org.glite.security.util.proxy
Class ProxyRestrictionData

java.lang.Object
  extended by org.glite.security.util.proxy.ProxyRestrictionData

public class ProxyRestrictionData
extends java.lang.Object

A utility class for defining an allowed address space, used to define both the source and the target restrictions of a proxy. The format is:

 iGTFProxyRestrictFrom ::= NameConstraints
 iGTFProxyRestrictTarget ::= NameConstraints
  
 NameConstraints::= SEQUENCE {
            permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
            excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 
 GeneralSubtree ::= SEQUENCE {
            base                    GeneralName,
            minimum         [0]     BaseDistance DEFAULT 0,
            maximum         [1]     BaseDistance OPTIONAL }
 
 BaseDistance ::= INTEGER (0..MAX)
 
 GeneralName ::= CHOICE {
         otherName                       [0]     OtherName,
         rfc822Name                      [1]     IA5String,
         dNSName                         [2]     IA5String,
         x400Address                     [3]     ORAddress,
         directoryName                   [4]     Name,
         ediPartyName                    [5]     EDIPartyName,
         uniformResourceIdentifier       [6]     IA5String,
         iPAddress                       [7]     OCTET STRING,
         registeredID                    [8]     OBJECT IDENTIFIER }
 
 OtherName ::= SEQUENCE {
         type-id    OBJECT IDENTIFIER,
         value      [0] EXPLICIT ANY DEFINED BY type-id }
 
 EDIPartyName ::= SEQUENCE {
         nameAssigner            [0]     DirectoryString OPTIONAL,
         partyName               [1]     DirectoryString }
 
Of the GeneralName choices, this class supports only iPAddress, given as an IP address and netmask combination (the OCTET STRING holds the address followed by its mask: 8 octets for IPv4, 32 octets for IPv6, as in NameConstraints).

Author:
joni.hahkala@cern.ch

Field Summary
static java.lang.String SOURCE_RESTRICTION_OID
          The OID for the proxy source restriction
static java.lang.String TARGET_RESTRICTION_OID
          The OID for the proxy target Restriction
 
Constructor Summary
ProxyRestrictionData()
          Constructor to generate an empty ProxyRestrictionData object for creating new restrictions.
ProxyRestrictionData(byte[] bytes)
          Parses the restriction data from byte array.
 
Method Summary
 void addExcludedIPAddressWithNetmask(java.lang.String address)
          Adds a new excluded IP address space to the data structure.
 void addPermittedIPAddressWithNetmask(java.lang.String address)
          Adds a new permitted IP address space to the data structure.
 byte[][][] getIPSpaces()
          Returns the permitted and excluded IP address spaces (CIDR blocks as defined in RFC 4632) as arrays of address/netmask octets.
 org.bouncycastle.asn1.DERSequence getNameConstraints()
          Returns the NameConstraints structure of the restrictions.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SOURCE_RESTRICTION_OID

public static final java.lang.String SOURCE_RESTRICTION_OID
The OID for the proxy source restriction

See Also:
Constant Field Values

TARGET_RESTRICTION_OID

public static final java.lang.String TARGET_RESTRICTION_OID
The OID for the proxy target Restriction

See Also:
Constant Field Values

Constructor Detail

ProxyRestrictionData

public ProxyRestrictionData(byte[] bytes)
                     throws java.io.IOException
Parses the restriction data from byte array.

Parameters:
bytes - The byte array to parse.
Throws:
java.io.IOException - In case there is a problem parsing the structure.

ProxyRestrictionData

public ProxyRestrictionData()
Constructor that creates an empty ProxyRestrictionData object for building new restrictions. Note that putting an empty proxy restriction into a certificate means there are no permitted IP spaces, so the proxy should be rejected everywhere.

Method Detail

addPermittedIPAddressWithNetmask

public void addPermittedIPAddressWithNetmask(java.lang.String address)
Adds a new permitted IP address space to the data structure.

Parameters:
address - The address space to add to the permitted IP address space, in CIDR notation (see RFC 4632). Example: 192.168.0.0/16, which equals 192.168.0.0 with netmask 255.255.0.0. A single IP address is written as xxx.xxx.xxx.xxx/32.
The restriction is stored in the format used for NameConstraints: a GeneralName iPAddress holding the address followed by the mask, 8 octets for IPv4 and 32 octets for IPv6 addresses.

addExcludedIPAddressWithNetmask

public void addExcludedIPAddressWithNetmask(java.lang.String address)
Adds a new excluded IP address space to the data structure.

Parameters:
address - The address space to add to the excluded IP address space, in CIDR notation (see RFC 4632). Example: 192.168.0.0/16, which equals 192.168.0.0 with netmask 255.255.0.0. A single IP address is written as xxx.xxx.xxx.xxx/32.
The restriction is stored in the format used for NameConstraints: a GeneralName iPAddress holding the address followed by the mask, 8 octets for IPv4 and 32 octets for IPv6 addresses.

getNameConstraints

public org.bouncycastle.asn1.DERSequence getNameConstraints()
Returns the NameConstraints structure of the restrictions.

Returns:
The DERSequence containing the NameConstraints structure.

getIPSpaces

public byte[][][] getIPSpaces()
Returns the permitted and excluded IP address spaces (CIDR blocks as defined in RFC 4632) as arrays of address/netmask octets.

Returns:
The array of arrays of address spaces defined in this structure, each given as the address octets followed by the netmask octets, e.g. {137,138,0,0,255,255,0,0} for 137.138.0.0/16. The first element lists the permitted IP address spaces and the second the excluded ones. The outer array always contains two items, but either of them can have length 0.
See Also:
addExcludedIPAddressWithNetmask(String)
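Worked example (added here; this is not code from the gLite class or its API): the Python below builds the NameConstraints structure shown in the class description from CIDR strings, encoding each iPAddress GeneralName as the address followed by its netmask (8 octets for IPv4, 32 for IPv6, as the addPermitted/addExcluded descriptions and getIPSpaces state), parses such a structure back into the two lists, and evaluates an address against them. Two points the page does not settle are assumptions of this example: host bits set below the mask are rejected rather than silently masked off, and an excluded match overrides a permitted match (RFC 5280 name-constraints semantics). An empty permitted list rejects every address, as the no-argument constructor's note says.

```python
"""Added example: encode, decode and evaluate iGTF proxy IP restrictions in the
NameConstraints form described above, stdlib only. Not the gLite implementation."""
import ipaddress

# DER tags for the structure above. RFC 5280 modules use IMPLICIT tagging, so the
# [0]/[1]/[7] context tags replace the underlying universal tags.
TAG_SEQUENCE = 0x30    # SEQUENCE / SEQUENCE OF
TAG_IPADDRESS = 0x87   # GeneralName iPAddress [7], primitive
TAG_PERMITTED = 0xA0   # permittedSubtrees [0], constructed
TAG_EXCLUDED = 0xA1    # excludedSubtrees [1], constructed


def _der_len(n):
    """DER length: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def cidr_to_octets(cidr):
    """'192.168.0.0/16' -> 8 octets (address || mask); IPv6 -> 32 octets.
    strict=True rejects host bits below the mask (assumption of this example)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.network_address.packed + net.netmask.packed


def octets_to_cidr(octets):
    """Inverse of cidr_to_octets; rejects bad lengths and non-contiguous masks."""
    if len(octets) not in (8, 32):
        raise ValueError("iPAddress constraint must be 8 (IPv4) or 32 (IPv6) octets")
    half = len(octets) // 2
    bits = half * 8
    mask = int.from_bytes(octets[half:], "big")
    prefixlen = bin(mask).count("1")
    if mask != ((1 << prefixlen) - 1) << (bits - prefixlen):
        raise ValueError("netmask is not contiguous")
    cls = ipaddress.IPv4Network if half == 4 else ipaddress.IPv6Network
    return str(cls((octets[:half], prefixlen), strict=True))


def encode_name_constraints(permitted, excluded):
    """DER NameConstraints for the given CIDR lists. GeneralSubtree's minimum
    (DEFAULT 0) and maximum (OPTIONAL) are omitted, as DER requires for defaults."""
    def subtrees(cidrs):
        return b"".join(_tlv(TAG_SEQUENCE, _tlv(TAG_IPADDRESS, cidr_to_octets(c)))
                        for c in cidrs)
    body = b""
    if permitted:
        body += _tlv(TAG_PERMITTED, subtrees(permitted))
    if excluded:
        body += _tlv(TAG_EXCLUDED, subtrees(excluded))
    return _tlv(TAG_SEQUENCE, body)


def _tlvs(buf):
    """Yield (tag, content) for each TLV in buf, refusing truncated input."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:
            n = length & 0x7F
            if n == 0 or pos + n > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > len(buf):
            raise ValueError("TLV content runs past end of buffer")
        yield tag, buf[pos:pos + length]
        pos += length


def decode_name_constraints(der):
    """Return ([permitted CIDRs], [excluded CIDRs]), the two lists getIPSpaces()
    returns as octets. Only iPAddress GeneralNames are accepted."""
    outer = list(_tlvs(der))
    if len(outer) != 1 or outer[0][0] != TAG_SEQUENCE:
        raise ValueError("expected exactly one NameConstraints SEQUENCE")
    spaces = {TAG_PERMITTED: [], TAG_EXCLUDED: []}
    for tag, subtrees in _tlvs(outer[0][1]):
        if tag not in spaces:
            raise ValueError("unexpected tag 0x%02x in NameConstraints" % tag)
        for stag, subtree in _tlvs(subtrees):
            if stag != TAG_SEQUENCE:
                raise ValueError("GeneralSubtree must be a SEQUENCE")
            fields = list(_tlvs(subtree))  # base first; minimum/maximum ignored
            if not fields or fields[0][0] != TAG_IPADDRESS:
                raise ValueError("only iPAddress GeneralNames are supported here")
            spaces[tag].append(octets_to_cidr(fields[0][1]))
    return spaces[TAG_PERMITTED], spaces[TAG_EXCLUDED]


def is_allowed(ip, permitted, excluded):
    """No permitted space => nothing allowed (constructor note); an excluded
    match overrides a permitted one (RFC 5280 semantics, assumed here)."""
    addr = ipaddress.ip_address(ip)
    def hit(cidrs):
        return any(addr in ipaddress.ip_network(c) for c in cidrs)
    return hit(permitted) and not hit(excluded)


if __name__ == "__main__":
    # Constructed sample: CERN-style /16 plus an IPv6 block, one /24 carved out.
    der = encode_name_constraints(["137.138.0.0/16", "2001:db8::/32"], ["137.138.7.0/24"])
    print(der.hex())
    perm, excl = decode_name_constraints(der)
    for ip in ("137.138.1.1", "137.138.7.9", "2001:db8::1", "10.0.0.1"):
        print(ip, is_allowed(ip, perm, excl))
```

The DER produced for a single permitted 192.168.0.0/16 is 300e a00c 300a 8708 c0a80000 ffff0000: the outer SEQUENCE, the [0] permittedSubtrees, one GeneralSubtree SEQUENCE, and the [7] iPAddress carrying exactly the eight octets {192,168,0,0,255,255,0,0} that getIPSpaces() would return. Feeding the decoder a mask such as 255.0.255.0 or a GeneralName of another type raises instead of producing a constraint that a relying party might interpret loosely.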