org.glite.security.trustmanager
Class OpensslCertPathValidator

java.lang.Object
  extended by org.glite.security.trustmanager.OpensslCertPathValidator

public class OpensslCertPathValidator
extends java.lang.Object

OpenSSLCertPathValidator validates certificate paths. A certificate path is an array of certificates where the first certificate is signed by the public key of the second, the second certificate is signed by the public key of the third and so on. The certificate path may or may not contain a certificate authority (CA) certificate as the last element. If the path ends in a CA certificate, the CA certificate is ignored. To validate the last non-CA certificate, the trust anchors given in the constructor are searched, and if a CA that issued the certificate is found, the non-CA certificate is checked against the CA certificate. The last non-CA certificate is checked against the optional certificate revocation lists (CRL) given in the setCRLs method. If all the certificates in the array are valid and there is a CA that signed the last non-CA certificate, the path is valid.

The certificates have to be arranged in the correct order: index 0 is the actual end certificate, followed by 0 or more intermediate certificates. The last item in the array can be the end certificate if it is signed by a CA, an intermediate certificate that is signed by a CA, or a CA certificate, which is ignored so that the previous certificate is used as the last of the array.

Notice: a certificate path consisting of only a CA certificate is considered an invalid certificate path. The certificates are also checked for:

Author:
Joni Hahkala Created on Mar 6, 2008, 6:23 PM

Constructor Summary
OpensslCertPathValidator(java.lang.String trustPath, boolean crlRequired)
          Creates a new instance of MyCertPathValidator
 
Method Summary
 java.util.Vector<java.security.cert.X509Certificate> buildPath(java.security.cert.X509Certificate[] inpath)
          Constructs the CA path of the given cert chain.
 void check(java.security.cert.X509Certificate[] inpath)
          Checks that a certificate path is valid.
 CertPathValidatorState checkAnchorAndCert(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate caCert, CertPathValidatorState state, boolean firstAnchor)
          Does the same checks as checkCertificatePair and in addition checks that the sub is not listed in the possible CRL issued by the CA represented by the anchor.
 CertPathValidatorState checkCertificatePair(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, CertPathValidatorState state)
          Checks that the sub certificate is signed and issued by signer
 void checkDNRestriction(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, int proxyType)
          Checks that the subject DN starts with the DN parts of the signer.
 void checkSignature(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer)
          Checks that the sub certificate is signed by the signer.
 void checkUpdate()
          Checks whether any trust anchor information has been updated on disk and reloads it if it has.
 void checkValidity(java.security.cert.X509Certificate cert)
          Checks that the certificate is valid now and throws the corresponding exception in case it isn't.
 boolean findAddParent(java.util.Vector<java.security.cert.X509Certificate> inpath)
          Searches for a parent CA from trustAnchors and adds the cert to the cert chain.
 java.security.cert.X509Certificate[] getCACerts()
          Returns an array of accepted CA certificates
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

OpensslCertPathValidator

public OpensslCertPathValidator(java.lang.String trustPath,
                                boolean crlRequired)
                         throws java.security.cert.CertificateException,
                                java.security.NoSuchProviderException,
                                java.io.IOException,
                                java.text.ParseException
Creates a new instance of MyCertPathValidator

Parameters:
trustPath - A vector of TrustAnchors (Certificate Authority certificates with additional info and wrapping) that are considered trusted.
crlRequired - true if CRLs are required for each CA for them to be used in the certificate path checking.
Throws:
java.security.cert.CertificateException - in case CA certificate loading fails.
java.security.NoSuchProviderException - in case the Bouncy Castle provider is not found.
java.io.IOException - in case CA, CRL or namespace file reading fails.
java.text.ParseException - in case the reading of namespace files fails.
Method Detail

findAddParent

public boolean findAddParent(java.util.Vector<java.security.cert.X509Certificate> inpath)
Searches for a parent CA from trustAnchors and adds the cert to the cert chain.

Parameters:
inpath - The input path.
Returns:
the constructed path.

buildPath

public java.util.Vector<java.security.cert.X509Certificate> buildPath(java.security.cert.X509Certificate[] inpath)
                                                               throws java.security.cert.CertPathValidatorException,
                                                                      java.security.cert.CertificateException
Constructs the CA path of the given cert chain. If the chain starts with a CA cert, tries to replace it with one from trustAnchors. If the chain does not start with a CA cert, or if the starting CA is not in trustStore, searches for the CA that signed the first cert. If a trust anchor is found, tries to build upwards to parent CAs and returns the constructed chain.

Parameters:
inpath - The certificate chain to start with.
Returns:
The constructed certificate chain using as many CA certs as possible (longest cert chain possible).
Throws:
java.security.cert.CertPathValidatorException - Thrown in case the certificate chain building fails, for example if there is no valid trust anchor for the chain.
java.security.cert.CertificateException - In case certificate handling fails, in case of corrupted certs etc.

check

public void check(java.security.cert.X509Certificate[] inpath)
           throws java.security.cert.CertPathValidatorException,
                  java.security.cert.CertificateException
Checks that a certificate path is valid. See the class description above for a fuller explanation.

Parameters:
inpath - The certificate path to check
Throws:
java.security.cert.CertPathValidatorException - Thrown if there was a problem linking two certificates
java.security.cert.CertificateException - thrown if there was a problem with a single certificate
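
The path walk from the class description, as an added example written against plain JDK classes; it is not the trustmanager source. The names ChainWalkExample, issuedBy and load, the PEM file arguments, reading "CA certificate as the last element" as a self-issued root, and requiring every in-path signer to carry CA basic constraints are assumptions of this example. Proxy certificates, namespace files, and path-length, key-usage and name-constraint checks are left out.

```java
import java.io.FileInputStream;
import java.security.cert.*;
import java.util.*;
// Added illustration, not the trustmanager source; proxy certificates are out of scope.
public class ChainWalkExample {
    static boolean issuedBy(X509Certificate sub, X509Certificate signer) {
        return sub.getIssuerX500Principal().equals(signer.getSubjectX500Principal());
    }
    static void check(X509Certificate[] path, Collection<X509Certificate> anchors,
                      Collection<X509CRL> crls, boolean crlRequired) throws Exception {
        int last = path.length - 1;
        // Assumption: the ignored trailing "CA certificate" is a self-issued root.
        if (last >= 0 && issuedBy(path[last], path[last])) last--;
        if (last < 0) throw new CertPathValidatorException("no non-CA certificate in path");
        for (int i = 0; i < last; i++) {            // index 0 is the end certificate
            path[i].checkValidity();
            if (path[i + 1].getBasicConstraints() == -1 || !issuedBy(path[i], path[i + 1]))
                throw new CertPathValidatorException("bad link or wrong order at index " + i);
            path[i].verify(path[i + 1].getPublicKey());
        }
        X509Certificate top = path[last];           // must chain to a trust anchor
        top.checkValidity();
        for (X509Certificate ca : anchors) {
            if (!issuedBy(top, ca)) continue;
            try { ca.checkValidity(); top.verify(ca.getPublicKey()); } catch (Exception e) { continue; }
            boolean sawCrl = false;
            for (X509CRL crl : crls) {              // CRLs are optional unless crlRequired
                if (!crl.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) continue;
                crl.verify(ca.getPublicKey());
                sawCrl = true;
                if (crl.isRevoked(top)) throw new CertPathValidatorException("certificate revoked");
            }
            if (crlRequired && !sawCrl) throw new CertPathValidatorException("CRL required, none found");
            return;                                 // anchored and not revoked
        }
        throw new CertPathValidatorException("no trust anchor issued the last certificate");
    }
    static List<X509Certificate> load(String pem) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(pem)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                out.add((X509Certificate) c);
        }
        return out;
    }
    public static void main(String[] args) throws Exception { // args: chain.pem cas.pem
        check(load(args[0]).toArray(new X509Certificate[0]), load(args[1]), new ArrayList<>(), false);
        System.out.println("path is valid");
    }
}
```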

checkValidity

public void checkValidity(java.security.cert.X509Certificate cert)
                   throws java.security.cert.CertificateExpiredException,
                          java.security.cert.CertificateNotYetValidException
Checks that the certificate is valid now and throws the corresponding exception in case it isn't.

Parameters:
cert -
Throws:
java.security.cert.CertificateExpiredException
java.security.cert.CertificateNotYetValidException

checkSignature

public void checkSignature(java.security.cert.X509Certificate sub,
                           java.security.cert.X509Certificate signer)
                    throws java.security.cert.CertPathValidatorException,
                           java.security.cert.CertificateException
Checks that the sub certificate is signed by the signer.

Parameters:
sub - The sub certificate, the certificate appearing before signer in the certificate path array.
signer - The signer certificate, the certificate appearing after the sub in the certificate path array.
Throws:
java.security.cert.CertPathValidatorException - Thrown if the signature checking fails
java.security.cert.CertificateException - Thrown if a problem occurs when accessing either certificate.

checkCertificatePair

public CertPathValidatorState checkCertificatePair(java.security.cert.X509Certificate sub,
                                                   java.security.cert.X509Certificate signer,
                                                   CertPathValidatorState state)
                                            throws java.security.cert.CertPathValidatorException,
                                                   java.security.cert.CertificateException
Checks that the sub certificate is signed and issued by signer

Parameters:
sub - the sub certificate
signer - the signer certificate. The certificate for the issuer of the sub certificate.
state - the state for this certificate pair checking from the previous round.
Returns:
the state for the next certificate pair checking.
Throws:
java.security.cert.CertPathValidatorException - Thrown if the signature in sub is invalid or the certificate is not issued by signer.
java.security.cert.CertificateException - Thrown if there is a problem accessing data from either of the certificates

checkAnchorAndCert

public CertPathValidatorState checkAnchorAndCert(java.security.cert.X509Certificate sub,
                                                 java.security.cert.X509Certificate caCert,
                                                 CertPathValidatorState state,
                                                 boolean firstAnchor)
                                          throws java.security.cert.CertPathValidatorException,
                                                 java.security.cert.CertificateException,
                                                 java.security.cert.CRLException
Does the same checks as checkCertificatePair and in addition checks that the sub is not listed in the possible CRL issued by the CA represented by the anchor.

Parameters:
sub - The sub certificate to check.
caCert - The CA cert to check.
state - The state from the possible previous steps.
firstAnchor - The flag for first anchor in the chain. The anchor must be found, otherwise checking fails.
Returns:
the state for the next certificate pair checking.
Throws:
java.security.cert.CertPathValidatorException - Thrown if the sub certificate is not issued by anchor, is revoked or the signature in sub is invalid.
java.security.cert.CertificateException - Thrown if there is a problem accessing the data from the certificate or the trust anchor
java.security.cert.CRLException - In case the CRL parsing or usage fails.

getCACerts

public java.security.cert.X509Certificate[] getCACerts()
Returns an array of accepted CA certificates

Returns:
Returns the array of CA certificates

checkDNRestriction

public void checkDNRestriction(java.security.cert.X509Certificate sub,
                               java.security.cert.X509Certificate signer,
                               int proxyType)
                        throws java.security.cert.CertificateException
Checks that the subject DN starts with the DN parts of the signer.

Parameters:
sub - The certificate to check.
signer - The signer cert to take the DN from for the checking.
proxyType - the type of this proxy.
Throws:
java.security.cert.CertificateException - Thrown in case there are problems in handling the certificates.
See Also:
ProxyCertificateInfo

checkUpdate

public void checkUpdate()
                 throws java.io.IOException,
                        java.security.cert.CertificateException,
                        java.text.ParseException
Checks whether any trust anchor information has been updated on disk and reloads it if it has.

Throws:
java.io.IOException - In case there is an unrecoverable trust info reading failure during update.
java.security.cert.CertificateException - In case there is an unrecoverable certificate parsing or handling problem during update.
java.text.ParseException - In case there is an unrecoverable CRL or namespace parsing error during update.