Package eu.emi.security.authn.x509.helpers.proxy

Class ProxyAddressRestrictionData

  • All Implemented Interfaces:
    org.bouncycastle.asn1.ASN1Encodable, org.bouncycastle.util.Encodable
    public class ProxyAddressRestrictionData
extends org.bouncycastle.asn1.ASN1Object
    An utility class for defining the allowed address space, used both to define the source and target restrictions. The format is: 
     iGTFProxyRestrictFrom ::= NameConstraints
 iGTFProxyRestrictTarget ::= NameConstraints
  
 NameConstraints::= SEQUENCE {
            permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
            excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 
 GeneralSubtree ::= SEQUENCE {
            base                    GeneralName,
            minimum         [0]     BaseDistance DEFAULT 0,
            maximum         [1]     BaseDistance OPTIONAL }
 
 BaseDistance ::= INTEGER (0..MAX)
 
 GeneralName ::= CHOICE {
         otherName                       [0]     OtherName,
         rfc822Name                      [1]     IA5String,
         dNSName                         [2]     IA5String,
         x400Address                     [3]     ORAddress,
         directoryName                   [4]     Name,
         ediPartyName                    [5]     EDIPartyName,
         uniformResourceIdentifier       [6]     IA5String,
         iPAddress                       [7]     OCTET STRING,
         registeredID                    [8]     OBJECT IDENTIFIER }
 
 OtherName ::= SEQUENCE {
         type-id    OBJECT IDENTIFIER,
         value      [0] EXPLICIT ANY DEFINED BY type-id }
 
 EDIPartyName ::= SEQUENCE {
         nameAssigner            [0]     DirectoryString OPTIONAL,
         partyName               [1]     DirectoryString }
    And in this class only the IPAddress as a IP address - netmask combination is supported.
    Author:
    joni.hahkala@cern.ch, K. Benedyczak

    • Field Detail

      • SOURCE_RESTRICTION_OID

        public static final java.lang.String SOURCE_RESTRICTION_OID
        See Also:
        Constant Field Values

      • TARGET_RESTRICTION_OID

        public static final java.lang.String TARGET_RESTRICTION_OID
        See Also:
        Constant Field Values

    • Constructor Detail

      • ProxyAddressRestrictionData

        public ProxyAddressRestrictionData​(byte[] bytes)
                            throws java.io.IOException
        Parses the restriction data from byte array.
        Parameters:
        bytes - The byte array to parse.
        Throws:
        java.io.IOException - In case there is a problem parsing the structure.

      • ProxyAddressRestrictionData

        public ProxyAddressRestrictionData()
        Constructor to generate an empty ProxyRestrictionData object for creating new restrictions. Notice that putting an empty proxy restriction into a certificate means that there are no permitted IP spaces, meaning the proxy should be rejected everywhere.

    • Method Detail

      • getInstance

        public static ProxyAddressRestrictionData getInstance​(java.security.cert.X509Certificate certificate,
                                                      boolean source)
                                               throws java.io.IOException
        Creates an instance of the extension of the given type from a certificate.
        Parameters:
        certificate - certificate
        source - whether to create object representing the source restriction (if true) or target (if value is false).
        Returns:
        null if the certificate does not have the required extension, initialized object otherwise.
        Throws:
        java.io.IOException - IO exception

      • addPermittedIPAddressWithNetmask

        public void addPermittedIPAddressWithNetmask​(java.lang.String address)
        Adds a new permitted IP addressSpace to the data structure.
        Parameters:
        address - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. Which equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
        It is also possible to provide IPv6 addresses. See RFC4632.

      • addExcludedIPAddressWithNetmask

        public void addExcludedIPAddressWithNetmask​(java.lang.String address)
        Adds a new excluded IP addressSpace to the data structure.
        Parameters:
        address - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. Which equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
        It is also possible to provide IPv6 addresses. See RFC4632.

      • toASN1Primitive

        public org.bouncycastle.asn1.ASN1Primitive toASN1Primitive()
        Returns the NameConstraints structure of the restrictions.
        Specified by:
        toASN1Primitive in interface org.bouncycastle.asn1.ASN1Encodable
        Specified by:
        toASN1Primitive in class org.bouncycastle.asn1.ASN1Object
        Returns:
        The DERSequence containing the NameConstraints structure.

      • getIPSpaces

        public byte[][][] getIPSpaces()
        Returns a Vector of Vectors of IP address spaces as defined in rfc 4632.
        Returns:
        The array of arrays of string representation of address spaces defined in this structure. The first element in the array lists the permitted IP address spaces and the second the excluded IP spaces. In format ipaddress/netmask bytes. Example {137,138,0,0,255,255,0,0}. Array always contains two items, but they can be of length 0.
        See Also:
        addExcludedIPAddressWithNetmask(String)

      • getPermittedAddresses

        public java.lang.String[] getPermittedAddresses()

      • getExcludedAddresses

        public java.lang.String[] getExcludedAddresses()

      • convert2sr

        public static java.lang.String convert2sr​(byte[] src)

      • convert2strings

        public static java.lang.String[] convert2strings​(byte[][] src)