Class ProxyChainInfo


  • public class ProxyChainInfo
    extends java.lang.Object
    A class for extracting information from a proxy certificate chain.
    Author:
    J. Hahkala, K. Benedyczak
    • Constructor Summary

      Constructors 
      Constructor Description
      ProxyChainInfo(java.security.cert.X509Certificate[] chain)
      Creates a new instance of this class, using the certificate chain as the source of the data.
    • Constructor Detail

      • ProxyChainInfo

        public ProxyChainInfo(java.security.cert.X509Certificate[] chain)
                       throws java.security.cert.CertificateException
        Creates a new instance of this class, using the certificate chain as the source of the data.
        Parameters:
        chain - chain with at least one proxy certificate
        Throws:
        java.security.cert.CertificateException - if there is no proxy certificate in the chain or if the chain is inconsistent, i.e. after a proxy there is a non-proxy certificate.
    • Method Detail

      • getSerialNumbers

        public java.math.BigInteger[] getSerialNumbers()
        Returns:
        array with serial numbers of the certificates in the chain
      • getProxyType

        public ProxyChainType getProxyType()
                                    throws java.security.cert.CertificateException
        Returns the type of the proxy chain. If the chain contains different types, the MIXED type is returned.
        Returns:
        the type of the chain
        Throws:
        java.security.cert.CertificateException - certificate exception
      • getFirstProxyPosition

        public int getFirstProxyPosition()
        Returns:
        the index of the first proxy in the chain (issued by the EEC).
      • isLimited

        public boolean isLimited()
                          throws java.security.cert.CertificateException,
                                 java.io.IOException
        Used to check whether the proxy chain is limited or not. The method returns 'true' if and only if there is at least one limited proxy in the chain.
        Returns:
        true if the chain is limited, i.e. the owner of the certificate may not submit jobs
        Throws:
        java.security.cert.CertificateException - certificate exception
        java.io.IOException - IO exception
      • getPolicy

        public ProxyPolicy[] getPolicy()
                                throws java.io.IOException
        Gets an array of the RFC proxy extension policy OIDs and the octets of each policy (see RFC 3820). Policy octets can be null when the OID by itself defines the behavior, as with the "inherit all" policy or the "independent" policy. The array contains entries from all certificates in the chain.
        Returns:
        array with policy information
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • getProxyTracingIssuers

        public java.lang.String[] getProxyTracingIssuers()
                                                  throws java.io.IOException
        Returns an array of URLs of the proxy tracing issuers in the chain. Non-traced proxies will have null in the array.
        Returns:
        The proxy tracing issuer URLs in String format, or null in the array if an extension was not found or it was empty.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • getProxyTracingSubjects

        public java.lang.String[] getProxyTracingSubjects()
                                                   throws java.io.IOException
        Returns an array of URLs of the proxy tracing subjects in the chain. Non-traced proxies will have null in the array.
        Returns:
        The proxy tracing subject URLs in String format, or null in the array if an extension was not found or it was empty.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • getSAMLExtensions

        public java.lang.String[] getSAMLExtensions()
                                             throws java.io.IOException
        Returns the SAML extensions from the certificate chain.
        Returns:
        The SAML assertions in String format. A null in the array means that no SAML extensions were found at the given position.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • getAttributeCertificateExtensions

        public org.bouncycastle.asn1.x509.AttributeCertificate[][] getAttributeCertificateExtensions()
                                                                                              throws java.io.IOException
        Returns the Attribute Certificate extensions from the certificate chain.
        Returns:
        The Attribute Certificates array. The first index corresponds to the first certificate in the chain. A null in the array means that no AC extension was found at the given position.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • getRemainingPathLimit

        public int getRemainingPathLimit()
                                  throws java.io.IOException
        Returns the remaining path length of this chain. Will search for both the RFC 3820 and the draft proxy path limit extensions. Legacy proxies are treated as unlimited.

        Notice: a negative value means that the chain is invalid because it has passed the limit of delegations. Integer.MAX_VALUE is returned if there is no path length limit set on the chain.

        Returns:
        remaining proxy path limit
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • getProxySourceRestrictions

        public byte[][][] getProxySourceRestrictions()
                                              throws java.io.IOException
        Gets the proxy source restriction data from the chain. The allowed namespaces in different certificates in the chain will be intersected and the union of the excluded namespaces will be computed. The returned array has as the first item the array of allowed namespaces and as the second item the array of excluded namespaces. If extensions exist, but in the end no allowed or excluded namespaces are left, the array is empty.
        Returns:
        array with proxy source restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • getProxyTargetRestrictions

        public byte[][][] getProxyTargetRestrictions()
                                              throws java.io.IOException
        Gets the proxy target restriction data from the chain. The allowed namespaces in different certificates in the chain will be intersected and the union of the excluded namespaces will be computed. The returned array has as the first item the array of allowed namespaces and as the second item the array of excluded namespaces. If extensions exist, but in the end no allowed or excluded namespaces are left, the array is empty.
        Returns:
        array with proxy target restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • isHostAllowedAsSource

        public boolean isHostAllowedAsSource(byte[] ipAddress)
                                      throws java.io.IOException
        Checks if the given IP address is allowed as this proxy chain source.
        Parameters:
        ipAddress - host IPv4 address as a 4-element array
        Returns:
        true if and only if the ipAddress is OK w.r.t. this proxy chain's source restrictions.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • isHostAllowedAsTarget

        public boolean isHostAllowedAsTarget(byte[] ipAddress)
                                      throws java.io.IOException
        Checks if the given IP address is allowed as this proxy chain target.
        Parameters:
        ipAddress - host IPv4 address as a 4-element array
        Returns:
        true if and only if the ipAddress is OK w.r.t. this proxy chain's target restrictions.
        Throws:
        java.io.IOException - Thrown in case the parsing of the information failed.
      • concatArrays

        public static byte[][] concatArrays(byte[][] first,
                                            byte[][] second)
        Concatenates two arrays of byte arrays.
        Parameters:
        first - The array of arrays to begin with.
        second - The array of arrays to end with.
        Returns:
        the array of arrays that contains the arrays from both argument arrays.
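
Added example, not code from the library or from this page: a fail-closed gate that combines getRemainingPathLimit(), isLimited() and isHostAllowedAsSource() before a job submission is accepted. The class name ProxyJobGate, the method maySubmitJob and the package in the import are assumptions; the chain is assumed to have passed signature and trust validation already, which this page does not cover.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Assumed package name: this page does not show the package of ProxyChainInfo.
import eu.emi.security.authn.x509.proxy.ProxyChainInfo;

/** Hypothetical helper for illustration; not part of the documented library. */
public final class ProxyJobGate {
    private ProxyJobGate() {}

    /**
     * Decides whether a job submission authenticated with the given proxy
     * chain and arriving from the given peer should be accepted.
     * Every parsing or consistency error results in a denial.
     */
    public static boolean maySubmitJob(X509Certificate[] chain, InetAddress peer) {
        byte[] ip = peer.getAddress();
        if (ip.length != 4) {
            // isHostAllowedAsSource is documented for a 4-element IPv4 array
            // only, so other address families are rejected rather than guessed.
            return false;
        }
        try {
            // Throws CertificateException if the chain holds no proxy
            // certificate or is inconsistent.
            ProxyChainInfo info = new ProxyChainInfo(chain);

            // A negative value means the delegation limit has been passed.
            // "No limit" is reported as a large positive value and passes.
            if (info.getRemainingPathLimit() < 0) {
                return false;
            }
            // One limited proxy anywhere in the chain is enough to make the
            // whole chain limited, and a limited chain may not submit jobs.
            if (info.isLimited()) {
                return false;
            }
            // The connecting peer is the source of the delegated credential.
            return info.isHostAllowedAsSource(ip);
        } catch (CertificateException | IOException e) {
            // Fail closed: an unparsable extension must never grant access.
            return false;
        }
    }
}
```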