org.glite.security.trustmanager
Class ProxyCertPathValidator

java.lang.Object
  extended by org.glite.security.trustmanager.ProxyCertPathValidator

public class ProxyCertPathValidator
extends java.lang.Object

ProxyCertPathValidator validates certificate paths. A certificate path is an array of certificates where the first certificate is signed by the public key of the second, the second certificate is signed by the public key of the third and so on. The certificate path may or may not contain a certificate authority (CA) certificate as the last element. If the path ends in a CA certificate, the CA certificate is ignored. To validate the last non-CA certificate, the trust anchors given in the constructor are searched, and if a CA that issued the certificate is found, the non-CA certificate is checked against the CA certificate. The last non-CA certificate is checked against the optional certificate revocation lists (CRL) given in the setCRLs method. If all the certificates in the array are valid and there is a CA that signed the last non-CA certificate, the path is valid.

The certificates have to be arranged in the correct order: index 0 is the actual end certificate, followed by 0 or more intermediate certificates. The last item in the array can be the end certificate if it is signed by a CA, an intermediate certificate that is signed by a CA, or a CA certificate, which is ignored and the previous certificate is used as the last of the array.

Notice: a certificate path consisting of only a CA certificate is considered an invalid certificate path.

The certificates are also checked for:
- Date (the cert has to be valid for the time of check)

Author:
Joni Hahkala Created on May 7, 2002, 6:23 PM

Constructor Summary
ProxyCertPathValidator(java.util.Vector trustAnchors)
          Creates a new instance of ProxyCertPathValidator
 
Method Summary
 void check(java.security.cert.X509Certificate[] inpath)
          Checks that a certificate path is valid.
 boolean checkCertificatePair(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, boolean namingConstraint)
          Checks that the sub certificate is signed and issued by signer
 void checkDNRestriction(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer)
          Checks that the subject DN starts with the DN parts of the signer.
 boolean checkLastAnchor(java.security.cert.X509Certificate sub, java.security.cert.TrustAnchor anchor)
          Does the same checks as checkCertificatePair and in addition checks that the sub is not listed in the possible CRL issued by the CA represented by the anchor.
 void checkSignature(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer)
          Checks that the sub certificate is signed by the signer.
 java.security.cert.TrustAnchor[] findCA(DN dn)
          Finds the TrustAnchor with the distinguished name (DN) dn.
 java.security.cert.X509Certificate[] getCACerts()
          Returns an array of accepted CA certificates
 void setCRLChecker(CRLCertChecker checker)
          Sets the CRLChecker to use for the checking of cert chains
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ProxyCertPathValidator

public ProxyCertPathValidator(java.util.Vector trustAnchors)
                       throws java.security.cert.CertificateException,
                              java.security.NoSuchProviderException
Creates a new instance of ProxyCertPathValidator

Parameters:
trustAnchors - A vector of TrustAnchors (Certificate Authority certificates with additional info and wrapping) that are considered trusted.
Throws:
java.security.cert.CertificateException - thrown by certificate factory in some cases.
java.security.NoSuchProviderException - thrown if bouncycastle provider is not available.
Method Detail

setCRLChecker

public void setCRLChecker(CRLCertChecker checker)
Sets the CRLChecker to use for the checking of cert chains

Parameters:
checker - The Checker instance to use to check the CRLs

check

public void check(java.security.cert.X509Certificate[] inpath)
           throws java.security.cert.CertPathValidatorException,
                  java.security.cert.CertificateException
Checks that a certificate path is valid. See the class description above for a fuller explanation.

Parameters:
inpath - The certificate path to check.
Throws:
java.security.cert.CertPathValidatorException - thrown if there was a problem linking two certificates.
java.security.cert.CertificateException - thrown if there was a problem with a single certificate.

checkSignature

public void checkSignature(java.security.cert.X509Certificate sub,
                           java.security.cert.X509Certificate signer)
                    throws java.security.cert.CertPathValidatorException,
                           java.security.cert.CertificateException
Checks that the sub certificate is signed by the signer.

Parameters:
sub - The sub certificate, the certificate appearing before signer in the certificate path array.
signer - The signer certificate, the certificate appearing after the sub in the certificate path array.
Throws:
java.security.cert.CertPathValidatorException - Thrown if the signature checking fails.
java.security.cert.CertificateException - Thrown if a problem occurs when accessing either certificate.

checkCertificatePair

public boolean checkCertificatePair(java.security.cert.X509Certificate sub,
                                    java.security.cert.X509Certificate signer,
                                    boolean namingConstraint)
                             throws java.security.cert.CertPathValidatorException,
                                    java.security.cert.CertificateException
Checks that the sub certificate is signed and issued by signer

Parameters:
sub - the sub certificate
signer - the signer certificate. The certificate for the issuer of the sub certificate.
namingConstraint - true if the cert pair is subject to a naming constraint from above
Returns:
true if the following certs are subject to naming restriction, meaning that the sub can only sign certs that contain the sub DN
Throws:
java.security.cert.CertPathValidatorException - Thrown if the signature in sub is invalid or the certificate is not issued by signer.
java.security.cert.CertificateException - Thrown if there is a problem accessing data from either of the certificates

checkLastAnchor

public boolean checkLastAnchor(java.security.cert.X509Certificate sub,
                               java.security.cert.TrustAnchor anchor)
                        throws java.security.cert.CertPathValidatorException,
                               java.security.cert.CertificateException,
                               java.security.cert.CRLException
Does the same checks as checkCertificatePair and in addition checks that the sub is not listed in the possible CRL issued by the CA represented by the anchor.

Parameters:
sub - The sub certificate
anchor - The TrustAnchor that issued the sub certificate
Returns:
true if the following certs are subject to naming restriction, meaning that the sub can only sign certs that contain the sub DN
Throws:
java.security.cert.CertPathValidatorException - Thrown if the sub certificate is not issued by anchor, is revoked or the signature in sub is invalid.
java.security.cert.CertificateException - Thrown if there is a problem accessing the data from the certificate or the trust anchor.
java.security.cert.CRLException - Thrown in case the CRL parsing or usage fails.

findCA

public java.security.cert.TrustAnchor[] findCA(DN dn)
                                        throws java.security.cert.CertPathValidatorException,
                                               java.security.cert.CertificateParsingException
Finds the TrustAnchor with the distinguished name (DN) dn.

Parameters:
dn - The Principal holding the DN of the CA to be searched.
Returns:
Returns the TrustAnchors that are named dn
Throws:
java.security.cert.CertPathValidatorException - Thrown if no CA was found with that name
java.security.cert.CertificateParsingException - Thrown in case the CA certificate parsing fails.

getCACerts

public java.security.cert.X509Certificate[] getCACerts()
Returns an array of accepted CA certificates

Returns:
Returns the array of CA certificates

checkDNRestriction

public void checkDNRestriction(java.security.cert.X509Certificate sub,
                               java.security.cert.X509Certificate signer)
                        throws java.security.cert.CertificateException
Checks that the subject DN starts with the DN parts of the signer.

Parameters:
sub - the certificate signed by the signer.
signer - the signer certificate.
Throws:
java.security.cert.CertificateException - thrown if the proxy certificate DN of the sub is not the DN of the signer with an additional CN= RDN appended.
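
Added example (not part of the original documentation and not the trustmanager implementation): a stand-alone sketch of the naming rule that checkDNRestriction describes, where the proxy subject DN must be the signer DN with one additional CN= RDN appended. It uses only JDK classes; the class name ProxyDnRestrictionExample, the method name isSignerDnPlusCn and the sample DNs are assumptions made for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class ProxyDnRestrictionExample {

    /**
     * Hypothetical helper: returns true when the sub DN is the signer DN
     * with exactly one extra, single-valued CN RDN appended.
     */
    static boolean isSignerDnPlusCn(X500Principal sub, X500Principal signer)
            throws InvalidNameException {
        // RFC 2253 strings list the most specific RDN first; LdapName indexes
        // them the other way round, so index 0 is the root-most RDN.
        LdapName subName = new LdapName(sub.getName(X500Principal.RFC2253));
        LdapName signerName = new LdapName(signer.getName(X500Principal.RFC2253));

        // Exactly one RDN may be added per delegation step.
        if (subName.size() != signerName.size() + 1) return false;
        // Every RDN of the signer must be present, unchanged and in order.
        if (!subName.startsWith(signerName)) return false;

        // The appended RDN must be a plain CN, not another attribute type
        // and not a multi-valued RDN such as CN=x+OU=y.
        Rdn extra = subName.getRdn(subName.size() - 1);
        return extra.size() == 1 && "CN".equalsIgnoreCase(extra.getType());
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs, not taken from any real certificate.
        X500Principal signer = new X500Principal("CN=Jane Doe,OU=Users,O=Example Grid");
        String[] candidates = {
            "CN=proxy,CN=Jane Doe,OU=Users,O=Example Grid",     // signer DN plus one CN
            "CN=Jane Doe,OU=Users,O=Example Grid",              // nothing appended
            "OU=proxy,CN=Jane Doe,OU=Users,O=Example Grid",     // appended RDN is not a CN
            "CN=proxy,CN=Someone Else,OU=Users,O=Example Grid", // signer part differs
            "CN=a,CN=b,CN=Jane Doe,OU=Users,O=Example Grid",    // two RDNs appended at once
        };
        for (String dn : candidates) {
            boolean ok = isSignerDnPlusCn(new X500Principal(dn), signer);
            System.out.println((ok ? "accept  " : "reject  ") + dn);
        }
    }
}
```

In a real chain the two principals would come from sub.getSubjectX500Principal() and signer.getSubjectX500Principal(), and this naming check is only one of the per-pair checks alongside signature and date validation.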