Пример #1
  /**
   * Returns certificate type of the given TBS certificate. <br>
   * The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#CA
   * CertificateType.CA} <B>only</B> if the certificate contains a BasicConstraints extension and it
   * is marked as CA.<br>
   * A certificate is a GSI-2 proxy when the subject DN of the certificate ends with
   * <I>"CN=proxy"</I> (certificate type {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_PROXY CertificateType.GSI_2_PROXY}) or
   * <I>"CN=limited proxy"</I> (certificate type {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_2_LIMITED_PROXY
   * CertificateType.GSI_2_LIMITED_PROXY}) component and the issuer DN of the certificate matches the
   * subject DN without the last proxy <I>CN</I> component.<br>
   * A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a <I>CN</I>
   * component, the issuer DN of the certificate matches the subject DN without the last <I>CN</I>
   * component and the certificate contains {@link org.globus.security.proxyExtension.ProxyCertInfo
   * ProxyCertInfo} critical extension. The certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_IMPERSONATION_PROXY
   * CertificateType.GSI_3_IMPERSONATION_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
   * org.globus.security.proxyExtension.ProxyPolicy#IMPERSONATION ProxyPolicy.IMPERSONATION} OID.
   * The certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_LIMITED_PROXY
   * CertificateType.GSI_3_LIMITED_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
   * org.globus.security.proxyExtension.ProxyPolicy#LIMITED ProxyPolicy.LIMITED} OID. The
   * certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_INDEPENDENT_PROXY
   * CertificateType.GSI_3_INDEPENDENT_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to {@link
   * org.globus.security.proxyExtension.ProxyPolicy#INDEPENDENT ProxyPolicy.INDEPENDENT} OID. The
   * certificate type is {@link
   * org.globus.gsi.GSIGSIConstants.CertificateType#GSI_3_RESTRICTED_PROXY
   * CertificateType.GSI_3_RESTRICTED_PROXY} if the policy language of the {@link
   * org.globus.security.proxyExtension.ProxyCertInfo ProxyCertInfo} extension is set to any other
   * OID than the above.<br>
   * The certificate type is {@link org.globus.gsi.GSIGSIConstants.CertificateType#EEC
   * CertificateType.EEC} if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.
   *
   * @param crt the TBS certificate to get the type of.
   * @return the certificate type. The certificate type is determined by rules described above.
   * @throws java.io.IOException if something goes wrong.
   * @throws java.security.cert.CertificateException for proxy certificates, if the issuer DN of the
   *     certificate does not match the subject DN of the certificate without the last <I>CN</I>
   *     component. Also, for GSI-3 proxies when the <code>ProxyCertInfo</code> extension is not
   *     marked as critical.
   */
  public static GSIConstants.CertificateType getCertificateType(TBSCertificateStructure crt)
      throws CertificateException, IOException {

    final X509Extensions certExtensions = crt.getExtensions();

    // A BasicConstraints extension flagged as CA decides the type on its own;
    // the subject DN is not consulted in that case.
    if (certExtensions != null) {
      final X509Extension basicConstraintsExt =
          certExtensions.getExtension(X509Extensions.BasicConstraints);
      if (basicConstraintsExt != null && getBasicConstraints(basicConstraintsExt).isCA()) {
        return GSIConstants.CertificateType.CA;
      }
    }

    // Only the first AVA of the last RDN is inspected; multi-valued RDNs are not handled.
    // NOTE(review): the returned entry is dereferenced without a null check -- confirm that
    // X509NameHelper.getLastNameEntry cannot return null (e.g. for an empty subject DN).
    final ASN1Set lastRdn = X509NameHelper.getLastNameEntry(crt.getSubject());
    final ASN1Sequence firstAva = (ASN1Sequence) lastRdn.getObjectAt(0);

    // Without a trailing CN the certificate is classified as an end-entity certificate.
    if (!X509Name.CN.equals(firstAva.getObjectAt(0))) {
      return GSIConstants.CertificateType.EEC;
    }

    // NOTE(review): this method never reads the issuer DN, and processCN is handed only the
    // extensions, the default type and the AVA, so the issuer/subject match described in the
    // Javadoc does not appear to be enforced here -- confirm where it is checked. The result
    // is a classification of the TBS fields only (no signature is involved); callers should
    // not treat a proxy type as evidence that the certificate was issued by its claimed
    // parent without separate path validation.
    return processCN(certExtensions, GSIConstants.CertificateType.EEC, firstAva);
  }