eu.emi.security.authn.x509.helpers.proxy
Class ProxyAddressRestrictionData

java.lang.Object
  extended by org.bouncycastle.asn1.ASN1Encodable
      extended by eu.emi.security.authn.x509.helpers.proxy.ProxyAddressRestrictionData
All Implemented Interfaces:
DEREncodable

public class ProxyAddressRestrictionData
extends ASN1Encodable

A utility class for defining an allowed address space, used to define both the source and the target restrictions. The format is:

 iGTFProxyRestrictFrom ::= NameConstraints
 iGTFProxyRestrictTarget ::= NameConstraints
  
 NameConstraints::= SEQUENCE {
            permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
            excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 
 GeneralSubtree ::= SEQUENCE {
            base                    GeneralName,
            minimum         [0]     BaseDistance DEFAULT 0,
            maximum         [1]     BaseDistance OPTIONAL }
 
 BaseDistance ::= INTEGER (0..MAX)
 
 GeneralName ::= CHOICE {
         otherName                       [0]     OtherName,
         rfc822Name                      [1]     IA5String,
         dNSName                         [2]     IA5String,
         x400Address                     [3]     ORAddress,
         directoryName                   [4]     Name,
         ediPartyName                    [5]     EDIPartyName,
         uniformResourceIdentifier       [6]     IA5String,
         iPAddress                       [7]     OCTET STRING,
         registeredID                    [8]     OBJECT IDENTIFIER }
 
 OtherName ::= SEQUENCE {
         type-id    OBJECT IDENTIFIER,
         value      [0] EXPLICIT ANY DEFINED BY type-id }
 
 EDIPartyName ::= SEQUENCE {
         nameAssigner            [0]     DirectoryString OPTIONAL,
         partyName               [1]     DirectoryString }
 
Of the GeneralName choices, this class supports only iPAddress, given as an IP address / netmask combination.
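As an added example (not caNL or Bouncy Castle code), the following Python builds and parses the NameConstraints value above with iPAddress subtrees only, the same subset this class supports, using the implicit context tags of the RFC 5280 module (permittedSubtrees [0] encodes as 0xA0, excludedSubtrees [1] as 0xA1, iPAddress [7] as 0x87). Each address space is the network address octets followed by the netmask octets. All helper names are this example's own, and whether its bytes are identical to what toASN1Object() emits is not something this page states.

```python
"""Added example: DER-encode and parse the NameConstraints structure above,
restricted to iPAddress subtrees (address octets followed by netmask octets).
Not caNL or Bouncy Castle code; helper names are this example's own."""
import ipaddress

# Context tags under the IMPLICIT TAGS module of RFC 5280
PERMITTED_TAG = 0xA0   # permittedSubtrees [0], constructed
EXCLUDED_TAG = 0xA1    # excludedSubtrees  [1], constructed
IPADDRESS_TAG = 0x87   # GeneralName iPAddress [7], primitive OCTET STRING
SEQUENCE_TAG = 0x30


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def cidr_to_ip_space(cidr: str) -> bytes:
    """'192.168.0.0/16' -> 8 octets (IPv4) or 32 octets (IPv6): network
    address then netmask. strict=True is an added check that rejects an
    address with host bits set ('192.168.1.5/16' raises ValueError)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.network_address.packed + net.netmask.packed


def general_subtree(ip_space: bytes) -> bytes:
    # GeneralSubtree ::= SEQUENCE { base GeneralName }; minimum keeps its
    # DEFAULT 0 (omitted in DER) and maximum is absent.
    return tlv(SEQUENCE_TAG, tlv(IPADDRESS_TAG, ip_space))


def name_constraints(permitted, excluded) -> bytes:
    """DER NameConstraints for two lists of CIDR strings. Two empty lists give
    the bare SEQUENCE 30 00, i.e. no permitted address space at all."""
    content = b""
    if permitted:
        content += tlv(PERMITTED_TAG, b"".join(general_subtree(cidr_to_ip_space(c)) for c in permitted))
    if excluded:
        content += tlv(EXCLUDED_TAG, b"".join(general_subtree(cidr_to_ip_space(c)) for c in excluded))
    return tlv(SEQUENCE_TAG, content)


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER element at buf[pos]: (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_name_constraints(der: bytes):
    """Inverse of name_constraints(): (permitted, excluded) lists of
    address||netmask octet strings. GeneralName forms other than iPAddress
    are skipped, mirroring the class above, which supports only iPAddress."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("not a single NameConstraints SEQUENCE")
    spaces = {PERMITTED_TAG: [], EXCLUDED_TAG: []}
    pos = 0
    while pos < len(body):
        list_tag, subtrees, pos = read_tlv(body, pos)
        if list_tag not in spaces:
            raise ValueError(f"unexpected tag {list_tag:#x} in NameConstraints")
        p = 0
        while p < len(subtrees):
            sub_tag, subtree, p = read_tlv(subtrees, p)
            if sub_tag != SEQUENCE_TAG:
                raise ValueError("GeneralSubtree must be a SEQUENCE")
            name_tag, value, _ = read_tlv(subtree)
            if name_tag == IPADDRESS_TAG:
                spaces[list_tag].append(value)
    return spaces[PERMITTED_TAG], spaces[EXCLUDED_TAG]


if __name__ == "__main__":
    der = name_constraints(["192.168.0.0/16", "2001:db8::/32"], ["192.168.1.0/24"])
    print(der.hex())
    print(parse_name_constraints(der))
```

For the single permitted space 192.168.0.0/16 the output is `30 0e a0 0c 30 0a 87 08 c0 a8 00 00 ff ff 00 00`: the outer SEQUENCE, the [0] permittedSubtrees list, one GeneralSubtree SEQUENCE, and the 8-octet iPAddress value holding the address followed by the 255.255.0.0 mask.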

Author:
joni.hahkala@cern.ch, K. Benedyczak

Field Summary
static String SOURCE_RESTRICTION_OID
static String TARGET_RESTRICTION_OID
 
Fields inherited from class org.bouncycastle.asn1.ASN1Encodable
BER, DER
 
Constructor Summary
ProxyAddressRestrictionData()
          Constructor to generate an empty ProxyAddressRestrictionData object for creating new restrictions.
ProxyAddressRestrictionData(byte[] bytes)
          Parses the restriction data from a byte array.
 
Method Summary
 void addExcludedIPAddressWithNetmask(String address)
          Adds a new excluded IP address space to the data structure.
 void addPermittedIPAddressWithNetmask(String address)
          Adds a new permitted IP address space to the data structure.
static String convert2sr(byte[] src)
static String[] convert2strings(byte[][] src)
 String[] getExcludedAddresses()
static ProxyAddressRestrictionData getInstance(X509Certificate certificate, boolean source)
          Creates an instance of the extension of the given type from a certificate.
 byte[][][] getIPSpaces()
          Returns the IP address spaces, as defined in RFC 4632, as an array of arrays.
 String[] getPermittedAddresses()
 DERSequence toASN1Object()
          Returns the NameConstraints structure of the restrictions.
 
Methods inherited from class org.bouncycastle.asn1.ASN1Encodable
equals, getDEREncoded, getDERObject, getEncoded, getEncoded, hashCode
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SOURCE_RESTRICTION_OID

public static final String SOURCE_RESTRICTION_OID
See Also:
Constant Field Values

TARGET_RESTRICTION_OID

public static final String TARGET_RESTRICTION_OID
See Also:
Constant Field Values
Constructor Detail

ProxyAddressRestrictionData

public ProxyAddressRestrictionData(byte[] bytes)
                            throws IOException
Parses the restriction data from a byte array.

Parameters:
bytes - The byte array to parse.
Throws:
IOException - In case there is a problem parsing the structure.

ProxyAddressRestrictionData

public ProxyAddressRestrictionData()
Constructor to generate an empty ProxyAddressRestrictionData object for creating new restrictions. Notice that putting an empty proxy restriction into a certificate means that there are no permitted IP spaces, so the proxy should be rejected everywhere.

Method Detail

getInstance

public static ProxyAddressRestrictionData getInstance(X509Certificate certificate,
                                                      boolean source)
                                               throws IOException
Creates an instance of the extension of the given type from a certificate.

Parameters:
certificate - The certificate to read the extension from.
source - whether to create an object representing the source restriction (if true) or the target restriction (if false).
Returns:
null if the certificate does not have the required extension, an initialized object otherwise.
Throws:
IOException - In case there is a problem parsing the extension.

addPermittedIPAddressWithNetmask

public void addPermittedIPAddressWithNetmask(String address)
Adds a new permitted IP address space to the data structure.

Parameters:
address - The address space to add to the permitted IP address space. Example of the format: 192.168.0.0/16, which equals 192.168.0.0 with the netmask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
It is also possible to provide IPv6 addresses. See RFC 4632.

addExcludedIPAddressWithNetmask

public void addExcludedIPAddressWithNetmask(String address)
Adds a new excluded IP address space to the data structure.

Parameters:
address - The address space to add to the excluded IP address space. Example of the format: 192.168.0.0/16, which equals 192.168.0.0 with the netmask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
It is also possible to provide IPv6 addresses. See RFC 4632.

toASN1Object

public DERSequence toASN1Object()
Returns the NameConstraints structure of the restrictions.

Specified by:
toASN1Object in class ASN1Encodable
Returns:
The DERSequence containing the NameConstraints structure.

getIPSpaces

public byte[][][] getIPSpaces()
Returns the IP address spaces, as defined in RFC 4632, as an array of arrays.

Returns:
The array of arrays of address spaces defined in this structure. The first element lists the permitted IP address spaces and the second the excluded IP address spaces. Each address space is encoded as the address bytes followed by the netmask bytes; for example {137,138,0,0,255,255,0,0} is 137.138.0.0 with the netmask 255.255.0.0. The outer array always contains two items, but either can be of length 0.
See Also:
addExcludedIPAddressWithNetmask(String)
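The following added example (Python, not caNL code) interprets address/netmask octet strings in the getIPSpaces() layout described above, converts them back to CIDR strings and decides whether a peer address is covered by the permitted and excluded lists. The function and constant names are this example's own; convert2strings is undocumented on this page, so the string mapping here is an assumption. The page states that an empty permitted list means the proxy is rejected everywhere; the additional rule that an excluded space overrides a permitted one is the usual NameConstraints reading and is an assumption of this example.

```python
"""Added example: interpret the address||netmask octet strings returned by
getIPSpaces() (first list permitted, second excluded) and decide whether a
peer address is covered. Not caNL code. Exclusion overriding permission is
an assumption here; the empty-permitted-list rejection is what the page states."""
import ipaddress

# Constructed samples in the getIPSpaces() layout: address octets then netmask octets.
SAMPLE_PERMITTED = [bytes([137, 138, 0, 0, 255, 255, 0, 0])]      # 137.138.0.0/16
SAMPLE_EXCLUDED = [bytes([137, 138, 1, 0, 255, 255, 255, 0])]     # 137.138.1.0/24


def ip_space_to_cidr(space: bytes) -> str:
    """{137,138,0,0,255,255,0,0} -> '137.138.0.0/16'. Accepts 8 octets (IPv4)
    or 32 octets (IPv6); rejects non-contiguous masks and host bits set."""
    if len(space) not in (8, 32):
        raise ValueError("ip space must be 8 (IPv4) or 32 (IPv6) octets")
    half, n_bits = len(space) // 2, len(space) * 4
    addr = ipaddress.ip_address(space[:half])
    mask = int.from_bytes(space[half:], "big")
    prefix = bin(mask).count("1")
    # a valid netmask is a run of ones followed only by zeros
    if mask != ((1 << n_bits) - 1) ^ ((1 << (n_bits - prefix)) - 1):
        raise ValueError("netmask is not a contiguous run of ones")
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=True))


def to_cidr_strings(spaces) -> list:
    """One CIDR string per ip space (assumed analogue of convert2strings())."""
    return [ip_space_to_cidr(s) for s in spaces]


def is_allowed(peer_ip: str, permitted, excluded) -> bool:
    """True only if some permitted space covers peer_ip and no excluded
    space does. With no permitted spaces nothing is allowed."""
    ip = ipaddress.ip_address(peer_ip)

    def covers(space: bytes) -> bool:
        net = ipaddress.ip_network(ip_space_to_cidr(space))
        return net.version == ip.version and ip in net

    if any(covers(s) for s in excluded):      # exclusion wins (assumption)
        return False
    return any(covers(s) for s in permitted)  # empty permitted list -> False


if __name__ == "__main__":
    print(to_cidr_strings(SAMPLE_PERMITTED), to_cidr_strings(SAMPLE_EXCLUDED))
    for peer in ("137.138.2.7", "137.138.1.7", "10.0.0.1"):
        print(peer, is_allowed(peer, SAMPLE_PERMITTED, SAMPLE_EXCLUDED))
```

The mask check matters when the octets come from an untrusted certificate: a mask such as 255.0.255.0 is not a valid prefix, and silently treating it as one would widen or narrow the space the issuer meant.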

getPermittedAddresses

public String[] getPermittedAddresses()

getExcludedAddresses

public String[] getExcludedAddresses()

convert2sr

public static String convert2sr(byte[] src)

convert2strings

public static String[] convert2strings(byte[][] src)


Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.