org.globus.gsi.proxy
Class ProxyPathValidator

java.lang.Object
  +--org.globus.gsi.proxy.ProxyPathValidator

public class ProxyPathValidator
extends Object
Performs certificate/proxy path validation. It supports both
old-style Globus proxies and the new proxy certificate format.
It checks the BasicConstraints, KeyUsage, and ProxyCertInfo (if applicable)
extensions. It also provides a callback interface for custom policy
checking of restricted proxies.

Currently, it does not perform the following checks for the new proxy
certificates:
- Check that the proxy serial number (and the version number) is unique
- Check for empty subject names
Constructor Summary

ProxyPathValidator()
Method Summary

protected void checkIdentity(X509Certificate cert, int certType)

protected void checkKeyUsage(TBSCertificateStructure issuer, X509Certificate[] certPath, int index)

protected void checkProxyConstraints(TBSCertificateStructure proxy, TBSCertificateStructure issuer, X509Certificate checkedProxy)

protected void checkRestrictedProxy(TBSCertificateStructure proxy, X509Certificate[] certPath, int index)

protected void checkUnsupportedCriticalExtensions(TBSCertificateStructure crt, int certType, X509Certificate checkedProxy)

protected int getCAPathConstraint(TBSCertificateStructure crt)

String getIdentity()
    Returns the subject name of the identity certificate (in the Globus format).

X509Certificate getIdentityCertificate()
    Returns the identity certificate.

protected boolean[] getKeyUsage(TBSCertificateStructure crt)

protected ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt)

protected int getProxyPathConstraint(TBSCertificateStructure crt)

ProxyPolicyHandler getProxyPolicyHandler(String id)
    Retrieves a restricted proxy policy handler for a given policy id.

boolean isLimited()
    Returns whether the validated proxy path is limited.

ProxyPolicyHandler removeProxyPolicyHandler(String id)
    Removes a restricted proxy policy handler.

void reset()
    Resets the internal state.

ProxyPolicyHandler setProxyPolicyHandler(String id, ProxyPolicyHandler handler)
    Sets a restricted proxy policy handler.

void validate(X509Certificate[] certPath)
    Performs certificate path validation.

void validate(X509Certificate[] certPath, TrustedCertificates trustedCerts)
    Performs certificate path validation.

void validate(X509Certificate[] certPath, X509Certificate[] trustedCerts)
    Performs all certificate path validation, including checking of the signatures, validity of the certificates, extension checking, etc. It uses the PureTLS code to do basic signature and certificate validity checking and then calls validate for further checks.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

ProxyPathValidator
public ProxyPathValidator()

Method Detail
isLimited
public boolean isLimited()
Returns whether the validated proxy path is limited. A proxy path
is limited when a limited proxy is present anywhere after the
first non-impersonation proxy certificate.
Returns:
    true if the validated path is limited
getIdentityCertificate
public X509Certificate getIdentityCertificate()
Returns the identity certificate: the first certificate in the
path that is not an impersonation proxy, e.g. it could be a
restricted proxy or an end-entity certificate.
Returns:
    X509Certificate - the identity certificate
getIdentity
public String getIdentity()
Returns the subject name of the identity certificate (in the
Globus format).
Returns:
    the subject name of the identity certificate in the Globus format
See Also:
    getIdentityCertificate()
removeProxyPolicyHandler
public ProxyPolicyHandler removeProxyPolicyHandler(String id)
Removes a restricted proxy policy handler.
Parameters:
    id - the Oid of the policy handler to remove.
Returns:
    ProxyPolicyHandler - the removed handler, or null if there is no handler registered under that id.
setProxyPolicyHandler
public ProxyPolicyHandler setProxyPolicyHandler(String id, ProxyPolicyHandler handler)
Sets a restricted proxy policy handler.
Parameters:
    id - the Oid of the proxy policy to install the handler for.
    handler - the proxy policy handler.
Returns:
    ProxyPolicyHandler - the previous handler installed under the specified id. Usually, this will be null.
getProxyPolicyHandler
public ProxyPolicyHandler getProxyPolicyHandler(String id)
Retrieves a restricted proxy policy handler for a given policy id.
Parameters:
    id - the Oid of the proxy policy to get the handler for.
Returns:
    ProxyPolicyHandler - the policy handler registered for the given id, or null if none is registered.
reset
public void reset()
Resets the internal state. Useful for reusing the same instance for validating multiple certificate paths.
validate
public void validate(X509Certificate[] certPath, X509Certificate[] trustedCerts) throws ProxyPathValidatorException
Performs all certificate path validation, including
checking of the signatures, validity of the certificates,
extension checking, etc.
It uses the PureTLS code to do basic signature and certificate validity checking and then calls validate for further checks.
Parameters:
    certPath - the certificate path to validate.
    trustedCerts - the trusted (CA) certificates.
Throws:
    ProxyPathValidatorException - if certificate path validation fails.
validate
public void validate(X509Certificate[] certPath) throws ProxyPathValidatorException
Performs certificate path validation. Does not check
the signatures or validity of the certificates, but it performs
all other checks such as extension checking, restricted policy
checking, etc.
Parameters:
    certPath - the certificate path to validate.
Throws:
    ProxyPathValidatorException - if certificate path validation fails.
validate
public void validate(X509Certificate[] certPath, TrustedCertificates trustedCerts) throws ProxyPathValidatorException
Performs certificate path validation. Does not check
the signatures or validity of the certificates, but it performs
all other checks such as extension checking, restricted policy
checking, etc.
Parameters:
    certPath - the certificate path to validate.
    trustedCerts - the trusted (CA) certificates. If null, the default trusted certificates will be used.
Throws:
    ProxyPathValidatorException - if certificate path validation fails.
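Added usage example, not part of the Globus Javadoc or the jglobus code base: it runs the full validate(certPath, trustedCerts) check against an explicit trust-anchor set and then reads the identity and limited status documented above. The PEM file paths and the loadPem helper are assumptions; the ordering of certificates inside the chain file is not stated on this page and is passed through as read.

```java
import java.io.FileInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

import org.globus.gsi.proxy.ProxyPathValidator;
import org.globus.gsi.proxy.ProxyPathValidatorException;

public class ProxyPathCheck {

    // Assumed helper: reads every certificate in a PEM bundle with the standard JCE factory.
    static X509Certificate[] loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths: the chain presented by the client and the CA bundle we trust.
        X509Certificate[] certPath = loadPem("/path/to/proxy-chain.pem");
        X509Certificate[] trustAnchors = loadPem("/path/to/ca-bundle.pem");

        ProxyPathValidator validator = new ProxyPathValidator();
        try {
            // Full validation: signatures and validity via PureTLS, then the
            // extension, proxy-constraint and restricted-policy checks.
            validator.validate(certPath, trustAnchors);
        } catch (ProxyPathValidatorException e) {
            // Any failure means the path must not be trusted; log and stop here.
            System.err.println("proxy path rejected: " + e.getMessage());
            return;
        }

        // The identity is the first non-impersonation certificate, not the leaf proxy,
        // so authorization decisions should key on this name.
        System.out.println("identity: " + validator.getIdentity());

        if (validator.isLimited()) {
            // A limited proxy appears after the identity certificate: treat the
            // caller as having reduced privileges (e.g. no further delegation).
            System.out.println("limited proxy path: reduced privileges apply");
        }

        // Required before validating another path with the same instance.
        validator.reset();
    }
}
```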
checkIdentity
protected void checkIdentity(X509Certificate cert, int certType)
checkRestrictedProxy
protected void checkRestrictedProxy(TBSCertificateStructure proxy, X509Certificate[] certPath, int index) throws ProxyPathValidatorException, IOException
checkKeyUsage
protected void checkKeyUsage(TBSCertificateStructure issuer, X509Certificate[] certPath, int index) throws ProxyPathValidatorException, IOException
checkProxyConstraints
protected void checkProxyConstraints(TBSCertificateStructure proxy, TBSCertificateStructure issuer, X509Certificate checkedProxy) throws ProxyPathValidatorException, IOException
checkUnsupportedCriticalExtensions
protected void checkUnsupportedCriticalExtensions(TBSCertificateStructure crt, int certType, X509Certificate checkedProxy) throws ProxyPathValidatorException
getProxyPathConstraint
protected int getProxyPathConstraint(TBSCertificateStructure crt) throws IOException
getCAPathConstraint
protected int getCAPathConstraint(TBSCertificateStructure crt) throws IOException
getProxyCertInfo
protected ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt) throws IOException
getKeyUsage
protected boolean[] getKeyUsage(TBSCertificateStructure crt) throws IOException