public class X509ProxyCertPathValidator
extends java.security.cert.CertPathValidatorSpi
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
BASIC_CONSTRAINT_OID |
protected java.security.cert.CertStore |
certStore |
private java.security.cert.X509Certificate |
identityCert |
static java.lang.String |
KEY_USAGE_OID |
protected java.security.KeyStore |
keyStore |
private boolean |
limited |
private java.util.Map<java.lang.String,ProxyPolicyHandler> |
policyHandlers |
protected SigningPolicyStore |
policyStore |
private boolean |
rejectLimitedProxy |
Constructor and Description |
---|
X509ProxyCertPathValidator() |
Modifier and Type | Method and Description |
---|---|
private void |
checkCertificate(java.security.cert.X509Certificate cert,
GSIConstants.CertificateType certType) |
private void |
checkExtension(org.bouncycastle.asn1.ASN1ObjectIdentifier oid,
org.bouncycastle.asn1.x509.X509Extension proxyExtension,
org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage) |
protected void |
checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer) |
private void |
checkProxyConstraints(java.security.cert.CertPath certPath,
java.security.cert.X509Certificate cert,
org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert,
GSIConstants.CertificateType certType,
org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
int i) |
protected void |
checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
org.bouncycastle.asn1.x509.TBSCertificateStructure issuer,
java.security.cert.X509Certificate checkedProxy) |
protected void |
checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy,
java.security.cert.CertPath certPath,
int index) |
void |
clear()
Dispose of the current validation state.
|
java.security.cert.CertPathValidatorResult |
engineValidate(java.security.cert.CertPath certPath,
java.security.cert.CertPathParameters params)
Validates the specified certification path using the specified algorithm parameter set.
|
protected java.util.List<CertificateChecker> |
getCertificateCheckers() |
private GSIConstants.CertificateType |
getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert) |
java.security.cert.X509Certificate |
getIdentityCertificate() |
private org.bouncycastle.asn1.x509.TBSCertificateStructure |
getTBSCertificateStructure(java.security.cert.X509Certificate issuerCert) |
boolean |
isLimited() |
boolean |
isRejectLimitedProxy() |
protected void |
parseParameters(java.security.cert.CertPathParameters params) |
void |
setIdentityCert(java.security.cert.X509Certificate identityCert) |
void |
setLimited(boolean limited) |
protected java.security.cert.CertPathValidatorResult |
validate(java.security.cert.CertPath certPath)
Validates the certificate path. For each certificate in the chain it calls checkCertificate() and, in addition: a) validates that the issuer type of each certificate is correct, b) checks CA path constraints, and c) checks proxy path constraints.
|
private void |
validateCACert(java.security.cert.X509Certificate cert,
java.security.cert.X509Certificate issuerCert,
org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
int proxyDepth,
int i,
boolean certIsProxy) |
private int |
validateCert(java.security.cert.X509Certificate cert,
GSIConstants.CertificateType certType,
java.security.cert.X509Certificate issuerCert,
org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
GSIConstants.CertificateType issuerCertType,
int proxyDepth,
int i,
boolean certIsProxy) |
private void |
validateEECCert(java.security.cert.X509Certificate cert,
GSIConstants.CertificateType certType,
java.security.cert.X509Certificate issuerCert) |
private int |
validateGsi2ProxyCert(java.security.cert.X509Certificate cert,
GSIConstants.CertificateType certType,
java.security.cert.X509Certificate issuerCert,
int proxyDepth) |
private int |
validateGsiProxyCert(java.security.cert.X509Certificate cert,
GSIConstants.CertificateType certType,
java.security.cert.X509Certificate issuerCert,
org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert,
GSIConstants.CertificateType issuerCertType,
int proxyDepth) |
public static final java.lang.String BASIC_CONSTRAINT_OID
public static final java.lang.String KEY_USAGE_OID
protected java.security.KeyStore keyStore
protected java.security.cert.CertStore certStore
protected SigningPolicyStore policyStore
private java.security.cert.X509Certificate identityCert
private boolean limited
private boolean rejectLimitedProxy
private java.util.Map<java.lang.String,ProxyPolicyHandler> policyHandlers
public java.security.cert.CertPathValidatorResult engineValidate(java.security.cert.CertPath certPath, java.security.cert.CertPathParameters params) throws java.security.cert.CertPathValidatorException, java.security.InvalidAlgorithmParameterException
The CertPath specified must be of a type that is supported by the validation algorithm, otherwise an InvalidAlgorithmParameterException will be thrown. For example, a CertPathValidator that implements the PKIX algorithm validates CertPath objects of type X.509.
engineValidate
in class java.security.cert.CertPathValidatorSpi
certPath
- the CertPath to be validated
params
- the algorithm parameters
java.security.cert.CertPathValidatorException
- if the CertPath does not validate
java.security.InvalidAlgorithmParameterException
- if the specified parameters or the type of the specified CertPath are inappropriate for this CertPathValidator
public void clear()
protected void parseParameters(java.security.cert.CertPathParameters params) throws java.security.InvalidAlgorithmParameterException
java.security.InvalidAlgorithmParameterException
protected java.security.cert.CertPathValidatorResult validate(java.security.cert.CertPath certPath) throws java.security.cert.CertPathValidatorException
If the certificate is a proxy, checks the following: a) proxy constraints, b) restricted proxy; otherwise, checks the following: a) key usage.
certPath
- The CertPath to validate.
java.security.cert.CertPathValidatorException
- If the CertPath is invalid.
private GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
private org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(java.security.cert.X509Certificate issuerCert) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
private int validateCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth, int i, boolean certIsProxy) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
private void checkProxyConstraints(java.security.cert.CertPath certPath, java.security.cert.X509Certificate cert, org.bouncycastle.asn1.x509.TBSCertificateStructure tbsCert, GSIConstants.CertificateType certType, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int i) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
private void validateEECCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
private int validateGsi2ProxyCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, int proxyDepth) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
private int validateGsiProxyCert(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, GSIConstants.CertificateType issuerCertType, int proxyDepth) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
private void validateCACert(java.security.cert.X509Certificate cert, java.security.cert.X509Certificate issuerCert, org.bouncycastle.asn1.x509.TBSCertificateStructure issuerTbsCert, int proxyDepth, int i, boolean certIsProxy) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
protected void checkRestrictedProxy(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, java.security.cert.CertPath certPath, int index) throws java.security.cert.CertPathValidatorException, java.io.IOException
java.security.cert.CertPathValidatorException
java.io.IOException
protected void checkKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure issuer) throws java.security.cert.CertPathValidatorException, java.io.IOException
java.security.cert.CertPathValidatorException
java.io.IOException
protected java.util.List<CertificateChecker> getCertificateCheckers()
private void checkCertificate(java.security.cert.X509Certificate cert, GSIConstants.CertificateType certType) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
protected void checkProxyConstraints(org.bouncycastle.asn1.x509.TBSCertificateStructure proxy, org.bouncycastle.asn1.x509.TBSCertificateStructure issuer, java.security.cert.X509Certificate checkedProxy) throws java.security.cert.CertPathValidatorException, java.io.IOException
java.security.cert.CertPathValidatorException
java.io.IOException
private void checkExtension(org.bouncycastle.asn1.ASN1ObjectIdentifier oid, org.bouncycastle.asn1.x509.X509Extension proxyExtension, org.bouncycastle.asn1.x509.X509Extension proxyKeyUsage) throws java.security.cert.CertPathValidatorException
java.security.cert.CertPathValidatorException
public java.security.cert.X509Certificate getIdentityCertificate()
public void setLimited(boolean limited)
public boolean isLimited()
public void setIdentityCert(java.security.cert.X509Certificate identityCert)
public boolean isRejectLimitedProxy()