Class X509ProxyCertPathValidator

java.lang.Object

java.security.cert.CertPathValidatorSpi

org.globus.gsi.trustmanager.X509ProxyCertPathValidator

public class X509ProxyCertPathValidator
extends CertPathValidatorSpi

Implementation of the CertPathValidatorSpi and the logic for X.509 Proxy Path Validation.

Since:

1.0

Version:

${version}

Field Summary

Fields

Modifier and Type	Field	Description
static final String	BASIC_CONSTRAINT_OID
protected CertStore	certStore
private X509Certificate	identityCert
static final String	KEY_USAGE_OID
protected KeyStore	keyStore
private boolean	limited
private Map<String, ProxyPolicyHandler>	policyHandlers
protected SigningPolicyStore	policyStore
private boolean	rejectLimitedProxy

Constructor Summary

Constructors

Constructor	Description
X509ProxyCertPathValidator()

Method Summary

Modifier and Type	Method	Description
private void	checkCertificate(X509Certificate cert, GSIConstants.CertificateType certType)
private void	checkExtension(org.bouncycastle.asn1.ASN1ObjectIdentifier oid, org.bouncycastle.asn1.x509.X509Extension proxyExtension, org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage)
protected void	checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer)
private void	checkProxyConstraints(CertPath certPath, X509Certificate cert, org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert, GSIConstants.CertificateType certType, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int i)
protected void	checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, X509Certificate checkedProxy)
protected void	checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, CertPath certPath, int index)
void	clear()	Dispose of the current validation state.
CertPathValidatorResult	engineValidate(CertPath certPath, CertPathParameters params)	Validates the specified certification path using the specified algorithm parameter set.
protected List<CertificateChecker>	getCertificateCheckers()
private GSIConstants.CertificateType	getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert)
X509Certificate	getIdentityCertificate()
private org.bouncycastle.asn1.x509.TBSCertificateStructure	getTBSCertificateStructure(X509Certificate issuerCert)
boolean	isLimited()
boolean	isRejectLimitedProxy()
protected void	parseParameters(CertPathParameters params)
void	setIdentityCert(X509Certificate identityCert)
void	setLimited(boolean limited)
protected CertPathValidatorResult	validate(CertPath certPath)	Validates the certificate path and does the following for each certificate in the chain: method checkCertificate() In addition: a) Validates if the issuer type of each certificate is correct b) CA path constraints c) Proxy path constraints
private void	validateCACert(X509Certificate cert, X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int proxyDepth, int i, boolean certIsProxy)
private int	validateCert(X509Certificate cert, GSIConstants.CertificateType certType, X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth, int i, boolean certIsProxy)
private void	validateEECCert(X509Certificate cert, GSIConstants.CertificateType certType, X509Certificate issuerCert)
private int	validateGsi2ProxyCert(X509Certificate cert, GSIConstants.CertificateType certType, X509Certificate issuerCert, int proxyDepth)
private int	validateGsiProxyCert(X509Certificate cert, GSIConstants.CertificateType certType, X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth)

Methods inherited from class CertPathValidatorSpi

engineGetRevocationChecker

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

BASIC_CONSTRAINT_OID

public static final String BASIC_CONSTRAINT_OID

See Also:

• Constant Field Values

KEY_USAGE_OID

public static final String KEY_USAGE_OID

See Also:

• Constant Field Values

keyStore

protected KeyStore keyStore

certStore

protected CertStore certStore

policyStore

protected SigningPolicyStore policyStore

identityCert

private X509Certificate identityCert

limited

private boolean limited

rejectLimitedProxy

private boolean rejectLimitedProxy

policyHandlers

private Map<String, ProxyPolicyHandler> policyHandlers

Constructor Details

X509ProxyCertPathValidator

public X509ProxyCertPathValidator()

Method Details

engineValidate

public CertPathValidatorResult engineValidate(CertPath certPath,
 CertPathParameters params)
                                       throws CertPathValidatorException,
InvalidAlgorithmParameterException

Validates the specified certification path using the specified algorithm parameter set.

The CertPath specified must be of a type that is supported by the validation algorithm, otherwise an InvalidAlgorithmParameterException will be thrown. For example, a CertPathValidator that implements the PKIX algorithm validates CertPath objects of type X.509.

Specified by:

engineValidate in class CertPathValidatorSpi

Parameters:

certPath - the CertPath to be validated

params - the algorithm parameters

Returns:

the result of the validation algorithm

Throws:

CertPathValidatorException - if the CertPath does not validate

InvalidAlgorithmParameterException - if the specified parameters or the type of the specified CertPath are inappropriate for this CertPathValidator

clear

public void clear()

Dispose of the current validation state.

parseParameters

protected void parseParameters(CertPathParameters params)
                        throws InvalidAlgorithmParameterException

Throws:

InvalidAlgorithmParameterException

validate

protected CertPathValidatorResult validate(CertPath certPath)
                                    throws CertPathValidatorException

Validates the certificate path and does the following for each certificate in the chain: method checkCertificate() In addition: a) Validates if the issuer type of each certificate is correct b) CA path constraints c) Proxy path constraints

If it is of type proxy, check following: a) proxy constraints b) restricted proxy else if certificate, check the following: a) keyisage

Parameters:

certPath - The CertPath to validate.

Returns:

The results of the validation.

Throws:

CertPathValidatorException - If the CertPath is invalid.

getCertificateType

private GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert)
                                                 throws CertPathValidatorException

Throws:

CertPathValidatorException

getTBSCertificateStructure

private org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate issuerCert)
                                                                               throws CertPathValidatorException

Throws:

CertPathValidatorException

validateCert

private int validateCert(X509Certificate cert,
 GSIConstants.CertificateType certType,
 X509Certificate issuerCert,
 org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
 GSIConstants.CertificateType issuerCertType,
 int proxyDepth,
 int i,
 boolean certIsProxy)
                  throws CertPathValidatorException

Throws:

CertPathValidatorException

checkProxyConstraints

private void checkProxyConstraints(CertPath certPath,
 X509Certificate cert,
 org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert,
 GSIConstants.CertificateType certType,
 org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
 int i)
                            throws CertPathValidatorException

Throws:

CertPathValidatorException

validateEECCert

private void validateEECCert(X509Certificate cert,
 GSIConstants.CertificateType certType,
 X509Certificate issuerCert)
                      throws CertPathValidatorException

Throws:

CertPathValidatorException

validateGsi2ProxyCert

private int validateGsi2ProxyCert(X509Certificate cert,
 GSIConstants.CertificateType certType,
 X509Certificate issuerCert,
 int proxyDepth)
                           throws CertPathValidatorException

Throws:

CertPathValidatorException

validateGsiProxyCert

private int validateGsiProxyCert(X509Certificate cert,
 GSIConstants.CertificateType certType,
 X509Certificate issuerCert,
 org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
 GSIConstants.CertificateType issuerCertType,
 int proxyDepth)
                          throws CertPathValidatorException

Throws:

CertPathValidatorException

validateCACert

private void validateCACert(X509Certificate cert,
 X509Certificate issuerCert,
 org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
 int proxyDepth,
 int i,
 boolean certIsProxy)
                     throws CertPathValidatorException

Throws:

CertPathValidatorException

checkRestrictedProxy

protected void checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
 CertPath certPath,
 int index)
                             throws CertPathValidatorException,
IOException

Throws:

CertPathValidatorException

IOException

checkKeyUsage

protected void checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer)
                      throws CertPathValidatorException,
IOException

Throws:

CertPathValidatorException

IOException

getCertificateCheckers

protected List<CertificateChecker> getCertificateCheckers()

checkCertificate

private void checkCertificate(X509Certificate cert,
 GSIConstants.CertificateType certType)
                       throws CertPathValidatorException

Throws:

CertPathValidatorException

checkProxyConstraints

protected void checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
 org.bouncycastle.asn1.x509.TBSCertificateStructure issuer,
 X509Certificate checkedProxy)
                              throws CertPathValidatorException,
IOException

Throws:

CertPathValidatorException

IOException

checkExtension

private void checkExtension(org.bouncycastle.asn1.ASN1ObjectIdentifier oid,
 org.bouncycastle.asn1.x509.X509Extension proxyExtension,
 org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage)
                     throws CertPathValidatorException

Throws:

CertPathValidatorException

getIdentityCertificate

public X509Certificate getIdentityCertificate()

setLimited

public void setLimited(boolean limited)

isLimited

public boolean isLimited()

setIdentityCert

public void setIdentityCert(X509Certificate identityCert)

isRejectLimitedProxy

public boolean isRejectLimitedProxy()