xsul.dsig.globus.security.authentication.wssec
Class ProxyPathValidator

java.lang.Object
  xsul.dsig.globus.security.authentication.wssec.ProxyPathValidator

public class ProxyPathValidator

extends java.lang.Object

Performs certificate/proxy path validation. It supports both old style Globus proxy as well as the new proxy certificate format. It checks BasicConstraints, KeyUsage, and ProxyCertInfo (if applicable) extensions. It also provides a callback interface for custom policy checking of restricted proxies.
Currently, does not perform the following checks for the new proxy certificates:

1. Check if proxy serial number is unique (and the version number)
2. Check for empty subject names

Constructor Summary

ProxyPathValidator()

Method Summary

java.lang.String	getIdentity() Returns the subject name of the identity certificate (in the Globus format)
java.security.cert.X509Certificate	getIdentityCertificate() Returns the identity certificate.
boolean	isLimited() Returns if the validated proxy path is limited.
void	reset() Resets the internal state.
void	validate(java.security.cert.X509Certificate[] certPath) Performs certificate path validation.
void	validate(java.security.cert.X509Certificate[] certPath, java.security.cert.X509Certificate[] trustedCerts) Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc. It uses the PureTLS code to do basic signature & certificate validity checking and then calls validate for further checks.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ProxyPathValidator

public ProxyPathValidator()

Method Detail

isLimited

public boolean isLimited()

Returns if the validated proxy path is limited. A proxy path is limited when a limited proxy is present anywhere after the first non-impersonation proxy certificate.

Returns:

true if the validated path is limited

getIdentityCertificate

public java.security.cert.X509Certificate getIdentityCertificate()

Returns the identity certificate. The first certificates in the path that is not an impersonation proxy, e.g. it could be a restricted proxy or end-entity certificate

Returns:

X509Certificate the identity certificate

getIdentity

public java.lang.String getIdentity()

Returns the subject name of the identity certificate (in the Globus format)

Returns:

the subject name of the identity certificate in the Globus format

See Also:

getIdentityCertificate()

reset

public void reset()

Resets the internal state. Useful for reusing the same instance for validating multiple certificate paths.

validate

public void validate(java.security.cert.X509Certificate[] certPath,
                     java.security.cert.X509Certificate[] trustedCerts)
              throws ProxyPathValidatorException

Performs all certificate path validation including checking of the signatures, validity of the certificates, extension checking, etc.
It uses the PureTLS code to do basic signature & certificate validity checking and then calls validate for further checks.

Parameters:

certPath - the certificate path to validate.

trustedCerts - the trusted (CA) certificates.

Throws:

ProxyPathValidatorException - if certificate path validation fails.

validate

public void validate(java.security.cert.X509Certificate[] certPath)
              throws ProxyPathValidatorException

Performs certificate path validation. Does not check the signatures or validity of the certificates but it performs all other checks like the extension checking, restricted policy checking, etc.

Parameters:

certPath - the certificate path to validate.

Throws:

ProxyPathValidatorException - if certificate path validation fails.