertPathParameters params)
                                                          throws java.security.cert.CertPathValidatorException,
                                                                 java.security.InvalidAlgorithmParameterException
        Validates the specified certification path using the specified algorithm parameter set.

        The CertPath specified must be of a type that is supported by the validation algorithm, otherwise an InvalidAlgorithmParameterException will be thrown. For example, a CertPathValidator that implements the PKIX algorithm validates CertPath objects of type X.509.

        Specified by:
        engineValidate in class java.security.cert.CertPathValidatorSpi
        Parameters:
        certPath - the CertPath to be validated
        params - the algorithm parameters
        Returns:
        the result of the validation algorithm
        Throws:
        java.security.cert.CertPathValidatorException - if the CertPath does not validate
        java.security.InvalidAlgorithmParameterException - if the specified parameters or the type of the specified CertPath are inappropriate for this CertPathValidator

      • clear

        public void clear()
        Dispose of the current validation state.

      • parseParameters

        protected void parseParameters​(java.security.cert.CertPathParameters params)
                        throws java.security.InvalidAlgorithmParameterException
        Throws:
        java.security.InvalidAlgorithmParameterException

      • validate

        protected java.security.cert.CertPathValidatorResult validate​(java.security.cert.CertPath certPath)
                                                       throws java.security.cert.CertPathValidatorException
        Validates the certificate path and does the following for each certificate in the chain: method checkCertificate() In addition: a) Validates if the issuer type of each certificate is correct b) CA path constraints c) Proxy path constraints

        If it is of type proxy, check following: a) proxy constraints b) restricted proxy else if certificate, check the following: a) keyisage

        Parameters:
        certPath - The CertPath to validate.
        Returns:
        The results of the validation.
        Throws:
        java.security.cert.CertPathValidatorException - If the CertPath is invalid.

      • getCertificateType

        private GSIConstants.CertificateType getCertificateType​(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert)
                                                 throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • getTBSCertificateStructure

        private org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure​(java.security.cert.X509Certificate issuerCert)
                                                                               throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • validateCert

        private int validateCert​(java.security.cert.X509Certificate cert,
                         GSIConstants.CertificateType certType,
                         java.security.cert.X509Certificate issuerCert,
                         org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
                         GSIConstants.CertificateType issuerCertType,
                         int proxyDepth,
                         int i,
                         boolean certIsProxy)
                  throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • checkProxyConstraints

        private void checkProxyConstraints​(java.security.cert.CertPath certPath,
                                   java.security.cert.X509Certificate cert,
                                   org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert,
                                   GSIConstants.CertificateType certType,
                                   org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
                                   int i)
                            throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • validateEECCert

        private void validateEECCert​(java.security.cert.X509Certificate cert,
                             GSIConstants.CertificateType certType,
                             java.security.cert.X509Certificate issuerCert)
                      throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • validateGsi2ProxyCert

        private int validateGsi2ProxyCert​(java.security.cert.X509Certificate cert,
                                  GSIConstants.CertificateType certType,
                                  java.security.cert.X509Certificate issuerCert,
                                  int proxyDepth)
                           throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • validateGsiProxyCert

        private int validateGsiProxyCert​(java.security.cert.X509Certificate cert,
                                 GSIConstants.CertificateType certType,
                                 java.security.cert.X509Certificate issuerCert,
                                 org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
                                 GSIConstants.CertificateType issuerCertType,
                                 int proxyDepth)
                          throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • validateCACert

        private void validateCACert​(java.security.cert.X509Certificate cert,
                            java.security.cert.X509Certificate issuerCert,
                            org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
                            int proxyDepth,
                            int i,
                            boolean certIsProxy)
                     throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • checkRestrictedProxy

        protected void checkRestrictedProxy​(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
                                    java.security.cert.CertPath certPath,
                                    int index)
                             throws java.security.cert.CertPathValidatorException,
                                    java.io.IOException
        Throws:
        java.security.cert.CertPathValidatorException
        java.io.IOException

      • checkKeyUsage

        protected void checkKeyUsage​(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer)
                      throws java.security.cert.CertPathValidatorException,
                             java.io.IOException
        Throws:
        java.security.cert.CertPathValidatorException
        java.io.IOException

      • getCertificateCheckers

        protected java.util.List<CertificateChecker> getCertificateCheckers()

      • checkCertificate

        private void checkCertificate​(java.security.cert.X509Certificate cert,
                              GSIConstants.CertificateType certType)
                       throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • checkProxyConstraints

        protected void checkProxyConstraints​(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
                                     org.bouncycastle.asn1.x509.TBSCertificateStructure issuer,
                                     java.security.cert.X509Certificate checkedProxy)
                              throws java.security.cert.CertPathValidatorException,
                                     java.io.IOException
        Throws:
        java.security.cert.CertPathValidatorException
        java.io.IOException

      • checkExtension

        private void checkExtension​(org.bouncycastle.asn1.ASN1ObjectIdentifier oid,
                            org.bouncycastle.asn1.x509.X509Extension proxyExtension,
                            org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage)
                     throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • getIdentityCertificate

        public java.security.cert.X509Certificate getIdentityCertificate()

      • setLimited

        public void setLimited​(boolean limited)

      • isLimited

        public boolean isLimited()

      • setIdentityCert

        public void setIdentityCert​(java.security.cert.X509Certificate identityCert)

      • isRejectLimitedProxy

        public boolean isRejectLimitedProxy()