author | sherman |
Tue, 30 Aug 2011 11:53:11 -0700 | |
changeset 10419 | 12c063b39232 |
parent 5506 | 202f599c92aa |
child 12860 | 9ffbd4e43413 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
5506 | 2 |
* Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package java.security.cert; |
|
27 |
||
28 |
import java.util.Collection; |
|
29 |
import java.util.Set; |
|
30 |
||
31 |
/** |
|
32 |
* An abstract class that performs one or more checks on an |
|
33 |
* <code>X509Certificate</code>. |
|
34 |
* |
|
35 |
* <p>A concrete implementation of the <code>PKIXCertPathChecker</code> class |
|
36 |
* can be created to extend the PKIX certification path validation algorithm. |
|
37 |
* For example, an implementation may check for and process a critical private |
|
38 |
* extension of each certificate in a certification path. |
|
39 |
* |
|
40 |
* <p>Instances of <code>PKIXCertPathChecker</code> are passed as parameters |
|
41 |
* using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers} |
|
42 |
* or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods |
|
43 |
* of the <code>PKIXParameters</code> and <code>PKIXBuilderParameters</code> |
|
44 |
* class. Each of the <code>PKIXCertPathChecker</code>s {@link #check check} |
|
45 |
* methods will be called, in turn, for each certificate processed by a PKIX |
|
46 |
* <code>CertPathValidator</code> or <code>CertPathBuilder</code> |
|
47 |
* implementation. |
|
48 |
* |
|
49 |
* <p>A <code>PKIXCertPathChecker</code> may be called multiple times on |
|
50 |
* successive certificates in a certification path. Concrete subclasses |
|
51 |
* are expected to maintain any internal state that may be necessary to |
|
52 |
* check successive certificates. The {@link #init init} method is used |
|
53 |
* to initialize the internal state of the checker so that the certificates |
|
54 |
* of a new certification path may be checked. A stateful implementation |
|
55 |
* <b>must</b> override the {@link #clone clone} method if necessary in |
|
56 |
* order to allow a PKIX <code>CertPathBuilder</code> to efficiently |
|
57 |
* backtrack and try other paths. In these situations, the |
|
58 |
* <code>CertPathBuilder</code> is able to restore prior path validation |
|
59 |
* states by restoring the cloned <code>PKIXCertPathChecker</code>s. |
|
60 |
* |
|
61 |
* <p>The order in which the certificates are presented to the |
|
62 |
* <code>PKIXCertPathChecker</code> may be either in the forward direction |
|
63 |
* (from target to most-trusted CA) or in the reverse direction (from |
|
64 |
* most-trusted CA to target). A <code>PKIXCertPathChecker</code> implementation |
|
65 |
* <b>must</b> support reverse checking (the ability to perform its checks when |
|
66 |
* it is presented with certificates in the reverse direction) and <b>may</b> |
|
67 |
* support forward checking (the ability to perform its checks when it is |
|
68 |
* presented with certificates in the forward direction). The |
|
69 |
* {@link #isForwardCheckingSupported isForwardCheckingSupported} method |
|
70 |
* indicates whether forward checking is supported. |
|
71 |
* <p> |
|
72 |
* Additional input parameters required for executing the check may be |
|
73 |
* specified through constructors of concrete implementations of this class. |
|
74 |
* <p> |
|
75 |
* <b>Concurrent Access</b> |
|
76 |
* <p> |
|
77 |
* Unless otherwise specified, the methods defined in this class are not |
|
78 |
* thread-safe. Multiple threads that need to access a single |
|
79 |
* object concurrently should synchronize amongst themselves and |
|
80 |
* provide the necessary locking. Multiple threads each manipulating |
|
81 |
* separate objects need not synchronize. |
|
82 |
* |
|
83 |
* @see PKIXParameters |
|
84 |
* @see PKIXBuilderParameters |
|
85 |
* |
|
86 |
* @since 1.4 |
|
87 |
* @author Yassir Elley |
|
88 |
* @author Sean Mullan |
|
89 |
*/ |
|
90 |
public abstract class PKIXCertPathChecker implements Cloneable { |
|
91 |
||
92 |
/** |
|
93 |
* Default constructor. |
|
94 |
*/ |
|
95 |
protected PKIXCertPathChecker() {} |
|
96 |
||
97 |
/** |
|
98 |
* Initializes the internal state of this <code>PKIXCertPathChecker</code>. |
|
99 |
* <p> |
|
100 |
* The <code>forward</code> flag specifies the order that |
|
101 |
* certificates will be passed to the {@link #check check} method |
|
102 |
* (forward or reverse). A <code>PKIXCertPathChecker</code> <b>must</b> |
|
103 |
* support reverse checking and <b>may</b> support forward checking. |
|
104 |
* |
|
105 |
* @param forward the order that certificates are presented to |
|
106 |
* the <code>check</code> method. If <code>true</code>, certificates |
|
107 |
* are presented from target to most-trusted CA (forward); if |
|
108 |
* <code>false</code>, from most-trusted CA to target (reverse). |
|
109 |
* @throws CertPathValidatorException if this |
|
110 |
* <code>PKIXCertPathChecker</code> is unable to check certificates in |
|
111 |
* the specified order; it should never be thrown if the forward flag |
|
112 |
* is false since reverse checking must be supported |
|
113 |
*/ |
|
114 |
public abstract void init(boolean forward) |
|
115 |
throws CertPathValidatorException; |
|
116 |
||
117 |
/** |
|
118 |
* Indicates if forward checking is supported. Forward checking refers |
|
119 |
* to the ability of the <code>PKIXCertPathChecker</code> to perform |
|
120 |
* its checks when certificates are presented to the <code>check</code> |
|
121 |
* method in the forward direction (from target to most-trusted CA). |
|
122 |
* |
|
123 |
* @return <code>true</code> if forward checking is supported, |
|
124 |
* <code>false</code> otherwise |
|
125 |
*/ |
|
126 |
public abstract boolean isForwardCheckingSupported(); |
|
127 |
||
128 |
/** |
|
129 |
* Returns an immutable <code>Set</code> of X.509 certificate extensions |
|
130 |
* that this <code>PKIXCertPathChecker</code> supports (i.e. recognizes, is |
|
131 |
* able to process), or <code>null</code> if no extensions are supported. |
|
132 |
* <p> |
|
133 |
* Each element of the set is a <code>String</code> representing the |
|
134 |
* Object Identifier (OID) of the X.509 extension that is supported. |
|
135 |
* The OID is represented by a set of nonnegative integers separated by |
|
136 |
* periods. |
|
137 |
* <p> |
|
138 |
* All X.509 certificate extensions that a <code>PKIXCertPathChecker</code> |
|
139 |
* might possibly be able to process should be included in the set. |
|
140 |
* |
|
141 |
* @return an immutable <code>Set</code> of X.509 extension OIDs (in |
|
142 |
* <code>String</code> format) supported by this |
|
143 |
* <code>PKIXCertPathChecker</code>, or <code>null</code> if no |
|
144 |
* extensions are supported |
|
145 |
*/ |
|
146 |
public abstract Set<String> getSupportedExtensions(); |
|
147 |
||
148 |
/** |
|
149 |
* Performs the check(s) on the specified certificate using its internal |
|
150 |
* state and removes any critical extensions that it processes from the |
|
151 |
* specified collection of OID strings that represent the unresolved |
|
152 |
* critical extensions. The certificates are presented in the order |
|
153 |
* specified by the <code>init</code> method. |
|
154 |
* |
|
155 |
* @param cert the <code>Certificate</code> to be checked |
|
156 |
* @param unresolvedCritExts a <code>Collection</code> of OID strings |
|
157 |
* representing the current set of unresolved critical extensions |
|
158 |
* @exception CertPathValidatorException if the specified certificate does |
|
159 |
* not pass the check |
|
160 |
*/ |
|
161 |
public abstract void check(Certificate cert, |
|
162 |
Collection<String> unresolvedCritExts) |
|
163 |
throws CertPathValidatorException; |
|
164 |
||
165 |
/** |
|
166 |
* Returns a clone of this object. Calls the <code>Object.clone()</code> |
|
167 |
* method. |
|
168 |
* All subclasses which maintain state must support and |
|
169 |
* override this method, if necessary. |
|
170 |
* |
|
171 |
* @return a copy of this <code>PKIXCertPathChecker</code> |
|
172 |
*/ |
|
173 |
public Object clone() { |
|
174 |
try { |
|
175 |
return super.clone(); |
|
176 |
} catch (CloneNotSupportedException e) { |
|
177 |
/* Cannot happen */ |
|
10419
12c063b39232
7084245: Update usages of InternalError to use exception chaining
sherman
parents:
5506
diff
changeset
|
178 |
throw new InternalError(e.toString(), e); |
2 | 179 |
} |
180 |
} |
|
181 |
} |