Package eu.emi.security.authn.x509.proxy

Class BaseProxyCertificateOptions

  • Direct Known Subclasses:
    ProxyCertificateOptions, ProxyRequestOptions
    public abstract class BaseProxyCertificateOptions
extends java.lang.Object
    Generic proxy creation parameters useful for all scenarios. All objects passed to this class are copied. All objects returned by methods of this class are also copies of the object state. Therefore it is only possible to modify state of this class using its methods. This class is not thread safe.
    Author:
    J. Hahkala, K. Benedyczak

    • Field Detail

      • DEFAULT_KEY_USAGE

        public static final int DEFAULT_KEY_USAGE
        Key usage value which is used when
        See Also:
        Constant Field Values

    • Constructor Detail

      • BaseProxyCertificateOptions

        protected BaseProxyCertificateOptions​(java.security.cert.X509Certificate[] parentCertChain)
        Create a new proxy cert based on the parent cert chain. The default type of the proy generation params will be set to the type of the parent chain if it is an consistent proxy chain. If it is mixed proxy chain, or EEC certificate chain then by default RFC proxy type is set.
        Parameters:
        parentCertChain - chain of the issuer

    • Method Detail

      • getParentCertChain

        public java.security.cert.X509Certificate[] getParentCertChain()
        Returns the certificate parent chain of the proxy. If only user certificate was provided then it is returned in a one element array.
        Returns:
        the parent certificate chain

      • setValidityBounds

        public void setValidityBounds​(java.util.Date notBefore,
                              java.util.Date notAfter)
        Sets the desired time bounds for the proxy. Note that both arguments are cut to the seconds precision (this is what goes into certificate).
        Parameters:
        notBefore - proxy won't be valid before this date
        notAfter - proxy won't be valid after this date
        Since:
        1.1.0

      • setLifetime

        public void setLifetime​(int lifetime)
        Set the proxy lifetime in seconds. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.
        Parameters:
        lifetime - in seconds
        See Also:
        setValidityBounds(Date, Date)

      • setLifetime

        public void setLifetime​(long lifetime,
                        java.util.concurrent.TimeUnit unit)
        Set the proxy lifetime using desired unit. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.
        Parameters:
        lifetime - in unit specified by the 2nd parameter
        unit - the unit of the timeout specified by the first value
        Throws:
        java.lang.IllegalArgumentException - if the requested lifetime is larger then Integer.MAX_VALUE seconds.
        Since:
        1.1.0
        See Also:
        setValidityBounds(Date, Date)

      • getLifetime

        public int getLifetime()
        Returns:
        proxy lifetime in seconds

      • getNotBefore

        public java.util.Date getNotBefore()
        Returns:
        start of proxy validity

      • getProxyKeyUsageMask

        public int getProxyKeyUsageMask()
        Returns:
        bit mask of KeyUsage flags which was set for the options object or -1 if nothing was set.

      • setProxyKeyUsageMask

        public void setProxyKeyUsageMask​(int proxyKeyUsageMask)
                          throws java.lang.IllegalArgumentException
        Sets the mask of the KeyUsage for the resulting proxy certificate. Note that the this is a mask, i.e. the flags from this mask are ANDed with the effective KeyUsage of the parent chain.

        If this method is not called at all (or called with a negative argument), then the default behavior is applied, and the proxy gets a copy of the effective KeyUsage of the parent chain. If no certificate in the parent chain has KeyUsage set, then the DEFAULT_KEY_USAGE is applied.

        Parameters:
        proxyKeyUsageMask - The mask to set. Use constants from the KeyUsage class. The mask must always have the KeyUsage.digitalSignature bit set.
        Throws:
        java.lang.IllegalArgumentException - if the argument has no KeyUsage.digitalSignature bit set

      • setType

        public void setType​(ProxyType type)
             throws java.lang.IllegalArgumentException
        Used to set the type of the proxy. Useful only in case the parent certificate is user certificate, otherwise the generator will generate same type of proxy as the parent is. And trying to set different type here than in the parent will result in IllegalArgumentException. If the parent certificate is user certificate and this method is not used, RFC3820 type will be assumed.
        Parameters:
        type - to be set
        Throws:
        java.lang.IllegalArgumentException

      • getType

        public ProxyType getType()
        Returns:
        the current proxy type

      • setLimited

        public void setLimited​(boolean limited)
        Defines whether the resulting proxy will be a limited proxy. Job submission with a limited proxy is not possible.

        For legacy proxy this is the only way to control the proxy's application area. RFC and draft proxies allows for a more rich and extensible semantics using setPolicy(ProxyPolicy).

        Since version 1.2.0, in case of RFC proxies, usage of this method with argument 'true' is equivalent to calling setPolicy(new ProxyPolicy(ProxyPolicy.LIMITED_PROXY_OID)) and with argument false to setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID)). Note that subsequent calls to setPolicy will overwrite the setLimited setting. Therefore the following code: 

         param.setLimited(true);
 param.setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID));
        configures the engine to create limited legacy proxies or unlimited rfc proxies. As this behavior is rather not intended it is strongly advised NOT to mix setLimited and setPolicy calls in any case.
        Parameters:
        limited - true if proxy shall be limited

      • isLimited

        public boolean isLimited()
        Checks if the proxy shall be limited.
        Returns:
        true if limited proxy shall be created

      • setSerialNumber

        public void setSerialNumber​(java.math.BigInteger sn)
        Sets the proxy serial number. Only applicable for rfc proxies.
        Parameters:
        sn - serial number to be set

      • getSerialNumber

        public java.math.BigInteger getSerialNumber()
        Gets the proxy serial number.
        Returns:
        the serial number previously set

      • setProxyPathLimit

        public void setProxyPathLimit​(int pathLen)
        Sets the proxy path length limit of this certificate. Only works on rfc3820 and RFC draft proxies. Note: this method previously was documented as accepting negative values to mark unlimited proxy length. The implementation was buggy (see #81). The old approach with negative value works now, but usage of the constant is preferred in a new code.
        Parameters:
        pathLen - path limit, use UNLIMITED_PROXY_LENGTH if proxy shall be unlimited.

      • getProxyPathLimit

        public int getProxyPathLimit()
        Gets the proxy path length limit of this certificate.
        Returns:
        limit or UNLIMITED_PROXY_LENGTH if proxy shall be unlimited

      • addExtension

        public void addExtension​(CertificateExtension extension)
        Add an extension to the proxy certificate to be generated.
        Parameters:
        extension - the extension to be set

      • setPolicy

        public void setPolicy​(ProxyPolicy policy)
        Set the RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy can be null in case the OID in it self defines the behavior, like with "inherit all" policy or "independent" policy.

        Note: this setting is ignored for legacy proxies.

        Parameters:
        policy - to be set

      • getPolicy

        public ProxyPolicy getPolicy()
        Returns:
        Get the RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy can be null in case the OID in it self defines the behavior, like with "inherit all" policy or "independent" policy.

      • setTargetRestrictionPermittedAddresses

        public void setTargetRestrictionPermittedAddresses​(java.lang.String[] addresses)
                                            throws java.lang.IllegalArgumentException
        Sets a new permitted target IP addressSpace to the Proxy.
        Parameters:
        addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals to a network 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
        See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
        Throws:
        java.lang.IllegalArgumentException - if the argument does not contain addresses in the specified format

      • setTargetRestrictionPermittedAddresses

        public void setTargetRestrictionPermittedAddresses​(byte[][] addresses)
                                            throws java.lang.IllegalArgumentException
        Sets a permitted target IP address space to the Proxy.
        Parameters:
        addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
        Throws:
        java.lang.IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

      • getTargetRestrictionPermittedAddresses

        public java.lang.String[] getTargetRestrictionPermittedAddresses()
        Returns a permitted target IP address space of the Proxy.
        Returns:
        The array of addresses in the CIDR format (address/netmaskBits) or null if not set

      • setSourceRestrictionPermittedAddresses

        public void setSourceRestrictionPermittedAddresses​(java.lang.String[] addresses)
                                            throws java.lang.IllegalArgumentException
        Sets a new permitted source IP addressSpace to the Proxy
        Parameters:
        addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
        See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
        Throws:
        java.lang.IllegalArgumentException - if the argument does not contain addresses in the specified format

      • setSourceRestrictionPermittedAddresses

        public void setSourceRestrictionPermittedAddresses​(byte[][] addresses)
                                            throws java.lang.IllegalArgumentException
        Sets a permitted source IP addressSpace to the Proxy.
        Parameters:
        addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
        Throws:
        java.lang.IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

      • getSourceRestrictionPermittedAddresses

        public java.lang.String[] getSourceRestrictionPermittedAddresses()
        Gets the permitted source IP addressSpace of the Proxy.
        Returns:
        The array of addresses in the CIDR format (address/netmaskBits) or null if not set

      • setTargetRestrictionExcludedAddresses

        public void setTargetRestrictionExcludedAddresses​(java.lang.String[] addresses)
                                           throws java.lang.IllegalArgumentException
        Sets an excluded target IP addressSpace to the data structure.
        Parameters:
        addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
        See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
        Throws:
        java.lang.IllegalArgumentException - if the argument does not contain addresses in the specified format

      • setTargetRestrictionExcludedAddresses

        public void setTargetRestrictionExcludedAddresses​(byte[][] addresses)
                                           throws java.lang.IllegalArgumentException
        Sets an excluded target IP addressSpace to the data structure.
        Parameters:
        addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
        Throws:
        java.lang.IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

      • getTargetRestrictionExcludedAddresses

        public java.lang.String[] getTargetRestrictionExcludedAddresses()
        Gets an excluded target IP addressSpace from the data structure.
        Returns:
        The array of addresses in the CIDR format (address/netmaskBits) or null if not set

      • setSourceRestrictionExcludedAddresses

        public void setSourceRestrictionExcludedAddresses​(java.lang.String[] addresses)
                                           throws java.lang.IllegalArgumentException
        Sets an excluded from source restriction IP addressSpace to the data structure.
        Parameters:
        addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
        See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.
        Throws:
        java.lang.IllegalArgumentException - if the argument does not contain addresses in the specified format

      • setSourceRestrictionExcludedAddresses

        public void setSourceRestrictionExcludedAddresses​(byte[][] addresses)
                                           throws java.lang.IllegalArgumentException
        Sets an excluded from source restriction IP addressSpace to the data structure.
        Parameters:
        addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.
        Throws:
        java.lang.IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

      • getSourceRestrictionExcludedAddresses

        public java.lang.String[] getSourceRestrictionExcludedAddresses()
        Gets an excluded from source restriction IP addressSpace from the data structure.
        Returns:
        The array of addresses in the CIDR format (address/netmaskBits) or null if not set

      • setProxyTracingIssuer

        public void setProxyTracingIssuer​(java.lang.String url)
        Sets the issuer URL for the proxy tracing.
        Parameters:
        url - the issuer URL

      • getProxyTracingIssuer

        public java.lang.String getProxyTracingIssuer()
        Returns:
        Gets the issuer URL for the proxy tracing.

      • setProxyTracingSubject

        public void setProxyTracingSubject​(java.lang.String url)
        Sets the subject URL for the proxy tracing.
        Parameters:
        url - the subject URL

      • getProxyTracingSubject

        public java.lang.String getProxyTracingSubject()
        Returns:
        Gets the subject URL for the proxy tracing.

      • getSAMLAssertion

        public java.lang.String getSAMLAssertion()
        Gets SAML assertions in a string format.
        Returns:
        SAML assertions

      • setSAMLAssertion

        public void setSAMLAssertion​(java.lang.String saml)
        Sets SAML assertions in a string format.
        Parameters:
        saml - assertions to be used

      • setAttributeCertificates

        public void setAttributeCertificates​(org.bouncycastle.asn1.x509.AttributeCertificate[] ac)
                              throws java.io.IOException
        Sets Attribute certificates, which will be added as the VOMS extensions to the generated proxy.
        Parameters:
        ac - to be set
        Throws:
        java.io.IOException - IO exception

      • getAttributeCertificates

        public org.bouncycastle.asn1.x509.AttributeCertificate[] getAttributeCertificates()
                                                                           throws java.io.IOException
        Returns:
        Attribute certificates or null if was not set
        Throws:
        java.io.IOException - IO exception