eu.emi.security.authn.x509.helpers.pkipath
Class BCCertPathValidator

java.lang.Object
  extended by eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator

public class BCCertPathValidator
extends Object

Low-level certificate validator based on the BC PKIXCertPathReviewer with additional support for proxy certificates.

Author:
K. Benedyczak

Field Summary
static long PROXY_VALIDATION_GRACE_PERIOD

Constructor Summary
BCCertPathValidator()

Method Summary
protected  void checkLastCNNameRule(X500Principal srcP, X500Principal issuerP, List<ValidationError> errors, int position, X509Certificate[] proxyChain)
protected  List<X509Certificate> checkNonProxyChain(X509Certificate[] baseChain, ExtPKIXParameters params, List<ValidationError> errors, Set<String> unresolvedExtensions, int posDelta, X509Certificate[] cc)
          Checks a chain that has no proxies (or at least should not have any), using FixedBCPKIXCertPathReviewer.
protected  void checkPairWithProxy(X509Certificate issuerCert, X509Certificate proxyCert, List<ValidationError> errors, int position, X509Certificate[] proxyChain, Date validationTime)
          Checks whether the certificate passed as the 2nd argument is a correct proxy certificate, including checks of the chain rules with the certificate passed as the 1st argument being its issuing certificate.
protected  void checkProxyChainMain(X509Certificate[] proxyChain, List<ValidationError> errors, Set<String> unresolvedExtensions, Date validDate)
          Performs a validation loop over the proxy chain, checking each pair in the chain for the rules not otherwise verified by the base check.
protected  void checkProxyChainWithBC(X509Certificate[] proxyChain, Set<TrustAnchor> trustAnchor, List<ValidationError> errors, Set<String> unresolvedExtensions)
          Checks a chain with proxies, starting with the EEC, using X.509 path validation.
protected  void checkProxyTime(X509Certificate proxyCert, Date validationTime, X509Certificate[] proxyChain, List<ValidationError> errors, int position)
protected  List<ValidationError> convertErrors(List<?>[] bcErrorsA, boolean ignoreProxyErrors, int positionDelta, X509Certificate[] cc)
protected  ExtPKIXParameters createPKIXParameters(X509Certificate[] toCheck, boolean proxySupport, Set<TrustAnchor> trustAnchors, CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler)
protected  int getFirstProxy(X509Certificate[] toCheck)
protected  Set<String> getUnresolvedExtensionons(List<?>[] bcErrorsA)
 ValidationResult validate(X509Certificate[] toCheck, boolean proxySupport, Set<TrustAnchor> trustAnchors, CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler)
          Performs validation.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PROXY_VALIDATION_GRACE_PERIOD

public static final long PROXY_VALIDATION_GRACE_PERIOD
Constructor Detail

BCCertPathValidator

public BCCertPathValidator()
Method Detail

validate

public ValidationResult validate(X509Certificate[] toCheck,
                                 boolean proxySupport,
                                 Set<TrustAnchor> trustAnchors,
                                 CertStore crlStore,
                                 RevocationParameters revocationParams,
                                 ObserversHandler observersHandler)
                          throws CertificateException
Performs validation. Expects correctly set up parameters.

If the proxy support is turned off or the chain has no proxy certificate then normal X.509 path validation is performed (see below).

If the proxy support is turned on and the chain has at least one proxy then the following checks are performed:

The normal path validation is performed as follows:

Parameters:
toCheck - chain to check
Throws:
CertificateException - if some of the certificates in the chain can not be parsed

createPKIXParameters

protected ExtPKIXParameters createPKIXParameters(X509Certificate[] toCheck,
                                                 boolean proxySupport,
                                                 Set<TrustAnchor> trustAnchors,
                                                 CertStore crlStore,
                                                 RevocationParameters revocationParams,
                                                 ObserversHandler observersHandler)

getFirstProxy

protected int getFirstProxy(X509Certificate[] toCheck)

checkNonProxyChain

protected List<X509Certificate> checkNonProxyChain(X509Certificate[] baseChain,
                                                   ExtPKIXParameters params,
                                                   List<ValidationError> errors,
                                                   Set<String> unresolvedExtensions,
                                                   int posDelta,
                                                   X509Certificate[] cc)
                                            throws CertificateException
Checks a chain that has no proxies (or at least should not have any), using FixedBCPKIXCertPathReviewer. In the future, when the BC implementation is fixed, it should use PKIXCertPathReviewer instead.

Parameters:
baseChain -
params -
errors -
unresolvedExtensions -
Returns:
validated chain or null
Throws:
CertificateException

checkProxyChainWithBC

protected void checkProxyChainWithBC(X509Certificate[] proxyChain,
                                     Set<TrustAnchor> trustAnchor,
                                     List<ValidationError> errors,
                                     Set<String> unresolvedExtensions)
                              throws CertificateException
Checks a chain with proxies, starting with the EEC, using X.509 path validation. The EEC issuer is used as the only trust anchor. CRLs are ignored and the proxy extension OIDs are marked as handled. The error resulting from the missing CA extension is ignored, as are validity time errors; the latter are checked manually later on.

Parameters:
proxyChain -
errors -
unresolvedExtensions -
Throws:
CertificateException

checkProxyChainMain

protected void checkProxyChainMain(X509Certificate[] proxyChain,
                                   List<ValidationError> errors,
                                   Set<String> unresolvedExtensions,
                                   Date validDate)
                            throws CertificateException
Performs a validation loop over the proxy chain, checking each pair in the chain for the rules not otherwise verified by the base check. Additionally, the chain length restriction is verified.

Parameters:
proxyChain -
errors -
unresolvedExtensions -
Throws:
CertificateException

checkPairWithProxy

protected void checkPairWithProxy(X509Certificate issuerCert,
                                  X509Certificate proxyCert,
                                  List<ValidationError> errors,
                                  int position,
                                  X509Certificate[] proxyChain,
                                  Date validationTime)
                           throws CertPathValidatorException,
                                  CertificateParsingException
Checks whether the certificate passed as the 2nd argument is a correct proxy certificate, including checks of the chain rules with the certificate passed as the 1st argument being its issuing certificate. The checks are: The numbers in brackets refer to the RFC 3820 sections. The last two rules were added in version 1.1.0 of the library.

Parameters:
issuerCert - certificate of the issuer
proxyCert - certificate to be checked
errors - out arg - list of errors found
position - position in original chain to be used in error reporting
Throws:
CertPathValidatorException
CertificateParsingException

checkProxyTime

protected void checkProxyTime(X509Certificate proxyCert,
                              Date validationTime,
                              X509Certificate[] proxyChain,
                              List<ValidationError> errors,
                              int position)

checkLastCNNameRule

protected void checkLastCNNameRule(X500Principal srcP,
                                   X500Principal issuerP,
                                   List<ValidationError> errors,
                                   int position,
                                   X509Certificate[] proxyChain)
                            throws CertPathValidatorException
Throws:
CertPathValidatorException
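The following is an added example, not code from canl or from BCCertPathValidator, showing what the per-pair rules of checkPairWithProxy, checkProxyTime and checkLastCNNameRule and the path run described under checkProxyChainWithBC look like when written against the plain JDK PKIX API. The class name ProxyPairCheckExample, the exact list of pair rules (the page does not preserve the library's list, so the RFC 3820 profile sections are used directly), and the reading of the grace period as tolerated clock skew on notBefore are all assumptions of this example. It assumes the BouncyCastle 1.47+ certificate builder API on the classpath (only to construct test certificates) and, for the path run, uses the EEC itself as the single trust anchor.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.ProxyCertInfo;
import org.bouncycastle.asn1.x509.ProxyPolicy;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Added example (hypothetical class, not canl code): RFC 3820 pair rules and a JCA path run with the EEC as anchor. */
public class ProxyPairCheckExample {
    static final String PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14"; // id-pe-proxyCertInfo
    static final long GRACE_MS = 5 * 60 * 1000L; // assumed reading of PROXY_VALIDATION_GRACE_PERIOD: tolerated clock skew

    /** Pair rules in the spirit of checkPairWithProxy; the numbers in brackets are RFC 3820 sections. */
    static List<String> checkPairWithProxy(X509Certificate issuer, X509Certificate proxy, Date validationTime) {
        List<String> errors = new ArrayList<String>();
        try { proxy.verify(issuer.getPublicKey()); }
        catch (GeneralSecurityException e) { errors.add("proxy is not signed by the given issuer: " + e); }
        if (!proxy.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
            errors.add("issuer field differs from the issuing certificate's subject (3.1)");
        checkLastCNNameRule(proxy.getSubjectX500Principal(), issuer.getSubjectX500Principal(), errors);
        if (proxy.getExtensionValue("2.5.29.18") != null) errors.add("issuerAltName must not be present (3.2)");
        if (proxy.getExtensionValue("2.5.29.17") != null) errors.add("subjectAltName must not be present (3.5)");
        boolean[] ku = issuer.getKeyUsage(); // null when the issuer carries no keyUsage extension; index 0 is digitalSignature
        if (ku != null && !ku[0]) errors.add("issuer keyUsage lacks digitalSignature (3.6)");
        if (proxy.getBasicConstraints() != -1) errors.add("proxy must not assert cA (3.7)");
        Set<String> critical = proxy.getCriticalExtensionOIDs();
        if (proxy.getExtensionValue(PROXY_CERT_INFO_OID) == null) errors.add("no proxyCertInfo extension (3.8)");
        else if (critical == null || !critical.contains(PROXY_CERT_INFO_OID)) errors.add("proxyCertInfo not critical (3.8)");
        checkProxyTime(proxy, validationTime, errors);
        return errors;
    }

    /** RFC 3820 3.4: the proxy subject is the issuer subject with exactly one single-valued CN appended. */
    static void checkLastCNNameRule(X500Principal proxySubject, X500Principal issuerSubject, List<String> errors) {
        try {
            LdapName proxyDn = new LdapName(proxySubject.getName()), issuerDn = new LdapName(issuerSubject.getName());
            // LdapName indexes RDNs right to left, so the issuer DN must be a prefix and the appended RDN is the last one.
            if (proxyDn.size() != issuerDn.size() + 1 || !proxyDn.startsWith(issuerDn)) {
                errors.add("proxy subject is not the issuer subject plus one RDN (3.4)"); return;
            }
            Rdn appended = proxyDn.getRdn(proxyDn.size() - 1);
            if (appended.size() != 1 || !"CN".equalsIgnoreCase(appended.getType()))
                errors.add("appended RDN is not a single CN component (3.4)");
        } catch (javax.naming.InvalidNameException e) {
            errors.add("unparsable subject DN: " + e.getMessage());
        }
    }

    /** Assumed time rule: expiry is an error; notBefore may lie up to GRACE_MS in the future (issuer clock ahead of ours). */
    static void checkProxyTime(X509Certificate proxy, Date validationTime, List<String> errors) {
        if (validationTime.after(proxy.getNotAfter())) errors.add("proxy expired at " + proxy.getNotAfter());
        if (proxy.getNotBefore().getTime() - validationTime.getTime() > GRACE_MS)
            errors.add("proxy not yet valid even with grace period, notBefore=" + proxy.getNotBefore());
    }

    /** Setup as described for checkProxyChainWithBC, but on the JDK PKIX validator: EEC is the only anchor, no CRLs. */
    static void validateWithEecAsAnchor(X509Certificate eec, List<X509Certificate> proxiesLeafFirst) throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(proxiesLeafFirst);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(eec, null)));
        params.setRevocationEnabled(false);
        params.addCertPathChecker(new PKIXCertPathChecker() { // claims the critical proxyCertInfo extension as handled
            public void init(boolean forward) { }
            public boolean isForwardCheckingSupported() { return true; }
            public Set<String> getSupportedExtensions() { return Collections.singleton(PROXY_CERT_INFO_OID); }
            public void check(java.security.cert.Certificate c, Collection<String> unresolved) { unresolved.remove(PROXY_CERT_INFO_OID); }
        });
        CertPathValidator.getInstance("PKIX").validate(path, params); // CertPathValidatorException on any failure
    }

    /** Constructed test material: a self-signed EEC and proxies issued by it (BC 1.47+ builder API). */
    static X509Certificate issue(X500Principal issuer, KeyPair issuerKey, X500Principal subject, PublicKey subjectKey,
                                 Date from, Date to, boolean withProxyCertInfo) throws Exception {
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(System.nanoTime()), from, to, subject, subjectKey);
        b.addExtension(new ASN1ObjectIdentifier("2.5.29.15"), true, new KeyUsage(KeyUsage.digitalSignature));
        if (withProxyCertInfo)
            b.addExtension(new ASN1ObjectIdentifier(PROXY_CERT_INFO_OID), true, new ProxyCertInfo(new ProxyPolicy(ProxyPolicy.INHERIT_ALL)));
        return new JcaX509CertificateConverter().getCertificate(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey.getPrivate())));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair eecKey = kpg.generateKeyPair(), proxyKey = kpg.generateKeyPair();
        long now = System.currentTimeMillis();
        X500Principal eecDn = new X500Principal("CN=Alice,O=Example Grid");
        X509Certificate eec = issue(eecDn, eecKey, eecDn, eecKey.getPublic(), new Date(now - 3600000L), new Date(now + 86400000L), false);
        // Well-formed proxy, checked with a clock two minutes behind the issuer's; the grace period absorbs the skew.
        X509Certificate proxy = issue(eecDn, eecKey, new X500Principal("CN=1234," + eecDn.getName()), proxyKey.getPublic(),
                                      new Date(now - 1000L), new Date(now + 43200000L), true);
        System.out.println("good proxy: " + checkPairWithProxy(eec, proxy, new Date(now - 120000L)));
        validateWithEecAsAnchor(eec, Collections.singletonList(proxy));
        // Malformed proxy: two RDNs appended and no proxyCertInfo extension; both rules report.
        X509Certificate bad = issue(eecDn, eecKey, new X500Principal("CN=1234,O=Other," + eecDn.getName()), proxyKey.getPublic(),
                                    new Date(now - 1000L), new Date(now + 43200000L), false);
        System.out.println("bad proxy: " + checkPairWithProxy(eec, bad, new Date(now)));
    }
}
```

Two caveats a practitioner should keep in mind. The JDK validator offers no way to ignore the missing-CA error or validity-time errors that the description of checkProxyChainWithBC says are filtered out, so validateWithEecAsAnchor only passes for a single proxy; with a second proxy the intermediate proxy has no cA flag and the standard validator rejects it, which is exactly why the library runs the BC reviewer and post-filters its error list instead. And the grace period is applied only to notBefore: an expired proxy is reported regardless of skew, because clock tolerance on expiry would let a stale delegation keep working.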

convertErrors

protected List<ValidationError> convertErrors(List<?>[] bcErrorsA,
                                              boolean ignoreProxyErrors,
                                              int positionDelta,
                                              X509Certificate[] cc)

getUnresolvedExtensionons

protected Set<String> getUnresolvedExtensionons(List<?>[] bcErrorsA)


Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.