eu.emi.security.authn.x509.helpers.pkipath

Class BCCertPathValidator

java.lang.Object

eu.emi.security.authn.x509.helpers.pkipath.BCCertPathValidator

public class BCCertPathValidator
extends Object

Low-level certificate validator based on the BC PKIXCertPathReviewer with additional support for proxy certificates.

Author:

K. Benedyczak

Field Summary

Fields

Modifier and Type	Field and Description
static long	PROXY_VALIDATION_GRACE_PERIOD

Constructor Summary

Constructors

Constructor and Description
BCCertPathValidator()

Method Summary

Modifier and Type	Method and Description
protected void	checkLastCNNameRule(X500Principal srcP, X500Principal issuerP, List<ValidationError> errors, int position, X509Certificate[] proxyChain)
protected List<X509Certificate>	checkNonProxyChain(X509Certificate[] baseChain, ExtPKIXParameters2 params, List<ValidationError> errors, Set<String> unresolvedExtensions, int posDelta, X509Certificate[] cc) Performs checking of the chain which has no proxies (or at least should not have proxies), using FixedBCPKIXCertPathReviewer.
protected void	checkPairWithProxy(X509Certificate issuerCert, X509Certificate proxyCert, List<ValidationError> errors, int position, X509Certificate[] proxyChain, Date validationTime) Checks if the certificate passed as the 2nd argument is a correct proxy certificate including checks w.r.t. chain rules with the certificate passed as the 1st argument being its issuing certificate.
protected void	checkProxyChainMain(X509Certificate[] proxyChain, List<ValidationError> errors, Set<String> unresolvedExtensions, Date validDate) Performs a validation loop of the proxy chain checking each pair in chain for the rules not otherwise verified by the base check.
protected void	checkProxyChainWithBC(X509Certificate[] proxyChain, Set<TrustAnchor> trustAnchor, List<ValidationError> errors, Set<String> unresolvedExtensions) Checks chain with proxies, starting with the EEC using X.509 path validation.
protected void	checkProxyTime(X509Certificate proxyCert, Date validationTime, X509Certificate[] proxyChain, List<ValidationError> errors, int position)
protected List<ValidationError>	convertErrors(List<?>[] bcErrorsA, boolean ignoreProxyErrors, int positionDelta, X509Certificate[] cc)
protected ExtPKIXParameters2	createPKIXParameters(X509Certificate[] toCheck, boolean proxySupport, Set<TrustAnchor> trustAnchors, CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler)
protected int	getFirstProxy(X509Certificate[] toCheck)
protected Set<String>	getUnresolvedExtensionons(List<?>[] bcErrorsA)
ValidationResult	validate(X509Certificate[] toCheck, boolean proxySupport, Set<TrustAnchor> trustAnchors, CertStore crlStore, RevocationParameters revocationParams, ObserversHandler observersHandler) Performs validation.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PROXY_VALIDATION_GRACE_PERIOD

public static final long PROXY_VALIDATION_GRACE_PERIOD

See Also:

Constant Field Values

Constructor Detail

BCCertPathValidator

public BCCertPathValidator()

Method Detail

validate

public ValidationResult validate(X509Certificate[] toCheck,
                                 boolean proxySupport,
                                 Set<TrustAnchor> trustAnchors,
                                 CertStore crlStore,
                                 RevocationParameters revocationParams,
                                 ObserversHandler observersHandler)
                          throws CertificateException

Performs validation. Expects correctly set up parameters.

If the proxy support is turned off or the chain has no proxy certificate then normal X.509 path validation is performed (see below).

If the proxy support is turned on and the chain has at least one proxy then the following checks are performed:

• The chain is split into two chains A and B, where B ends with the first element of A and it is the first not proxy certificate in the original chain (i.e. the EEC which is the split point).
• The chain A is validated using normal X.509 path validation.
• The chain B is also validated with the X.509 path validation but PROXY extension OIDs are recognized, the only trust anchor is the EEC, the CRLs are ignored, the CA constraint is not required on any issuing certificate and the certificate sign bit is also not required.
• The chain B is iterated over and on each pair additional checks from the RFC 3820 are verified, along with the proxy path limit.

The normal path validation is performed as follows:

• First all basically correct (i.e. fulfilling name chaining rules) certificate paths are tried to be constructed from the input chain. This step produces from zero to many paths (in 99%: 0 or 1). Those paths can differ from the input e.g. by having self-signed intermediary CA certificate removed.
• If there were no path constructed, the input chain is used as-is, as the only possible path. At this step we already know it is invalid, but we anyway continue to establish complete and detailed list of errors.
• All constructed paths are validated using PKIX rules, and errors found are recorded. If at least one path validates successfully the algorithm ends.
• If all paths were invalid, the one with the least number of errors is selected and those errors are reported as the validation result.

Parameters:

toCheck - chain to check

proxySupport - proxy support

trustAnchors - trust anchors

crlStore - crl store

revocationParams - revocation params

observersHandler - observers handler

Returns:

validation result

Throws:

CertificateException - if some of the certificates in the chain can not be parsed

createPKIXParameters

protected ExtPKIXParameters2 createPKIXParameters(X509Certificate[] toCheck,
                                                  boolean proxySupport,
                                                  Set<TrustAnchor> trustAnchors,
                                                  CertStore crlStore,
                                                  RevocationParameters revocationParams,
                                                  ObserversHandler observersHandler)

getFirstProxy

protected int getFirstProxy(X509Certificate[] toCheck)

checkNonProxyChain

protected List<X509Certificate> checkNonProxyChain(X509Certificate[] baseChain,
                                                   ExtPKIXParameters2 params,
                                                   List<ValidationError> errors,
                                                   Set<String> unresolvedExtensions,
                                                   int posDelta,
                                                   X509Certificate[] cc)
                                            throws CertificateException

Performs checking of the chain which has no proxies (or at least should not have proxies), using FixedBCPKIXCertPathReviewer. In future, when BC implementation is fixed it should use PKIXCertPathReviewer instead.

Parameters:

baseChain - base chain

params - parameters

errors - errors

unresolvedExtensions - unresolved extensions

posDelta - position delta

cc - certificate chain

Returns:

validated chain or null

Throws:

CertificateException - certificate exception

checkProxyChainWithBC

protected void checkProxyChainWithBC(X509Certificate[] proxyChain,
                                     Set<TrustAnchor> trustAnchor,
                                     List<ValidationError> errors,
                                     Set<String> unresolvedExtensions)
                              throws CertificateException

Checks chain with proxies, starting with the EEC using X.509 path validation. EEC issuer is used as the only trust anchor. CRLs are ignored, proxy extension OIDs are marked as handled. The error resulting from the missing CA extension is ignored as well as validity time errors. The latter are checked manually later on.

Parameters:

proxyChain - proxy chain

trustAnchor - trust anchor

errors - errors

unresolvedExtensions - unresolved extensions

Throws:

CertificateException - certificate exception

checkProxyChainMain

protected void checkProxyChainMain(X509Certificate[] proxyChain,
                                   List<ValidationError> errors,
                                   Set<String> unresolvedExtensions,
                                   Date validDate)
                            throws CertificateException

Performs a validation loop of the proxy chain checking each pair in chain for the rules not otherwise verified by the base check. Additionally chain length restriction is verified.

Parameters:

proxyChain - proxy chain

errors - errors

unresolvedExtensions - unresolved extensions

validDate - valid date

Throws:

CertificateException - certificate exception

checkPairWithProxy

protected void checkPairWithProxy(X509Certificate issuerCert,
                                  X509Certificate proxyCert,
                                  List<ValidationError> errors,
                                  int position,
                                  X509Certificate[] proxyChain,
                                  Date validationTime)
                           throws CertPathValidatorException,
                                  CertificateParsingException

Checks if the certificate passed as the 2nd argument is a correct proxy certificate including checks w.r.t. chain rules with the certificate passed as the 1st argument being its issuing certificate. The checks are:

• proxyCert is a real proxy cert of any type
• issuer may not be a CA (3.1)
• issuer must have subject set (3.1)
• proxy must have issuer equal to issuerCert subject (3.1)
• If the Proxy Issuer certificate has the KeyUsage extension, the Digital Signature bit MUST be asserted. (3.1)
• no issuer alternative name extension (3.2)
• proxy subject must be the issuerCert subject with appended one CN component (3.4)
• no subject alternative name extension (3.5)
• no cA basic constraint (3.7)
• time constraints for the proxy are checked here (as we allow for a grace time to work around clock skews)
• proxy certificate type (RFC, draft RFC or legacy) must be the same for both certificates
• if the issuerCert is restricted then proxyCert must be restricted too.

The numbers in brackets refer to the RFC 3820 sections. The last two rules were added in the version 1.1.0 of the library.

Parameters:

issuerCert - certificate of the issuer

proxyCert - certificate to be checked

errors - out arg - list of errors found

position - position in original chain to be used in error reporting

proxyChain - proxy chain

validationTime - validation time

Throws:

CertPathValidatorException - certificate path validator exception

CertificateParsingException - certificate parsing exception

checkProxyTime

protected void checkProxyTime(X509Certificate proxyCert,
                              Date validationTime,
                              X509Certificate[] proxyChain,
                              List<ValidationError> errors,
                              int position)

checkLastCNNameRule

protected void checkLastCNNameRule(X500Principal srcP,
                                   X500Principal issuerP,
                                   List<ValidationError> errors,
                                   int position,
                                   X509Certificate[] proxyChain)
                            throws CertPathValidatorException

Throws:

CertPathValidatorException

convertErrors

protected List<ValidationError> convertErrors(List<?>[] bcErrorsA,
                                              boolean ignoreProxyErrors,
                                              int positionDelta,
                                              X509Certificate[] cc)

getUnresolvedExtensionons

protected Set<String> getUnresolvedExtensionons(List<?>[] bcErrorsA)