Class FrameworkUtil.DNChainMatching
- Enclosing class:
- FrameworkUtil
The format of DNs are given in RFC 2253. We represent a signature chain for an X.509 certificate as a semicolon separated list of DNs. This is what we refer to as the DN chain. Each DN is made up of relative distinguished names (RDN) which in turn are made up of key value pairs. For example:
cn=ben+ou=research,o=ACME,c=us;ou=Super CA,c=CAis made up of two DNs: "
cn=ben+ou=research,o=ACME,c=us
" and "
ou=Super CA,c=CA
". The first DN is made of of three RDNs: "
cn=ben+ou=research
" and "o=ACME
" and " c=us
". The first RDN has two name value pairs: " cn=ben
" and "
ou=research
".
A chain pattern makes use of wildcards ('*' or '-') to match against DNs, and wildcards ('*') to match againts DN prefixes, and value. If a DN in a match pattern chain is made up of a wildcard ("*"), that wildcard will match zero or one DNs in the chain. If a DN in a match pattern chain is made up of a wildcard ("-"), that wildcard will match zero or more DNs in the chain. If the first RDN of a DN is the wildcard ("*"), that DN will match any other DN with the same suffix (the DN with the wildcard RDN removed). If a value of a name/value pair is a wildcard ("*"), the value will match any value for that name.
-
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprivate static boolean
dnChainMatch
(List<Object> dnChain, int dnChainIndex, List<Object> dnChainPattern, int dnChainPatternIndex) recursively attempt to match the DNChain, and the DNChainPattern where DNChain is of the format: "DN;DN;DN;" and DNChainPattern is of the format: "DNPattern;*;DNPattern" (or combinations of this)private static boolean
(package private) static boolean
Matches a distinguished name chain against a pattern of a distinguished name chain.private static void
Takes a distinguished name in canonical form and fills in the rdnArray with the extracted RDNs.parseDNchain
(List<String> chain) parseDNchainPattern
(String pattern) Parses a distinguished name chain pattern and returns a List where each element represents a distinguished name (DN) in the chain of DNs.private static boolean
Check the name/value pairs of the rdn against the pattern.private static int
skipSpaces
(String dnChain, int startIndex) Increment startIndex until the end of dnChain is hit or until it is the index of a non-space character.private static int
skipWildCards
(List<Object> dnChainPattern, int dnChainPatternIndex) This method will return an 'index' which points to a non-wildcard DN or the end-of-list.private static String
-
Field Details
-
MINUS_WILDCARD
- See Also:
-
STAR_WILDCARD
- See Also:
-
-
Constructor Details
-
DNChainMatching
private DNChainMatching()
-
-
Method Details
-
rdnmatch
Check the name/value pairs of the rdn against the pattern.- Parameters:
rdn
- List of name value pairs for a given RDN.rdnPattern
- List of name value pattern pairs.- Returns:
- true if the list of name value pairs match the pattern.
-
dnmatch
-
parseDNchainPattern
Parses a distinguished name chain pattern and returns a List where each element represents a distinguished name (DN) in the chain of DNs. Each element will be either a String, if the element represents a wildcard ("*" or "-"), or a List representing an RDN. Each element in the RDN List will be a String, if the element represents a wildcard ("*"), or a List of Strings, each String representing a name/value pair in the RDN.- Parameters:
pattern
-- Returns:
- a list of DNs.
- Throws:
IllegalArgumentException
-
parseDNchain
-
skipSpaces
Increment startIndex until the end of dnChain is hit or until it is the index of a non-space character. -
parseDN
Takes a distinguished name in canonical form and fills in the rdnArray with the extracted RDNs.- Parameters:
dn
- the distinguished name in canonical form.rdn
- the list to fill in with RDNs extracted from the dn- Throws:
IllegalArgumentException
- if a formatting error is found.
-
skipWildCards
This method will return an 'index' which points to a non-wildcard DN or the end-of-list. -
dnChainMatch
private static boolean dnChainMatch(List<Object> dnChain, int dnChainIndex, List<Object> dnChainPattern, int dnChainPatternIndex) throws IllegalArgumentException recursively attempt to match the DNChain, and the DNChainPattern where DNChain is of the format: "DN;DN;DN;" and DNChainPattern is of the format: "DNPattern;*;DNPattern" (or combinations of this)- Throws:
IllegalArgumentException
-
match
Matches a distinguished name chain against a pattern of a distinguished name chain.- Parameters:
dnChain
-pattern
- the pattern of distinguished name (DN) chains to match against the dnChain. Wildcards ("*" or "-") can be used in three cases:- As a DN. In this case, the DN will consist of just the "*" or "-". When "*" is used it will match zero or one DNs. When "-" is used it will match zero or more DNs. For example, "cn=me,c=US;*;cn=you" will match "cn=me,c=US";cn=you" and "cn=me,c=US;cn=her;cn=you". The pattern "cn=me,c=US;-;cn=you" will match "cn=me,c=US";cn=you" and "cn=me,c=US;cn=her;cn=him;cn=you".
- As a DN prefix. In this case, the DN must start with "*,". The wild card will match zero or more RDNs at the start of a DN. For example, "*,cn=me,c=US;cn=you" will match "cn=me,c=US";cn=you" and "ou=my org unit,o=my org,cn=me,c=US;cn=you"
- As a value. In this case the value of a name value pair in an RDN will be a "*". The wildcard will match any value for the given name. For example, "cn=*,c=US;cn=you" will match "cn=me,c=US";cn=you" and "cn=her,c=US;cn=you", but it will not match "ou=my org unit,c=US;cn=you". If the wildcard does not occur by itself in the value, it will not be used as a wildcard. In other words, "cn=m*,c=US;cn=you" represents the common name of "m*" not any common name starting with "m".
- Returns:
- true if dnChain matches the pattern.
- Throws:
IllegalArgumentException
-
toString
-