Class SigningPolicyParser


  • public class SigningPolicyParser
    extends Object
    Signing policy BNF grammar as implemented here (based on the C implementation):

    eacl ::= {eacl_entry}
    eacl_entry ::= {access_identity} pos_rights {restriction} {pos_rights {restriction}} | {access_identity} neg_rights
    access_identity ::= access_identity_type def_authority value
    access_identity_type ::= "access_id_HOST" | "access_id_USER" | "access_id_GROUP" | "access_id_CA" | "access_id_APPLICATION" | "access_id_ANYBODY"
    pos_rights ::= "pos_rights" def_authority value {"pos_rights" def_authority value}
    neg_rights ::= "neg_rights" def_authority value {"neg_rights" def_authority value}
    restriction ::= condition_type def_authority value
    condition_type ::= alphanumeric_string
    def_authority ::= alphanumeric_string
    value ::= alphanumeric_string

    This class takes a signing policy file as input and parses it to extract the policy that is enforced. Only the following policy is enforced: an access_id_CA entry with X509 as the defining authority and the CA DN as the value; any positive rights following it with globus as the defining authority and CA:sign as the value; and lastly the restriction "cond_subjects" with globus as the defining authority and, as the value, the DNs the CA is authorized to sign. Restrictions are assumed to start with cond_. The order of rights matters: the first occurrence of CA:sign with allowed DNs is used, and the rest of the policy is ignored.

    For a given signing policy file, only policy with the particular CA's DN is parsed.

    Subject names may include the following wildcard characters: * matches zero or any number of characters; ? matches any single character.

    All subject names should be in Globus format, with slashes, and should NOT be reversed.

    The allowed DN patterns are returned as a vector of java.util.regex.Pattern. The wildcard (*) and single-character (?) markers of the policy grammar are replaced with the equivalent regular-expression syntax required by the Pattern class.

    • Constructor Detail

      • SigningPolicyParser

        public SigningPolicyParser()
    • Method Detail

      • parse

        public Map<X500Principal, SigningPolicy> parse(String fileName)
                                                throws FileNotFoundException,
                                                       SigningPolicyException
        Parses the file to extract the signing policy defined for the CA with the specified DN. If the policy file does not exist, a SigningPolicy object with only the CA DN is created. If the policy path exists but no relevant policy exists, a SigningPolicy object with the CA DN and file path is created.
        Parameters:
        fileName - Name of the signing policy file
        Returns:
        SigningPolicy object that contains the information. If no policy is found, a SigningPolicy object with only the CA DN is returned.
        Throws:
        SigningPolicyException - Any errors with parsing the signing policy file.
        FileNotFoundException - If the signing policy file does not exist.
      • parse

        public Map<X500Principal, SigningPolicy> parse(Reader reader)
                                                throws SigningPolicyException
        Parses the input stream to extract the signing policy defined for the CA with the specified DN.
        Parameters:
        reader - Reader over any input stream from which the signing policy information is read.
        Returns:
        Signing policy map defined by the signing policy file.
        Throws:
        SigningPolicyException - Any errors with parsing the signing policy.
      • getPattern

        public static Pattern getPattern(String patternStr)
        Takes a pattern string as written in the signing policy file, with * standing for zero or more characters and ? for a single character, and converts it into a java.util.regex.Pattern object. This requires replacing the wildcard characters with the equivalent expressions in regular-expression syntax.
        Parameters:
        patternStr - Pattern string as written in the signing policy file, with * for zero or more characters and ? for a single character
        Returns:
        Pattern object with the expression equivalent to patternStr.
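        As an added stand-alone example, not JGlobus code, the following Python reimplements the parsing rules from the class description and the wildcard conversion of getPattern. The sample signing_policy text and the function names are my own constructions; the block also shows why regex metacharacters in a DN (such as the dot in Example.org) must be escaped before the wildcards are translated, or an unrelated organization would match.

```python
import re

# Constructed sample signing_policy text in Globus format (no real CA); the
# second cond_subjects line of the first CA must be ignored per the rules above.
SAMPLE_POLICY = """\
# Example CA: may sign the people OU and single-character-prefixed host OUs
access_id_CA   X509    '/C=US/O=Example.org/CN=Example CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=US/O=Example.org/OU=people/*" "/C=US/O=Example.org/OU=?ost/*"'
cond_subjects  globus  '"/*"'
access_id_CA   X509    '/C=US/O=Other/CN=Other CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=US/O=Other/*"'
"""

def wildcard_to_regex(pattern):
    """'*' -> '.*' and '?' -> '.'; everything else is escaped first so a '.' in a DN stays literal."""
    escaped = re.escape(pattern)
    return re.compile(escaped.replace(r"\*", ".*").replace(r"\?", "."))

def parse_signing_policy(text):
    """Map each CA DN to the subject patterns it may sign. Only access_id_CA/X509,
    pos_rights globus CA:sign and cond_subjects globus are enforced; the first
    CA:sign plus cond_subjects pair per CA wins and later ones are ignored."""
    policies = {}
    ca, can_sign = None, False        # current access_id_CA entry and whether CA:sign was seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)   # access_identity_type / def_authority / value
        if len(parts) != 3:
            raise ValueError(f"malformed signing policy line: {raw!r}")
        kind, authority, value = parts
        value = value.strip().strip("'")
        if kind == "access_id_CA" and authority == "X509":
            ca, can_sign = value, False
            policies.setdefault(ca, [])          # CA is known even if it gets no rights
        elif ca is None:
            continue
        elif kind == "pos_rights" and authority == "globus" and value == "CA:sign":
            can_sign = True
        elif kind == "cond_subjects" and authority == "globus" and can_sign:
            if not policies[ca]:                 # first occurrence only; the rest is ignored
                policies[ca] = [wildcard_to_regex(dn) for dn in re.findall(r'"([^"]*)"', value)]
    return policies

def is_subject_allowed(policies, ca_dn, subject):
    """True if the CA's policy lets it sign this Globus-format (non-reversed) subject; unknown CA -> False."""
    return any(p.fullmatch(subject) for p in policies.get(ca_dn, []))
```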