/**
 * Determines the GSI certificate type of the given TBS certificate.
 *
 * <p>The checks run in this order:
 * <ol>
 *   <li>The type is {@link GSIConstants.CertificateType#CA CertificateType.CA} <b>only</b> if
 *       the certificate contains a BasicConstraints extension and that extension is marked as
 *       CA.</li>
 *   <li>Otherwise, if the first attribute of the last subject RDN is a <i>CN</i>, the decision
 *       is delegated to {@code processCN}, which is given the extensions and that attribute.</li>
 *   <li>Otherwise the type is {@link GSIConstants.CertificateType#EEC CertificateType.EEC}.</li>
 * </ol>
 *
 * <p>Proxy rules as documented for this method (the classification itself lives in
 * {@code processCN}, outside this block):
 * <ul>
 *   <li>GSI-2 proxy: the subject DN ends with <i>"CN=proxy"</i>
 *       ({@link GSIConstants.CertificateType#GSI_2_PROXY CertificateType.GSI_2_PROXY}) or
 *       <i>"CN=limited proxy"</i>
 *       ({@link GSIConstants.CertificateType#GSI_2_LIMITED_PROXY
 *       CertificateType.GSI_2_LIMITED_PROXY}), and the issuer DN matches the subject DN without
 *       the last proxy <i>CN</i> component.</li>
 *   <li>GSI-3 proxy: the subject DN ends with a <i>CN</i> component, the issuer DN matches the
 *       subject DN without that component, and the certificate contains a critical
 *       {@link org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension. The
 *       policy language OID of that extension selects the type:
 *       {@link org.globus.security.proxyExtension.ProxyPolicy#IMPERSONATION
 *       ProxyPolicy.IMPERSONATION} gives
 *       {@link GSIConstants.CertificateType#GSI_3_IMPERSONATION_PROXY
 *       CertificateType.GSI_3_IMPERSONATION_PROXY};
 *       {@link org.globus.security.proxyExtension.ProxyPolicy#LIMITED ProxyPolicy.LIMITED} gives
 *       {@link GSIConstants.CertificateType#GSI_3_LIMITED_PROXY
 *       CertificateType.GSI_3_LIMITED_PROXY};
 *       {@link org.globus.security.proxyExtension.ProxyPolicy#INDEPENDENT
 *       ProxyPolicy.INDEPENDENT} gives
 *       {@link GSIConstants.CertificateType#GSI_3_INDEPENDENT_PROXY
 *       CertificateType.GSI_3_INDEPENDENT_PROXY}; any other OID than the above gives
 *       {@link GSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY
 *       CertificateType.GSI_3_RESTRICTED_PROXY}.</li>
 * </ul>
 *
 * <p>NOTE(review): this method never reads the issuer DN and hands {@code processCN} only the
 * extensions, the default type and the last attribute. As shown here, the issuer/subject match
 * described above cannot be enforced by this call. Confirm where that check is performed before
 * treating the returned type as proof of a well-formed proxy chain.
 *
 * @param crt the TBS certificate to get the type of.
 * @return the certificate type, determined by the rules described above.
 * @throws java.io.IOException if something goes wrong.
 * @throws java.security.cert.CertificateException documented for proxy certificates whose issuer
 *     DN does not match the subject DN without the last <i>CN</i> component, and for GSI-3
 *     proxies whose {@code ProxyCertInfo} extension is not marked as critical (see the review
 *     note above regarding the issuer check).
 */
public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
        throws CertificateException, IOException {
    final X509Extensions certExtensions = crt.getExtensions();

    // A certificate is a CA only when BasicConstraints is present and asserts cA=true.
    final X509Extension basicConstraintsExt = (certExtensions == null)
            ? null
            : certExtensions.getExtension(X509Extensions.BasicConstraints);
    if (basicConstraintsExt != null && getBasicConstraints(basicConstraintsExt).isCA()) {
        return GSIConstants.CertificateType.CA;
    }

    // Only the first attribute of the last RDN is examined: multi-valued RDNs (multiple AVAs)
    // are not handled, so a CN that is not the first attribute is not recognised here.
    // NOTE(review): the last RDN is dereferenced without a null/empty check. If the helper can
    // return null for an empty subject, that surfaces as an unchecked exception rather than
    // CertificateException. Confirm against X509NameHelper.
    final ASN1Set lastRdn = X509NameHelper.getLastNameEntry(crt.getSubject());
    final ASN1Sequence firstAva = (ASN1Sequence) lastRdn.getObjectAt(0);

    if (!X509Name.CN.equals(firstAva.getObjectAt(0))) {
        // Not a CA and the subject does not end in a CN: plain end-entity certificate.
        return GSIConstants.CertificateType.EEC;
    }

    // Subject ends in a CN: let processCN decide between the proxy types and EEC.
    return processCN(certExtensions, GSIConstants.CertificateType.EEC, firstAva);
}