eu.emi.security.authn.x509.proxy

Class BaseProxyCertificateOptions

java.lang.Object

eu.emi.security.authn.x509.proxy.BaseProxyCertificateOptions

Direct Known Subclasses:

ProxyCertificateOptions, ProxyRequestOptions

public abstract class BaseProxyCertificateOptions
extends Object

Generic proxy creation parameters useful for all scenarios. All objects passed to this class are copied. All objects returned by methods of this class are also copies of the object state. Therefore it is only possible to modify state of this class using its methods. This class is not thread safe.

Author:

J. Hahkala, K. Benedyczak

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_KEY_USAGE Key usage value which is used when
static int	DEFAULT_LIFETIME
static int	UNLIMITED_PROXY_LENGTH

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	BaseProxyCertificateOptions(X509Certificate[] parentCertChain) Create a new proxy cert based on the parent cert chain.

Method Summary

Modifier and Type	Method and Description
void	addExtension(CertificateExtension extension) Add an extension to the proxy certificate to be generated.
AttributeCertificate[]	getAttributeCertificates()
List<CertificateExtension>	getExtensions()
int	getLifetime()
Date	getNotBefore()
X509Certificate[]	getParentCertChain() Returns the certificate parent chain of the proxy.
ProxyPolicy	getPolicy()
int	getProxyKeyUsageMask()
int	getProxyPathLimit() Gets the proxy path length limit of this certificate.
String	getProxyTracingIssuer()
String	getProxyTracingSubject()
String	getSAMLAssertion() Gets SAML assertions in a string format.
BigInteger	getSerialNumber() Gets the proxy serial number.
String[]	getSourceRestrictionExcludedAddresses() Gets an excluded from source restriction IP addressSpace from the data structure.
String[]	getSourceRestrictionPermittedAddresses() Gets the permitted source IP addressSpace of the Proxy.
String[]	getTargetRestrictionExcludedAddresses() Gets an excluded target IP addressSpace from the data structure.
String[]	getTargetRestrictionPermittedAddresses() Returns a permitted target IP address space of the Proxy.
ProxyType	getType()
boolean	isLimited() Checks if the proxy shall be limited.
void	setAttributeCertificates(AttributeCertificate[] ac) Sets Attribute certificates, which will be added as the VOMS extensions to the generated proxy.
void	setLifetime(int lifetime) Set the proxy lifetime in seconds.
void	setLifetime(long lifetime, TimeUnit unit) Set the proxy lifetime using desired unit.
void	setLimited(boolean limited) Defines whether the resulting proxy will be a limited proxy.
void	setPolicy(ProxyPolicy policy) Set the RFC proxy extension policy OID and octets of the policy.
void	setProxyKeyUsageMask(int proxyKeyUsageMask) Sets the mask of the KeyUsage for the resulting proxy certificate.
void	setProxyPathLimit(int pathLen) Sets the proxy path length limit of this certificate.
void	setProxyTracingIssuer(String url) Sets the issuer URL for the proxy tracing.
void	setProxyTracingSubject(String url) Sets the subject URL for the proxy tracing.
void	setSAMLAssertion(String saml) Sets SAML assertions in a string format.
void	setSerialNumber(BigInteger sn) Sets the proxy serial number.
void	setSourceRestrictionExcludedAddresses(byte[][] addresses) Sets an excluded from source restriction IP addressSpace to the data structure.
void	setSourceRestrictionExcludedAddresses(String[] addresses) Sets an excluded from source restriction IP addressSpace to the data structure.
void	setSourceRestrictionPermittedAddresses(byte[][] addresses) Sets a permitted source IP addressSpace to the Proxy.
void	setSourceRestrictionPermittedAddresses(String[] addresses) Sets a new permitted source IP addressSpace to the Proxy
void	setTargetRestrictionExcludedAddresses(byte[][] addresses) Sets an excluded target IP addressSpace to the data structure.
void	setTargetRestrictionExcludedAddresses(String[] addresses) Sets an excluded target IP addressSpace to the data structure.
void	setTargetRestrictionPermittedAddresses(byte[][] addresses) Sets a permitted target IP address space to the Proxy.
void	setTargetRestrictionPermittedAddresses(String[] addresses) Sets a new permitted target IP addressSpace to the Proxy.
void	setType(ProxyType type) Used to set the type of the proxy.
void	setValidityBounds(Date notBefore, Date notAfter) Sets the desired time bounds for the proxy.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_KEY_USAGE

public static final int DEFAULT_KEY_USAGE

Key usage value which is used when

See Also:

Constant Field Values

DEFAULT_LIFETIME

public static final int DEFAULT_LIFETIME

See Also:

Constant Field Values

UNLIMITED_PROXY_LENGTH

public static final int UNLIMITED_PROXY_LENGTH

See Also:

Constant Field Values

Constructor Detail

BaseProxyCertificateOptions

protected BaseProxyCertificateOptions(X509Certificate[] parentCertChain)

Create a new proxy cert based on the parent cert chain. The default type of the proy generation params will be set to the type of the parent chain if it is an consistent proxy chain. If it is mixed proxy chain, or EEC certificate chain then by default RFC proxy type is set.

Parameters:

parentCertChain - chain of the issuer

Method Detail

getParentCertChain

public X509Certificate[] getParentCertChain()

Returns the certificate parent chain of the proxy. If only user certificate was provided then it is returned in a one element array.

Returns:

the parent certificate chain

setValidityBounds

public void setValidityBounds(Date notBefore,
                              Date notAfter)

Sets the desired time bounds for the proxy. Note that both arguments are cut to the seconds precision (this is what goes into certificate).

Parameters:

notBefore - proxy won't be valid before this date

notAfter - proxy won't be valid after this date

Since:

1.1.0

setLifetime

public void setLifetime(int lifetime)

Set the proxy lifetime in seconds. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.

Parameters:

lifetime - in seconds

See Also:

setValidityBounds(Date, Date)

setLifetime

public void setLifetime(long lifetime,
                        TimeUnit unit)

Set the proxy lifetime using desired unit. The start of proxy validity is set to the current time. If not set, the default lifetime is 12h.

Parameters:

lifetime - in unit specified by the 2nd parameter

unit - the unit of the timeout specified by the first value

Throws:

IllegalArgumentException - if the requested lifetime is larger then Integer.MAX_VALUE seconds.

Since:

1.1.0

See Also:

setValidityBounds(Date, Date)

getLifetime

public int getLifetime()

Returns:

proxy lifetime in seconds

getNotBefore

public Date getNotBefore()

Returns:

start of proxy validity

getProxyKeyUsageMask

public int getProxyKeyUsageMask()

Returns:

bit mask of KeyUsage flags which was set for the options object or -1 if nothing was set.

setProxyKeyUsageMask

public void setProxyKeyUsageMask(int proxyKeyUsageMask)
                          throws IllegalArgumentException

Sets the mask of the KeyUsage for the resulting proxy certificate. Note that the this is a mask, i.e. the flags from this mask are ANDed with the effective KeyUsage of the parent chain.

If this method is not called at all (or called with a negative argument), then the default behavior is applied, and the proxy gets a copy of the effective KeyUsage of the parent chain. If no certificate in the parent chain has KeyUsage set, then the DEFAULT_KEY_USAGE is applied.

Parameters:

proxyKeyUsageMask - The mask to set. Use constants from the KeyUsage class. The mask must always have the KeyUsage.digitalSignature bit set.

Throws:

IllegalArgumentException - if the argument has no KeyUsage.digitalSignature bit set

setType

public void setType(ProxyType type)
             throws IllegalArgumentException

Used to set the type of the proxy. Useful only in case the parent certificate is user certificate, otherwise the generator will generate same type of proxy as the parent is. And trying to set different type here than in the parent will result in IllegalArgumentException. If the parent certificate is user certificate and this method is not used, RFC3820 type will be assumed.

Parameters:

type - to be set

Throws:

IllegalArgumentException

getType

public ProxyType getType()

Returns:

the current proxy type

setLimited

public void setLimited(boolean limited)

Defines whether the resulting proxy will be a limited proxy. Job submission with a limited proxy is not possible.

For legacy proxy this is the only way to control the proxy's application area. RFC and draft proxies allows for a more rich and extensible semantics using setPolicy(ProxyPolicy).

Since version 1.2.0, in case of RFC proxies, usage of this method with argument 'true' is equivalent to calling setPolicy(new ProxyPolicy(ProxyPolicy.LIMITED_PROXY_OID)) and with argument false to setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID)). Note that subsequent calls to setPolicy will overwrite the setLimited setting. Therefore the following code:

 param.setLimited(true);
 param.setPolicy(new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID));
 

configures the engine to create limited legacy proxies or unlimited rfc proxies. As this behavior is rather not intended it is strongly advised NOT to mix setLimited and setPolicy calls in any case.

Parameters:

limited - true if proxy shall be limited

isLimited

public boolean isLimited()

Checks if the proxy shall be limited.

Returns:

true if limited proxy shall be created

setSerialNumber

public void setSerialNumber(BigInteger sn)

Sets the proxy serial number. Only applicable for rfc proxies.

Parameters:

sn - serial number to be set

getSerialNumber

public BigInteger getSerialNumber()

Gets the proxy serial number.

Returns:

the serial number previously set

setProxyPathLimit

public void setProxyPathLimit(int pathLen)

Sets the proxy path length limit of this certificate. Only works on rfc3820 and RFC draft proxies. Note: this method previously was documented as accepting negative values to mark unlimited proxy length. The implementation was buggy (see #81). The old approach with negative value works now, but usage of the constant is preferred in a new code.

Parameters:

pathLen - path limit, use UNLIMITED_PROXY_LENGTH if proxy shall be unlimited.

getProxyPathLimit

public int getProxyPathLimit()

Gets the proxy path length limit of this certificate.

Returns:

limit or UNLIMITED_PROXY_LENGTH if proxy shall be unlimited

addExtension

public void addExtension(CertificateExtension extension)

Add an extension to the proxy certificate to be generated.

Parameters:

extension - the extension to be set

getExtensions

public List<CertificateExtension> getExtensions()

Returns:

Returns a list of extensions including only those which were set via addExtension(CertificateExtension)

setPolicy

public void setPolicy(ProxyPolicy policy)

Set the RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy can be null in case the OID in it self defines the behavior, like with "inherit all" policy or "independent" policy.

Note: this setting is ignored for legacy proxies.

Parameters:

policy - to be set

getPolicy

public ProxyPolicy getPolicy()

Returns:

Get the RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy can be null in case the OID in it self defines the behavior, like with "inherit all" policy or "independent" policy.

setTargetRestrictionPermittedAddresses

public void setTargetRestrictionPermittedAddresses(String[] addresses)
                                            throws IllegalArgumentException

Sets a new permitted target IP addressSpace to the Proxy.

Parameters:

addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals to a network 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.

Throws:

IllegalArgumentException - if the argument does not contain addresses in the specified format

setTargetRestrictionPermittedAddresses

public void setTargetRestrictionPermittedAddresses(byte[][] addresses)
                                            throws IllegalArgumentException

Sets a permitted target IP address space to the Proxy.

Parameters:

addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.

Throws:

IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

getTargetRestrictionPermittedAddresses

public String[] getTargetRestrictionPermittedAddresses()

Returns a permitted target IP address space of the Proxy.

Returns:

The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setSourceRestrictionPermittedAddresses

public void setSourceRestrictionPermittedAddresses(String[] addresses)
                                            throws IllegalArgumentException

Sets a new permitted source IP addressSpace to the Proxy

Parameters:

addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.

Throws:

IllegalArgumentException - if the argument does not contain addresses in the specified format

setSourceRestrictionPermittedAddresses

public void setSourceRestrictionPermittedAddresses(byte[][] addresses)
                                            throws IllegalArgumentException

Sets a permitted source IP addressSpace to the Proxy.

Parameters:

addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.

Throws:

IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

getSourceRestrictionPermittedAddresses

public String[] getSourceRestrictionPermittedAddresses()

Gets the permitted source IP addressSpace of the Proxy.

Returns:

The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setTargetRestrictionExcludedAddresses

public void setTargetRestrictionExcludedAddresses(String[] addresses)
                                           throws IllegalArgumentException

Sets an excluded target IP addressSpace to the data structure.

Parameters:

addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.

Throws:

IllegalArgumentException - if the argument does not contain addresses in the specified format

setTargetRestrictionExcludedAddresses

public void setTargetRestrictionExcludedAddresses(byte[][] addresses)
                                           throws IllegalArgumentException

Sets an excluded target IP addressSpace to the data structure.

Parameters:

addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.

Throws:

IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

getTargetRestrictionExcludedAddresses

public String[] getTargetRestrictionExcludedAddresses()

Gets an excluded target IP addressSpace from the data structure.

Returns:

The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setSourceRestrictionExcludedAddresses

public void setSourceRestrictionExcludedAddresses(String[] addresses)
                                           throws IllegalArgumentException

Sets an excluded from source restriction IP addressSpace to the data structure.

Parameters:

addresses - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. It equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
See RFC 4632. The restriction is of the format used for NameConstraints, meaning GeneralName with 8 octets for ipv4 and 32 octets for ipv6 addresses.

Throws:

IllegalArgumentException - if the argument does not contain addresses in the specified format

setSourceRestrictionExcludedAddresses

public void setSourceRestrictionExcludedAddresses(byte[][] addresses)
                                           throws IllegalArgumentException

Sets an excluded from source restriction IP addressSpace to the data structure.

Parameters:

addresses - The array of 8 element arrays of bytes representation of address spaces defined in this structure. Each inner 8-elements array must contains IP address and netmask bytes, e.g. {137,138,0,0,255,255,0,0}.

Throws:

IllegalArgumentException - when inner arrays are not of length 8 or if does not represent a valid address and netmask combination.

getSourceRestrictionExcludedAddresses

public String[] getSourceRestrictionExcludedAddresses()

Gets an excluded from source restriction IP addressSpace from the data structure.

Returns:

The array of addresses in the CIDR format (address/netmaskBits) or null if not set

setProxyTracingIssuer

public void setProxyTracingIssuer(String url)

Sets the issuer URL for the proxy tracing.

Parameters:

url - the issuer URL

getProxyTracingIssuer

public String getProxyTracingIssuer()

Returns:

Gets the issuer URL for the proxy tracing.

setProxyTracingSubject

public void setProxyTracingSubject(String url)

Sets the subject URL for the proxy tracing.

Parameters:

url - the subject URL

getProxyTracingSubject

public String getProxyTracingSubject()

Returns:

Gets the subject URL for the proxy tracing.

getSAMLAssertion

public String getSAMLAssertion()

Gets SAML assertions in a string format.

Returns:

SAML assertions

setSAMLAssertion

public void setSAMLAssertion(String saml)

Sets SAML assertions in a string format.

Parameters:

saml - assertions to be used

setAttributeCertificates

public void setAttributeCertificates(AttributeCertificate[] ac)
                              throws IOException

Sets Attribute certificates, which will be added as the VOMS extensions to the generated proxy.

Parameters:

ac - to be set

Throws:

IOException - IO exception

getAttributeCertificates

public AttributeCertificate[] getAttributeCertificates()
                                                throws IOException

Returns:

Attribute certificates or null if was not set

Throws:

IOException - IO exception