eu.emi.security.authn.x509.proxy
Class BaseProxyCertificateOptions

java.lang.Object
  extended by eu.emi.security.authn.x509.proxy.BaseProxyCertificateOptions
Direct Known Subclasses:
ProxyCertificateOptions, ProxyRequestOptions

public abstract class BaseProxyCertificateOptions
extends Object

Generic proxy creation parameters useful for all scenarios. All objects passed to this class are copied, and all objects returned by its methods are copies of the object state. Therefore the state of this class can only be modified through its methods. This class is not thread safe.

Author:
J. Hahkala, K. Benedyczak

Field Summary
static int DEFAULT_LIFETIME
           
 
Constructor Summary
protected BaseProxyCertificateOptions(X509Certificate[] parentCertChain)
          Create a new proxy cert based on the parent cert chain.
 
Method Summary
 void addExtension(CertificateExtension extension)
          Add an extension to the proxy certificate to be generated.
 AttributeCertificate[] getAttributeCertificates()
           
 List<CertificateExtension> getExtensions()
           
 int getLifetime()
           
 Date getNotBefore()
           
 X509Certificate[] getParentCertChain()
          Returns the certificate parent chain of the proxy.
 ProxyPolicy getPolicy()
           
 int getProxyPathLimit()
          Gets the proxy path length limit of this certificate.
 String getProxyTracingIssuer()
           
 String getProxyTracingSubject()
           
 String getSAMLAssertion()
          Gets SAML assertions in a string format.
 BigInteger getSerialNumber()
          Gets the proxy serial number.
 String[] getSourceRestrictionExcludedAddresses()
          Gets the IP address space excluded by the source restriction.
 String[] getSourceRestrictionPermittedAddresses()
          Gets the permitted source IP address space of the proxy.
 String[] getTargetRestrictionExcludedAddresses()
          Gets the IP address space excluded by the target restriction.
 String[] getTargetRestrictionPermittedAddresses()
          Returns a permitted target IP address space of the Proxy.
 ProxyType getType()
           
 boolean isLimited()
          Checks if the proxy shall be limited.
 void setAttributeCertificates(AttributeCertificate[] ac)
          Sets Attribute certificates, which will be added as the VOMS extensions to the generated proxy.
 void setLifetime(int lifetime)
          Set the proxy lifetime in seconds.
 void setLifetime(long lifetime, TimeUnit unit)
          Set the proxy lifetime using desired unit.
 void setLimited(boolean limited)
          Defines whether the resulting proxy will be a limited proxy.
 void setPolicy(ProxyPolicy policy)
          Set the RFC proxy extension policy OID and octets of the policy.
 void setProxyPathLimit(int pathLen)
          Sets the proxy path length limit of this certificate.
 void setProxyTracingIssuer(String url)
          Sets the issuer URL for the proxy tracing.
 void setProxyTracingSubject(String url)
          Sets the subject URL for the proxy tracing.
 void setSAMLAssertion(String saml)
          Sets SAML assertions in a string format.
 void setSerialNumber(BigInteger sn)
          Sets the proxy serial number.
 void setSourceRestrictionExcludedAddresses(byte[][] addresses)
          Sets the IP address space excluded by the source restriction.
 void setSourceRestrictionExcludedAddresses(String[] addresses)
          Sets the IP address space excluded by the source restriction.
 void setSourceRestrictionPermittedAddresses(byte[][] addresses)
          Sets the permitted source IP address space of the proxy.
 void setSourceRestrictionPermittedAddresses(String[] addresses)
          Sets a new permitted source IP address space of the proxy.
 void setTargetRestrictionExcludedAddresses(byte[][] addresses)
          Sets the IP address space excluded by the target restriction.
 void setTargetRestrictionExcludedAddresses(String[] addresses)
          Sets the IP address space excluded by the target restriction.
 void setTargetRestrictionPermittedAddresses(byte[][] addresses)
          Sets the permitted target IP address space of the proxy.
 void setTargetRestrictionPermittedAddresses(String[] addresses)
          Sets a new permitted target IP address space of the proxy.
 void setType(ProxyType type)
          Used to set the type of the proxy.
 void setValidityBounds(Date notBefore, Date notAfter)
          Sets the desired time bounds for the proxy.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_LIFETIME

public static final int DEFAULT_LIFETIME
See Also:
Constant Field Values
Constructor Detail

BaseProxyCertificateOptions

protected BaseProxyCertificateOptions(X509Certificate[] parentCertChain)
Create a new proxy cert based on the parent cert chain. The default type of the proxy generation params is set to the type of the parent chain if it is a consistent proxy chain. If it is a mixed proxy chain or an EEC certificate chain, the RFC proxy type is set by default.

Parameters:
parentCertChain - chain of the issuer
Method Detail

getParentCertChain

public X509Certificate[] getParentCertChain()
Returns the certificate parent chain of the proxy. If only the user certificate was provided, it is returned in a one-element array.

Returns:
the parent certificate chain

setValidityBounds

public void setValidityBounds(Date notBefore,
                              Date notAfter)
Sets the desired time bounds for the proxy. Note that both arguments are truncated to seconds precision (this is what goes into the certificate).

Parameters:
notBefore - proxy won't be valid before this date
notAfter - proxy won't be valid after this date
Since:
1.1.0

setLifetime

public void setLifetime(int lifetime)
Set the proxy lifetime in seconds. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.

Parameters:
lifetime - in seconds
See Also:
setValidityBounds(Date, Date)

setLifetime

public void setLifetime(long lifetime,
                        TimeUnit unit)
Set the proxy lifetime in the desired unit. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.

Parameters:
lifetime - in unit specified by the 2nd parameter
unit - the unit of the timeout specified by the first value
Throws:
IllegalArgumentException - if the requested lifetime is larger than Integer.MAX_VALUE seconds.
Since:
1.1.0
See Also:
setValidityBounds(Date, Date)

getLifetime

public int getLifetime()
Returns:
proxy lifetime in seconds

getNotBefore

public Date getNotBefore()
Returns:
start of proxy validity

setType

public void setType(ProxyType type)
             throws IllegalArgumentException
Used to set the type of the proxy. Useful only when the parent certificate is a user certificate; otherwise the generator produces the same type of proxy as the parent, and trying to set a different type here than that of the parent results in an IllegalArgumentException. If the parent certificate is a user certificate and this method is not used, the RFC 3820 type is assumed.

Parameters:
type - to be set
Throws:
IllegalArgumentException

getType

public ProxyType getType()
Returns:
the current proxy type

setLimited

public void setLimited(boolean limited)
Defines whether the resulting proxy will be a limited proxy. Job submission with a limited proxy is not possible.

For legacy proxies this is the only way to control the proxy's application area. RFC and draft proxies allow richer and extensible semantics using setPolicy(ProxyPolicy).

Since version 1.2.0, in case of RFC proxies, usage of this method with argument 'true' is equivalent to calling setPolicy(new ProxyPolicy(ProxyPolicy.LIMITED_PROXY_OID)) and with argument false to setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID)). Note that subsequent calls to setPolicy will overwrite the setLimited setting. Therefore the following code:

 param.setLimited(true);
 param.setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID));
 
configures the engine to create limited legacy proxies but unlimited RFC proxies. As this behavior is rarely what is intended, it is strongly advised NOT to mix setLimited and setPolicy calls in any case.

Parameters:
limited - true if proxy shall be limited

isLimited

public boolean isLimited()
Checks if the proxy shall be limited.

Returns:
true if limited proxy shall be created

setSerialNumber

public void setSerialNumber(BigInteger sn)
Sets the proxy serial number. Only applicable to RFC proxies.

Parameters:
sn - serial number to be set

getSerialNumber

public BigInteger getSerialNumber()
Gets the proxy serial number.

Returns:
the serial number previously set

setProxyPathLimit

public void setProxyPathLimit(int pathLen)
Sets the proxy path length limit of this certificate. Only works on RFC 3820 and RFC draft proxies.

Parameters:
pathLen - path limit, use negative value if proxy shall be unlimited

getProxyPathLimit

public int getProxyPathLimit()
Gets the proxy path length limit of this certificate.

Returns:
limit or -1 if proxy shall be unlimited

addExtension

public void addExtension(CertificateExtension extension)
Add an extension to the proxy certificate to be generated.

Parameters:
extension - the extension to be set

getExtensions

public List<CertificateExtension> getExtensions()
Returns:
Returns a list of extensions including only those which were set via addExtension(CertificateExtension)

setPolicy

public void setPolicy(ProxyPolicy policy)
Set the RFC proxy extension policy OID and octets of the policy. See RFC 3820. The policy octets can be null when the OID in itself defines the behavior, as with the "inherit all" policy or the "independent" policy.

Note: this setting is ignored for legacy proxies.

Parameters:
policy - to be set

getPolicy

public ProxyPolicy getPolicy()
Returns:
the RFC proxy extension policy OID and octets of the policy. See RFC 3820. The policy octets can be null when the OID in itself defines the behavior, as with the "inherit all" policy or the "independent" policy.

setTargetRestrictionPermittedAddresses

public void setTargetRestrictionPermittedAddresses(String[] addresses)
                                            throws IllegalArgumentException
Sets a new permitted target IP address space of the proxy.

Parameters:
addresses - The address spaces to add to the allowed IP address space. Example of the format: 192.168.0.0/16, which is the network 192.168.0.0 with netmask 255.255.0.0. A single IP address can be given as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is stored in the format used for NameConstraints, i.e. a GeneralName with 8 octets for IPv4 and 32 octets for IPv6 addresses (address octets followed by netmask octets).
Throws:
IllegalArgumentException - if the argument does not contain addresses in the specified format

setTargetRestrictionPermittedAddresses

public void setTargetRestrictionPermittedAddresses(byte[][] addresses)
                                            throws IllegalArgumentException
Sets the permitted target IP address space of the proxy.

Parameters:
addresses - An array of 8-element byte arrays representing the address spaces. Each inner 8-element array must contain the IP address bytes followed by the netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
Throws:
IllegalArgumentException - when an inner array is not of length 8 or does not represent a valid address and netmask combination.

getTargetRestrictionPermittedAddresses

public String[] getTargetRestrictionPermittedAddresses()
Returns a permitted target IP address space of the Proxy.

Returns:
The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setSourceRestrictionPermittedAddresses

public void setSourceRestrictionPermittedAddresses(String[] addresses)
                                            throws IllegalArgumentException
Sets a new permitted source IP address space of the proxy.

Parameters:
addresses - The address spaces to add to the allowed IP address space. Example of the format: 192.168.0.0/16, which is the network 192.168.0.0 with netmask 255.255.0.0. A single IP address can be given as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is stored in the format used for NameConstraints, i.e. a GeneralName with 8 octets for IPv4 and 32 octets for IPv6 addresses (address octets followed by netmask octets).
Throws:
IllegalArgumentException - if the argument does not contain addresses in the specified format

setSourceRestrictionPermittedAddresses

public void setSourceRestrictionPermittedAddresses(byte[][] addresses)
                                            throws IllegalArgumentException
Sets the permitted source IP address space of the proxy.

Parameters:
addresses - An array of 8-element byte arrays representing the address spaces. Each inner 8-element array must contain the IP address bytes followed by the netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
Throws:
IllegalArgumentException - when an inner array is not of length 8 or does not represent a valid address and netmask combination.

getSourceRestrictionPermittedAddresses

public String[] getSourceRestrictionPermittedAddresses()
Gets the permitted source IP address space of the proxy.

Returns:
The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setTargetRestrictionExcludedAddresses

public void setTargetRestrictionExcludedAddresses(String[] addresses)
                                           throws IllegalArgumentException
Sets the IP address space excluded by the target restriction.

Parameters:
addresses - The address spaces to add to the restriction. Example of the format: 192.168.0.0/16, which is the network 192.168.0.0 with netmask 255.255.0.0. A single IP address can be given as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is stored in the format used for NameConstraints, i.e. a GeneralName with 8 octets for IPv4 and 32 octets for IPv6 addresses (address octets followed by netmask octets).
Throws:
IllegalArgumentException - if the argument does not contain addresses in the specified format

setTargetRestrictionExcludedAddresses

public void setTargetRestrictionExcludedAddresses(byte[][] addresses)
                                           throws IllegalArgumentException
Sets the IP address space excluded by the target restriction.

Parameters:
addresses - An array of 8-element byte arrays representing the address spaces. Each inner 8-element array must contain the IP address bytes followed by the netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
Throws:
IllegalArgumentException - when an inner array is not of length 8 or does not represent a valid address and netmask combination.

getTargetRestrictionExcludedAddresses

public String[] getTargetRestrictionExcludedAddresses()
Gets the IP address space excluded by the target restriction.

Returns:
The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setSourceRestrictionExcludedAddresses

public void setSourceRestrictionExcludedAddresses(String[] addresses)
                                           throws IllegalArgumentException
Sets the IP address space excluded by the source restriction.

Parameters:
addresses - The address spaces to add to the restriction. Example of the format: 192.168.0.0/16, which is the network 192.168.0.0 with netmask 255.255.0.0. A single IP address can be given as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is stored in the format used for NameConstraints, i.e. a GeneralName with 8 octets for IPv4 and 32 octets for IPv6 addresses (address octets followed by netmask octets).
Throws:
IllegalArgumentException - if the argument does not contain addresses in the specified format

setSourceRestrictionExcludedAddresses

public void setSourceRestrictionExcludedAddresses(byte[][] addresses)
                                           throws IllegalArgumentException
Sets the IP address space excluded by the source restriction.

Parameters:
addresses - An array of 8-element byte arrays representing the address spaces. Each inner 8-element array must contain the IP address bytes followed by the netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
Throws:
IllegalArgumentException - when an inner array is not of length 8 or does not represent a valid address and netmask combination.

getSourceRestrictionExcludedAddresses

public String[] getSourceRestrictionExcludedAddresses()
Gets the IP address space excluded by the source restriction.

Returns:
The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setProxyTracingIssuer

public void setProxyTracingIssuer(String url)
Sets the issuer URL for the proxy tracing.

Parameters:
url - the issuer URL

getProxyTracingIssuer

public String getProxyTracingIssuer()
Returns:
the issuer URL for the proxy tracing

setProxyTracingSubject

public void setProxyTracingSubject(String url)
Sets the subject URL for the proxy tracing.

Parameters:
url - the subject URL

getProxyTracingSubject

public String getProxyTracingSubject()
Returns:
the subject URL for the proxy tracing

getSAMLAssertion

public String getSAMLAssertion()
Gets SAML assertions in a string format.

Returns:
SAML assertions

setSAMLAssertion

public void setSAMLAssertion(String saml)
Sets SAML assertions in a string format.

Parameters:
saml - assertions to be used

setAttributeCertificates

public void setAttributeCertificates(AttributeCertificate[] ac)
Sets Attribute certificates, which will be added as the VOMS extensions to the generated proxy.

Parameters:
ac - to be set

getAttributeCertificates

public AttributeCertificate[] getAttributeCertificates()
Returns:
Attribute certificates, or null if none were set


Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.