Package eu.emi.security.authn.x509.proxy

Class BaseProxyCertificateOptions

java.lang.Object
eu.emi.security.authn.x509.proxy.BaseProxyCertificateOptions
Direct Known Subclasses:
ProxyCertificateOptions, ProxyRequestOptions
public abstract class BaseProxyCertificateOptions extends Object
Generic proxy creation parameters useful for all scenarios. All objects passed to this class are copied. All objects returned by methods of this class are also copies of the object state. Therefore it is only possible to modify state of this class using its methods. This class is not thread safe.
Author:
J. Hahkala, K. Benedyczak

  • Field Details

    • DEFAULT_KEY_USAGE

      public static final int DEFAULT_KEY_USAGE
      Key usage value which is used when
      See Also:

    • DEFAULT_LIFETIME

      public static final int DEFAULT_LIFETIME
      See Also:

    • UNLIMITED_PROXY_LENGTH

      public static final int UNLIMITED_PROXY_LENGTH
      See Also:

  • Constructor Details

    • BaseProxyCertificateOptions

      protected BaseProxyCertificateOptions(X509Certificate[] parentCertChain)
      Create a new proxy cert based on the parent cert chain. The default type of the proy generation params will be set to the type of the parent chain if it is an consistent proxy chain. If it is mixed proxy chain, or EEC certificate chain then by default RFC proxy type is set.
      Parameters:
      parentCertChain - chain of the issuer

  • Method Details

    • getParentCertChain

      public X509Certificate[] getParentCertChain()
      Returns the certificate parent chain of the proxy. If only user certificate was provided then it is returned in a one element array.
      Returns:
      the parent certificate chain

    • setValidityBounds

      public void setValidityBounds(Date notBefore, Date notAfter)
      Sets the desired time bounds for the proxy. Note that both arguments are cut to the seconds precision (this is what goes into certificate).
      Parameters:
      notBefore - proxy won't be valid before this date
      notAfter - proxy won't be valid after this date
      Since:
      1.1.0

    • setLifetime

      public void setLifetime(int lifetime)
      Set the proxy lifetime in seconds. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.
      Parameters:
      lifetime - in seconds
      See Also:

    • setLifetime

      public void setLifetime(long lifetime, TimeUnit unit)
      Set the proxy lifetime using desired unit. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.
      Parameters:
      lifetime - in unit specified by the 2nd parameter
      unit - the unit of the timeout specified by the first value
      Throws:
      IllegalArgumentException - if the requested lifetime is larger then Integer.MAX_VALUE seconds.
      Since:
      1.1.0
      See Also:

    • getLifetime

      public int getLifetime()
      Returns:
      proxy lifetime in seconds

    • getNotBefore

      public Date getNotBefore()
      Returns:
      start of proxy validity

    • getProxyKeyUsageMask

      public int getProxyKeyUsageMask()
      Returns:
      bit mask of KeyUsage flags which was set for the options object or -1 if nothing was set.

    • setProxyKeyUsageMask

      public void setProxyKeyUsageMask(int proxyKeyUsageMask) throws IllegalArgumentException
      Sets the mask of the KeyUsage for the resulting proxy certificate. Note that the this is a mask, i.e. the flags from this mask are ANDed with the effective KeyUsage of the parent chain.

      If this method is not called at all (or called with a negative argument), then the default behavior is applied, and the proxy gets a copy of the effective KeyUsage of the parent chain. If no certificate in the parent chain has KeyUsage set, then the DEFAULT_KEY_USAGE is applied.

      Parameters:
      proxyKeyUsageMask - The mask to set. Use constants from the KeyUsage class. The mask must always have the KeyUsage.digitalSignature bit set.
      Throws:
      IllegalArgumentException - if the argument has no KeyUsage.digitalSignature bit set

    • setType

      public void setType(ProxyType type) throws IllegalArgumentException
      Used to set the type of the proxy. Useful only in case the parent certificate is user certificate, otherwise the generator will generate same type of proxy as the parent is. And trying to set different type here than in the parent will result in IllegalArgumentException. If the parent certificate is user certificate and this method is not used, RFC3820 type will be assumed.
      Parameters:
      type - to be set
      Throws:
      IllegalArgumentException

    • getType

      public ProxyType getType()
      Returns:
      the current proxy type

    • setLimited

      public void setLimited(boolean limited)
      Defines whether the resulting proxy will be a limited proxy. Job submission with a limited proxy is not possible.

      For legacy proxy this is the only way to control the proxy's application area. RFC and draft proxies allows for a more rich and extensible semantics using setPolicy(ProxyPolicy).

      Since version 1.2.0, in case of RFC proxies, usage of this method with argument 'true' is equivalent to calling setPolicy(new ProxyPolicy(ProxyPolicy.LIMITED_PROXY_OID)) and with argument false to setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID)). Note that subsequent calls to setPolicy will overwrite the setLimited setting. Therefore the following code: 

       param.setLimited(true);
 param.setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID));
      configures the engine to create limited legacy proxies or unlimited rfc proxies. As this behavior is rather not intended it is strongly advised NOT to mix setLimited and setPolicy calls in any case.
      Parameters:
      limited - true if proxy shall be limited

    • isLimited

      public boolean isLimited()
      Checks if the proxy shall be limited.
      Returns:
      true if limited proxy shall be created

    • setSerialNumber

      public void setSerialNumber(BigInteger sn)
      Sets the proxy serial number. Only applicable for rfc proxies.
      Parameters:
      sn - serial number to be set

    • getSerialNumber

      public BigInteger getSerialNumber()
      Gets the proxy serial number.
      Returns:
      the serial number previously set

    • setProxyPathLimit

      public void setProxyPathLimit(int pathLen)
      Sets the proxy path length limit of this certificate. Only works on rfc3820 and RFC draft proxies. Note: this method previously was documented as accepting negative values to mark unlimited proxy length. The implementation was buggy (see #81). The old approach with negative value works now, but usage of the constant is preferred in a new code.
      Parameters:
      pathLen - path limit, use UNLIMITED_PROXY_LENGTH if proxy shall be unlimited.

    • getProxyPathLimit

      public int getProxyPathLimit()
      Gets the proxy path length limit of this certificate.
      Returns:
      limit or UNLIMITED_PROXY_LENGTH if proxy shall be unlimited

    • addExtension

      public void addExtension(CertificateExtension extension)
      Add an extension to the proxy certificate to be generated.
      Parameters:
      extension - the extension to be set

    • getExtensions

      public List<CertificateExtension> getExtensions()
      Returns:
      Returns a list of extensions including only those which were set via addExtension(CertificateExtension)

    • setPolicy

      public void setPolicy(ProxyPolicy policy)
      Set the RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy can be null in case the OID in it self defines the behavior, like with "inherit all" policy or "independent" policy.

      Note: this setting is ignored for legacy proxies.

      Parameters:
      policy - to be set

    • getPolicy

      public ProxyPolicy getPolicy()
      Returns:
      Get the RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy can be null in case the OID in it self defines the behavior, like with "inherit all" policy or "independent" policy.

    • setTargetRestrictionPermittedAddresses

      public void setTargetRestrictionPermittedAddresses(String[] addresses) throws IllegalArgumentException
      Sets a new permitted target IP addressSpace to the Proxy.
      Parameters:
      addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals to a network 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
      See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
      Throws:
      IllegalArgumentException - if the argument does not contain addresses in the specified format

    • setTargetRestrictionPermittedAddresses

      public void setTargetRestrictionPermittedAddresses(byte[][] addresses) throws IllegalArgumentException
      Sets a permitted target IP address space to the Proxy.
      Parameters:
      addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
      Throws:
      IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

    • getTargetRestrictionPermittedAddresses

      public String[] getTargetRestrictionPermittedAddresses()
      Returns a permitted target IP address space of the Proxy.
      Returns:
      The array of addresses in the CIDR format (address/netmaskBits) or null if not set

    • setSourceRestrictionPermittedAddresses

      public void setSourceRestrictionPermittedAddresses(String[] addresses) throws IllegalArgumentException
      Sets a new permitted source IP addressSpace to the Proxy
      Parameters:
      addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
      See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
      Throws:
      IllegalArgumentException - if the argument does not contain addresses in the specified format

    • setSourceRestrictionPermittedAddresses

      public void setSourceRestrictionPermittedAddresses(byte[][] addresses) throws IllegalArgumentException
      Sets a permitted source IP addressSpace to the Proxy.
      Parameters:
      addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
      Throws:
      IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

    • getSourceRestrictionPermittedAddresses

      public String[] getSourceRestrictionPermittedAddresses()
      Gets the permitted source IP addressSpace of the Proxy.
      Returns:
      The array of addresses in the CIDR format (address/netmaskBits) or null if not set

    • setTargetRestrictionExcludedAddresses

      public void setTargetRestrictionExcludedAddresses(String[] addresses) throws IllegalArgumentException
      Sets an excluded target IP addressSpace to the data structure.
      Parameters:
      addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
      See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
      Throws:
      IllegalArgumentException - if the argument does not contain addresses in the specified format

    • setTargetRestrictionExcludedAddresses

      public void setTargetRestrictionExcludedAddresses(byte[][] addresses) throws IllegalArgumentException
      Sets an excluded target IP addressSpace to the data structure.
      Parameters:
      addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
      Throws:
      IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

    • getTargetRestrictionExcludedAddresses

      public String[] getTargetRestrictionExcludedAddresses()
      Gets an excluded target IP addressSpace from the data structure.
      Returns:
      The array of addresses in the CIDR format (address/netmaskBits) or null if not set

    • setSourceRestrictionExcludedAddresses

      public void setSourceRestrictionExcludedAddresses(String[] addresses) throws IllegalArgumentException
      Sets an excluded from source restriction IP addressSpace to the data structure.
      Parameters:
      addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
      See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
      Throws:
      IllegalArgumentException - if the argument does not contain addresses in the specified format

    • setSourceRestrictionExcludedAddresses

      public void setSourceRestrictionExcludedAddresses(byte[][] addresses) throws IllegalArgumentException
      Sets an excluded from source restriction IP addressSpace to the data structure.
      Parameters:
      addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
      Throws:
      IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

    • getSourceRestrictionExcludedAddresses

      public String[] getSourceRestrictionExcludedAddresses()
      Gets an excluded from source restriction IP addressSpace from the data structure.
      Returns:
      The array of addresses in the CIDR format (address/netmaskBits) or null if not set

    • setProxyTracingIssuer

      public void setProxyTracingIssuer(String url)
      Sets the issuer URL for the proxy tracing.
      Parameters:
      url - the issuer URL

    • getProxyTracingIssuer

      public String getProxyTracingIssuer()
      Returns:
      Gets the issuer URL for the proxy tracing.

    • setProxyTracingSubject

      public void setProxyTracingSubject(String url)
      Sets the subject URL for the proxy tracing.
      Parameters:
      url - the subject URL

    • getProxyTracingSubject

      public String getProxyTracingSubject()
      Returns:
      Gets the subject URL for the proxy tracing.

    • getSAMLAssertion

      public String getSAMLAssertion()
      Gets SAML assertions in a string format.
      Returns:
      SAML assertions

    • setSAMLAssertion

      public void setSAMLAssertion(String saml)
      Sets SAML assertions in a string format.
      Parameters:
      saml - assertions to be used

    • setAttributeCertificates

      public void setAttributeCertificates(org.bouncycastle.asn1.x509.AttributeCertificate[] ac) throws IOException
      Sets Attribute certificates, which will be added as the VOMS extensions to the generated proxy.
      Parameters:
      ac - to be set
      Throws:
      IOException - IO exception

    • getAttributeCertificates

      public org.bouncycastle.asn1.x509.AttributeCertificate[] getAttributeCertificates() throws IOException
      Returns:
      Attribute certificates or null if was not set
      Throws:
      IOException - IO exception