org.globus.gsi.proxy
Class ProxyPathValidator

java.lang.Object
  extended by org.globus.gsi.proxy.ProxyPathValidator

public class ProxyPathValidator
extends java.lang.Object

Performs certificate/proxy path validation. It supports both old style Globus proxy as well as the new proxy certificate format. It checks BasicConstraints, KeyUsage, and ProxyCertInfo (if applicable) extensions. It also checks for presence in CRLs and signing policy compliance. This validator requires that each CA be installed with signing policy. It also provides a callback interface for custom policy checking of restricted proxies.
Currently, does not perform the following checks for the new proxy certificates:

  1. Check if proxy serial number is unique (and the version number)
  2. Check for empty subject names


Constructor Summary
ProxyPathValidator()
           
 
Method Summary
 java.lang.String getIdentity()
          Returns the subject name of the identity certificate (in the Globus format)
 java.security.cert.X509Certificate getIdentityCertificate()
          Returns the identity certificate.
 ProxyPolicyHandler getProxyPolicyHandler(java.lang.String id)
          Retrieves a restricted proxy policy handler for a given policy id.
 boolean isLimited()
          Returns if the validated proxy path is limited.
 ProxyPolicyHandler removeProxyPolicyHandler(java.lang.String id)
          Removes a restricted proxy policy handler.
 void reset()
          Resets the internal state.
 ProxyPolicyHandler setProxyPolicyHandler(java.lang.String id, ProxyPolicyHandler handler)
          Sets a restricted proxy policy handler.
 void setRejectLimitedProxyCheck(boolean rejectLimProxy)
          If set, the validate rejects certificate chain if limited proxy if found
protected  void setValidator(X509ProxyCertPathValidator validator)
           
protected  void validate(java.security.cert.X509Certificate[] certPath)
          Performs certificate path validation.
protected  void validate(java.security.cert.X509Certificate[] certPath, TrustedCertificates trustedCerts)
          Performs certificate path validation.
protected  void validate(java.security.cert.X509Certificate[] certPath, TrustedCertificates trustedCerts, CertificateRevocationLists crlsList)
           
protected  void validate(java.security.cert.X509Certificate[] certPath, TrustedCertificates trustedCerts, CertificateRevocationLists crlsList, java.lang.Boolean enforceSigningPolicy)
          Performs certificate path validation.
 void validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts)
          Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic cert signature checking checking and then calls validate for further checks.
 void validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts, CertificateRevocationLists crls)
           
 void validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts, CertificateRevocationLists crls, SigningPolicy[] signingPolicies)
           
 void validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts, CertificateRevocationLists crls, SigningPolicy[] signingPolicies, java.lang.Boolean enforceSigningPolicy)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ProxyPathValidator

public ProxyPathValidator()
Method Detail

isLimited

public boolean isLimited()
Returns if the validated proxy path is limited. A proxy path is limited when a limited proxy is present anywhere after the first non-impersonation proxy certificate.

Returns:
true if the validated path is limited

getIdentityCertificate

public java.security.cert.X509Certificate getIdentityCertificate()
Returns the identity certificate. The first certificates in the path that is not an impersonation proxy, e.g. it could be a restricted proxy or end-entity certificate

Returns:
X509Certificate the identity certificate

getIdentity

public java.lang.String getIdentity()
Returns the subject name of the identity certificate (in the Globus format)

Returns:
the subject name of the identity certificate in the Globus format
See Also:
getIdentityCertificate()

removeProxyPolicyHandler

public ProxyPolicyHandler removeProxyPolicyHandler(java.lang.String id)
Removes a restricted proxy policy handler.

Parameters:
id - the Oid of the policy handler to remove.
Returns:
ProxyPolicyHandler the removed handler, or null if there is no handler registered under that id.

setProxyPolicyHandler

public ProxyPolicyHandler setProxyPolicyHandler(java.lang.String id,
                                                ProxyPolicyHandler handler)
Sets a restricted proxy policy handler.

Parameters:
id - the Oid of the proxy policy to install the handler for.
handler - the proxy policy handler.
Returns:
ProxyPolicyHandler the previous handler installed under the specified id. Usually, will be null.

getProxyPolicyHandler

public ProxyPolicyHandler getProxyPolicyHandler(java.lang.String id)
Retrieves a restricted proxy policy handler for a given policy id.

Parameters:
id - the Oid of the proxy policy to get the handler for.
Returns:
ProxyPolicyHandler the policy handler registered for the given id or null if none is registered.

reset

public void reset()
Resets the internal state. Useful for reusing the same instance for validating multiple certificate paths.


setRejectLimitedProxyCheck

public void setRejectLimitedProxyCheck(boolean rejectLimProxy)
If set, the validate rejects certificate chain if limited proxy if found


validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts)
              throws ProxyPathValidatorException
Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic cert signature checking checking and then calls validate for further checks.

Parameters:
certPath - the certificate path to validate.
trustedCerts - the trusted (CA) certificates.
Throws:
ProxyPathValidatorException - if certificate path validation fails.

validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts,
                     CertificateRevocationLists crls)
              throws ProxyPathValidatorException
Throws:
ProxyPathValidatorException

validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts,
                     CertificateRevocationLists crls,
                     SigningPolicy[] signingPolicies)
              throws ProxyPathValidatorException
Throws:
ProxyPathValidatorException

validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts,
                     CertificateRevocationLists crls,
                     SigningPolicy[] signingPolicies,
                     java.lang.Boolean enforceSigningPolicy)
              throws ProxyPathValidatorException
Throws:
ProxyPathValidatorException

validate

protected void validate(java.security.cert.X509Certificate[] certPath)
                 throws ProxyPathValidatorException
Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.

Parameters:
certPath - the certificate path to validate.
Throws:
ProxyPathValidatorException - if certificate path validation fails.

validate

protected void validate(java.security.cert.X509Certificate[] certPath,
                        TrustedCertificates trustedCerts)
                 throws ProxyPathValidatorException
Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.

Parameters:
certPath - the certificate path to validate.
trustedCerts - the trusted (CA) certificates. If null, the default trusted certificates will be used.
Throws:
ProxyPathValidatorException - if certificate path validation fails.

validate

protected void validate(java.security.cert.X509Certificate[] certPath,
                        TrustedCertificates trustedCerts,
                        CertificateRevocationLists crlsList)
                 throws ProxyPathValidatorException
Throws:
ProxyPathValidatorException

validate

protected void validate(java.security.cert.X509Certificate[] certPath,
                        TrustedCertificates trustedCerts,
                        CertificateRevocationLists crlsList,
                        java.lang.Boolean enforceSigningPolicy)
                 throws ProxyPathValidatorException
Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.

Parameters:
certPath - the certificate path to validate.
trustedCerts - the trusted (CA) certificates. If null, the default trusted certificates will be used.
crlsList - the certificate revocation list. If null, the default certificate revocation list will be used.
Throws:
ProxyPathValidatorException - if certificate path validation fails.

setValidator

protected void setValidator(X509ProxyCertPathValidator validator)


Copyright © 2013. All Rights Reserved.