eu.emi.security.authn.x509.proxy
Class ProxyChainInfo

java.lang.Object
  extended by eu.emi.security.authn.x509.proxy.ProxyChainInfo

public class ProxyChainInfo
extends Object

A class to get information from a proxy certificate chain.

Author:
J. Hahkala, K. Benedyczak

Constructor Summary
ProxyChainInfo(X509Certificate[] chain)
          Generates a new instance of this class using the certificate chain as the source of the data.
 
Method Summary
static byte[][] concatArrays(byte[][] first, byte[][] second)
          Concatenates two arrays of byte arrays.
 AttributeCertificate[][] getAttributeCertificateExtensions()
          Returns the Attribute Certificate extensions from the certificate chain.
 int getFirstProxyPosition()
          Returns the index of the first proxy in the chain (issued by the EEC).
 ProxyPolicy[] getPolicy()
          Gets the array of RFC proxy extension policy OID and octets of the policy.
 byte[][][] getProxySourceRestrictions()
          Gets the proxy source restriction data from the chain.
 byte[][][] getProxyTargetRestrictions()
          Gets the proxy target restriction data from the chain.
 String[] getProxyTracingIssuers()
          Returns an array of URLs of the proxy tracing issuers in the chain.
 String[] getProxyTracingSubjects()
          Returns an array of URLs of the proxy tracing subjects in the chain.
 ProxyChainType getProxyType()
          Returns the type of the proxy chain.
 int getRemainingPathLimit()
          Returns the remaining path length of this chain.
 String[] getSAMLExtensions()
          Returns the SAML extensions from the certificate chain.
 BigInteger[] getSerialNumbers()
          Returns the serial numbers of the certificates in the chain.
 boolean isHostAllowedAsSource(byte[] ipAddress)
          Checks if the given IP address is allowed as this proxy chain source.
 boolean isHostAllowedAsTarget(byte[] ipAddress)
          Checks if the given IP address is allowed as this proxy chain target.
 boolean isLimited()
          Used to check whether the proxy chain is limited or not.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ProxyChainInfo

public ProxyChainInfo(X509Certificate[] chain)
               throws CertificateException
Generates a new instance of this class using the certificate chain as the source of the data.

Parameters:
chain - chain with at least one proxy certificate
Throws:
CertificateException - if there is no proxy certificate in the chain, or if the chain is inconsistent, i.e. a non-proxy certificate follows a proxy.
Method Detail

getSerialNumbers

public BigInteger[] getSerialNumbers()
Returns:
array with serial numbers of the certificates in the chain

getProxyType

public ProxyChainType getProxyType()
                            throws CertificateException
Returns the type of the proxy chain. If the chain contains proxies of different types, the MIXED type is returned.

Returns:
the type of the chain
Throws:
CertificateException

getFirstProxyPosition

public int getFirstProxyPosition()
Returns:
the index of the first proxy in the chain (issued by the EEC).

isLimited

public boolean isLimited()
                  throws CertificateException,
                         IOException
Used to check whether the proxy chain is limited or not. The method returns true if and only if there is at least one limited proxy anywhere in the chain.

Returns:
true if the chain is limited, i.e. the owner of the certificate may not submit jobs
Throws:
CertificateException
IOException

getPolicy

public ProxyPolicy[] getPolicy()
                        throws IOException
Gets the array of RFC proxy extension policy OIDs and the octets of each policy. See RFC 3820. The policy octets can be null when the OID by itself defines the behavior, as with the "inherit all" policy or the "independent" policy. The array contains entries from all certificates in the chain.

Returns:
array with policy information
Throws:
IOException - Thrown in case the parsing of the information failed.

getProxyTracingIssuers

public String[] getProxyTracingIssuers()
                                throws IOException
Returns an array of URLs of the proxy tracing issuers in the chain. Non-traced proxies will have null in the array.

Returns:
The proxy tracing issuer URLs in String format, or null in the array if an extension was not found or it was empty.
Throws:
IOException - Thrown in case the parsing of the information failed.

getProxyTracingSubjects

public String[] getProxyTracingSubjects()
                                 throws IOException
Returns an array of URLs of the proxy tracing subjects in the chain. Non-traced proxies will have null in the array.

Returns:
The proxy tracing subject URLs in String format, or null in the array if an extension was not found or it was empty.
Throws:
IOException - Thrown in case the parsing of the information failed.

getSAMLExtensions

public String[] getSAMLExtensions()
                           throws IOException
Returns the SAML extensions from the certificate chain.

Returns:
The SAML assertions in String format. A null in the array means that no SAML extensions were found at the given position.
Throws:
IOException - Thrown in case the parsing of the information failed.

getAttributeCertificateExtensions

public AttributeCertificate[][] getAttributeCertificateExtensions()
                                                           throws IOException
Returns the Attribute Certificate extensions from the certificate chain.

Returns:
The Attribute Certificates array. The first index corresponds to the first certificate in the chain. A null in the array means that no AC extension was found at the given position.
Throws:
IOException - Thrown in case the parsing of the information failed.

getRemainingPathLimit

public int getRemainingPathLimit()
                          throws IOException
Returns the remaining path length of this chain. Both the RFC 3820 and the draft proxy path limit extensions are searched for. Legacy proxies are treated as unlimited.

Note: a negative value means that the chain is invalid, as it has exceeded its limit of delegations. Integer.MAX_VALUE is returned if no path length limit is set anywhere in the chain.

Returns:
remaining proxy path limit
Throws:
IOException - Thrown in case the parsing of the information failed.

getProxySourceRestrictions

public byte[][][] getProxySourceRestrictions()
                                      throws IOException
Gets the proxy source restriction data from the chain. The allowed namespaces of the different certificates in the chain are intersected and the union of the excluded namespaces is computed. The returned array has as its first item the array of allowed namespaces and as its second item the array of excluded namespaces. If extensions exist but in the end no allowed or excluded namespaces are left, the array is empty.

Returns:
array with proxy source restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.
Throws:
IOException - Thrown in case the parsing of the information failed.

getProxyTargetRestrictions

public byte[][][] getProxyTargetRestrictions()
                                      throws IOException
Gets the proxy target restriction data from the chain. The allowed namespaces of the different certificates in the chain are intersected and the union of the excluded namespaces is computed. The returned array has as its first item the array of allowed namespaces and as its second item the array of excluded namespaces. If extensions exist but in the end no allowed or excluded namespaces are left, the array is empty.

Returns:
array with proxy target restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.
Throws:
IOException - Thrown in case the parsing of the information failed.

isHostAllowedAsSource

public boolean isHostAllowedAsSource(byte[] ipAddress)
                              throws IOException
Checks if the given IP address is allowed as this proxy chain source.

Parameters:
ipAddress - host IPv4 address as a 4-element byte array
Returns:
true if and only if the ipAddress is OK w.r.t. this proxy chain's source restrictions.
Throws:
IOException - Thrown in case the parsing of the information failed.

isHostAllowedAsTarget

public boolean isHostAllowedAsTarget(byte[] ipAddress)
                              throws IOException
Checks if the given IP address is allowed as this proxy chain target.

Parameters:
ipAddress - host IPv4 address as a 4-element byte array
Returns:
true if and only if the ipAddress is OK w.r.t. this proxy chain's target restrictions.
Throws:
IOException - Thrown in case the parsing of the information failed.
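The following is an added example, not code from CANL itself, showing how a service would combine the methods documented above (getRemainingPathLimit, getPolicy, isLimited, getProxySourceRestrictions/getProxyTargetRestrictions and the two isHostAllowed* checks) into one fail-closed authorization gate. It assumes the chain has already been validated (signatures, validity, trust anchor) by the CANL validator, that the caller passes the client and local addresses taken from the socket rather than from DNS, and that ProxyPolicy exposes the policy OID through a getPolicyOID() accessor (an assumption; check the ProxyPolicy javadoc). The policy language OIDs are the RFC 3820 id-ppl-inheritAll and id-ppl-independent values plus the GSI limited proxy OID.

```java
import java.io.IOException;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import eu.emi.security.authn.x509.proxy.ProxyChainInfo;
import eu.emi.security.authn.x509.proxy.ProxyChainType;
import eu.emi.security.authn.x509.proxy.ProxyPolicy;

/**
 * Example authorization gate over an already validated proxy chain.
 * Chain validation (signatures, validity periods, trust anchor) is the
 * validator's job and must run before this; the gate only consumes the
 * proxy-specific facts exposed by ProxyChainInfo.
 */
public final class ProxyChainGate {

    /** Outcome: a null reason means the request may proceed. */
    public static final class Decision {
        public final ProxyChainType type;   // null when denied
        public final String reason;         // null when allowed
        private Decision(ProxyChainType type, String reason) { this.type = type; this.reason = reason; }
        public boolean allowed() { return reason == null; }
        static Decision allow(ProxyChainType t) { return new Decision(t, null); }
        static Decision deny(String why) { return new Decision(null, why); }
    }

    /** Policy languages this service understands. RFC 3820 section 4.1.3
     *  requires rejecting a proxy whose policy language is not recognized. */
    private static final Set<String> KNOWN_POLICY_OIDS = new HashSet<>(Arrays.asList(
        "1.3.6.1.5.5.7.21.1",        // id-ppl-inheritAll (no policy octets)
        "1.3.6.1.5.5.7.21.2",        // id-ppl-independent (no policy octets)
        "1.3.6.1.4.1.3536.1.1.1.9"   // GSI limited proxy
    ));

    /**
     * @param chain         peer chain as handed over by the TLS layer
     * @param client        address the connection actually came from (socket, not DNS)
     * @param local         address this service accepted the connection on
     * @param jobSubmission whether the request is one a limited proxy may not perform
     */
    public static Decision evaluate(X509Certificate[] chain, InetAddress client,
                                    InetAddress local, boolean jobSubmission) {
        ProxyChainInfo info;
        try {
            info = new ProxyChainInfo(chain);
        } catch (CertificateException e) {
            // No proxy in the chain, or a non-proxy certificate after a proxy.
            return Decision.deny("not a consistent proxy chain: " + e.getMessage());
        }
        try {
            // 1. Delegation depth: a negative remaining limit means the chain has
            //    already exceeded a path length limit set by one of its proxies.
            if (info.getRemainingPathLimit() < 0)
                return Decision.deny("proxy path length limit exceeded");

            // 2. Policy languages: fail closed on anything we cannot interpret.
            ProxyPolicy[] policies = info.getPolicy();
            if (policies != null) {
                for (ProxyPolicy p : policies) {
                    if (p == null) continue;            // guard: entry without policy data
                    String oid = p.getPolicyOID();      // assumed accessor name on ProxyPolicy
                    if (!KNOWN_POLICY_OIDS.contains(oid))
                        return Decision.deny("unrecognized proxy policy language " + oid);
                }
            }

            // 3. One limited proxy anywhere in the chain limits the whole chain.
            if (jobSubmission && info.isLimited())
                return Decision.deny("limited proxy may not submit jobs");

            // 4. Source/target restrictions take a 4-byte IPv4 address. If a
            //    restriction exists but the address is not IPv4, deny rather than skip.
            if (info.getProxySourceRestrictions() != null) {
                byte[] a = ipv4(client);
                if (a == null || !info.isHostAllowedAsSource(a))
                    return Decision.deny("client address not allowed as proxy source");
            }
            if (info.getProxyTargetRestrictions() != null) {
                byte[] a = ipv4(local);
                if (a == null || !info.isHostAllowedAsTarget(a))
                    return Decision.deny("service address not allowed as proxy target");
            }
            return Decision.allow(info.getProxyType());
        } catch (CertificateException | IOException e) {
            // Unparseable proxy extensions are a reason to deny, not to ignore them.
            return Decision.deny("proxy chain extensions could not be parsed: " + e.getMessage());
        }
    }

    /** 4-element array for IPv4, null for anything else (IPv6 gives 16 bytes). */
    private static byte[] ipv4(InetAddress addr) {
        return addr instanceof Inet4Address ? addr.getAddress() : null;
    }
}
```

The order of the checks matters only for the quality of the denial reason; every check is independent and any single failure denies. The IPv4-only caveat is the one most often missed: InetAddress.getAddress() returns 16 bytes for an IPv6 peer, which is not what isHostAllowedAsSource/isHostAllowedAsTarget expect, so a restricted chain reached over IPv6 is denied here instead of being silently accepted.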

concatArrays

public static byte[][] concatArrays(byte[][] first,
                                    byte[][] second)
Concatenates two arrays of byte arrays.

Parameters:
first - the array of byte arrays placed first in the result.
second - the array of byte arrays placed after it.
Returns:
an array of byte arrays containing the elements of both arguments, in order.


Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.