eu.emi.security.authn.x509.helpers.proxy

Class ProxyAddressRestrictionData

java.lang.Object

org.bouncycastle.asn1.ASN1Object

eu.emi.security.authn.x509.helpers.proxy.ProxyAddressRestrictionData

All Implemented Interfaces:

org.bouncycastle.asn1.ASN1Encodable, org.bouncycastle.util.Encodable

public class ProxyAddressRestrictionData
extends org.bouncycastle.asn1.ASN1Object

An utility class for defining the allowed address space, used both to define the source and target restrictions. The format is:

 iGTFProxyRestrictFrom ::= NameConstraints
 iGTFProxyRestrictTarget ::= NameConstraints
  
 NameConstraints::= SEQUENCE {
            permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
            excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 
 GeneralSubtree ::= SEQUENCE {
            base                    GeneralName,
            minimum         [0]     BaseDistance DEFAULT 0,
            maximum         [1]     BaseDistance OPTIONAL }
 
 BaseDistance ::= INTEGER (0..MAX)
 
 GeneralName ::= CHOICE {
         otherName                       [0]     OtherName,
         rfc822Name                      [1]     IA5String,
         dNSName                         [2]     IA5String,
         x400Address                     [3]     ORAddress,
         directoryName                   [4]     Name,
         ediPartyName                    [5]     EDIPartyName,
         uniformResourceIdentifier       [6]     IA5String,
         iPAddress                       [7]     OCTET STRING,
         registeredID                    [8]     OBJECT IDENTIFIER }
 
 OtherName ::= SEQUENCE {
         type-id    OBJECT IDENTIFIER,
         value      [0] EXPLICIT ANY DEFINED BY type-id }
 
 EDIPartyName ::= SEQUENCE {
         nameAssigner            [0]     DirectoryString OPTIONAL,
         partyName               [1]     DirectoryString }
 

And in this class only the IPAddress as a IP address - netmask combination is supported.

Field Summary

Fields

Modifier and Type	Field and Description
private java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree>	excludedGeneralSubtrees
private java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree>	permittedGeneralSubtrees
static java.lang.String	SOURCE_RESTRICTION_OID
static java.lang.String	TARGET_RESTRICTION_OID

Constructor Summary

Constructors

Constructor and Description
ProxyAddressRestrictionData() Constructor to generate an empty ProxyRestrictionData object for creating new restrictions.
ProxyAddressRestrictionData(byte[] bytes) Parses the restriction data from byte array.

Method Summary

Modifier and Type	Method and Description
void	addExcludedIPAddressWithNetmask(java.lang.String address) Adds a new excluded IP addressSpace to the data structure.
void	addPermittedIPAddressWithNetmask(java.lang.String address) Adds a new permitted IP addressSpace to the data structure.
private static void	addTaggedSequenceOfSubtrees(int tagNo, java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> subtrees, org.bouncycastle.asn1.ASN1EncodableVector asn1Vector) Adds, with the given tag, a DER sequence object that contains the GeneralSubtree objects into the ASN1Vector.
static java.lang.String	convert2sr(byte[] src)
static java.lang.String[]	convert2strings(byte[][] src)
private static void	copyCondSequenceToVector(org.bouncycastle.asn1.DERSequence subSeq, java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> vector) This method copies the contents of a generalSubtrees sequence into the given vector.
java.lang.String[]	getExcludedAddresses()
static ProxyAddressRestrictionData	getInstance(java.security.cert.X509Certificate certificate, boolean source) Creates an instance of the extension of the given type from a certificate.
byte[][][]	getIPSpaces() Returns a Vector of Vectors of IP address spaces as defined in rfc 4632.
java.lang.String[]	getPermittedAddresses()
private static byte[][]	subtreesIntoArray(java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> subtrees) Generates a string array of IP address spaces from a list of GeneralSubtrees.
org.bouncycastle.asn1.ASN1Primitive	toASN1Primitive() Returns the NameConstraints structure of the restrictions.

Methods inherited from class org.bouncycastle.asn1.ASN1Object

equals, getEncoded, getEncoded, hasEncodedTagValue, hashCode, toASN1Object

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Field Detail

SOURCE_RESTRICTION_OID

public static final java.lang.String SOURCE_RESTRICTION_OID

See Also:

Constant Field Values

TARGET_RESTRICTION_OID

public static final java.lang.String TARGET_RESTRICTION_OID

See Also:

Constant Field Values

permittedGeneralSubtrees

private java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> permittedGeneralSubtrees

excludedGeneralSubtrees

private java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> excludedGeneralSubtrees

Constructor Detail

ProxyAddressRestrictionData

public ProxyAddressRestrictionData(byte[] bytes)
                            throws java.io.IOException

Parses the restriction data from byte array.

Parameters:

bytes - The byte array to parse.

Throws:

java.io.IOException - In case there is a problem parsing the structure.

ProxyAddressRestrictionData

public ProxyAddressRestrictionData()

Constructor to generate an empty ProxyRestrictionData object for creating new restrictions. Notice that putting an empty proxy restriction into a certificate means that there are no permitted IP spaces, meaning the proxy should be rejected everywhere.

Method Detail

getInstance

public static ProxyAddressRestrictionData getInstance(java.security.cert.X509Certificate certificate,
                                                      boolean source)
                                               throws java.io.IOException

Creates an instance of the extension of the given type from a certificate.

Parameters:

certificate - certificate

source - whether to create object representing the source restriction (if true) or target (if value is false).

Returns:

null if the certificate does not have the required extension, initialized object otherwise.

Throws:

java.io.IOException - IO exception

copyCondSequenceToVector

private static void copyCondSequenceToVector(org.bouncycastle.asn1.DERSequence subSeq,
                                             java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> vector)

This method copies the contents of a generalSubtrees sequence into the given vector. Static to protect the internal data structures from access.

Parameters:

subSeq - the subsequence to copy.

vector - The target to copy the parsed GeneralSubtree objects.

addPermittedIPAddressWithNetmask

public void addPermittedIPAddressWithNetmask(java.lang.String address)

Adds a new permitted IP addressSpace to the data structure.

Parameters:

address - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. Which equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
It is also possible to provide IPv6 addresses. See RFC4632.

addExcludedIPAddressWithNetmask

public void addExcludedIPAddressWithNetmask(java.lang.String address)

Adds a new excluded IP addressSpace to the data structure.

Parameters:

address - The address space to add to the allowed ip address space. Example of the format: 192.168.0.0/16. Which equals a 192.168.0.0 with a net mask 255.255.0.0. A single IP address can be defined as xxx.xxx.xxx.xxx/32.
It is also possible to provide IPv6 addresses. See RFC4632.

toASN1Primitive

public org.bouncycastle.asn1.ASN1Primitive toASN1Primitive()

Returns the NameConstraints structure of the restrictions.

Specified by:

toASN1Primitive in interface org.bouncycastle.asn1.ASN1Encodable

Specified by:

toASN1Primitive in class org.bouncycastle.asn1.ASN1Object

Returns:

The DERSequence containing the NameConstraints structure.

addTaggedSequenceOfSubtrees

private static void addTaggedSequenceOfSubtrees(int tagNo,
                                                java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> subtrees,
                                                org.bouncycastle.asn1.ASN1EncodableVector asn1Vector)

Adds, with the given tag, a DER sequence object that contains the GeneralSubtree objects into the ASN1Vector.

Parameters:

tagNo - The tag to tag the object.

subtrees - The Vector of GeneralSubtree objects. Null will throw NullPointerException. An empty Vector will not be added.

asn1Vector - The vector to add the subtrees sequence with the given tag.

getIPSpaces

public byte[][][] getIPSpaces()

Returns a Vector of Vectors of IP address spaces as defined in rfc 4632.

Returns:

The array of arrays of string representation of address spaces defined in this structure. The first element in the array lists the permitted IP address spaces and the second the excluded IP spaces. In format ipaddress/netmask bytes. Example {137,138,0,0,255,255,0,0}. Array always contains two items, but they can be of length 0.

See Also:

addExcludedIPAddressWithNetmask(String)

getPermittedAddresses

public java.lang.String[] getPermittedAddresses()

getExcludedAddresses

public java.lang.String[] getExcludedAddresses()

subtreesIntoArray

private static byte[][] subtreesIntoArray(java.util.List<org.bouncycastle.asn1.x509.GeneralSubtree> subtrees)

Generates a string array of IP address spaces from a list of GeneralSubtrees.

Parameters:

subtrees - The list of GeneralSubtrees to parse. Null as input will return null.

Returns:

the array of IP address spaces.

convert2sr

public static java.lang.String convert2sr(byte[] src)

convert2strings

public static java.lang.String[] convert2strings(byte[][] src)