eu.emi.security.authn.x509.proxy

Class ProxyChainInfo

java.lang.Object

eu.emi.security.authn.x509.proxy.ProxyChainInfo

public class ProxyChainInfo
extends Object

A class to get an information from a proxy certificate chain.

Author:

J. Hahkala, K. Benedyczak

Constructor Summary

Constructors

Constructor and Description
ProxyChainInfo(X509Certificate[] chain) Generates new instance of this class using the certificate chain as the source of the data.

Method Summary

Modifier and Type	Method and Description
static byte[][]	concatArrays(byte[][] first, byte[][] second) Concatenates two arrays of arrays bytes.
AttributeCertificate[][]	getAttributeCertificateExtensions() Returns the Attribute Certificate extensions from the certificate chain.
int	getFirstProxyPosition()
ProxyPolicy[]	getPolicy() Gets the array of RFC proxy extension policy OID and octets of the policy.
byte[][][]	getProxySourceRestrictions() Gets the proxy source restriction data from the chain.
byte[][][]	getProxyTargetRestrictions() Gets the proxy target restriction data from the chain.
String[]	getProxyTracingIssuers() Returns an array of URLs of the proxy tracing issuers in the chain.
String[]	getProxyTracingSubjects() Returns an array of URLs of the proxy tracing subjects in the chain.
ProxyChainType	getProxyType() The type of the proxy chain chain is returned.
int	getRemainingPathLimit() Returns the remaining path length of this chain.
String[]	getSAMLExtensions() Returns the SAML extensions from the certificate chain.
BigInteger[]	getSerialNumbers()
boolean	isHostAllowedAsSource(byte[] ipAddress) Checks if the given IP address is allowed as this proxy chain source.
boolean	isHostAllowedAsTarget(byte[] ipAddress) Checks if the given IP address is allowed as this proxy chain target.
boolean	isLimited() Used to check whether the proxy chain is limited or not.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ProxyChainInfo

public ProxyChainInfo(X509Certificate[] chain)
               throws CertificateException

Generates new instance of this class using the certificate chain as the source of the data.

Parameters:

chain - chain with at least one proxy certificate

Throws:

CertificateException - if there is no proxy certificate in the chain or if the chain is inconsistent, i.e. after proxy there is a non-proxy certificate.

Method Detail

getSerialNumbers

public BigInteger[] getSerialNumbers()

Returns:

array with serial numbers of the certificates in the chain

getProxyType

public ProxyChainType getProxyType()
                            throws CertificateException

The type of the proxy chain chain is returned. If chain contains different types then MIXED type is returned.

Returns:

the type of the chain

Throws:

CertificateException - certificate exception

getFirstProxyPosition

public int getFirstProxyPosition()

Returns:

the index of the first proxy in the chain (issued by the EEC).

isLimited

public boolean isLimited()
                  throws CertificateException,
                         IOException

Used to check whether the proxy chain is limited or not. The method returns 'true' if and only if there is at least one limited proxy in the chain.

Returns:

true if the chain is limited, i.e. owner of the certificate may not submit jobs

Throws:

CertificateException - certificate exception

IOException - IO exception

getPolicy

public ProxyPolicy[] getPolicy()
                        throws IOException

Gets the array of RFC proxy extension policy OID and octets of the policy. See RFC3820. Policy octets can be null in case the OID in itself defines the behavior, like with "inherit all" policy or "independent" policy. The array contains entries from all certificates in chain.

Returns:

array with policy information

Throws:

IOException - Thrown in case the parsing of the information failed.

getProxyTracingIssuers

public String[] getProxyTracingIssuers()
                                throws IOException

Returns an array of URLs of the proxy tracing issuers in the chain. Non-traced proxies will have null in the array.

Returns:

The proxy tracing issuer URLs in String format, or null in the array if an extension was not found or it was empty.

Throws:

IOException - Thrown in case the parsing of the information failed.

getProxyTracingSubjects

public String[] getProxyTracingSubjects()
                                 throws IOException

Returns an array of URLs of the proxy tracing subjects in the chain. Non-traced proxies will have null in the array.

Returns:

The proxy tracing subject URLs in String format, or null in the array if an extension was not found or it was empty.

Throws:

IOException - Thrown in case the parsing of the information failed.

getSAMLExtensions

public String[] getSAMLExtensions()
                           throws IOException

Returns the SAML extensions from the certificate chain.

Returns:

The SAML assertions in String format. A null in the array means that no SAML extensions were found at the given position.

Throws:

IOException - Thrown in case the parsing of the information failed.

getAttributeCertificateExtensions

public AttributeCertificate[][] getAttributeCertificateExtensions()
                                                           throws IOException

Returns the Attribute Certificate extensions from the certificate chain.

Returns:

The Attribute Certificates array. The first index corresponds to the first certificate in the chain. A null in the array means that no AC extension was found at the given position.

Throws:

IOException - Thrown in case the parsing of the information failed.

getRemainingPathLimit

public int getRemainingPathLimit()
                          throws IOException

Returns the remaining path length of this chain. Will search for both the RFC 3820 and the draft proxy path limit extensions. Legacy proxies are treated as unlimited.

Notice: negative value means that the chain is invalid as it has passed the limit of delegations. Integer.MAX_INT is returned if there is no path length limit set on the chain.

Returns:

remaining proxy path limit

Throws:

IOException - Thrown in case the parsing of the information failed.

getProxySourceRestrictions

public byte[][][] getProxySourceRestrictions()
                                      throws IOException

Gets the proxy source restriction data from the chain. The allowed namespaces in different certificates in the chain will be intersected and the excluded namespaces will be summed. The returned array has as the first item the array of allowed namespaces and as the second item the array of excluded namespaces. If extensions exist, but in the end no allowed or excluded namespaces are left, the array is empty.

Returns:

array with proxy source restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.

Throws:

IOException - Thrown in case the parsing of the information failed.

getProxyTargetRestrictions

public byte[][][] getProxyTargetRestrictions()
                                      throws IOException

Gets the proxy target restriction data from the chain. The allowed namespaces in different certificates in the chain will be intersected and the union of the excluded namespaces will be computed. The returned array has as the first item the array of allowed namespaces and as the second item the array of excluded namespaces. If extensions exist, but in the end no allowed or excluded namespaces are left, the array is empty.

Returns:

array with proxy target restrictions. Null is returned when there is no restriction defined for any of the proxies in the chain.

Throws:

IOException - Thrown in case the parsing of the information failed.

isHostAllowedAsSource

public boolean isHostAllowedAsSource(byte[] ipAddress)
                              throws IOException

Checks if the given IP address is allowed as this proxy chain source.

Parameters:

ipAddress - host IPv4 address in 4 elements array

Returns:

true if and only if the ipAddress is OK w.r.t. this proxy chain's source restrictions.

Throws:

IOException - Thrown in case the parsing of the information failed.

isHostAllowedAsTarget

public boolean isHostAllowedAsTarget(byte[] ipAddress)
                              throws IOException

Checks if the given IP address is allowed as this proxy chain target.

Parameters:

ipAddress - host IPv4 address in 4 elements array

Returns:

true if and only if the ipAddress is OK w.r.t. this proxy chain's source restrictions.

Throws:

IOException - Thrown in case the parsing of the information failed.

concatArrays

public static byte[][] concatArrays(byte[][] first,
                                    byte[][] second)

Concatenates two arrays of arrays bytes.

Parameters:

first - The array of arrays to begin with.

second - The array of arrays to end with.

Returns:

the array of arrays that contains the arrays from both argument arrays.