Package org.globus.gsi.trustmanager
Class X509ProxyCertPathValidator
- java.lang.Object
-
- java.security.cert.CertPathValidatorSpi
-
- org.globus.gsi.trustmanager.X509ProxyCertPathValidator
-
public class X509ProxyCertPathValidator extends java.security.cert.CertPathValidatorSpi
Implementation of the CertPathValidatorSpi and the logic for X.509 Proxy Path Validation.
- Since:
- 1.0
- Version:
- ${version}
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
BASIC_CONSTRAINT_OID
protected java.security.cert.CertStore
certStore
private java.security.cert.X509Certificate
identityCert
static java.lang.String
KEY_USAGE_OID
protected java.security.KeyStore
keyStore
private boolean
limited
private java.util.Map<java.lang.String,ProxyPolicyHandler>
policyHandlers
protected SigningPolicyStore
policyStore
private boolean
rejectLimitedProxy
-
Constructor Summary
Constructors Constructor Description X509ProxyCertPathValidator()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description private void
checkCertificate(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType)
private void
checkExtension(org.bouncycastle.asn1.ASN1ObjectIdentifier oid, org.bouncycastle.asn1.x509.X509Extension proxyExtension, org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage)
protected void
checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer)
private void
checkProxyConstraints(java.security.cert.CertPath certPath, java.security.cert.X509Certificate cert, org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert, GSIConstants.CertificateType certType, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int i)
protected void
checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, java.security.cert.X509Certificate checkedProxy)
protected void
checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, java.security.cert.CertPath certPath, int index)
void
clear()
Dispose of the current validation state.
java.security.cert.CertPathValidatorResult
engineValidate(java.security.cert.CertPath certPath, java.security.cert.CertPathParameters params)
Validates the specified certification path using the specified algorithm parameter set.
protected java.util.List<CertificateChecker>
getCertificateCheckers()
private GSIConstants.CertificateType
getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert)
java.security.cert.X509Certificate
getIdentityCertificate()
private org.bouncycastle.asn1.x509.TBSCertificateStructure
getTBSCertificateStructure(java.security.cert.X509Certificate issuerCert)
boolean
isLimited()
boolean
isRejectLimitedProxy()
protected void
parseParameters(java.security.cert.CertPathParameters params)
void
setIdentityCert(java.security.cert.X509Certificate identityCert)
void
setLimited(boolean limited)
protected java.security.cert.CertPathValidatorResult
validate(java.security.cert.CertPath certPath)
Validates the certificate path and does the following for each certificate in the chain: method checkCertificate(). In addition: a) validates that the issuer type of each certificate is correct, b) CA path constraints, c) proxy path constraints.
private void
validateCACert(java.security.cert.X509Certificate cert, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int proxyDepth, int i, boolean certIsProxy)
private int
validateCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth, int i, boolean certIsProxy)
private void
validateEECCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert)
private int
validateGsi2ProxyCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, int proxyDepth)
private int
validateGsiProxyCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth)
-
-
-
Field Detail
-
BASIC_CONSTRAINT_OID
public static final java.lang.String BASIC_CONSTRAINT_OID
- See Also:
- Constant Field Values
-
KEY_USAGE_OID
public static final java.lang.String KEY_USAGE_OID
- See Also:
- Constant Field Values
-
keyStore
protected java.security.KeyStore keyStore
-
certStore
protected java.security.cert.CertStore certStore
-
policyStore
protected SigningPolicyStore policyStore
-
identityCert
private java.security.cert.X509Certificate identityCert
-
limited
private boolean limited
-
rejectLimitedProxy
private boolean rejectLimitedProxy
-
policyHandlers
private java.util.Map<java.lang.String,ProxyPolicyHandler> policyHandlers
-
-
Method Detail
-
engineValidate
public java.security.cert.CertPathValidatorResult engineValidate(java.security.cert.CertPath certPath, java.security.cert.CertPathParameters params) throws java.security.cert.CertPathValidatorException, java.security.InvalidAlgorithmParameterException
Validates the specified certification path using the specified algorithm parameter set. The CertPath specified must be of a type that is supported by the validation algorithm, otherwise an InvalidAlgorithmParameterException will be thrown. For example, a CertPathValidator that implements the PKIX algorithm validates CertPath objects of type X.509.
- Specified by:
engineValidate in class java.security.cert.CertPathValidatorSpi
- Parameters:
certPath - the CertPath to be validated
params - the algorithm parameters
- Returns:
- the result of the validation algorithm
- Throws:
java.security.cert.CertPathValidatorException - if the CertPath does not validate
java.security.InvalidAlgorithmParameterException - if the specified parameters or the type of the specified CertPath are inappropriate for this CertPathValidator
-
clear
public void clear()
Dispose of the current validation state.
-
parseParameters
protected void parseParameters(java.security.cert.CertPathParameters params) throws java.security.InvalidAlgorithmParameterException
- Throws:
java.security.InvalidAlgorithmParameterException
-
validate
protected java.security.cert.CertPathValidatorResult validate(java.security.cert.CertPath certPath) throws java.security.cert.CertPathValidatorException
Validates the certificate path and does the following for each certificate in the chain: method checkCertificate(). In addition: a) validates that the issuer type of each certificate is correct, b) CA path constraints, c) proxy path constraints. If the certificate is of type proxy, it additionally checks: a) proxy constraints, b) restricted proxy; otherwise, for a certificate that is not a proxy, it checks: a) key usage.
- Parameters:
certPath - The CertPath to validate.
- Returns:
- The results of the validation.
- Throws:
java.security.cert.CertPathValidatorException
- If the CertPath is invalid.
-
getCertificateType
private GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
getTBSCertificateStructure
private org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(java.security.cert.X509Certificate issuerCert) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
validateCert
private int validateCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth, int i, boolean certIsProxy) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
checkProxyConstraints
private void checkProxyConstraints(java.security.cert.CertPath certPath, java.security.cert.X509Certificate cert, org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert, GSIConstants.CertificateType certType, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int i) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
validateEECCert
private void validateEECCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
validateGsi2ProxyCert
private int validateGsi2ProxyCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, int proxyDepth) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
validateGsiProxyCert
private int validateGsiProxyCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
validateCACert
private void validateCACert(java.security.cert.X509Certificate cert, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int proxyDepth, int i, boolean certIsProxy) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
checkRestrictedProxy
protected void checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, java.security.cert.CertPath certPath, int index) throws java.security.cert.CertPathValidatorException, java.io.IOException
- Throws:
java.security.cert.CertPathValidatorException
java.io.IOException
-
checkKeyUsage
protected void checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer) throws java.security.cert.CertPathValidatorException, java.io.IOException
- Throws:
java.security.cert.CertPathValidatorException
java.io.IOException
-
getCertificateCheckers
protected java.util.List<CertificateChecker> getCertificateCheckers()
-
checkCertificate
private void checkCertificate(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
checkProxyConstraints
protected void checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, java.security.cert.X509Certificate checkedProxy) throws java.security.cert.CertPathValidatorException, java.io.IOException
- Throws:
java.security.cert.CertPathValidatorException
java.io.IOException
-
checkExtension
private void checkExtension(org.bouncycastle.asn1.ASN1ObjectIdentifier oid, org.bouncycastle.asn1.x509.X509Extension proxyExtension, org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage) throws java.security.cert.CertPathValidatorException
- Throws:
java.security.cert.CertPathValidatorException
-
getIdentityCertificate
public java.security.cert.X509Certificate getIdentityCertificate()
-
setLimited
public void setLimited(boolean limited)
-
isLimited
public boolean isLimited()
-
setIdentityCert
public void setIdentityCert(java.security.cert.X509Certificate identityCert)
-
isRejectLimitedProxy
public boolean isRejectLimitedProxy()
-
-