1 /*
2 * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
254 * code signing to check time stamps.
255 * @return a non-empty chain that was used to validate the path. The
256 * end entity cert is at index 0, the trust anchor at index n-1.
257 */
258 public final X509Certificate[] validate(X509Certificate[] chain,
259 Collection<X509Certificate> otherCerts,
260 AlgorithmConstraints constraints,
261 Object parameter) throws CertificateException {
262 chain = engineValidate(chain, otherCerts, constraints, parameter);
263
264 // omit EE extension check if EE cert is also trust anchor
265 if (chain.length > 1) {
266 // EndEntityChecker does not need to check unresolved critical
267 // extensions when validating with a TYPE_PKIX Validator.
268 // A TYPE_PKIX Validator will already have run checks on all
269 // certs' extensions, including checks by any PKIXCertPathCheckers
270 // included in the PKIXParameters, so the extra checks would be
271 // redundant.
272 boolean checkUnresolvedCritExts =
273 (type == TYPE_PKIX) ? false : true;
274 endEntityChecker.check(chain[0], parameter,
275 checkUnresolvedCritExts);
276 }
277
278 return chain;
279 }
280
281 abstract X509Certificate[] engineValidate(X509Certificate[] chain,
282 Collection<X509Certificate> otherCerts,
283 AlgorithmConstraints constraints,
284 Object parameter) throws CertificateException;
285
286 /**
287 * Returns an immutable Collection of the X509Certificates this instance
288 * uses as trust anchors.
289 */
290 public abstract Collection<X509Certificate> getTrustedCertificates();
291
292 /**
293 * Set the date to be used for subsequent validations. NOTE that
294 * this is not a supported API, it is provided to simplify
|
1 /*
2 * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
254 * code signing to check time stamps.
255 * @return a non-empty chain that was used to validate the path. The
256 * end entity cert is at index 0, the trust anchor at index n-1.
257 */
258 public final X509Certificate[] validate(X509Certificate[] chain,
259 Collection<X509Certificate> otherCerts,
260 AlgorithmConstraints constraints,
261 Object parameter) throws CertificateException {
262 chain = engineValidate(chain, otherCerts, constraints, parameter);
263
264 // omit EE extension check if EE cert is also trust anchor
265 if (chain.length > 1) {
266 // EndEntityChecker does not need to check unresolved critical
267 // extensions when validating with a TYPE_PKIX Validator.
268 // A TYPE_PKIX Validator will already have run checks on all
269 // certs' extensions, including checks by any PKIXCertPathCheckers
270 // included in the PKIXParameters, so the extra checks would be
271 // redundant.
272 boolean checkUnresolvedCritExts =
273 (type == TYPE_PKIX) ? false : true;
274 endEntityChecker.check(chain, parameter,
275 checkUnresolvedCritExts);
276 }
277
278 return chain;
279 }
280
281 abstract X509Certificate[] engineValidate(X509Certificate[] chain,
282 Collection<X509Certificate> otherCerts,
283 AlgorithmConstraints constraints,
284 Object parameter) throws CertificateException;
285
286 /**
287 * Returns an immutable Collection of the X509Certificates this instance
288 * uses as trust anchors.
289 */
290 public abstract Collection<X509Certificate> getTrustedCertificates();
291
292 /**
293 * Set the date to be used for subsequent validations. NOTE that
294 * this is not a supported API, it is provided to simplify
|
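Review bot: The call at new line 274 hands the entire `chain` array to `endEntityChecker.check`, yet the comment block at lines 266-271 still describes only the end-entity extension check, so nothing documents why the checker now needs the certificates above index 0. Because the call sits inside `if (chain.length > 1)`, any chain- or anchor-dependent check (presumably added inside `EndEntityChecker`, which is not shown on this page) is skipped when the end-entity certificate is itself the trust anchor; please confirm that this is intended and record it. I would add above the call something like `// full chain is passed so the checker can also inspect the certs above the EE; not run when the EE is itself a trust anchor`. Separately, `(type == TYPE_PKIX) ? false : true` on lines 272-273 reads more directly as `type != TYPE_PKIX`.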