Package org.globus.gsi.proxy
Class ProxyPathValidator
- java.lang.Object
-
- org.globus.gsi.proxy.ProxyPathValidator
-
public class ProxyPathValidator extends Object
Performs certificate/proxy path validation. It supports both old style Globus proxy as well as the new proxy certificate format. It checks BasicConstraints, KeyUsage, and ProxyCertInfo (if applicable) extensions. It also checks for presence in CRLs and signing policy compliance. This validator requires that each CA be installed with signing policy. It also provides a callback interface for custom policy checking of restricted proxies.
Currently, does not perform the following checks for the new proxy certificates:- Check if proxy serial number is unique (and the version number)
- Check for empty subject names
-
-
Constructor Summary
Constructors Constructor Description ProxyPathValidator()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description String
getIdentity()
Returns the subject name of the identity certificate (in the Globus format)X509Certificate
getIdentityCertificate()
Returns the identity certificate.ProxyPolicyHandler
getProxyPolicyHandler(String id)
Retrieves a restricted proxy policy handler for a given policy id.boolean
isLimited()
Returns if the validated proxy path is limited.ProxyPolicyHandler
removeProxyPolicyHandler(String id)
Removes a restricted proxy policy handler.void
reset()
Resets the internal state.ProxyPolicyHandler
setProxyPolicyHandler(String id, ProxyPolicyHandler handler)
Sets a restricted proxy policy handler.void
setRejectLimitedProxyCheck(boolean rejectLimProxy)
If set, the validate rejects certificate chain if limited proxy if foundprotected void
setValidator(X509ProxyCertPathValidator validator)
protected void
validate(X509Certificate[] certPath)
Performs certificate path validation.void
validate(X509Certificate[] certPath, X509Certificate[] trustedCerts)
Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic cert signature checking checking and then callsvalidate
for further checks.void
validate(X509Certificate[] certPath, X509Certificate[] trustedCerts, CertificateRevocationLists crls)
void
validate(X509Certificate[] certPath, X509Certificate[] trustedCerts, CertificateRevocationLists crls, SigningPolicy[] signingPolicies)
void
validate(X509Certificate[] certPath, X509Certificate[] trustedCerts, CertificateRevocationLists crls, SigningPolicy[] signingPolicies, Boolean enforceSigningPolicy)
protected void
validate(X509Certificate[] certPath, TrustedCertificates trustedCerts)
Performs certificate path validation.protected void
validate(X509Certificate[] certPath, TrustedCertificates trustedCerts, CertificateRevocationLists crlsList)
protected void
validate(X509Certificate[] certPath, TrustedCertificates trustedCerts, CertificateRevocationLists crlsList, Boolean enforceSigningPolicy)
Performs certificate path validation.
-
-
-
Method Detail
-
isLimited
public boolean isLimited()
Returns if the validated proxy path is limited. A proxy path is limited when a limited proxy is present anywhere after the first non-impersonation proxy certificate.- Returns:
- true if the validated path is limited
-
getIdentityCertificate
public X509Certificate getIdentityCertificate()
Returns the identity certificate. The first certificates in the path that is not an impersonation proxy, e.g. it could be a restricted proxy or end-entity certificate- Returns:
X509Certificate
the identity certificate
-
getIdentity
public String getIdentity()
Returns the subject name of the identity certificate (in the Globus format)- Returns:
- the subject name of the identity certificate in the Globus format
- See Also:
getIdentityCertificate()
-
removeProxyPolicyHandler
public ProxyPolicyHandler removeProxyPolicyHandler(String id)
Removes a restricted proxy policy handler.- Parameters:
id
- the Oid of the policy handler to remove.- Returns:
ProxyPolicyHandler
the removed handler, or null if there is no handler registered under that id.
-
setProxyPolicyHandler
public ProxyPolicyHandler setProxyPolicyHandler(String id, ProxyPolicyHandler handler)
Sets a restricted proxy policy handler.- Parameters:
id
- the Oid of the proxy policy to install the handler for.handler
- the proxy policy handler.- Returns:
ProxyPolicyHandler
the previous handler installed under the specified id. Usually, will be null.
-
getProxyPolicyHandler
public ProxyPolicyHandler getProxyPolicyHandler(String id)
Retrieves a restricted proxy policy handler for a given policy id.- Parameters:
id
- the Oid of the proxy policy to get the handler for.- Returns:
ProxyPolicyHandler
the policy handler registered for the given id or null if none is registered.
-
reset
public void reset()
Resets the internal state. Useful for reusing the same instance for validating multiple certificate paths.
-
setRejectLimitedProxyCheck
public void setRejectLimitedProxyCheck(boolean rejectLimProxy)
If set, the validate rejects certificate chain if limited proxy if found
-
validate
public void validate(X509Certificate[] certPath, X509Certificate[] trustedCerts) throws ProxyPathValidatorException
Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic cert signature checking checking and then callsvalidate
for further checks.- Parameters:
certPath
- the certificate path to validate.trustedCerts
- the trusted (CA) certificates.- Throws:
ProxyPathValidatorException
- if certificate path validation fails.
-
validate
public void validate(X509Certificate[] certPath, X509Certificate[] trustedCerts, CertificateRevocationLists crls) throws ProxyPathValidatorException
- Throws:
ProxyPathValidatorException
-
validate
public void validate(X509Certificate[] certPath, X509Certificate[] trustedCerts, CertificateRevocationLists crls, SigningPolicy[] signingPolicies) throws ProxyPathValidatorException
- Throws:
ProxyPathValidatorException
-
validate
public void validate(X509Certificate[] certPath, X509Certificate[] trustedCerts, CertificateRevocationLists crls, SigningPolicy[] signingPolicies, Boolean enforceSigningPolicy) throws ProxyPathValidatorException
- Throws:
ProxyPathValidatorException
-
validate
protected void validate(X509Certificate[] certPath) throws ProxyPathValidatorException
Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.- Parameters:
certPath
- the certificate path to validate.- Throws:
ProxyPathValidatorException
- if certificate path validation fails.
-
validate
protected void validate(X509Certificate[] certPath, TrustedCertificates trustedCerts) throws ProxyPathValidatorException
Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.- Parameters:
certPath
- the certificate path to validate.trustedCerts
- the trusted (CA) certificates. If null, the default trusted certificates will be used.- Throws:
ProxyPathValidatorException
- if certificate path validation fails.
-
validate
protected void validate(X509Certificate[] certPath, TrustedCertificates trustedCerts, CertificateRevocationLists crlsList) throws ProxyPathValidatorException
- Throws:
ProxyPathValidatorException
-
validate
protected void validate(X509Certificate[] certPath, TrustedCertificates trustedCerts, CertificateRevocationLists crlsList, Boolean enforceSigningPolicy) throws ProxyPathValidatorException
Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.- Parameters:
certPath
- the certificate path to validate.trustedCerts
- the trusted (CA) certificates. If null, the default trusted certificates will be used.crlsList
- the certificate revocation list. If null, the default certificate revocation list will be used.- Throws:
ProxyPathValidatorException
- if certificate path validation fails.
-
setValidator
protected void setValidator(X509ProxyCertPathValidator validator)
-
-