org.glite.security.trustmanager
Class ProxyCertPathValidator

java.lang.Object
  org.glite.security.trustmanager.ProxyCertPathValidator

public class ProxyCertPathValidator
ProxyCertPathValidator validates certificate paths. A certificate path is an array of certificates where the first certificate is signed by the public key of the second, the second certificate is signed by the public key of the third, and so on. The certificate path may or may not contain a certificate authority (CA) certificate as its last element; if the path ends in a CA certificate, that CA certificate is ignored.

To validate the last non-CA certificate, the trust anchors given in the constructor are searched; if a CA that issued the certificate is found, the non-CA certificate is checked against that CA certificate. The last non-CA certificate is also checked against the optional certificate revocation lists (CRLs) given in the setCRLs method. If all the certificates in the array are valid and there is a trusted CA that signed the last non-CA certificate, the path is valid.

The certificates have to be arranged in the correct order: index 0 is the actual end certificate, followed by zero or more intermediate certificates. The last item in the array can be the end certificate (if it is signed directly by a CA), an intermediate certificate that is signed by a CA, or a CA certificate, which is ignored so that the previous certificate is treated as the last of the array. Notice: a certificate path consisting of only a CA certificate is considered an invalid certificate path.

The certificates are also checked for:
- Date (the certificate has to be valid at the time of the check)
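The ordering, trailing-CA, proxy-naming and CRL rules described above, modelled in Python as an added example (this is not trustmanager code). It assumes OpenSSL one-line DNs such as `/C=FI/O=Org/CN=x`, represents certificates as constructed dicts, and models issuance by an issuer/subject match only; the real validator additionally verifies every signature.

```python
"""Model of the path rules above (added example, not trustmanager code).
Assumptions: OpenSSL one-line DNs, certificates as constructed dicts, and
issuance modelled by issuer/subject match (no signature verification)."""

def parse_dn(dn):
    """'/C=FI/O=Org/CN=x' -> [('C', 'FI'), ('O', 'Org'), ('CN', 'x')]."""
    rdns = []
    for part in dn.strip("/").split("/"):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns

def check_dn_restriction(sub_dn, signer_dn):
    """Proxy naming rule: sub DN is the signer DN plus exactly one extra CN RDN."""
    sub, signer = parse_dn(sub_dn), parse_dn(signer_dn)
    return (len(sub) == len(signer) + 1 and sub[:len(signer)] == signer
            and sub[-1][0] == "CN")

def check_path(path, anchor_dns, revoked):
    """True for a valid path; ValueError naming the failed rule otherwise.
    path[0] is the end cert; anchor_dns: trusted CA DNs; revoked: (CA DN, serial)."""
    if not path:
        raise ValueError("empty certificate path")
    last = len(path) - 1
    if path[last]["ca"]:
        last -= 1                                  # trailing CA cert is ignored
    if last < 0:
        raise ValueError("a path consisting of only a CA certificate is invalid")
    for i in range(last):                          # link each cert to the next
        sub, signer = path[i], path[i + 1]
        if sub["issuer"] != signer["subject"]:
            raise ValueError(f"certificate {i} is not issued by certificate {i + 1}")
        if sub["proxy"] and not check_dn_restriction(sub["subject"], signer["subject"]):
            raise ValueError(f"proxy DN restriction violated at certificate {i}")
    final = path[last]                             # must chain to a trust anchor
    if final["issuer"] not in anchor_dns:
        raise ValueError(f"no trusted CA with DN {final['issuer']}")
    if (final["issuer"], final["serial"]) in revoked:
        raise ValueError(f"certificate {last} is revoked by its CA")
    return True

# Constructed sample: proxy -> user certificate -> CA (the trailing CA is ignored).
CA = "/C=FI/O=Grid/CN=Example CA"
USER = "/C=FI/O=Grid/CN=John Doe"
SAMPLE_PATH = [
    {"subject": USER + "/CN=proxy", "issuer": USER, "serial": 1, "ca": False, "proxy": True},
    {"subject": USER, "issuer": CA, "serial": 4711, "ca": False, "proxy": False},
    {"subject": CA, "issuer": CA, "serial": 1, "ca": True, "proxy": False},
]
```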
Constructor Summary

| Constructor | Description |
|---|---|
| `ProxyCertPathValidator(java.util.Vector trustAnchors)` | Creates a new instance of ProxyCertPathValidator. |
Method Summary

| Return type | Method and description |
|---|---|
| `void` | `check(java.security.cert.X509Certificate[] inpath)` Checks that a certificate path is valid. |
| `boolean` | `checkCertificatePair(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer, boolean namingConstraint)` Checks that the sub certificate is signed and issued by signer. |
| `void` | `checkDNRestriction(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer)` Checks that the subject DN starts with the DN parts of the signer. |
| `boolean` | `checkLastAnchor(java.security.cert.X509Certificate sub, java.security.cert.TrustAnchor anchor)` Does the same checks as checkCertificatePair and in addition checks that sub is not listed in the possible CRL issued by the CA represented by the anchor. |
| `void` | `checkSignature(java.security.cert.X509Certificate sub, java.security.cert.X509Certificate signer)` Checks that the sub certificate is signed by the signer. |
| `java.security.cert.TrustAnchor[]` | `findCA(DN dn)` Finds the TrustAnchor with the distinguished name (DN) dn. |
| `java.security.cert.X509Certificate[]` | `getCACerts()` Returns an array of accepted CA certificates. |
| `void` | `setCRLChecker(CRLCertChecker checker)` Sets the CRLCertChecker to use for the checking of certificate chains. |
Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

ProxyCertPathValidator

public ProxyCertPathValidator(java.util.Vector trustAnchors)
                       throws java.security.cert.CertificateException,
                              java.security.NoSuchProviderException

Parameters:
trustAnchors - A vector of TrustAnchors (Certificate Authority certificates with additional info and wrapping) that are considered trusted.
Throws:
java.security.cert.CertificateException - thrown by the certificate factory in some cases.
java.security.NoSuchProviderException - thrown if the BouncyCastle provider is not available.

Method Detail
setCRLChecker

public void setCRLChecker(CRLCertChecker checker)

Sets the CRLCertChecker to use for the checking of certificate chains.

Parameters:
checker - The checker instance to use to check the CRLs.

check

public void check(java.security.cert.X509Certificate[] inpath)
           throws java.security.cert.CertPathValidatorException,
                  java.security.cert.CertificateException

Checks that a certificate path is valid.

Parameters:
inpath - The certificate path to check.
Throws:
java.security.cert.CertPathValidatorException - thrown if there was a problem linking two certificates.
java.security.cert.CertificateException - thrown if there was a problem with a single certificate.

checkSignature

public void checkSignature(java.security.cert.X509Certificate sub,
                           java.security.cert.X509Certificate signer)
                    throws java.security.cert.CertPathValidatorException,
                           java.security.cert.CertificateException

Checks that the sub certificate is signed by the signer.

Parameters:
sub - The sub certificate, the certificate appearing before signer in the certificate path array.
signer - The signer certificate, the certificate appearing after sub in the certificate path array.
Throws:
java.security.cert.CertPathValidatorException - Thrown if the signature check fails.
java.security.cert.CertificateException - Thrown if a problem occurs when accessing either certificate.

checkCertificatePair

public boolean checkCertificatePair(java.security.cert.X509Certificate sub,
                                    java.security.cert.X509Certificate signer,
                                    boolean namingConstraint)
                             throws java.security.cert.CertPathValidatorException,
                                    java.security.cert.CertificateException

Checks that the sub certificate is signed and issued by signer.

Parameters:
sub - The sub certificate.
signer - The signer certificate, i.e. the certificate of the issuer of the sub certificate.
namingConstraint - true if the certificate pair is subject to the naming constraint described above.
Throws:
java.security.cert.CertPathValidatorException - Thrown if the signature in sub is invalid or the certificate is not issued by signer.
java.security.cert.CertificateException - Thrown if there is a problem accessing data from either of the certificates.

checkLastAnchor

public boolean checkLastAnchor(java.security.cert.X509Certificate sub,
                               java.security.cert.TrustAnchor anchor)
                        throws java.security.cert.CertPathValidatorException,
                               java.security.cert.CertificateException,
                               java.security.cert.CRLException

Does the same checks as checkCertificatePair and in addition checks that sub is not listed in the possible CRL issued by the CA represented by the anchor.

Parameters:
sub - The sub certificate.
anchor - The TrustAnchor that issued the sub certificate.
Throws:
java.security.cert.CertPathValidatorException - Thrown if the sub certificate is not issued by anchor, is revoked, or the signature in sub is invalid.
java.security.cert.CertificateException - Thrown if there is a problem accessing the data from the certificate or the trust anchor.
java.security.cert.CRLException - Thrown in case the CRL parsing or usage fails.

findCA

public java.security.cert.TrustAnchor[] findCA(DN dn)
                                        throws java.security.cert.CertPathValidatorException,
                                               java.security.cert.CertificateParsingException

Finds the TrustAnchor with the distinguished name (DN) dn.

Parameters:
dn - The Principal holding the DN of the CA to be searched for.
Throws:
java.security.cert.CertPathValidatorException - Thrown if no CA was found with that name.
java.security.cert.CertificateParsingException - Thrown in case the CA certificate parsing fails.

getCACerts

public java.security.cert.X509Certificate[] getCACerts()

Returns an array of accepted CA certificates.

checkDNRestriction

public void checkDNRestriction(java.security.cert.X509Certificate sub,
                               java.security.cert.X509Certificate signer)
                        throws java.security.cert.CertificateException

Checks that the subject DN starts with the DN parts of the signer.

Parameters:
sub - The certificate signed by signer.
signer - The signer certificate.
Throws:
java.security.cert.CertificateException - thrown in case the proxy certificate DN of sub is not the DN of the signer with an additional CN= RDN appended.