Package eu.emi.security.authn.x509.proxy

Class ProxyChainInfo

java.lang.Object
eu.emi.security.authn.x509.proxy.ProxyChainInfo
public class ProxyChainInfo extends Object
A class to get an information from a proxy certificate chain.
Author:
J. Hahkala, K. Benedyczak

  • Constructor Details

    • ProxyChainInfo

      public ProxyChainInfo(X509Certificate[] chain) throws CertificateException
      Generates new instance of this class using the certificate chain as the source of the data.
      Parameters:
      chain - chain with at least one proxy certificate
      Throws:
      CertificateException - if there is no proxy certificate in the chain or if the chain is inconsistent, i.e. after proxy there is a non-proxy certificate.

  • Method Details

    • getSerialNumbers

      public BigInteger[] getSerialNumbers()
      Returns:
      array with serial numbers of the certificates in the chain

    • getProxyType

      public ProxyChainType getProxyType() throws CertificateException
      The type of the proxy chain chain is returned. If chain contains different types then MIXED type is returned.
      Returns:
      the type of the chain
      Throws:
      CertificateException - certificate exception

    • getFirstProxyPosition

      public int getFirstProxyPosition()
      Returns:
      the index of the first proxy in the chain (issued by the EEC).

    • isLimited

      public boolean isLimited() throws CertificateException, IOException
      Used to check whether the proxy chain is limited or not. The method returns 'true' if and only if there is at least one limited proxy in the chain.
      Returns:
      true if the chain is limited, i.e. owner of the certificate may not submit jobs
      Throws:
      CertificateException - certificate exception
      IOException - IO exception

    • getPolicy

      public ProxyPolicy[] getPolicy() throws IOException
      Gets the array of RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy octets can be null in case the OID in itself defines the behavior, like with "inherit all" policy or "independent" policy. The array contains entries from all certificates in chain.
      Returns:
      array with policy information
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • getProxyTracingIssuers

      public String[] getProxyTracingIssuers() throws IOException
      Returns an array of URLs of the proxy tracing issuers in the chain. Non-traced proxies will have null in the array.
      Returns:
      The proxy tracing issuer URLs in String format, or null in the array if an extension was not found or it was empty.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • getProxyTracingSubjects

      public String[] getProxyTracingSubjects() throws IOException
      Returns an array of URLs of the proxy tracing subjects in the chain. Non-traced proxies will have null in the array.
      Returns:
      The proxy tracing subject URLs in String format, or null in the array if an extension was not found or it was empty.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • getSAMLExtensions

      public String[] getSAMLExtensions() throws IOException
      Returns the SAML extensions from the certificate chain.
      Returns:
      The SAML assertions in String format. A null in the array means that no SAML extensions were found at the given position.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • getAttributeCertificateExtensions

      public org.bouncycastle.asn1.x509.AttributeCertificate[][] getAttributeCertificateExtensions() throws IOException
      Returns the Attribute Certificate extensions from the certificate chain.
      Returns:
      The Attribute Certificates array. The first index corresponds to the first certificate in the chain. A null in the array means that no AC extension was found at the given position.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • getRemainingPathLimit

      public int getRemainingPathLimit() throws IOException
      Returns the remaining path length of this chain. Will search for both the RFC 3820 and the draft proxy path limit extensions. Legacy proxies are treated as unlimited.

      Notice: negative value means that the chain is invalid as it has passed the limit of delegations. Integer.MAX_INT is returned if there is no path length limit set on the chain.

      Returns:
      remaining proxy path limit
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • getProxySourceRestrictions

      public byte[][][] getProxySourceRestrictions() throws IOException
      Gets the proxy source restriction data from the chain. The allowed namespaces in different certificates in the chain will be intersected and the excluded namespaces will be summed. The returned array has as the first item the array of allowed namespaces and as the second item the array of excluded namespaces. If extensions exist, but in the end no allowed or excluded namespaces are left, the array is empty.
      Returns:
      array with proxy source restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • getProxyTargetRestrictions

      public byte[][][] getProxyTargetRestrictions() throws IOException
      Gets the proxy target restriction data from the chain. The allowed namespaces in different certificates in the chain will be intersected and the union of the excluded namespaces will be computed. The returned array has as the first item the array of allowed namespaces and as the second item the array of excluded namespaces. If extensions exist, but in the end no allowed or excluded namespaces are left, the array is empty.
      Returns:
      array with proxy target restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • isHostAllowedAsSource

      public boolean isHostAllowedAsSource(byte[] ipAddress) throws IOException
      Checks if the given IP address is allowed as this proxy chain source.
      Parameters:
      ipAddress - host IPv4 address in 4 elements array
      Returns:
      true if and only if the ipAddress is OK w.r.t. this proxy chain's source restrictions.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • isHostAllowedAsTarget

      public boolean isHostAllowedAsTarget(byte[] ipAddress) throws IOException
      Checks if the given IP address is allowed as this proxy chain target.
      Parameters:
      ipAddress - host IPv4 address in 4 elements array
      Returns:
      true if and only if the ipAddress is OK w.r.t. this proxy chain's source restrictions.
      Throws:
      IOException - Thrown in case the parsing of the information failed.

    • concatArrays

      public static byte[][] concatArrays(byte[][] first, byte[][] second)
      Concatenates two arrays of arrays bytes.
      Parameters:
      first - The array of arrays to begin with.
      second - The array of arrays to end with.
      Returns:
      the array of arrays that contains the arrays from both argument arrays.