src/share/classes/java/security/cert/PKIXCertPathChecker.java
Print this page
*** 28,69 ****
import java.util.Collection;
import java.util.Set;
/**
* An abstract class that performs one or more checks on an
! * <code>X509Certificate</code>.
*
! * <p>A concrete implementation of the <code>PKIXCertPathChecker</code> class
* can be created to extend the PKIX certification path validation algorithm.
* For example, an implementation may check for and process a critical private
* extension of each certificate in a certification path.
*
! * <p>Instances of <code>PKIXCertPathChecker</code> are passed as parameters
* using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers}
* or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods
! * of the <code>PKIXParameters</code> and <code>PKIXBuilderParameters</code>
! * class. Each of the <code>PKIXCertPathChecker</code>s {@link #check check}
* methods will be called, in turn, for each certificate processed by a PKIX
! * <code>CertPathValidator</code> or <code>CertPathBuilder</code>
* implementation.
*
! * <p>A <code>PKIXCertPathChecker</code> may be called multiple times on
* successive certificates in a certification path. Concrete subclasses
* are expected to maintain any internal state that may be necessary to
* check successive certificates. The {@link #init init} method is used
* to initialize the internal state of the checker so that the certificates
* of a new certification path may be checked. A stateful implementation
* <b>must</b> override the {@link #clone clone} method if necessary in
! * order to allow a PKIX <code>CertPathBuilder</code> to efficiently
* backtrack and try other paths. In these situations, the
! * <code>CertPathBuilder</code> is able to restore prior path validation
! * states by restoring the cloned <code>PKIXCertPathChecker</code>s.
*
* <p>The order in which the certificates are presented to the
! * <code>PKIXCertPathChecker</code> may be either in the forward direction
* (from target to most-trusted CA) or in the reverse direction (from
! * most-trusted CA to target). A <code>PKIXCertPathChecker</code> implementation
* <b>must</b> support reverse checking (the ability to perform its checks when
* it is presented with certificates in the reverse direction) and <b>may</b>
* support forward checking (the ability to perform its checks when it is
* presented with certificates in the forward direction). The
* {@link #isForwardCheckingSupported isForwardCheckingSupported} method
--- 28,69 ----
import java.util.Collection;
import java.util.Set;
/**
* An abstract class that performs one or more checks on an
! * {@code X509Certificate}.
*
! * <p>A concrete implementation of the {@code PKIXCertPathChecker} class
* can be created to extend the PKIX certification path validation algorithm.
* For example, an implementation may check for and process a critical private
* extension of each certificate in a certification path.
*
! * <p>Instances of {@code PKIXCertPathChecker} are passed as parameters
* using the {@link PKIXParameters#setCertPathCheckers setCertPathCheckers}
* or {@link PKIXParameters#addCertPathChecker addCertPathChecker} methods
! * of the {@code PKIXParameters} and {@code PKIXBuilderParameters}
! * class. Each of the {@code PKIXCertPathChecker}s {@link #check check}
* methods will be called, in turn, for each certificate processed by a PKIX
! * {@code CertPathValidator} or {@code CertPathBuilder}
* implementation.
*
! * <p>A {@code PKIXCertPathChecker} may be called multiple times on
* successive certificates in a certification path. Concrete subclasses
* are expected to maintain any internal state that may be necessary to
* check successive certificates. The {@link #init init} method is used
* to initialize the internal state of the checker so that the certificates
* of a new certification path may be checked. A stateful implementation
* <b>must</b> override the {@link #clone clone} method if necessary in
! * order to allow a PKIX {@code CertPathBuilder} to efficiently
* backtrack and try other paths. In these situations, the
! * {@code CertPathBuilder} is able to restore prior path validation
! * states by restoring the cloned {@code PKIXCertPathChecker}s.
*
* <p>The order in which the certificates are presented to the
! * {@code PKIXCertPathChecker} may be either in the forward direction
* (from target to most-trusted CA) or in the reverse direction (from
! * most-trusted CA to target). A {@code PKIXCertPathChecker} implementation
* <b>must</b> support reverse checking (the ability to perform its checks when
* it is presented with certificates in the reverse direction) and <b>may</b>
* support forward checking (the ability to perform its checks when it is
* presented with certificates in the forward direction). The
* {@link #isForwardCheckingSupported isForwardCheckingSupported} method
*** 94,164 ****
* Default constructor.
*/
protected PKIXCertPathChecker() {}
/**
! * Initializes the internal state of this <code>PKIXCertPathChecker</code>.
* <p>
! * The <code>forward</code> flag specifies the order that
* certificates will be passed to the {@link #check check} method
! * (forward or reverse). A <code>PKIXCertPathChecker</code> <b>must</b>
* support reverse checking and <b>may</b> support forward checking.
*
* @param forward the order that certificates are presented to
! * the <code>check</code> method. If <code>true</code>, certificates
* are presented from target to most-trusted CA (forward); if
! * <code>false</code>, from most-trusted CA to target (reverse).
* @throws CertPathValidatorException if this
! * <code>PKIXCertPathChecker</code> is unable to check certificates in
* the specified order; it should never be thrown if the forward flag
* is false since reverse checking must be supported
*/
@Override
public abstract void init(boolean forward)
throws CertPathValidatorException;
/**
* Indicates if forward checking is supported. Forward checking refers
! * to the ability of the <code>PKIXCertPathChecker</code> to perform
! * its checks when certificates are presented to the <code>check</code>
* method in the forward direction (from target to most-trusted CA).
*
! * @return <code>true</code> if forward checking is supported,
! * <code>false</code> otherwise
*/
@Override
public abstract boolean isForwardCheckingSupported();
/**
! * Returns an immutable <code>Set</code> of X.509 certificate extensions
! * that this <code>PKIXCertPathChecker</code> supports (i.e. recognizes, is
! * able to process), or <code>null</code> if no extensions are supported.
* <p>
! * Each element of the set is a <code>String</code> representing the
* Object Identifier (OID) of the X.509 extension that is supported.
* The OID is represented by a set of nonnegative integers separated by
* periods.
* <p>
! * All X.509 certificate extensions that a <code>PKIXCertPathChecker</code>
* might possibly be able to process should be included in the set.
*
! * @return an immutable <code>Set</code> of X.509 extension OIDs (in
! * <code>String</code> format) supported by this
! * <code>PKIXCertPathChecker</code>, or <code>null</code> if no
* extensions are supported
*/
public abstract Set<String> getSupportedExtensions();
/**
* Performs the check(s) on the specified certificate using its internal
* state and removes any critical extensions that it processes from the
* specified collection of OID strings that represent the unresolved
* critical extensions. The certificates are presented in the order
! * specified by the <code>init</code> method.
*
! * @param cert the <code>Certificate</code> to be checked
! * @param unresolvedCritExts a <code>Collection</code> of OID strings
* representing the current set of unresolved critical extensions
* @exception CertPathValidatorException if the specified certificate does
* not pass the check
*/
public abstract void check(Certificate cert,
--- 94,164 ----
* Default constructor.
*/
protected PKIXCertPathChecker() {}
/**
! * Initializes the internal state of this {@code PKIXCertPathChecker}.
* <p>
! * The {@code forward} flag specifies the order that
* certificates will be passed to the {@link #check check} method
! * (forward or reverse). A {@code PKIXCertPathChecker} <b>must</b>
* support reverse checking and <b>may</b> support forward checking.
*
* @param forward the order that certificates are presented to
! * the {@code check} method. If {@code true}, certificates
* are presented from target to most-trusted CA (forward); if
! * {@code false}, from most-trusted CA to target (reverse).
* @throws CertPathValidatorException if this
! * {@code PKIXCertPathChecker} is unable to check certificates in
* the specified order; it should never be thrown if the forward flag
* is false since reverse checking must be supported
*/
@Override
public abstract void init(boolean forward)
throws CertPathValidatorException;
/**
* Indicates if forward checking is supported. Forward checking refers
! * to the ability of the {@code PKIXCertPathChecker} to perform
! * its checks when certificates are presented to the {@code check}
* method in the forward direction (from target to most-trusted CA).
*
! * @return {@code true} if forward checking is supported,
! * {@code false} otherwise
*/
@Override
public abstract boolean isForwardCheckingSupported();
/**
! * Returns an immutable {@code Set} of X.509 certificate extensions
! * that this {@code PKIXCertPathChecker} supports (i.e. recognizes, is
! * able to process), or {@code null} if no extensions are supported.
* <p>
! * Each element of the set is a {@code String} representing the
* Object Identifier (OID) of the X.509 extension that is supported.
* The OID is represented by a set of nonnegative integers separated by
* periods.
* <p>
! * All X.509 certificate extensions that a {@code PKIXCertPathChecker}
* might possibly be able to process should be included in the set.
*
! * @return an immutable {@code Set} of X.509 extension OIDs (in
! * {@code String} format) supported by this
! * {@code PKIXCertPathChecker}, or {@code null} if no
* extensions are supported
*/
public abstract Set<String> getSupportedExtensions();
/**
* Performs the check(s) on the specified certificate using its internal
* state and removes any critical extensions that it processes from the
* specified collection of OID strings that represent the unresolved
* critical extensions. The certificates are presented in the order
! * specified by the {@code init} method.
*
! * @param cert the {@code Certificate} to be checked
! * @param unresolvedCritExts a {@code Collection} of OID strings
* representing the current set of unresolved critical extensions
* @exception CertPathValidatorException if the specified certificate does
* not pass the check
*/
public abstract void check(Certificate cert,
*** 175,190 ****
public void check(Certificate cert) throws CertPathValidatorException {
check(cert, java.util.Collections.<String>emptySet());
}
/**
! * Returns a clone of this object. Calls the <code>Object.clone()</code>
* method.
* All subclasses which maintain state must support and
* override this method, if necessary.
*
! * @return a copy of this <code>PKIXCertPathChecker</code>
*/
@Override
public Object clone() {
try {
return super.clone();
--- 175,190 ----
public void check(Certificate cert) throws CertPathValidatorException {
check(cert, java.util.Collections.<String>emptySet());
}
/**
! * Returns a clone of this object. Calls the {@code Object.clone()}
* method.
* All subclasses which maintain state must support and
* override this method, if necessary.
*
! * @return a copy of this {@code PKIXCertPathChecker}
*/
@Override
public Object clone() {
try {
return super.clone();