Package eu.emi.security.authn.x509.helpers.pkipath

Class BCCertPathValidator

  • public class BCCertPathValidator
extends java.lang.Object
    Low-level certificate validator based on the BC PKIXCertPathReviewer with additional support for proxy certificates.
    Author:
    K. Benedyczak

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected void checkLastCNNameRule​(javax.security.auth.x500.X500Principal srcP, javax.security.auth.x500.X500Principal issuerP, java.util.List<ValidationError> errors, int position, java.security.cert.X509Certificate[] proxyChain)  
      protected java.util.List<java.security.cert.X509Certificate> checkNonProxyChain​(java.security.cert.X509Certificate[] baseChain, ExtPKIXParameters2 params, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions, int posDelta, java.security.cert.X509Certificate[] cc)
      Performs checking of the chain which has no proxies (or at least should not have proxies), using FixedBCPKIXCertPathReviewer.
      protected void checkPairWithProxy​(java.security.cert.X509Certificate issuerCert, java.security.cert.X509Certificate proxyCert, java.util.List<ValidationError> errors, int position, java.security.cert.X509Certificate[] proxyChain, java.util.Date validationTime)
      Checks if the certificate passed as the 2nd argument is a correct proxy certificate including checks w.r.t.
      protected void checkProxyChainMain​(java.security.cert.X509Certificate[] proxyChain, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions, java.util.Date validDate)
      Performs a validation loop of the proxy chain checking each pair in chain for the rules not otherwise verified by the base check.
      protected void checkProxyChainWithBC​(java.security.cert.X509Certificate[] proxyChain, java.util.Set<java.security.cert.TrustAnchor> trustAnchor, java.util.List<ValidationError> errors, java.util.Set<java.lang.String> unresolvedExtensions)
      Checks chain with proxies, starting with the EEC using X.509 path validation.
      protected void checkProxyTime​(java.security.cert.X509Certificate proxyCert, java.util.Date validationTime, java.security.cert.X509Certificate[] proxyChain, java.util.List<ValidationError> errors, int position)  
      protected java.util.List<ValidationError> convertErrors​(java.util.List<?>[] bcErrorsA, boolean ignoreProxyErrors, int positionDelta, java.security.cert.X509Certificate[] cc)  
      protected ExtPKIXParameters2 createPKIXParameters​(java.security.cert.X509Certificate[] toCheck, boolean proxySupport, java.util.Set<java.security.cert.TrustAnchor> trustAnchors, java.security.cert.CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler)  
      protected int getFirstProxy​(java.security.cert.X509Certificate[] toCheck)  
      protected java.util.Set<java.lang.String> getUnresolvedExtensionons​(java.util.List<?>[] bcErrorsA)  
      ValidationResult validate​(java.security.cert.X509Certificate[] toCheck, boolean proxySupport, java.util.Set<java.security.cert.TrustAnchor> trustAnchors, java.security.cert.CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler)
      Performs validation.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • PROXY_VALIDATION_GRACE_PERIOD

        public static final long PROXY_VALIDATION_GRACE_PERIOD
        See Also:
        Constant Field Values

    • Constructor Detail

      • BCCertPathValidator

        public BCCertPathValidator()

    • Method Detail

      • validate

        public ValidationResult validate​(java.security.cert.X509Certificate[] toCheck,
                                 boolean proxySupport,
                                 java.util.Set<java.security.cert.TrustAnchor> trustAnchors,
                                 java.security.cert.CertStore crlStore,
                                 RevocationParameters revocationParams,
                                 ObserversHandler observersHandler)
                          throws java.security.cert.CertificateException
        Performs validation. Expects correctly set up parameters.

        If the proxy support is turned off or the chain has no proxy certificate then normal X.509 path validation is performed (see below).

        If the proxy support is turned on and the chain has at least one proxy then the following checks are performed:

        • The chain is split into two chains A and B, where B ends with the first element of A and it is the first not proxy certificate in the original chain (i.e. the EEC which is the split point).
        • The chain A is validated using normal X.509 path validation.
        • The chain B is also validated with the X.509 path validation but PROXY extension OIDs are recognized, the only trust anchor is the EEC, the CRLs are ignored, the CA constraint is not required on any issuing certificate and the certificate sign bit is also not required.
        • The chain B is iterated over and on each pair additional checks from the RFC 3820 are verified, along with the proxy path limit.

        The normal path validation is performed as follows:

        • First all basically correct (i.e. fulfilling name chaining rules) certificate paths are tried to be constructed from the input chain. This step produces from zero to many paths (in 99%: 0 or 1). Those paths can differ from the input e.g. by having self-signed intermediary CA certificate removed.
        • If there were no path constructed, the input chain is used as-is, as the only possible path. At this step we already know it is invalid, but we anyway continue to establish complete and detailed list of errors.
        • All constructed paths are validated using PKIX rules, and errors found are recorded. If at least one path validates successfully the algorithm ends.
        • If all paths were invalid, the one with the least number of errors is selected and those errors are reported as the validation result.
        Parameters:
        toCheck - chain to check
        proxySupport - proxy support
        trustAnchors - trust anchors
        crlStore - crl store
        revocationParams - revocation params
        observersHandler - observers handler
        Returns:
        validation result
        Throws:
        java.security.cert.CertificateException - if some of the certificates in the chain can not be parsed

      • createPKIXParameters

        protected ExtPKIXParameters2 createPKIXParameters​(java.security.cert.X509Certificate[] toCheck,
                                                  boolean proxySupport,
                                                  java.util.Set<java.security.cert.TrustAnchor> trustAnchors,
                                                  java.security.cert.CertStore crlStore,
                                                  RevocationParameters revocationParams,
                                                  ObserversHandler observersHandler)

      • getFirstProxy

        protected int getFirstProxy​(java.security.cert.X509Certificate[] toCheck)

      • checkNonProxyChain

        protected java.util.List<java.security.cert.X509Certificate> checkNonProxyChain​(java.security.cert.X509Certificate[] baseChain,
                                                                                ExtPKIXParameters2 params,
                                                                                java.util.List<ValidationError> errors,
                                                                                java.util.Set<java.lang.String> unresolvedExtensions,
                                                                                int posDelta,
                                                                                java.security.cert.X509Certificate[] cc)
                                                                         throws java.security.cert.CertificateException
        Performs checking of the chain which has no proxies (or at least should not have proxies), using FixedBCPKIXCertPathReviewer. In future, when BC implementation is fixed it should use PKIXCertPathReviewer instead.
        Parameters:
        baseChain - base chain
        params - parameters
        errors - errors
        unresolvedExtensions - unresolved extensions
        posDelta - position delta
        cc - certificate chain
        Returns:
        validated chain or null
        Throws:
        java.security.cert.CertificateException - certificate exception

      • checkProxyChainWithBC

        protected void checkProxyChainWithBC​(java.security.cert.X509Certificate[] proxyChain,
                                     java.util.Set<java.security.cert.TrustAnchor> trustAnchor,
                                     java.util.List<ValidationError> errors,
                                     java.util.Set<java.lang.String> unresolvedExtensions)
                              throws java.security.cert.CertificateException
        Checks chain with proxies, starting with the EEC using X.509 path validation. EEC issuer is used as the only trust anchor. CRLs are ignored, proxy extension OIDs are marked as handled. The error resulting from the missing CA extension is ignored as well as validity time errors. The latter are checked manually later on.
        Parameters:
        proxyChain - proxy chain
        trustAnchor - trust anchor
        errors - errors
        unresolvedExtensions - unresolved extensions
        Throws:
        java.security.cert.CertificateException - certificate exception

      • checkProxyChainMain

        protected void checkProxyChainMain​(java.security.cert.X509Certificate[] proxyChain,
                                   java.util.List<ValidationError> errors,
                                   java.util.Set<java.lang.String> unresolvedExtensions,
                                   java.util.Date validDate)
                            throws java.security.cert.CertificateException
        Performs a validation loop of the proxy chain checking each pair in chain for the rules not otherwise verified by the base check. Additionally chain length restriction is verified.
        Parameters:
        proxyChain - proxy chain
        errors - errors
        unresolvedExtensions - unresolved extensions
        validDate - valid date
        Throws:
        java.security.cert.CertificateException - certificate exception

      • checkPairWithProxy

        protected void checkPairWithProxy​(java.security.cert.X509Certificate issuerCert,
                                  java.security.cert.X509Certificate proxyCert,
                                  java.util.List<ValidationError> errors,
                                  int position,
                                  java.security.cert.X509Certificate[] proxyChain,
                                  java.util.Date validationTime)
                           throws java.security.cert.CertPathValidatorException,
                                  java.security.cert.CertificateParsingException
        Checks if the certificate passed as the 2nd argument is a correct proxy certificate including checks w.r.t. chain rules with the certificate passed as the 1st argument being its issuing certificate. The checks are:
        • proxyCert is a real proxy cert of any type
        • issuer may not be a CA (3.1)
        • issuer must have subject set (3.1)
        • proxy must have issuer equal to issuerCert subject (3.1)
        • If the Proxy Issuer certificate has the KeyUsage extension, the Digital Signature bit MUST be asserted. (3.1)
        • no issuer alternative name extension (3.2)
        • proxy subject must be the issuerCert subject with appended one CN component (3.4)
        • no subject alternative name extension (3.5)
        • no cA basic constraint (3.7)
        • time constraints for the proxy are checked here (as we allow for a grace time to work around clock skews)
        • proxy certificate type (RFC, draft RFC or legacy) must be the same for both certificates
        • if the issuerCert is restricted then proxyCert must be restricted too.
        The numbers in brackets refer to the RFC 3820 sections. The last two rules were added in the version 1.1.0 of the library.

        Parameters:
        issuerCert - certificate of the issuer
        proxyCert - certificate to be checked
        errors - out arg - list of errors found
        position - position in original chain to be used in error reporting
        proxyChain - proxy chain
        validationTime - validation time
        Throws:
        java.security.cert.CertPathValidatorException - certificate path validator exception
        java.security.cert.CertificateParsingException - certificate parsing exception

      • checkProxyTime

        protected void checkProxyTime​(java.security.cert.X509Certificate proxyCert,
                              java.util.Date validationTime,
                              java.security.cert.X509Certificate[] proxyChain,
                              java.util.List<ValidationError> errors,
                              int position)

      • checkLastCNNameRule

        protected void checkLastCNNameRule​(javax.security.auth.x500.X500Principal srcP,
                                   javax.security.auth.x500.X500Principal issuerP,
                                   java.util.List<ValidationError> errors,
                                   int position,
                                   java.security.cert.X509Certificate[] proxyChain)
                            throws java.security.cert.CertPathValidatorException
        Throws:
        java.security.cert.CertPathValidatorException

      • convertErrors

        protected java.util.List<ValidationError> convertErrors​(java.util.List<?>[] bcErrorsA,
                                                        boolean ignoreProxyErrors,
                                                        int positionDelta,
                                                        java.security.cert.X509Certificate[] cc)

      • getUnresolvedExtensionons

        protected java.util.Set<java.lang.String> getUnresolvedExtensionons​(java.util.List<?>[] bcErrorsA)