2
|
1 |
/*
|
|
2 |
* Copyright 2000-2003 Sun Microsystems, Inc. All Rights Reserved.
|
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
4 |
*
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
7 |
* published by the Free Software Foundation. Sun designates this
|
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
|
9 |
* by Sun in the LICENSE file that accompanied this code.
|
|
10 |
*
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
15 |
* accompanied this code).
|
|
16 |
*
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
20 |
*
|
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or
|
|
23 |
* have any questions.
|
|
24 |
*/
|
|
25 |
|
|
26 |
package java.security.cert;
|
|
27 |
|
|
28 |
import java.util.Collection;
|
|
29 |
import java.util.Set;
|
|
30 |
|
|
31 |
/**
|
|
32 |
* An abstract class that performs one or more checks on an
|
|
33 |
* <code>X509Certificate</code>.
|
|
34 |
*
|
|
35 |
* <p>A concrete implementation of the <code>PKIXCertPathChecker</code> class
|
|
36 |
* can be created to extend the PKIX certification path validation algorithm.
|
|
37 |
* For example, an implementation may check for and process a critical private
|
|
38 |
* extension of each certificate in a certification path.
|
|
39 |
*
|
|
40 |
* <p>Instances of <code>PKIXCertPathChecker</code> are passed as parameters
|
|
41 |
* using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers}
|
|
42 |
* or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods
|
|
43 |
* of the <code>PKIXParameters</code> and <code>PKIXBuilderParameters</code>
|
|
44 |
* class. Each of the <code>PKIXCertPathChecker</code>s {@link #check check}
|
|
45 |
* methods will be called, in turn, for each certificate processed by a PKIX
|
|
46 |
* <code>CertPathValidator</code> or <code>CertPathBuilder</code>
|
|
47 |
* implementation.
|
|
48 |
*
|
|
49 |
* <p>A <code>PKIXCertPathChecker</code> may be called multiple times on
|
|
50 |
* successive certificates in a certification path. Concrete subclasses
|
|
51 |
* are expected to maintain any internal state that may be necessary to
|
|
52 |
* check successive certificates. The {@link #init init} method is used
|
|
53 |
* to initialize the internal state of the checker so that the certificates
|
|
54 |
* of a new certification path may be checked. A stateful implementation
|
|
55 |
* <b>must</b> override the {@link #clone clone} method if necessary in
|
|
56 |
* order to allow a PKIX <code>CertPathBuilder</code> to efficiently
|
|
57 |
* backtrack and try other paths. In these situations, the
|
|
58 |
* <code>CertPathBuilder</code> is able to restore prior path validation
|
|
59 |
* states by restoring the cloned <code>PKIXCertPathChecker</code>s.
|
|
60 |
*
|
|
61 |
* <p>The order in which the certificates are presented to the
|
|
62 |
* <code>PKIXCertPathChecker</code> may be either in the forward direction
|
|
63 |
* (from target to most-trusted CA) or in the reverse direction (from
|
|
64 |
* most-trusted CA to target). A <code>PKIXCertPathChecker</code> implementation
|
|
65 |
* <b>must</b> support reverse checking (the ability to perform its checks when
|
|
66 |
* it is presented with certificates in the reverse direction) and <b>may</b>
|
|
67 |
* support forward checking (the ability to perform its checks when it is
|
|
68 |
* presented with certificates in the forward direction). The
|
|
69 |
* {@link #isForwardCheckingSupported isForwardCheckingSupported} method
|
|
70 |
* indicates whether forward checking is supported.
|
|
71 |
* <p>
|
|
72 |
* Additional input parameters required for executing the check may be
|
|
73 |
* specified through constructors of concrete implementations of this class.
|
|
74 |
* <p>
|
|
75 |
* <b>Concurrent Access</b>
|
|
76 |
* <p>
|
|
77 |
* Unless otherwise specified, the methods defined in this class are not
|
|
78 |
* thread-safe. Multiple threads that need to access a single
|
|
79 |
* object concurrently should synchronize amongst themselves and
|
|
80 |
* provide the necessary locking. Multiple threads each manipulating
|
|
81 |
* separate objects need not synchronize.
|
|
82 |
*
|
|
83 |
* @see PKIXParameters
|
|
84 |
* @see PKIXBuilderParameters
|
|
85 |
*
|
|
86 |
* @since 1.4
|
|
87 |
* @author Yassir Elley
|
|
88 |
* @author Sean Mullan
|
|
89 |
*/
|
|
90 |
public abstract class PKIXCertPathChecker implements Cloneable {
|
|
91 |
|
|
92 |
/**
|
|
93 |
* Default constructor.
|
|
94 |
*/
|
|
95 |
protected PKIXCertPathChecker() {}
|
|
96 |
|
|
97 |
/**
|
|
98 |
* Initializes the internal state of this <code>PKIXCertPathChecker</code>.
|
|
99 |
* <p>
|
|
100 |
* The <code>forward</code> flag specifies the order that
|
|
101 |
* certificates will be passed to the {@link #check check} method
|
|
102 |
* (forward or reverse). A <code>PKIXCertPathChecker</code> <b>must</b>
|
|
103 |
* support reverse checking and <b>may</b> support forward checking.
|
|
104 |
*
|
|
105 |
* @param forward the order that certificates are presented to
|
|
106 |
* the <code>check</code> method. If <code>true</code>, certificates
|
|
107 |
* are presented from target to most-trusted CA (forward); if
|
|
108 |
* <code>false</code>, from most-trusted CA to target (reverse).
|
|
109 |
* @throws CertPathValidatorException if this
|
|
110 |
* <code>PKIXCertPathChecker</code> is unable to check certificates in
|
|
111 |
* the specified order; it should never be thrown if the forward flag
|
|
112 |
* is false since reverse checking must be supported
|
|
113 |
*/
|
|
114 |
public abstract void init(boolean forward)
|
|
115 |
throws CertPathValidatorException;
|
|
116 |
|
|
117 |
/**
|
|
118 |
* Indicates if forward checking is supported. Forward checking refers
|
|
119 |
* to the ability of the <code>PKIXCertPathChecker</code> to perform
|
|
120 |
* its checks when certificates are presented to the <code>check</code>
|
|
121 |
* method in the forward direction (from target to most-trusted CA).
|
|
122 |
*
|
|
123 |
* @return <code>true</code> if forward checking is supported,
|
|
124 |
* <code>false</code> otherwise
|
|
125 |
*/
|
|
126 |
public abstract boolean isForwardCheckingSupported();
|
|
127 |
|
|
128 |
/**
|
|
129 |
* Returns an immutable <code>Set</code> of X.509 certificate extensions
|
|
130 |
* that this <code>PKIXCertPathChecker</code> supports (i.e. recognizes, is
|
|
131 |
* able to process), or <code>null</code> if no extensions are supported.
|
|
132 |
* <p>
|
|
133 |
* Each element of the set is a <code>String</code> representing the
|
|
134 |
* Object Identifier (OID) of the X.509 extension that is supported.
|
|
135 |
* The OID is represented by a set of nonnegative integers separated by
|
|
136 |
* periods.
|
|
137 |
* <p>
|
|
138 |
* All X.509 certificate extensions that a <code>PKIXCertPathChecker</code>
|
|
139 |
* might possibly be able to process should be included in the set.
|
|
140 |
*
|
|
141 |
* @return an immutable <code>Set</code> of X.509 extension OIDs (in
|
|
142 |
* <code>String</code> format) supported by this
|
|
143 |
* <code>PKIXCertPathChecker</code>, or <code>null</code> if no
|
|
144 |
* extensions are supported
|
|
145 |
*/
|
|
146 |
public abstract Set<String> getSupportedExtensions();
|
|
147 |
|
|
148 |
/**
|
|
149 |
* Performs the check(s) on the specified certificate using its internal
|
|
150 |
* state and removes any critical extensions that it processes from the
|
|
151 |
* specified collection of OID strings that represent the unresolved
|
|
152 |
* critical extensions. The certificates are presented in the order
|
|
153 |
* specified by the <code>init</code> method.
|
|
154 |
*
|
|
155 |
* @param cert the <code>Certificate</code> to be checked
|
|
156 |
* @param unresolvedCritExts a <code>Collection</code> of OID strings
|
|
157 |
* representing the current set of unresolved critical extensions
|
|
158 |
* @exception CertPathValidatorException if the specified certificate does
|
|
159 |
* not pass the check
|
|
160 |
*/
|
|
161 |
public abstract void check(Certificate cert,
|
|
162 |
Collection<String> unresolvedCritExts)
|
|
163 |
throws CertPathValidatorException;
|
|
164 |
|
|
165 |
/**
|
|
166 |
* Returns a clone of this object. Calls the <code>Object.clone()</code>
|
|
167 |
* method.
|
|
168 |
* All subclasses which maintain state must support and
|
|
169 |
* override this method, if necessary.
|
|
170 |
*
|
|
171 |
* @return a copy of this <code>PKIXCertPathChecker</code>
|
|
172 |
*/
|
|
173 |
public Object clone() {
|
|
174 |
try {
|
|
175 |
return super.clone();
|
|
176 |
} catch (CloneNotSupportedException e) {
|
|
177 |
/* Cannot happen */
|
|
178 |
throw new InternalError(e.toString());
|
|
179 |
}
|
|
180 |
}
|
|
181 |
}
|