Package org.globus.gsi.trustmanager

Class X509ProxyCertPathValidator

java.lang.Object

java.security.cert.CertPathValidatorSpi

org.globus.gsi.trustmanager.X509ProxyCertPathValidator

public class X509ProxyCertPathValidator
extends CertPathValidatorSpi

Implementation of the CertPathValidatorSpi and the logic for X.509 Proxy Path Validation.

Since:

1.0

Version:

${version}

Field Summary

Fields

Modifier and Type	Field	Description
static String	BASIC_CONSTRAINT_OID
protected CertStore	certStore
static String	KEY_USAGE_OID
protected KeyStore	keyStore
protected SigningPolicyStore	policyStore

Constructor Summary

Constructors

Constructor	Description
X509ProxyCertPathValidator()

Method Summary

Modifier and Type	Method	Description
protected void	checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer)
protected void	checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, X509Certificate checkedProxy)
protected void	checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, CertPath certPath, int index)
void	clear()	Dispose of the current validation state.
CertPathValidatorResult	engineValidate(CertPath certPath, CertPathParameters params)	Validates the specified certification path using the specified algorithm parameter set.
protected List<CertificateChecker>	getCertificateCheckers()
X509Certificate	getIdentityCertificate()
boolean	isLimited()
boolean	isRejectLimitedProxy()
protected void	parseParameters(CertPathParameters params)
void	setIdentityCert(X509Certificate identityCert)
void	setLimited(boolean limited)
protected CertPathValidatorResult	validate(CertPath certPath)	Validates the certificate path and does the following for each certificate in the chain: method checkCertificate() In addition: a) Validates if the issuer type of each certificate is correct b) CA path constraints c) Proxy path constraints

Methods inherited from class java.security.cert.CertPathValidatorSpi

engineGetRevocationChecker

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

BASIC_CONSTRAINT_OID

public static final String BASIC_CONSTRAINT_OID

See Also:

Constant Field Values

KEY_USAGE_OID

public static final String KEY_USAGE_OID

See Also:

Constant Field Values

keyStore

protected KeyStore keyStore

certStore

protected CertStore certStore

policyStore

protected SigningPolicyStore policyStore

Constructor Detail

X509ProxyCertPathValidator

public X509ProxyCertPathValidator()

Method Detail

engineValidate

public CertPathValidatorResult engineValidate(CertPath certPath,
                                              CertPathParameters params)
                                       throws CertPathValidatorException,
                                              InvalidAlgorithmParameterException

Validates the specified certification path using the specified algorithm parameter set.

The CertPath specified must be of a type that is supported by the validation algorithm, otherwise an InvalidAlgorithmParameterException will be thrown. For example, a CertPathValidator that implements the PKIX algorithm validates CertPath objects of type X.509.

Specified by:

engineValidate in class CertPathValidatorSpi

Parameters:

certPath - the CertPath to be validated

params - the algorithm parameters

Returns:

the result of the validation algorithm

Throws:

CertPathValidatorException - if the CertPath does not validate

InvalidAlgorithmParameterException - if the specified parameters or the type of the specified CertPath are inappropriate for this CertPathValidator

clear

public void clear()

Dispose of the current validation state.

parseParameters

protected void parseParameters(CertPathParameters params)
                        throws InvalidAlgorithmParameterException

Throws:

InvalidAlgorithmParameterException

validate

protected CertPathValidatorResult validate(CertPath certPath)
                                    throws CertPathValidatorException

Validates the certificate path and does the following for each certificate in the chain: method checkCertificate() In addition: a) Validates if the issuer type of each certificate is correct b) CA path constraints c) Proxy path constraints

If it is of type proxy, check following: a) proxy constraints b) restricted proxy else if certificate, check the following: a) keyisage

Parameters:

certPath - The CertPath to validate.

Returns:

The results of the validation.

Throws:

CertPathValidatorException - If the CertPath is invalid.

checkRestrictedProxy

protected void checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
                                    CertPath certPath,
                                    int index)
                             throws CertPathValidatorException,
                                    IOException

Throws:

CertPathValidatorException

IOException

checkKeyUsage

protected void checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer)
                      throws CertPathValidatorException,
                             IOException

Throws:

CertPathValidatorException

IOException

getCertificateCheckers

protected List<CertificateChecker> getCertificateCheckers()

checkProxyConstraints

protected void checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
                                     org.bouncycastle.asn1.x509.TBSCertificateStructure issuer,
                                     X509Certificate checkedProxy)
                              throws CertPathValidatorException,
                                     IOException

Throws:

CertPathValidatorException

IOException

getIdentityCertificate

public X509Certificate getIdentityCertificate()

setLimited

public void setLimited(boolean limited)

isLimited

public boolean isLimited()

setIdentityCert

public void setIdentityCert(X509Certificate identityCert)

isRejectLimitedProxy

public boolean isRejectLimitedProxy()