xsul.dsig.globus.security.authentication.wssec
Class ProxyPathValidator

java.lang.Object
  extended byxsul.dsig.globus.security.authentication.wssec.ProxyPathValidator

public class ProxyPathValidator
extends java.lang.Object

Performs certificate/proxy path validation. It supports both old style Globus proxy as well as the new proxy certificate format. It checks BasicConstraints, KeyUsage, and ProxyCertInfo (if applicable) extensions. It also provides a callback interface for custom policy checking of restricted proxies.
Currently, does not perform the following checks for the new proxy certificates:

  1. Check if proxy serial number is unique (and the version number)
  2. Check for empty subject names


Constructor Summary
ProxyPathValidator()
           
 
Method Summary
 java.lang.String getIdentity()
          Returns the subject name of the identity certificate (in the Globus format)
 java.security.cert.X509Certificate getIdentityCertificate()
          Returns the identity certificate.
 boolean isLimited()
          Returns if the validated proxy path is limited.
 void reset()
          Resets the internal state.
 void validate(java.security.cert.X509Certificate[] certPath)
          Performs certificate path validation.
 void validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts)
          Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic signature & certificate validity checking and then calls validate for further checks.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ProxyPathValidator

public ProxyPathValidator()
Method Detail

isLimited

public boolean isLimited()
Returns if the validated proxy path is limited. A proxy path is limited when a limited proxy is present anywhere after the first non-impersonation proxy certificate.

Returns:
true if the validated path is limited

getIdentityCertificate

public java.security.cert.X509Certificate getIdentityCertificate()
Returns the identity certificate. The first certificates in the path that is not an impersonation proxy, e.g. it could be a restricted proxy or end-entity certificate

Returns:
X509Certificate the identity certificate

getIdentity

public java.lang.String getIdentity()
Returns the subject name of the identity certificate (in the Globus format)

Returns:
the subject name of the identity certificate in the Globus format
See Also:
getIdentityCertificate()

reset

public void reset()
Resets the internal state. Useful for reusing the same instance for validating multiple certificate paths.


validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts)
              throws ProxyPathValidatorException
Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic signature & certificate validity checking and then calls validate for further checks.

Parameters:
certPath - the certificate path to validate.
trustedCerts - the trusted (CA) certificates.
Throws:
ProxyPathValidatorException - if certificate path validation fails.

validate

public void validate(java.security.cert.X509Certificate[] certPath)
              throws ProxyPathValidatorException
Performs certificate path validation. Does not check the signatures or validity of the certificates but it performs all other checks like the extension checking, restricted policy checking, etc.

Parameters:
certPath - the certificate path to validate.
Throws:
ProxyPathValidatorException - if certificate path validation fails.


IU Extreme! Lab (http://www.extreme.indiana.edu)