ProxyPathValidator

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

gov.nih.nci.cagrid.gts.service
Class ProxyPathValidator

java.lang.Object
  gov.nih.nci.cagrid.gts.service.ProxyPathValidator

public class ProxyPathValidator
extends java.lang.Object
extends java.lang.Object

Performs certificate/proxy path validation. It supports both old style Globus proxy as well as the new proxy certificate format. It checks BasicConstraints, KeyUsage, and ProxyCertInfo (if applicable) extensions. It also provides a callback interface for custom policy checking of restricted proxies.
Currently, does not perform the following checks for the new proxy certificates:

Check if proxy serial number is unique (and the version number)
Check for empty subject names

Constructor Summary
`ProxyPathValidator()`

Method Summary
`protected void`	`checkCRL(java.security.cert.X509Certificate cert, CertificateRevocationLists crlsList, org.globus.gsi.TrustedCertificates trustedCerts)`
`protected void`	`checkIdentity(java.security.cert.X509Certificate cert, int certType)`
`protected void`	`checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, java.security.cert.X509Certificate[] certPath, int index)`
`protected void`	`checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, java.security.cert.X509Certificate checkedProxy)`
`protected void`	`checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, java.security.cert.X509Certificate[] certPath, int index)`
`protected void`	`checkUnsupportedCriticalExtensions(org.bouncycastle.asn1.x509.TBSCertificateStructure crt, int certType, java.security.cert.X509Certificate checkedProxy)`
`protected void`	`checkValidity(java.security.cert.X509Certificate cert)`
`protected int`	`getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)`
`java.lang.String`	`getIdentity()` Returns the subject name of the identity certificate (in the Globus format)
`java.security.cert.X509Certificate`	`getIdentityCertificate()` Returns the identity certificate.
`protected boolean[]`	`getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)`
`protected org.globus.gsi.proxy.ext.ProxyCertInfo`	`getProxyCertInfo(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)`
`protected int`	`getProxyPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)`
`org.globus.gsi.proxy.ProxyPolicyHandler`	`getProxyPolicyHandler(java.lang.String id)` Retrieves a restricted proxy policy handler for a given policy id.
`boolean`	`isLimited()` Returns if the validated proxy path is limited.
`org.globus.gsi.proxy.ProxyPolicyHandler`	`removeProxyPolicyHandler(java.lang.String id)` Removes a restricted proxy policy handler.
`void`	`reset()` Resets the internal state.
`org.globus.gsi.proxy.ProxyPolicyHandler`	`setProxyPolicyHandler(java.lang.String id, org.globus.gsi.proxy.ProxyPolicyHandler handler)` Sets a restricted proxy policy handler.
`void`	`setRejectLimitedProxyCheck(boolean rejectLimProxy)` If set, the validate rejects certificate chain if limited proxy if found
`protected void`	`validate(java.security.cert.X509Certificate[] certPath)` Performs certificate path validation.
`protected void`	`validate(java.security.cert.X509Certificate[] certPath, org.globus.gsi.TrustedCertificates trustedCerts)` Performs certificate path validation.
`protected void`	`validate(java.security.cert.X509Certificate[] certPath, org.globus.gsi.TrustedCertificates trustedCerts, CertificateRevocationLists crlsList)` Performs certificate path validation.
`void`	`validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts)` Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc. It uses the PureTLS code to do basic cert signature checking checking and then calls `validate` for further checks.
`void`	`validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts, CertificateRevocationLists crls)`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

ProxyPathValidator

public ProxyPathValidator()

Method Detail

isLimited

public boolean isLimited()

Returns if the validated proxy path is limited. A proxy path is limited when a limited proxy is present anywhere after the first non-impersonation proxy certificate.

Returns:: true if the validated path is limited

getIdentityCertificate

public java.security.cert.X509Certificate getIdentityCertificate()

Returns the identity certificate. The first certificates in the path that is not an impersonation proxy, e.g. it could be a restricted proxy or end-entity certificate

Returns:: X509Certificate the identity certificate

getIdentity

public java.lang.String getIdentity()

Returns the subject name of the identity certificate (in the Globus format)

Returns:: the subject name of the identity certificate in the Globus format
See Also:: getIdentityCertificate()

removeProxyPolicyHandler

public org.globus.gsi.proxy.ProxyPolicyHandler removeProxyPolicyHandler(java.lang.String id)

Removes a restricted proxy policy handler.

Parameters:: id - the Oid of the policy handler to remove.
Returns:: ProxyPolicyHandler the removed handler, or null if there is no handler registered under that id.

setProxyPolicyHandler

public org.globus.gsi.proxy.ProxyPolicyHandler setProxyPolicyHandler(java.lang.String id,
                                                                     org.globus.gsi.proxy.ProxyPolicyHandler handler)

Sets a restricted proxy policy handler.

Parameters:: id - the Oid of the proxy policy to install the handler for.; handler - the proxy policy handler.
Returns:: ProxyPolicyHandler the previous handler installed under the specified id. Usually, will be null.

getProxyPolicyHandler

public org.globus.gsi.proxy.ProxyPolicyHandler getProxyPolicyHandler(java.lang.String id)

Retrieves a restricted proxy policy handler for a given policy id.

Parameters:: id - the Oid of the proxy policy to get the handler for.
Returns:: ProxyPolicyHandler the policy handler registered for the given id or null if none is registered.

reset

public void reset()

Resets the internal state. Useful for reusing the same instance for validating multiple certificate paths.

setRejectLimitedProxyCheck

public void setRejectLimitedProxyCheck(boolean rejectLimProxy)

If set, the validate rejects certificate chain if limited proxy if found

validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts)
              throws org.globus.gsi.proxy.ProxyPathValidatorException

Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic cert signature checking checking and then calls validate for further checks.

Parameters:: certPath - the certificate path to validate.; trustedCerts - the trusted (CA) certificates.
Throws:: org.globus.gsi.proxy.ProxyPathValidatorException - if certificate path validation fails.

validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts,
                     CertificateRevocationLists crls)
              throws org.globus.gsi.proxy.ProxyPathValidatorException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException

validate

protected void validate(java.security.cert.X509Certificate[] certPath)
                 throws org.globus.gsi.proxy.ProxyPathValidatorException

Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.

Parameters:: certPath - the certificate path to validate.
Throws:: org.globus.gsi.proxy.ProxyPathValidatorException - if certificate path validation fails.

validate

protected void validate(java.security.cert.X509Certificate[] certPath,
                        org.globus.gsi.TrustedCertificates trustedCerts)
                 throws org.globus.gsi.proxy.ProxyPathValidatorException

Parameters:: certPath - the certificate path to validate.; trustedCerts - the trusted (CA) certificates. If null, the default trusted certificates will be used.
Throws:: org.globus.gsi.proxy.ProxyPathValidatorException - if certificate path validation fails.

validate

protected void validate(java.security.cert.X509Certificate[] certPath,
                        org.globus.gsi.TrustedCertificates trustedCerts,
                        CertificateRevocationLists crlsList)
                 throws org.globus.gsi.proxy.ProxyPathValidatorException

Parameters:: certPath - the certificate path to validate.; trustedCerts - the trusted (CA) certificates. If null, the default trusted certificates will be used.; crlsList - the certificate revocation list. If null, the default certificate revocation list will be used.
Throws:: org.globus.gsi.proxy.ProxyPathValidatorException - if certificate path validation fails.

checkIdentity

protected void checkIdentity(java.security.cert.X509Certificate cert,
                             int certType)
                      throws org.globus.gsi.proxy.ProxyPathValidatorException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException

checkRestrictedProxy

protected void checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
                                    java.security.cert.X509Certificate[] certPath,
                                    int index)
                             throws org.globus.gsi.proxy.ProxyPathValidatorException,
                                    java.io.IOException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException; java.io.IOException

checkKeyUsage

protected void checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer,
                             java.security.cert.X509Certificate[] certPath,
                             int index)
                      throws org.globus.gsi.proxy.ProxyPathValidatorException,
                             java.io.IOException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException; java.io.IOException

checkProxyConstraints

protected void checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
                                     org.bouncycastle.asn1.x509.TBSCertificateStructure issuer,
                                     java.security.cert.X509Certificate checkedProxy)
                              throws org.globus.gsi.proxy.ProxyPathValidatorException,
                                     java.io.IOException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException; java.io.IOException

checkUnsupportedCriticalExtensions

protected void checkUnsupportedCriticalExtensions(org.bouncycastle.asn1.x509.TBSCertificateStructure crt,
                                                  int certType,
                                                  java.security.cert.X509Certificate checkedProxy)
                                           throws org.globus.gsi.proxy.ProxyPathValidatorException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException

checkValidity

protected void checkValidity(java.security.cert.X509Certificate cert)
                      throws org.globus.gsi.proxy.ProxyPathValidatorException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException

getProxyPathConstraint

protected int getProxyPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                              throws java.io.IOException

Throws:: java.io.IOException

getCAPathConstraint

protected int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                           throws java.io.IOException

Throws:: java.io.IOException

getProxyCertInfo

protected org.globus.gsi.proxy.ext.ProxyCertInfo getProxyCertInfo(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                                                           throws java.io.IOException

Throws:: java.io.IOException

getKeyUsage

protected boolean[] getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                         throws java.io.IOException

Throws:: java.io.IOException

checkCRL

protected void checkCRL(java.security.cert.X509Certificate cert,
                        CertificateRevocationLists crlsList,
                        org.globus.gsi.TrustedCertificates trustedCerts)
                 throws org.globus.gsi.proxy.ProxyPathValidatorException

Throws:: org.globus.gsi.proxy.ProxyPathValidatorException

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

gov.nih.nci.cagrid.gts.service Class ProxyPathValidator

ProxyPathValidator

isLimited

getIdentityCertificate

getIdentity

removeProxyPolicyHandler

setProxyPolicyHandler

getProxyPolicyHandler

reset

setRejectLimitedProxyCheck

validate

validate

validate

validate

validate

checkIdentity

checkRestrictedProxy

checkKeyUsage

checkProxyConstraints

checkUnsupportedCriticalExtensions

checkValidity

getProxyPathConstraint

getCAPathConstraint

getProxyCertInfo

getKeyUsage

checkCRL

gov.nih.nci.cagrid.gts.service
Class ProxyPathValidator