1 /*
2 * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
127 /**
128 * Constant for a TLS Server variant of a validator.
129 * @see #getInstance
130 */
131 public final static String VAR_TLS_SERVER = "tls server";
132
133 /**
134 * Constant for a TSA Server variant of a validator.
135 * @see #getInstance
136 */
137 public final static String VAR_TSA_SERVER = "tsa server";
138
139 /**
140 * Constant for a Code Signing variant of a validator for use by
141 * the J2SE Plugin/WebStart code.
142 * @see #getInstance
143 */
144 public final static String VAR_PLUGIN_CODE_SIGNING = "plugin code signing";
145
146 final EndEntityChecker endEntityChecker;
147 final String variant;
148
149 /**
150 * @deprecated
151 * @see #setValidationDate
152 */
153 @Deprecated
154 volatile Date validationDate;
155
156 Validator(String type, String variant) {
157 this.variant = variant;
158 endEntityChecker = EndEntityChecker.getInstance(type, variant);
159 }
160
161 /**
162 * Get a new Validator instance using the trusted certificates from the
163 * specified KeyStore as trust anchors.
164 */
165 public static Validator getInstance(String type, String variant,
166 KeyStore ks) {
167 return getInstance(type, variant, KeyStores.getTrustedCerts(ks));
168 }
169
170 /**
171 * Get a new Validator instance using the Set of X509Certificates as trust
172 * anchors.
173 */
174 public static Validator getInstance(String type, String variant,
175 Collection<X509Certificate> trustedCerts) {
176 if (type.equals(TYPE_SIMPLE)) {
244 * could be helpful for path building (or null)
245 * @param constraints algorithm constraints for certification path
246 * processing
247 * @param parameter an additional parameter with variant specific meaning.
248 * Currently, it is only defined for TLS_SERVER variant validators,
249 * where it must be non null and the name of the TLS key exchange
250 * algorithm being used (see JSSE X509TrustManager specification).
251 * In the future, it could be used to pass in a PKCS#7 object for
252 * code signing to check time stamps.
253 * @return a non-empty chain that was used to validate the path. The
254 * end entity cert is at index 0, the trust anchor at index n-1.
255 */
256 public final X509Certificate[] validate(X509Certificate[] chain,
257 Collection<X509Certificate> otherCerts,
258 AlgorithmConstraints constraints,
259 Object parameter) throws CertificateException {
260 chain = engineValidate(chain, otherCerts, constraints, parameter);
261
262 // omit EE extension check if EE cert is also trust anchor
263 if (chain.length > 1) {
264 endEntityChecker.check(chain[0], parameter);
265 }
266
267 return chain;
268 }
269
270 abstract X509Certificate[] engineValidate(X509Certificate[] chain,
271 Collection<X509Certificate> otherCerts,
272 AlgorithmConstraints constraints,
273 Object parameter) throws CertificateException;
274
275 /**
276 * Returns an immutable Collection of the X509Certificates this instance
277 * uses as trust anchors.
278 */
279 public abstract Collection<X509Certificate> getTrustedCertificates();
280
281 /**
282 * Set the date to be used for subsequent validations. NOTE that
283 * this is not a supported API, it is provided to simplify
284 * writing tests only.
|
1 /*
2 * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
127 /**
128 * Constant for a TLS Server variant of a validator.
129 * @see #getInstance
130 */
131 public final static String VAR_TLS_SERVER = "tls server";
132
133 /**
134 * Constant for a TSA Server variant of a validator.
135 * @see #getInstance
136 */
137 public final static String VAR_TSA_SERVER = "tsa server";
138
139 /**
140 * Constant for a Code Signing variant of a validator for use by
141 * the J2SE Plugin/WebStart code.
142 * @see #getInstance
143 */
144 public final static String VAR_PLUGIN_CODE_SIGNING = "plugin code signing";
145
146 final EndEntityChecker endEntityChecker;
147 final String type;
148 final String variant;
149
150 /**
151 * @deprecated
152 * @see #setValidationDate
153 */
154 @Deprecated
155 volatile Date validationDate;
156
157 Validator(String type, String variant) {
158 this.type = type;
159 this.variant = variant;
160 endEntityChecker = EndEntityChecker.getInstance(type, variant);
161 }
162
163 /**
164 * Get a new Validator instance using the trusted certificates from the
165 * specified KeyStore as trust anchors.
166 */
167 public static Validator getInstance(String type, String variant,
168 KeyStore ks) {
169 return getInstance(type, variant, KeyStores.getTrustedCerts(ks));
170 }
171
172 /**
173 * Get a new Validator instance using the Set of X509Certificates as trust
174 * anchors.
175 */
176 public static Validator getInstance(String type, String variant,
177 Collection<X509Certificate> trustedCerts) {
178 if (type.equals(TYPE_SIMPLE)) {
246 * could be helpful for path building (or null)
247 * @param constraints algorithm constraints for certification path
248 * processing
249 * @param parameter an additional parameter with variant specific meaning.
250 * Currently, it is only defined for TLS_SERVER variant validators,
251 * where it must be non null and the name of the TLS key exchange
252 * algorithm being used (see JSSE X509TrustManager specification).
253 * In the future, it could be used to pass in a PKCS#7 object for
254 * code signing to check time stamps.
255 * @return a non-empty chain that was used to validate the path. The
256 * end entity cert is at index 0, the trust anchor at index n-1.
257 */
258 public final X509Certificate[] validate(X509Certificate[] chain,
259 Collection<X509Certificate> otherCerts,
260 AlgorithmConstraints constraints,
261 Object parameter) throws CertificateException {
262 chain = engineValidate(chain, otherCerts, constraints, parameter);
263
264 // omit EE extension check if EE cert is also trust anchor
265 if (chain.length > 1) {
266 // EndEntityChecker does not need to check unresolved critical
267 // extensions when validating with a TYPE_PKIX Validator.
268 // A TYPE_PKIX Validator will already have run checks on all
269 // certs' extensions, including checks by any PKIXCertPathCheckers
270 // included in the PKIXParameters, so the extra checks would be
271 // redundant.
272 boolean checkUnresolvedCritExts =
273 (type == TYPE_PKIX) ? false : true;
274 endEntityChecker.check(chain[0], parameter,
275 checkUnresolvedCritExts);
276 }
277
278 return chain;
279 }
280
281 abstract X509Certificate[] engineValidate(X509Certificate[] chain,
282 Collection<X509Certificate> otherCerts,
283 AlgorithmConstraints constraints,
284 Object parameter) throws CertificateException;
285
286 /**
287 * Returns an immutable Collection of the X509Certificates this instance
288 * uses as trust anchors.
289 */
290 public abstract Collection<X509Certificate> getTrustedCertificates();
291
292 /**
293 * Set the date to be used for subsequent validations. NOTE that
294 * this is not a supported API, it is provided to simplify
295 * writing tests only.
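Review bot: The new `type == TYPE_PKIX` test in validate() is a reference comparison on a String, whereas getInstance() in the same file compares the same value with `type.equals(TYPE_SIMPLE)`; a `type` that is equal to "PKIX" but not the interned constant (for example one built at runtime) would silently take the non-PKIX branch. The failure direction is safe — checkUnresolvedCritExts stays true and the end-entity checker does the extra work — but the inconsistency is brittle and `(cond) ? false : true` hides a plain negation, so I would write `boolean checkUnresolvedCritExts = !TYPE_PKIX.equals(type);`. The skip is also only sound as long as the TYPE_PKIX engineValidate implementation, which is outside this hunk, rejects unresolved critical extensions itself; I would add a comment stating that dependency explicitly, e.g. `// Relies on PKIXValidator rejecting unresolved critical extensions; keep in sync if that changes.` The validate() body is complete within the hunk; the class header and the PKIX implementation are not.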
|