public interface TargetChecker

TargetInformation or ProxyInfo extension.
The X.509 Attribute Certificate profile of RFC 5755 specifies the TargetInformation extension, which is used to target an attribute certificate so that it is accepted only by the specified servers/services. If no TargetInformation extension is present in an attribute certificate, the certificate may be accepted by any service/server.
The ProxyInfo extension is used for proxying an attribute certificate from one server to another. Chains of proxies (involving a number of servers) are possible.
Both extensions need a TargetChecker to validate whether a server/service that has received an attribute certificate may accept it, i.e. whether it matches the "targeting condition". When validating the targeting condition the current server (or, in the case of ProxyInfo, also the sender/proxy) object is checked against any Target element contained in the TargetInformation or ProxyInfo extension of the attribute certificate. Each Target element may be either a TargetName, a TargetGroup or a TargetCert:

```asn1
Target ::= CHOICE {
  targetName  [0] GeneralName,
  targetGroup [1] GeneralName,
  targetCert  [2] TargetCert
}
```

However, RFC 5755 recommends that the TargetCert choice MUST NOT be used.

By default the TargetChecker performs the following checks (in this order):

- If the server is given as a Target object and is equal to the AC Target element, the check returns true.
- If the AC Target is a TargetName or TargetGroup and the server is given as a GeneralName, the check returns true if the GeneralName of the AC Target is equal to the server GeneralName.
- If the AC Target is a TargetGroup with a dNSName, the server may be given as a TargetGroup or a GeneralName. In this case the server GeneralName is checked for being of type dNSName, uniformResourceIdentifier or rfc822Name. If the server GeneralName is of any of these three types, the check returns true if the server name is in the domain specified by the dNSName of the AC TargetGroup (i.e. it is checked whether the server name ends with the dNSName specified by the AC TargetGroup). If, for instance, the AC TargetGroup specifies a dNSName like "iaik.at" and the server name is "http://jce.iaik.at", the server is accepted as being a member of the AC TargetGroup.

An application may plug in its own TargetChecker implementation for enforcing a more sophisticated target checking policy which may be tailored to application specific requirements that cannot be considered by a general default implementation.

Modifier and Type | Method and Description |
---|---|
boolean | isTargetFor(Target target, java.lang.Object server) Checks if the given server/service is a valid target/proxy for the attribute certificate that contains a TargetInformation or ProxyInfo extension with the given Target. |
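The three default checks listed above, modelled as an added example; this is not IAIK code, and `GeneralName`, `Target` and `TargetException` here are minimal stand-ins for the library classes (the targetCert choice is left out because RFC 5755 says it MUST NOT be used). The sample names are constructed and mirror the "iaik.at" example from the description.

```python
"""Model of the default TargetChecker checks (added example, not IAIK code).

GeneralName and Target are minimal stand-ins for the library classes; only
the three default checks from the interface description are modelled.
"""
from dataclasses import dataclass
from typing import Optional, Union
from urllib.parse import urlparse

# GeneralName type tags that the dNSName TargetGroup check understands
DNS_NAME = "dNSName"
URI = "uniformResourceIdentifier"
RFC822_NAME = "rfc822Name"


class TargetException(Exception):
    """Raised when group membership cannot be decided in a general way."""


@dataclass(frozen=True)
class GeneralName:
    name_type: str   # e.g. "dNSName", "uniformResourceIdentifier", "rfc822Name"
    value: str


@dataclass(frozen=True)
class Target:
    choice: str      # "targetName" or "targetGroup"
    name: GeneralName


def host_of(gn: GeneralName) -> Optional[str]:
    """Reduce a dNSName, URI or rfc822Name to a lower-cased DNS host; None otherwise."""
    if gn.name_type == DNS_NAME:
        host = gn.value
    elif gn.name_type == URI:
        host = urlparse(gn.value).hostname        # "http://jce.iaik.at" -> "jce.iaik.at"
    elif gn.name_type == RFC822_NAME:
        _, at, host = gn.value.rpartition("@")    # keep only the domain part
        if not at:
            return None
    else:
        return None
    return host.lower().rstrip(".") if host else None


def in_domain(host: str, domain: str) -> bool:
    """Domain membership on label boundaries: host == domain or host ends with '.' + domain.

    Stricter than a plain string suffix test, so "notiaik.at" is not a member of "iaik.at".
    """
    return host == domain or host.endswith("." + domain)


def is_target_for(target: Target, server: Union[Target, GeneralName]) -> bool:
    """The three default checks, in the order the interface description lists them."""
    # 1. Server given as a Target object that equals the AC Target element.
    if isinstance(server, Target):
        if server == target:
            return True
        # For a TargetGroup the server may itself be given as a TargetGroup;
        # its GeneralName is then matched like a plain server GeneralName below.
        if server.choice == "targetGroup" and target.choice == "targetGroup":
            server = server.name
        else:
            return False

    # 2. AC Target is a TargetName or TargetGroup, server is a GeneralName: exact match.
    if server == target.name:
        return True

    # 3. AC TargetGroup with a dNSName: server dNSName/URI/rfc822Name must lie in that domain.
    if target.choice == "targetGroup":
        if target.name.name_type == DNS_NAME:
            host = host_of(server)
            domain = target.name.value.lower().rstrip(".")
            return host is not None and in_domain(host, domain)
        # Any other kind of group (e.g. "PRINTERS") cannot be decided generically.
        raise TargetException(
            f"membership of {server.value!r} in TargetGroup {target.name.value!r} "
            "must be decided by an application specific TargetChecker")
    return False


if __name__ == "__main__":
    # Constructed sample data mirroring the "iaik.at" example in the description.
    group = Target("targetGroup", GeneralName(DNS_NAME, "iaik.at"))
    print(is_target_for(group, GeneralName(URI, "http://jce.iaik.at")))   # True
    print(is_target_for(group, GeneralName(DNS_NAME, "notiaik.at")))      # False
```

The description above states the domain test as "the server name ends with the dNSName"; the example deliberately matches on label boundaries (equal, or preceded by a dot) after reducing URIs and e-mail addresses to their host part, so a host that merely shares a string suffix with the group's dNSName is not treated as a member. A TargetGroup whose GeneralName is not a dNSName raises `TargetException`, which models the case the method's throws clause describes: membership in groups like "PRINTERS" is an application specific decision.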
```java
boolean isTargetFor(Target target, java.lang.Object server) throws TargetException
```

Checks if the given server/service is a valid target/proxy for the attribute certificate that contains a TargetInformation or ProxyInfo extension with the given Target.
By default the checks listed in the interface description above are performed (in that order).

Parameters:
target
- the Target specifying a valid recipient by TargetName, TargetGroup or TargetCert
server - the server/service to be checked for being a target of the AC

Returns:
true if the given server/service is a target for the attribute certificate containing a Target extension with this Target; false if the given server/service is no target

Throws:
TargetException - if a Target implementation is not able to determine whether a given server/service is a target for the attribute certificate that contains the particular Target extension. For instance, checking whether a server/service belongs to some specific TargetGroup cannot be done in a general way, because membership of a target in a TargetGroup can only be handled in an application specific manner (see RFC 5755: a TargetGroup may specify "PRINTERS", and the AC verifier knows whether or not it is a printer or print server). In such cases the isTargetFor check must be done in a different, application specific way.