1 /* |
1 /* |
2 * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
40 /** |
40 /** |
41 * A class for validating certification paths (also known as certificate |
41 * A class for validating certification paths (also known as certificate |
42 * chains). |
42 * chains). |
43 * <p> |
43 * <p> |
44 * This class uses a provider-based architecture. |
44 * This class uses a provider-based architecture. |
45 * To create a <code>CertPathValidator</code>, |
45 * To create a {@code CertPathValidator}, |
46 * call one of the static <code>getInstance</code> methods, passing in the |
46 * call one of the static {@code getInstance} methods, passing in the |
47 * algorithm name of the <code>CertPathValidator</code> desired and |
47 * algorithm name of the {@code CertPathValidator} desired and |
48 * optionally the name of the provider desired. |
48 * optionally the name of the provider desired. |
49 * |
49 * |
50 * <p>Once a <code>CertPathValidator</code> object has been created, it can |
50 * <p>Once a {@code CertPathValidator} object has been created, it can |
51 * be used to validate certification paths by calling the {@link #validate |
51 * be used to validate certification paths by calling the {@link #validate |
52 * validate} method and passing it the <code>CertPath</code> to be validated |
52 * validate} method and passing it the {@code CertPath} to be validated |
53 * and an algorithm-specific set of parameters. If successful, the result is |
53 * and an algorithm-specific set of parameters. If successful, the result is |
54 * returned in an object that implements the |
54 * returned in an object that implements the |
55 * <code>CertPathValidatorResult</code> interface. |
55 * {@code CertPathValidatorResult} interface. |
56 * |
56 * |
57 * <p>The {@link #getRevocationChecker} method allows an application to specify |
57 * <p>The {@link #getRevocationChecker} method allows an application to specify |
58 * additional algorithm-specific parameters and options used by the |
58 * additional algorithm-specific parameters and options used by the |
59 * {@code CertPathValidator} when checking the revocation status of |
59 * {@code CertPathValidator} when checking the revocation status of |
60 * certificates. Here is an example demonstrating how it is used with the PKIX |
60 * certificates. Here is an example demonstrating how it is used with the PKIX |
67 * params.addCertPathChecker(rc); |
67 * params.addCertPathChecker(rc); |
68 * CertPathValidatorResult cpvr = cpv.validate(path, params); |
68 * CertPathValidatorResult cpvr = cpv.validate(path, params); |
69 * </pre> |
69 * </pre> |
70 * |
70 * |
71 * <p>Every implementation of the Java platform is required to support the |
71 * <p>Every implementation of the Java platform is required to support the |
72 * following standard <code>CertPathValidator</code> algorithm: |
72 * following standard {@code CertPathValidator} algorithm: |
73 * <ul> |
73 * <ul> |
74 * <li><tt>PKIX</tt></li> |
74 * <li>{@code PKIX}</li> |
75 * </ul> |
75 * </ul> |
76 * This algorithm is described in the <a href= |
76 * This algorithm is described in the <a href= |
77 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
77 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
78 * CertPathValidator section</a> of the |
78 * CertPathValidator section</a> of the |
79 * Java Cryptography Architecture Standard Algorithm Name Documentation. |
79 * Java Cryptography Architecture Standard Algorithm Name Documentation. |
87 * Multiple threads may concurrently invoke the static methods defined in |
87 * Multiple threads may concurrently invoke the static methods defined in |
88 * this class with no ill effects. |
88 * this class with no ill effects. |
89 * <p> |
89 * <p> |
90 * However, this is not true for the non-static methods defined by this class. |
90 * However, this is not true for the non-static methods defined by this class. |
91 * Unless otherwise documented by a specific provider, threads that need to |
91 * Unless otherwise documented by a specific provider, threads that need to |
92 * access a single <code>CertPathValidator</code> instance concurrently should |
92 * access a single {@code CertPathValidator} instance concurrently should |
93 * synchronize amongst themselves and provide the necessary locking. Multiple |
93 * synchronize amongst themselves and provide the necessary locking. Multiple |
94 * threads each manipulating a different <code>CertPathValidator</code> |
94 * threads each manipulating a different {@code CertPathValidator} |
95 * instance need not synchronize. |
95 * instance need not synchronize. |
96 * |
96 * |
97 * @see CertPath |
97 * @see CertPath |
98 * |
98 * |
99 * @since 1.4 |
99 * @since 1.4 |
113 private final CertPathValidatorSpi validatorSpi; |
113 private final CertPathValidatorSpi validatorSpi; |
114 private final Provider provider; |
114 private final Provider provider; |
115 private final String algorithm; |
115 private final String algorithm; |
116 |
116 |
117 /** |
117 /** |
118 * Creates a <code>CertPathValidator</code> object of the given algorithm, |
118 * Creates a {@code CertPathValidator} object of the given algorithm, |
119 * and encapsulates the given provider implementation (SPI object) in it. |
119 * and encapsulates the given provider implementation (SPI object) in it. |
120 * |
120 * |
121 * @param validatorSpi the provider implementation |
121 * @param validatorSpi the provider implementation |
122 * @param provider the provider |
122 * @param provider the provider |
123 * @param algorithm the algorithm name |
123 * @param algorithm the algorithm name |
129 this.provider = provider; |
129 this.provider = provider; |
130 this.algorithm = algorithm; |
130 this.algorithm = algorithm; |
131 } |
131 } |
132 |
132 |
133 /** |
133 /** |
134 * Returns a <code>CertPathValidator</code> object that implements the |
134 * Returns a {@code CertPathValidator} object that implements the |
135 * specified algorithm. |
135 * specified algorithm. |
136 * |
136 * |
137 * <p> This method traverses the list of registered security Providers, |
137 * <p> This method traverses the list of registered security Providers, |
138 * starting with the most preferred Provider. |
138 * starting with the most preferred Provider. |
139 * A new CertPathValidator object encapsulating the |
139 * A new CertPathValidator object encapsulating the |
141 * Provider that supports the specified algorithm is returned. |
141 * Provider that supports the specified algorithm is returned. |
142 * |
142 * |
143 * <p> Note that the list of registered providers may be retrieved via |
143 * <p> Note that the list of registered providers may be retrieved via |
144 * the {@link Security#getProviders() Security.getProviders()} method. |
144 * the {@link Security#getProviders() Security.getProviders()} method. |
145 * |
145 * |
146 * @param algorithm the name of the requested <code>CertPathValidator</code> |
146 * @param algorithm the name of the requested {@code CertPathValidator} |
147 * algorithm. See the CertPathValidator section in the <a href= |
147 * algorithm. See the CertPathValidator section in the <a href= |
148 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
148 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
149 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> |
149 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> |
150 * for information about standard algorithm names. |
150 * for information about standard algorithm names. |
151 * |
151 * |
152 * @return a <code>CertPathValidator</code> object that implements the |
152 * @return a {@code CertPathValidator} object that implements the |
153 * specified algorithm. |
153 * specified algorithm. |
154 * |
154 * |
155 * @exception NoSuchAlgorithmException if no Provider supports a |
155 * @exception NoSuchAlgorithmException if no Provider supports a |
156 * CertPathValidatorSpi implementation for the |
156 * CertPathValidatorSpi implementation for the |
157 * specified algorithm. |
157 * specified algorithm. |
165 return new CertPathValidator((CertPathValidatorSpi)instance.impl, |
165 return new CertPathValidator((CertPathValidatorSpi)instance.impl, |
166 instance.provider, algorithm); |
166 instance.provider, algorithm); |
167 } |
167 } |
168 |
168 |
169 /** |
169 /** |
170 * Returns a <code>CertPathValidator</code> object that implements the |
170 * Returns a {@code CertPathValidator} object that implements the |
171 * specified algorithm. |
171 * specified algorithm. |
172 * |
172 * |
173 * <p> A new CertPathValidator object encapsulating the |
173 * <p> A new CertPathValidator object encapsulating the |
174 * CertPathValidatorSpi implementation from the specified provider |
174 * CertPathValidatorSpi implementation from the specified provider |
175 * is returned. The specified provider must be registered |
175 * is returned. The specified provider must be registered |
176 * in the security provider list. |
176 * in the security provider list. |
177 * |
177 * |
178 * <p> Note that the list of registered providers may be retrieved via |
178 * <p> Note that the list of registered providers may be retrieved via |
179 * the {@link Security#getProviders() Security.getProviders()} method. |
179 * the {@link Security#getProviders() Security.getProviders()} method. |
180 * |
180 * |
181 * @param algorithm the name of the requested <code>CertPathValidator</code> |
181 * @param algorithm the name of the requested {@code CertPathValidator} |
182 * algorithm. See the CertPathValidator section in the <a href= |
182 * algorithm. See the CertPathValidator section in the <a href= |
183 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
183 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
184 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> |
184 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> |
185 * for information about standard algorithm names. |
185 * for information about standard algorithm names. |
186 * |
186 * |
187 * @param provider the name of the provider. |
187 * @param provider the name of the provider. |
188 * |
188 * |
189 * @return a <code>CertPathValidator</code> object that implements the |
189 * @return a {@code CertPathValidator} object that implements the |
190 * specified algorithm. |
190 * specified algorithm. |
191 * |
191 * |
192 * @exception NoSuchAlgorithmException if a CertPathValidatorSpi |
192 * @exception NoSuchAlgorithmException if a CertPathValidatorSpi |
193 * implementation for the specified algorithm is not |
193 * implementation for the specified algorithm is not |
194 * available from the specified provider. |
194 * available from the specified provider. |
195 * |
195 * |
196 * @exception NoSuchProviderException if the specified provider is not |
196 * @exception NoSuchProviderException if the specified provider is not |
197 * registered in the security provider list. |
197 * registered in the security provider list. |
198 * |
198 * |
199 * @exception IllegalArgumentException if the <code>provider</code> is |
199 * @exception IllegalArgumentException if the {@code provider} is |
200 * null or empty. |
200 * null or empty. |
201 * |
201 * |
202 * @see java.security.Provider |
202 * @see java.security.Provider |
203 */ |
203 */ |
204 public static CertPathValidator getInstance(String algorithm, |
204 public static CertPathValidator getInstance(String algorithm, |
209 return new CertPathValidator((CertPathValidatorSpi)instance.impl, |
209 return new CertPathValidator((CertPathValidatorSpi)instance.impl, |
210 instance.provider, algorithm); |
210 instance.provider, algorithm); |
211 } |
211 } |
212 |
212 |
213 /** |
213 /** |
214 * Returns a <code>CertPathValidator</code> object that implements the |
214 * Returns a {@code CertPathValidator} object that implements the |
215 * specified algorithm. |
215 * specified algorithm. |
216 * |
216 * |
217 * <p> A new CertPathValidator object encapsulating the |
217 * <p> A new CertPathValidator object encapsulating the |
218 * CertPathValidatorSpi implementation from the specified Provider |
218 * CertPathValidatorSpi implementation from the specified Provider |
219 * object is returned. Note that the specified Provider object |
219 * object is returned. Note that the specified Provider object |
220 * does not have to be registered in the provider list. |
220 * does not have to be registered in the provider list. |
221 * |
221 * |
222 * @param algorithm the name of the requested <code>CertPathValidator</code> |
222 * @param algorithm the name of the requested {@code CertPathValidator} |
223 * algorithm. See the CertPathValidator section in the <a href= |
223 * algorithm. See the CertPathValidator section in the <a href= |
224 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
224 * "{@docRoot}/../technotes/guides/security/StandardNames.html#CertPathValidator"> |
225 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> |
225 * Java Cryptography Architecture Standard Algorithm Name Documentation</a> |
226 * for information about standard algorithm names. |
226 * for information about standard algorithm names. |
227 * |
227 * |
228 * @param provider the provider. |
228 * @param provider the provider. |
229 * |
229 * |
230 * @return a <code>CertPathValidator</code> object that implements the |
230 * @return a {@code CertPathValidator} object that implements the |
231 * specified algorithm. |
231 * specified algorithm. |
232 * |
232 * |
233 * @exception NoSuchAlgorithmException if a CertPathValidatorSpi |
233 * @exception NoSuchAlgorithmException if a CertPathValidatorSpi |
234 * implementation for the specified algorithm is not available |
234 * implementation for the specified algorithm is not available |
235 * from the specified Provider object. |
235 * from the specified Provider object. |
236 * |
236 * |
237 * @exception IllegalArgumentException if the <code>provider</code> is |
237 * @exception IllegalArgumentException if the {@code provider} is |
238 * null. |
238 * null. |
239 * |
239 * |
240 * @see java.security.Provider |
240 * @see java.security.Provider |
241 */ |
241 */ |
242 public static CertPathValidator getInstance(String algorithm, |
242 public static CertPathValidator getInstance(String algorithm, |
246 return new CertPathValidator((CertPathValidatorSpi)instance.impl, |
246 return new CertPathValidator((CertPathValidatorSpi)instance.impl, |
247 instance.provider, algorithm); |
247 instance.provider, algorithm); |
248 } |
248 } |
249 |
249 |
250 /** |
250 /** |
251 * Returns the <code>Provider</code> of this |
251 * Returns the {@code Provider} of this |
252 * <code>CertPathValidator</code>. |
252 * {@code CertPathValidator}. |
253 * |
253 * |
254 * @return the <code>Provider</code> of this <code>CertPathValidator</code> |
254 * @return the {@code Provider} of this {@code CertPathValidator} |
255 */ |
255 */ |
256 public final Provider getProvider() { |
256 public final Provider getProvider() { |
257 return this.provider; |
257 return this.provider; |
258 } |
258 } |
259 |
259 |
260 /** |
260 /** |
261 * Returns the algorithm name of this <code>CertPathValidator</code>. |
261 * Returns the algorithm name of this {@code CertPathValidator}. |
262 * |
262 * |
263 * @return the algorithm name of this <code>CertPathValidator</code> |
263 * @return the algorithm name of this {@code CertPathValidator} |
264 */ |
264 */ |
265 public final String getAlgorithm() { |
265 public final String getAlgorithm() { |
266 return this.algorithm; |
266 return this.algorithm; |
267 } |
267 } |
268 |
268 |
269 /** |
269 /** |
270 * Validates the specified certification path using the specified |
270 * Validates the specified certification path using the specified |
271 * algorithm parameter set. |
271 * algorithm parameter set. |
272 * <p> |
272 * <p> |
273 * The <code>CertPath</code> specified must be of a type that is |
273 * The {@code CertPath} specified must be of a type that is |
274 * supported by the validation algorithm, otherwise an |
274 * supported by the validation algorithm, otherwise an |
275 * <code>InvalidAlgorithmParameterException</code> will be thrown. For |
275 * {@code InvalidAlgorithmParameterException} will be thrown. For |
276 * example, a <code>CertPathValidator</code> that implements the PKIX |
276 * example, a {@code CertPathValidator} that implements the PKIX |
277 * algorithm validates <code>CertPath</code> objects of type X.509. |
277 * algorithm validates {@code CertPath} objects of type X.509. |
278 * |
278 * |
279 * @param certPath the <code>CertPath</code> to be validated |
279 * @param certPath the {@code CertPath} to be validated |
280 * @param params the algorithm parameters |
280 * @param params the algorithm parameters |
281 * @return the result of the validation algorithm |
281 * @return the result of the validation algorithm |
282 * @exception CertPathValidatorException if the <code>CertPath</code> |
282 * @exception CertPathValidatorException if the {@code CertPath} |
283 * does not validate |
283 * does not validate |
284 * @exception InvalidAlgorithmParameterException if the specified |
284 * @exception InvalidAlgorithmParameterException if the specified |
285 * parameters or the type of the specified <code>CertPath</code> are |
285 * parameters or the type of the specified {@code CertPath} are |
286 * inappropriate for this <code>CertPathValidator</code> |
286 * inappropriate for this {@code CertPathValidator} |
287 */ |
287 */ |
288 public final CertPathValidatorResult validate(CertPath certPath, |
288 public final CertPathValidatorResult validate(CertPath certPath, |
289 CertPathParameters params) |
289 CertPathParameters params) |
290 throws CertPathValidatorException, InvalidAlgorithmParameterException |
290 throws CertPathValidatorException, InvalidAlgorithmParameterException |
291 { |
291 { |