Package eu.emi.security.authn.x509.helpers.pkipath

Class BCCertPathValidator

java.lang.Object
eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator
public class BCCertPathValidator extends Object
Low-level certificate validator based on the BC PKIXCertPathReviewer with additional support for proxy certificates.
Author:
K. Benedyczak

  • Field Details

    • PROXY_VALIDATION_GRACE_PERIOD

      public static final long PROXY_VALIDATION_GRACE_PERIOD
      See Also:

  • Constructor Details

    • BCCertPathValidator

      public BCCertPathValidator()

  • Method Details

    • validate

      public ValidationResult validate(X509Certificate[] toCheck, boolean proxySupport, Set<TrustAnchor> trustAnchors, CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler) throws CertificateException
      Performs validation. Expects correctly set up parameters.

      If the proxy support is turned off or the chain has no proxy certificate then normal X.509 path validation is performed (see below).

      If the proxy support is turned on and the chain has at least one proxy then the following checks are performed:

      • The chain is split into two chains A and B, where B ends with the first element of A and it is the first not proxy certificate in the original chain (i.e. the EEC which is the split point).
      • The chain A is validated using normal X.509 path validation.
      • The chain B is also validated with the X.509 path validation but PROXY extension OIDs are recognized, the only trust anchor is the EEC, the CRLs are ignored, the CA constraint is not required on any issuing certificate and the certificate sign bit is also not required.
      • The chain B is iterated over and on each pair additional checks from the RFC 3820 are verified, along with the proxy path limit.

      The normal path validation is performed as follows:

      • First all basically correct (i.e. fulfilling name chaining rules) certificate paths are tried to be constructed from the input chain. This step produces from zero to many paths (in 99%: 0 or 1). Those paths can differ from the input e.g. by having self-signed intermediary CA certificate removed.
      • If there were no path constructed, the input chain is used as-is, as the only possible path. At this step we already know it is invalid, but we anyway continue to establish complete and detailed list of errors.
      • All constructed paths are validated using PKIX rules, and errors found are recorded. If at least one path validates successfully the algorithm ends.
      • If all paths were invalid, the one with the least number of errors is selected and those errors are reported as the validation result.
      Parameters:
      toCheck - chain to check
      proxySupport - proxy support
      trustAnchors - trust anchors
      crlStore - crl store
      revocationParams - revocation params
      observersHandler - observers handler
      Returns:
      validation result
      Throws:
      CertificateException - if some of the certificates in the chain can not be parsed

    • createPKIXParameters

      protected ExtPKIXParameters2 createPKIXParameters(X509Certificate[] toCheck, boolean proxySupport, Set<TrustAnchor> trustAnchors, CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler)

    • getFirstProxy

      protected int getFirstProxy(X509Certificate[] toCheck)

    • checkNonProxyChain

      protected List<X509Certificate> checkNonProxyChain(X509Certificate[] baseChain, ExtPKIXParameters2 params, List<ValidationError> errors, Set<String> unresolvedExtensions, int posDelta, X509Certificate[] cc) throws CertificateException
      Performs checking of the chain which has no proxies (or at least should not have proxies), using FixedBCPKIXCertPathReviewer. In future, when BC implementation is fixed it should use PKIXCertPathReviewer instead.
      Parameters:
      baseChain - base chain
      params - parameters
      errors - errors
      unresolvedExtensions - unresolved extensions
      posDelta - position delta
      cc - certificate chain
      Returns:
      validated chain or null
      Throws:
      CertificateException - certificate exception

    • checkProxyChainWithBC

      protected void checkProxyChainWithBC(X509Certificate[] proxyChain, Set<TrustAnchor> trustAnchor, List<ValidationError> errors, Set<String> unresolvedExtensions) throws CertificateException
      Checks chain with proxies, starting with the EEC using X.509 path validation. EEC issuer is used as the only trust anchor. CRLs are ignored, proxy extension OIDs are marked as handled. The error resulting from the missing CA extension is ignored as well as validity time errors. The latter are checked manually later on.
      Parameters:
      proxyChain - proxy chain
      trustAnchor - trust anchor
      errors - errors
      unresolvedExtensions - unresolved extensions
      Throws:
      CertificateException - certificate exception

    • checkProxyChainMain

      protected void checkProxyChainMain(X509Certificate[] proxyChain, List<ValidationError> errors, Set<String> unresolvedExtensions, Date validDate) throws CertificateException
      Performs a validation loop of the proxy chain checking each pair in chain for the rules not otherwise verified by the base check. Additionally chain length restriction is verified.
      Parameters:
      proxyChain - proxy chain
      errors - errors
      unresolvedExtensions - unresolved extensions
      validDate - valid date
      Throws:
      CertificateException - certificate exception

    • checkPairWithProxy

      protected void checkPairWithProxy(X509Certificate issuerCert, X509Certificate proxyCert, List<ValidationError> errors, int position, X509Certificate[] proxyChain, Date validationTime) throws CertPathValidatorException, CertificateParsingException
      Checks if the certificate passed as the 2nd argument is a correct proxy certificate including checks w.r.t. chain rules with the certificate passed as the 1st argument being its issuing certificate. The checks are:
      • proxyCert is a real proxy cert of any type
      • issuer may not be a CA (3.1)
      • issuer must have subject set (3.1)
      • proxy must have issuer equal to issuerCert subject (3.1)
      • If the Proxy Issuer certificate has the KeyUsage extension, the Digital Signature bit MUST be asserted. (3.1)
      • no issuer alternative name extension (3.2)
      • proxy subject must be the issuerCert subject with appended one CN component (3.4)
      • no subject alternative name extension (3.5)
      • no cA basic constraint (3.7)
      • time constraints for the proxy are checked here (as we allow for a grace time to work around clock skews)
      • proxy certificate type (RFC, draft RFC or legacy) must be the same for both certificates
      • if the issuerCert is restricted then proxyCert must be restricted too.
      The numbers in brackets refer to the RFC 3820 sections. The last two rules were added in the version 1.1.0 of the library.

      Parameters:
      issuerCert - certificate of the issuer
      proxyCert - certificate to be checked
      errors - out arg - list of errors found
      position - position in original chain to be used in error reporting
      proxyChain - proxy chain
      validationTime - validation time
      Throws:
      CertPathValidatorException - certificate path validator exception
      CertificateParsingException - certificate parsing exception

    • checkProxyTime

      protected void checkProxyTime(X509Certificate proxyCert, Date validationTime, X509Certificate[] proxyChain, List<ValidationError> errors, int position)

    • checkLastCNNameRule

      protected void checkLastCNNameRule(X500Principal srcP, X500Principal issuerP, List<ValidationError> errors, int position, X509Certificate[] proxyChain) throws CertPathValidatorException
      Throws:
      CertPathValidatorException

    • convertErrors

      protected List<ValidationError> convertErrors(List<?>[] bcErrorsA, boolean ignoreProxyErrors, int positionDelta, X509Certificate[] cc)

    • getUnresolvedExtensionons

      protected Set<String> getUnresolvedExtensionons(List<?>[] bcErrorsA)