Class ProxyPathValidator


  • public class ProxyPathValidator
    extends Object
    Performs certificate/proxy path validation. It supports both old style Globus proxy as well as the new proxy certificate format. It checks BasicConstraints, KeyUsage, and ProxyCertInfo (if applicable) extensions. It also checks for presence in CRLs and signing policy compliance. This validator requires that each CA be installed with signing policy. It also provides a callback interface for custom policy checking of restricted proxies.
    Currently, does not perform the following checks for the new proxy certificates:
    1. Check if proxy serial number is unique (and the version number)
    2. Check for empty subject names
    • Constructor Detail

      • ProxyPathValidator

        public ProxyPathValidator()
    • Method Detail

      • isLimited

        public boolean isLimited()
        Returns if the validated proxy path is limited. A proxy path is limited when a limited proxy is present anywhere after the first non-impersonation proxy certificate.
        Returns:
        true if the validated path is limited
      • getIdentityCertificate

        public X509Certificate getIdentityCertificate()
        Returns the identity certificate. The first certificates in the path that is not an impersonation proxy, e.g. it could be a restricted proxy or end-entity certificate
        Returns:
        X509Certificate the identity certificate
      • getIdentity

        public String getIdentity()
        Returns the subject name of the identity certificate (in the Globus format)
        Returns:
        the subject name of the identity certificate in the Globus format
        See Also:
        getIdentityCertificate()
      • removeProxyPolicyHandler

        public ProxyPolicyHandler removeProxyPolicyHandler​(String id)
        Removes a restricted proxy policy handler.
        Parameters:
        id - the Oid of the policy handler to remove.
        Returns:
        ProxyPolicyHandler the removed handler, or null if there is no handler registered under that id.
      • setProxyPolicyHandler

        public ProxyPolicyHandler setProxyPolicyHandler​(String id,
                                                        ProxyPolicyHandler handler)
        Sets a restricted proxy policy handler.
        Parameters:
        id - the Oid of the proxy policy to install the handler for.
        handler - the proxy policy handler.
        Returns:
        ProxyPolicyHandler the previous handler installed under the specified id. Usually, will be null.
      • getProxyPolicyHandler

        public ProxyPolicyHandler getProxyPolicyHandler​(String id)
        Retrieves a restricted proxy policy handler for a given policy id.
        Parameters:
        id - the Oid of the proxy policy to get the handler for.
        Returns:
        ProxyPolicyHandler the policy handler registered for the given id or null if none is registered.
      • reset

        public void reset()
        Resets the internal state. Useful for reusing the same instance for validating multiple certificate paths.
      • setRejectLimitedProxyCheck

        public void setRejectLimitedProxyCheck​(boolean rejectLimProxy)
        If set, the validate rejects certificate chain if limited proxy if found
      • validate

        public void validate​(X509Certificate[] certPath,
                             X509Certificate[] trustedCerts)
                      throws ProxyPathValidatorException
        Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
        It uses the PureTLS code to do basic cert signature checking checking and then calls validate for further checks.
        Parameters:
        certPath - the certificate path to validate.
        trustedCerts - the trusted (CA) certificates.
        Throws:
        ProxyPathValidatorException - if certificate path validation fails.
      • validate

        protected void validate​(X509Certificate[] certPath)
                         throws ProxyPathValidatorException
        Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.
        Parameters:
        certPath - the certificate path to validate.
        Throws:
        ProxyPathValidatorException - if certificate path validation fails.
      • validate

        protected void validate​(X509Certificate[] certPath,
                                TrustedCertificates trustedCerts)
                         throws ProxyPathValidatorException
        Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.
        Parameters:
        certPath - the certificate path to validate.
        trustedCerts - the trusted (CA) certificates. If null, the default trusted certificates will be used.
        Throws:
        ProxyPathValidatorException - if certificate path validation fails.
      • validate

        protected void validate​(X509Certificate[] certPath,
                                TrustedCertificates trustedCerts,
                                CertificateRevocationLists crlsList,
                                Boolean enforceSigningPolicy)
                         throws ProxyPathValidatorException
        Performs certificate path validation. Does not check the cert signatures but it performs all other checks like the extension checking, validity checking, restricted policy checking, CRL checking, etc.
        Parameters:
        certPath - the certificate path to validate.
        trustedCerts - the trusted (CA) certificates. If null, the default trusted certificates will be used.
        crlsList - the certificate revocation list. If null, the default certificate revocation list will be used.
        Throws:
        ProxyPathValidatorException - if certificate path validation fails.